Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWQmaR3fUrQXRs7Rhkc3B2HHY0bpognevEm4nzVzCey7UU9wzyoHb2Op
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Mar 21 16:28:11.552280 osdx systemd-journald[1986]: Runtime Journal (/run/log/journal/5b174a9dbeeb42728284be3b4e954aec) is 2.1M, max 15.3M, 13.2M free.
Mar 21 16:28:11.554987 osdx systemd-journald[1986]: Received client request to rotate journal, rotating.
Mar 21 16:28:11.555095 osdx systemd-journald[1986]: Vacuuming done, freed 0B of archived journals from /run/log/journal/5b174a9dbeeb42728284be3b4e954aec.
Mar 21 16:28:11.606405 osdx OSDxCLI[2248]: User 'admin' executed a new command: 'system journal clear'.
Mar 21 16:28:12.290133 osdx osdx-coredump[144068]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Mar 21 16:28:12.307369 osdx OSDxCLI[2248]: User 'admin' executed a new command: 'system coredump delete all'.
Mar 21 16:28:13.360977 osdx OSDxCLI[2248]: User 'admin' entered the configuration menu.
Mar 21 16:28:13.563475 osdx OSDxCLI[2248]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 21 16:28:13.669424 osdx OSDxCLI[2248]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 21 16:28:13.828015 osdx OSDxCLI[2248]: User 'admin' added a new cfg line: 'show working'.
Mar 21 16:28:13.976461 osdx ubnt-cfgd[144090]: inactive
Mar 21 16:28:14.106543 osdx INFO[144102]: FRR daemons did not change
Mar 21 16:28:14.286732 osdx cfgd[1672]: [2248]Completed change to active configuration
Mar 21 16:28:14.304445 osdx OSDxCLI[2248]: User 'admin' committed the configuration.
Mar 21 16:28:14.361537 osdx OSDxCLI[2248]: User 'admin' left the configuration menu.
Mar 21 16:28:14.603976 osdx OSDxCLI[2248]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Mar 21 16:28:14.861449 osdx OSDxCLI[2248]: User 'admin' entered the configuration menu.
Mar 21 16:28:14.998775 osdx OSDxCLI[2248]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 21 16:28:15.189473 osdx OSDxCLI[2248]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Mar 21 16:28:15.340074 osdx OSDxCLI[2248]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQmaR3fUrQXRs7Rhkc3B2HHY0bpognevEm4nzVzCey7UU9wzyoHb2Op'.
Mar 21 16:28:15.502026 osdx OSDxCLI[2248]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Mar 21 16:28:15.673712 osdx OSDxCLI[2248]: User 'admin' added a new cfg line: 'show working'.
Mar 21 16:28:15.835513 osdx ubnt-cfgd[144256]: inactive
Mar 21 16:28:16.011969 osdx INFO[144268]: FRR daemons did not change
Mar 21 16:28:16.054592 osdx ca-certificates[144284]: Updating certificates in /etc/ssl/certs...
Mar 21 16:28:17.301568 osdx ca-certificates[145287]: 1 added, 0 removed; done.
Mar 21 16:28:17.309294 osdx ca-certificates[145291]: Running hooks in /etc/ca-certificates/update.d...
Mar 21 16:28:17.322468 osdx ca-certificates[145295]: done.
Mar 21 16:28:17.446225 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 21 16:28:17.453102 osdx cfgd[1672]: [2248]Completed change to active configuration
Mar 21 16:28:17.457759 osdx OSDxCLI[2248]: User 'admin' committed the configuration.
Mar 21 16:28:17.497243 osdx dnscrypt-proxy[145300]: [2025-03-21 16:28:17] [NOTICE] dnscrypt-proxy 2.0.45
Mar 21 16:28:17.497243 osdx dnscrypt-proxy[145300]: [2025-03-21 16:28:17] [NOTICE] Network connectivity detected
Mar 21 16:28:17.498459 osdx dnscrypt-proxy[145300]: [2025-03-21 16:28:17] [NOTICE] Dropping privileges
Mar 21 16:28:17.518223 osdx dnscrypt-proxy[145300]: [2025-03-21 16:28:17] [NOTICE] Network connectivity detected
Mar 21 16:28:17.518327 osdx dnscrypt-proxy[145300]: [2025-03-21 16:28:17] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Mar 21 16:28:17.518327 osdx dnscrypt-proxy[145300]: [2025-03-21 16:28:17] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Mar 21 16:28:17.521223 osdx dnscrypt-proxy[145300]: [2025-03-21 16:28:17] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-ktgldl3p6isfp6vo.tmp: permission denied
Mar 21 16:28:17.521416 osdx dnscrypt-proxy[145300]: [2025-03-21 16:28:17] [NOTICE] Source [RD] loaded
Mar 21 16:28:17.521528 osdx dnscrypt-proxy[145300]: [2025-03-21 16:28:17] [WARNING] Missing stamp for server [server-name`]
Mar 21 16:28:17.521620 osdx dnscrypt-proxy[145300]: [2025-03-21 16:28:17] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Mar 21 16:28:17.521733 osdx dnscrypt-proxy[145300]: [2025-03-21 16:28:17] [NOTICE] Firefox workaround initialized
Mar 21 16:28:17.521796 osdx dnscrypt-proxy[145300]: [2025-03-21 16:28:17] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpztn5f0po]
Mar 21 16:28:17.555725 osdx OSDxCLI[2248]: User 'admin' left the configuration menu.
Mar 21 16:28:17.655635 osdx dnscrypt-proxy[145300]: [2025-03-21 16:28:17] [NOTICE] [rd-server] OK (DoH) - rtt: 51ms
Mar 21 16:28:17.655635 osdx dnscrypt-proxy[145300]: [2025-03-21 16:28:17] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 51ms)
Mar 21 16:28:17.655635 osdx dnscrypt-proxy[145300]: [2025-03-21 16:28:17] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWQmaR3fUrQXRs7Rhkc3B2HHY0bpognevEm4nzVzCey7UU9wzyoHb2Op
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Mar 21 16:28:26.486982 osdx systemd-journald[1986]: Runtime Journal (/run/log/journal/5b174a9dbeeb42728284be3b4e954aec) is 3.9M, max 15.3M, 11.4M free.
Mar 21 16:28:26.491452 osdx systemd-journald[1986]: Received client request to rotate journal, rotating.
Mar 21 16:28:26.491520 osdx systemd-journald[1986]: Vacuuming done, freed 0B of archived journals from /run/log/journal/5b174a9dbeeb42728284be3b4e954aec.
Mar 21 16:28:26.520214 osdx OSDxCLI[2248]: User 'admin' executed a new command: 'system journal clear'.
Mar 21 16:28:27.229549 osdx osdx-coredump[146956]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Mar 21 16:28:27.245370 osdx OSDxCLI[2248]: User 'admin' executed a new command: 'system coredump delete all'.
Mar 21 16:28:28.138701 osdx OSDxCLI[2248]: User 'admin' entered the configuration menu.
Mar 21 16:28:28.334547 osdx OSDxCLI[2248]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 21 16:28:28.451128 osdx OSDxCLI[2248]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 21 16:28:28.621003 osdx OSDxCLI[2248]: User 'admin' added a new cfg line: 'show working'.
Mar 21 16:28:28.764327 osdx ubnt-cfgd[146978]: inactive
Mar 21 16:28:28.939839 osdx INFO[146990]: FRR daemons did not change
Mar 21 16:28:29.172545 osdx cfgd[1672]: [2248]Completed change to active configuration
Mar 21 16:28:29.191913 osdx OSDxCLI[2248]: User 'admin' committed the configuration.
Mar 21 16:28:29.268950 osdx OSDxCLI[2248]: User 'admin' left the configuration menu.
Mar 21 16:28:29.518738 osdx OSDxCLI[2248]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Mar 21 16:28:29.896206 osdx OSDxCLI[2248]: User 'admin' entered the configuration menu.
Mar 21 16:28:30.043004 osdx OSDxCLI[2248]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 21 16:28:30.242204 osdx OSDxCLI[2248]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Mar 21 16:28:30.382753 osdx OSDxCLI[2248]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQmaR3fUrQXRs7Rhkc3B2HHY0bpognevEm4nzVzCey7UU9wzyoHb2Op'.
Mar 21 16:28:30.517532 osdx OSDxCLI[2248]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Mar 21 16:28:30.620900 osdx OSDxCLI[2248]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Mar 21 16:28:30.795223 osdx OSDxCLI[2248]: User 'admin' added a new cfg line: 'show working'.
Mar 21 16:28:30.959003 osdx ubnt-cfgd[147145]: inactive
Mar 21 16:28:31.085238 osdx INFO[147157]: FRR daemons did not change
Mar 21 16:28:31.109959 osdx ca-certificates[147172]: Updating certificates in /etc/ssl/certs...
Mar 21 16:28:32.323355 osdx ca-certificates[148176]: 1 added, 0 removed; done.
Mar 21 16:28:32.329680 osdx ca-certificates[148183]: Running hooks in /etc/ca-certificates/update.d...
Mar 21 16:28:32.335204 osdx ca-certificates[148185]: done.
Mar 21 16:28:32.440686 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 21 16:28:32.443102 osdx cfgd[1672]: [2248]Completed change to active configuration
Mar 21 16:28:32.448033 osdx OSDxCLI[2248]: User 'admin' committed the configuration.
Mar 21 16:28:32.478648 osdx dnscrypt-proxy[148189]: [2025-03-21 16:28:32] [NOTICE] dnscrypt-proxy 2.0.45
Mar 21 16:28:32.478648 osdx dnscrypt-proxy[148189]: [2025-03-21 16:28:32] [NOTICE] Network connectivity detected
Mar 21 16:28:32.478648 osdx dnscrypt-proxy[148189]: [2025-03-21 16:28:32] [NOTICE] Dropping privileges
Mar 21 16:28:32.499542 osdx dnscrypt-proxy[148189]: [2025-03-21 16:28:32] [NOTICE] Network connectivity detected
Mar 21 16:28:32.499649 osdx dnscrypt-proxy[148189]: [2025-03-21 16:28:32] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Mar 21 16:28:32.499649 osdx dnscrypt-proxy[148189]: [2025-03-21 16:28:32] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Mar 21 16:28:32.500960 osdx OSDxCLI[2248]: User 'admin' left the configuration menu.
Mar 21 16:28:32.501415 osdx dnscrypt-proxy[148189]: [2025-03-21 16:28:32] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-fo6rlbkfdprzjloc.tmp: permission denied
Mar 21 16:28:32.501415 osdx dnscrypt-proxy[148189]: [2025-03-21 16:28:32] [NOTICE] Source [RD] loaded
Mar 21 16:28:32.501481 osdx dnscrypt-proxy[148189]: [2025-03-21 16:28:32] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Mar 21 16:28:32.501481 osdx dnscrypt-proxy[148189]: [2025-03-21 16:28:32] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Mar 21 16:28:32.501549 osdx dnscrypt-proxy[148189]: [2025-03-21 16:28:32] [NOTICE] Firefox workaround initialized
Mar 21 16:28:32.501549 osdx dnscrypt-proxy[148189]: [2025-03-21 16:28:32] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpipo_navi]
Mar 21 16:28:32.636030 osdx dnscrypt-proxy[148189]: [2025-03-21 16:28:32] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 73ms
Mar 21 16:28:32.636030 osdx dnscrypt-proxy[148189]: [2025-03-21 16:28:32] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 73ms)
Mar 21 16:28:32.636206 osdx dnscrypt-proxy[148189]: [2025-03-21 16:28:32] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key Ke738DRrrd7h6pUhzc3aoKVe
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
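An added example (not part of the original test suite, nor OSDx or dnscrypt-proxy code): a structural check of the three minisign-key values used in the scenarios above, assuming the standard minisign public-key layout of base64 over a 2-byte `Ed` tag, an 8-byte key id and a 32-byte Ed25519 key. The name `check_minisign_key` is hypothetical.

```python
import base64
import binascii
from dataclasses import dataclass

# Minisign public key, once base64-decoded (42 bytes total):
#   bytes 0..1   signature algorithm tag, b"Ed" (Ed25519)
#   bytes 2..9   key id (stored little-endian)
#   bytes 10..41 Ed25519 public key
KEY_LEN = 42


@dataclass
class KeyCheck:
    ok: bool
    reason: str
    key_id: str = ""


def check_minisign_key(encoded: str) -> KeyCheck:
    """Structural validation only; it does not verify any signature."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as exc:
        return KeyCheck(False, f"not valid base64: {exc}")
    if len(raw) != KEY_LEN:
        return KeyCheck(False, f"decoded length {len(raw)}, expected {KEY_LEN}")
    if raw[:2] != b"Ed":
        return KeyCheck(False, f"unexpected algorithm tag {raw[:2]!r}")
    # minisign displays the key id as big-endian hex, so reverse the bytes
    return KeyCheck(True, "well-formed Ed25519 minisign key", raw[2:10][::-1].hex().upper())


# The three minisign-key values that appear in the scenarios on this page.
PAGE_KEYS = {
    "Valid Source": "RWQmaR3fUrQXRs7Rhkc3B2HHY0bpognevEm4nzVzCey7UU9wzyoHb2Op",
    "Invalid Source": "Ke738DRrrd7h6pUhzc3aoKVe",
    "Invalid Minisign Key": "InvalidMinisignKey==",
}

if __name__ == "__main__":
    for scenario, key in PAGE_KEYS.items():
        result = check_minisign_key(key)
        print(f"{scenario}: ok={result.ok} ({result.reason}) key_id={result.key_id}")
```

Both rejected keys on this page fail at this structural stage; passing it says nothing about whether the key matches the signer of the resolver list, which only signature verification can establish.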