Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWS3c2fUuKg8gYGt+sMZa2p6w8XgJhSvsneX1XCsQnDLAkYDuJSAuqJt
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command 'system journal show | cat' at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$

Output:

Oct 09 09:27:17.408067 osdx systemd-journald[1768]: Runtime Journal (/run/log/journal/da0729972954483f829d339572dde7c1) is 2.0M, max 15.3M, 13.2M free.
Oct 09 09:27:17.408877 osdx systemd-journald[1768]: Received client request to rotate journal, rotating.
Oct 09 09:27:17.408930 osdx systemd-journald[1768]: Vacuuming done, freed 0B of archived journals from /run/log/journal/da0729972954483f829d339572dde7c1.
Oct 09 09:27:17.427116 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system journal clear'.
Oct 09 09:27:18.000534 osdx osdx-coredump[150524]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Oct 09 09:27:18.012934 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 09 09:27:18.786541 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:27:18.978561 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 09 09:27:19.118932 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 09 09:27:19.246418 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:27:19.392893 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 09 09:27:19.614292 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:27:19.662010 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:27:19.707519 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:27:19.934102 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Oct 09 09:27:20.233354 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:27:20.378296 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 09 09:27:20.576802 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Oct 09 09:27:20.743488 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWS3c2fUuKg8gYGt+sMZa2p6w8XgJhSvsneX1XCsQnDLAkYDuJSAuqJt''.
Oct 09 09:27:20.927560 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Oct 09 09:27:21.104042 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:27:21.285460 osdx ca-certificates[150663]: Updating certificates in /etc/ssl/certs...
Oct 09 09:27:22.251802 osdx ca-certificates[151665]: 1 added, 0 removed; done.
Oct 09 09:27:22.256477 osdx ca-certificates[151673]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:27:22.261125 osdx ca-certificates[151675]: done.
Oct 09 09:27:22.349320 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:27:22.349625 osdx systemd[1]: Reached target nss-lookup.target - Host and Network Name Lookups.
Oct 09 09:27:22.352240 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:27:22.356923 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:27:22.399530 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:27:22.593894 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system journal show | cat'.
Oct 09 09:27:22.645067 osdx dnscrypt-proxy[151679]: [2024-10-09 09:27:22] [NOTICE] dnscrypt-proxy 2.0.45
Oct 09 09:27:22.645403 osdx dnscrypt-proxy[151679]: [2024-10-09 09:27:22] [NOTICE] Network connectivity detected
Oct 09 09:27:22.645443 osdx dnscrypt-proxy[151679]: [2024-10-09 09:27:22] [NOTICE] Dropping privileges
Oct 09 09:27:22.648206 osdx dnscrypt-proxy[151679]: [2024-10-09 09:27:22] [NOTICE] Network connectivity detected
Oct 09 09:27:22.648286 osdx dnscrypt-proxy[151679]: [2024-10-09 09:27:22] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Oct 09 09:27:22.648286 osdx dnscrypt-proxy[151679]: [2024-10-09 09:27:22] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Oct 09 09:27:22.653170 osdx dnscrypt-proxy[151679]: [2024-10-09 09:27:22] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-zmelzryewardb2uy.tmp: permission denied
Oct 09 09:27:22.653170 osdx dnscrypt-proxy[151679]: [2024-10-09 09:27:22] [NOTICE] Source [RD] loaded
Oct 09 09:27:22.653294 osdx dnscrypt-proxy[151679]: [2024-10-09 09:27:22] [WARNING] Missing stamp for server [server-name`]
Oct 09 09:27:22.653294 osdx dnscrypt-proxy[151679]: [2024-10-09 09:27:22] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Oct 09 09:27:22.653294 osdx dnscrypt-proxy[151679]: [2024-10-09 09:27:22] [NOTICE] Firefox workaround initialized
Oct 09 09:27:22.653294 osdx dnscrypt-proxy[151679]: [2024-10-09 09:27:22] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpm21vtyuv]
Oct 09 09:27:22.839202 osdx dnscrypt-proxy[151679]: [2024-10-09 09:27:22] [NOTICE] [rd-server] OK (DoH) - rtt: 134ms
Oct 09 09:27:22.839338 osdx dnscrypt-proxy[151679]: [2024-10-09 09:27:22] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 134ms)
Oct 09 09:27:22.839424 osdx dnscrypt-proxy[151679]: [2024-10-09 09:27:22] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWS3c2fUuKg8gYGt+sMZa2p6w8XgJhSvsneX1XCsQnDLAkYDuJSAuqJt
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command 'system journal show | cat' at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$

Output:

Oct 09 09:27:31.431491 osdx systemd-journald[1768]: Runtime Journal (/run/log/journal/da0729972954483f829d339572dde7c1) is 2.0M, max 15.3M, 13.3M free.
Oct 09 09:27:31.434497 osdx systemd-journald[1768]: Received client request to rotate journal, rotating.
Oct 09 09:27:31.434573 osdx systemd-journald[1768]: Vacuuming done, freed 0B of archived journals from /run/log/journal/da0729972954483f829d339572dde7c1.
Oct 09 09:27:31.451140 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system journal clear'.
Oct 09 09:27:31.983241 osdx osdx-coredump[153281]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Oct 09 09:27:31.993384 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 09 09:27:32.748314 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:27:32.864210 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 09 09:27:32.948885 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 09 09:27:33.084292 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:27:33.242538 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 09 09:27:33.400282 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:27:33.448720 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:27:33.475312 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:27:33.656808 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Oct 09 09:27:33.860037 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:27:33.986669 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 09 09:27:34.152550 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Oct 09 09:27:34.245051 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWS3c2fUuKg8gYGt+sMZa2p6w8XgJhSvsneX1XCsQnDLAkYDuJSAuqJt''.
Oct 09 09:27:34.339442 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Oct 09 09:27:34.435293 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Oct 09 09:27:34.567357 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:27:34.694299 osdx ca-certificates[153421]: Updating certificates in /etc/ssl/certs...
Oct 09 09:27:35.573801 osdx ca-certificates[154425]: 1 added, 0 removed; done.
Oct 09 09:27:35.580336 osdx ca-certificates[154431]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:27:35.586785 osdx ca-certificates[154433]: done.
Oct 09 09:27:35.679139 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:27:35.681240 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:27:35.685185 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:27:35.721536 osdx dnscrypt-proxy[154437]: [2024-10-09 09:27:35] [NOTICE] dnscrypt-proxy 2.0.45
Oct 09 09:27:35.721875 osdx dnscrypt-proxy[154437]: [2024-10-09 09:27:35] [NOTICE] Network connectivity detected
Oct 09 09:27:35.721967 osdx dnscrypt-proxy[154437]: [2024-10-09 09:27:35] [NOTICE] Dropping privileges
Oct 09 09:27:35.725797 osdx dnscrypt-proxy[154437]: [2024-10-09 09:27:35] [NOTICE] Network connectivity detected
Oct 09 09:27:35.725903 osdx dnscrypt-proxy[154437]: [2024-10-09 09:27:35] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Oct 09 09:27:35.725903 osdx dnscrypt-proxy[154437]: [2024-10-09 09:27:35] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Oct 09 09:27:35.727984 osdx dnscrypt-proxy[154437]: [2024-10-09 09:27:35] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-bomd7gg3rla3flsf.tmp: permission denied
Oct 09 09:27:35.727984 osdx dnscrypt-proxy[154437]: [2024-10-09 09:27:35] [NOTICE] Source [RD] loaded
Oct 09 09:27:35.728128 osdx dnscrypt-proxy[154437]: [2024-10-09 09:27:35] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Oct 09 09:27:35.728128 osdx dnscrypt-proxy[154437]: [2024-10-09 09:27:35] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Oct 09 09:27:35.728128 osdx dnscrypt-proxy[154437]: [2024-10-09 09:27:35] [NOTICE] Firefox workaround initialized
Oct 09 09:27:35.728128 osdx dnscrypt-proxy[154437]: [2024-10-09 09:27:35] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpzb0r0ein]
Oct 09 09:27:35.732040 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:27:35.936430 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system journal show | cat'.
Oct 09 09:27:36.276631 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system journal show | cat'.
Oct 09 09:27:36.417132 osdx dnscrypt-proxy[154437]: [2024-10-09 09:27:36] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 640ms
Oct 09 09:27:36.417132 osdx dnscrypt-proxy[154437]: [2024-10-09 09:27:36] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 640ms)
Oct 09 09:27:36.417132 osdx dnscrypt-proxy[154437]: [2024-10-09 09:27:36] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key yv5nM6DedqGSj7WWwaFyJzSv
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'