Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWQEeJjmfUIxcQf+xjCLNOj6gsrYZ4K0UHZjJVRVNPNrrRvVZEA0tdeb
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
May 19 14:52:11.309990 osdx systemd-journald[1859]: Runtime Journal (/run/log/journal/dd53a6d251524eaf96fe5f49da605cd5) is 2.0M, max 15.3M, 13.2M free.
May 19 14:52:11.312528 osdx systemd-journald[1859]: Received client request to rotate journal, rotating.
May 19 14:52:11.312577 osdx systemd-journald[1859]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd53a6d251524eaf96fe5f49da605cd5.
May 19 14:52:11.322691 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'system journal clear'.
May 19 14:52:11.675508 osdx osdx-coredump[169566]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 19 14:52:11.683283 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'system coredump delete all'.
May 19 14:52:12.147602 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu.
May 19 14:52:12.225710 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 19 14:52:12.312861 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 19 14:52:12.380525 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'.
May 19 14:52:12.483131 osdx INFO[169586]: FRR daemons did not change
May 19 14:52:12.508531 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 19 14:52:12.606432 osdx cfgd[1649]: [2756]Completed change to active configuration
May 19 14:52:12.634061 osdx OSDxCLI[2756]: User 'admin' committed the configuration.
May 19 14:52:12.658550 osdx OSDxCLI[2756]: User 'admin' left the configuration menu.
May 19 14:52:12.801696 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 19 14:52:12.989288 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu.
May 19 14:52:13.049095 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 19 14:52:13.152608 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
May 19 14:52:13.211968 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQEeJjmfUIxcQf+xjCLNOj6gsrYZ4K0UHZjJVRVNPNrrRvVZEA0tdeb'.
May 19 14:52:13.305648 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
May 19 14:52:13.389490 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'.
May 19 14:52:13.479411 osdx INFO[169694]: FRR daemons did not change
May 19 14:52:13.498409 osdx ca-certificates[169710]: Updating certificates in /etc/ssl/certs...
May 19 14:52:13.978847 osdx ca-certificates[170714]: 1 added, 0 removed; done.
May 19 14:52:13.981617 osdx ca-certificates[170720]: Running hooks in /etc/ca-certificates/update.d...
May 19 14:52:13.984502 osdx ca-certificates[170722]: done.
May 19 14:52:14.044811 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 19 14:52:14.046004 osdx cfgd[1649]: [2756]Completed change to active configuration
May 19 14:52:14.048143 osdx OSDxCLI[2756]: User 'admin' committed the configuration.
May 19 14:52:14.067241 osdx OSDxCLI[2756]: User 'admin' left the configuration menu.
May 19 14:52:14.068066 osdx dnscrypt-proxy[170726]: [2025-05-19 14:52:14] [NOTICE] dnscrypt-proxy 2.0.45
May 19 14:52:14.068183 osdx dnscrypt-proxy[170726]: [2025-05-19 14:52:14] [NOTICE] Network connectivity detected
May 19 14:52:14.068325 osdx dnscrypt-proxy[170726]: [2025-05-19 14:52:14] [NOTICE] Dropping privileges
May 19 14:52:14.070361 osdx dnscrypt-proxy[170726]: [2025-05-19 14:52:14] [NOTICE] Network connectivity detected
May 19 14:52:14.070386 osdx dnscrypt-proxy[170726]: [2025-05-19 14:52:14] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
May 19 14:52:14.070400 osdx dnscrypt-proxy[170726]: [2025-05-19 14:52:14] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
May 19 14:52:14.071322 osdx dnscrypt-proxy[170726]: [2025-05-19 14:52:14] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-pef6smifqrbqqobo.tmp: permission denied
May 19 14:52:14.071322 osdx dnscrypt-proxy[170726]: [2025-05-19 14:52:14] [NOTICE] Source [RD] loaded
May 19 14:52:14.071382 osdx dnscrypt-proxy[170726]: [2025-05-19 14:52:14] [WARNING] Missing stamp for server [server-name`]
May 19 14:52:14.071399 osdx dnscrypt-proxy[170726]: [2025-05-19 14:52:14] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
May 19 14:52:14.071399 osdx dnscrypt-proxy[170726]: [2025-05-19 14:52:14] [NOTICE] Firefox workaround initialized
May 19 14:52:14.071399 osdx dnscrypt-proxy[170726]: [2025-05-19 14:52:14] [NOTICE] Loading the set of cloaking rules from [/tmp/tmps9eavsjw]
May 19 14:52:14.192423 osdx dnscrypt-proxy[170726]: [2025-05-19 14:52:14] [NOTICE] [rd-server] OK (DoH) - rtt: 96ms
May 19 14:52:14.192423 osdx dnscrypt-proxy[170726]: [2025-05-19 14:52:14] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 96ms)
May 19 14:52:14.192423 osdx dnscrypt-proxy[170726]: [2025-05-19 14:52:14] [NOTICE] dnscrypt-proxy is ready - live servers: 1
May 19 14:52:14.212799 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'system journal show | cat'.
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWQEeJjmfUIxcQf+xjCLNOj6gsrYZ4K0UHZjJVRVNPNrrRvVZEA0tdeb
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
May 19 14:52:21.350151 osdx systemd-journald[1859]: Runtime Journal (/run/log/journal/dd53a6d251524eaf96fe5f49da605cd5) is 2.0M, max 15.3M, 13.3M free.
May 19 14:52:21.351545 osdx systemd-journald[1859]: Received client request to rotate journal, rotating.
May 19 14:52:21.351591 osdx systemd-journald[1859]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd53a6d251524eaf96fe5f49da605cd5.
May 19 14:52:21.362569 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'system journal clear'.
May 19 14:52:21.681156 osdx osdx-coredump[172325]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 19 14:52:21.688971 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'system coredump delete all'.
May 19 14:52:22.152265 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu.
May 19 14:52:22.227453 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 19 14:52:22.313584 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 19 14:52:22.381175 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'.
May 19 14:52:22.481038 osdx INFO[172345]: FRR daemons did not change
May 19 14:52:22.499555 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 19 14:52:22.599597 osdx cfgd[1649]: [2756]Completed change to active configuration
May 19 14:52:22.626233 osdx OSDxCLI[2756]: User 'admin' committed the configuration.
May 19 14:52:22.642970 osdx OSDxCLI[2756]: User 'admin' left the configuration menu.
May 19 14:52:22.793792 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 19 14:52:22.968046 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu.
May 19 14:52:23.033111 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 19 14:52:23.162610 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
May 19 14:52:23.221522 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQEeJjmfUIxcQf+xjCLNOj6gsrYZ4K0UHZjJVRVNPNrrRvVZEA0tdeb'.
May 19 14:52:23.319464 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
May 19 14:52:23.380896 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
May 19 14:52:23.495630 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'.
May 19 14:52:23.568294 osdx INFO[172454]: FRR daemons did not change
May 19 14:52:23.582979 osdx ca-certificates[172470]: Updating certificates in /etc/ssl/certs...
May 19 14:52:24.088943 osdx ca-certificates[173474]: 1 added, 0 removed; done.
May 19 14:52:24.091795 osdx ca-certificates[173480]: Running hooks in /etc/ca-certificates/update.d...
May 19 14:52:24.094548 osdx ca-certificates[173482]: done.
May 19 14:52:24.151835 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 19 14:52:24.153186 osdx cfgd[1649]: [2756]Completed change to active configuration
May 19 14:52:24.156302 osdx OSDxCLI[2756]: User 'admin' committed the configuration.
May 19 14:52:24.174315 osdx dnscrypt-proxy[173486]: [2025-05-19 14:52:24] [NOTICE] dnscrypt-proxy 2.0.45
May 19 14:52:24.174508 osdx dnscrypt-proxy[173486]: [2025-05-19 14:52:24] [NOTICE] Network connectivity detected
May 19 14:52:24.174581 osdx dnscrypt-proxy[173486]: [2025-05-19 14:52:24] [NOTICE] Dropping privileges
May 19 14:52:24.176461 osdx OSDxCLI[2756]: User 'admin' left the configuration menu.
May 19 14:52:24.176925 osdx dnscrypt-proxy[173486]: [2025-05-19 14:52:24] [NOTICE] Network connectivity detected
May 19 14:52:24.176953 osdx dnscrypt-proxy[173486]: [2025-05-19 14:52:24] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
May 19 14:52:24.176953 osdx dnscrypt-proxy[173486]: [2025-05-19 14:52:24] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
May 19 14:52:24.177943 osdx dnscrypt-proxy[173486]: [2025-05-19 14:52:24] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-wx62s4rm5ld6kge5.tmp: permission denied
May 19 14:52:24.177995 osdx dnscrypt-proxy[173486]: [2025-05-19 14:52:24] [NOTICE] Source [RD] loaded
May 19 14:52:24.178045 osdx dnscrypt-proxy[173486]: [2025-05-19 14:52:24] [WARNING] Missing stamp for server [PRIVATE-server-name`]
May 19 14:52:24.178090 osdx dnscrypt-proxy[173486]: [2025-05-19 14:52:24] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
May 19 14:52:24.178120 osdx dnscrypt-proxy[173486]: [2025-05-19 14:52:24] [NOTICE] Firefox workaround initialized
May 19 14:52:24.178143 osdx dnscrypt-proxy[173486]: [2025-05-19 14:52:24] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpyhdrhbuw]
May 19 14:52:24.305855 osdx dnscrypt-proxy[173486]: [2025-05-19 14:52:24] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 105ms
May 19 14:52:24.305855 osdx dnscrypt-proxy[173486]: [2025-05-19 14:52:24] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 105ms)
May 19 14:52:24.305855 osdx dnscrypt-proxy[173486]: [2025-05-19 14:52:24] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key 0M4kjZtUdCocVDacCIaCKtMz
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
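The source list in these scenarios is fetched over plain HTTP, so the minisign key is what authenticates it. The following is an added example, not part of the test suite or of OSDx: a structural pre-check of the three minisign-key values used on this page, based on the minisign public key layout (base64 of "Ed", an 8-byte key id and a 32-byte Ed25519 key). The function names and the PAGE_KEYS dictionary are hypothetical.

```python
import base64
import binascii

# minisign public key: base64( "Ed" || 8-byte key id || 32-byte Ed25519 key )
ALG = b"Ed"
KEY_ID_LEN = 8
ED25519_LEN = 32
EXPECTED_LEN = len(ALG) + KEY_ID_LEN + ED25519_LEN  # 42 bytes


def parse_minisign_pubkey(b64_key):
    """Return (key_id_hex, ed25519_key_bytes); raise ValueError if malformed."""
    try:
        raw = base64.b64decode(b64_key, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    if len(raw) != EXPECTED_LEN:
        raise ValueError(f"decoded to {len(raw)} bytes, expected {EXPECTED_LEN}")
    if raw[:2] != ALG:
        raise ValueError(f"unexpected algorithm tag {raw[:2]!r}")
    # Key id is returned as raw bytes in stored order, hex-encoded.
    return raw[2:2 + KEY_ID_LEN].hex(), raw[2 + KEY_ID_LEN:]


# minisign-key values copied from the scenarios on this page
# (hypothetical dictionary name; keys are the scenario titles).
PAGE_KEYS = {
    "Valid Source": "RWQEeJjmfUIxcQf+xjCLNOj6gsrYZ4K0UHZjJVRVNPNrrRvVZEA0tdeb",
    "Invalid Source": "0M4kjZtUdCocVDacCIaCKtMz",
    "Invalid Minisign Key": "InvalidMinisignKey==",
}


def audit(keys):
    """Map each scenario name to 'ok ...' or the reason its key is malformed."""
    report = {}
    for name, key in keys.items():
        try:
            key_id, _ = parse_minisign_pubkey(key)
            report[name] = f"ok (key id bytes {key_id})"
        except ValueError as exc:
            report[name] = f"malformed: {exc}"
    return report


if __name__ == "__main__":
    for name, verdict in audit(PAGE_KEYS).items():
        print(f"{name}: {verdict}")
```

This check is structural only: a well-formed key that does not belong to the signer of the list passes it and is caught only when the signature itself is verified.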