Source

Test suite to validate using one or multiple ciphers to protect the DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWQtoDCz5tJzQx9qhzYgdlMWarYrjdMb6tVdaW1TnhjIOBvBdei+teeL'
set service dns proxy server-name rd-server

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expression:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
-- Logs begin at Tue 2024-02-13 14:50:15 UTC, end at Tue 2024-02-13 14:50:19 UTC. --
Feb 13 14:50:15.384790 osdx systemd-journald[1694]: Runtime journal (/run/log/journal/80d0e0b412184be1883eb13133ae3f69) is 2.0M, max 16.0M, 14.0M free.
Feb 13 14:50:15.400284 osdx OSDxCLI[22889]: User 'admin' executed a new command: 'system journal clear'.
Feb 13 14:50:15.981821 osdx osdx-coredump[459]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Feb 13 14:50:15.989768 osdx OSDxCLI[22889]: User 'admin' executed a new command: 'system coredump delete all'.
Feb 13 14:50:16.847831 osdx OSDxCLI[22889]: User 'admin' entered the configuration menu.
Feb 13 14:50:17.011428 osdx OSDxCLI[22889]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 13 14:50:17.181230 osdx OSDxCLI[22889]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 13 14:50:17.394835 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 13 14:50:17.506733 osdx cfgd[1320]: [22889]Completed change to active configuration
Feb 13 14:50:17.561407 osdx OSDxCLI[22889]: User 'admin' committed the configuration.
Feb 13 14:50:17.601652 osdx OSDxCLI[22889]: User 'admin' left the configuration menu.
Feb 13 14:50:17.774783 osdx OSDxCLI[22889]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Feb 13 14:50:17.999357 osdx OSDxCLI[22889]: User 'admin' entered the configuration menu.
Feb 13 14:50:18.106071 osdx OSDxCLI[22889]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 13 14:50:18.244864 osdx OSDxCLI[22889]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Feb 13 14:50:18.331662 osdx OSDxCLI[22889]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWQtoDCz5tJzQx9qhzYgdlMWarYrjdMb6tVdaW1TnhjIOBvBdei+teeL''.
Feb 13 14:50:18.420723 osdx OSDxCLI[22889]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Feb 13 14:50:18.634284 osdx ca-certificates[593]: Updating certificates in /etc/ssl/certs...
Feb 13 14:50:19.321948 osdx ca-certificates[1609]: 1 added, 0 removed; done.
Feb 13 14:50:19.327908 osdx ca-certificates[1615]: Running hooks in /etc/ca-certificates/update.d...
Feb 13 14:50:19.333443 osdx ca-certificates[1619]: done.
Feb 13 14:50:19.401505 osdx systemd[1]: Started DNSCrypt client proxy.
Feb 13 14:50:19.403578 osdx cfgd[1320]: [22889]Completed change to active configuration
Feb 13 14:50:19.404445 osdx systemd[1]: Reached target Host and Network Name Lookups.
Feb 13 14:50:19.408908 osdx OSDxCLI[22889]: User 'admin' committed the configuration.
Feb 13 14:50:19.444178 osdx OSDxCLI[22889]: User 'admin' left the configuration menu.
Feb 13 14:50:19.694296 osdx OSDxCLI[22889]: User 'admin' executed a new command: 'system journal show | cat'.
Feb 13 14:50:19.741096 osdx dnscrypt-proxy[1623]: [2024-02-13 14:50:19] [NOTICE] dnscrypt-proxy 2.0.45
Feb 13 14:50:19.741489 osdx dnscrypt-proxy[1623]: [2024-02-13 14:50:19] [NOTICE] Network connectivity detected
Feb 13 14:50:19.741934 osdx dnscrypt-proxy[1623]: [2024-02-13 14:50:19] [NOTICE] Dropping privileges
Feb 13 14:50:19.744238 osdx dnscrypt-proxy[1623]: [2024-02-13 14:50:19] [NOTICE] Network connectivity detected
Feb 13 14:50:19.744420 osdx dnscrypt-proxy[1623]: [2024-02-13 14:50:19] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Feb 13 14:50:19.744505 osdx dnscrypt-proxy[1623]: [2024-02-13 14:50:19] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Feb 13 14:50:19.749423 osdx dnscrypt-proxy[1623]: [2024-02-13 14:50:19] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-vo6rhc4zbsjf4tk4.tmp: permission denied
Feb 13 14:50:19.749423 osdx dnscrypt-proxy[1623]: [2024-02-13 14:50:19] [NOTICE] Source [RD] loaded
Feb 13 14:50:19.749423 osdx dnscrypt-proxy[1623]: [2024-02-13 14:50:19] [WARNING] Missing stamp for server [server-name`]
Feb 13 14:50:19.749423 osdx dnscrypt-proxy[1623]: [2024-02-13 14:50:19] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Feb 13 14:50:19.749423 osdx dnscrypt-proxy[1623]: [2024-02-13 14:50:19] [NOTICE] Firefox workaround initialized
Feb 13 14:50:19.749423 osdx dnscrypt-proxy[1623]: [2024-02-13 14:50:19] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpc1aoem]
Feb 13 14:50:19.942813 osdx dnscrypt-proxy[1623]: [2024-02-13 14:50:19] [NOTICE] [rd-server] OK (DoH) - rtt: 115ms
Feb 13 14:50:19.942813 osdx dnscrypt-proxy[1623]: [2024-02-13 14:50:19] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 115ms)
Feb 13 14:50:19.942813 osdx dnscrypt-proxy[1623]: [2024-02-13 14:50:19] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Feb 13 14:50:19.971108 osdx OSDxCLI[22889]: User 'admin' executed a new command: 'system journal show | cat'.

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWQtoDCz5tJzQx9qhzYgdlMWarYrjdMb6tVdaW1TnhjIOBvBdei+teeL'
set service dns proxy source RD prefix PRIVATE-
set service dns proxy server-name PRIVATE-rd-server

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expression:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
-- Logs begin at Tue 2024-02-13 14:50:28 UTC, end at Tue 2024-02-13 14:50:32 UTC. --
Feb 13 14:50:28.338295 osdx systemd-journald[1694]: Runtime journal (/run/log/journal/80d0e0b412184be1883eb13133ae3f69) is 2.0M, max 16.0M, 14.0M free.
Feb 13 14:50:28.351435 osdx OSDxCLI[22889]: User 'admin' executed a new command: 'system journal clear'.
Feb 13 14:50:28.943617 osdx osdx-coredump[3231]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Feb 13 14:50:28.953067 osdx OSDxCLI[22889]: User 'admin' executed a new command: 'system coredump delete all'.
Feb 13 14:50:29.911278 osdx OSDxCLI[22889]: User 'admin' entered the configuration menu.
Feb 13 14:50:30.007492 osdx OSDxCLI[22889]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 13 14:50:30.118888 osdx OSDxCLI[22889]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 13 14:50:30.247491 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 13 14:50:30.364565 osdx cfgd[1320]: [22889]Completed change to active configuration
Feb 13 14:50:30.406261 osdx OSDxCLI[22889]: User 'admin' committed the configuration.
Feb 13 14:50:30.434452 osdx OSDxCLI[22889]: User 'admin' left the configuration menu.
Feb 13 14:50:30.624541 osdx OSDxCLI[22889]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Feb 13 14:50:30.884661 osdx OSDxCLI[22889]: User 'admin' entered the configuration menu.
Feb 13 14:50:31.004554 osdx OSDxCLI[22889]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 13 14:50:31.103060 osdx OSDxCLI[22889]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Feb 13 14:50:31.221566 osdx OSDxCLI[22889]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWQtoDCz5tJzQx9qhzYgdlMWarYrjdMb6tVdaW1TnhjIOBvBdei+teeL''.
Feb 13 14:50:31.334572 osdx OSDxCLI[22889]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Feb 13 14:50:31.439840 osdx OSDxCLI[22889]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Feb 13 14:50:31.605286 osdx ca-certificates[3366]: Updating certificates in /etc/ssl/certs...
Feb 13 14:50:32.348868 osdx ca-certificates[4355]: 1 added, 0 removed; done.
Feb 13 14:50:32.355366 osdx ca-certificates[4359]: Running hooks in /etc/ca-certificates/update.d...
Feb 13 14:50:32.360182 osdx ca-certificates[4363]: done.
Feb 13 14:50:32.433882 osdx systemd[1]: Started DNSCrypt client proxy.
Feb 13 14:50:32.437822 osdx cfgd[1320]: [22889]Completed change to active configuration
Feb 13 14:50:32.447000 osdx OSDxCLI[22889]: User 'admin' committed the configuration.
Feb 13 14:50:32.471916 osdx OSDxCLI[22889]: User 'admin' left the configuration menu.
Feb 13 14:50:32.482375 osdx dnscrypt-proxy[4367]: [2024-02-13 14:50:32] [NOTICE] dnscrypt-proxy 2.0.45
Feb 13 14:50:32.482862 osdx dnscrypt-proxy[4367]: [2024-02-13 14:50:32] [NOTICE] Network connectivity detected
Feb 13 14:50:32.483551 osdx dnscrypt-proxy[4367]: [2024-02-13 14:50:32] [NOTICE] Dropping privileges
Feb 13 14:50:32.486739 osdx dnscrypt-proxy[4367]: [2024-02-13 14:50:32] [NOTICE] Network connectivity detected
Feb 13 14:50:32.486949 osdx dnscrypt-proxy[4367]: [2024-02-13 14:50:32] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Feb 13 14:50:32.487056 osdx dnscrypt-proxy[4367]: [2024-02-13 14:50:32] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Feb 13 14:50:32.488989 osdx dnscrypt-proxy[4367]: [2024-02-13 14:50:32] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-gstoxgzghylf6edv.tmp: permission denied
Feb 13 14:50:32.489127 osdx dnscrypt-proxy[4367]: [2024-02-13 14:50:32] [NOTICE] Source [RD] loaded
Feb 13 14:50:32.489260 osdx dnscrypt-proxy[4367]: [2024-02-13 14:50:32] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Feb 13 14:50:32.489374 osdx dnscrypt-proxy[4367]: [2024-02-13 14:50:32] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Feb 13 14:50:32.489480 osdx dnscrypt-proxy[4367]: [2024-02-13 14:50:32] [NOTICE] Firefox workaround initialized
Feb 13 14:50:32.489577 osdx dnscrypt-proxy[4367]: [2024-02-13 14:50:32] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp4YzPQ2]
Feb 13 14:50:32.663031 osdx dnscrypt-proxy[4367]: [2024-02-13 14:50:32] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 122ms
Feb 13 14:50:32.663031 osdx dnscrypt-proxy[4367]: [2024-02-13 14:50:32] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 122ms)
Feb 13 14:50:32.663031 osdx dnscrypt-proxy[4367]: [2024-02-13 14:50:32] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Feb 13 14:50:32.681752 osdx OSDxCLI[22889]: User 'admin' executed a new command: 'system journal show | cat'.

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/invalid-source
set service dns proxy source RD minisign-key 'FBVdyRRXGubk3ONVxFP3rI3s'
set service dns proxy server-name rd-server

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'InvalidMinisignKey=='
set service dns proxy server-name rd-server
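
The three minisign-key values configured in the scenarios above, run through a structural check of the minisign public-key container. This is an added example, not part of the original test suite or of dnscrypt-proxy; it assumes the standard minisign encoding (base64 of a 2-byte "Ed" tag, an 8-byte key id and a 32-byte Ed25519 key), and the function names are hypothetical. It validates the key format only and verifies no signature.

```python
import base64
import binascii
from typing import NamedTuple

# Minisign public key layout after base64 decoding, 42 bytes in total:
#   2 bytes  signature algorithm tag, b"Ed"
#   8 bytes  key id
#  32 bytes  Ed25519 public key
ALG = b"Ed"
KEY_LEN = 2 + 8 + 32


class MinisignPublicKey(NamedTuple):
    key_id: bytes
    ed25519_key: bytes


def parse_minisign_public_key(encoded: str) -> MinisignPublicKey:
    """Decode and structurally validate a minisign public key string.

    Raises ValueError with the reason when the string cannot be a minisign
    key. Only the container is checked; no signature is verified.
    """
    try:
        raw = base64.b64decode(encoded.strip())
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not base64: {exc}") from exc
    if len(raw) != KEY_LEN:
        raise ValueError(f"decoded length {len(raw)}, expected {KEY_LEN}")
    if raw[:2] != ALG:
        raise ValueError(f"algorithm tag {raw[:2]!r}, expected {ALG!r}")
    return MinisignPublicKey(key_id=raw[2:10], ed25519_key=raw[10:])


def check(encoded: str) -> str:
    """Return 'ok key-id=<hex>' or 'rejected: <reason>' for a key string."""
    try:
        key = parse_minisign_public_key(encoded)
    except ValueError as exc:
        return f"rejected: {exc}"
    return f"ok key-id={key.key_id.hex()}"  # key id bytes in stored order


# The minisign-key values from the scenarios on this page.
PAGE_KEYS = {
    "valid": "RWQtoDCz5tJzQx9qhzYgdlMWarYrjdMb6tVdaW1TnhjIOBvBdei+teeL",
    "invalid-source": "FBVdyRRXGubk3ONVxFP3rI3s",
    "invalid-key": "InvalidMinisignKey==",
}

if __name__ == "__main__":
    for label, value in PAGE_KEYS.items():
        print(f"{label:15} {check(value)}")
```

Both keys from the failing scenarios are rejected on length alone, before any signature over the downloaded source would be evaluated.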