Source

Test suite to validate using one or multiple ciphers to protect DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWQEeJjmfUIxcQf+xjCLNOj6gsrYZ4K0UHZjJVRVNPNrrRvVZEA0tdeb
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expressions:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$

Output:

May 14 09:42:53.330290 osdx systemd-journald[1884]: Runtime Journal (/run/log/journal/0288f6065d6743618e90e784ba8b9df5) is 2.0M, max 15.3M, 13.2M free.
May 14 09:42:53.330727 osdx systemd-journald[1884]: Received client request to rotate journal, rotating.
May 14 09:42:53.330761 osdx systemd-journald[1884]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0288f6065d6743618e90e784ba8b9df5.
May 14 09:42:53.341379 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal clear'.
May 14 09:42:53.677589 osdx osdx-coredump[27678]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 14 09:42:53.685876 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system coredump delete all'.
May 14 09:42:54.253464 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu.
May 14 09:42:54.373452 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 14 09:42:54.431588 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 14 09:42:54.538881 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'.
May 14 09:42:54.605545 osdx ubnt-cfgd[27696]: inactive
May 14 09:42:54.629426 osdx INFO[27704]: FRR daemons did not change
May 14 09:42:54.736609 osdx cfgd[1681]: [2678]Completed change to active configuration
May 14 09:42:54.750387 osdx OSDxCLI[2678]: User 'admin' committed the configuration.
May 14 09:42:54.767774 osdx OSDxCLI[2678]: User 'admin' left the configuration menu.
May 14 09:42:54.946984 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 14 09:42:55.133077 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu.
May 14 09:42:55.230252 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 14 09:42:55.320296 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
May 14 09:42:55.378117 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQEeJjmfUIxcQf+xjCLNOj6gsrYZ4K0UHZjJVRVNPNrrRvVZEA0tdeb'.
May 14 09:42:55.477608 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
May 14 09:42:55.553273 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'.
May 14 09:42:55.650418 osdx ubnt-cfgd[27854]: inactive
May 14 09:42:55.678166 osdx INFO[27862]: FRR daemons did not change
May 14 09:42:55.697754 osdx ca-certificates[27878]: Updating certificates in /etc/ssl/certs...
May 14 09:42:56.196193 osdx ca-certificates[28881]: 1 added, 0 removed; done.
May 14 09:42:56.199385 osdx ca-certificates[28888]: Running hooks in /etc/ca-certificates/update.d...
May 14 09:42:56.202087 osdx ca-certificates[28890]: done.
May 14 09:42:56.266714 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 14 09:42:56.268028 osdx cfgd[1681]: [2678]Completed change to active configuration
May 14 09:42:56.271201 osdx OSDxCLI[2678]: User 'admin' committed the configuration.
May 14 09:42:56.288644 osdx OSDxCLI[2678]: User 'admin' left the configuration menu.
May 14 09:42:56.300232 osdx dnscrypt-proxy[28894]: [2025-05-14 09:42:56] [NOTICE] dnscrypt-proxy 2.0.45
May 14 09:42:56.300399 osdx dnscrypt-proxy[28894]: [2025-05-14 09:42:56] [NOTICE] Network connectivity detected
May 14 09:42:56.300490 osdx dnscrypt-proxy[28894]: [2025-05-14 09:42:56] [NOTICE] Dropping privileges
May 14 09:42:56.302980 osdx dnscrypt-proxy[28894]: [2025-05-14 09:42:56] [NOTICE] Network connectivity detected
May 14 09:42:56.303020 osdx dnscrypt-proxy[28894]: [2025-05-14 09:42:56] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
May 14 09:42:56.303020 osdx dnscrypt-proxy[28894]: [2025-05-14 09:42:56] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
May 14 09:42:56.334645 osdx dnscrypt-proxy[28894]: [2025-05-14 09:42:56] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-elmuhdqkl4qwd4de.tmp: permission denied
May 14 09:42:56.334763 osdx dnscrypt-proxy[28894]: [2025-05-14 09:42:56] [NOTICE] Source [RD] loaded
May 14 09:42:56.334856 osdx dnscrypt-proxy[28894]: [2025-05-14 09:42:56] [WARNING] Missing stamp for server [server-name`]
May 14 09:42:56.334916 osdx dnscrypt-proxy[28894]: [2025-05-14 09:42:56] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
May 14 09:42:56.334958 osdx dnscrypt-proxy[28894]: [2025-05-14 09:42:56] [NOTICE] Firefox workaround initialized
May 14 09:42:56.335002 osdx dnscrypt-proxy[28894]: [2025-05-14 09:42:56] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpia8_zm_i]
May 14 09:42:56.449089 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal show | cat'.
May 14 09:42:56.484772 osdx dnscrypt-proxy[28894]: [2025-05-14 09:42:56] [NOTICE] [rd-server] OK (DoH) - rtt: 123ms
May 14 09:42:56.484772 osdx dnscrypt-proxy[28894]: [2025-05-14 09:42:56] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 123ms)
May 14 09:42:56.484772 osdx dnscrypt-proxy[28894]: [2025-05-14 09:42:56] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWQEeJjmfUIxcQf+xjCLNOj6gsrYZ4K0UHZjJVRVNPNrrRvVZEA0tdeb
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expressions:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$

Output:

May 14 09:43:03.308108 osdx systemd-journald[1884]: Runtime Journal (/run/log/journal/0288f6065d6743618e90e784ba8b9df5) is 2.0M, max 15.3M, 13.3M free.
May 14 09:43:03.311919 osdx systemd-journald[1884]: Received client request to rotate journal, rotating.
May 14 09:43:03.311984 osdx systemd-journald[1884]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0288f6065d6743618e90e784ba8b9df5.
May 14 09:43:03.319804 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal clear'.
May 14 09:43:03.671946 osdx osdx-coredump[30546]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 14 09:43:03.681863 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system coredump delete all'.
May 14 09:43:04.180412 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu.
May 14 09:43:04.316836 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 14 09:43:04.400673 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 14 09:43:04.517153 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'.
May 14 09:43:04.610794 osdx ubnt-cfgd[30564]: inactive
May 14 09:43:04.635952 osdx INFO[30572]: FRR daemons did not change
May 14 09:43:04.733238 osdx cfgd[1681]: [2678]Completed change to active configuration
May 14 09:43:04.747883 osdx OSDxCLI[2678]: User 'admin' committed the configuration.
May 14 09:43:04.766659 osdx OSDxCLI[2678]: User 'admin' left the configuration menu.
May 14 09:43:04.939749 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 14 09:43:05.128034 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu.
May 14 09:43:05.190239 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 14 09:43:05.297983 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
May 14 09:43:05.357915 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQEeJjmfUIxcQf+xjCLNOj6gsrYZ4K0UHZjJVRVNPNrrRvVZEA0tdeb'.
May 14 09:43:05.464868 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
May 14 09:43:05.532877 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
May 14 09:43:05.723363 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'.
May 14 09:43:05.797484 osdx ubnt-cfgd[30723]: inactive
May 14 09:43:05.817353 osdx INFO[30731]: FRR daemons did not change
May 14 09:43:05.831179 osdx ca-certificates[30746]: Updating certificates in /etc/ssl/certs...
May 14 09:43:06.336853 osdx ca-certificates[31751]: 1 added, 0 removed; done.
May 14 09:43:06.339699 osdx ca-certificates[31757]: Running hooks in /etc/ca-certificates/update.d...
May 14 09:43:06.342436 osdx ca-certificates[31759]: done.
May 14 09:43:06.400262 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 14 09:43:06.401597 osdx cfgd[1681]: [2678]Completed change to active configuration
May 14 09:43:06.404505 osdx OSDxCLI[2678]: User 'admin' committed the configuration.
May 14 09:43:06.421537 osdx OSDxCLI[2678]: User 'admin' left the configuration menu.
May 14 09:43:06.424157 osdx dnscrypt-proxy[31763]: [2025-05-14 09:43:06] [NOTICE] dnscrypt-proxy 2.0.45
May 14 09:43:06.424336 osdx dnscrypt-proxy[31763]: [2025-05-14 09:43:06] [NOTICE] Network connectivity detected
May 14 09:43:06.424453 osdx dnscrypt-proxy[31763]: [2025-05-14 09:43:06] [NOTICE] Dropping privileges
May 14 09:43:06.426836 osdx dnscrypt-proxy[31763]: [2025-05-14 09:43:06] [NOTICE] Network connectivity detected
May 14 09:43:06.426916 osdx dnscrypt-proxy[31763]: [2025-05-14 09:43:06] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
May 14 09:43:06.426948 osdx dnscrypt-proxy[31763]: [2025-05-14 09:43:06] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
May 14 09:43:06.427887 osdx dnscrypt-proxy[31763]: [2025-05-14 09:43:06] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-owywi62ppinwpntm.tmp: permission denied
May 14 09:43:06.427887 osdx dnscrypt-proxy[31763]: [2025-05-14 09:43:06] [NOTICE] Source [RD] loaded
May 14 09:43:06.427971 osdx dnscrypt-proxy[31763]: [2025-05-14 09:43:06] [WARNING] Missing stamp for server [PRIVATE-server-name`]
May 14 09:43:06.427971 osdx dnscrypt-proxy[31763]: [2025-05-14 09:43:06] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
May 14 09:43:06.428004 osdx dnscrypt-proxy[31763]: [2025-05-14 09:43:06] [NOTICE] Firefox workaround initialized
May 14 09:43:06.428004 osdx dnscrypt-proxy[31763]: [2025-05-14 09:43:06] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp32q0ob9a]
May 14 09:43:06.587784 osdx dnscrypt-proxy[31763]: [2025-05-14 09:43:06] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 135ms
May 14 09:43:06.587784 osdx dnscrypt-proxy[31763]: [2025-05-14 09:43:06] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 135ms)
May 14 09:43:06.587784 osdx dnscrypt-proxy[31763]: [2025-05-14 09:43:06] [NOTICE] dnscrypt-proxy is ready - live servers: 1
May 14 09:43:06.595354 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal show | cat'.

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key SQv6soWbIlIB1wA9MXVhuJLK
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
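
An offline structural check of the three minisign-key values used in the scenarios above, as an added example (not part of the original test suite or of OSDx): a minisign public key is the base64 encoding of a 2-byte algorithm tag "Ed", an 8-byte key ID and a 32-byte Ed25519 public key. The function and dictionary names are hypothetical, and passing this check does not prove that the key signed the list fetched over plain HTTP; only the signature verification performed by the proxy establishes that.

```python
import base64
import binascii

# Key values copied from the scenarios on this page.
PAGE_KEYS = {
    "valid": "RWQEeJjmfUIxcQf+xjCLNOj6gsrYZ4K0UHZjJVRVNPNrrRvVZEA0tdeb",
    "invalid-source": "SQv6soWbIlIB1wA9MXVhuJLK",
    "invalid-key": "InvalidMinisignKey==",
}

ALGORITHM = b"Ed"        # minisign algorithm tag for Ed25519 signatures
KEY_ID_LEN = 8           # key identifier stored in front of the public key
PUBLIC_KEY_LEN = 32      # raw Ed25519 public key
TOTAL_LEN = len(ALGORITHM) + KEY_ID_LEN + PUBLIC_KEY_LEN  # 42 bytes


def check_minisign_public_key(text):
    """Return (ok, detail): detail is the stored key ID in hex, or the reason."""
    try:
        raw = base64.b64decode(text.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"not valid base64: {exc}"
    if len(raw) != TOTAL_LEN:
        return False, f"decoded length {len(raw)}, expected {TOTAL_LEN}"
    if raw[:len(ALGORITHM)] != ALGORITHM:
        return False, f"unexpected algorithm tag {raw[:len(ALGORITHM)]!r}"
    key_id = raw[len(ALGORITHM):len(ALGORITHM) + KEY_ID_LEN]
    return True, key_id.hex()


def audit_page_keys():
    """Map each scenario label to whether its key is structurally well formed."""
    return {name: check_minisign_public_key(key)[0]
            for name, key in PAGE_KEYS.items()}


if __name__ == "__main__":
    for name, key in PAGE_KEYS.items():
        ok, detail = check_minisign_public_key(key)
        print(f"{name:15} {'OK ' if ok else 'BAD'} {detail}")
```

Both failing scenarios use values that are rejected before any signature is examined, so they exercise malformed-key handling rather than a well-formed key that does not match the signer.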