Source

Test suite to validate using one or multiple ciphers to protect DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWSB/vpuIPdrYSFXBh+ByzTvKdGaZgbrnM9MKal7c+zf7BxjHyU3W1Dc
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Show output
Dec 03 13:19:49.370857 osdx systemd-journald[1835]: Runtime Journal (/run/log/journal/d3b584433ca54f4e84c38003c593de3f) is 2.0M, max 15.3M, 13.2M free.
Dec 03 13:19:49.372102 osdx systemd-journald[1835]: Received client request to rotate journal, rotating.
Dec 03 13:19:49.372170 osdx systemd-journald[1835]: Vacuuming done, freed 0B of archived journals from /run/log/journal/d3b584433ca54f4e84c38003c593de3f.
Dec 03 13:19:49.384768 osdx OSDxCLI[9822]: User 'admin' executed a new command: 'system journal clear'.
Dec 03 13:19:49.751019 osdx osdx-coredump[141836]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Dec 03 13:19:49.761338 osdx OSDxCLI[9822]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 03 13:19:50.305883 osdx OSDxCLI[9822]: User 'admin' entered the configuration menu.
Dec 03 13:19:50.443472 osdx OSDxCLI[9822]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 03 13:19:50.536629 osdx OSDxCLI[9822]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 03 13:19:50.608817 osdx OSDxCLI[9822]: User 'admin' added a new cfg line: 'show working'.
Dec 03 13:19:50.744099 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 03 13:19:50.866588 osdx cfgd[1634]: [9822]Completed change to active configuration
Dec 03 13:19:50.895603 osdx OSDxCLI[9822]: User 'admin' committed the configuration.
Dec 03 13:19:50.946657 osdx OSDxCLI[9822]: User 'admin' left the configuration menu.
Dec 03 13:19:51.063062 osdx OSDxCLI[9822]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Dec 03 13:19:51.248634 osdx OSDxCLI[9822]: User 'admin' entered the configuration menu.
Dec 03 13:19:51.338322 osdx OSDxCLI[9822]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 03 13:19:51.421260 osdx OSDxCLI[9822]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Dec 03 13:19:51.502164 osdx OSDxCLI[9822]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWSB/vpuIPdrYSFXBh+ByzTvKdGaZgbrnM9MKal7c+zf7BxjHyU3W1Dc'.
Dec 03 13:19:51.617843 osdx OSDxCLI[9822]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Dec 03 13:19:51.725044 osdx OSDxCLI[9822]: User 'admin' added a new cfg line: 'show working'.
Dec 03 13:19:51.815521 osdx ca-certificates[141979]: Updating certificates in /etc/ssl/certs...
Dec 03 13:19:52.573731 osdx ca-certificates[142983]: 1 added, 0 removed; done.
Dec 03 13:19:52.577966 osdx ca-certificates[142989]: Running hooks in /etc/ca-certificates/update.d...
Dec 03 13:19:52.582273 osdx ca-certificates[142991]: done.
Dec 03 13:19:52.640667 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 03 13:19:52.642950 osdx cfgd[1634]: [9822]Completed change to active configuration
Dec 03 13:19:52.647128 osdx OSDxCLI[9822]: User 'admin' committed the configuration.
Dec 03 13:19:52.682674 osdx dnscrypt-proxy[142995]: [2024-12-03 13:19:52] [NOTICE] dnscrypt-proxy 2.0.45
Dec 03 13:19:52.682996 osdx dnscrypt-proxy[142995]: [2024-12-03 13:19:52] [NOTICE] Network connectivity detected
Dec 03 13:19:52.683031 osdx dnscrypt-proxy[142995]: [2024-12-03 13:19:52] [NOTICE] Dropping privileges
Dec 03 13:19:52.690499 osdx dnscrypt-proxy[142995]: [2024-12-03 13:19:52] [NOTICE] Network connectivity detected
Dec 03 13:19:52.690669 osdx dnscrypt-proxy[142995]: [2024-12-03 13:19:52] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Dec 03 13:19:52.690669 osdx dnscrypt-proxy[142995]: [2024-12-03 13:19:52] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Dec 03 13:19:52.700453 osdx OSDxCLI[9822]: User 'admin' left the configuration menu.
Dec 03 13:19:52.701993 osdx dnscrypt-proxy[142995]: [2024-12-03 13:19:52] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-5nlnxygnlst3h7qe.tmp: permission denied
Dec 03 13:19:52.701993 osdx dnscrypt-proxy[142995]: [2024-12-03 13:19:52] [NOTICE] Source [RD] loaded
Dec 03 13:19:52.702068 osdx dnscrypt-proxy[142995]: [2024-12-03 13:19:52] [WARNING] Missing stamp for server [server-name`]
Dec 03 13:19:52.702068 osdx dnscrypt-proxy[142995]: [2024-12-03 13:19:52] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Dec 03 13:19:52.702068 osdx dnscrypt-proxy[142995]: [2024-12-03 13:19:52] [NOTICE] Firefox workaround initialized
Dec 03 13:19:52.702068 osdx dnscrypt-proxy[142995]: [2024-12-03 13:19:52] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpt2zmgfmi]
Dec 03 13:19:52.893087 osdx OSDxCLI[9822]: User 'admin' executed a new command: 'system journal show | cat'.
Dec 03 13:19:52.900870 osdx dnscrypt-proxy[142995]: [2024-12-03 13:19:52] [NOTICE] [rd-server] OK (DoH) - rtt: 161ms
Dec 03 13:19:52.900870 osdx dnscrypt-proxy[142995]: [2024-12-03 13:19:52] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 161ms)
Dec 03 13:19:52.900870 osdx dnscrypt-proxy[142995]: [2024-12-03 13:19:52] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWSB/vpuIPdrYSFXBh+ByzTvKdGaZgbrnM9MKal7c+zf7BxjHyU3W1Dc
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Show output
Dec 03 13:20:00.404636 osdx systemd-journald[1835]: Runtime Journal (/run/log/journal/d3b584433ca54f4e84c38003c593de3f) is 2.0M, max 15.3M, 13.3M free.
Dec 03 13:20:00.407004 osdx systemd-journald[1835]: Received client request to rotate journal, rotating.
Dec 03 13:20:00.407078 osdx systemd-journald[1835]: Vacuuming done, freed 0B of archived journals from /run/log/journal/d3b584433ca54f4e84c38003c593de3f.
Dec 03 13:20:00.425872 osdx OSDxCLI[9822]: User 'admin' executed a new command: 'system journal clear'.
Dec 03 13:20:00.900917 osdx osdx-coredump[144596]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Dec 03 13:20:00.921733 osdx OSDxCLI[9822]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 03 13:20:01.655960 osdx OSDxCLI[9822]: User 'admin' entered the configuration menu.
Dec 03 13:20:01.798785 osdx OSDxCLI[9822]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 03 13:20:01.879086 osdx OSDxCLI[9822]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 03 13:20:02.086261 osdx OSDxCLI[9822]: User 'admin' added a new cfg line: 'show working'.
Dec 03 13:20:02.258946 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 03 13:20:02.457799 osdx cfgd[1634]: [9822]Completed change to active configuration
Dec 03 13:20:02.492189 osdx OSDxCLI[9822]: User 'admin' committed the configuration.
Dec 03 13:20:02.527951 osdx OSDxCLI[9822]: User 'admin' left the configuration menu.
Dec 03 13:20:02.748355 osdx OSDxCLI[9822]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Dec 03 13:20:03.051289 osdx OSDxCLI[9822]: User 'admin' entered the configuration menu.
Dec 03 13:20:03.162428 osdx OSDxCLI[9822]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 03 13:20:03.282662 osdx OSDxCLI[9822]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Dec 03 13:20:03.398082 osdx OSDxCLI[9822]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWSB/vpuIPdrYSFXBh+ByzTvKdGaZgbrnM9MKal7c+zf7BxjHyU3W1Dc'.
Dec 03 13:20:03.533008 osdx OSDxCLI[9822]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Dec 03 13:20:03.638704 osdx OSDxCLI[9822]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Dec 03 13:20:03.791784 osdx OSDxCLI[9822]: User 'admin' added a new cfg line: 'show working'.
Dec 03 13:20:03.905044 osdx ca-certificates[144743]: Updating certificates in /etc/ssl/certs...
Dec 03 13:20:04.571362 osdx ca-certificates[145749]: 1 added, 0 removed; done.
Dec 03 13:20:04.575757 osdx ca-certificates[145755]: Running hooks in /etc/ca-certificates/update.d...
Dec 03 13:20:04.579515 osdx ca-certificates[145757]: done.
Dec 03 13:20:04.651469 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 03 13:20:04.653385 osdx cfgd[1634]: [9822]Completed change to active configuration
Dec 03 13:20:04.657771 osdx OSDxCLI[9822]: User 'admin' committed the configuration.
Dec 03 13:20:04.686347 osdx dnscrypt-proxy[145761]: [2024-12-03 13:20:04] [NOTICE] dnscrypt-proxy 2.0.45
Dec 03 13:20:04.686687 osdx dnscrypt-proxy[145761]: [2024-12-03 13:20:04] [NOTICE] Network connectivity detected
Dec 03 13:20:04.686717 osdx dnscrypt-proxy[145761]: [2024-12-03 13:20:04] [NOTICE] Dropping privileges
Dec 03 13:20:04.704954 osdx OSDxCLI[9822]: User 'admin' left the configuration menu.
Dec 03 13:20:04.709439 osdx dnscrypt-proxy[145761]: [2024-12-03 13:20:04] [NOTICE] Network connectivity detected
Dec 03 13:20:04.709525 osdx dnscrypt-proxy[145761]: [2024-12-03 13:20:04] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Dec 03 13:20:04.709525 osdx dnscrypt-proxy[145761]: [2024-12-03 13:20:04] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Dec 03 13:20:04.710664 osdx dnscrypt-proxy[145761]: [2024-12-03 13:20:04] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-3b24mvfcu7ch4nde.tmp: permission denied
Dec 03 13:20:04.710779 osdx dnscrypt-proxy[145761]: [2024-12-03 13:20:04] [NOTICE] Source [RD] loaded
Dec 03 13:20:04.710841 osdx dnscrypt-proxy[145761]: [2024-12-03 13:20:04] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Dec 03 13:20:04.710885 osdx dnscrypt-proxy[145761]: [2024-12-03 13:20:04] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Dec 03 13:20:04.710977 osdx dnscrypt-proxy[145761]: [2024-12-03 13:20:04] [NOTICE] Firefox workaround initialized
Dec 03 13:20:04.711024 osdx dnscrypt-proxy[145761]: [2024-12-03 13:20:04] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpzeg79if4]
Dec 03 13:20:04.893593 osdx OSDxCLI[9822]: User 'admin' executed a new command: 'system journal show | cat'.
Dec 03 13:20:04.942523 osdx dnscrypt-proxy[145761]: [2024-12-03 13:20:04] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 202ms
Dec 03 13:20:04.942523 osdx dnscrypt-proxy[145761]: [2024-12-03 13:20:04] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 202ms)
Dec 03 13:20:04.942523 osdx dnscrypt-proxy[145761]: [2024-12-03 13:20:04] [NOTICE] dnscrypt-proxy is ready - live servers: 1
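
The Step 2 check in both valid-source scenarios only looks for the `OK (DoH)` line, so the `[WARNING]` entries in the same output do not affect the result. The following added example (not part of the test suite or of OSDx) applies the same success condition and also collects those warnings; `check_journal` and the level set are assumptions made for illustration, and the sample lines are copied from the Valid Source output on this page.

```python
import re

# dnscrypt-proxy journal entry:
#   "<timestamp> <host> dnscrypt-proxy[pid]: [date time] [LEVEL] message"
PROXY_LINE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)
# Same success condition as the Step 2 expression, with the multiline flag
# passed as an argument instead of the inline (?m).
OK_LINE = r"^.*\[{name}\] OK \(DoH\) - rtt: (\d+)ms$"
# Only NOTICE and WARNING occur in this page's output; treating DEBUG and
# INFO as equally quiet is an assumption of this example.
QUIET_LEVELS = {"DEBUG", "INFO", "NOTICE"}


def check_journal(journal, server_name):
    """Return (rtt_ms or None, [messages logged above NOTICE level])."""
    pattern = OK_LINE.format(name=re.escape(server_name))
    ok = re.search(pattern, journal, re.MULTILINE)
    attention = []
    for line in journal.splitlines():
        entry = PROXY_LINE.search(line)
        if entry and entry.group("level") not in QUIET_LEVELS:
            attention.append(entry.group("msg"))
    return (int(ok.group(1)) if ok else None), attention


# Lines copied from the "Valid Source" output on this page.
SAMPLE = """\
Dec 03 13:19:52.701993 osdx dnscrypt-proxy[142995]: [2024-12-03 13:19:52] [NOTICE] Source [RD] loaded
Dec 03 13:19:52.702068 osdx dnscrypt-proxy[142995]: [2024-12-03 13:19:52] [WARNING] Missing stamp for server [server-name`]
Dec 03 13:19:52.900870 osdx dnscrypt-proxy[142995]: [2024-12-03 13:19:52] [NOTICE] [rd-server] OK (DoH) - rtt: 161ms
"""

if __name__ == "__main__":
    rtt, attention = check_journal(SAMPLE, "rd-server")
    print("rtt:", rtt)
    for msg in attention:
        print("needs review:", msg)
```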

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key NQInIGTGK6vd7pP22jiGvUQe
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
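
A minisign public key is the base64 encoding of 42 bytes: a 2-byte algorithm tag (`Ed`), an 8-byte key ID and a 32-byte Ed25519 public key. The following added example (not OSDx or dnscrypt-proxy code) runs that structural check over the three `minisign-key` values used on this page; `check_minisign_key` and `lint_config` are names made up for illustration, and the check does not verify any signature.

```python
import base64
import binascii
import re

# Minisign public key layout: 2-byte algorithm tag, 8-byte key ID,
# 32-byte Ed25519 public key; 42 bytes in total, base64-encoded.
ALGORITHM_TAG = b"Ed"
KEY_LENGTH = 42

KEY_LINE = re.compile(r"^set service dns proxy source (\S+) minisign-key (\S+)$")


def check_minisign_key(encoded):
    """Return (ok, detail) for a base64 minisign public key string."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"not valid base64: {exc}"
    if len(raw) != KEY_LENGTH:
        return False, f"decoded length is {len(raw)} bytes, expected {KEY_LENGTH}"
    if raw[:2] != ALGORITHM_TAG:
        return False, f"unexpected algorithm tag {raw[:2]!r}"
    return True, f"key ID bytes {raw[2:10].hex()}"


def lint_config(config_text):
    """Map each configured source name to its key check result."""
    results = {}
    for line in config_text.splitlines():
        match = KEY_LINE.match(line.strip())
        if match:
            source, key = match.groups()
            results[source] = check_minisign_key(key)
    return results


# The three minisign-key values used by the scenarios on this page.
PAGE_KEYS = {
    "valid": "RWSB/vpuIPdrYSFXBh+ByzTvKdGaZgbrnM9MKal7c+zf7BxjHyU3W1Dc",
    "invalid-source": "NQInIGTGK6vd7pP22jiGvUQe",
    "invalid-key": "InvalidMinisignKey==",
}

if __name__ == "__main__":
    for label, key in PAGE_KEYS.items():
        print(label, check_minisign_key(key))
```

Because every scenario fetches the source list over plain `http://`, the minisign signature is the only integrity check on its contents.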