Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWT8Tw2qzVvd50orB/Vc7ncjsuDusj16sMYw2vuFZJQFrf741JeILnRL
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Jun 23 07:55:16.293832 osdx systemd-journald[1747]: Runtime Journal (/run/log/journal/76ff399027db4a3db160ed8651bac52f) is 2.0M, max 15.3M, 13.2M free.
Jun 23 07:55:16.294711 osdx systemd-journald[1747]: Received client request to rotate journal, rotating.
Jun 23 07:55:16.294751 osdx systemd-journald[1747]: Vacuuming done, freed 0B of archived journals from /run/log/journal/76ff399027db4a3db160ed8651bac52f.
Jun 23 07:55:16.304171 osdx OSDxCLI[4485]: User 'admin' executed a new command: 'system journal clear'.
Jun 23 07:55:16.528919 osdx OSDxCLI[4485]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 23 07:55:16.754209 osdx OSDxCLI[4485]: User 'admin' entered the configuration menu.
Jun 23 07:55:16.829332 osdx OSDxCLI[4485]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 23 07:55:16.924704 osdx OSDxCLI[4485]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 23 07:55:16.995994 osdx OSDxCLI[4485]: User 'admin' added a new cfg line: 'show working'.
Jun 23 07:55:17.120963 osdx INFO[131648]: FRR daemons did not change
Jun 23 07:55:17.146725 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 23 07:55:17.264451 osdx cfgd[1453]: [4485]Completed change to active configuration
Jun 23 07:55:17.300729 osdx OSDxCLI[4485]: User 'admin' committed the configuration.
Jun 23 07:55:17.318931 osdx OSDxCLI[4485]: User 'admin' left the configuration menu.
Jun 23 07:55:17.451436 osdx OSDxCLI[4485]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 23 07:55:17.619959 osdx OSDxCLI[4485]: User 'admin' entered the configuration menu.
Jun 23 07:55:17.725635 osdx OSDxCLI[4485]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jun 23 07:55:17.794238 osdx OSDxCLI[4485]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jun 23 07:55:17.893780 osdx OSDxCLI[4485]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWT8Tw2qzVvd50orB/Vc7ncjsuDusj16sMYw2vuFZJQFrf741JeILnRL'.
Jun 23 07:55:17.979091 osdx OSDxCLI[4485]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Jun 23 07:55:18.094184 osdx OSDxCLI[4485]: User 'admin' added a new cfg line: 'show working'.
Jun 23 07:55:18.176811 osdx INFO[131756]: FRR daemons did not change
Jun 23 07:55:18.193087 osdx ca-certificates[131772]: Updating certificates in /etc/ssl/certs...
Jun 23 07:55:18.699785 osdx ubnt-cfgd[132770]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Jun 23 07:55:18.708913 osdx ca-certificates[132776]: 1 added, 0 removed; done.
Jun 23 07:55:18.712985 osdx ca-certificates[132782]: Running hooks in /etc/ca-certificates/update.d...
Jun 23 07:55:18.717158 osdx ca-certificates[132784]: done.
Jun 23 07:55:18.795097 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jun 23 07:55:18.797476 osdx cfgd[1453]: [4485]Completed change to active configuration
Jun 23 07:55:18.799493 osdx OSDxCLI[4485]: User 'admin' committed the configuration.
Jun 23 07:55:18.818052 osdx OSDxCLI[4485]: User 'admin' left the configuration menu.
Jun 23 07:55:18.821210 osdx dnscrypt-proxy[132788]: [2025-06-23 07:55:18] [NOTICE] dnscrypt-proxy 2.0.45
Jun 23 07:55:18.821210 osdx dnscrypt-proxy[132788]: [2025-06-23 07:55:18] [NOTICE] Network connectivity detected
Jun 23 07:55:18.821496 osdx dnscrypt-proxy[132788]: [2025-06-23 07:55:18] [NOTICE] Dropping privileges
Jun 23 07:55:18.824187 osdx dnscrypt-proxy[132788]: [2025-06-23 07:55:18] [NOTICE] Network connectivity detected
Jun 23 07:55:18.824187 osdx dnscrypt-proxy[132788]: [2025-06-23 07:55:18] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jun 23 07:55:18.824187 osdx dnscrypt-proxy[132788]: [2025-06-23 07:55:18] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jun 23 07:55:18.825457 osdx dnscrypt-proxy[132788]: [2025-06-23 07:55:18] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-unqfwyvvh3nio6f6.tmp: permission denied
Jun 23 07:55:18.825457 osdx dnscrypt-proxy[132788]: [2025-06-23 07:55:18] [NOTICE] Source [RD] loaded
Jun 23 07:55:18.825517 osdx dnscrypt-proxy[132788]: [2025-06-23 07:55:18] [WARNING] Missing stamp for server [server-name`]
Jun 23 07:55:18.825517 osdx dnscrypt-proxy[132788]: [2025-06-23 07:55:18] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Jun 23 07:55:18.825517 osdx dnscrypt-proxy[132788]: [2025-06-23 07:55:18] [NOTICE] Firefox workaround initialized
Jun 23 07:55:18.825517 osdx dnscrypt-proxy[132788]: [2025-06-23 07:55:18] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpakingou3]
Jun 23 07:55:18.986671 osdx dnscrypt-proxy[132788]: [2025-06-23 07:55:18] [NOTICE] [rd-server] OK (DoH) - rtt: 136ms
Jun 23 07:55:18.986671 osdx dnscrypt-proxy[132788]: [2025-06-23 07:55:18] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 136ms)
Jun 23 07:55:18.986671 osdx dnscrypt-proxy[132788]: [2025-06-23 07:55:18] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWT8Tw2qzVvd50orB/Vc7ncjsuDusj16sMYw2vuFZJQFrf741JeILnRL
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Jun 23 07:55:23.318526 osdx systemd-journald[1747]: Runtime Journal (/run/log/journal/76ff399027db4a3db160ed8651bac52f) is 2.0M, max 15.3M, 13.3M free.
Jun 23 07:55:23.320295 osdx systemd-journald[1747]: Received client request to rotate journal, rotating.
Jun 23 07:55:23.320336 osdx systemd-journald[1747]: Vacuuming done, freed 0B of archived journals from /run/log/journal/76ff399027db4a3db160ed8651bac52f.
Jun 23 07:55:23.327642 osdx OSDxCLI[4485]: User 'admin' executed a new command: 'system journal clear'.
Jun 23 07:55:23.560439 osdx OSDxCLI[4485]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 23 07:55:23.835543 osdx OSDxCLI[4485]: User 'admin' entered the configuration menu.
Jun 23 07:55:23.929174 osdx OSDxCLI[4485]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 23 07:55:24.007681 osdx OSDxCLI[4485]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 23 07:55:24.117916 osdx OSDxCLI[4485]: User 'admin' added a new cfg line: 'show working'.
Jun 23 07:55:24.185765 osdx INFO[134392]: FRR daemons did not change
Jun 23 07:55:24.204281 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 23 07:55:24.304139 osdx cfgd[1453]: [4485]Completed change to active configuration
Jun 23 07:55:24.329709 osdx OSDxCLI[4485]: User 'admin' committed the configuration.
Jun 23 07:55:24.346773 osdx OSDxCLI[4485]: User 'admin' left the configuration menu.
Jun 23 07:55:24.496099 osdx OSDxCLI[4485]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 23 07:55:24.707102 osdx OSDxCLI[4485]: User 'admin' entered the configuration menu.
Jun 23 07:55:24.767407 osdx OSDxCLI[4485]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jun 23 07:55:24.871626 osdx OSDxCLI[4485]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jun 23 07:55:24.929608 osdx OSDxCLI[4485]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWT8Tw2qzVvd50orB/Vc7ncjsuDusj16sMYw2vuFZJQFrf741JeILnRL'.
Jun 23 07:55:25.028126 osdx OSDxCLI[4485]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Jun 23 07:55:25.083665 osdx OSDxCLI[4485]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Jun 23 07:55:25.195410 osdx OSDxCLI[4485]: User 'admin' added a new cfg line: 'show working'.
Jun 23 07:55:25.267034 osdx INFO[134501]: FRR daemons did not change
Jun 23 07:55:25.278884 osdx ca-certificates[134517]: Updating certificates in /etc/ssl/certs...
Jun 23 07:55:25.769814 osdx ubnt-cfgd[135515]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Jun 23 07:55:25.777693 osdx ca-certificates[135521]: 1 added, 0 removed; done.
Jun 23 07:55:25.780538 osdx ca-certificates[135527]: Running hooks in /etc/ca-certificates/update.d...
Jun 23 07:55:25.783458 osdx ca-certificates[135529]: done.
Jun 23 07:55:25.848509 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jun 23 07:55:25.850325 osdx cfgd[1453]: [4485]Completed change to active configuration
Jun 23 07:55:25.854033 osdx OSDxCLI[4485]: User 'admin' committed the configuration.
Jun 23 07:55:25.871853 osdx OSDxCLI[4485]: User 'admin' left the configuration menu.
Jun 23 07:55:25.874369 osdx dnscrypt-proxy[135533]: [2025-06-23 07:55:25] [NOTICE] dnscrypt-proxy 2.0.45
Jun 23 07:55:25.874521 osdx dnscrypt-proxy[135533]: [2025-06-23 07:55:25] [NOTICE] Network connectivity detected
Jun 23 07:55:25.874654 osdx dnscrypt-proxy[135533]: [2025-06-23 07:55:25] [NOTICE] Dropping privileges
Jun 23 07:55:25.877227 osdx dnscrypt-proxy[135533]: [2025-06-23 07:55:25] [NOTICE] Network connectivity detected
Jun 23 07:55:25.877305 osdx dnscrypt-proxy[135533]: [2025-06-23 07:55:25] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jun 23 07:55:25.877336 osdx dnscrypt-proxy[135533]: [2025-06-23 07:55:25] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jun 23 07:55:25.878353 osdx dnscrypt-proxy[135533]: [2025-06-23 07:55:25] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-jwkgdggxcw34duf4.tmp: permission denied
Jun 23 07:55:25.878406 osdx dnscrypt-proxy[135533]: [2025-06-23 07:55:25] [NOTICE] Source [RD] loaded
Jun 23 07:55:25.878459 osdx dnscrypt-proxy[135533]: [2025-06-23 07:55:25] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Jun 23 07:55:25.878500 osdx dnscrypt-proxy[135533]: [2025-06-23 07:55:25] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Jun 23 07:55:25.878530 osdx dnscrypt-proxy[135533]: [2025-06-23 07:55:25] [NOTICE] Firefox workaround initialized
Jun 23 07:55:25.878559 osdx dnscrypt-proxy[135533]: [2025-06-23 07:55:25] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp5cw79sd2]
Jun 23 07:55:26.011031 osdx dnscrypt-proxy[135533]: [2025-06-23 07:55:26] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 103ms
Jun 23 07:55:26.011031 osdx dnscrypt-proxy[135533]: [2025-06-23 07:55:26] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 103ms)
Jun 23 07:55:26.011031 osdx dnscrypt-proxy[135533]: [2025-06-23 07:55:26] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Jun 23 07:55:26.021146 osdx OSDxCLI[4485]: User 'admin' executed a new command: 'system journal show | cat'.
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key pjy79ZkN3rr0lCmEp0L0tcJm
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
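The minisign-key values used in the Valid Source, Invalid Source and Invalid Minisign Key scenarios differ already at the encoding level: a minisign public key is the base64 of a 2-byte algorithm tag ("Ed"), an 8-byte key id and a 32-byte Ed25519 key, 42 bytes in total. The following structural check is an added example, not part of the test suite or of OSDx; the function names parse_minisign_pubkey and check are hypothetical.

```python
import base64
import binascii

# minisign-key values copied from the scenarios on this page.
PAGE_KEYS = {
    "valid source": "RWT8Tw2qzVvd50orB/Vc7ncjsuDusj16sMYw2vuFZJQFrf741JeILnRL",
    "invalid source": "pjy79ZkN3rr0lCmEp0L0tcJm",
    "invalid minisign key": "InvalidMinisignKey==",
}

EXPECTED_LEN = 2 + 8 + 32  # algorithm tag + key id + Ed25519 public key


def parse_minisign_pubkey(text):
    """Return (algorithm, key_id_hex, public_key) or raise ValueError.

    Layout: base64(algorithm[2] || key_id[8] || public_key[32]).
    key_id_hex is the plain hex of the 8 key-id bytes in stored order.
    """
    try:
        raw = base64.b64decode(text.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if len(raw) != EXPECTED_LEN:
        raise ValueError(
            f"decoded length is {len(raw)} bytes, expected {EXPECTED_LEN}")
    algorithm = raw[:2]
    if algorithm != b"Ed":
        raise ValueError(f"unsupported signature algorithm {algorithm!r}")
    return algorithm.decode("ascii"), raw[2:10].hex(), raw[10:]


def check(text):
    """Non-raising wrapper for a config lint step: returns (ok, detail)."""
    try:
        algorithm, key_id, _ = parse_minisign_pubkey(text)
    except ValueError as exc:
        return False, str(exc)
    return True, f"algorithm={algorithm} key_id={key_id}"


if __name__ == "__main__":
    for scenario, key in PAGE_KEYS.items():
        ok, detail = check(key)
        print(f"{scenario:22} {'OK' if ok else 'REJECT'}  {detail}")
```

A key that passes this check is only well-formed; whether a source is accepted still depends on the signature over the downloaded list verifying against that key.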