Source

Test suite to validate using one or multiple ciphers to protect DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWQS3zT4PzYhYypCui1x/fjTnYcfF6K8uPJSGST/mizbDy5qioJVIiQ/
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expressions:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Feb 19 19:32:06.461587 osdx systemd-journald[1656]: Runtime Journal (/run/log/journal/9e929e613f1a4f1290b0c92170d5d508) is 2.0M, max 15.3M, 13.2M free.
Feb 19 19:32:06.463878 osdx systemd-journald[1656]: Received client request to rotate journal, rotating.
Feb 19 19:32:06.463972 osdx systemd-journald[1656]: Vacuuming done, freed 0B of archived journals from /run/log/journal/9e929e613f1a4f1290b0c92170d5d508.
Feb 19 19:32:06.481094 osdx OSDxCLI[2457]: User 'admin' executed a new command: 'system journal clear'.
Feb 19 19:32:07.090662 osdx osdx-coredump[183822]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Feb 19 19:32:07.122406 osdx OSDxCLI[2457]: User 'admin' executed a new command: 'system coredump delete all'.
Feb 19 19:32:08.176914 osdx OSDxCLI[2457]: User 'admin' entered the configuration menu.
Feb 19 19:32:08.343760 osdx OSDxCLI[2457]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 19 19:32:08.454057 osdx OSDxCLI[2457]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 19 19:32:08.624931 osdx OSDxCLI[2457]: User 'admin' added a new cfg line: 'show working'.
Feb 19 19:32:08.790364 osdx INFO[183846]: FRR daemons did not change
Feb 19 19:32:08.827684 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 19 19:32:09.054393 osdx cfgd[1455]: [2457]Completed change to active configuration
Feb 19 19:32:09.101948 osdx OSDxCLI[2457]: User 'admin' committed the configuration.
Feb 19 19:32:09.134984 osdx OSDxCLI[2457]: User 'admin' left the configuration menu.
Feb 19 19:32:09.426969 osdx OSDxCLI[2457]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Feb 19 19:32:09.706716 osdx OSDxCLI[2457]: User 'admin' entered the configuration menu.
Feb 19 19:32:09.815743 osdx OSDxCLI[2457]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 19 19:32:10.008465 osdx OSDxCLI[2457]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Feb 19 19:32:10.284735 osdx OSDxCLI[2457]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQS3zT4PzYhYypCui1x/fjTnYcfF6K8uPJSGST/mizbDy5qioJVIiQ/'.
Feb 19 19:32:10.408672 osdx OSDxCLI[2457]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Feb 19 19:32:10.864903 osdx OSDxCLI[2457]: User 'admin' added a new cfg line: 'show working'.
Feb 19 19:32:11.198394 osdx INFO[183958]: FRR daemons did not change
Feb 19 19:32:11.248422 osdx ca-certificates[183972]: Updating certificates in /etc/ssl/certs...
Feb 19 19:32:12.709644 osdx ca-certificates[184976]: 1 added, 0 removed; done.
Feb 19 19:32:12.714726 osdx ca-certificates[184984]: Running hooks in /etc/ca-certificates/update.d...
Feb 19 19:32:12.721421 osdx ca-certificates[184986]: done.
Feb 19 19:32:12.807476 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 19 19:32:12.810154 osdx cfgd[1455]: [2457]Completed change to active configuration
Feb 19 19:32:12.813809 osdx OSDxCLI[2457]: User 'admin' committed the configuration.
Feb 19 19:32:12.858241 osdx dnscrypt-proxy[184990]: [2025-02-19 19:32:12] [NOTICE] dnscrypt-proxy 2.0.45
Feb 19 19:32:12.858706 osdx dnscrypt-proxy[184990]: [2025-02-19 19:32:12] [NOTICE] Network connectivity detected
Feb 19 19:32:12.859062 osdx dnscrypt-proxy[184990]: [2025-02-19 19:32:12] [NOTICE] Dropping privileges
Feb 19 19:32:12.863228 osdx dnscrypt-proxy[184990]: [2025-02-19 19:32:12] [NOTICE] Network connectivity detected
Feb 19 19:32:12.863228 osdx dnscrypt-proxy[184990]: [2025-02-19 19:32:12] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Feb 19 19:32:12.863228 osdx dnscrypt-proxy[184990]: [2025-02-19 19:32:12] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Feb 19 19:32:12.864643 osdx OSDxCLI[2457]: User 'admin' left the configuration menu.
Feb 19 19:32:12.865408 osdx dnscrypt-proxy[184990]: [2025-02-19 19:32:12] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-bolt2hmd2l5tqcsx.tmp: permission denied
Feb 19 19:32:12.865408 osdx dnscrypt-proxy[184990]: [2025-02-19 19:32:12] [NOTICE] Source [RD] loaded
Feb 19 19:32:12.865408 osdx dnscrypt-proxy[184990]: [2025-02-19 19:32:12] [WARNING] Missing stamp for server [server-name`]
Feb 19 19:32:12.865408 osdx dnscrypt-proxy[184990]: [2025-02-19 19:32:12] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Feb 19 19:32:12.865408 osdx dnscrypt-proxy[184990]: [2025-02-19 19:32:12] [NOTICE] Firefox workaround initialized
Feb 19 19:32:12.865408 osdx dnscrypt-proxy[184990]: [2025-02-19 19:32:12] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpma1px7e2]
Feb 19 19:32:13.003671 osdx dnscrypt-proxy[184990]: [2025-02-19 19:32:13] [NOTICE] [rd-server] OK (DoH) - rtt: 73ms
Feb 19 19:32:13.003671 osdx dnscrypt-proxy[184990]: [2025-02-19 19:32:13] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 73ms)
Feb 19 19:32:13.003671 osdx dnscrypt-proxy[184990]: [2025-02-19 19:32:13] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWQS3zT4PzYhYypCui1x/fjTnYcfF6K8uPJSGST/mizbDy5qioJVIiQ/
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expressions:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Feb 19 19:32:23.637586 osdx systemd-journald[1656]: Runtime Journal (/run/log/journal/9e929e613f1a4f1290b0c92170d5d508) is 2.0M, max 15.3M, 13.3M free.
Feb 19 19:32:23.640459 osdx systemd-journald[1656]: Received client request to rotate journal, rotating.
Feb 19 19:32:23.640748 osdx systemd-journald[1656]: Vacuuming done, freed 0B of archived journals from /run/log/journal/9e929e613f1a4f1290b0c92170d5d508.
Feb 19 19:32:23.669340 osdx OSDxCLI[2457]: User 'admin' executed a new command: 'system journal clear'.
Feb 19 19:32:24.523724 osdx osdx-coredump[186591]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Feb 19 19:32:24.545980 osdx OSDxCLI[2457]: User 'admin' executed a new command: 'system coredump delete all'.
Feb 19 19:32:25.688037 osdx OSDxCLI[2457]: User 'admin' entered the configuration menu.
Feb 19 19:32:25.920357 osdx OSDxCLI[2457]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 19 19:32:26.065774 osdx OSDxCLI[2457]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 19 19:32:26.209301 osdx OSDxCLI[2457]: User 'admin' added a new cfg line: 'show working'.
Feb 19 19:32:26.349771 osdx INFO[186615]: FRR daemons did not change
Feb 19 19:32:26.388333 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 19 19:32:26.610978 osdx cfgd[1455]: [2457]Completed change to active configuration
Feb 19 19:32:26.657689 osdx OSDxCLI[2457]: User 'admin' committed the configuration.
Feb 19 19:32:26.705468 osdx OSDxCLI[2457]: User 'admin' left the configuration menu.
Feb 19 19:32:26.943206 osdx OSDxCLI[2457]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Feb 19 19:32:27.325486 osdx OSDxCLI[2457]: User 'admin' entered the configuration menu.
Feb 19 19:32:27.515478 osdx OSDxCLI[2457]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 19 19:32:27.707570 osdx OSDxCLI[2457]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Feb 19 19:32:27.849289 osdx OSDxCLI[2457]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQS3zT4PzYhYypCui1x/fjTnYcfF6K8uPJSGST/mizbDy5qioJVIiQ/'.
Feb 19 19:32:28.025564 osdx OSDxCLI[2457]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Feb 19 19:32:28.157550 osdx OSDxCLI[2457]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Feb 19 19:32:28.426730 osdx OSDxCLI[2457]: User 'admin' added a new cfg line: 'show working'.
Feb 19 19:32:28.641091 osdx INFO[186728]: FRR daemons did not change
Feb 19 19:32:28.672155 osdx ca-certificates[186746]: Updating certificates in /etc/ssl/certs...
Feb 19 19:32:30.325653 osdx ca-certificates[187747]: 1 added, 0 removed; done.
Feb 19 19:32:30.333814 osdx ca-certificates[187753]: Running hooks in /etc/ca-certificates/update.d...
Feb 19 19:32:30.341411 osdx ca-certificates[187756]: done.
Feb 19 19:32:30.485479 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 19 19:32:30.495908 osdx cfgd[1455]: [2457]Completed change to active configuration
Feb 19 19:32:30.504167 osdx OSDxCLI[2457]: User 'admin' committed the configuration.
Feb 19 19:32:30.612911 osdx OSDxCLI[2457]: User 'admin' left the configuration menu.
Feb 19 19:32:30.623124 osdx dnscrypt-proxy[187760]: [2025-02-19 19:32:30] [NOTICE] dnscrypt-proxy 2.0.45
Feb 19 19:32:30.623632 osdx dnscrypt-proxy[187760]: [2025-02-19 19:32:30] [NOTICE] Network connectivity detected
Feb 19 19:32:30.624200 osdx dnscrypt-proxy[187760]: [2025-02-19 19:32:30] [NOTICE] Dropping privileges
Feb 19 19:32:30.650126 osdx dnscrypt-proxy[187760]: [2025-02-19 19:32:30] [NOTICE] Network connectivity detected
Feb 19 19:32:30.650126 osdx dnscrypt-proxy[187760]: [2025-02-19 19:32:30] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Feb 19 19:32:30.650126 osdx dnscrypt-proxy[187760]: [2025-02-19 19:32:30] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Feb 19 19:32:30.655000 osdx dnscrypt-proxy[187760]: [2025-02-19 19:32:30] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-ugvxb4oj7hsyr2oe.tmp: permission denied
Feb 19 19:32:30.655000 osdx dnscrypt-proxy[187760]: [2025-02-19 19:32:30] [NOTICE] Source [RD] loaded
Feb 19 19:32:30.655000 osdx dnscrypt-proxy[187760]: [2025-02-19 19:32:30] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Feb 19 19:32:30.655000 osdx dnscrypt-proxy[187760]: [2025-02-19 19:32:30] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Feb 19 19:32:30.655000 osdx dnscrypt-proxy[187760]: [2025-02-19 19:32:30] [NOTICE] Firefox workaround initialized
Feb 19 19:32:30.655000 osdx dnscrypt-proxy[187760]: [2025-02-19 19:32:30] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpty21bpvp]
Feb 19 19:32:30.845766 osdx dnscrypt-proxy[187760]: [2025-02-19 19:32:30] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 54ms
Feb 19 19:32:30.845766 osdx dnscrypt-proxy[187760]: [2025-02-19 19:32:30] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 54ms)
Feb 19 19:32:30.845766 osdx dnscrypt-proxy[187760]: [2025-02-19 19:32:30] [NOTICE] dnscrypt-proxy is ready - live servers: 1
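
The Step 2 check of both valid-source scenarios, as an added example that is not part of the original test suite: it goes beyond the single regular expression by also requiring that the source was loaded and by returning the dnscrypt-proxy warnings that a pass/fail match would hide. The function name and result keys are assumptions of this example; the journal lines are copied from the output above with the syslog prefix trimmed.

```python
import re

# Journal lines copied from the "Valid Source With Prefix" output above
# (syslog timestamp and host name trimmed).
JOURNAL = """\
dnscrypt-proxy[187760]: [2025-02-19 19:32:30] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-ugvxb4oj7hsyr2oe.tmp: permission denied
dnscrypt-proxy[187760]: [2025-02-19 19:32:30] [NOTICE] Source [RD] loaded
dnscrypt-proxy[187760]: [2025-02-19 19:32:30] [WARNING] Missing stamp for server [PRIVATE-server-name`]
dnscrypt-proxy[187760]: [2025-02-19 19:32:30] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 54ms
dnscrypt-proxy[187760]: [2025-02-19 19:32:30] [NOTICE] dnscrypt-proxy is ready - live servers: 1
"""

# One dnscrypt-proxy journal entry: "[date time] [LEVEL] message".
ENTRY = re.compile(r"dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
# The message the page's Step 2 regular expression looks for.
SERVER_OK = re.compile(r"^\[(?P<name>[^\]]+)\] OK \((?P<proto>[^)]+)\) - rtt: (?P<rtt>\d+)ms$")
SOURCE_LOADED = re.compile(r"^Source \[(?P<source>[^\]]+)\] loaded$")


def check_journal(text, server, source, proto="DoH"):
    """Return the verdict plus every warning dnscrypt-proxy logged."""
    result = {"source_loaded": False, "server_ok": False, "rtt_ms": None, "warnings": []}
    for line in text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue  # not a dnscrypt-proxy entry
        level, msg = entry["level"], entry["msg"]
        if level == "WARNING":
            result["warnings"].append(msg)
        elif (s := SOURCE_LOADED.match(msg)) and s["source"] == source:
            result["source_loaded"] = True
        elif (ok := SERVER_OK.match(msg)) and ok["name"] == server and ok["proto"] == proto:
            result["server_ok"] = True
            result["rtt_ms"] = int(ok["rtt"])
    result["passed"] = result["source_loaded"] and result["server_ok"]
    return result


if __name__ == "__main__":
    # With the prefix configured, only the prefixed server name matches.
    print(check_journal(JOURNAL, server="PRIVATE-rd-server", source="RD"))
    print(check_journal(JOURNAL, server="rd-server", source="RD")["passed"])
```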

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key qjs1DW4I8b4UlrELzVOART7H
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
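
A structural check of the three minisign-key values configured on this page, added here as an example that is not part of the original test suite or of the product's code. A minisign public key is the base64 encoding of 42 bytes: a 2-byte algorithm tag "Ed", an 8-byte key ID and a 32-byte Ed25519 public key. The function names are assumptions of this example, and it checks only the key's form, not any signature.

```python
import base64
import binascii

# Key strings exactly as configured in the scenarios on this page.
VALID_KEY = "RWQS3zT4PzYhYypCui1x/fjTnYcfF6K8uPJSGST/mizbDy5qioJVIiQ/"
INVALID_SOURCE_KEY = "qjs1DW4I8b4UlrELzVOART7H"
INVALID_MINISIGN_KEY = "InvalidMinisignKey=="

SIG_ALG = b"Ed"      # minisign algorithm tag for Ed25519
KEY_ID_LEN = 8       # bytes
PUBKEY_LEN = 32      # bytes (Ed25519 public key)


def parse_minisign_pubkey(b64):
    """Return (key_id_hex, pubkey_bytes) or raise ValueError naming the defect."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    expected = len(SIG_ALG) + KEY_ID_LEN + PUBKEY_LEN
    if len(raw) != expected:
        raise ValueError(f"decoded length {len(raw)} bytes, expected {expected}")
    if raw[:2] != SIG_ALG:
        raise ValueError(f"unexpected algorithm tag {raw[:2]!r}")
    return raw[2:2 + KEY_ID_LEN].hex(), raw[2 + KEY_ID_LEN:]


def lint(b64):
    """Return 'ok' for a well-formed key, otherwise the reason it is rejected."""
    try:
        parse_minisign_pubkey(b64)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for key in (VALID_KEY, INVALID_SOURCE_KEY, INVALID_MINISIGN_KEY):
        print(f"{key}: {lint(key)}")
```

Both strings used in the failing scenarios are rejected on form alone, so a lint step like this catches them before a source list is ever fetched.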