Source

Test suite to validate using one or multiple ciphers to protect DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWQ9UB0SI3e/Dnm+2FNrvLtBH+OHwbNhG7Oh7/70TLzgpBdRuZGj/RRJ
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expression:

(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$

Output:

May 19 17:59:05.282481 osdx systemd-journald[505760]: Runtime Journal (/run/log/journal/d1b141b298644f3ea5560bad25bf4943) is 1.8M, max 13.8M, 11.9M free.
May 19 17:59:05.283160 osdx systemd-journald[505760]: Received client request to rotate journal, rotating.
May 19 17:59:05.283213 osdx systemd-journald[505760]: Vacuuming done, freed 0B of archived journals from /run/log/journal/d1b141b298644f3ea5560bad25bf4943.
May 19 17:59:05.291629 osdx OSDxCLI[673163]: User 'admin' executed a new command: 'system journal clear'.
May 19 17:59:05.483870 osdx OSDxCLI[673163]: User 'admin' executed a new command: 'system coredump delete all'.
May 19 17:59:05.685196 osdx OSDxCLI[673163]: User 'admin' entered the configuration menu.
May 19 17:59:05.762188 osdx OSDxCLI[673163]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 19 17:59:05.831381 osdx OSDxCLI[673163]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 19 17:59:05.889006 osdx OSDxCLI[673163]: User 'admin' added a new cfg line: 'show working'.
May 19 17:59:05.981723 osdx ubnt-cfgd[768406]: inactive
May 19 17:59:06.030935 osdx INFO[768413]: FRR daemons did not change
May 19 17:59:06.062935 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 19 17:59:06.104498 osdx WARNING[768484]: No supported link modes on interface eth0
May 19 17:59:06.105780 osdx modulelauncher[768484]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
May 19 17:59:06.105791 osdx modulelauncher[768484]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
May 19 17:59:06.106895 osdx modulelauncher[768484]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
May 19 17:59:06.106903 osdx modulelauncher[768484]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
May 19 17:59:06.315157 osdx cfgd[1918]: [673163]Completed change to active configuration
May 19 17:59:06.315775 osdx OSDxCLI[673163]: User 'admin' committed the configuration.
May 19 17:59:06.333150 osdx OSDxCLI[673163]: User 'admin' left the configuration menu.
May 19 17:59:06.475550 osdx OSDxCLI[673163]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 19 17:59:06.538141 osdx OSDxCLI[673163]: User 'admin' executed a new command: 'system journal show | cat'.
May 19 17:59:06.665980 osdx OSDxCLI[673163]: User 'admin' entered the configuration menu.
May 19 17:59:06.719788 osdx OSDxCLI[673163]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 19 17:59:06.817422 osdx OSDxCLI[673163]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
May 19 17:59:06.867058 osdx OSDxCLI[673163]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQ9UB0SI3e/Dnm+2FNrvLtBH+OHwbNhG7Oh7/70TLzgpBdRuZGj/RRJ'.
May 19 17:59:06.959858 osdx OSDxCLI[673163]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
May 19 17:59:07.020920 osdx OSDxCLI[673163]: User 'admin' added a new cfg line: 'show working'.
May 19 17:59:07.109924 osdx ubnt-cfgd[768588]: inactive
May 19 17:59:07.184473 osdx INFO[768597]: FRR daemons did not change
May 19 17:59:07.201322 osdx ca-certificates[768613]: Updating certificates in /etc/ssl/certs...
May 19 17:59:07.667726 osdx ubnt-cfgd[769625]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
May 19 17:59:07.674865 osdx ca-certificates[769631]: 1 added, 0 removed; done.
May 19 17:59:07.677523 osdx ca-certificates[769637]: Running hooks in /etc/ca-certificates/update.d...
May 19 17:59:07.680097 osdx ca-certificates[769639]: done.
May 19 17:59:07.735203 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 19 17:59:07.741475 osdx cfgd[1918]: [673163]Completed change to active configuration
May 19 17:59:07.741913 osdx OSDxCLI[673163]: User 'admin' committed the configuration.
May 19 17:59:07.754072 osdx dnscrypt-proxy[769643]: [2026-05-19 17:59:07] [NOTICE] dnscrypt-proxy 2.0.45
May 19 17:59:07.754267 osdx dnscrypt-proxy[769643]: [2026-05-19 17:59:07] [NOTICE] Network connectivity detected
May 19 17:59:07.754318 osdx dnscrypt-proxy[769643]: [2026-05-19 17:59:07] [NOTICE] Dropping privileges
May 19 17:59:07.757853 osdx dnscrypt-proxy[769643]: [2026-05-19 17:59:07] [NOTICE] Network connectivity detected
May 19 17:59:07.757930 osdx dnscrypt-proxy[769643]: [2026-05-19 17:59:07] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
May 19 17:59:07.757930 osdx dnscrypt-proxy[769643]: [2026-05-19 17:59:07] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
May 19 17:59:07.757930 osdx OSDxCLI[673163]: User 'admin' left the configuration menu.
May 19 17:59:07.760013 osdx dnscrypt-proxy[769643]: [2026-05-19 17:59:07] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-ajsoy3v62gfdv4bp.tmp: permission denied
May 19 17:59:07.760013 osdx dnscrypt-proxy[769643]: [2026-05-19 17:59:07] [NOTICE] Source [RD] loaded
May 19 17:59:07.760176 osdx dnscrypt-proxy[769643]: [2026-05-19 17:59:07] [WARNING] Missing stamp for server [server-name`]
May 19 17:59:07.760176 osdx dnscrypt-proxy[769643]: [2026-05-19 17:59:07] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
May 19 17:59:07.760176 osdx dnscrypt-proxy[769643]: [2026-05-19 17:59:07] [NOTICE] Firefox workaround initialized
May 19 17:59:07.760176 osdx dnscrypt-proxy[769643]: [2026-05-19 17:59:07] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp4j365dn2]
May 19 17:59:07.894722 osdx dnscrypt-proxy[769643]: [2026-05-19 17:59:07] [NOTICE] [rd-server] OK (DoH) - rtt: 115ms
May 19 17:59:07.894722 osdx dnscrypt-proxy[769643]: [2026-05-19 17:59:07] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 115ms)
May 19 17:59:07.894722 osdx dnscrypt-proxy[769643]: [2026-05-19 17:59:07] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWQ9UB0SI3e/Dnm+2FNrvLtBH+OHwbNhG7Oh7/70TLzgpBdRuZGj/RRJ
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expression:

(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$

Output:

May 19 17:59:13.287127 osdx systemd-journald[505760]: Runtime Journal (/run/log/journal/d1b141b298644f3ea5560bad25bf4943) is 1.8M, max 13.8M, 11.9M free.
May 19 17:59:13.288258 osdx systemd-journald[505760]: Received client request to rotate journal, rotating.
May 19 17:59:13.288306 osdx systemd-journald[505760]: Vacuuming done, freed 0B of archived journals from /run/log/journal/d1b141b298644f3ea5560bad25bf4943.
May 19 17:59:13.297453 osdx OSDxCLI[673163]: User 'admin' executed a new command: 'system journal clear'.
May 19 17:59:13.491172 osdx OSDxCLI[673163]: User 'admin' executed a new command: 'system coredump delete all'.
May 19 17:59:13.694715 osdx OSDxCLI[673163]: User 'admin' entered the configuration menu.
May 19 17:59:13.773736 osdx OSDxCLI[673163]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 19 17:59:13.843532 osdx OSDxCLI[673163]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 19 17:59:13.901280 osdx OSDxCLI[673163]: User 'admin' added a new cfg line: 'show working'.
May 19 17:59:13.994339 osdx ubnt-cfgd[771363]: inactive
May 19 17:59:14.012724 osdx INFO[771370]: FRR daemons did not change
May 19 17:59:14.040252 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 19 17:59:14.086023 osdx WARNING[771441]: No supported link modes on interface eth0
May 19 17:59:14.087319 osdx modulelauncher[771441]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
May 19 17:59:14.087329 osdx modulelauncher[771441]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
May 19 17:59:14.088416 osdx modulelauncher[771441]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
May 19 17:59:14.088423 osdx modulelauncher[771441]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
May 19 17:59:14.299534 osdx cfgd[1918]: [673163]Completed change to active configuration
May 19 17:59:14.319027 osdx OSDxCLI[673163]: User 'admin' committed the configuration.
May 19 17:59:14.338740 osdx OSDxCLI[673163]: User 'admin' left the configuration menu.
May 19 17:59:14.484230 osdx OSDxCLI[673163]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 19 17:59:14.546578 osdx OSDxCLI[673163]: User 'admin' executed a new command: 'system journal show | cat'.
May 19 17:59:14.683026 osdx OSDxCLI[673163]: User 'admin' entered the configuration menu.
May 19 17:59:14.744931 osdx OSDxCLI[673163]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 19 17:59:14.844190 osdx OSDxCLI[673163]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
May 19 17:59:14.901555 osdx OSDxCLI[673163]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQ9UB0SI3e/Dnm+2FNrvLtBH+OHwbNhG7Oh7/70TLzgpBdRuZGj/RRJ'.
May 19 17:59:14.994715 osdx OSDxCLI[673163]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
May 19 17:59:15.051967 osdx OSDxCLI[673163]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
May 19 17:59:15.155083 osdx OSDxCLI[673163]: User 'admin' added a new cfg line: 'show working'.
May 19 17:59:15.214105 osdx ubnt-cfgd[771546]: inactive
May 19 17:59:15.233789 osdx INFO[771555]: FRR daemons did not change
May 19 17:59:15.245246 osdx ca-certificates[771571]: Updating certificates in /etc/ssl/certs...
May 19 17:59:15.703086 osdx ubnt-cfgd[772583]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
May 19 17:59:15.710233 osdx ca-certificates[772589]: 1 added, 0 removed; done.
May 19 17:59:15.712914 osdx ca-certificates[772595]: Running hooks in /etc/ca-certificates/update.d...
May 19 17:59:15.715427 osdx ca-certificates[772597]: done.
May 19 17:59:15.768511 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 19 17:59:15.775761 osdx cfgd[1918]: [673163]Completed change to active configuration
May 19 17:59:15.776273 osdx OSDxCLI[673163]: User 'admin' committed the configuration.
May 19 17:59:15.790972 osdx dnscrypt-proxy[772601]: [2026-05-19 17:59:15] [NOTICE] dnscrypt-proxy 2.0.45
May 19 17:59:15.791172 osdx dnscrypt-proxy[772601]: [2026-05-19 17:59:15] [NOTICE] Network connectivity detected
May 19 17:59:15.791206 osdx dnscrypt-proxy[772601]: [2026-05-19 17:59:15] [NOTICE] Dropping privileges
May 19 17:59:15.793004 osdx dnscrypt-proxy[772601]: [2026-05-19 17:59:15] [NOTICE] Network connectivity detected
May 19 17:59:15.793038 osdx dnscrypt-proxy[772601]: [2026-05-19 17:59:15] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
May 19 17:59:15.793038 osdx dnscrypt-proxy[772601]: [2026-05-19 17:59:15] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
May 19 17:59:15.793907 osdx dnscrypt-proxy[772601]: [2026-05-19 17:59:15] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-6blkmb4jukknw3vh.tmp: permission denied
May 19 17:59:15.793907 osdx dnscrypt-proxy[772601]: [2026-05-19 17:59:15] [NOTICE] Source [RD] loaded
May 19 17:59:15.793953 osdx dnscrypt-proxy[772601]: [2026-05-19 17:59:15] [WARNING] Missing stamp for server [PRIVATE-server-name`]
May 19 17:59:15.793953 osdx dnscrypt-proxy[772601]: [2026-05-19 17:59:15] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
May 19 17:59:15.793953 osdx dnscrypt-proxy[772601]: [2026-05-19 17:59:15] [NOTICE] Firefox workaround initialized
May 19 17:59:15.793953 osdx dnscrypt-proxy[772601]: [2026-05-19 17:59:15] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp0er7ldg_]
May 19 17:59:15.800228 osdx OSDxCLI[673163]: User 'admin' left the configuration menu.
May 19 17:59:15.922338 osdx dnscrypt-proxy[772601]: [2026-05-19 17:59:15] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 111ms
May 19 17:59:15.922338 osdx dnscrypt-proxy[772601]: [2026-05-19 17:59:15] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 111ms)
May 19 17:59:15.922338 osdx dnscrypt-proxy[772601]: [2026-05-19 17:59:15] [NOTICE] dnscrypt-proxy is ready - live servers: 1
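
The Step 2 check applied to the prefixed run, as an added example (not part of the OSDx test suite): it uses the page's regular expression with the server name as a parameter and also collects the dnscrypt-proxy WARNING entries that the pass criterion ignores. The function name check_doh_server and the returned fields are assumptions of this example; the journal lines are copied from the output above.

```python
import re

# dnscrypt-proxy entries copied from the "Valid Source With Prefix" output above.
JOURNAL = """\
May 19 17:59:15.793907 osdx dnscrypt-proxy[772601]: [2026-05-19 17:59:15] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-6blkmb4jukknw3vh.tmp: permission denied
May 19 17:59:15.793907 osdx dnscrypt-proxy[772601]: [2026-05-19 17:59:15] [NOTICE] Source [RD] loaded
May 19 17:59:15.793953 osdx dnscrypt-proxy[772601]: [2026-05-19 17:59:15] [WARNING] Missing stamp for server [PRIVATE-server-name`]
May 19 17:59:15.922338 osdx dnscrypt-proxy[772601]: [2026-05-19 17:59:15] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 111ms
May 19 17:59:15.922338 osdx dnscrypt-proxy[772601]: [2026-05-19 17:59:15] [NOTICE] dnscrypt-proxy is ready - live servers: 1
"""

# One dnscrypt-proxy journal entry: "[timestamp] [LEVEL] message".
ENTRY = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$", re.M
)


def check_doh_server(journal: str, server_name: str) -> dict:
    """Apply the Step 2 pass criterion for server_name and collect warnings."""
    # Same expression as on the page, with the server name substituted in.
    ok_line = re.compile(
        r"(?m)^.*\[" + re.escape(server_name) + r"\] OK \(DoH\) - rtt: (\d+)ms$"
    )
    match = ok_line.search(journal)
    entries = list(ENTRY.finditer(journal))
    live = re.search(r"live servers: (\d+)$", journal, re.M)
    return {
        "passed": match is not None,
        "rtt_ms": int(match.group(1)) if match else None,
        "live_servers": int(live.group(1)) if live else None,
        # Entries the pass criterion does not look at.
        "warnings": [e["msg"] for e in entries if e["level"] == "WARNING"],
    }


if __name__ == "__main__":
    # With the prefix configured, only the prefixed name satisfies the check.
    for name in ("PRIVATE-rd-server", "rd-server"):
        print(name, check_doh_server(JOURNAL, name))
```

The run passes for PRIVATE-rd-server while still reporting two warnings, and the unprefixed name rd-server does not match because the brackets in the expression anchor the full server name.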

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key ysH2Xmfq7iodRquFT0P3cY5l
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
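
A structural check of the minisign keys used in the "Invalid Source" and "Invalid Minisign Key" configurations, as an added example (not part of the OSDx test suite or of dnscrypt-proxy). It relies on the minisign public-key layout (base64 of a 2-byte Ed tag, an 8-byte key ID and a 32-byte Ed25519 key); inspect_minisign_pubkey is a hypothetical helper name.

```python
import base64
import binascii

# Keys copied from the configurations on this page.
VALID_KEY = "RWQ9UB0SI3e/Dnm+2FNrvLtBH+OHwbNhG7Oh7/70TLzgpBdRuZGj/RRJ"
RANDOM_KEY = "ysH2Xmfq7iodRquFT0P3cY5l"   # "Invalid Source" test
BAD_KEY = "InvalidMinisignKey=="          # "Invalid Minisign Key" test

ALG_TAG = b"Ed"      # minisign signature-algorithm tag
KEY_ID_LEN = 8       # key identifier
ED25519_LEN = 32     # Ed25519 public key
EXPECTED_LEN = len(ALG_TAG) + KEY_ID_LEN + ED25519_LEN  # 42 bytes


def inspect_minisign_pubkey(b64_key: str) -> dict:
    """Structural check only: it does not verify any signature."""
    try:
        raw = base64.b64decode(b64_key, validate=True)
    except (binascii.Error, ValueError) as exc:
        return {"ok": False, "reason": f"not valid base64: {exc}"}
    if len(raw) != EXPECTED_LEN:
        return {"ok": False,
                "reason": f"decoded to {len(raw)} bytes, expected {EXPECTED_LEN}"}
    if raw[:2] != ALG_TAG:
        return {"ok": False,
                "reason": f"algorithm tag {raw[:2]!r}, expected {ALG_TAG!r}"}
    return {"ok": True, "reason": "well-formed",
            "key_id": raw[2:10].hex(),      # bytes as stored in the key
            "public_key": raw[10:].hex()}


if __name__ == "__main__":
    for label, key in (("valid", VALID_KEY),
                       ("random", RANDOM_KEY),
                       ("bad", BAD_KEY)):
        print(label, inspect_minisign_pubkey(key))
```

Neither negative-test key decodes to a well-formed public key, so a well-formed key that simply does not match the list's signature is a separate case from the two configured here.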