Source

Test suite to validate using one or multiple ciphers to protect DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWTt7DYU0ZgUAcoieyMSSPMOLL1TJYZDnDtWxZ0qvDG+ekYo570V8bs9
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' at DUT0 and check that the output matches the following regular expression:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Apr 10 20:12:18.380001 osdx systemd-journald[55338]: Runtime Journal (/run/log/journal/5c505a9749274d37b6c4605b7d8c5dbf) is 2.0M, max 15.3M, 13.2M free.
Apr 10 20:12:18.380987 osdx systemd-journald[55338]: Received client request to rotate journal, rotating.
Apr 10 20:12:18.381044 osdx systemd-journald[55338]: Vacuuming done, freed 0B of archived journals from /run/log/journal/5c505a9749274d37b6c4605b7d8c5dbf.
Apr 10 20:12:18.391538 osdx OSDxCLI[284355]: User 'admin' executed a new command: 'system journal clear'.
Apr 10 20:12:18.758327 osdx osdx-coredump[362772]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Apr 10 20:12:18.768571 osdx OSDxCLI[284355]: User 'admin' executed a new command: 'system coredump delete all'.
Apr 10 20:12:19.296533 osdx OSDxCLI[284355]: User 'admin' entered the configuration menu.
Apr 10 20:12:19.437010 osdx OSDxCLI[284355]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Apr 10 20:12:19.517343 osdx OSDxCLI[284355]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 10 20:12:19.631007 osdx OSDxCLI[284355]: User 'admin' added a new cfg line: 'show working'.
Apr 10 20:12:19.706066 osdx ubnt-cfgd[362790]: inactive
Apr 10 20:12:19.744684 osdx INFO[362798]: FRR daemons did not change
Apr 10 20:12:19.765002 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Apr 10 20:12:19.849679 osdx cfgd[1682]: [284355]Completed change to active configuration
Apr 10 20:12:19.864056 osdx OSDxCLI[284355]: User 'admin' committed the configuration.
Apr 10 20:12:19.890300 osdx OSDxCLI[284355]: User 'admin' left the configuration menu.
Apr 10 20:12:20.073721 osdx OSDxCLI[284355]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Apr 10 20:12:20.275866 osdx OSDxCLI[284355]: User 'admin' entered the configuration menu.
Apr 10 20:12:20.340899 osdx OSDxCLI[284355]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Apr 10 20:12:20.464340 osdx OSDxCLI[284355]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Apr 10 20:12:20.537001 osdx OSDxCLI[284355]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWTt7DYU0ZgUAcoieyMSSPMOLL1TJYZDnDtWxZ0qvDG+ekYo570V8bs9'.
Apr 10 20:12:20.633738 osdx OSDxCLI[284355]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Apr 10 20:12:20.728230 osdx OSDxCLI[284355]: User 'admin' added a new cfg line: 'show working'.
Apr 10 20:12:20.841217 osdx ubnt-cfgd[362948]: inactive
Apr 10 20:12:20.903016 osdx INFO[362956]: FRR daemons did not change
Apr 10 20:12:20.919425 osdx ca-certificates[362972]: Updating certificates in /etc/ssl/certs...
Apr 10 20:12:21.439479 osdx ca-certificates[363976]: 1 added, 0 removed; done.
Apr 10 20:12:21.442422 osdx ca-certificates[363982]: Running hooks in /etc/ca-certificates/update.d...
Apr 10 20:12:21.445057 osdx ca-certificates[363984]: done.
Apr 10 20:12:21.505330 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Apr 10 20:12:21.506975 osdx cfgd[1682]: [284355]Completed change to active configuration
Apr 10 20:12:21.510820 osdx OSDxCLI[284355]: User 'admin' committed the configuration.
Apr 10 20:12:21.532496 osdx dnscrypt-proxy[363988]: [2025-04-10 20:12:21] [NOTICE] dnscrypt-proxy 2.0.45
Apr 10 20:12:21.532755 osdx dnscrypt-proxy[363988]: [2025-04-10 20:12:21] [NOTICE] Network connectivity detected
Apr 10 20:12:21.532984 osdx dnscrypt-proxy[363988]: [2025-04-10 20:12:21] [NOTICE] Dropping privileges
Apr 10 20:12:21.535105 osdx dnscrypt-proxy[363988]: [2025-04-10 20:12:21] [NOTICE] Network connectivity detected
Apr 10 20:12:21.535148 osdx dnscrypt-proxy[363988]: [2025-04-10 20:12:21] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Apr 10 20:12:21.535148 osdx dnscrypt-proxy[363988]: [2025-04-10 20:12:21] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Apr 10 20:12:21.536298 osdx dnscrypt-proxy[363988]: [2025-04-10 20:12:21] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-32bs7ub4fyigoaif.tmp: permission denied
Apr 10 20:12:21.536298 osdx dnscrypt-proxy[363988]: [2025-04-10 20:12:21] [NOTICE] Source [RD] loaded
Apr 10 20:12:21.536351 osdx dnscrypt-proxy[363988]: [2025-04-10 20:12:21] [WARNING] Missing stamp for server [server-name`]
Apr 10 20:12:21.536351 osdx dnscrypt-proxy[363988]: [2025-04-10 20:12:21] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Apr 10 20:12:21.536351 osdx dnscrypt-proxy[363988]: [2025-04-10 20:12:21] [NOTICE] Firefox workaround initialized
Apr 10 20:12:21.536351 osdx dnscrypt-proxy[363988]: [2025-04-10 20:12:21] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpu3uwn148]
Apr 10 20:12:21.538730 osdx OSDxCLI[284355]: User 'admin' left the configuration menu.
Apr 10 20:12:21.631504 osdx dnscrypt-proxy[363988]: [2025-04-10 20:12:21] [NOTICE] [rd-server] OK (DoH) - rtt: 72ms
Apr 10 20:12:21.631504 osdx dnscrypt-proxy[363988]: [2025-04-10 20:12:21] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 72ms)
Apr 10 20:12:21.631504 osdx dnscrypt-proxy[363988]: [2025-04-10 20:12:21] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWTt7DYU0ZgUAcoieyMSSPMOLL1TJYZDnDtWxZ0qvDG+ekYo570V8bs9
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' at DUT0 and check that the output matches the following regular expression:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Apr 10 20:12:27.328562 osdx systemd-journald[55338]: Runtime Journal (/run/log/journal/5c505a9749274d37b6c4605b7d8c5dbf) is 2.0M, max 15.3M, 13.3M free.
Apr 10 20:12:27.332477 osdx systemd-journald[55338]: Received client request to rotate journal, rotating.
Apr 10 20:12:27.332531 osdx systemd-journald[55338]: Vacuuming done, freed 0B of archived journals from /run/log/journal/5c505a9749274d37b6c4605b7d8c5dbf.
Apr 10 20:12:27.338398 osdx OSDxCLI[284355]: User 'admin' executed a new command: 'system journal clear'.
Apr 10 20:12:27.707134 osdx osdx-coredump[365632]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Apr 10 20:12:27.717271 osdx OSDxCLI[284355]: User 'admin' executed a new command: 'system coredump delete all'.
Apr 10 20:12:28.217164 osdx OSDxCLI[284355]: User 'admin' entered the configuration menu.
Apr 10 20:12:28.352185 osdx OSDxCLI[284355]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Apr 10 20:12:28.407556 osdx OSDxCLI[284355]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 10 20:12:28.539110 osdx OSDxCLI[284355]: User 'admin' added a new cfg line: 'show working'.
Apr 10 20:12:28.606184 osdx ubnt-cfgd[365650]: inactive
Apr 10 20:12:28.643457 osdx INFO[365658]: FRR daemons did not change
Apr 10 20:12:28.664485 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Apr 10 20:12:28.746690 osdx cfgd[1682]: [284355]Completed change to active configuration
Apr 10 20:12:28.760845 osdx OSDxCLI[284355]: User 'admin' committed the configuration.
Apr 10 20:12:28.799171 osdx OSDxCLI[284355]: User 'admin' left the configuration menu.
Apr 10 20:12:28.972132 osdx OSDxCLI[284355]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Apr 10 20:12:29.123670 osdx OSDxCLI[284355]: User 'admin' entered the configuration menu.
Apr 10 20:12:29.209147 osdx OSDxCLI[284355]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Apr 10 20:12:29.336965 osdx OSDxCLI[284355]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Apr 10 20:12:29.412349 osdx OSDxCLI[284355]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWTt7DYU0ZgUAcoieyMSSPMOLL1TJYZDnDtWxZ0qvDG+ekYo570V8bs9'.
Apr 10 20:12:29.508009 osdx OSDxCLI[284355]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Apr 10 20:12:29.586997 osdx OSDxCLI[284355]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Apr 10 20:12:29.701876 osdx OSDxCLI[284355]: User 'admin' added a new cfg line: 'show working'.
Apr 10 20:12:29.773362 osdx ubnt-cfgd[365809]: inactive
Apr 10 20:12:29.806069 osdx INFO[365817]: FRR daemons did not change
Apr 10 20:12:29.820648 osdx ca-certificates[365833]: Updating certificates in /etc/ssl/certs...
Apr 10 20:12:30.368048 osdx ca-certificates[366836]: 1 added, 0 removed; done.
Apr 10 20:12:30.371030 osdx ca-certificates[366843]: Running hooks in /etc/ca-certificates/update.d...
Apr 10 20:12:30.374873 osdx ca-certificates[366845]: done.
Apr 10 20:12:30.445042 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Apr 10 20:12:30.446674 osdx cfgd[1682]: [284355]Completed change to active configuration
Apr 10 20:12:30.449633 osdx OSDxCLI[284355]: User 'admin' committed the configuration.
Apr 10 20:12:30.467792 osdx OSDxCLI[284355]: User 'admin' left the configuration menu.
Apr 10 20:12:30.473703 osdx dnscrypt-proxy[366849]: [2025-04-10 20:12:30] [NOTICE] dnscrypt-proxy 2.0.45
Apr 10 20:12:30.473914 osdx dnscrypt-proxy[366849]: [2025-04-10 20:12:30] [NOTICE] Network connectivity detected
Apr 10 20:12:30.474043 osdx dnscrypt-proxy[366849]: [2025-04-10 20:12:30] [NOTICE] Dropping privileges
Apr 10 20:12:30.476399 osdx dnscrypt-proxy[366849]: [2025-04-10 20:12:30] [NOTICE] Network connectivity detected
Apr 10 20:12:30.476479 osdx dnscrypt-proxy[366849]: [2025-04-10 20:12:30] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Apr 10 20:12:30.476479 osdx dnscrypt-proxy[366849]: [2025-04-10 20:12:30] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Apr 10 20:12:30.477602 osdx dnscrypt-proxy[366849]: [2025-04-10 20:12:30] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-lmun43c6gjowwf5w.tmp: permission denied
Apr 10 20:12:30.477602 osdx dnscrypt-proxy[366849]: [2025-04-10 20:12:30] [NOTICE] Source [RD] loaded
Apr 10 20:12:30.477663 osdx dnscrypt-proxy[366849]: [2025-04-10 20:12:30] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Apr 10 20:12:30.477663 osdx dnscrypt-proxy[366849]: [2025-04-10 20:12:30] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Apr 10 20:12:30.477663 osdx dnscrypt-proxy[366849]: [2025-04-10 20:12:30] [NOTICE] Firefox workaround initialized
Apr 10 20:12:30.477663 osdx dnscrypt-proxy[366849]: [2025-04-10 20:12:30] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp84e7d8w3]
Apr 10 20:12:30.568943 osdx dnscrypt-proxy[366849]: [2025-04-10 20:12:30] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 69ms
Apr 10 20:12:30.568943 osdx dnscrypt-proxy[366849]: [2025-04-10 20:12:30] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 69ms)
Apr 10 20:12:30.568943 osdx dnscrypt-proxy[366849]: [2025-04-10 20:12:30] [NOTICE] dnscrypt-proxy is ready - live servers: 1
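
The Step 2 check in both valid-source scenarios only looks for the "OK (DoH)" line, while the same journal also carries WARNING lines. The following added example (not part of the test suite; the function names are illustrative) parses the dnscrypt-proxy lines, confirms that the exact server name came up over the expected protocol, and returns the warnings for review.

```python
import re

# Lines copied from the "Valid Source With Prefix" journal output above.
JOURNAL = """\
Apr 10 20:12:30.477602 osdx dnscrypt-proxy[366849]: [2025-04-10 20:12:30] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-lmun43c6gjowwf5w.tmp: permission denied
Apr 10 20:12:30.477602 osdx dnscrypt-proxy[366849]: [2025-04-10 20:12:30] [NOTICE] Source [RD] loaded
Apr 10 20:12:30.477663 osdx dnscrypt-proxy[366849]: [2025-04-10 20:12:30] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Apr 10 20:12:30.568943 osdx dnscrypt-proxy[366849]: [2025-04-10 20:12:30] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 69ms
Apr 10 20:12:30.568943 osdx dnscrypt-proxy[366849]: [2025-04-10 20:12:30] [NOTICE] dnscrypt-proxy is ready - live servers: 1
"""

# Syslog prefix, then dnscrypt-proxy's own "[timestamp] [LEVEL] message".
LINE = re.compile(r"dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
OK = re.compile(r"^\[(?P<server>[^\]]+)\] OK \((?P<proto>[^)]+)\) - rtt: (?P<rtt>\d+)ms$")
LOADED = re.compile(r"^Source \[(?P<source>[^\]]+)\] loaded$")
LIVE = re.compile(r"live servers: (?P<n>\d+)$")


def summarize(journal):
    """Collect resolver status, loaded sources and warnings from journal text."""
    out = {"ok": {}, "sources": [], "warnings": [], "live": None}
    for line in journal.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a dnscrypt-proxy line
        msg = m["msg"]
        if m["level"] == "WARNING":
            out["warnings"].append(msg)
        elif (ok := OK.match(msg)):
            out["ok"][ok["server"]] = (ok["proto"], int(ok["rtt"]))
        elif (src := LOADED.match(msg)):
            out["sources"].append(src["source"])
        elif (live := LIVE.search(msg)):
            out["live"] = int(live["n"])
    return out


def check(journal, server_name, proto="DoH"):
    """Pass only if server_name is OK over proto and at least one server is
    live; warnings are returned alongside the verdict instead of being ignored."""
    s = summarize(journal)
    passed = s["ok"].get(server_name, (None,))[0] == proto and (s["live"] or 0) >= 1
    return passed, s["warnings"]
```

With the prefix configured, only the prefixed name passes: `check(JOURNAL, "rd-server")` fails on this journal.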

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key p41e7Vdi4Pa5l7JP7Ylxb2An
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
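
The keys used in the two failing scenarios can be told apart from the valid one before any signature is checked, because a minisign public key has a fixed layout once base64-decoded. The following added example (not part of the test suite; the function names are illustrative) applies that structural check to the three keys on this page. Passing it only means the key is well-formed, not that it signed the resolver list.

```python
import base64
import binascii

# minisign public key layout after base64 decoding:
#   2-byte algorithm id "Ed" | 8-byte key id | 32-byte Ed25519 public key
ALG = b"Ed"
KEY_ID_LEN = 8
PUBKEY_LEN = 32
TOTAL = len(ALG) + KEY_ID_LEN + PUBKEY_LEN  # 42 bytes, 56 base64 characters

# The three minisign-key values configured in the scenarios on this page.
PAGE_KEYS = {
    "valid": "RWTt7DYU0ZgUAcoieyMSSPMOLL1TJYZDnDtWxZ0qvDG+ekYo570V8bs9",
    "invalid-source": "p41e7Vdi4Pa5l7JP7Ylxb2An",
    "invalid-key": "InvalidMinisignKey==",
}


def parse_minisign_pubkey(text):
    """Return (key_id, pubkey) as bytes, or raise ValueError with the reason."""
    try:
        raw = base64.b64decode(text.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    if len(raw) != TOTAL:
        raise ValueError(f"decoded length {len(raw)}, expected {TOTAL}")
    if raw[:len(ALG)] != ALG:
        raise ValueError(f"algorithm id {raw[:len(ALG)]!r}, expected {ALG!r}")
    return raw[len(ALG):len(ALG) + KEY_ID_LEN], raw[len(ALG) + KEY_ID_LEN:]


def lint(keys):
    """Map each configured key name to 'ok' or the reason it is malformed."""
    report = {}
    for name, text in keys.items():
        try:
            parse_minisign_pubkey(text)
            report[name] = "ok"
        except ValueError as exc:
            report[name] = str(exc)
    return report
```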