Cloaking

Test suite to validate domain cloaking

Simple Cloaking

Description

Cloaks all requests to teldat.com using address 1.2.3.4.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cloaking name teldat.com destination 1.2.3.4
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash f8bc50bc5ac15ce0f76e30e6a004a073889a788f693866f15b90a61d26d26c4f
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 1.2.3.4

Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 1.2.3.4

No Hosts

Description

Tells the DNS proxy to ignore host entries (static entries). As a result, requests for teldat.com return the address 19.18.17.16 rather than the static host entry.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cloaking ignore-hosts
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash f8bc50bc5ac15ce0f76e30e6a004a073889a788f693866f15b90a61d26d26c4f
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns static host-name teldat.com inet 10.11.12.13
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16

Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Multiple Destinations

Description

Cloaks all requests to teldat.com using multiple IP addresses.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cloaking name teldat.com destination 1.2.3.4
set service dns proxy cloaking name teldat.com destination 4.3.2.1
set service dns proxy cloaking name teldat.com destination 'ff00::abba:abba'
set service dns proxy cloaking name teldat.com destination 'ff00::dead:beef'
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash f8bc50bc5ac15ce0f76e30e6a004a073889a788f693866f15b90a61d26d26c4f
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 1.2.3.4

Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 1.2.3.4
teldat.com has address 4.3.2.1

Step 3: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 4.3.2.1

Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 1.2.3.4
teldat.com has address 4.3.2.1

Step 4: Run command show host lookup teldat.com type AAAA at DUT0 and check if output contains the following tokens:

teldat.com has IPv6 address ff00::dead:beef

Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has IPv6 address ff00::abba:abba
teldat.com has IPv6 address ff00::dead:beef

Step 5: Run command show host lookup teldat.com type AAAA at DUT0 and check if output contains the following tokens:

teldat.com has IPv6 address ff00::abba:abba

Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has IPv6 address ff00::abba:abba
teldat.com has IPv6 address ff00::dead:beef

Chained Destinations

Description

Cloaks requests for multiple domains using chained destinations, i.e. a destination that is itself a cloaked name and is resolved in turn.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cloaking name example.com destination teldat.com
set service dns proxy cloaking name teldat.es destination 1.2.3.4
set service dns proxy cloaking name teldat.es destination 'ff00::dead:beef'
set service dns proxy cloaking name teldat.eu destination teldat.net
set service dns proxy cloaking name teldat.net destination teldat.es
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash f8bc50bc5ac15ce0f76e30e6a004a073889a788f693866f15b90a61d26d26c4f
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup example.com type A at DUT0 and check if output contains the following tokens:

example.com has address 19.18.17.16

Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
example.com has address 19.18.17.16

Step 3: Run command show host lookup teldat.es type A at DUT0 and check if output contains the following tokens:

teldat.es has address 1.2.3.4

Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.es has address 1.2.3.4

Step 4: Run command show host lookup teldat.es type AAAA at DUT0 and check if output contains the following tokens:

teldat.es has IPv6 address ff00::dead:beef

Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.es has IPv6 address ff00::dead:beef

Step 5: Run command show host lookup teldat.net type A at DUT0 and check if output contains the following tokens:

teldat.net has address 1.2.3.4

Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.net has address 1.2.3.4

Step 6: Run command show host lookup teldat.net type AAAA at DUT0 and check if output contains the following tokens:

teldat.net has IPv6 address ff00::dead:beef

Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.net has IPv6 address ff00::dead:beef

Step 7: Run command show host lookup teldat.eu type A at DUT0 and check if output contains the following tokens:

teldat.eu has address 1.2.3.4

Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.eu has address 1.2.3.4

Step 8: Run command show host lookup teldat.eu type AAAA at DUT0 and check if output contains the following tokens:

teldat.eu has IPv6 address ff00::dead:beef

Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.eu has IPv6 address ff00::dead:beef

RegEx Input

Description

Cloaks domains whose names match a pattern such as 'teldat.*' or '*.teldat.*', instead of requiring an exact match on a given FQDN.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cloaking name '*.teldat.*' destination teldat.com
set service dns proxy cloaking name example.com destination teldat.com
set service dns proxy cloaking name 'teldat.*' destination teldat.com
set service dns proxy cloaking name teldat.com destination 10.11.12.13
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash f8bc50bc5ac15ce0f76e30e6a004a073889a788f693866f15b90a61d26d26c4f
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 10.11.12.13

Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 10.11.12.13

Step 3: Run command show host lookup example.com type A at DUT0 and check if output contains the following tokens:

example.com has address 10.11.12.13

Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
example.com has address 10.11.12.13

Step 4: Run command show host lookup teldat.es type A at DUT0 and check if output contains the following tokens:

teldat.es has address 10.11.12.13

Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.es has address 10.11.12.13

Step 5: Run command show host lookup teldat.fake type A at DUT0 and check if output contains the following tokens:

teldat.fake has address 10.11.12.13

Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.fake has address 10.11.12.13

Step 6: Run command show host lookup www.teldat.com type A at DUT0 and check if output contains the following tokens:

www.teldat.com has address 10.11.12.13

Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
www.teldat.com has address 10.11.12.13

Step 7: Run command show host lookup www.teldat.es type A at DUT0 and check if output contains the following tokens:

www.teldat.es has address 10.11.12.13

Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
www.teldat.es has address 10.11.12.13

Step 8: Run command show host lookup 1234.teldat.net type A at DUT0 and check if output contains the following tokens:

1234.teldat.net has address 10.11.12.13

Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
1234.teldat.net has address 10.11.12.13
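As an added example that is not the product's own code, the following Python model reproduces the cloaking behaviour the No Hosts, Chained Destinations and RegEx Input tests above exercise: exact rules before wildcard patterns, chained destinations followed until an IP address is reached, answers filtered by query type, and static host entries skipped when ignore-hosts is set. The rule tables and the upstream answer for teldat.com (19.18.17.16) are constructed from the tests; the DUT's real matching engine is not shown on this page.

```python
"""Model of the DNS proxy cloaking semantics exercised by these tests (added
example, not the product's own code)."""
import fnmatch
import ipaddress

# Constructed stand-in for the remote DoH server: the Chained Destinations and
# No Hosts tests show the upstream answer for teldat.com being 19.18.17.16.
UPSTREAM = {"teldat.com": ["19.18.17.16"]}


def _matches(pattern, name):
    """Exact name, or a glob-style pattern such as 'teldat.*' or '*.teldat.*'."""
    return pattern == name or ("*" in pattern and fnmatch.fnmatchcase(name, pattern))


def _qtype(addr):
    """Record type an address answers: A for IPv4, AAAA for IPv6."""
    return "A" if ipaddress.ip_address(addr).version == 4 else "AAAA"


def resolve(name, qtype, rules, hosts=None, ignore_hosts=False, depth=0):
    """Addresses a lookup of `name` returns under the given cloaking rules.

    rules: {pattern: [destination, ...]}; a destination is an IP address or
           another name, which is cloaked in turn (chained destinations).
    hosts: {name: [ip, ...]} static host entries, skipped when ignore_hosts.
    """
    if depth > 8:  # rule cycles (a -> b -> a) must not recurse forever
        raise RecursionError("cloaking chain too deep for %s" % name)
    # Exact rules are tried before wildcard patterns.
    for pattern in sorted(rules, key=lambda p: "*" in p):
        if _matches(pattern, name):
            answers = []
            for dest in rules[pattern]:
                try:
                    ipaddress.ip_address(dest)
                    answers.append(dest)
                except ValueError:  # not an address: follow the chain
                    answers += resolve(dest, qtype, rules, hosts, ignore_hosts, depth + 1)
            return [a for a in answers if _qtype(a) == qtype]
    if hosts and not ignore_hosts and name in hosts:
        return [a for a in hosts[name] if _qtype(a) == qtype]
    return [a for a in UPSTREAM.get(name, []) if _qtype(a) == qtype]


if __name__ == "__main__":
    chain = {"example.com": ["teldat.com"], "teldat.es": ["1.2.3.4", "ff00::dead:beef"],
             "teldat.eu": ["teldat.net"], "teldat.net": ["teldat.es"]}
    for qname, qt in [("example.com", "A"), ("teldat.eu", "A"), ("teldat.eu", "AAAA")]:
        print(qname, qt, resolve(qname, qt, chain))
```

The depth guard matters in practice: a rule set whose destinations form a loop would otherwise hang every lookup that touches it.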