Source

Test suite to validate using one or multiple ciphers to protect DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWQmaR3fUrQXRs7Rhkc3B2HHY0bpognevEm4nzVzCey7UU9wzyoHb2Op
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expressions:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Mar 18 12:45:51.377798 osdx systemd-journald[1668]: Runtime Journal (/run/log/journal/72104842365c481ca7f4174cfa44e1fe) is 2.0M, max 15.3M, 13.2M free.
Mar 18 12:45:51.378372 osdx systemd-journald[1668]: Received client request to rotate journal, rotating.
Mar 18 12:45:51.378431 osdx systemd-journald[1668]: Vacuuming done, freed 0B of archived journals from /run/log/journal/72104842365c481ca7f4174cfa44e1fe.
Mar 18 12:45:51.391611 osdx OSDxCLI[56339]: User 'admin' executed a new command: 'system journal clear'.
Mar 18 12:45:51.816660 osdx osdx-coredump[146301]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Mar 18 12:45:51.826701 osdx OSDxCLI[56339]: User 'admin' executed a new command: 'system coredump delete all'.
Mar 18 12:45:52.433324 osdx OSDxCLI[56339]: User 'admin' entered the configuration menu.
Mar 18 12:45:52.573229 osdx OSDxCLI[56339]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 18 12:45:52.647669 osdx OSDxCLI[56339]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 18 12:45:52.784767 osdx OSDxCLI[56339]: User 'admin' added a new cfg line: 'show working'.
Mar 18 12:45:52.878344 osdx INFO[146325]: FRR daemons did not change
Mar 18 12:45:52.905880 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 18 12:45:53.037602 osdx cfgd[1456]: [56339]Completed change to active configuration
Mar 18 12:45:53.072015 osdx OSDxCLI[56339]: User 'admin' committed the configuration.
Mar 18 12:45:53.103050 osdx OSDxCLI[56339]: User 'admin' left the configuration menu.
Mar 18 12:45:53.280935 osdx OSDxCLI[56339]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Mar 18 12:45:53.463773 osdx OSDxCLI[56339]: User 'admin' entered the configuration menu.
Mar 18 12:45:53.559383 osdx OSDxCLI[56339]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 18 12:45:53.677378 osdx OSDxCLI[56339]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Mar 18 12:45:53.763370 osdx OSDxCLI[56339]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQmaR3fUrQXRs7Rhkc3B2HHY0bpognevEm4nzVzCey7UU9wzyoHb2Op'.
Mar 18 12:45:53.849226 osdx OSDxCLI[56339]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Mar 18 12:45:54.010450 osdx OSDxCLI[56339]: User 'admin' added a new cfg line: 'show working'.
Mar 18 12:45:54.110164 osdx INFO[146437]: FRR daemons did not change
Mar 18 12:45:54.127923 osdx ca-certificates[146453]: Updating certificates in /etc/ssl/certs...
Mar 18 12:45:54.828459 osdx ca-certificates[147457]: 1 added, 0 removed; done.
Mar 18 12:45:54.832645 osdx ca-certificates[147463]: Running hooks in /etc/ca-certificates/update.d...
Mar 18 12:45:54.836656 osdx ca-certificates[147465]: done.
Mar 18 12:45:54.906318 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 18 12:45:54.907784 osdx cfgd[1456]: [56339]Completed change to active configuration
Mar 18 12:45:54.911976 osdx OSDxCLI[56339]: User 'admin' committed the configuration.
Mar 18 12:45:54.938129 osdx OSDxCLI[56339]: User 'admin' left the configuration menu.
Mar 18 12:45:54.938523 osdx dnscrypt-proxy[147469]: [2025-03-18 12:45:54] [NOTICE] dnscrypt-proxy 2.0.45
Mar 18 12:45:54.938699 osdx dnscrypt-proxy[147469]: [2025-03-18 12:45:54] [NOTICE] Network connectivity detected
Mar 18 12:45:54.938816 osdx dnscrypt-proxy[147469]: [2025-03-18 12:45:54] [NOTICE] Dropping privileges
Mar 18 12:45:54.941965 osdx dnscrypt-proxy[147469]: [2025-03-18 12:45:54] [NOTICE] Network connectivity detected
Mar 18 12:45:54.942043 osdx dnscrypt-proxy[147469]: [2025-03-18 12:45:54] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Mar 18 12:45:54.942043 osdx dnscrypt-proxy[147469]: [2025-03-18 12:45:54] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Mar 18 12:45:54.943590 osdx dnscrypt-proxy[147469]: [2025-03-18 12:45:54] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-luw5xxqi76raukhc.tmp: permission denied
Mar 18 12:45:54.943590 osdx dnscrypt-proxy[147469]: [2025-03-18 12:45:54] [NOTICE] Source [RD] loaded
Mar 18 12:45:54.943684 osdx dnscrypt-proxy[147469]: [2025-03-18 12:45:54] [WARNING] Missing stamp for server [server-name`]
Mar 18 12:45:54.943684 osdx dnscrypt-proxy[147469]: [2025-03-18 12:45:54] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Mar 18 12:45:54.943684 osdx dnscrypt-proxy[147469]: [2025-03-18 12:45:54] [NOTICE] Firefox workaround initialized
Mar 18 12:45:54.943684 osdx dnscrypt-proxy[147469]: [2025-03-18 12:45:54] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpsw3gao9w]
Mar 18 12:45:55.030594 osdx dnscrypt-proxy[147469]: [2025-03-18 12:45:55] [NOTICE] [rd-server] OK (DoH) - rtt: 55ms
Mar 18 12:45:55.030727 osdx dnscrypt-proxy[147469]: [2025-03-18 12:45:55] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 55ms)
Mar 18 12:45:55.030787 osdx dnscrypt-proxy[147469]: [2025-03-18 12:45:55] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate server names across sources.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWQmaR3fUrQXRs7Rhkc3B2HHY0bpognevEm4nzVzCey7UU9wzyoHb2Op
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expressions:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Mar 18 12:46:01.377718 osdx systemd-journald[1668]: Runtime Journal (/run/log/journal/72104842365c481ca7f4174cfa44e1fe) is 2.0M, max 15.3M, 13.3M free.
Mar 18 12:46:01.379941 osdx systemd-journald[1668]: Received client request to rotate journal, rotating.
Mar 18 12:46:01.380012 osdx systemd-journald[1668]: Vacuuming done, freed 0B of archived journals from /run/log/journal/72104842365c481ca7f4174cfa44e1fe.
Mar 18 12:46:01.391225 osdx OSDxCLI[56339]: User 'admin' executed a new command: 'system journal clear'.
Mar 18 12:46:01.835492 osdx osdx-coredump[149071]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Mar 18 12:46:01.845822 osdx OSDxCLI[56339]: User 'admin' executed a new command: 'system coredump delete all'.
Mar 18 12:46:02.461285 osdx OSDxCLI[56339]: User 'admin' entered the configuration menu.
Mar 18 12:46:02.605440 osdx OSDxCLI[56339]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 18 12:46:02.679379 osdx OSDxCLI[56339]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 18 12:46:02.791733 osdx OSDxCLI[56339]: User 'admin' added a new cfg line: 'show working'.
Mar 18 12:46:02.886601 osdx INFO[149095]: FRR daemons did not change
Mar 18 12:46:02.911918 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 18 12:46:03.055427 osdx cfgd[1456]: [56339]Completed change to active configuration
Mar 18 12:46:03.092604 osdx OSDxCLI[56339]: User 'admin' committed the configuration.
Mar 18 12:46:03.118873 osdx OSDxCLI[56339]: User 'admin' left the configuration menu.
Mar 18 12:46:03.296503 osdx OSDxCLI[56339]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Mar 18 12:46:03.478916 osdx OSDxCLI[56339]: User 'admin' entered the configuration menu.
Mar 18 12:46:03.576274 osdx OSDxCLI[56339]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 18 12:46:03.675185 osdx OSDxCLI[56339]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Mar 18 12:46:03.766846 osdx OSDxCLI[56339]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQmaR3fUrQXRs7Rhkc3B2HHY0bpognevEm4nzVzCey7UU9wzyoHb2Op'.
Mar 18 12:46:03.856269 osdx OSDxCLI[56339]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Mar 18 12:46:03.946904 osdx OSDxCLI[56339]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Mar 18 12:46:04.063016 osdx OSDxCLI[56339]: User 'admin' added a new cfg line: 'show working'.
Mar 18 12:46:04.170346 osdx INFO[149208]: FRR daemons did not change
Mar 18 12:46:04.188382 osdx ca-certificates[149224]: Updating certificates in /etc/ssl/certs...
Mar 18 12:46:04.909462 osdx ca-certificates[150227]: 1 added, 0 removed; done.
Mar 18 12:46:04.913396 osdx ca-certificates[150234]: Running hooks in /etc/ca-certificates/update.d...
Mar 18 12:46:04.917327 osdx ca-certificates[150236]: done.
Mar 18 12:46:04.992389 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 18 12:46:04.993926 osdx cfgd[1456]: [56339]Completed change to active configuration
Mar 18 12:46:04.997248 osdx OSDxCLI[56339]: User 'admin' committed the configuration.
Mar 18 12:46:05.023291 osdx dnscrypt-proxy[150240]: [2025-03-18 12:46:05] [NOTICE] dnscrypt-proxy 2.0.45
Mar 18 12:46:05.023291 osdx dnscrypt-proxy[150240]: [2025-03-18 12:46:05] [NOTICE] Network connectivity detected
Mar 18 12:46:05.023552 osdx dnscrypt-proxy[150240]: [2025-03-18 12:46:05] [NOTICE] Dropping privileges
Mar 18 12:46:05.023326 osdx OSDxCLI[56339]: User 'admin' left the configuration menu.
Mar 18 12:46:05.026569 osdx dnscrypt-proxy[150240]: [2025-03-18 12:46:05] [NOTICE] Network connectivity detected
Mar 18 12:46:05.026634 osdx dnscrypt-proxy[150240]: [2025-03-18 12:46:05] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Mar 18 12:46:05.026634 osdx dnscrypt-proxy[150240]: [2025-03-18 12:46:05] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Mar 18 12:46:05.028178 osdx dnscrypt-proxy[150240]: [2025-03-18 12:46:05] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-rq42x2wdbsh3llr5.tmp: permission denied
Mar 18 12:46:05.028308 osdx dnscrypt-proxy[150240]: [2025-03-18 12:46:05] [NOTICE] Source [RD] loaded
Mar 18 12:46:05.028419 osdx dnscrypt-proxy[150240]: [2025-03-18 12:46:05] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Mar 18 12:46:05.028521 osdx dnscrypt-proxy[150240]: [2025-03-18 12:46:05] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Mar 18 12:46:05.028586 osdx dnscrypt-proxy[150240]: [2025-03-18 12:46:05] [NOTICE] Firefox workaround initialized
Mar 18 12:46:05.028634 osdx dnscrypt-proxy[150240]: [2025-03-18 12:46:05] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpb31y51nx]
Mar 18 12:46:05.106025 osdx dnscrypt-proxy[150240]: [2025-03-18 12:46:05] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 44ms
Mar 18 12:46:05.106025 osdx dnscrypt-proxy[150240]: [2025-03-18 12:46:05] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 44ms)
Mar 18 12:46:05.106025 osdx dnscrypt-proxy[150240]: [2025-03-18 12:46:05] [NOTICE] dnscrypt-proxy is ready - live servers: 1
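
The Step 2 check from the two valid-source scenarios, as an added example that is not part of the original test suite: it looks for the expected server's OK (DoH) line and also collects the dnscrypt-proxy warnings that a pass/fail regex alone would hide. The function name `check_doh` and the result fields are assumptions made for this example; the sample lines are excerpted from the output above.

```python
import re

# Excerpt of the journal output shown above for the prefixed scenario.
JOURNAL = """\
Mar 18 12:46:05.028178 osdx dnscrypt-proxy[150240]: [2025-03-18 12:46:05] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-rq42x2wdbsh3llr5.tmp: permission denied
Mar 18 12:46:05.028308 osdx dnscrypt-proxy[150240]: [2025-03-18 12:46:05] [NOTICE] Source [RD] loaded
Mar 18 12:46:05.106025 osdx dnscrypt-proxy[150240]: [2025-03-18 12:46:05] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 44ms
Mar 18 12:46:05.106025 osdx dnscrypt-proxy[150240]: [2025-03-18 12:46:05] [NOTICE] dnscrypt-proxy is ready - live servers: 1
"""

# journald prefix, then dnscrypt-proxy's own "[timestamp] [LEVEL] message".
LINE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)
LIVE = re.compile(r"live servers: (\d+)$")


def check_doh(journal: str, server: str) -> dict:
    """Summarise dnscrypt-proxy start-up for one expected server name."""
    # Same condition as Step 2; the name is escaped so it matches literally,
    # which means "rd-server" does not match "[PRIVATE-rd-server]".
    ok = re.compile(r"^\[" + re.escape(server) + r"\] OK \(DoH\) - rtt: (\d+)ms$")
    result = {"ok": False, "rtt_ms": None, "live": None, "warnings": []}
    for raw in journal.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a dnscrypt-proxy line
        msg = m.group("msg")
        if m.group("level") == "WARNING":
            result["warnings"].append(msg)
        elif (hit := ok.match(msg)):
            result["ok"], result["rtt_ms"] = True, int(hit.group(1))
        elif (live := LIVE.search(msg)):
            result["live"] = int(live.group(1))
    return result


if __name__ == "__main__":
    print(check_doh(JOURNAL, "PRIVATE-rd-server"))
```

With the full journal from either scenario as input, the warnings list also includes the "Missing stamp" lines, which the regular-expression check passes over.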

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key ZcxctmyfAtwdRBuHSFm61Nij
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
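
A structural pre-check of the minisign-key values used in the scenarios above, as an added example that is not part of the original test suite or of the product: a minisign public key is the base64 encoding of 42 bytes (the algorithm tag "Ed", an 8-byte key ID and a 32-byte Ed25519 public key). The function names `parse_minisign_pubkey` and `is_well_formed` are assumptions made for this example.

```python
import base64
import binascii

# Keys exactly as they appear in the scenarios on this page.
KEYS = {
    "Valid Source": "RWQmaR3fUrQXRs7Rhkc3B2HHY0bpognevEm4nzVzCey7UU9wzyoHb2Op",
    "Invalid Source": "ZcxctmyfAtwdRBuHSFm61Nij",
    "Invalid Minisign Key": "InvalidMinisignKey==",
}


def parse_minisign_pubkey(b64: str):
    """Return (key_id, ed25519_public_key) or raise ValueError."""
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently discarding them.
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    if len(raw) != 42:
        raise ValueError(f"decoded length {len(raw)}, expected 42")
    if raw[:2] != b"Ed":
        raise ValueError(f"unexpected algorithm tag {raw[:2]!r}")
    return raw[2:10], raw[10:]


def is_well_formed(b64: str) -> bool:
    """True when the value has the structure of a minisign public key."""
    try:
        parse_minisign_pubkey(b64)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for scenario, key in KEYS.items():
        print(f"{scenario}: well-formed={is_well_formed(key)}")
```

This checks structure only; whether a well-formed key actually signed the source list is decided by signature verification, which this example does not perform. Neither key from the two negative scenarios decodes to a 42-byte "Ed" key.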