Source

Test suite to validate using one or more ciphers to protect the DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWT285CKp4385nLBo2+BCrmHFYNUbdDsOiXkqIpY4kbpPdIcbPK+AIka
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Jul 03 16:25:10.291082 osdx systemd-journald[19587]: Runtime Journal (/run/log/journal/aa1bd7befff24a8b91d1e90ef92c032b) is 2.0M, max 15.3M, 13.2M free.
Jul 03 16:25:10.293291 osdx systemd-journald[19587]: Received client request to rotate journal, rotating.
Jul 03 16:25:10.293346 osdx systemd-journald[19587]: Vacuuming done, freed 0B of archived journals from /run/log/journal/aa1bd7befff24a8b91d1e90ef92c032b.
Jul 03 16:25:10.301604 osdx OSDxCLI[150173]: User 'admin' executed a new command: 'system journal clear'.
Jul 03 16:25:10.631048 osdx osdx-coredump[265208]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jul 03 16:25:10.639321 osdx OSDxCLI[150173]: User 'admin' executed a new command: 'system coredump delete all'.
Jul 03 16:25:11.117628 osdx OSDxCLI[150173]: User 'admin' entered the configuration menu.
Jul 03 16:25:11.204413 osdx OSDxCLI[150173]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 03 16:25:11.288435 osdx OSDxCLI[150173]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 03 16:25:11.356316 osdx OSDxCLI[150173]: User 'admin' added a new cfg line: 'show working'.
Jul 03 16:25:11.473211 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 03 16:25:11.529839 osdx cfgd[1440]: [150173]Completed change to active configuration
Jul 03 16:25:11.555990 osdx OSDxCLI[150173]: User 'admin' committed the configuration.
Jul 03 16:25:11.575197 osdx OSDxCLI[150173]: User 'admin' left the configuration menu.
Jul 03 16:25:11.710935 osdx OSDxCLI[150173]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Jul 03 16:25:11.856665 osdx OSDxCLI[150173]: User 'admin' entered the configuration menu.
Jul 03 16:25:11.914815 osdx OSDxCLI[150173]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 03 16:25:12.016989 osdx OSDxCLI[150173]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jul 03 16:25:12.070554 osdx OSDxCLI[150173]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWT285CKp4385nLBo2+BCrmHFYNUbdDsOiXkqIpY4kbpPdIcbPK+AIka''.
Jul 03 16:25:12.161062 osdx OSDxCLI[150173]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Jul 03 16:25:12.232857 osdx OSDxCLI[150173]: User 'admin' added a new cfg line: 'show working'.
Jul 03 16:25:12.337614 osdx ca-certificates[265320]: Updating certificates in /etc/ssl/certs...
Jul 03 16:25:12.871891 osdx ca-certificates[266323]: 1 added, 0 removed; done.
Jul 03 16:25:12.876337 osdx ca-certificates[266330]: Running hooks in /etc/ca-certificates/update.d...
Jul 03 16:25:12.879360 osdx ca-certificates[266332]: done.
Jul 03 16:25:12.945759 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 03 16:25:12.947238 osdx cfgd[1440]: [150173]Completed change to active configuration
Jul 03 16:25:12.950044 osdx OSDxCLI[150173]: User 'admin' committed the configuration.
Jul 03 16:25:12.976533 osdx dnscrypt-proxy[266336]: [2024-07-03 16:25:12] [NOTICE] dnscrypt-proxy 2.0.45
Jul 03 16:25:12.976821 osdx dnscrypt-proxy[266336]: [2024-07-03 16:25:12] [NOTICE] Network connectivity detected
Jul 03 16:25:12.976821 osdx dnscrypt-proxy[266336]: [2024-07-03 16:25:12] [NOTICE] Dropping privileges
Jul 03 16:25:12.979084 osdx dnscrypt-proxy[266336]: [2024-07-03 16:25:12] [NOTICE] Network connectivity detected
Jul 03 16:25:12.979084 osdx dnscrypt-proxy[266336]: [2024-07-03 16:25:12] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jul 03 16:25:12.979084 osdx dnscrypt-proxy[266336]: [2024-07-03 16:25:12] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jul 03 16:25:12.979824 osdx OSDxCLI[150173]: User 'admin' left the configuration menu.
Jul 03 16:25:12.980526 osdx dnscrypt-proxy[266336]: [2024-07-03 16:25:12] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-q4yiz2smugwu34c3.tmp: permission denied
Jul 03 16:25:12.980526 osdx dnscrypt-proxy[266336]: [2024-07-03 16:25:12] [NOTICE] Source [RD] loaded
Jul 03 16:25:12.980526 osdx dnscrypt-proxy[266336]: [2024-07-03 16:25:12] [WARNING] Missing stamp for server [server-name`]
Jul 03 16:25:12.980526 osdx dnscrypt-proxy[266336]: [2024-07-03 16:25:12] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Jul 03 16:25:12.980526 osdx dnscrypt-proxy[266336]: [2024-07-03 16:25:12] [NOTICE] Firefox workaround initialized
Jul 03 16:25:12.980526 osdx dnscrypt-proxy[266336]: [2024-07-03 16:25:12] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp8ewgmvlu]
Jul 03 16:25:13.127246 osdx OSDxCLI[150173]: User 'admin' executed a new command: 'system journal show | cat'.
Jul 03 16:25:13.129225 osdx dnscrypt-proxy[266336]: [2024-07-03 16:25:13] [NOTICE] [rd-server] OK (DoH) - rtt: 119ms
Jul 03 16:25:13.129264 osdx dnscrypt-proxy[266336]: [2024-07-03 16:25:13] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 119ms)
Jul 03 16:25:13.129264 osdx dnscrypt-proxy[266336]: [2024-07-03 16:25:13] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, it uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWT285CKp4385nLBo2+BCrmHFYNUbdDsOiXkqIpY4kbpPdIcbPK+AIka
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Jul 03 16:25:17.290100 osdx systemd-journald[19587]: Runtime Journal (/run/log/journal/aa1bd7befff24a8b91d1e90ef92c032b) is 2.0M, max 15.3M, 13.3M free.
Jul 03 16:25:17.290669 osdx systemd-journald[19587]: Received client request to rotate journal, rotating.
Jul 03 16:25:17.290706 osdx systemd-journald[19587]: Vacuuming done, freed 0B of archived journals from /run/log/journal/aa1bd7befff24a8b91d1e90ef92c032b.
Jul 03 16:25:17.300001 osdx OSDxCLI[150173]: User 'admin' executed a new command: 'system journal clear'.
Jul 03 16:25:17.626580 osdx osdx-coredump[267932]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jul 03 16:25:17.635024 osdx OSDxCLI[150173]: User 'admin' executed a new command: 'system coredump delete all'.
Jul 03 16:25:18.097282 osdx OSDxCLI[150173]: User 'admin' entered the configuration menu.
Jul 03 16:25:18.170239 osdx OSDxCLI[150173]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 03 16:25:18.255021 osdx OSDxCLI[150173]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 03 16:25:18.320458 osdx OSDxCLI[150173]: User 'admin' added a new cfg line: 'show working'.
Jul 03 16:25:18.430719 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 03 16:25:18.479982 osdx cfgd[1440]: [150173]Completed change to active configuration
Jul 03 16:25:18.511782 osdx OSDxCLI[150173]: User 'admin' committed the configuration.
Jul 03 16:25:18.528767 osdx OSDxCLI[150173]: User 'admin' left the configuration menu.
Jul 03 16:25:18.676586 osdx OSDxCLI[150173]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Jul 03 16:25:18.840992 osdx OSDxCLI[150173]: User 'admin' entered the configuration menu.
Jul 03 16:25:18.899825 osdx OSDxCLI[150173]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 03 16:25:18.998701 osdx OSDxCLI[150173]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jul 03 16:25:19.053896 osdx OSDxCLI[150173]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWT285CKp4385nLBo2+BCrmHFYNUbdDsOiXkqIpY4kbpPdIcbPK+AIka''.
Jul 03 16:25:19.148891 osdx OSDxCLI[150173]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Jul 03 16:25:19.205312 osdx OSDxCLI[150173]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Jul 03 16:25:19.319709 osdx OSDxCLI[150173]: User 'admin' added a new cfg line: 'show working'.
Jul 03 16:25:19.409053 osdx ca-certificates[268045]: Updating certificates in /etc/ssl/certs...
Jul 03 16:25:19.956931 osdx ca-certificates[269048]: 1 added, 0 removed; done.
Jul 03 16:25:19.960755 osdx ca-certificates[269055]: Running hooks in /etc/ca-certificates/update.d...
Jul 03 16:25:19.963897 osdx ca-certificates[269057]: done.
Jul 03 16:25:20.027110 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 03 16:25:20.028663 osdx cfgd[1440]: [150173]Completed change to active configuration
Jul 03 16:25:20.030790 osdx OSDxCLI[150173]: User 'admin' committed the configuration.
Jul 03 16:25:20.046523 osdx OSDxCLI[150173]: User 'admin' left the configuration menu.
Jul 03 16:25:20.053252 osdx dnscrypt-proxy[269061]: [2024-07-03 16:25:20] [NOTICE] dnscrypt-proxy 2.0.45
Jul 03 16:25:20.053431 osdx dnscrypt-proxy[269061]: [2024-07-03 16:25:20] [NOTICE] Network connectivity detected
Jul 03 16:25:20.053503 osdx dnscrypt-proxy[269061]: [2024-07-03 16:25:20] [NOTICE] Dropping privileges
Jul 03 16:25:20.055707 osdx dnscrypt-proxy[269061]: [2024-07-03 16:25:20] [NOTICE] Network connectivity detected
Jul 03 16:25:20.055732 osdx dnscrypt-proxy[269061]: [2024-07-03 16:25:20] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jul 03 16:25:20.055732 osdx dnscrypt-proxy[269061]: [2024-07-03 16:25:20] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jul 03 16:25:20.056893 osdx dnscrypt-proxy[269061]: [2024-07-03 16:25:20] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-jxwj25y42einj6z4.tmp: permission denied
Jul 03 16:25:20.056893 osdx dnscrypt-proxy[269061]: [2024-07-03 16:25:20] [NOTICE] Source [RD] loaded
Jul 03 16:25:20.056948 osdx dnscrypt-proxy[269061]: [2024-07-03 16:25:20] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Jul 03 16:25:20.056948 osdx dnscrypt-proxy[269061]: [2024-07-03 16:25:20] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Jul 03 16:25:20.056948 osdx dnscrypt-proxy[269061]: [2024-07-03 16:25:20] [NOTICE] Firefox workaround initialized
Jul 03 16:25:20.056948 osdx dnscrypt-proxy[269061]: [2024-07-03 16:25:20] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpdigvzny_]
Jul 03 16:25:20.201670 osdx dnscrypt-proxy[269061]: [2024-07-03 16:25:20] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 121ms
Jul 03 16:25:20.201670 osdx dnscrypt-proxy[269061]: [2024-07-03 16:25:20] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 121ms)
Jul 03 16:25:20.201670 osdx dnscrypt-proxy[269061]: [2024-07-03 16:25:20] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Jul 03 16:25:20.202053 osdx OSDxCLI[150173]: User 'admin' executed a new command: 'system journal show | cat'.

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key G35mLcNUcDprLQAoPLd8KUFy
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
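
The scenarios above differ mainly in the minisign-key value. As an added example (not part of the original test suite, nor OSDx or dnscrypt-proxy code), the following Python sketch applies a structural check based on the minisign public-key format to the keys on this page: base64 of a 2-byte algorithm tag, an 8-byte key ID and a 32-byte Ed25519 key. The function, class and constant names are hypothetical.

```python
import base64
import binascii
from typing import NamedTuple, Optional

ALG_ED25519 = b"Ed"      # 2-byte signature algorithm tag
KEY_ID_LEN = 8           # key ID that ties a signature to its public key
PUBKEY_LEN = 32          # raw Ed25519 public key
RAW_LEN = len(ALG_ED25519) + KEY_ID_LEN + PUBKEY_LEN   # 42 bytes in total


class KeyCheck(NamedTuple):
    ok: bool
    reason: str
    key_id: Optional[str] = None   # hex of the little-endian key ID


def check_minisign_pubkey(text: str) -> KeyCheck:
    """Structural check only: says nothing about whether a signature verifies."""
    try:
        raw = base64.b64decode(text.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        return KeyCheck(False, f"not valid base64: {exc}")
    if len(raw) != RAW_LEN:
        return KeyCheck(False, f"decodes to {len(raw)} bytes, expected {RAW_LEN}")
    if raw[:2] != ALG_ED25519:
        return KeyCheck(False, f"unexpected algorithm tag {raw[:2]!r}")
    key_id = int.from_bytes(raw[2:2 + KEY_ID_LEN], "little")
    return KeyCheck(True, "well-formed Ed25519 minisign public key", f"{key_id:016X}")


# minisign-key values copied from the scenarios on this page
# ("Valid Source With Prefix" reuses the "Valid Source" key).
PAGE_KEYS = {
    "Valid Source": "RWT285CKp4385nLBo2+BCrmHFYNUbdDsOiXkqIpY4kbpPdIcbPK+AIka",
    "Invalid Source": "G35mLcNUcDprLQAoPLd8KUFy",
    "Invalid Minisign Key": "InvalidMinisignKey==",
}


def classify_page_keys() -> dict:
    """Run the structural check over every key used in the scenarios."""
    return {name: check_minisign_pubkey(key) for name, key in PAGE_KEYS.items()}


if __name__ == "__main__":
    for name, result in classify_page_keys().items():
        print(f"{name}: ok={result.ok} ({result.reason}) key_id={result.key_id}")
```

Passing this check only means the key is well-formed; whether the source's signature verifies under it is decided by dnscrypt-proxy when it loads the list.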