Source

Test suite to validate using one or multiple ciphers to protect DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWTt7DYU0ZgUAcoieyMSSPMOLL1TJYZDnDtWxZ0qvDG+ekYo570V8bs9
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' at DUT0 and check that the output matches the following regular expression:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Mar 10 12:46:34.329909 osdx systemd-journald[51744]: Runtime Journal (/run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6) is 2.0M, max 15.3M, 13.2M free.
Mar 10 12:46:34.330666 osdx systemd-journald[51744]: Received client request to rotate journal, rotating.
Mar 10 12:46:34.330715 osdx systemd-journald[51744]: Vacuuming done, freed 0B of archived journals from /run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6.
Mar 10 12:46:34.343161 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'system journal clear'.
Mar 10 12:46:34.685307 osdx osdx-coredump[204859]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Mar 10 12:46:34.692900 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'system coredump delete all'.
Mar 10 12:46:35.165966 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:46:35.255670 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 10 12:46:35.361789 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 10 12:46:35.447512 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:46:35.566465 osdx INFO[204883]: FRR daemons did not change
Mar 10 12:46:35.590679 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 10 12:46:35.714595 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:46:35.749752 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:46:35.765672 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:46:35.931563 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Mar 10 12:46:36.106526 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:46:36.181961 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 10 12:46:36.282086 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Mar 10 12:46:36.337082 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWTt7DYU0ZgUAcoieyMSSPMOLL1TJYZDnDtWxZ0qvDG+ekYo570V8bs9'.
Mar 10 12:46:36.434288 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Mar 10 12:46:36.544010 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:46:36.620996 osdx INFO[204995]: FRR daemons did not change
Mar 10 12:46:36.635099 osdx ca-certificates[205011]: Updating certificates in /etc/ssl/certs...
Mar 10 12:46:37.131060 osdx ca-certificates[206015]: 1 added, 0 removed; done.
Mar 10 12:46:37.134048 osdx ca-certificates[206021]: Running hooks in /etc/ca-certificates/update.d...
Mar 10 12:46:37.136734 osdx ca-certificates[206023]: done.
Mar 10 12:46:37.206977 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:46:37.208211 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:46:37.211858 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:46:37.232573 osdx dnscrypt-proxy[206027]: [2025-03-10 12:46:37] [NOTICE] dnscrypt-proxy 2.0.45
Mar 10 12:46:37.232760 osdx dnscrypt-proxy[206027]: [2025-03-10 12:46:37] [NOTICE] Network connectivity detected
Mar 10 12:46:37.232818 osdx dnscrypt-proxy[206027]: [2025-03-10 12:46:37] [NOTICE] Dropping privileges
Mar 10 12:46:37.234930 osdx dnscrypt-proxy[206027]: [2025-03-10 12:46:37] [NOTICE] Network connectivity detected
Mar 10 12:46:37.234980 osdx dnscrypt-proxy[206027]: [2025-03-10 12:46:37] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Mar 10 12:46:37.234980 osdx dnscrypt-proxy[206027]: [2025-03-10 12:46:37] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Mar 10 12:46:37.238727 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:46:37.246028 osdx dnscrypt-proxy[206027]: [2025-03-10 12:46:37] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-p2nde5fupudhigmw.tmp: permission denied
Mar 10 12:46:37.246028 osdx dnscrypt-proxy[206027]: [2025-03-10 12:46:37] [NOTICE] Source [RD] loaded
Mar 10 12:46:37.246114 osdx dnscrypt-proxy[206027]: [2025-03-10 12:46:37] [WARNING] Missing stamp for server [server-name`]
Mar 10 12:46:37.246114 osdx dnscrypt-proxy[206027]: [2025-03-10 12:46:37] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Mar 10 12:46:37.246114 osdx dnscrypt-proxy[206027]: [2025-03-10 12:46:37] [NOTICE] Firefox workaround initialized
Mar 10 12:46:37.246114 osdx dnscrypt-proxy[206027]: [2025-03-10 12:46:37] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpkmy1mxug]
Mar 10 12:46:37.349497 osdx dnscrypt-proxy[206027]: [2025-03-10 12:46:37] [NOTICE] [rd-server] OK (DoH) - rtt: 81ms
Mar 10 12:46:37.349497 osdx dnscrypt-proxy[206027]: [2025-03-10 12:46:37] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 81ms)
Mar 10 12:46:37.349497 osdx dnscrypt-proxy[206027]: [2025-03-10 12:46:37] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWTt7DYU0ZgUAcoieyMSSPMOLL1TJYZDnDtWxZ0qvDG+ekYo570V8bs9
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' at DUT0 and check that the output matches the following regular expression:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Mar 10 12:46:42.303387 osdx systemd-journald[51744]: Runtime Journal (/run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6) is 2.0M, max 15.3M, 13.3M free.
Mar 10 12:46:42.304025 osdx systemd-journald[51744]: Received client request to rotate journal, rotating.
Mar 10 12:46:42.304066 osdx systemd-journald[51744]: Vacuuming done, freed 0B of archived journals from /run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6.
Mar 10 12:46:42.313480 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'system journal clear'.
Mar 10 12:46:42.675586 osdx osdx-coredump[207626]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Mar 10 12:46:42.685104 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'system coredump delete all'.
Mar 10 12:46:43.171215 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:46:43.264074 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 10 12:46:43.349517 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 10 12:46:43.460163 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:46:43.530360 osdx INFO[207650]: FRR daemons did not change
Mar 10 12:46:43.551850 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 10 12:46:43.657675 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:46:43.682435 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:46:43.708558 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:46:43.857367 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Mar 10 12:46:44.034169 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:46:44.112149 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 10 12:46:44.224988 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Mar 10 12:46:44.296554 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWTt7DYU0ZgUAcoieyMSSPMOLL1TJYZDnDtWxZ0qvDG+ekYo570V8bs9'.
Mar 10 12:46:44.404168 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Mar 10 12:46:44.468995 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Mar 10 12:46:44.604809 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:46:44.672406 osdx INFO[207763]: FRR daemons did not change
Mar 10 12:46:44.687711 osdx ca-certificates[207779]: Updating certificates in /etc/ssl/certs...
Mar 10 12:46:45.187094 osdx ca-certificates[208783]: 1 added, 0 removed; done.
Mar 10 12:46:45.189948 osdx ca-certificates[208789]: Running hooks in /etc/ca-certificates/update.d...
Mar 10 12:46:45.192991 osdx ca-certificates[208791]: done.
Mar 10 12:46:45.256209 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:46:45.257323 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:46:45.260296 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:46:45.276854 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:46:45.288900 osdx dnscrypt-proxy[208795]: [2025-03-10 12:46:45] [NOTICE] dnscrypt-proxy 2.0.45
Mar 10 12:46:45.289111 osdx dnscrypt-proxy[208795]: [2025-03-10 12:46:45] [NOTICE] Network connectivity detected
Mar 10 12:46:45.289230 osdx dnscrypt-proxy[208795]: [2025-03-10 12:46:45] [NOTICE] Dropping privileges
Mar 10 12:46:45.291556 osdx dnscrypt-proxy[208795]: [2025-03-10 12:46:45] [NOTICE] Network connectivity detected
Mar 10 12:46:45.291585 osdx dnscrypt-proxy[208795]: [2025-03-10 12:46:45] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Mar 10 12:46:45.291585 osdx dnscrypt-proxy[208795]: [2025-03-10 12:46:45] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Mar 10 12:46:45.292448 osdx dnscrypt-proxy[208795]: [2025-03-10 12:46:45] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-bwzawe6ltahzo4po.tmp: permission denied
Mar 10 12:46:45.292448 osdx dnscrypt-proxy[208795]: [2025-03-10 12:46:45] [NOTICE] Source [RD] loaded
Mar 10 12:46:45.292637 osdx dnscrypt-proxy[208795]: [2025-03-10 12:46:45] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Mar 10 12:46:45.292669 osdx dnscrypt-proxy[208795]: [2025-03-10 12:46:45] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Mar 10 12:46:45.292669 osdx dnscrypt-proxy[208795]: [2025-03-10 12:46:45] [NOTICE] Firefox workaround initialized
Mar 10 12:46:45.292669 osdx dnscrypt-proxy[208795]: [2025-03-10 12:46:45] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp5cmjmopi]
Mar 10 12:46:45.393632 osdx dnscrypt-proxy[208795]: [2025-03-10 12:46:45] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 79ms
Mar 10 12:46:45.393749 osdx dnscrypt-proxy[208795]: [2025-03-10 12:46:45] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 79ms)
Mar 10 12:46:45.393781 osdx dnscrypt-proxy[208795]: [2025-03-10 12:46:45] [NOTICE] dnscrypt-proxy is ready - live servers: 1
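
The Step 2 check from the two scenarios above, as an added Python example (not the test suite's own code): it applies the page's pattern to journal text, requires an exact server-name match so the prefixed and unprefixed names are not confused, and collects dnscrypt-proxy warnings. The function name `check_journal` is hypothetical; the sample lines are excerpted from the outputs above.

```python
import re

# The page's pattern is ^(?m)^.*\[NAME\] OK \(DoH\) - rtt: \d+ms$ . Python 3.11+
# rejects an inline global flag that is not at the very start of the pattern,
# so multiline mode is passed as re.MULTILINE instead; matching is unchanged.
OK_LINE = re.compile(
    r"^.*\[(?P<server>[^\]]+)\] OK \((?P<proto>[^)]+)\) - rtt: (?P<rtt>\d+)ms$",
    re.MULTILINE,
)
WARN_LINE = re.compile(
    r"^.*dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[WARNING\] (?P<msg>.*)$", re.MULTILINE
)

def check_journal(journal, server_name):
    """Return (passed, rtt_ms, warnings) for server_name answering over DoH."""
    warnings = [m.group("msg") for m in WARN_LINE.finditer(journal)]
    for m in OK_LINE.finditer(journal):
        # Exact comparison: with 'prefix PRIVATE-' the unprefixed name must not pass.
        if m.group("server") == server_name and m.group("proto") == "DoH":
            return True, int(m.group("rtt")), warnings
    return False, None, warnings

# Journal lines excerpted from the two outputs above.
PLAIN = """\
Mar 10 12:46:37.246028 osdx dnscrypt-proxy[206027]: [2025-03-10 12:46:37] [NOTICE] Source [RD] loaded
Mar 10 12:46:37.246114 osdx dnscrypt-proxy[206027]: [2025-03-10 12:46:37] [WARNING] Missing stamp for server [server-name`]
Mar 10 12:46:37.349497 osdx dnscrypt-proxy[206027]: [2025-03-10 12:46:37] [NOTICE] [rd-server] OK (DoH) - rtt: 81ms
"""
PREFIXED = """\
Mar 10 12:46:45.292448 osdx dnscrypt-proxy[208795]: [2025-03-10 12:46:45] [NOTICE] Source [RD] loaded
Mar 10 12:46:45.393632 osdx dnscrypt-proxy[208795]: [2025-03-10 12:46:45] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 79ms
"""

if __name__ == "__main__":
    print(check_journal(PLAIN, "rd-server"))
    print(check_journal(PREFIXED, "PRIVATE-rd-server"))
    print(check_journal(PREFIXED, "rd-server"))
```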

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key l1u4Z3QPreFeNGUMhzF6UN0L
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
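
A structural pre-check for the minisign-key values used in the Invalid Source and Invalid Minisign Key scenarios, as an added Python example (not the device's or dnscrypt-proxy's own code; `check_minisign_key` is a hypothetical name). It only validates the public-key encoding; a well-formed key that did not sign the resolver list is still rejected only at signature verification.

```python
import base64
import binascii

def check_minisign_key(text):
    """Structural check of a minisign public key string.

    A minisign public key is base64 of 42 bytes:
    2-byte algorithm tag b"Ed" + 8-byte key id + 32-byte Ed25519 public key.
    Returns (ok, detail). It cannot tell whether the key is the one that
    signed the resolver list; only signature verification decides that.
    """
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"not valid base64: {exc}"
    if len(raw) != 42:
        return False, f"decoded to {len(raw)} bytes, expected 42"
    if raw[:2] != b"Ed":
        return False, f"unexpected algorithm tag {raw[:2]!r}"
    return True, f"key id bytes {raw[2:10].hex()}"

# The three minisign-key values configured in the scenarios on this page.
KEYS = {
    "valid source": "RWTt7DYU0ZgUAcoieyMSSPMOLL1TJYZDnDtWxZ0qvDG+ekYo570V8bs9",
    "invalid source": "l1u4Z3QPreFeNGUMhzF6UN0L",
    "invalid minisign key": "InvalidMinisignKey==",
}

if __name__ == "__main__":
    for label, key in KEYS.items():
        print(label, check_minisign_key(key))
```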