Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWSB/vpuIPdrYSFXBh+ByzTvKdGaZgbrnM9MKal7c+zf7BxjHyU3W1Dc
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Jan 10 12:52:57.294847 osdx systemd-journald[1741]: Runtime Journal (/run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71) is 2.0M, max 15.3M, 13.2M free.
Jan 10 12:52:57.298442 osdx systemd-journald[1741]: Received client request to rotate journal, rotating.
Jan 10 12:52:57.298491 osdx systemd-journald[1741]: Vacuuming done, freed 0B of archived journals from /run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71.
Jan 10 12:52:57.303724 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'system journal clear'.
Jan 10 12:52:57.610543 osdx osdx-coredump[99504]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jan 10 12:52:57.617705 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'system coredump delete all'.
Jan 10 12:52:58.045575 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 12:52:58.120748 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 12:52:58.203635 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 12:52:58.280535 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 12:52:58.389384 osdx INFO[99528]: FRR daemons did not change
Jan 10 12:52:58.406447 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 10 12:52:58.506357 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 12:52:58.530755 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 12:52:58.546204 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 12:52:58.689018 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jan 10 12:52:58.806251 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 12:52:58.864719 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 10 12:52:58.966101 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jan 10 12:52:59.021377 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWSB/vpuIPdrYSFXBh+ByzTvKdGaZgbrnM9MKal7c+zf7BxjHyU3W1Dc'.
Jan 10 12:52:59.118983 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Jan 10 12:52:59.190363 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 12:52:59.285814 osdx INFO[99640]: FRR daemons did not change
Jan 10 12:52:59.302247 osdx ca-certificates[99656]: Updating certificates in /etc/ssl/certs...
Jan 10 12:52:59.763543 osdx ca-certificates[100660]: 1 added, 0 removed; done.
Jan 10 12:52:59.766590 osdx ca-certificates[100666]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 12:52:59.769234 osdx ca-certificates[100668]: done.
Jan 10 12:52:59.838758 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 12:52:59.840443 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 12:52:59.847731 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 12:52:59.873341 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 12:52:59.875454 osdx dnscrypt-proxy[100672]: [2025-01-10 12:52:59] [NOTICE] dnscrypt-proxy 2.0.45
Jan 10 12:52:59.875608 osdx dnscrypt-proxy[100672]: [2025-01-10 12:52:59] [NOTICE] Network connectivity detected
Jan 10 12:52:59.875743 osdx dnscrypt-proxy[100672]: [2025-01-10 12:52:59] [NOTICE] Dropping privileges
Jan 10 12:52:59.878107 osdx dnscrypt-proxy[100672]: [2025-01-10 12:52:59] [NOTICE] Network connectivity detected
Jan 10 12:52:59.878178 osdx dnscrypt-proxy[100672]: [2025-01-10 12:52:59] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jan 10 12:52:59.878206 osdx dnscrypt-proxy[100672]: [2025-01-10 12:52:59] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jan 10 12:52:59.879410 osdx dnscrypt-proxy[100672]: [2025-01-10 12:52:59] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-frsyriilk3jy4nn3.tmp: permission denied
Jan 10 12:52:59.879410 osdx dnscrypt-proxy[100672]: [2025-01-10 12:52:59] [NOTICE] Source [RD] loaded
Jan 10 12:52:59.879447 osdx dnscrypt-proxy[100672]: [2025-01-10 12:52:59] [WARNING] Missing stamp for server [server-name`]
Jan 10 12:52:59.879447 osdx dnscrypt-proxy[100672]: [2025-01-10 12:52:59] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Jan 10 12:52:59.879472 osdx dnscrypt-proxy[100672]: [2025-01-10 12:52:59] [NOTICE] Firefox workaround initialized
Jan 10 12:52:59.879472 osdx dnscrypt-proxy[100672]: [2025-01-10 12:52:59] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp5k9u4shz]
Jan 10 12:53:00.006602 osdx dnscrypt-proxy[100672]: [2025-01-10 12:53:00] [NOTICE] [rd-server] OK (DoH) - rtt: 105ms
Jan 10 12:53:00.006602 osdx dnscrypt-proxy[100672]: [2025-01-10 12:53:00] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 105ms)
Jan 10 12:53:00.006602 osdx dnscrypt-proxy[100672]: [2025-01-10 12:53:00] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Jan 10 12:53:00.016743 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'system journal show | cat'.
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate server names.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWSB/vpuIPdrYSFXBh+ByzTvKdGaZgbrnM9MKal7c+zf7BxjHyU3W1Dc
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Jan 10 12:53:04.288048 osdx systemd-journald[1741]: Runtime Journal (/run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71) is 2.0M, max 15.3M, 13.3M free.
Jan 10 12:53:04.289393 osdx systemd-journald[1741]: Received client request to rotate journal, rotating.
Jan 10 12:53:04.289439 osdx systemd-journald[1741]: Vacuuming done, freed 0B of archived journals from /run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71.
Jan 10 12:53:04.296997 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'system journal clear'.
Jan 10 12:53:04.607033 osdx osdx-coredump[102278]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jan 10 12:53:04.614679 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'system coredump delete all'.
Jan 10 12:53:05.061601 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 12:53:05.136789 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 12:53:05.221095 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 12:53:05.291796 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 12:53:05.392122 osdx INFO[102302]: FRR daemons did not change
Jan 10 12:53:05.409394 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 10 12:53:05.505802 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 12:53:05.531448 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 12:53:05.547626 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 12:53:05.706881 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jan 10 12:53:05.824479 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 12:53:05.883821 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 10 12:53:05.985100 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jan 10 12:53:06.046333 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWSB/vpuIPdrYSFXBh+ByzTvKdGaZgbrnM9MKal7c+zf7BxjHyU3W1Dc'.
Jan 10 12:53:06.140586 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Jan 10 12:53:06.195716 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Jan 10 12:53:06.307935 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 12:53:06.380079 osdx INFO[102415]: FRR daemons did not change
Jan 10 12:53:06.392358 osdx ca-certificates[102431]: Updating certificates in /etc/ssl/certs...
Jan 10 12:53:06.840813 osdx ca-certificates[103434]: 1 added, 0 removed; done.
Jan 10 12:53:06.844566 osdx ca-certificates[103441]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 12:53:06.847265 osdx ca-certificates[103443]: done.
Jan 10 12:53:06.901703 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 12:53:06.902982 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 12:53:06.908303 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 12:53:06.930912 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 12:53:06.935067 osdx dnscrypt-proxy[103447]: [2025-01-10 12:53:06] [NOTICE] dnscrypt-proxy 2.0.45
Jan 10 12:53:06.935211 osdx dnscrypt-proxy[103447]: [2025-01-10 12:53:06] [NOTICE] Network connectivity detected
Jan 10 12:53:06.935279 osdx dnscrypt-proxy[103447]: [2025-01-10 12:53:06] [NOTICE] Dropping privileges
Jan 10 12:53:06.937185 osdx dnscrypt-proxy[103447]: [2025-01-10 12:53:06] [NOTICE] Network connectivity detected
Jan 10 12:53:06.937209 osdx dnscrypt-proxy[103447]: [2025-01-10 12:53:06] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jan 10 12:53:06.937209 osdx dnscrypt-proxy[103447]: [2025-01-10 12:53:06] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jan 10 12:53:06.938257 osdx dnscrypt-proxy[103447]: [2025-01-10 12:53:06] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-4lbtscdgjvtnhdkj.tmp: permission denied
Jan 10 12:53:06.938257 osdx dnscrypt-proxy[103447]: [2025-01-10 12:53:06] [NOTICE] Source [RD] loaded
Jan 10 12:53:06.938326 osdx dnscrypt-proxy[103447]: [2025-01-10 12:53:06] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Jan 10 12:53:06.938326 osdx dnscrypt-proxy[103447]: [2025-01-10 12:53:06] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Jan 10 12:53:06.938326 osdx dnscrypt-proxy[103447]: [2025-01-10 12:53:06] [NOTICE] Firefox workaround initialized
Jan 10 12:53:06.938326 osdx dnscrypt-proxy[103447]: [2025-01-10 12:53:06] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp7ieto8hk]
Jan 10 12:53:07.085405 osdx dnscrypt-proxy[103447]: [2025-01-10 12:53:07] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 124ms
Jan 10 12:53:07.085405 osdx dnscrypt-proxy[103447]: [2025-01-10 12:53:07] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 124ms)
Jan 10 12:53:07.085405 osdx dnscrypt-proxy[103447]: [2025-01-10 12:53:07] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Jan 10 12:53:07.085814 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'system journal show | cat'.
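The Step 2 check of the two valid-source scenarios, written as an added Python example (not part of the original test suite): it applies the pass pattern for a given server name and also collects the dnscrypt-proxy WARNING entries that the pattern alone does not look at. The function name check_doh_source and the result keys are illustrative; the sample lines are copied from the journal output above.

```python
import re

# Lines copied from the "Valid Source With Prefix" journal output on this page.
SAMPLE_JOURNAL = """\
Jan 10 12:53:06.938257 osdx dnscrypt-proxy[103447]: [2025-01-10 12:53:06] [NOTICE] Source [RD] loaded
Jan 10 12:53:06.938326 osdx dnscrypt-proxy[103447]: [2025-01-10 12:53:06] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Jan 10 12:53:07.085405 osdx dnscrypt-proxy[103447]: [2025-01-10 12:53:07] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 124ms
Jan 10 12:53:07.085405 osdx dnscrypt-proxy[103447]: [2025-01-10 12:53:07] [NOTICE] dnscrypt-proxy is ready - live servers: 1
"""

# One dnscrypt-proxy journal entry: syslog prefix, proxy timestamp, level, message.
ENTRY = re.compile(
    r"^.* dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$",
    re.MULTILINE,
)


def check_doh_source(journal, server_name):
    """Apply the Step 2 pass criterion and report what it does not look at."""
    # Same pattern as the test, with the server name escaped. Python 3.11+
    # rejects an inline (?m) placed after '^', so MULTILINE is passed as a flag.
    ok = re.compile(
        r"^.*\[" + re.escape(server_name) + r"\] OK \(DoH\) - rtt: (\d+)ms$",
        re.MULTILINE,
    )
    hit = ok.search(journal)
    entries = [m.groupdict() for m in ENTRY.finditer(journal)]
    ready = re.search(r"dnscrypt-proxy is ready - live servers: (\d+)", journal)
    return {
        "passed": hit is not None,
        "rtt_ms": int(hit.group(1)) if hit else None,
        "live_servers": int(ready.group(1)) if ready else None,
        "warnings": [e["msg"] for e in entries if e["level"] == "WARNING"],
    }


if __name__ == "__main__":
    print(check_doh_source(SAMPLE_JOURNAL, "PRIVATE-rd-server"))
    # The unprefixed name must not match once the source prefix is applied.
    print(check_doh_source(SAMPLE_JOURNAL, "rd-server"))
```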
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key yOwbA2qaRWDcZvUfRsrUVjNy
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
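A structural pre-check of the minisign-key values used in the scenarios above, as an added Python example (not part of the original test suite or of dnscrypt-proxy). It relies on the minisign public key layout of a 2-byte "Ed" tag, an 8-byte key ID and a 32-byte Ed25519 key, base64-encoded; the function names are illustrative, and it verifies no signature, which would also need the source file and its .minisig.

```python
import base64
import binascii

# minisign public key layout: 2-byte algorithm tag "Ed", 8-byte key ID,
# 32-byte Ed25519 public key, base64-encoded as one string (56 characters).
ALG_TAG = b"Ed"
KEY_ID_LEN = 8
PUBKEY_LEN = 32
EXPECTED_LEN = len(ALG_TAG) + KEY_ID_LEN + PUBKEY_LEN  # 42 bytes

# Key strings exactly as they appear in the scenarios on this page.
PAGE_KEYS = {
    "Valid Source": "RWSB/vpuIPdrYSFXBh+ByzTvKdGaZgbrnM9MKal7c+zf7BxjHyU3W1Dc",
    "Invalid Source": "yOwbA2qaRWDcZvUfRsrUVjNy",
    "Invalid Minisign Key": "InvalidMinisignKey==",
}


def inspect_minisign_key(key_b64):
    """Structural check only; it does not verify any signature."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        return {"well_formed": False, "reason": f"not valid base64: {exc}"}
    if len(raw) != EXPECTED_LEN:
        return {"well_formed": False,
                "reason": f"decodes to {len(raw)} bytes, expected {EXPECTED_LEN}"}
    if raw[:2] != ALG_TAG:
        return {"well_formed": False,
                "reason": f"algorithm tag {raw[:2]!r}, expected {ALG_TAG!r}"}
    return {"well_formed": True, "key_id_bytes": raw[2:10].hex(), "reason": "ok"}


def audit(keys):
    """Map each scenario name to whether its key is structurally usable."""
    return {name: inspect_minisign_key(k)["well_formed"] for name, k in keys.items()}


if __name__ == "__main__":
    for name, key in PAGE_KEYS.items():
        print(name, inspect_minisign_key(key))
```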