Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWTUXJ6T0aB8HL7mSwF1vDY155kKDSUFz4TKygoN/8HIZkwlBkOL1Pco
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Oct 30 12:19:05.296029 osdx systemd-journald[1923]: Runtime Journal (/run/log/journal/877522c656344df9b9ad28416f5f036f) is 2.0M, max 15.3M, 13.2M free.
Oct 30 12:19:05.297672 osdx systemd-journald[1923]: Received client request to rotate journal, rotating.
Oct 30 12:19:05.297720 osdx systemd-journald[1923]: Vacuuming done, freed 0B of archived journals from /run/log/journal/877522c656344df9b9ad28416f5f036f.
Oct 30 12:19:05.306153 osdx OSDxCLI[101074]: User 'admin' executed a new command: 'system journal clear'.
Oct 30 12:19:05.630140 osdx osdx-coredump[194368]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Oct 30 12:19:05.637974 osdx OSDxCLI[101074]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 30 12:19:06.073967 osdx OSDxCLI[101074]: User 'admin' entered the configuration menu.
Oct 30 12:19:06.145325 osdx OSDxCLI[101074]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 30 12:19:06.240027 osdx OSDxCLI[101074]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 30 12:19:06.311179 osdx ERROR[194376]: unexpected Traceback (most recent call last): File "osdx/bin/op/fan_control.py", line 23, in _send_fan_control_cmd FileNotFoundError: [Errno 2] No such file or directory
Oct 30 12:19:06.315216 osdx OSDxCLI[101074]: User 'admin' added a new cfg line: 'show working'.
Oct 30 12:19:06.429672 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 30 12:19:06.535571 osdx cfgd[1636]: [101074]Completed change to active configuration
Oct 30 12:19:06.561100 osdx OSDxCLI[101074]: User 'admin' committed the configuration.
Oct 30 12:19:06.578849 osdx OSDxCLI[101074]: User 'admin' left the configuration menu.
Oct 30 12:19:06.713683 osdx OSDxCLI[101074]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Oct 30 12:19:06.838812 osdx OSDxCLI[101074]: User 'admin' entered the configuration menu.
Oct 30 12:19:06.897942 osdx OSDxCLI[101074]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 30 12:19:07.008041 osdx OSDxCLI[101074]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Oct 30 12:19:07.063344 osdx OSDxCLI[101074]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWTUXJ6T0aB8HL7mSwF1vDY155kKDSUFz4TKygoN/8HIZkwlBkOL1Pco''.
Oct 30 12:19:07.157979 osdx OSDxCLI[101074]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Oct 30 12:19:07.228584 osdx ERROR[194484]: unexpected Traceback (most recent call last): File "osdx/bin/op/fan_control.py", line 23, in _send_fan_control_cmd FileNotFoundError: [Errno 2] No such file or directory
Oct 30 12:19:07.233330 osdx OSDxCLI[101074]: User 'admin' added a new cfg line: 'show working'.
Oct 30 12:19:07.352754 osdx ca-certificates[194511]: Updating certificates in /etc/ssl/certs...
Oct 30 12:19:07.837451 osdx ca-certificates[195514]: 1 added, 0 removed; done.
Oct 30 12:19:07.841396 osdx ca-certificates[195521]: Running hooks in /etc/ca-certificates/update.d...
Oct 30 12:19:07.845174 osdx ca-certificates[195523]: done.
Oct 30 12:19:07.917968 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 30 12:19:07.919182 osdx cfgd[1636]: [101074]Completed change to active configuration
Oct 30 12:19:07.921588 osdx OSDxCLI[101074]: User 'admin' committed the configuration.
Oct 30 12:19:07.941334 osdx dnscrypt-proxy[195527]: [2024-10-30 12:19:07] [NOTICE] dnscrypt-proxy 2.0.45
Oct 30 12:19:07.941681 osdx dnscrypt-proxy[195527]: [2024-10-30 12:19:07] [NOTICE] Network connectivity detected
Oct 30 12:19:07.941988 osdx dnscrypt-proxy[195527]: [2024-10-30 12:19:07] [NOTICE] Dropping privileges
Oct 30 12:19:07.944536 osdx dnscrypt-proxy[195527]: [2024-10-30 12:19:07] [NOTICE] Network connectivity detected
Oct 30 12:19:07.944587 osdx dnscrypt-proxy[195527]: [2024-10-30 12:19:07] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Oct 30 12:19:07.944587 osdx dnscrypt-proxy[195527]: [2024-10-30 12:19:07] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Oct 30 12:19:07.945865 osdx dnscrypt-proxy[195527]: [2024-10-30 12:19:07] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-23voeqt544mo4bom.tmp: permission denied
Oct 30 12:19:07.945913 osdx dnscrypt-proxy[195527]: [2024-10-30 12:19:07] [NOTICE] Source [RD] loaded
Oct 30 12:19:07.945970 osdx dnscrypt-proxy[195527]: [2024-10-30 12:19:07] [WARNING] Missing stamp for server [server-name`]
Oct 30 12:19:07.946011 osdx dnscrypt-proxy[195527]: [2024-10-30 12:19:07] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Oct 30 12:19:07.946046 osdx dnscrypt-proxy[195527]: [2024-10-30 12:19:07] [NOTICE] Firefox workaround initialized
Oct 30 12:19:07.946080 osdx dnscrypt-proxy[195527]: [2024-10-30 12:19:07] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpbms7_1i7]
Oct 30 12:19:07.949015 osdx OSDxCLI[101074]: User 'admin' left the configuration menu.
Oct 30 12:19:08.098768 osdx OSDxCLI[101074]: User 'admin' executed a new command: 'system journal show | cat'.
Oct 30 12:19:08.099905 osdx dnscrypt-proxy[195527]: [2024-10-30 12:19:08] [NOTICE] [rd-server] OK (DoH) - rtt: 126ms
Oct 30 12:19:08.099905 osdx dnscrypt-proxy[195527]: [2024-10-30 12:19:08] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 126ms)
Oct 30 12:19:08.099968 osdx dnscrypt-proxy[195527]: [2024-10-30 12:19:08] [NOTICE] dnscrypt-proxy is ready - live servers: 1
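The Step 2 check as an added Python example (not part of the original test suite): it applies the page's pass pattern to an excerpt of the journal output above and separately lists the dnscrypt-proxy WARNING entries, which the pattern never inspects. The function names are hypothetical.

```python
import re

# Excerpt of the journal output shown above (dnscrypt-proxy entries only).
JOURNAL = """\
Oct 30 12:19:07.945865 osdx dnscrypt-proxy[195527]: [2024-10-30 12:19:07] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-23voeqt544mo4bom.tmp: permission denied
Oct 30 12:19:07.945913 osdx dnscrypt-proxy[195527]: [2024-10-30 12:19:07] [NOTICE] Source [RD] loaded
Oct 30 12:19:07.945970 osdx dnscrypt-proxy[195527]: [2024-10-30 12:19:07] [WARNING] Missing stamp for server [server-name`]
Oct 30 12:19:08.099905 osdx dnscrypt-proxy[195527]: [2024-10-30 12:19:08] [NOTICE] [rd-server] OK (DoH) - rtt: 126ms
"""

# One journal entry written by dnscrypt-proxy: syslog prefix, then the
# proxy's own "[timestamp] [LEVEL] message" format.
ENTRY = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) \S+ dnscrypt-proxy\[(?P<pid>\d+)\]: "
    r"\[[^\]]+\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$",
    re.MULTILINE,
)


def proxy_entries(journal):
    """Yield (level, message) for every dnscrypt-proxy journal entry."""
    for m in ENTRY.finditer(journal):
        yield m["level"], m["msg"]


def server_rtt_ms(journal, server):
    """Apply the test's pass pattern for `server`; return the rtt or None."""
    # Same pattern as the test; its (?m) inline flag is passed as re.MULTILINE.
    pattern = re.compile(
        r"^.*\[" + re.escape(server) + r"\] OK \(DoH\) - rtt: (\d+)ms$",
        re.MULTILINE,
    )
    m = pattern.search(journal)
    return int(m.group(1)) if m else None


def proxy_warnings(journal):
    """WARNING entries, which the pass pattern does not look at."""
    return [msg for level, msg in proxy_entries(journal) if level == "WARNING"]


if __name__ == "__main__":
    print("rd-server rtt (ms):", server_rtt_ms(JOURNAL, "rd-server"))
    for warning in proxy_warnings(JOURNAL):
        print("warning:", warning)
```

On this run the verdict is a pass even though the source cache write failed with permission denied and one server entry had no stamp; a stricter acceptance check could report those warnings as findings.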
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWTUXJ6T0aB8HL7mSwF1vDY155kKDSUFz4TKygoN/8HIZkwlBkOL1Pco
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Oct 30 12:19:13.371344 osdx systemd-journald[1923]: Runtime Journal (/run/log/journal/877522c656344df9b9ad28416f5f036f) is 2.0M, max 15.3M, 13.3M free.
Oct 30 12:19:13.372791 osdx systemd-journald[1923]: Received client request to rotate journal, rotating.
Oct 30 12:19:13.372853 osdx systemd-journald[1923]: Vacuuming done, freed 0B of archived journals from /run/log/journal/877522c656344df9b9ad28416f5f036f.
Oct 30 12:19:13.383646 osdx OSDxCLI[101074]: User 'admin' executed a new command: 'system journal clear'.
Oct 30 12:19:13.759667 osdx osdx-coredump[197130]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Oct 30 12:19:13.767580 osdx OSDxCLI[101074]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 30 12:19:14.227927 osdx OSDxCLI[101074]: User 'admin' entered the configuration menu.
Oct 30 12:19:14.307411 osdx OSDxCLI[101074]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 30 12:19:14.400964 osdx OSDxCLI[101074]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 30 12:19:14.467578 osdx ERROR[197138]: unexpected Traceback (most recent call last): File "osdx/bin/op/fan_control.py", line 23, in _send_fan_control_cmd FileNotFoundError: [Errno 2] No such file or directory
Oct 30 12:19:14.468307 osdx OSDxCLI[101074]: User 'admin' added a new cfg line: 'show working'.
Oct 30 12:19:14.572785 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 30 12:19:14.683766 osdx cfgd[1636]: [101074]Completed change to active configuration
Oct 30 12:19:14.709246 osdx OSDxCLI[101074]: User 'admin' committed the configuration.
Oct 30 12:19:14.732454 osdx OSDxCLI[101074]: User 'admin' left the configuration menu.
Oct 30 12:19:14.883971 osdx OSDxCLI[101074]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Oct 30 12:19:15.046802 osdx OSDxCLI[101074]: User 'admin' entered the configuration menu.
Oct 30 12:19:15.108121 osdx OSDxCLI[101074]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 30 12:19:15.208527 osdx OSDxCLI[101074]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Oct 30 12:19:15.263543 osdx OSDxCLI[101074]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWTUXJ6T0aB8HL7mSwF1vDY155kKDSUFz4TKygoN/8HIZkwlBkOL1Pco''.
Oct 30 12:19:15.359330 osdx OSDxCLI[101074]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Oct 30 12:19:15.416165 osdx OSDxCLI[101074]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Oct 30 12:19:15.529388 osdx ERROR[197247]: unexpected Traceback (most recent call last): File "osdx/bin/op/fan_control.py", line 23, in _send_fan_control_cmd FileNotFoundError: [Errno 2] No such file or directory
Oct 30 12:19:15.530305 osdx OSDxCLI[101074]: User 'admin' added a new cfg line: 'show working'.
Oct 30 12:19:15.618616 osdx ca-certificates[197274]: Updating certificates in /etc/ssl/certs...
Oct 30 12:19:16.117734 osdx ca-certificates[198277]: 1 added, 0 removed; done.
Oct 30 12:19:16.120654 osdx ca-certificates[198284]: Running hooks in /etc/ca-certificates/update.d...
Oct 30 12:19:16.123357 osdx ca-certificates[198286]: done.
Oct 30 12:19:16.181138 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 30 12:19:16.182401 osdx cfgd[1636]: [101074]Completed change to active configuration
Oct 30 12:19:16.184843 osdx OSDxCLI[101074]: User 'admin' committed the configuration.
Oct 30 12:19:16.203438 osdx dnscrypt-proxy[198290]: [2024-10-30 12:19:16] [NOTICE] dnscrypt-proxy 2.0.45
Oct 30 12:19:16.203618 osdx dnscrypt-proxy[198290]: [2024-10-30 12:19:16] [NOTICE] Network connectivity detected
Oct 30 12:19:16.203693 osdx dnscrypt-proxy[198290]: [2024-10-30 12:19:16] [NOTICE] Dropping privileges
Oct 30 12:19:16.205643 osdx dnscrypt-proxy[198290]: [2024-10-30 12:19:16] [NOTICE] Network connectivity detected
Oct 30 12:19:16.205743 osdx dnscrypt-proxy[198290]: [2024-10-30 12:19:16] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Oct 30 12:19:16.205785 osdx dnscrypt-proxy[198290]: [2024-10-30 12:19:16] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Oct 30 12:19:16.206904 osdx dnscrypt-proxy[198290]: [2024-10-30 12:19:16] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-kvyc5kyez377ye77.tmp: permission denied
Oct 30 12:19:16.206904 osdx dnscrypt-proxy[198290]: [2024-10-30 12:19:16] [NOTICE] Source [RD] loaded
Oct 30 12:19:16.206965 osdx dnscrypt-proxy[198290]: [2024-10-30 12:19:16] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Oct 30 12:19:16.206965 osdx dnscrypt-proxy[198290]: [2024-10-30 12:19:16] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Oct 30 12:19:16.206965 osdx dnscrypt-proxy[198290]: [2024-10-30 12:19:16] [NOTICE] Firefox workaround initialized
Oct 30 12:19:16.206965 osdx dnscrypt-proxy[198290]: [2024-10-30 12:19:16] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpls6ocyg_]
Oct 30 12:19:16.223632 osdx OSDxCLI[101074]: User 'admin' left the configuration menu.
Oct 30 12:19:16.381860 osdx dnscrypt-proxy[198290]: [2024-10-30 12:19:16] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 142ms
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key 88nvxn8tdwPrurDPwYAQPeTS
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
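The Invalid Source and Invalid Minisign Key scenarios both depend on a bad key being rejected. As an added example (not OSDx or dnscrypt-proxy code), this Python check tests the three keys from this page against the minisign public key layout: base64 of a 2-byte algorithm id "Ed", an 8-byte key id and a 32-byte Ed25519 key. It is a structural pre-check only and verifies no signature; check_minisign_key and KeyCheck are hypothetical names.

```python
import base64
import binascii
from typing import NamedTuple, Optional

# minisign public key = base64(2-byte algorithm id || 8-byte key id || 32-byte key)
ALGORITHM = b"Ed"
DECODED_LEN = 2 + 8 + 32


class KeyCheck(NamedTuple):
    ok: bool
    reason: str
    key_id: Optional[str]  # raw key-id bytes as hex, in stored order


def check_minisign_key(encoded: str) -> KeyCheck:
    """Structural check of a minisign public key string (no signature check)."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as exc:
        return KeyCheck(False, f"not valid base64 ({exc})", None)
    if len(raw) != DECODED_LEN:
        return KeyCheck(False, f"decodes to {len(raw)} bytes, expected {DECODED_LEN}", None)
    if raw[:2] != ALGORITHM:
        return KeyCheck(False, f"algorithm id {raw[:2]!r}, expected {ALGORITHM!r}", None)
    return KeyCheck(True, "well-formed", raw[2:10].hex())


# The three minisign-key values used by the scenarios on this page.
PAGE_KEYS = {
    "valid source": "RWTUXJ6T0aB8HL7mSwF1vDY155kKDSUFz4TKygoN/8HIZkwlBkOL1Pco",
    "invalid source": "88nvxn8tdwPrurDPwYAQPeTS",
    "invalid minisign key": "InvalidMinisignKey==",
}

if __name__ == "__main__":
    for label, key in PAGE_KEYS.items():
        print(f"{label:22} {check_minisign_key(key)}")
```

A well-formed key can still be the wrong key; that case is only caught when the signature over the downloaded source list is verified.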