Source

Test suite to validate using one or multiple ciphers to protect DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWT285CKp4385nLBo2+BCrmHFYNUbdDsOiXkqIpY4kbpPdIcbPK+AIka
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Jul 17 16:37:17.278856 osdx systemd-journald[93647]: Runtime Journal (/run/log/journal/7135572a45764d02b8df631348eed5fb) is 2.0M, max 15.3M, 13.2M free.
Jul 17 16:37:17.281840 osdx systemd-journald[93647]: Received client request to rotate journal, rotating.
Jul 17 16:37:17.281923 osdx systemd-journald[93647]: Vacuuming done, freed 0B of archived journals from /run/log/journal/7135572a45764d02b8df631348eed5fb.
Jul 17 16:37:17.290614 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'system journal clear'.
Jul 17 16:37:17.611207 osdx osdx-coredump[212362]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jul 17 16:37:17.618946 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'system coredump delete all'.
Jul 17 16:37:18.052788 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu.
Jul 17 16:37:18.122237 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 17 16:37:18.211103 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 17 16:37:18.275098 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:37:18.389874 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 17 16:37:18.456951 osdx cfgd[1240]: [170971]Completed change to active configuration
Jul 17 16:37:18.484045 osdx OSDxCLI[170971]: User 'admin' committed the configuration.
Jul 17 16:37:18.498961 osdx OSDxCLI[170971]: User 'admin' left the configuration menu.
Jul 17 16:37:18.635152 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Jul 17 16:37:18.793237 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu.
Jul 17 16:37:18.854846 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 17 16:37:18.959905 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jul 17 16:37:19.029151 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWT285CKp4385nLBo2+BCrmHFYNUbdDsOiXkqIpY4kbpPdIcbPK+AIka''.
Jul 17 16:37:19.119536 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Jul 17 16:37:19.191900 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:37:19.321887 osdx ca-certificates[212497]: Updating certificates in /etc/ssl/certs...
Jul 17 16:37:19.908482 osdx ca-certificates[213500]: 1 added, 0 removed; done.
Jul 17 16:37:19.911854 osdx ca-certificates[213507]: Running hooks in /etc/ca-certificates/update.d...
Jul 17 16:37:19.914860 osdx ca-certificates[213509]: done.
Jul 17 16:37:19.998306 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 17 16:37:20.000005 osdx cfgd[1240]: [170971]Completed change to active configuration
Jul 17 16:37:20.002493 osdx OSDxCLI[170971]: User 'admin' committed the configuration.
Jul 17 16:37:20.020632 osdx dnscrypt-proxy[213513]: [2024-07-17 16:37:20] [NOTICE] dnscrypt-proxy 2.0.45
Jul 17 16:37:20.020867 osdx dnscrypt-proxy[213513]: [2024-07-17 16:37:20] [NOTICE] Network connectivity detected
Jul 17 16:37:20.020953 osdx dnscrypt-proxy[213513]: [2024-07-17 16:37:20] [NOTICE] Dropping privileges
Jul 17 16:37:20.023611 osdx dnscrypt-proxy[213513]: [2024-07-17 16:37:20] [NOTICE] Network connectivity detected
Jul 17 16:37:20.023645 osdx dnscrypt-proxy[213513]: [2024-07-17 16:37:20] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jul 17 16:37:20.023645 osdx dnscrypt-proxy[213513]: [2024-07-17 16:37:20] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jul 17 16:37:20.025484 osdx dnscrypt-proxy[213513]: [2024-07-17 16:37:20] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-h3iu2i7xli2qq7fn.tmp: permission denied
Jul 17 16:37:20.025484 osdx dnscrypt-proxy[213513]: [2024-07-17 16:37:20] [NOTICE] Source [RD] loaded
Jul 17 16:37:20.025484 osdx dnscrypt-proxy[213513]: [2024-07-17 16:37:20] [WARNING] Missing stamp for server [server-name`]
Jul 17 16:37:20.025484 osdx dnscrypt-proxy[213513]: [2024-07-17 16:37:20] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Jul 17 16:37:20.025484 osdx dnscrypt-proxy[213513]: [2024-07-17 16:37:20] [NOTICE] Firefox workaround initialized
Jul 17 16:37:20.025484 osdx dnscrypt-proxy[213513]: [2024-07-17 16:37:20] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpp01l00dg]
Jul 17 16:37:20.026204 osdx OSDxCLI[170971]: User 'admin' left the configuration menu.
Jul 17 16:37:20.145973 osdx dnscrypt-proxy[213513]: [2024-07-17 16:37:20] [NOTICE] [rd-server] OK (DoH) - rtt: 93ms
Jul 17 16:37:20.145973 osdx dnscrypt-proxy[213513]: [2024-07-17 16:37:20] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 93ms)
Jul 17 16:37:20.145973 osdx dnscrypt-proxy[213513]: [2024-07-17 16:37:20] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate server names.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWT285CKp4385nLBo2+BCrmHFYNUbdDsOiXkqIpY4kbpPdIcbPK+AIka
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Jul 17 16:37:25.300597 osdx systemd-journald[93647]: Runtime Journal (/run/log/journal/7135572a45764d02b8df631348eed5fb) is 2.0M, max 15.3M, 13.3M free.
Jul 17 16:37:25.304345 osdx systemd-journald[93647]: Received client request to rotate journal, rotating.
Jul 17 16:37:25.304401 osdx systemd-journald[93647]: Vacuuming done, freed 0B of archived journals from /run/log/journal/7135572a45764d02b8df631348eed5fb.
Jul 17 16:37:25.311814 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'system journal clear'.
Jul 17 16:37:25.638138 osdx osdx-coredump[215105]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jul 17 16:37:25.646644 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'system coredump delete all'.
Jul 17 16:37:26.070389 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu.
Jul 17 16:37:26.173137 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 17 16:37:26.225722 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 17 16:37:26.326162 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:37:26.404288 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 17 16:37:26.480425 osdx cfgd[1240]: [170971]Completed change to active configuration
Jul 17 16:37:26.507425 osdx OSDxCLI[170971]: User 'admin' committed the configuration.
Jul 17 16:37:26.522044 osdx OSDxCLI[170971]: User 'admin' left the configuration menu.
Jul 17 16:37:26.659101 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Jul 17 16:37:26.777456 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu.
Jul 17 16:37:26.834624 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 17 16:37:26.934746 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jul 17 16:37:26.988102 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWT285CKp4385nLBo2+BCrmHFYNUbdDsOiXkqIpY4kbpPdIcbPK+AIka''.
Jul 17 16:37:27.085156 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Jul 17 16:37:27.136014 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Jul 17 16:37:27.249664 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:37:27.347691 osdx ca-certificates[215241]: Updating certificates in /etc/ssl/certs...
Jul 17 16:37:27.941005 osdx ca-certificates[216245]: 1 added, 0 removed; done.
Jul 17 16:37:27.945411 osdx ca-certificates[216251]: Running hooks in /etc/ca-certificates/update.d...
Jul 17 16:37:27.948568 osdx ca-certificates[216253]: done.
Jul 17 16:37:28.016770 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 17 16:37:28.018034 osdx cfgd[1240]: [170971]Completed change to active configuration
Jul 17 16:37:28.021811 osdx OSDxCLI[170971]: User 'admin' committed the configuration.
Jul 17 16:37:28.038507 osdx OSDxCLI[170971]: User 'admin' left the configuration menu.
Jul 17 16:37:28.041400 osdx dnscrypt-proxy[216257]: [2024-07-17 16:37:28] [NOTICE] dnscrypt-proxy 2.0.45
Jul 17 16:37:28.041620 osdx dnscrypt-proxy[216257]: [2024-07-17 16:37:28] [NOTICE] Network connectivity detected
Jul 17 16:37:28.041721 osdx dnscrypt-proxy[216257]: [2024-07-17 16:37:28] [NOTICE] Dropping privileges
Jul 17 16:37:28.044156 osdx dnscrypt-proxy[216257]: [2024-07-17 16:37:28] [NOTICE] Network connectivity detected
Jul 17 16:37:28.044202 osdx dnscrypt-proxy[216257]: [2024-07-17 16:37:28] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jul 17 16:37:28.044202 osdx dnscrypt-proxy[216257]: [2024-07-17 16:37:28] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jul 17 16:37:28.045657 osdx dnscrypt-proxy[216257]: [2024-07-17 16:37:28] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-ivekpiuejrigebqt.tmp: permission denied
Jul 17 16:37:28.045657 osdx dnscrypt-proxy[216257]: [2024-07-17 16:37:28] [NOTICE] Source [RD] loaded
Jul 17 16:37:28.045707 osdx dnscrypt-proxy[216257]: [2024-07-17 16:37:28] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Jul 17 16:37:28.045723 osdx dnscrypt-proxy[216257]: [2024-07-17 16:37:28] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Jul 17 16:37:28.045723 osdx dnscrypt-proxy[216257]: [2024-07-17 16:37:28] [NOTICE] Firefox workaround initialized
Jul 17 16:37:28.045723 osdx dnscrypt-proxy[216257]: [2024-07-17 16:37:28] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp_8u__ijj]
Jul 17 16:37:28.187509 osdx dnscrypt-proxy[216257]: [2024-07-17 16:37:28] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 120ms
Jul 17 16:37:28.187509 osdx dnscrypt-proxy[216257]: [2024-07-17 16:37:28] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 120ms)
Jul 17 16:37:28.187509 osdx dnscrypt-proxy[216257]: [2024-07-17 16:37:28] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Jul 17 16:37:28.192832 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'system journal show | cat'.

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key hedPjU5OdVHL6OZ4f9vBZcz5
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
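
The two failing scenarios above use minisign-key values that are already malformed before any signature is checked. The following added example (not part of the original test suite or of OSDx) parses the standard minisign public-key encoding and reports why each key on this page is accepted or rejected. The function names are hypothetical, and the check covers key structure only; it does not verify the signature of the downloaded source list.

```python
import base64
import binascii

# Minisign public key layout (base64 text, 42 bytes once decoded):
#   2 bytes   signature algorithm tag, b"Ed" (Ed25519)
#   8 bytes   key id
#   32 bytes  Ed25519 public key
ALG_ED25519 = b"Ed"
KEY_ID_LEN = 8
PUBKEY_LEN = 32
TOTAL_LEN = len(ALG_ED25519) + KEY_ID_LEN + PUBKEY_LEN

# The three minisign-key values configured in the scenarios on this page.
PAGE_KEYS = [
    "RWT285CKp4385nLBo2+BCrmHFYNUbdDsOiXkqIpY4kbpPdIcbPK+AIka",  # Valid Source
    "hedPjU5OdVHL6OZ4f9vBZcz5",                                  # Invalid Source
    "InvalidMinisignKey==",                                      # Invalid Minisign Key
]


def parse_minisign_key(text):
    """Return (key_id, public_key) or raise ValueError naming the defect."""
    try:
        raw = base64.b64decode(text.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    if len(raw) != TOTAL_LEN:
        raise ValueError(f"decoded length {len(raw)}, expected {TOTAL_LEN}")
    if raw[:2] != ALG_ED25519:
        raise ValueError(f"unexpected algorithm tag {raw[:2]!r}")
    return raw[2:2 + KEY_ID_LEN], raw[2 + KEY_ID_LEN:]


def check_keys(keys):
    """Map each candidate key string to 'ok' or the reason it was rejected."""
    report = {}
    for key in keys:
        try:
            parse_minisign_key(key)
            report[key] = "ok"
        except ValueError as exc:
            report[key] = str(exc)
    return report


if __name__ == "__main__":
    for key, verdict in check_keys(PAGE_KEYS).items():
        print(f"{key[:16]:<16}  {verdict}")
```

A key that passes this check can still fail verification if it is not the key that signed the source list, so the journal check from the valid scenarios remains the actual pass criterion.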