Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWQS3zT4PzYhYypCui1x/fjTnYcfF6K8uPJSGST/mizbDy5qioJVIiQ/
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Feb 03 11:59:07.409880 osdx systemd-journald[1936]: Runtime Journal (/run/log/journal/0b455e05fd8849079cae205af04c9e16) is 2.0M, max 15.3M, 13.2M free.
Feb 03 11:59:07.410522 osdx systemd-journald[1936]: Received client request to rotate journal, rotating.
Feb 03 11:59:07.410568 osdx systemd-journald[1936]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0b455e05fd8849079cae205af04c9e16.
Feb 03 11:59:07.428157 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'system journal clear'.
Feb 03 11:59:08.059383 osdx osdx-coredump[136708]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Feb 03 11:59:08.072252 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'system coredump delete all'.
Feb 03 11:59:09.033051 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 11:59:09.191068 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 03 11:59:09.312636 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 03 11:59:09.448420 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 11:59:09.574490 osdx INFO[136729]: FRR daemons did not change
Feb 03 11:59:09.610153 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 03 11:59:09.784873 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 11:59:09.828445 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 11:59:09.879360 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 11:59:10.077501 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Feb 03 11:59:10.368442 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 11:59:10.509619 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 03 11:59:10.668610 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Feb 03 11:59:10.799347 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQS3zT4PzYhYypCui1x/fjTnYcfF6K8uPJSGST/mizbDy5qioJVIiQ/'.
Feb 03 11:59:10.947595 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Feb 03 11:59:11.093644 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 11:59:11.237135 osdx INFO[136838]: FRR daemons did not change
Feb 03 11:59:11.260637 osdx ca-certificates[136854]: Updating certificates in /etc/ssl/certs...
Feb 03 11:59:12.126629 osdx ca-certificates[137857]: 1 added, 0 removed; done.
Feb 03 11:59:12.132309 osdx ca-certificates[137864]: Running hooks in /etc/ca-certificates/update.d...
Feb 03 11:59:12.137688 osdx ca-certificates[137866]: done.
Feb 03 11:59:12.226662 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 03 11:59:12.230157 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 11:59:12.235092 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 11:59:12.261047 osdx dnscrypt-proxy[137870]: [2025-02-03 11:59:12] [NOTICE] dnscrypt-proxy 2.0.45
Feb 03 11:59:12.261387 osdx dnscrypt-proxy[137870]: [2025-02-03 11:59:12] [NOTICE] Network connectivity detected
Feb 03 11:59:12.261517 osdx dnscrypt-proxy[137870]: [2025-02-03 11:59:12] [NOTICE] Dropping privileges
Feb 03 11:59:12.264978 osdx dnscrypt-proxy[137870]: [2025-02-03 11:59:12] [NOTICE] Network connectivity detected
Feb 03 11:59:12.265199 osdx dnscrypt-proxy[137870]: [2025-02-03 11:59:12] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Feb 03 11:59:12.265199 osdx dnscrypt-proxy[137870]: [2025-02-03 11:59:12] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Feb 03 11:59:12.266780 osdx dnscrypt-proxy[137870]: [2025-02-03 11:59:12] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-6rnqgbgiksx3pbka.tmp: permission denied
Feb 03 11:59:12.266780 osdx dnscrypt-proxy[137870]: [2025-02-03 11:59:12] [NOTICE] Source [RD] loaded
Feb 03 11:59:12.266951 osdx dnscrypt-proxy[137870]: [2025-02-03 11:59:12] [WARNING] Missing stamp for server [server-name`]
Feb 03 11:59:12.266951 osdx dnscrypt-proxy[137870]: [2025-02-03 11:59:12] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Feb 03 11:59:12.266951 osdx dnscrypt-proxy[137870]: [2025-02-03 11:59:12] [NOTICE] Firefox workaround initialized
Feb 03 11:59:12.266951 osdx dnscrypt-proxy[137870]: [2025-02-03 11:59:12] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp8c6ssepd]
Feb 03 11:59:12.280750 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 11:59:12.450438 osdx dnscrypt-proxy[137870]: [2025-02-03 11:59:12] [NOTICE] [rd-server] OK (DoH) - rtt: 147ms
Feb 03 11:59:12.450438 osdx dnscrypt-proxy[137870]: [2025-02-03 11:59:12] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 147ms)
Feb 03 11:59:12.450438 osdx dnscrypt-proxy[137870]: [2025-02-03 11:59:12] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate server names across sources.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWQS3zT4PzYhYypCui1x/fjTnYcfF6K8uPJSGST/mizbDy5qioJVIiQ/
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Feb 03 11:59:20.399920 osdx systemd-journald[1936]: Runtime Journal (/run/log/journal/0b455e05fd8849079cae205af04c9e16) is 2.4M, max 15.3M, 12.9M free.
Feb 03 11:59:20.402177 osdx systemd-journald[1936]: Received client request to rotate journal, rotating.
Feb 03 11:59:20.402263 osdx systemd-journald[1936]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0b455e05fd8849079cae205af04c9e16.
Feb 03 11:59:20.432607 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'system journal clear'.
Feb 03 11:59:20.976569 osdx osdx-coredump[139470]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Feb 03 11:59:20.989720 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'system coredump delete all'.
Feb 03 11:59:21.815428 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 11:59:21.972061 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 03 11:59:22.073559 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 03 11:59:22.305074 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 11:59:22.449747 osdx INFO[139491]: FRR daemons did not change
Feb 03 11:59:22.482217 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 03 11:59:22.651003 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 11:59:22.689640 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 11:59:22.718701 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 11:59:22.941015 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Feb 03 11:59:23.243123 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 11:59:23.355607 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 03 11:59:23.502959 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Feb 03 11:59:23.611527 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQS3zT4PzYhYypCui1x/fjTnYcfF6K8uPJSGST/mizbDy5qioJVIiQ/'.
Feb 03 11:59:23.734525 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Feb 03 11:59:23.878256 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Feb 03 11:59:24.070683 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 11:59:24.186380 osdx INFO[139601]: FRR daemons did not change
Feb 03 11:59:24.208437 osdx ca-certificates[139616]: Updating certificates in /etc/ssl/certs...
Feb 03 11:59:25.025388 osdx ca-certificates[140621]: 1 added, 0 removed; done.
Feb 03 11:59:25.031145 osdx ca-certificates[140627]: Running hooks in /etc/ca-certificates/update.d...
Feb 03 11:59:25.036208 osdx ca-certificates[140629]: done.
Feb 03 11:59:25.134656 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 03 11:59:25.137357 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 11:59:25.142326 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 11:59:25.171595 osdx dnscrypt-proxy[140633]: [2025-02-03 11:59:25] [NOTICE] dnscrypt-proxy 2.0.45
Feb 03 11:59:25.171888 osdx dnscrypt-proxy[140633]: [2025-02-03 11:59:25] [NOTICE] Network connectivity detected
Feb 03 11:59:25.171999 osdx dnscrypt-proxy[140633]: [2025-02-03 11:59:25] [NOTICE] Dropping privileges
Feb 03 11:59:25.175674 osdx dnscrypt-proxy[140633]: [2025-02-03 11:59:25] [NOTICE] Network connectivity detected
Feb 03 11:59:25.175765 osdx dnscrypt-proxy[140633]: [2025-02-03 11:59:25] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Feb 03 11:59:25.175765 osdx dnscrypt-proxy[140633]: [2025-02-03 11:59:25] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Feb 03 11:59:25.177259 osdx dnscrypt-proxy[140633]: [2025-02-03 11:59:25] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-xr6vqv74cqmp2niy.tmp: permission denied
Feb 03 11:59:25.177259 osdx dnscrypt-proxy[140633]: [2025-02-03 11:59:25] [NOTICE] Source [RD] loaded
Feb 03 11:59:25.177363 osdx dnscrypt-proxy[140633]: [2025-02-03 11:59:25] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Feb 03 11:59:25.177363 osdx dnscrypt-proxy[140633]: [2025-02-03 11:59:25] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Feb 03 11:59:25.177363 osdx dnscrypt-proxy[140633]: [2025-02-03 11:59:25] [NOTICE] Firefox workaround initialized
Feb 03 11:59:25.177363 osdx dnscrypt-proxy[140633]: [2025-02-03 11:59:25] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp51o9pncc]
Feb 03 11:59:25.214424 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 11:59:25.434599 osdx dnscrypt-proxy[140633]: [2025-02-03 11:59:25] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 213ms
Feb 03 11:59:25.434599 osdx dnscrypt-proxy[140633]: [2025-02-03 11:59:25] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 213ms)
Feb 03 11:59:25.434599 osdx dnscrypt-proxy[140633]: [2025-02-03 11:59:25] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Feb 03 11:59:25.441169 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'system journal show | cat'.
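The Step 2 check in both scenarios above passes on a single OK line, although each journal also carries WARNING entries from dnscrypt-proxy. The following is an added example, not part of the original test suite: it pulls the OK result and the warnings out of a journal excerpt together, so both can be reviewed. The names ENTRY, SERVER_OK and summarize are hypothetical, and the sample is an excerpt of the "Valid Source" output.

```python
import re

# Excerpt of the "Valid Source" journal output shown on this page.
JOURNAL = """\
Feb 03 11:59:12.266780 osdx dnscrypt-proxy[137870]: [2025-02-03 11:59:12] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-6rnqgbgiksx3pbka.tmp: permission denied
Feb 03 11:59:12.266780 osdx dnscrypt-proxy[137870]: [2025-02-03 11:59:12] [NOTICE] Source [RD] loaded
Feb 03 11:59:12.266951 osdx dnscrypt-proxy[137870]: [2025-02-03 11:59:12] [WARNING] Missing stamp for server [server-name`]
Feb 03 11:59:12.280750 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 11:59:12.450438 osdx dnscrypt-proxy[137870]: [2025-02-03 11:59:12] [NOTICE] [rd-server] OK (DoH) - rtt: 147ms
"""

# Journal prefix, then dnscrypt-proxy's own "[timestamp] [LEVEL] message" layout.
ENTRY = re.compile(
    r"^\w{3} \d{2} [\d:.]+ \S+ dnscrypt-proxy\[\d+\]: "
    r"\[[^\]]+\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)
# Same success message the test step looks for, with name, protocol and RTT captured.
SERVER_OK = re.compile(
    r"^\[(?P<name>[^\]]+)\] OK \((?P<proto>[^)]+)\) - rtt: (?P<rtt>\d+)ms$"
)


def summarize(journal, expected_server):
    """Return the OK result for expected_server plus every WARNING dnscrypt-proxy logged."""
    result = {"ok": False, "proto": None, "rtt_ms": None, "warnings": []}
    for line in journal.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue  # line from another process, e.g. OSDxCLI
        msg = entry["msg"]
        if entry["level"] == "WARNING":
            result["warnings"].append(msg)
        ok = SERVER_OK.match(msg)
        if ok and ok["name"] == expected_server:
            result.update(ok=True, proto=ok["proto"], rtt_ms=int(ok["rtt"]))
    return result


if __name__ == "__main__":
    summary = summarize(JOURNAL, "rd-server")
    print("server OK:", summary["ok"], summary["proto"], summary["rtt_ms"], "ms")
    for warning in summary["warnings"]:
        print("warning:", warning)
```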
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key Bfxq8yFq7uzTdkrN5IZ4t1It
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
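The source list in these scenarios is fetched over plain HTTP, so the minisign key is what authenticates it. A minisign public key is the base64 encoding of 42 bytes: the 2-byte algorithm tag "Ed", an 8-byte key ID and a 32-byte Ed25519 public key. The following is an added example, not code from OSDx or dnscrypt-proxy, that applies this format check to the three keys used on this page; the function and constant names are hypothetical.

```python
import base64

# Keys copied from the scenarios on this page.
VALID_KEY = "RWQS3zT4PzYhYypCui1x/fjTnYcfF6K8uPJSGST/mizbDy5qioJVIiQ/"
RANDOM_KEY = "Bfxq8yFq7uzTdkrN5IZ4t1It"   # "Invalid Source" scenario
MALFORMED_KEY = "InvalidMinisignKey=="    # "Invalid Minisign Key" scenario

ALGORITHM_TAG = b"Ed"    # minisign signature algorithm identifier
KEY_ID_LEN = 8
ED25519_PUBKEY_LEN = 32
TOTAL_LEN = len(ALGORITHM_TAG) + KEY_ID_LEN + ED25519_PUBKEY_LEN  # 42 bytes


def parse_minisign_pubkey(text):
    """Split a minisign public key into (key_id, ed25519_key); raise ValueError if malformed."""
    try:
        raw = base64.b64decode(text, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"not valid base64: {exc}") from None
    if len(raw) != TOTAL_LEN:
        raise ValueError(f"decoded to {len(raw)} bytes, expected {TOTAL_LEN}")
    if raw[:2] != ALGORITHM_TAG:
        raise ValueError(f"unexpected algorithm tag {raw[:2]!r}")
    return raw[2:2 + KEY_ID_LEN], raw[2 + KEY_ID_LEN:]


def rejection_reason(text):
    """Return None for a well-formed key, otherwise the reason it is rejected."""
    try:
        parse_minisign_pubkey(text)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    samples = [("valid", VALID_KEY), ("random", RANDOM_KEY), ("malformed", MALFORMED_KEY)]
    for label, key in samples:
        print(f"{label:10} {rejection_reason(key) or 'well-formed'}")
```

Both failing keys are rejected on format alone, before any signature is examined. A well-formed key that does not belong to the signer would pass this check and fail only at signature verification, which this example does not perform.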