Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWT285CKp4385nLBo2+BCrmHFYNUbdDsOiXkqIpY4kbpPdIcbPK+AIka
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Jul 30 12:21:23.273579 osdx systemd-journald[60253]: Runtime Journal (/run/log/journal/22c37bf8be29452e87aca50c6265032f) is 2.0M, max 15.3M, 13.2M free.
Jul 30 12:21:23.275991 osdx systemd-journald[60253]: Received client request to rotate journal, rotating.
Jul 30 12:21:23.276038 osdx systemd-journald[60253]: Vacuuming done, freed 0B of archived journals from /run/log/journal/22c37bf8be29452e87aca50c6265032f.
Jul 30 12:21:23.282788 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'system journal clear'.
Jul 30 12:21:23.573706 osdx osdx-coredump[348149]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jul 30 12:21:23.580568 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'system coredump delete all'.
Jul 30 12:21:23.951135 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu.
Jul 30 12:21:24.056080 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 30 12:21:24.102567 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 30 12:21:24.206854 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'.
Jul 30 12:21:24.284055 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 30 12:21:24.341987 osdx cfgd[1242]: [210769]Completed change to active configuration
Jul 30 12:21:24.368070 osdx OSDxCLI[210769]: User 'admin' committed the configuration.
Jul 30 12:21:24.390992 osdx OSDxCLI[210769]: User 'admin' left the configuration menu.
Jul 30 12:21:24.524484 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jul 30 12:21:24.671703 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu.
Jul 30 12:21:24.722576 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 30 12:21:24.820479 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jul 30 12:21:24.870547 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWT285CKp4385nLBo2+BCrmHFYNUbdDsOiXkqIpY4kbpPdIcbPK+AIka''.
Jul 30 12:21:24.956803 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Jul 30 12:21:25.022448 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'.
Jul 30 12:21:25.118745 osdx ca-certificates[348284]: Updating certificates in /etc/ssl/certs...
Jul 30 12:21:25.575068 osdx ca-certificates[349287]: 1 added, 0 removed; done.
Jul 30 12:21:25.578025 osdx ca-certificates[349294]: Running hooks in /etc/ca-certificates/update.d...
Jul 30 12:21:25.581939 osdx ca-certificates[349296]: done.
Jul 30 12:21:25.640245 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 30 12:21:25.641710 osdx cfgd[1242]: [210769]Completed change to active configuration
Jul 30 12:21:25.644156 osdx OSDxCLI[210769]: User 'admin' committed the configuration.
Jul 30 12:21:25.659151 osdx OSDxCLI[210769]: User 'admin' left the configuration menu.
Jul 30 12:21:25.661257 osdx dnscrypt-proxy[349300]: [2024-07-30 12:21:25] [NOTICE] dnscrypt-proxy 2.0.45
Jul 30 12:21:25.661418 osdx dnscrypt-proxy[349300]: [2024-07-30 12:21:25] [NOTICE] Network connectivity detected
Jul 30 12:21:25.661446 osdx dnscrypt-proxy[349300]: [2024-07-30 12:21:25] [NOTICE] Dropping privileges
Jul 30 12:21:25.663471 osdx dnscrypt-proxy[349300]: [2024-07-30 12:21:25] [NOTICE] Network connectivity detected
Jul 30 12:21:25.663511 osdx dnscrypt-proxy[349300]: [2024-07-30 12:21:25] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jul 30 12:21:25.663511 osdx dnscrypt-proxy[349300]: [2024-07-30 12:21:25] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jul 30 12:21:25.664443 osdx dnscrypt-proxy[349300]: [2024-07-30 12:21:25] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-r7o2vrcexa2qcwsf.tmp: permission denied
Jul 30 12:21:25.664485 osdx dnscrypt-proxy[349300]: [2024-07-30 12:21:25] [NOTICE] Source [RD] loaded
Jul 30 12:21:25.664543 osdx dnscrypt-proxy[349300]: [2024-07-30 12:21:25] [WARNING] Missing stamp for server [server-name`]
Jul 30 12:21:25.664586 osdx dnscrypt-proxy[349300]: [2024-07-30 12:21:25] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Jul 30 12:21:25.664620 osdx dnscrypt-proxy[349300]: [2024-07-30 12:21:25] [NOTICE] Firefox workaround initialized
Jul 30 12:21:25.664654 osdx dnscrypt-proxy[349300]: [2024-07-30 12:21:25] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpun_qruul]
Jul 30 12:21:25.803057 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'system journal show | cat'.
Jul 30 12:21:25.845834 osdx dnscrypt-proxy[349300]: [2024-07-30 12:21:25] [NOTICE] [rd-server] OK (DoH) - rtt: 158ms
Jul 30 12:21:25.845834 osdx dnscrypt-proxy[349300]: [2024-07-30 12:21:25] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 158ms)
Jul 30 12:21:25.845834 osdx dnscrypt-proxy[349300]: [2024-07-30 12:21:25] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWT285CKp4385nLBo2+BCrmHFYNUbdDsOiXkqIpY4kbpPdIcbPK+AIka
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Jul 30 12:21:30.283957 osdx systemd-journald[60253]: Runtime Journal (/run/log/journal/22c37bf8be29452e87aca50c6265032f) is 2.0M, max 15.3M, 13.3M free.
Jul 30 12:21:30.286436 osdx systemd-journald[60253]: Received client request to rotate journal, rotating.
Jul 30 12:21:30.286473 osdx systemd-journald[60253]: Vacuuming done, freed 0B of archived journals from /run/log/journal/22c37bf8be29452e87aca50c6265032f.
Jul 30 12:21:30.293291 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'system journal clear'.
Jul 30 12:21:30.575046 osdx osdx-coredump[350896]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jul 30 12:21:30.582726 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'system coredump delete all'.
Jul 30 12:21:30.966740 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu.
Jul 30 12:21:31.030650 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 30 12:21:31.114041 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 30 12:21:31.179083 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'.
Jul 30 12:21:31.286448 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 30 12:21:31.355029 osdx cfgd[1242]: [210769]Completed change to active configuration
Jul 30 12:21:31.382196 osdx OSDxCLI[210769]: User 'admin' committed the configuration.
Jul 30 12:21:31.403546 osdx OSDxCLI[210769]: User 'admin' left the configuration menu.
Jul 30 12:21:31.537677 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jul 30 12:21:31.656116 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu.
Jul 30 12:21:31.718488 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 30 12:21:31.810075 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jul 30 12:21:31.860415 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWT285CKp4385nLBo2+BCrmHFYNUbdDsOiXkqIpY4kbpPdIcbPK+AIka''.
Jul 30 12:21:31.950876 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Jul 30 12:21:32.000839 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Jul 30 12:21:32.114532 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'.
Jul 30 12:21:32.188175 osdx ca-certificates[351031]: Updating certificates in /etc/ssl/certs...
Jul 30 12:21:32.695068 osdx ca-certificates[352036]: 1 added, 0 removed; done.
Jul 30 12:21:32.698829 osdx ca-certificates[352042]: Running hooks in /etc/ca-certificates/update.d...
Jul 30 12:21:32.702574 osdx ca-certificates[352044]: done.
Jul 30 12:21:32.766885 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 30 12:21:32.768421 osdx cfgd[1242]: [210769]Completed change to active configuration
Jul 30 12:21:32.772155 osdx OSDxCLI[210769]: User 'admin' committed the configuration.
Jul 30 12:21:32.786136 osdx dnscrypt-proxy[352048]: [2024-07-30 12:21:32] [NOTICE] dnscrypt-proxy 2.0.45
Jul 30 12:21:32.786384 osdx dnscrypt-proxy[352048]: [2024-07-30 12:21:32] [NOTICE] Network connectivity detected
Jul 30 12:21:32.786473 osdx dnscrypt-proxy[352048]: [2024-07-30 12:21:32] [NOTICE] Dropping privileges
Jul 30 12:21:32.789087 osdx OSDxCLI[210769]: User 'admin' left the configuration menu.
Jul 30 12:21:32.791483 osdx dnscrypt-proxy[352048]: [2024-07-30 12:21:32] [NOTICE] Network connectivity detected
Jul 30 12:21:32.791483 osdx dnscrypt-proxy[352048]: [2024-07-30 12:21:32] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jul 30 12:21:32.791483 osdx dnscrypt-proxy[352048]: [2024-07-30 12:21:32] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jul 30 12:21:32.792626 osdx dnscrypt-proxy[352048]: [2024-07-30 12:21:32] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-2haksvoakyrovspu.tmp: permission denied
Jul 30 12:21:32.792626 osdx dnscrypt-proxy[352048]: [2024-07-30 12:21:32] [NOTICE] Source [RD] loaded
Jul 30 12:21:32.792688 osdx dnscrypt-proxy[352048]: [2024-07-30 12:21:32] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Jul 30 12:21:32.792688 osdx dnscrypt-proxy[352048]: [2024-07-30 12:21:32] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Jul 30 12:21:32.792688 osdx dnscrypt-proxy[352048]: [2024-07-30 12:21:32] [NOTICE] Firefox workaround initialized
Jul 30 12:21:32.792688 osdx dnscrypt-proxy[352048]: [2024-07-30 12:21:32] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpswhvgvlj]
Jul 30 12:21:32.934636 osdx dnscrypt-proxy[352048]: [2024-07-30 12:21:32] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 119ms
Jul 30 12:21:32.934636 osdx dnscrypt-proxy[352048]: [2024-07-30 12:21:32] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 119ms)
Jul 30 12:21:32.934636 osdx dnscrypt-proxy[352048]: [2024-07-30 12:21:32] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Jul 30 12:21:32.936672 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'system journal show | cat'.
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key ZkpxI4KOXS0PfVFoDbl2ky3b
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
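As an added illustration (not part of this test suite or of OSDx), the Python sketch below parses the three minisign-key values used in the scenarios above against the minisign public-key layout: base64 of a 2-byte algorithm tag "Ed", an 8-byte key ID and a 32-byte Ed25519 key. It checks structure only and verifies no signature; the function names and dictionary labels are assumptions made for the example.

```python
import base64
import binascii

# Minisign public key layout: 2-byte algorithm tag, 8-byte key ID, 32-byte Ed25519 key.
ALG_TAG = b"Ed"
KEY_LEN = 2 + 8 + 32

# Key strings copied from the scenarios on this page (labels are this example's own).
PAGE_KEYS = {
    "valid source": "RWT285CKp4385nLBo2+BCrmHFYNUbdDsOiXkqIpY4kbpPdIcbPK+AIka",
    "invalid source": "ZkpxI4KOXS0PfVFoDbl2ky3b",
    "invalid minisign key": "InvalidMinisignKey==",
}


def parse_minisign_pubkey(text):
    """Return (key_id_hex, ed25519_key_bytes); raise ValueError with the reason."""
    try:
        raw = base64.b64decode(text.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not base64: {exc}") from exc
    if len(raw) != KEY_LEN:
        raise ValueError(f"decoded length {len(raw)}, expected {KEY_LEN}")
    if raw[:2] != ALG_TAG:
        raise ValueError(f"algorithm tag {raw[:2]!r}, expected {ALG_TAG!r}")
    # Key ID is returned in raw byte order, exactly as stored in the key blob.
    return raw[2:10].hex(), raw[10:]


def check_keys(keys=PAGE_KEYS):
    """Map each label to (well_formed, detail) without touching the network."""
    results = {}
    for label, text in keys.items():
        try:
            key_id, _ = parse_minisign_pubkey(text)
            results[label] = (True, f"key ID bytes {key_id}")
        except ValueError as exc:
            results[label] = (False, str(exc))
    return results


if __name__ == "__main__":
    for label, (ok, detail) in check_keys().items():
        print(f"{label:22} {'well-formed' if ok else 'rejected'}: {detail}")
```

A key that passes this structural check can still fail verification if it is not the key that signed the downloaded source, so the check complements the signature check rather than replacing it.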