Source
Test suite to validate using one or multiple ciphers to protect the DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWQEeJjmfUIxcQf+xjCLNOj6gsrYZ4K0UHZjJVRVNPNrrRvVZEA0tdeb
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
May 13 16:17:35.328296 osdx systemd-journald[27261]: Runtime Journal (/run/log/journal/29acf74054db4c3a94b562797c4c13a9) is 2.0M, max 15.3M, 13.2M free.
May 13 16:17:35.329673 osdx systemd-journald[27261]: Received client request to rotate journal, rotating.
May 13 16:17:35.329728 osdx systemd-journald[27261]: Vacuuming done, freed 0B of archived journals from /run/log/journal/29acf74054db4c3a94b562797c4c13a9.
May 13 16:17:35.338446 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'system journal clear'.
May 13 16:17:35.692409 osdx osdx-coredump[31464]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 13 16:17:35.702943 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'system coredump delete all'.
May 13 16:17:36.224089 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu.
May 13 16:17:36.301153 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 13 16:17:36.399719 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 13 16:17:36.516766 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'.
May 13 16:17:36.624083 osdx ubnt-cfgd[31482]: inactive
May 13 16:17:36.649342 osdx INFO[31490]: FRR daemons did not change
May 13 16:17:36.671759 osdx zebra[1400]: [HSYZM-HV7HF] Extended Error: Nexthop has invalid gateway
May 13 16:17:36.671770 osdx zebra[1400]: [WVJCK-PPMGD][EC 4043309093] netlink-dp (NS 0) error: Network is unreachable, type=RTM_NEWNEXTHOP(104), seq=1029, pid=3387930639
May 13 16:17:36.671775 osdx zebra[1400]: [HSYZM-HV7HF] Extended Error: Nexthop has invalid gateway
May 13 16:17:36.671779 osdx zebra[1400]: [WVJCK-PPMGD][EC 4043309093] netlink-dp (NS 0) error: Network is unreachable, type=RTM_NEWNEXTHOP(104), seq=1030, pid=3387930639
May 13 16:17:36.672137 osdx zebra[1400]: [X5XE1-RS0SW][EC 4043309074] Failed to install Nexthop (197[10.215.200.100 if 2 vrfid 0]) into the kernel
May 13 16:17:36.672143 osdx zebra[1400]: [X5XE1-RS0SW][EC 4043309074] Failed to install Nexthop (198[10.215.200.200 if 2 vrfid 0]) into the kernel
May 13 16:17:36.754712 osdx cfgd[1470]: [30995]Completed change to active configuration
May 13 16:17:36.767861 osdx OSDxCLI[30995]: User 'admin' committed the configuration.
May 13 16:17:36.788677 osdx OSDxCLI[30995]: User 'admin' left the configuration menu.
May 13 16:17:36.935469 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 13 16:17:37.080622 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu.
May 13 16:17:37.152410 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 13 16:17:37.255449 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
May 13 16:17:37.312680 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQEeJjmfUIxcQf+xjCLNOj6gsrYZ4K0UHZjJVRVNPNrrRvVZEA0tdeb'.
May 13 16:17:37.409689 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
May 13 16:17:37.484195 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'.
May 13 16:17:37.579937 osdx ubnt-cfgd[31640]: inactive
May 13 16:17:37.603264 osdx INFO[31648]: FRR daemons did not change
May 13 16:17:37.631597 osdx ca-certificates[31664]: Updating certificates in /etc/ssl/certs...
May 13 16:17:38.177298 osdx ca-certificates[32666]: 1 added, 0 removed; done.
May 13 16:17:38.180436 osdx ca-certificates[32674]: Running hooks in /etc/ca-certificates/update.d...
May 13 16:17:38.183594 osdx ca-certificates[32676]: done.
May 13 16:17:38.262476 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 13 16:17:38.263305 osdx systemd[1]: Reached target nss-lookup.target - Host and Network Name Lookups.
May 13 16:17:38.265244 osdx cfgd[1470]: [30995]Completed change to active configuration
May 13 16:17:38.269212 osdx OSDxCLI[30995]: User 'admin' committed the configuration.
May 13 16:17:38.286987 osdx OSDxCLI[30995]: User 'admin' left the configuration menu.
May 13 16:17:38.440134 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'system journal show | cat'.
May 13 16:17:38.481959 osdx dnscrypt-proxy[32680]: [2025-05-13 16:17:38] [NOTICE] dnscrypt-proxy 2.0.45
May 13 16:17:38.482186 osdx dnscrypt-proxy[32680]: [2025-05-13 16:17:38] [NOTICE] Network connectivity detected
May 13 16:17:38.482235 osdx dnscrypt-proxy[32680]: [2025-05-13 16:17:38] [NOTICE] Dropping privileges
May 13 16:17:38.484659 osdx dnscrypt-proxy[32680]: [2025-05-13 16:17:38] [NOTICE] Network connectivity detected
May 13 16:17:38.484710 osdx dnscrypt-proxy[32680]: [2025-05-13 16:17:38] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
May 13 16:17:38.484710 osdx dnscrypt-proxy[32680]: [2025-05-13 16:17:38] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
May 13 16:17:38.494072 osdx dnscrypt-proxy[32680]: [2025-05-13 16:17:38] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-stlf6cjiwa6rin6k.tmp: permission denied
May 13 16:17:38.494072 osdx dnscrypt-proxy[32680]: [2025-05-13 16:17:38] [NOTICE] Source [RD] loaded
May 13 16:17:38.494072 osdx dnscrypt-proxy[32680]: [2025-05-13 16:17:38] [WARNING] Missing stamp for server [server-name`]
May 13 16:17:38.494072 osdx dnscrypt-proxy[32680]: [2025-05-13 16:17:38] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
May 13 16:17:38.494072 osdx dnscrypt-proxy[32680]: [2025-05-13 16:17:38] [NOTICE] Firefox workaround initialized
May 13 16:17:38.494072 osdx dnscrypt-proxy[32680]: [2025-05-13 16:17:38] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpn6g1n24n]
May 13 16:17:39.673834 osdx dnscrypt-proxy[32680]: [2025-05-13 16:17:39] [NOTICE] [rd-server] OK (DoH) - rtt: 110ms
May 13 16:17:39.673834 osdx dnscrypt-proxy[32680]: [2025-05-13 16:17:39] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 110ms)
May 13 16:17:39.673834 osdx dnscrypt-proxy[32680]: [2025-05-13 16:17:39] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWQEeJjmfUIxcQf+xjCLNOj6gsrYZ4K0UHZjJVRVNPNrrRvVZEA0tdeb
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
May 13 16:17:45.304096 osdx systemd-journald[27261]: Runtime Journal (/run/log/journal/29acf74054db4c3a94b562797c4c13a9) is 2.0M, max 15.3M, 13.3M free.
May 13 16:17:45.304830 osdx systemd-journald[27261]: Received client request to rotate journal, rotating.
May 13 16:17:45.304881 osdx systemd-journald[27261]: Vacuuming done, freed 0B of archived journals from /run/log/journal/29acf74054db4c3a94b562797c4c13a9.
May 13 16:17:45.314981 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'system journal clear'.
May 13 16:17:45.632163 osdx osdx-coredump[34331]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 13 16:17:45.639514 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'system coredump delete all'.
May 13 16:17:46.142781 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu.
May 13 16:17:46.279916 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 13 16:17:46.340169 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 13 16:17:46.468448 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'.
May 13 16:17:46.528107 osdx ubnt-cfgd[34349]: inactive
May 13 16:17:46.553527 osdx INFO[34357]: FRR daemons did not change
May 13 16:17:46.572730 osdx zebra[1400]: [HSYZM-HV7HF] Extended Error: Nexthop has invalid gateway
May 13 16:17:46.572742 osdx zebra[1400]: [WVJCK-PPMGD][EC 4043309093] netlink-dp (NS 0) error: Network is unreachable, type=RTM_NEWNEXTHOP(104), seq=1048, pid=3387930639
May 13 16:17:46.572748 osdx zebra[1400]: [HSYZM-HV7HF] Extended Error: Nexthop has invalid gateway
May 13 16:17:46.572752 osdx zebra[1400]: [WVJCK-PPMGD][EC 4043309093] netlink-dp (NS 0) error: Network is unreachable, type=RTM_NEWNEXTHOP(104), seq=1049, pid=3387930639
May 13 16:17:46.572783 osdx zebra[1400]: [X5XE1-RS0SW][EC 4043309074] Failed to install Nexthop (197[10.215.200.100 if 2 vrfid 0]) into the kernel
May 13 16:17:46.572788 osdx zebra[1400]: [X5XE1-RS0SW][EC 4043309074] Failed to install Nexthop (198[10.215.200.200 if 2 vrfid 0]) into the kernel
May 13 16:17:46.670822 osdx cfgd[1470]: [30995]Completed change to active configuration
May 13 16:17:46.682856 osdx OSDxCLI[30995]: User 'admin' committed the configuration.
May 13 16:17:46.736803 osdx OSDxCLI[30995]: User 'admin' left the configuration menu.
May 13 16:17:46.886888 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 13 16:17:47.075523 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu.
May 13 16:17:47.186706 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 13 16:17:47.269471 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
May 13 16:17:47.373010 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQEeJjmfUIxcQf+xjCLNOj6gsrYZ4K0UHZjJVRVNPNrrRvVZEA0tdeb'.
May 13 16:17:47.442067 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
May 13 16:17:47.542830 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
May 13 16:17:47.630579 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'.
May 13 16:17:47.695514 osdx ubnt-cfgd[34508]: inactive
May 13 16:17:47.715582 osdx INFO[34516]: FRR daemons did not change
May 13 16:17:47.727495 osdx ca-certificates[34532]: Updating certificates in /etc/ssl/certs...
May 13 16:17:48.267646 osdx ca-certificates[35536]: 1 added, 0 removed; done.
May 13 16:17:48.271193 osdx ca-certificates[35542]: Running hooks in /etc/ca-certificates/update.d...
May 13 16:17:48.275273 osdx ca-certificates[35544]: done.
May 13 16:17:48.353194 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 13 16:17:48.354570 osdx cfgd[1470]: [30995]Completed change to active configuration
May 13 16:17:48.356756 osdx OSDxCLI[30995]: User 'admin' committed the configuration.
May 13 16:17:48.380873 osdx dnscrypt-proxy[35548]: [2025-05-13 16:17:48] [NOTICE] dnscrypt-proxy 2.0.45
May 13 16:17:48.381076 osdx dnscrypt-proxy[35548]: [2025-05-13 16:17:48] [NOTICE] Network connectivity detected
May 13 16:17:48.381159 osdx dnscrypt-proxy[35548]: [2025-05-13 16:17:48] [NOTICE] Dropping privileges
May 13 16:17:48.383200 osdx dnscrypt-proxy[35548]: [2025-05-13 16:17:48] [NOTICE] Network connectivity detected
May 13 16:17:48.383229 osdx dnscrypt-proxy[35548]: [2025-05-13 16:17:48] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
May 13 16:17:48.383229 osdx dnscrypt-proxy[35548]: [2025-05-13 16:17:48] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
May 13 16:17:48.386928 osdx dnscrypt-proxy[35548]: [2025-05-13 16:17:48] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-ly72x4pbnip4fzrt.tmp: permission denied
May 13 16:17:48.386928 osdx dnscrypt-proxy[35548]: [2025-05-13 16:17:48] [NOTICE] Source [RD] loaded
May 13 16:17:48.386986 osdx dnscrypt-proxy[35548]: [2025-05-13 16:17:48] [WARNING] Missing stamp for server [PRIVATE-server-name`]
May 13 16:17:48.386986 osdx dnscrypt-proxy[35548]: [2025-05-13 16:17:48] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
May 13 16:17:48.386986 osdx dnscrypt-proxy[35548]: [2025-05-13 16:17:48] [NOTICE] Firefox workaround initialized
May 13 16:17:48.386986 osdx dnscrypt-proxy[35548]: [2025-05-13 16:17:48] [NOTICE] Loading the set of cloaking rules from [/tmp/tmptl7muwfo]
May 13 16:17:48.411030 osdx OSDxCLI[30995]: User 'admin' left the configuration menu.
May 13 16:17:48.570573 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'system journal show | cat'.
May 13 16:17:49.630681 osdx dnscrypt-proxy[35548]: [2025-05-13 16:17:49] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 147ms
May 13 16:17:49.630681 osdx dnscrypt-proxy[35548]: [2025-05-13 16:17:49] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 147ms)
May 13 16:17:49.630681 osdx dnscrypt-proxy[35548]: [2025-05-13 16:17:49] [NOTICE] dnscrypt-proxy is ready - live servers: 1
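Step 2 of the two valid-source scenarios above, written out as an added example that is not part of the original test suite: it applies the pass criterion to the dnscrypt-proxy journal entries and also collects the WARNING entries that the regular expression alone never looks at. The sample lines are copied from the second scenario's journal; `check_journal` and its result keys are hypothetical names.

```python
import re

# Sample input: five dnscrypt-proxy entries copied from the journal output above.
JOURNAL = """\
May 13 16:17:48.386928 osdx dnscrypt-proxy[35548]: [2025-05-13 16:17:48] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-ly72x4pbnip4fzrt.tmp: permission denied
May 13 16:17:48.386928 osdx dnscrypt-proxy[35548]: [2025-05-13 16:17:48] [NOTICE] Source [RD] loaded
May 13 16:17:48.386986 osdx dnscrypt-proxy[35548]: [2025-05-13 16:17:48] [WARNING] Missing stamp for server [PRIVATE-server-name`]
May 13 16:17:49.630681 osdx dnscrypt-proxy[35548]: [2025-05-13 16:17:49] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 147ms
May 13 16:17:49.630681 osdx dnscrypt-proxy[35548]: [2025-05-13 16:17:49] [NOTICE] dnscrypt-proxy is ready - live servers: 1
"""

ENTRY = re.compile(r"dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
SERVER_OK = re.compile(r"^\[(?P<name>[^\]]+)\] OK \((?P<proto>[^)]+)\) - rtt: (?P<rtt>\d+)ms$")
SOURCE_LOADED = re.compile(r"^Source \[(?P<src>[^\]]+)\] loaded$")
LIVE = re.compile(r"live servers: (?P<n>\d+)$")

def check_journal(text, server_name):
    """Apply the Step 2 criterion for one server-name and collect context."""
    result = {"passed": False, "rtt_ms": None, "live_servers": None,
              "sources_loaded": [], "warnings": []}
    for line in text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue  # not a dnscrypt-proxy journal entry
        level, msg = entry["level"], entry["msg"]
        if level not in ("DEBUG", "INFO", "NOTICE"):
            result["warnings"].append(msg)  # a regex-only check never sees these
        elif (ok := SERVER_OK.match(msg)):
            # Pass only if the exact (prefixed) name answered over DoH.
            if ok["name"] == server_name and ok["proto"] == "DoH":
                result["passed"] = True
                result["rtt_ms"] = int(ok["rtt"])
        elif (src := SOURCE_LOADED.match(msg)):
            result["sources_loaded"].append(src["src"])
        elif (live := LIVE.search(msg)):
            result["live_servers"] = int(live["n"])
    return result

if __name__ == "__main__":
    for name in ("PRIVATE-rd-server", "rd-server"):
        print(name, check_journal(JOURNAL, name))
```

With the prefix configured, the unprefixed name `rd-server` does not pass against this journal, and the run still reports two warnings even though the scenario's criterion is met.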
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key Lj2PoOSbbo4awn04iuDe3Ck4
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
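A structural pre-check for the minisign-key values used in the scenarios on this page, as an added example that is not part of the original test suite. It assumes the standard minisign public-key encoding (base64 of the 2-byte algorithm id "Ed", an 8-byte key id and a 32-byte Ed25519 key); `inspect_minisign_key`, `preflight` and `PAGE_KEYS` are hypothetical names.

```python
import base64
import binascii
import re

# minisign public key = base64("Ed" + 8-byte key id + 32-byte Ed25519 key)
MINISIGN_PK_LEN = 2 + 8 + 32
KEY_LINE = re.compile(r"^set service dns proxy source (\S+) minisign-key (\S+)$")

def inspect_minisign_key(b64_key):
    """Return (ok, detail) for a base64-encoded minisign public key."""
    try:
        raw = base64.b64decode(b64_key, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"not valid base64: {exc}"
    if len(raw) != MINISIGN_PK_LEN:
        return False, f"decoded to {len(raw)} bytes, expected {MINISIGN_PK_LEN}"
    if raw[:2] != b"Ed":
        return False, f"unexpected signature algorithm {raw[:2]!r}"
    return True, f"key id bytes {raw[2:10].hex()}"

def preflight(config_text):
    """Map each source name in a 'set ...' configuration to its key verdict."""
    verdicts = {}
    for line in config_text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            verdicts[m.group(1)] = inspect_minisign_key(m.group(2))
    return verdicts

# The three minisign-key values configured in the scenarios on this page.
PAGE_KEYS = {
    "valid source": "RWQEeJjmfUIxcQf+xjCLNOj6gsrYZ4K0UHZjJVRVNPNrrRvVZEA0tdeb",
    "invalid source": "Lj2PoOSbbo4awn04iuDe3Ck4",
    "invalid minisign key": "InvalidMinisignKey==",
}

if __name__ == "__main__":
    for label, key in PAGE_KEYS.items():
        print(label, inspect_minisign_key(key))
```

This only catches malformed keys: a well-formed key that does not belong to the signer of the source list is rejected only when the list's signature is verified.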