Source

Test suite to validate using one or multiple ciphers to protect DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWQS3zT4PzYhYypCui1x/fjTnYcfF6K8uPJSGST/mizbDy5qioJVIiQ/
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' at DUT0 and check that the output matches the following regular expressions:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Feb 19 17:26:13.492492 osdx systemd-journald[1749]: Runtime Journal (/run/log/journal/88d6d46990514354af95198d86011406) is 2.0M, max 15.3M, 13.2M free.
Feb 19 17:26:13.495273 osdx systemd-journald[1749]: Received client request to rotate journal, rotating.
Feb 19 17:26:13.495372 osdx systemd-journald[1749]: Vacuuming done, freed 0B of archived journals from /run/log/journal/88d6d46990514354af95198d86011406.
Feb 19 17:26:13.518771 osdx OSDxCLI[95458]: User 'admin' executed a new command: 'system journal clear'.
Feb 19 17:26:14.036659 osdx osdx-coredump[243212]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Feb 19 17:26:14.070046 osdx OSDxCLI[95458]: User 'admin' executed a new command: 'system coredump delete all'.
Feb 19 17:26:14.833569 osdx OSDxCLI[95458]: User 'admin' entered the configuration menu.
Feb 19 17:26:14.989381 osdx OSDxCLI[95458]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 19 17:26:15.079805 osdx OSDxCLI[95458]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 19 17:26:15.225405 osdx OSDxCLI[95458]: User 'admin' added a new cfg line: 'show working'.
Feb 19 17:26:15.347489 osdx INFO[243236]: FRR daemons did not change
Feb 19 17:26:15.379098 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 19 17:26:15.547970 osdx cfgd[1448]: [95458]Completed change to active configuration
Feb 19 17:26:15.590137 osdx OSDxCLI[95458]: User 'admin' committed the configuration.
Feb 19 17:26:15.668778 osdx OSDxCLI[95458]: User 'admin' left the configuration menu.
Feb 19 17:26:15.865505 osdx OSDxCLI[95458]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Feb 19 17:26:16.108268 osdx OSDxCLI[95458]: User 'admin' entered the configuration menu.
Feb 19 17:26:16.235747 osdx OSDxCLI[95458]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 19 17:26:16.410511 osdx OSDxCLI[95458]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Feb 19 17:26:16.603484 osdx OSDxCLI[95458]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQS3zT4PzYhYypCui1x/fjTnYcfF6K8uPJSGST/mizbDy5qioJVIiQ/'.
Feb 19 17:26:16.788215 osdx OSDxCLI[95458]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Feb 19 17:26:16.989021 osdx OSDxCLI[95458]: User 'admin' added a new cfg line: 'show working'.
Feb 19 17:26:17.149230 osdx INFO[243348]: FRR daemons did not change
Feb 19 17:26:17.173288 osdx ca-certificates[243364]: Updating certificates in /etc/ssl/certs...
Feb 19 17:26:18.739976 osdx ca-certificates[244369]: 1 added, 0 removed; done.
Feb 19 17:26:18.746696 osdx ca-certificates[244374]: Running hooks in /etc/ca-certificates/update.d...
Feb 19 17:26:18.752569 osdx ca-certificates[244376]: done.
Feb 19 17:26:18.859722 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 19 17:26:18.863176 osdx cfgd[1448]: [95458]Completed change to active configuration
Feb 19 17:26:18.869039 osdx OSDxCLI[95458]: User 'admin' committed the configuration.
Feb 19 17:26:18.915243 osdx dnscrypt-proxy[244380]: [2025-02-19 17:26:18] [NOTICE] dnscrypt-proxy 2.0.45
Feb 19 17:26:18.915554 osdx dnscrypt-proxy[244380]: [2025-02-19 17:26:18] [NOTICE] Network connectivity detected
Feb 19 17:26:18.916357 osdx dnscrypt-proxy[244380]: [2025-02-19 17:26:18] [NOTICE] Dropping privileges
Feb 19 17:26:18.925138 osdx OSDxCLI[95458]: User 'admin' left the configuration menu.
Feb 19 17:26:18.932531 osdx dnscrypt-proxy[244380]: [2025-02-19 17:26:18] [NOTICE] Network connectivity detected
Feb 19 17:26:18.932716 osdx dnscrypt-proxy[244380]: [2025-02-19 17:26:18] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Feb 19 17:26:18.932805 osdx dnscrypt-proxy[244380]: [2025-02-19 17:26:18] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Feb 19 17:26:19.187011 osdx dnscrypt-proxy[244380]: [2025-02-19 17:26:19] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-am6djtwengcbxtrl.tmp: permission denied
Feb 19 17:26:19.187240 osdx dnscrypt-proxy[244380]: [2025-02-19 17:26:19] [NOTICE] Source [RD] loaded
Feb 19 17:26:19.187367 osdx dnscrypt-proxy[244380]: [2025-02-19 17:26:19] [WARNING] Missing stamp for server [server-name`]
Feb 19 17:26:19.187466 osdx dnscrypt-proxy[244380]: [2025-02-19 17:26:19] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Feb 19 17:26:19.187553 osdx dnscrypt-proxy[244380]: [2025-02-19 17:26:19] [NOTICE] Firefox workaround initialized
Feb 19 17:26:19.187622 osdx dnscrypt-proxy[244380]: [2025-02-19 17:26:19] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp1uoi4d9n]
Feb 19 17:26:19.216321 osdx OSDxCLI[95458]: User 'admin' executed a new command: 'system journal show | cat'.
Feb 19 17:26:19.333880 osdx dnscrypt-proxy[244380]: [2025-02-19 17:26:19] [NOTICE] [rd-server] OK (DoH) - rtt: 52ms
Feb 19 17:26:19.333880 osdx dnscrypt-proxy[244380]: [2025-02-19 17:26:19] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 52ms)
Feb 19 17:26:19.333880 osdx dnscrypt-proxy[244380]: [2025-02-19 17:26:19] [NOTICE] dnscrypt-proxy is ready - live servers: 1
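
The Step 2 regular expression only looks for the "OK (DoH)" record, so it passes even though the same journal carries WARNING records from dnscrypt-proxy. The following added example (not part of the OSDx test suite; the function and variable names are illustrative) applies the same check to an excerpt of the journal above and also returns the warnings and the live server count:

```python
import re

# Excerpt of the dnscrypt-proxy records from the "Valid Source" journal on this page.
JOURNAL = """\
Feb 19 17:26:19.187011 osdx dnscrypt-proxy[244380]: [2025-02-19 17:26:19] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-am6djtwengcbxtrl.tmp: permission denied
Feb 19 17:26:19.187240 osdx dnscrypt-proxy[244380]: [2025-02-19 17:26:19] [NOTICE] Source [RD] loaded
Feb 19 17:26:19.187367 osdx dnscrypt-proxy[244380]: [2025-02-19 17:26:19] [WARNING] Missing stamp for server [server-name`]
Feb 19 17:26:19.333880 osdx dnscrypt-proxy[244380]: [2025-02-19 17:26:19] [NOTICE] [rd-server] OK (DoH) - rtt: 52ms
Feb 19 17:26:19.333880 osdx dnscrypt-proxy[244380]: [2025-02-19 17:26:19] [NOTICE] dnscrypt-proxy is ready - live servers: 1
"""

# journal prefix, unit[pid], dnscrypt-proxy's own timestamp, level, message
LINE_RE = re.compile(
    r"^.* dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
READY_PREFIX = "dnscrypt-proxy is ready - live servers: "


def summarize(journal, server):
    """Apply the Step 2 check for `server` and collect what that check ignores."""
    ok_re = re.compile(r"\[%s\] OK \(DoH\) - rtt: (\d+)ms$" % re.escape(server))
    result = {"ok": False, "rtt_ms": None, "live_servers": None, "warnings": []}
    for line in journal.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a dnscrypt-proxy record
        level, msg = m.group("level"), m.group("msg")
        hit = ok_re.match(msg)
        if level == "WARNING":
            result["warnings"].append(msg)
        elif hit:
            result["ok"], result["rtt_ms"] = True, int(hit.group(1))
        elif msg.startswith(READY_PREFIX):
            result["live_servers"] = int(msg[len(READY_PREFIX):])
    return result


if __name__ == "__main__":
    print(summarize(JOURNAL, "rd-server"))
```
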

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWQS3zT4PzYhYypCui1x/fjTnYcfF6K8uPJSGST/mizbDy5qioJVIiQ/
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' at DUT0 and check that the output matches the following regular expressions:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Feb 19 17:26:28.649713 osdx systemd-journald[1749]: Runtime Journal (/run/log/journal/88d6d46990514354af95198d86011406) is 2.0M, max 15.3M, 13.3M free.
Feb 19 17:26:28.652968 osdx systemd-journald[1749]: Received client request to rotate journal, rotating.
Feb 19 17:26:28.653086 osdx systemd-journald[1749]: Vacuuming done, freed 0B of archived journals from /run/log/journal/88d6d46990514354af95198d86011406.
Feb 19 17:26:28.669588 osdx OSDxCLI[95458]: User 'admin' executed a new command: 'system journal clear'.
Feb 19 17:26:29.509641 osdx osdx-coredump[245987]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Feb 19 17:26:29.525993 osdx OSDxCLI[95458]: User 'admin' executed a new command: 'system coredump delete all'.
Feb 19 17:26:30.524396 osdx OSDxCLI[95458]: User 'admin' entered the configuration menu.
Feb 19 17:26:30.698446 osdx OSDxCLI[95458]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 19 17:26:30.839040 osdx OSDxCLI[95458]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 19 17:26:30.986158 osdx OSDxCLI[95458]: User 'admin' added a new cfg line: 'show working'.
Feb 19 17:26:31.127844 osdx INFO[246011]: FRR daemons did not change
Feb 19 17:26:31.168941 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 19 17:26:31.393675 osdx cfgd[1448]: [95458]Completed change to active configuration
Feb 19 17:26:31.439358 osdx OSDxCLI[95458]: User 'admin' committed the configuration.
Feb 19 17:26:31.500083 osdx OSDxCLI[95458]: User 'admin' left the configuration menu.
Feb 19 17:26:31.793931 osdx OSDxCLI[95458]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Feb 19 17:26:32.080154 osdx OSDxCLI[95458]: User 'admin' entered the configuration menu.
Feb 19 17:26:32.219550 osdx OSDxCLI[95458]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 19 17:26:32.378359 osdx OSDxCLI[95458]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Feb 19 17:26:32.542393 osdx OSDxCLI[95458]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQS3zT4PzYhYypCui1x/fjTnYcfF6K8uPJSGST/mizbDy5qioJVIiQ/'.
Feb 19 17:26:32.665635 osdx OSDxCLI[95458]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Feb 19 17:26:32.779888 osdx OSDxCLI[95458]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Feb 19 17:26:32.955271 osdx OSDxCLI[95458]: User 'admin' added a new cfg line: 'show working'.
Feb 19 17:26:33.101970 osdx INFO[246124]: FRR daemons did not change
Feb 19 17:26:33.140218 osdx ca-certificates[246140]: Updating certificates in /etc/ssl/certs...
Feb 19 17:26:34.471151 osdx ca-certificates[247143]: 1 added, 0 removed; done.
Feb 19 17:26:34.479147 osdx ca-certificates[247150]: Running hooks in /etc/ca-certificates/update.d...
Feb 19 17:26:34.484450 osdx ca-certificates[247152]: done.
Feb 19 17:26:34.584435 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 19 17:26:34.586752 osdx cfgd[1448]: [95458]Completed change to active configuration
Feb 19 17:26:34.590483 osdx OSDxCLI[95458]: User 'admin' committed the configuration.
Feb 19 17:26:34.632807 osdx OSDxCLI[95458]: User 'admin' left the configuration menu.
Feb 19 17:26:34.634101 osdx dnscrypt-proxy[247156]: [2025-02-19 17:26:34] [NOTICE] dnscrypt-proxy 2.0.45
Feb 19 17:26:34.634370 osdx dnscrypt-proxy[247156]: [2025-02-19 17:26:34] [NOTICE] Network connectivity detected
Feb 19 17:26:34.634607 osdx dnscrypt-proxy[247156]: [2025-02-19 17:26:34] [NOTICE] Dropping privileges
Feb 19 17:26:34.639108 osdx dnscrypt-proxy[247156]: [2025-02-19 17:26:34] [NOTICE] Network connectivity detected
Feb 19 17:26:34.639108 osdx dnscrypt-proxy[247156]: [2025-02-19 17:26:34] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Feb 19 17:26:34.639108 osdx dnscrypt-proxy[247156]: [2025-02-19 17:26:34] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Feb 19 17:26:34.640582 osdx dnscrypt-proxy[247156]: [2025-02-19 17:26:34] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-7w3c65jmxwsic6t4.tmp: permission denied
Feb 19 17:26:34.640582 osdx dnscrypt-proxy[247156]: [2025-02-19 17:26:34] [NOTICE] Source [RD] loaded
Feb 19 17:26:34.640741 osdx dnscrypt-proxy[247156]: [2025-02-19 17:26:34] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Feb 19 17:26:34.640741 osdx dnscrypt-proxy[247156]: [2025-02-19 17:26:34] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Feb 19 17:26:34.640741 osdx dnscrypt-proxy[247156]: [2025-02-19 17:26:34] [NOTICE] Firefox workaround initialized
Feb 19 17:26:34.640741 osdx dnscrypt-proxy[247156]: [2025-02-19 17:26:34] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpo8o_kz26]
Feb 19 17:26:34.774415 osdx dnscrypt-proxy[247156]: [2025-02-19 17:26:34] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 69ms
Feb 19 17:26:34.774415 osdx dnscrypt-proxy[247156]: [2025-02-19 17:26:34] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 69ms)
Feb 19 17:26:34.774415 osdx dnscrypt-proxy[247156]: [2025-02-19 17:26:34] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key GtEA1GIWzvDY0CEUEiz7bap2
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
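
The three minisign-key values used on this page already differ at the encoding level. The following added example (not part of the OSDx test suite or of dnscrypt-proxy; function names are illustrative) decodes each value and checks the minisign public-key layout: a 2-byte algorithm id "Ed", an 8-byte key id and a 32-byte Ed25519 key. It is a structural check only and says nothing about whether a well-formed key actually signed the source list.

```python
import base64
import binascii

# Key values copied from the scenarios on this page.
VALID_KEY = "RWQS3zT4PzYhYypCui1x/fjTnYcfF6K8uPJSGST/mizbDy5qioJVIiQ/"
RANDOM_KEY = "GtEA1GIWzvDY0CEUEiz7bap2"   # from "Invalid Source"
MALFORMED_KEY = "InvalidMinisignKey=="    # from "Invalid Minisign Key"

MINISIGN_ALG = b"Ed"     # algorithm id of a minisign Ed25519 public key
KEY_ID_LEN = 8
ED25519_PK_LEN = 32
EXPECTED_LEN = len(MINISIGN_ALG) + KEY_ID_LEN + ED25519_PK_LEN  # 42 bytes


def parse_minisign_pubkey(text):
    """Return (algorithm, key_id, public_key) or raise ValueError."""
    try:
        raw = base64.b64decode(text.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if len(raw) != EXPECTED_LEN:
        raise ValueError(f"decoded to {len(raw)} bytes, expected {EXPECTED_LEN}")
    alg, key_id, public_key = raw[:2], raw[2:10], raw[10:]
    if alg != MINISIGN_ALG:
        raise ValueError(f"unexpected algorithm id {alg!r}")
    return alg, key_id, public_key


def check_key(text):
    """Return (ok, detail); usable as a lint before committing a source."""
    try:
        _, key_id, _ = parse_minisign_pubkey(text)
    except ValueError as exc:
        return False, str(exc)
    # The .minisig file of the source must carry the same key id.
    return True, f"key id bytes {key_id.hex()}"


if __name__ == "__main__":
    for name, key in [("valid", VALID_KEY), ("random", RANDOM_KEY),
                      ("malformed", MALFORMED_KEY)]:
        print(name, check_key(key))
```
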