Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWTVYBp6jW+NoTwtWahHOWCoymGBCzO5XEDDcWRBGB+LEoVmgjHOLa3f
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
May 11 23:51:16.399831 osdx systemd-journald[118835]: Runtime Journal (/run/log/journal/f55f446d40464b198e70fbabb9c21674) is 2.0M, max 15.3M, 13.2M free.
May 11 23:51:16.400875 osdx systemd-journald[118835]: Received client request to rotate journal, rotating.
May 11 23:51:16.400944 osdx systemd-journald[118835]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f55f446d40464b198e70fbabb9c21674.
May 11 23:51:16.416836 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'system journal clear'.
May 11 23:51:16.966605 osdx osdx-coredump[359866]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 11 23:51:16.978224 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'system coredump delete all'.
May 11 23:51:17.938483 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:51:18.093453 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 11 23:51:18.207505 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 11 23:51:18.336576 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:51:18.512104 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 11 23:51:18.682525 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:51:18.737306 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:51:18.779126 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:51:18.965068 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 11 23:51:19.185161 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:51:19.290273 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 11 23:51:19.454760 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
May 11 23:51:19.601828 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWTVYBp6jW+NoTwtWahHOWCoymGBCzO5XEDDcWRBGB+LEoVmgjHOLa3f''.
May 11 23:51:19.780006 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
May 11 23:51:19.990032 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:51:20.130759 osdx ca-certificates[360005]: Updating certificates in /etc/ssl/certs...
May 11 23:51:20.982616 osdx ca-certificates[361009]: 1 added, 0 removed; done.
May 11 23:51:20.986972 osdx ca-certificates[361015]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:51:20.991458 osdx ca-certificates[361017]: done.
May 11 23:51:21.084860 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:51:21.087161 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:51:21.092545 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:51:21.120000 osdx dnscrypt-proxy[361021]: [2025-05-11 23:51:21] [NOTICE] dnscrypt-proxy 2.0.45
May 11 23:51:21.120353 osdx dnscrypt-proxy[361021]: [2025-05-11 23:51:21] [NOTICE] Network connectivity detected
May 11 23:51:21.120353 osdx dnscrypt-proxy[361021]: [2025-05-11 23:51:21] [NOTICE] Dropping privileges
May 11 23:51:21.120980 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:51:21.125918 osdx dnscrypt-proxy[361021]: [2025-05-11 23:51:21] [NOTICE] Network connectivity detected
May 11 23:51:21.126010 osdx dnscrypt-proxy[361021]: [2025-05-11 23:51:21] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
May 11 23:51:21.126010 osdx dnscrypt-proxy[361021]: [2025-05-11 23:51:21] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
May 11 23:51:21.172593 osdx dnscrypt-proxy[361021]: [2025-05-11 23:51:21] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-3t7op3xiwlysp7rn.tmp: permission denied
May 11 23:51:21.172593 osdx dnscrypt-proxy[361021]: [2025-05-11 23:51:21] [NOTICE] Source [RD] loaded
May 11 23:51:21.172737 osdx dnscrypt-proxy[361021]: [2025-05-11 23:51:21] [WARNING] Missing stamp for server [server-name`]
May 11 23:51:21.172737 osdx dnscrypt-proxy[361021]: [2025-05-11 23:51:21] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
May 11 23:51:21.172737 osdx dnscrypt-proxy[361021]: [2025-05-11 23:51:21] [NOTICE] Firefox workaround initialized
May 11 23:51:21.172737 osdx dnscrypt-proxy[361021]: [2025-05-11 23:51:21] [NOTICE] Loading the set of cloaking rules from [/tmp/tmprl0lq133]
May 11 23:51:21.355241 osdx dnscrypt-proxy[361021]: [2025-05-11 23:51:21] [NOTICE] [rd-server] OK (DoH) - rtt: 119ms
May 11 23:51:21.355241 osdx dnscrypt-proxy[361021]: [2025-05-11 23:51:21] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 119ms)
May 11 23:51:21.355241 osdx dnscrypt-proxy[361021]: [2025-05-11 23:51:21] [NOTICE] dnscrypt-proxy is ready - live servers: 1
May 11 23:51:21.357778 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'system journal show | cat'.
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate server names.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWTVYBp6jW+NoTwtWahHOWCoymGBCzO5XEDDcWRBGB+LEoVmgjHOLa3f
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
May 11 23:51:29.461219 osdx systemd-journald[118835]: Runtime Journal (/run/log/journal/f55f446d40464b198e70fbabb9c21674) is 2.0M, max 15.3M, 13.3M free.
May 11 23:51:29.462767 osdx systemd-journald[118835]: Received client request to rotate journal, rotating.
May 11 23:51:29.462843 osdx systemd-journald[118835]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f55f446d40464b198e70fbabb9c21674.
May 11 23:51:29.481720 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'system journal clear'.
May 11 23:51:30.017426 osdx osdx-coredump[362621]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 11 23:51:30.028100 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'system coredump delete all'.
May 11 23:51:30.776334 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:51:30.892326 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 11 23:51:31.013903 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 11 23:51:31.133481 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:51:31.274681 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 11 23:51:31.429790 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:51:31.467791 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:51:31.523904 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:51:31.738555 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 11 23:51:31.984176 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:51:32.111638 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 11 23:51:32.237278 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
May 11 23:51:32.339175 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWTVYBp6jW+NoTwtWahHOWCoymGBCzO5XEDDcWRBGB+LEoVmgjHOLa3f''.
May 11 23:51:32.487790 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
May 11 23:51:32.608735 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
May 11 23:51:32.773463 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:51:32.962106 osdx ca-certificates[362761]: Updating certificates in /etc/ssl/certs...
May 11 23:51:33.902490 osdx ca-certificates[363764]: 1 added, 0 removed; done.
May 11 23:51:33.905308 osdx ca-certificates[363771]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:51:33.911709 osdx ca-certificates[363773]: done.
May 11 23:51:34.011145 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:51:34.014512 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:51:34.017934 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:51:34.053317 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:51:34.056244 osdx dnscrypt-proxy[363777]: [2025-05-11 23:51:34] [NOTICE] dnscrypt-proxy 2.0.45
May 11 23:51:34.056546 osdx dnscrypt-proxy[363777]: [2025-05-11 23:51:34] [NOTICE] Network connectivity detected
May 11 23:51:34.056645 osdx dnscrypt-proxy[363777]: [2025-05-11 23:51:34] [NOTICE] Dropping privileges
May 11 23:51:34.060651 osdx dnscrypt-proxy[363777]: [2025-05-11 23:51:34] [NOTICE] Network connectivity detected
May 11 23:51:34.060651 osdx dnscrypt-proxy[363777]: [2025-05-11 23:51:34] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
May 11 23:51:34.060651 osdx dnscrypt-proxy[363777]: [2025-05-11 23:51:34] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
May 11 23:51:34.066610 osdx dnscrypt-proxy[363777]: [2025-05-11 23:51:34] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-beeuijtme5tnqpxg.tmp: permission denied
May 11 23:51:34.066610 osdx dnscrypt-proxy[363777]: [2025-05-11 23:51:34] [NOTICE] Source [RD] loaded
May 11 23:51:34.066610 osdx dnscrypt-proxy[363777]: [2025-05-11 23:51:34] [WARNING] Missing stamp for server [PRIVATE-server-name`]
May 11 23:51:34.066610 osdx dnscrypt-proxy[363777]: [2025-05-11 23:51:34] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
May 11 23:51:34.066610 osdx dnscrypt-proxy[363777]: [2025-05-11 23:51:34] [NOTICE] Firefox workaround initialized
May 11 23:51:34.066610 osdx dnscrypt-proxy[363777]: [2025-05-11 23:51:34] [NOTICE] Loading the set of cloaking rules from [/tmp/tmphy1hz002]
May 11 23:51:34.250803 osdx dnscrypt-proxy[363777]: [2025-05-11 23:51:34] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 114ms
May 11 23:51:34.250803 osdx dnscrypt-proxy[363777]: [2025-05-11 23:51:34] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 114ms)
May 11 23:51:34.250803 osdx dnscrypt-proxy[363777]: [2025-05-11 23:51:34] [NOTICE] dnscrypt-proxy is ready - live servers: 1
May 11 23:51:34.274750 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'system journal show | cat'.
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key lZDvsLu9KhTrlUlhqWwF8SDa
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
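The Invalid Source and Invalid Minisign Key scenarios both replace the minisign-key value with one that cannot be a minisign public key. As an added example (not part of the original test suite or of OSDx), this Python check decodes the three keys from the page against the minisign public key layout; it is a structural pre-check only and does not verify the source's signature. The names check_minisign_pubkey and PAGE_KEYS are assumptions made for this example.

```python
import base64

# minisign public key layout (42 bytes, base64-encoded on one line):
#   2 bytes  signature algorithm tag, ASCII "Ed" (Ed25519)
#   8 bytes  key ID
#  32 bytes  Ed25519 public key
ALG_TAG = b"Ed"
KEY_LEN = 2 + 8 + 32


def check_minisign_pubkey(text):
    """Return (ok, detail) for a base64 minisign public key string.

    Structural check only: it confirms the value can be a minisign key,
    not that any source list was actually signed with it.
    """
    try:
        raw = base64.b64decode(text.strip(), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return False, f"not valid base64: {exc}"
    if len(raw) != KEY_LEN:
        return False, f"decoded length is {len(raw)} bytes, expected {KEY_LEN}"
    if raw[:2] != ALG_TAG:
        return False, f"unexpected algorithm tag {raw[:2]!r}"
    return True, "key ID bytes " + raw[2:10].hex()


# The minisign-key values configured by the scenarios on this page.
PAGE_KEYS = {
    "Valid Source": "RWTVYBp6jW+NoTwtWahHOWCoymGBCzO5XEDDcWRBGB+LEoVmgjHOLa3f",
    "Invalid Source": "lZDvsLu9KhTrlUlhqWwF8SDa",
    "Invalid Minisign Key": "InvalidMinisignKey==",
}

if __name__ == "__main__":
    for scenario, key in PAGE_KEYS.items():
        ok, detail = check_minisign_pubkey(key)
        print(f"{scenario:22} {'OK ' if ok else 'BAD'} {detail}")
```

A key that passes this check can still be the wrong key for the source, so the signature verification done by the proxy remains the actual control.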