Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWQjmV8ePsrXlMW8dVuFZn/igSk3HyArDem3Fi6ykk7Edi1LeTQG1h/W
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Oct 07 12:40:03.297440 osdx systemd-journald[115269]: Runtime Journal (/run/log/journal/ea320b11e8924984abe0660bdd8d3fcc) is 2.0M, max 15.3M, 13.2M free.
Oct 07 12:40:03.300672 osdx systemd-journald[115269]: Received client request to rotate journal, rotating.
Oct 07 12:40:03.300736 osdx systemd-journald[115269]: Vacuuming done, freed 0B of archived journals from /run/log/journal/ea320b11e8924984abe0660bdd8d3fcc.
Oct 07 12:40:03.309423 osdx OSDxCLI[267623]: User 'admin' executed a new command: 'system journal clear'.
Oct 07 12:40:03.646483 osdx osdx-coredump[344784]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Oct 07 12:40:03.653962 osdx OSDxCLI[267623]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 07 12:40:04.099382 osdx OSDxCLI[267623]: User 'admin' entered the configuration menu.
Oct 07 12:40:04.181800 osdx OSDxCLI[267623]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 07 12:40:04.266249 osdx OSDxCLI[267623]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 07 12:40:04.338916 osdx OSDxCLI[267623]: User 'admin' added a new cfg line: 'show working'.
Oct 07 12:40:04.456676 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 07 12:40:04.533839 osdx cfgd[1439]: [267623]Completed change to active configuration
Oct 07 12:40:04.559837 osdx OSDxCLI[267623]: User 'admin' committed the configuration.
Oct 07 12:40:04.575591 osdx OSDxCLI[267623]: User 'admin' left the configuration menu.
Oct 07 12:40:04.718886 osdx OSDxCLI[267623]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Oct 07 12:40:04.854485 osdx zebra[1404]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Oct 07 12:40:04.889817 osdx OSDxCLI[267623]: User 'admin' entered the configuration menu.
Oct 07 12:40:04.951185 osdx OSDxCLI[267623]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 07 12:40:05.052992 osdx OSDxCLI[267623]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Oct 07 12:40:05.108269 osdx OSDxCLI[267623]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWQjmV8ePsrXlMW8dVuFZn/igSk3HyArDem3Fi6ykk7Edi1LeTQG1h/W''.
Oct 07 12:40:05.204453 osdx OSDxCLI[267623]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Oct 07 12:40:05.277679 osdx OSDxCLI[267623]: User 'admin' added a new cfg line: 'show working'.
Oct 07 12:40:05.395254 osdx ca-certificates[344923]: Updating certificates in /etc/ssl/certs...
Oct 07 12:40:05.890948 osdx ca-certificates[345926]: 1 added, 0 removed; done.
Oct 07 12:40:05.893666 osdx ca-certificates[345933]: Running hooks in /etc/ca-certificates/update.d...
Oct 07 12:40:05.897117 osdx ca-certificates[345935]: done.
Oct 07 12:40:05.957046 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 07 12:40:05.958141 osdx cfgd[1439]: [267623]Completed change to active configuration
Oct 07 12:40:05.961647 osdx OSDxCLI[267623]: User 'admin' committed the configuration.
Oct 07 12:40:05.991405 osdx dnscrypt-proxy[345939]: [2024-10-07 12:40:05] [NOTICE] dnscrypt-proxy 2.0.45
Oct 07 12:40:05.991405 osdx dnscrypt-proxy[345939]: [2024-10-07 12:40:05] [NOTICE] Network connectivity detected
Oct 07 12:40:05.991405 osdx dnscrypt-proxy[345939]: [2024-10-07 12:40:05] [NOTICE] Dropping privileges
Oct 07 12:40:05.992609 osdx OSDxCLI[267623]: User 'admin' left the configuration menu.
Oct 07 12:40:05.994229 osdx dnscrypt-proxy[345939]: [2024-10-07 12:40:05] [NOTICE] Network connectivity detected
Oct 07 12:40:05.994263 osdx dnscrypt-proxy[345939]: [2024-10-07 12:40:05] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Oct 07 12:40:05.994277 osdx dnscrypt-proxy[345939]: [2024-10-07 12:40:05] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Oct 07 12:40:05.995654 osdx dnscrypt-proxy[345939]: [2024-10-07 12:40:05] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-eppmbu7z3c5dn3hf.tmp: permission denied
Oct 07 12:40:05.995654 osdx dnscrypt-proxy[345939]: [2024-10-07 12:40:05] [NOTICE] Source [RD] loaded
Oct 07 12:40:05.995690 osdx dnscrypt-proxy[345939]: [2024-10-07 12:40:05] [WARNING] Missing stamp for server [server-name`]
Oct 07 12:40:05.995704 osdx dnscrypt-proxy[345939]: [2024-10-07 12:40:05] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Oct 07 12:40:05.995704 osdx dnscrypt-proxy[345939]: [2024-10-07 12:40:05] [NOTICE] Firefox workaround initialized
Oct 07 12:40:05.995733 osdx dnscrypt-proxy[345939]: [2024-10-07 12:40:05] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpvl56l5l5]
Oct 07 12:40:06.138419 osdx dnscrypt-proxy[345939]: [2024-10-07 12:40:06] [NOTICE] [rd-server] OK (DoH) - rtt: 119ms
Oct 07 12:40:06.138419 osdx dnscrypt-proxy[345939]: [2024-10-07 12:40:06] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 119ms)
Oct 07 12:40:06.138419 osdx dnscrypt-proxy[345939]: [2024-10-07 12:40:06] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Oct 07 12:40:06.141982 osdx OSDxCLI[267623]: User 'admin' executed a new command: 'system journal show | cat'.
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWQjmV8ePsrXlMW8dVuFZn/igSk3HyArDem3Fi6ykk7Edi1LeTQG1h/W
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Oct 07 12:40:11.301854 osdx systemd-journald[115269]: Runtime Journal (/run/log/journal/ea320b11e8924984abe0660bdd8d3fcc) is 2.0M, max 15.3M, 13.3M free.
Oct 07 12:40:11.302427 osdx systemd-journald[115269]: Received client request to rotate journal, rotating.
Oct 07 12:40:11.302468 osdx systemd-journald[115269]: Vacuuming done, freed 0B of archived journals from /run/log/journal/ea320b11e8924984abe0660bdd8d3fcc.
Oct 07 12:40:11.313561 osdx OSDxCLI[267623]: User 'admin' executed a new command: 'system journal clear'.
Oct 07 12:40:11.644888 osdx osdx-coredump[347535]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Oct 07 12:40:11.652784 osdx OSDxCLI[267623]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 07 12:40:12.132377 osdx OSDxCLI[267623]: User 'admin' entered the configuration menu.
Oct 07 12:40:12.207897 osdx OSDxCLI[267623]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 07 12:40:12.345766 osdx OSDxCLI[267623]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 07 12:40:12.425267 osdx OSDxCLI[267623]: User 'admin' added a new cfg line: 'show working'.
Oct 07 12:40:12.562020 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 07 12:40:12.640896 osdx cfgd[1439]: [267623]Completed change to active configuration
Oct 07 12:40:12.674364 osdx OSDxCLI[267623]: User 'admin' committed the configuration.
Oct 07 12:40:12.707625 osdx OSDxCLI[267623]: User 'admin' left the configuration menu.
Oct 07 12:40:12.840692 osdx OSDxCLI[267623]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Oct 07 12:40:13.034699 osdx OSDxCLI[267623]: User 'admin' entered the configuration menu.
Oct 07 12:40:13.119352 osdx OSDxCLI[267623]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 07 12:40:13.218800 osdx OSDxCLI[267623]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Oct 07 12:40:13.283714 osdx OSDxCLI[267623]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWQjmV8ePsrXlMW8dVuFZn/igSk3HyArDem3Fi6ykk7Edi1LeTQG1h/W''.
Oct 07 12:40:13.373040 osdx OSDxCLI[267623]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Oct 07 12:40:13.428417 osdx OSDxCLI[267623]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Oct 07 12:40:13.539754 osdx OSDxCLI[267623]: User 'admin' added a new cfg line: 'show working'.
Oct 07 12:40:13.625671 osdx ca-certificates[347675]: Updating certificates in /etc/ssl/certs...
Oct 07 12:40:14.123816 osdx ca-certificates[348679]: 1 added, 0 removed; done.
Oct 07 12:40:14.126537 osdx ca-certificates[348685]: Running hooks in /etc/ca-certificates/update.d...
Oct 07 12:40:14.129262 osdx ca-certificates[348687]: done.
Oct 07 12:40:14.206314 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 07 12:40:14.207686 osdx cfgd[1439]: [267623]Completed change to active configuration
Oct 07 12:40:14.210113 osdx OSDxCLI[267623]: User 'admin' committed the configuration.
Oct 07 12:40:14.228555 osdx dnscrypt-proxy[348691]: [2024-10-07 12:40:14] [NOTICE] dnscrypt-proxy 2.0.45
Oct 07 12:40:14.228733 osdx dnscrypt-proxy[348691]: [2024-10-07 12:40:14] [NOTICE] Network connectivity detected
Oct 07 12:40:14.228853 osdx dnscrypt-proxy[348691]: [2024-10-07 12:40:14] [NOTICE] Dropping privileges
Oct 07 12:40:14.231729 osdx dnscrypt-proxy[348691]: [2024-10-07 12:40:14] [NOTICE] Network connectivity detected
Oct 07 12:40:14.231773 osdx dnscrypt-proxy[348691]: [2024-10-07 12:40:14] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Oct 07 12:40:14.231773 osdx dnscrypt-proxy[348691]: [2024-10-07 12:40:14] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Oct 07 12:40:14.232627 osdx dnscrypt-proxy[348691]: [2024-10-07 12:40:14] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-pukhuotthbo6zdse.tmp: permission denied
Oct 07 12:40:14.232674 osdx dnscrypt-proxy[348691]: [2024-10-07 12:40:14] [NOTICE] Source [RD] loaded
Oct 07 12:40:14.232721 osdx dnscrypt-proxy[348691]: [2024-10-07 12:40:14] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Oct 07 12:40:14.232758 osdx dnscrypt-proxy[348691]: [2024-10-07 12:40:14] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Oct 07 12:40:14.232788 osdx dnscrypt-proxy[348691]: [2024-10-07 12:40:14] [NOTICE] Firefox workaround initialized
Oct 07 12:40:14.232814 osdx dnscrypt-proxy[348691]: [2024-10-07 12:40:14] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp8s83p7ar]
Oct 07 12:40:14.237193 osdx OSDxCLI[267623]: User 'admin' left the configuration menu.
Oct 07 12:40:14.390864 osdx dnscrypt-proxy[348691]: [2024-10-07 12:40:14] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 135ms
Oct 07 12:40:14.390864 osdx dnscrypt-proxy[348691]: [2024-10-07 12:40:14] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 135ms)
Oct 07 12:40:14.390864 osdx dnscrypt-proxy[348691]: [2024-10-07 12:40:14] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Oct 07 12:40:14.396709 osdx OSDxCLI[267623]: User 'admin' executed a new command: 'system journal show | cat'.
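
The Step 2 check from the two valid-source scenarios above, as an added example that is not part of the original test suite: it parses the dnscrypt-proxy journal entries, matches the exact bracketed server name (so `rd-server` does not pass once the source prefix turns it into `PRIVATE-rd-server`), and also collects warnings and the live server count. The function name and result keys are hypothetical; the sample lines are excerpted from the output above.

```python
import re

# A dnscrypt-proxy journal entry: "... dnscrypt-proxy[PID]: [timestamp] [LEVEL] message"
PROXY_LINE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
READY = re.compile(r"dnscrypt-proxy is ready - live servers: (\d+)$")

def doh_check(journal: str, server: str) -> dict:
    """Summarise the dnscrypt-proxy start-up for one expected server name."""
    # Anchor on the full bracketed name so a prefixed or similar name cannot match.
    ok = re.compile(r"\[" + re.escape(server) + r"\] OK \(DoH\) - rtt: (\d+)ms$")
    result = {"ok": False, "rtt_ms": None, "live_servers": None, "warnings": []}
    for line in journal.splitlines():
        entry = PROXY_LINE.search(line.rstrip())
        if entry is None:
            continue  # not a dnscrypt-proxy entry (CLI audit, systemd, kernel, ...)
        msg = entry["msg"]
        if entry["level"] == "WARNING":
            result["warnings"].append(msg)
        elif (hit := ok.match(msg)) is not None:
            result["ok"], result["rtt_ms"] = True, int(hit[1])
        elif (ready := READY.match(msg)) is not None:
            result["live_servers"] = int(ready[1])
    return result

# Lines excerpted from the "Valid Source With Prefix" output above.
SAMPLE_JOURNAL = """\
Oct 07 12:40:14.210113 osdx OSDxCLI[267623]: User 'admin' committed the configuration.
Oct 07 12:40:14.232674 osdx dnscrypt-proxy[348691]: [2024-10-07 12:40:14] [NOTICE] Source [RD] loaded
Oct 07 12:40:14.232721 osdx dnscrypt-proxy[348691]: [2024-10-07 12:40:14] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Oct 07 12:40:14.390864 osdx dnscrypt-proxy[348691]: [2024-10-07 12:40:14] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 135ms
Oct 07 12:40:14.390864 osdx dnscrypt-proxy[348691]: [2024-10-07 12:40:14] [NOTICE] dnscrypt-proxy is ready - live servers: 1
"""

if __name__ == "__main__":
    print(doh_check(SAMPLE_JOURNAL, "PRIVATE-rd-server"))
    print(doh_check(SAMPLE_JOURNAL, "rd-server"))  # unprefixed name: ok stays False
```
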
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key qfH9E92P1uPun1X8oXIwoGBD
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
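
An added example (not from the original suite or from dnscrypt-proxy) that pre-checks the structure of each configured minisign key, relevant to the Invalid Source and Invalid Minisign Key scenarios: a minisign public key is the base64 encoding of 42 bytes, made of the algorithm id `Ed`, an 8-byte key id and a 32-byte Ed25519 key. The function names and the source names in the sample config are hypothetical; the three keys are the ones used on this page. It verifies no signature.

```python
import base64
import binascii
import re
from typing import Optional

# "set service dns proxy source <name> minisign-key <key>", key optionally quoted.
KEY_LINE = re.compile(
    r"^set service dns proxy source (\S+) minisign-key '?([^'\s]+)'?$")

def minisign_pubkey_problem(key_b64: str) -> Optional[str]:
    """Return why key_b64 cannot be a minisign public key, or None if well-formed."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        return f"not valid base64: {exc}"
    if len(raw) != 42:  # 2 (algorithm) + 8 (key id) + 32 (Ed25519 public key)
        return f"decodes to {len(raw)} bytes, expected 42"
    if raw[:2] != b"Ed":
        return f"unknown signature algorithm {raw[:2]!r}"
    return None

def audit_sources(config: str) -> dict:
    """Map each source name in the config to its key problem (None = well-formed)."""
    found = {}
    for line in config.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            found[m.group(1)] = minisign_pubkey_problem(m.group(2))
    return found

# Keys copied from the scenarios on this page; the source names VALID, RANDOM
# and BADKEY are constructed so that one config can hold all three.
SAMPLE_CONFIG = """\
set service dns proxy source VALID minisign-key RWQjmV8ePsrXlMW8dVuFZn/igSk3HyArDem3Fi6ykk7Edi1LeTQG1h/W
set service dns proxy source RANDOM minisign-key qfH9E92P1uPun1X8oXIwoGBD
set service dns proxy source BADKEY minisign-key InvalidMinisignKey==
"""

if __name__ == "__main__":
    for name, problem in audit_sources(SAMPLE_CONFIG).items():
        print(name, "->", problem or "well-formed")
```

Both keys from the failing scenarios are rejected by this check on structure alone, before any signature comparison would take place.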