Source

Test suite to validate using one or multiple ciphers to protect DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWT8Tw2qzVvd50orB/Vc7ncjsuDusj16sMYw2vuFZJQFrf741JeILnRL
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expression:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$

Output:

May 26 11:58:51.281645 osdx systemd-journald[1847]: Runtime Journal (/run/log/journal/f6c1fe6bbcb147bb817825fa9dee7ff8) is 2.0M, max 15.3M, 13.2M free.
May 26 11:58:51.282796 osdx systemd-journald[1847]: Received client request to rotate journal, rotating.
May 26 11:58:51.282846 osdx systemd-journald[1847]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f6c1fe6bbcb147bb817825fa9dee7ff8.
May 26 11:58:51.291065 osdx OSDxCLI[29144]: User 'admin' executed a new command: 'system journal clear'.
May 26 11:58:51.625333 osdx osdx-coredump[111096]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 26 11:58:51.632916 osdx OSDxCLI[29144]: User 'admin' executed a new command: 'system coredump delete all'.
May 26 11:58:52.136849 osdx OSDxCLI[29144]: User 'admin' entered the configuration menu.
May 26 11:58:52.228698 osdx OSDxCLI[29144]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 26 11:58:52.335637 osdx OSDxCLI[29144]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 26 11:58:52.439259 osdx OSDxCLI[29144]: User 'admin' added a new cfg line: 'show working'.
May 26 11:58:52.531358 osdx INFO[111116]: FRR daemons did not change
May 26 11:58:52.550802 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 26 11:58:52.650982 osdx cfgd[1653]: [29144]Completed change to active configuration
May 26 11:58:52.685592 osdx OSDxCLI[29144]: User 'admin' committed the configuration.
May 26 11:58:52.705946 osdx OSDxCLI[29144]: User 'admin' left the configuration menu.
May 26 11:58:52.853128 osdx OSDxCLI[29144]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 26 11:58:53.045392 osdx OSDxCLI[29144]: User 'admin' entered the configuration menu.
May 26 11:58:53.129628 osdx OSDxCLI[29144]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 26 11:58:53.246229 osdx OSDxCLI[29144]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
May 26 11:58:53.299836 osdx OSDxCLI[29144]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWT8Tw2qzVvd50orB/Vc7ncjsuDusj16sMYw2vuFZJQFrf741JeILnRL'.
May 26 11:58:53.406232 osdx OSDxCLI[29144]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
May 26 11:58:53.492145 osdx OSDxCLI[29144]: User 'admin' added a new cfg line: 'show working'.
May 26 11:58:53.611176 osdx INFO[111224]: FRR daemons did not change
May 26 11:58:53.624009 osdx ca-certificates[111240]: Updating certificates in /etc/ssl/certs...
May 26 11:58:54.134829 osdx ca-certificates[112243]: 1 added, 0 removed; done.
May 26 11:58:54.137720 osdx ca-certificates[112250]: Running hooks in /etc/ca-certificates/update.d...
May 26 11:58:54.140743 osdx ca-certificates[112252]: done.
May 26 11:58:54.191042 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 26 11:58:54.192018 osdx cfgd[1653]: [29144]Completed change to active configuration
May 26 11:58:54.196398 osdx OSDxCLI[29144]: User 'admin' committed the configuration.
May 26 11:58:54.222807 osdx OSDxCLI[29144]: User 'admin' left the configuration menu.
May 26 11:58:54.225012 osdx dnscrypt-proxy[112256]: [2025-05-26 11:58:54] [NOTICE] dnscrypt-proxy 2.0.45
May 26 11:58:54.225205 osdx dnscrypt-proxy[112256]: [2025-05-26 11:58:54] [NOTICE] Network connectivity detected
May 26 11:58:54.225307 osdx dnscrypt-proxy[112256]: [2025-05-26 11:58:54] [NOTICE] Dropping privileges
May 26 11:58:54.227836 osdx dnscrypt-proxy[112256]: [2025-05-26 11:58:54] [NOTICE] Network connectivity detected
May 26 11:58:54.227891 osdx dnscrypt-proxy[112256]: [2025-05-26 11:58:54] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
May 26 11:58:54.227891 osdx dnscrypt-proxy[112256]: [2025-05-26 11:58:54] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
May 26 11:58:54.251787 osdx dnscrypt-proxy[112256]: [2025-05-26 11:58:54] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-omdmqgxxdbscyjg4.tmp: permission denied
May 26 11:58:54.251787 osdx dnscrypt-proxy[112256]: [2025-05-26 11:58:54] [NOTICE] Source [RD] loaded
May 26 11:58:54.251865 osdx dnscrypt-proxy[112256]: [2025-05-26 11:58:54] [WARNING] Missing stamp for server [server-name`]
May 26 11:58:54.251865 osdx dnscrypt-proxy[112256]: [2025-05-26 11:58:54] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
May 26 11:58:54.251865 osdx dnscrypt-proxy[112256]: [2025-05-26 11:58:54] [NOTICE] Firefox workaround initialized
May 26 11:58:54.251865 osdx dnscrypt-proxy[112256]: [2025-05-26 11:58:54] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpq1gf2tmi]
May 26 11:58:54.377931 osdx dnscrypt-proxy[112256]: [2025-05-26 11:58:54] [NOTICE] [rd-server] OK (DoH) - rtt: 104ms
May 26 11:58:54.377931 osdx dnscrypt-proxy[112256]: [2025-05-26 11:58:54] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 104ms)
May 26 11:58:54.377931 osdx dnscrypt-proxy[112256]: [2025-05-26 11:58:54] [NOTICE] dnscrypt-proxy is ready - live servers: 1
May 26 11:58:54.379160 osdx OSDxCLI[29144]: User 'admin' executed a new command: 'system journal show | cat'.

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWT8Tw2qzVvd50orB/Vc7ncjsuDusj16sMYw2vuFZJQFrf741JeILnRL
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expression:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$

Output:

May 26 11:59:01.311067 osdx systemd-journald[1847]: Runtime Journal (/run/log/journal/f6c1fe6bbcb147bb817825fa9dee7ff8) is 2.0M, max 15.3M, 13.3M free.
May 26 11:59:01.313369 osdx systemd-journald[1847]: Received client request to rotate journal, rotating.
May 26 11:59:01.313439 osdx systemd-journald[1847]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f6c1fe6bbcb147bb817825fa9dee7ff8.
May 26 11:59:01.323372 osdx OSDxCLI[29144]: User 'admin' executed a new command: 'system journal clear'.
May 26 11:59:01.678725 osdx osdx-coredump[113854]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 26 11:59:01.686253 osdx OSDxCLI[29144]: User 'admin' executed a new command: 'system coredump delete all'.
May 26 11:59:02.169390 osdx OSDxCLI[29144]: User 'admin' entered the configuration menu.
May 26 11:59:02.268177 osdx OSDxCLI[29144]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 26 11:59:02.354231 osdx OSDxCLI[29144]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 26 11:59:02.421299 osdx OSDxCLI[29144]: User 'admin' added a new cfg line: 'show working'.
May 26 11:59:02.533896 osdx INFO[113877]: FRR daemons did not change
May 26 11:59:02.553364 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 26 11:59:02.652106 osdx cfgd[1653]: [29144]Completed change to active configuration
May 26 11:59:02.680232 osdx OSDxCLI[29144]: User 'admin' committed the configuration.
May 26 11:59:02.710114 osdx OSDxCLI[29144]: User 'admin' left the configuration menu.
May 26 11:59:02.878517 osdx OSDxCLI[29144]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 26 11:59:03.083302 osdx OSDxCLI[29144]: User 'admin' entered the configuration menu.
May 26 11:59:03.167630 osdx OSDxCLI[29144]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 26 11:59:03.295658 osdx OSDxCLI[29144]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
May 26 11:59:03.363128 osdx OSDxCLI[29144]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWT8Tw2qzVvd50orB/Vc7ncjsuDusj16sMYw2vuFZJQFrf741JeILnRL'.
May 26 11:59:03.475642 osdx OSDxCLI[29144]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
May 26 11:59:03.544594 osdx OSDxCLI[29144]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
May 26 11:59:03.687754 osdx OSDxCLI[29144]: User 'admin' added a new cfg line: 'show working'.
May 26 11:59:03.795727 osdx INFO[113986]: FRR daemons did not change
May 26 11:59:03.808962 osdx ca-certificates[114002]: Updating certificates in /etc/ssl/certs...
May 26 11:59:04.318222 osdx ca-certificates[115005]: 1 added, 0 removed; done.
May 26 11:59:04.321945 osdx ca-certificates[115012]: Running hooks in /etc/ca-certificates/update.d...
May 26 11:59:04.325122 osdx ca-certificates[115014]: done.
May 26 11:59:04.385668 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 26 11:59:04.387270 osdx cfgd[1653]: [29144]Completed change to active configuration
May 26 11:59:04.389895 osdx OSDxCLI[29144]: User 'admin' committed the configuration.
May 26 11:59:04.412626 osdx OSDxCLI[29144]: User 'admin' left the configuration menu.
May 26 11:59:04.417138 osdx dnscrypt-proxy[115018]: [2025-05-26 11:59:04] [NOTICE] dnscrypt-proxy 2.0.45
May 26 11:59:04.417372 osdx dnscrypt-proxy[115018]: [2025-05-26 11:59:04] [NOTICE] Network connectivity detected
May 26 11:59:04.417400 osdx dnscrypt-proxy[115018]: [2025-05-26 11:59:04] [NOTICE] Dropping privileges
May 26 11:59:04.419450 osdx dnscrypt-proxy[115018]: [2025-05-26 11:59:04] [NOTICE] Network connectivity detected
May 26 11:59:04.419493 osdx dnscrypt-proxy[115018]: [2025-05-26 11:59:04] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
May 26 11:59:04.419493 osdx dnscrypt-proxy[115018]: [2025-05-26 11:59:04] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
May 26 11:59:04.420652 osdx dnscrypt-proxy[115018]: [2025-05-26 11:59:04] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-qzhbpqouarthnoo4.tmp: permission denied
May 26 11:59:04.420652 osdx dnscrypt-proxy[115018]: [2025-05-26 11:59:04] [NOTICE] Source [RD] loaded
May 26 11:59:04.420723 osdx dnscrypt-proxy[115018]: [2025-05-26 11:59:04] [WARNING] Missing stamp for server [PRIVATE-server-name`]
May 26 11:59:04.420723 osdx dnscrypt-proxy[115018]: [2025-05-26 11:59:04] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
May 26 11:59:04.420723 osdx dnscrypt-proxy[115018]: [2025-05-26 11:59:04] [NOTICE] Firefox workaround initialized
May 26 11:59:04.420723 osdx dnscrypt-proxy[115018]: [2025-05-26 11:59:04] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpm4xy193u]
May 26 11:59:04.547136 osdx dnscrypt-proxy[115018]: [2025-05-26 11:59:04] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 101ms
May 26 11:59:04.547136 osdx dnscrypt-proxy[115018]: [2025-05-26 11:59:04] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 101ms)
May 26 11:59:04.547136 osdx dnscrypt-proxy[115018]: [2025-05-26 11:59:04] [NOTICE] dnscrypt-proxy is ready - live servers: 1
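
The Step 2 check of both valid-source scenarios can be run offline against captured journal text. This is an added example, not part of the test suite itself: it applies the same pass condition and also collects the WARNING lines that the pass regex ignores; the function names doh_rtt and summarize are assumptions.

```python
import re

# Excerpt copied from the "Valid Source With Prefix" journal output above.
SAMPLE_JOURNAL = """\
May 26 11:59:04.420652 osdx dnscrypt-proxy[115018]: [2025-05-26 11:59:04] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-qzhbpqouarthnoo4.tmp: permission denied
May 26 11:59:04.420652 osdx dnscrypt-proxy[115018]: [2025-05-26 11:59:04] [NOTICE] Source [RD] loaded
May 26 11:59:04.420723 osdx dnscrypt-proxy[115018]: [2025-05-26 11:59:04] [WARNING] Missing stamp for server [PRIVATE-server-name`]
May 26 11:59:04.547136 osdx dnscrypt-proxy[115018]: [2025-05-26 11:59:04] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 101ms
May 26 11:59:04.547136 osdx dnscrypt-proxy[115018]: [2025-05-26 11:59:04] [NOTICE] dnscrypt-proxy is ready - live servers: 1
"""

# One dnscrypt-proxy journal line: process tag, timestamp, level, message.
LINE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$",
    re.MULTILINE,
)

def doh_rtt(journal, server_name):
    """Return the RTT in ms if [server_name] reported OK (DoH), else None."""
    # Same condition as Step 2, with MULTILINE passed as a flag: recent Python
    # versions reject a global inline flag such as (?m) placed after '^'.
    pattern = re.compile(
        r"^.*\[" + re.escape(server_name) + r"\] OK \(DoH\) - rtt: (\d+)ms$",
        re.MULTILINE,
    )
    match = pattern.search(journal)
    return int(match.group(1)) if match else None

def summarize(journal, source, server_name):
    """Collect the pass condition plus the warnings the pass regex ignores."""
    events = [(m["level"], m["msg"]) for m in LINE.finditer(journal)]
    live = [int(n) for _, msg in events
            for n in re.findall(r"live servers: (\d+)$", msg)]
    return {
        "source_loaded": ("NOTICE", f"Source [{source}] loaded") in events,
        "rtt_ms": doh_rtt(journal, server_name),
        "live_servers": live[-1] if live else 0,
        "warnings": [msg for level, msg in events if level == "WARNING"],
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_JOURNAL, "RD", "PRIVATE-rd-server"))
```

On the output above the pass condition is met while two WARNING lines (cache write denied, missing stamp) are also logged, so a harness that expects a clean start should assert on the warnings list as well. The bracketed match also means the unprefixed name rd-server does not satisfy the check once the prefix is configured.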

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key oMsxgF58vwDQRbSFGb7SLQo4
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'