Source

Test suite to validate the use of one or multiple ciphers to protect the DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWSB/vpuIPdrYSFXBh+ByzTvKdGaZgbrnM9MKal7c+zf7BxjHyU3W1Dc
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$

Output:

Dec 04 15:16:59.300499 osdx systemd-journald[1574]: Runtime Journal (/run/log/journal/2754912ae611401eb118833e63cf0c07) is 2.0M, max 15.3M, 13.2M free.
Dec 04 15:16:59.302463 osdx systemd-journald[1574]: Received client request to rotate journal, rotating.
Dec 04 15:16:59.302516 osdx systemd-journald[1574]: Vacuuming done, freed 0B of archived journals from /run/log/journal/2754912ae611401eb118833e63cf0c07.
Dec 04 15:16:59.310460 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system journal clear'.
Dec 04 15:16:59.619600 osdx osdx-coredump[83475]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Dec 04 15:16:59.626908 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 04 15:17:00.057948 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu.
Dec 04 15:17:00.126994 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 04 15:17:00.211827 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 04 15:17:00.283828 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'.
Dec 04 15:17:00.398470 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 04 15:17:00.505852 osdx cfgd[1239]: [44364]Completed change to active configuration
Dec 04 15:17:00.539432 osdx OSDxCLI[44364]: User 'admin' committed the configuration.
Dec 04 15:17:00.555698 osdx OSDxCLI[44364]: User 'admin' left the configuration menu.
Dec 04 15:17:00.693386 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Dec 04 15:17:00.809421 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu.
Dec 04 15:17:00.909200 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 04 15:17:00.962287 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Dec 04 15:17:01.058251 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWSB/vpuIPdrYSFXBh+ByzTvKdGaZgbrnM9MKal7c+zf7BxjHyU3W1Dc''.
Dec 04 15:17:01.106165 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Dec 04 15:17:01.222884 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'.
Dec 04 15:17:01.307015 osdx ca-certificates[83621]: Updating certificates in /etc/ssl/certs...
Dec 04 15:17:01.827587 osdx ca-certificates[84624]: 1 added, 0 removed; done.
Dec 04 15:17:01.830633 osdx ca-certificates[84631]: Running hooks in /etc/ca-certificates/update.d...
Dec 04 15:17:01.833896 osdx ca-certificates[84633]: done.
Dec 04 15:17:01.914785 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 04 15:17:01.916100 osdx cfgd[1239]: [44364]Completed change to active configuration
Dec 04 15:17:01.918102 osdx OSDxCLI[44364]: User 'admin' committed the configuration.
Dec 04 15:17:01.933963 osdx OSDxCLI[44364]: User 'admin' left the configuration menu.
Dec 04 15:17:01.936717 osdx dnscrypt-proxy[84637]: [2024-12-04 15:17:01] [NOTICE] dnscrypt-proxy 2.0.45
Dec 04 15:17:01.936866 osdx dnscrypt-proxy[84637]: [2024-12-04 15:17:01] [NOTICE] Network connectivity detected
Dec 04 15:17:01.936969 osdx dnscrypt-proxy[84637]: [2024-12-04 15:17:01] [NOTICE] Dropping privileges
Dec 04 15:17:01.938930 osdx dnscrypt-proxy[84637]: [2024-12-04 15:17:01] [NOTICE] Network connectivity detected
Dec 04 15:17:01.938970 osdx dnscrypt-proxy[84637]: [2024-12-04 15:17:01] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Dec 04 15:17:01.938970 osdx dnscrypt-proxy[84637]: [2024-12-04 15:17:01] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Dec 04 15:17:01.939890 osdx dnscrypt-proxy[84637]: [2024-12-04 15:17:01] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-3wa5dpqr7dstvsv7.tmp: permission denied
Dec 04 15:17:01.939890 osdx dnscrypt-proxy[84637]: [2024-12-04 15:17:01] [NOTICE] Source [RD] loaded
Dec 04 15:17:01.939957 osdx dnscrypt-proxy[84637]: [2024-12-04 15:17:01] [WARNING] Missing stamp for server [server-name`]
Dec 04 15:17:01.939957 osdx dnscrypt-proxy[84637]: [2024-12-04 15:17:01] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Dec 04 15:17:01.939957 osdx dnscrypt-proxy[84637]: [2024-12-04 15:17:01] [NOTICE] Firefox workaround initialized
Dec 04 15:17:01.939957 osdx dnscrypt-proxy[84637]: [2024-12-04 15:17:01] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpcmzhsfxl]
Dec 04 15:17:02.084870 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system journal show | cat'.
Dec 04 15:17:02.163282 osdx dnscrypt-proxy[84637]: [2024-12-04 15:17:02] [NOTICE] [rd-server] OK (DoH) - rtt: 198ms
Dec 04 15:17:02.163282 osdx dnscrypt-proxy[84637]: [2024-12-04 15:17:02] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 198ms)
Dec 04 15:17:02.163282 osdx dnscrypt-proxy[84637]: [2024-12-04 15:17:02] [NOTICE] dnscrypt-proxy is ready - live servers: 1
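
The Step 2 pattern only looks for the OK line, so the check passes even though the same journal carries WARNING entries. The following is an added example, not part of the test suite or of OSDx, that applies the same check and also collects those warnings; `summarize`, `LINE_RE` and `OK_RE` are hypothetical names, and the sample is an excerpt of the output above.

```python
import re

# Excerpt of the journal output shown above (five lines, unchanged).
SAMPLE_JOURNAL = """\
Dec 04 15:17:01.939890 osdx dnscrypt-proxy[84637]: [2024-12-04 15:17:01] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-3wa5dpqr7dstvsv7.tmp: permission denied
Dec 04 15:17:01.939890 osdx dnscrypt-proxy[84637]: [2024-12-04 15:17:01] [NOTICE] Source [RD] loaded
Dec 04 15:17:01.939957 osdx dnscrypt-proxy[84637]: [2024-12-04 15:17:01] [WARNING] Missing stamp for server [server-name`]
Dec 04 15:17:02.084870 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system journal show | cat'.
Dec 04 15:17:02.163282 osdx dnscrypt-proxy[84637]: [2024-12-04 15:17:02] [NOTICE] [rd-server] OK (DoH) - rtt: 198ms
"""

# Journal line shape: "<prefix> dnscrypt-proxy[pid]: [timestamp] [LEVEL] message"
LINE_RE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)
# Same message shape as the Step 2 pattern, with name, protocol and rtt captured.
OK_RE = re.compile(
    r"^\[(?P<server>[^\]]+)\] OK \((?P<proto>[^)]+)\) - rtt: (?P<rtt>\d+)ms$"
)


def summarize(journal, expected_server):
    """Return pass/fail for the Step 2 check plus the warnings it ignores."""
    live, warnings = {}, []
    for line in journal.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a dnscrypt-proxy message (CLI audit, systemd, ...)
        ok = OK_RE.match(m["msg"])
        if ok:
            live[ok["server"]] = (ok["proto"], int(ok["rtt"]))
        elif m["level"] not in ("NOTICE", "INFO", "DEBUG"):
            warnings.append(m["msg"])
    # Pass only if the configured server-name answered over DoH.
    passed = live.get(expected_server, ("", 0))[0] == "DoH"
    return {"passed": passed, "live": live, "warnings": warnings}


if __name__ == "__main__":
    print(summarize(SAMPLE_JOURNAL, "rd-server"))
```
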

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate server names.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWSB/vpuIPdrYSFXBh+ByzTvKdGaZgbrnM9MKal7c+zf7BxjHyU3W1Dc
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$

Output:

Dec 04 15:17:07.320699 osdx systemd-journald[1574]: Runtime Journal (/run/log/journal/2754912ae611401eb118833e63cf0c07) is 2.0M, max 15.3M, 13.3M free.
Dec 04 15:17:07.322502 osdx systemd-journald[1574]: Received client request to rotate journal, rotating.
Dec 04 15:17:07.322545 osdx systemd-journald[1574]: Vacuuming done, freed 0B of archived journals from /run/log/journal/2754912ae611401eb118833e63cf0c07.
Dec 04 15:17:07.331378 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system journal clear'.
Dec 04 15:17:07.699672 osdx osdx-coredump[86237]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Dec 04 15:17:07.707972 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 04 15:17:08.177845 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu.
Dec 04 15:17:08.245444 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 04 15:17:08.329226 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 04 15:17:08.395751 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'.
Dec 04 15:17:08.510549 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 04 15:17:08.618261 osdx cfgd[1239]: [44364]Completed change to active configuration
Dec 04 15:17:08.646218 osdx OSDxCLI[44364]: User 'admin' committed the configuration.
Dec 04 15:17:08.670229 osdx OSDxCLI[44364]: User 'admin' left the configuration menu.
Dec 04 15:17:08.803692 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Dec 04 15:17:08.955890 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu.
Dec 04 15:17:09.013294 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 04 15:17:09.108843 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Dec 04 15:17:09.162192 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWSB/vpuIPdrYSFXBh+ByzTvKdGaZgbrnM9MKal7c+zf7BxjHyU3W1Dc''.
Dec 04 15:17:09.249654 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Dec 04 15:17:09.299249 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Dec 04 15:17:09.422081 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'.
Dec 04 15:17:09.500017 osdx ca-certificates[86377]: Updating certificates in /etc/ssl/certs...
Dec 04 15:17:10.013941 osdx ca-certificates[87380]: 1 added, 0 removed; done.
Dec 04 15:17:10.017523 osdx ca-certificates[87387]: Running hooks in /etc/ca-certificates/update.d...
Dec 04 15:17:10.020523 osdx ca-certificates[87389]: done.
Dec 04 15:17:10.086934 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 04 15:17:10.088718 osdx cfgd[1239]: [44364]Completed change to active configuration
Dec 04 15:17:10.093210 osdx OSDxCLI[44364]: User 'admin' committed the configuration.
Dec 04 15:17:10.108205 osdx dnscrypt-proxy[87393]: [2024-12-04 15:17:10] [NOTICE] dnscrypt-proxy 2.0.45
Dec 04 15:17:10.108205 osdx dnscrypt-proxy[87393]: [2024-12-04 15:17:10] [NOTICE] Network connectivity detected
Dec 04 15:17:10.108465 osdx dnscrypt-proxy[87393]: [2024-12-04 15:17:10] [NOTICE] Dropping privileges
Dec 04 15:17:10.108846 osdx OSDxCLI[44364]: User 'admin' left the configuration menu.
Dec 04 15:17:10.110114 osdx dnscrypt-proxy[87393]: [2024-12-04 15:17:10] [NOTICE] Network connectivity detected
Dec 04 15:17:10.110147 osdx dnscrypt-proxy[87393]: [2024-12-04 15:17:10] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Dec 04 15:17:10.110147 osdx dnscrypt-proxy[87393]: [2024-12-04 15:17:10] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Dec 04 15:17:10.111470 osdx dnscrypt-proxy[87393]: [2024-12-04 15:17:10] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-5nz3qsqgdaichg5c.tmp: permission denied
Dec 04 15:17:10.111470 osdx dnscrypt-proxy[87393]: [2024-12-04 15:17:10] [NOTICE] Source [RD] loaded
Dec 04 15:17:10.111524 osdx dnscrypt-proxy[87393]: [2024-12-04 15:17:10] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Dec 04 15:17:10.111524 osdx dnscrypt-proxy[87393]: [2024-12-04 15:17:10] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Dec 04 15:17:10.111524 osdx dnscrypt-proxy[87393]: [2024-12-04 15:17:10] [NOTICE] Firefox workaround initialized
Dec 04 15:17:10.111524 osdx dnscrypt-proxy[87393]: [2024-12-04 15:17:10] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpg6kovc6c]
Dec 04 15:17:10.257443 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system journal show | cat'.
Dec 04 15:17:10.271798 osdx dnscrypt-proxy[87393]: [2024-12-04 15:17:10] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 138ms
Dec 04 15:17:10.271798 osdx dnscrypt-proxy[87393]: [2024-12-04 15:17:10] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 138ms)
Dec 04 15:17:10.271798 osdx dnscrypt-proxy[87393]: [2024-12-04 15:17:10] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key f0DwUgy9mIuc5djSC6RyV5NQ
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
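
A minisign public key is the base64 encoding of 42 bytes: a 2-byte algorithm tag (`Ed`), an 8-byte key id and a 32-byte Ed25519 public key. The following added example, not part of the test suite or of OSDx, runs that structural check over the keys used in the "Invalid Source" and "Invalid Minisign Key" scenarios and the valid one; `check_minisign_pubkey` is a hypothetical helper and it verifies no signature.

```python
import base64
import binascii

# Keys exactly as configured in the scenarios on this page.
PAGE_KEYS = {
    "valid": "RWSB/vpuIPdrYSFXBh+ByzTvKdGaZgbrnM9MKal7c+zf7BxjHyU3W1Dc",
    "invalid-source": "f0DwUgy9mIuc5djSC6RyV5NQ",
    "invalid-key": "InvalidMinisignKey==",
}

ALG_TAG = b"Ed"       # signature algorithm tag of a minisign public key
KEY_ID_LEN = 8        # key id, matched against the key id inside a signature
ED25519_PK_LEN = 32   # raw Ed25519 public key
EXPECTED_LEN = len(ALG_TAG) + KEY_ID_LEN + ED25519_PK_LEN  # 42 bytes


def check_minisign_pubkey(text):
    """Return (ok, detail). Structural check only, no signature is verified."""
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"not valid base64: {exc}"
    if len(raw) != EXPECTED_LEN:
        return False, f"decoded length {len(raw)} bytes, expected {EXPECTED_LEN}"
    if raw[:2] != ALG_TAG:
        return False, f"unexpected algorithm tag {raw[:2]!r}"
    key_id = raw[2:2 + KEY_ID_LEN].hex()  # bytes as stored in the key blob
    return True, f"Ed25519 key, key id bytes {key_id}"


if __name__ == "__main__":
    for name, key in PAGE_KEYS.items():
        ok, detail = check_minisign_pubkey(key)
        print(f"{name:15} {'OK  ' if ok else 'FAIL'} {detail}")
```

A key that passes this check can still be the wrong key for a given source; only verifying the source's signature against it settles that.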