Source

Test suite to validate using one or multiple ciphers to protect DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWR7zgD3myiVzzTelUZS0DQtvUALRJJHT1IO6clAO41wYZ6PEdXWUL0s
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expression:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Jun 02 09:52:26.000202 osdx systemd-timedated[280457]: Changed local time to Tue 2026-06-02 09:52:26 UTC
Jun 02 09:52:26.001548 osdx OSDxCLI[171599]: User 'admin' executed a new command: 'set date 2026-06-02 09:52:26'.
Jun 02 09:52:26.003431 osdx systemd-journald[148515]: Time jumped backwards, rotating.
Jun 02 09:52:26.339910 osdx sudo[281521]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Jun 02 09:52:26.343101 osdx systemd-journald[148515]: Runtime Journal (/run/log/journal/a0363f0a73514b24b35c4ba7ae73dc6e) is 1.8M, max 13.8M, 11.9M free.
Jun 02 09:52:26.343528 osdx systemd-journald[148515]: Received client request to rotate journal, rotating.
Jun 02 09:52:26.343576 osdx systemd-journald[148515]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a0363f0a73514b24b35c4ba7ae73dc6e.
Jun 02 09:52:26.347092 osdx sudo[281520]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Jun 02 09:52:26.353446 osdx OSDxCLI[171599]: User 'admin' executed a new command: 'system journal clear'.
Jun 02 09:52:26.572008 osdx OSDxCLI[171599]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 02 09:52:26.827472 osdx OSDxCLI[171599]: User 'admin' entered the configuration menu.
Jun 02 09:52:26.940643 osdx OSDxCLI[171599]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 02 09:52:27.019526 osdx OSDxCLI[171599]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 02 09:52:27.086324 osdx OSDxCLI[171599]: User 'admin' added a new cfg line: 'show working'.
Jun 02 09:52:27.189152 osdx ubnt-cfgd[281547]: inactive
Jun 02 09:52:27.209998 osdx INFO[281555]: FRR daemons did not change
Jun 02 09:52:27.235431 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 02 09:52:27.312295 osdx cfgd[1665]: [171599]Completed change to active configuration
Jun 02 09:52:27.325254 osdx OSDxCLI[171599]: User 'admin' committed the configuration.
Jun 02 09:52:27.353861 osdx OSDxCLI[171599]: User 'admin' left the configuration menu.
Jun 02 09:52:27.500336 osdx OSDxCLI[171599]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 02 09:52:27.651572 osdx OSDxCLI[171599]: User 'admin' entered the configuration menu.
Jun 02 09:52:27.753821 osdx OSDxCLI[171599]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jun 02 09:52:27.829116 osdx OSDxCLI[171599]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jun 02 09:52:27.949245 osdx OSDxCLI[171599]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWR7zgD3myiVzzTelUZS0DQtvUALRJJHT1IO6clAO41wYZ6PEdXWUL0s'.
Jun 02 09:52:28.058510 osdx OSDxCLI[171599]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Jun 02 09:52:28.148417 osdx OSDxCLI[171599]: User 'admin' added a new cfg line: 'show working'.
Jun 02 09:52:28.247219 osdx ubnt-cfgd[281707]: inactive
Jun 02 09:52:28.273434 osdx INFO[281715]: FRR daemons did not change
Jun 02 09:52:28.277369 osdx sudo[281718]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Jun 02 09:52:28.299470 osdx ca-certificates[281731]: Updating certificates in /etc/ssl/certs...
Jun 02 09:52:28.882110 osdx ubnt-cfgd[282729]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Jun 02 09:52:28.895167 osdx ca-certificates[282733]: 1 added, 0 removed; done.
Jun 02 09:52:28.898117 osdx ca-certificates[282741]: Running hooks in /etc/ca-certificates/update.d...
Jun 02 09:52:28.901057 osdx ca-certificates[282743]: done.
Jun 02 09:52:28.964090 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jun 02 09:52:28.965888 osdx cfgd[1665]: [171599]Completed change to active configuration
Jun 02 09:52:28.980698 osdx OSDxCLI[171599]: User 'admin' committed the configuration.
Jun 02 09:52:28.992314 osdx dnscrypt-proxy[282747]: [2026-06-02 09:52:28] [NOTICE] dnscrypt-proxy 2.0.45
Jun 02 09:52:28.992604 osdx dnscrypt-proxy[282747]: [2026-06-02 09:52:28] [NOTICE] Network connectivity detected
Jun 02 09:52:28.992639 osdx dnscrypt-proxy[282747]: [2026-06-02 09:52:28] [NOTICE] Dropping privileges
Jun 02 09:52:28.995354 osdx dnscrypt-proxy[282747]: [2026-06-02 09:52:28] [NOTICE] Network connectivity detected
Jun 02 09:52:28.995396 osdx dnscrypt-proxy[282747]: [2026-06-02 09:52:28] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jun 02 09:52:28.995396 osdx dnscrypt-proxy[282747]: [2026-06-02 09:52:28] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jun 02 09:52:29.009076 osdx dnscrypt-proxy[282747]: [2026-06-02 09:52:29] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-cyl6zt7xbwtgkjtd.tmp: permission denied
Jun 02 09:52:29.009076 osdx dnscrypt-proxy[282747]: [2026-06-02 09:52:29] [NOTICE] Source [RD] loaded
Jun 02 09:52:29.009170 osdx dnscrypt-proxy[282747]: [2026-06-02 09:52:29] [WARNING] Missing stamp for server [server-name`]
Jun 02 09:52:29.009170 osdx dnscrypt-proxy[282747]: [2026-06-02 09:52:29] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Jun 02 09:52:29.009170 osdx dnscrypt-proxy[282747]: [2026-06-02 09:52:29] [NOTICE] Firefox workaround initialized
Jun 02 09:52:29.009170 osdx dnscrypt-proxy[282747]: [2026-06-02 09:52:29] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpmb8dcpnm]
Jun 02 09:52:29.020362 osdx OSDxCLI[171599]: User 'admin' left the configuration menu.
Jun 02 09:52:29.164788 osdx dnscrypt-proxy[282747]: [2026-06-02 09:52:29] [NOTICE] [rd-server] OK (DoH) - rtt: 126ms
Jun 02 09:52:29.164883 osdx dnscrypt-proxy[282747]: [2026-06-02 09:52:29] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 126ms)
Jun 02 09:52:29.164925 osdx dnscrypt-proxy[282747]: [2026-06-02 09:52:29] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWR7zgD3myiVzzTelUZS0DQtvUALRJJHT1IO6clAO41wYZ6PEdXWUL0s
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expression:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Jun 02 09:52:34.000190 osdx systemd-timedated[280457]: Changed local time to Tue 2026-06-02 09:52:34 UTC
Jun 02 09:52:34.002557 osdx OSDxCLI[171599]: User 'admin' executed a new command: 'set date 2026-06-02 09:52:34'.
Jun 02 09:52:34.003898 osdx systemd-journald[148515]: Time jumped backwards, rotating.
Jun 02 09:52:34.386316 osdx sudo[284376]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Jun 02 09:52:34.389965 osdx systemd-journald[148515]: Runtime Journal (/run/log/journal/a0363f0a73514b24b35c4ba7ae73dc6e) is 1.9M, max 13.8M, 11.8M free.
Jun 02 09:52:34.391904 osdx systemd-journald[148515]: Received client request to rotate journal, rotating.
Jun 02 09:52:34.391972 osdx systemd-journald[148515]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a0363f0a73514b24b35c4ba7ae73dc6e.
Jun 02 09:52:34.395246 osdx sudo[284375]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Jun 02 09:52:34.403029 osdx OSDxCLI[171599]: User 'admin' executed a new command: 'system journal clear'.
Jun 02 09:52:34.677627 osdx OSDxCLI[171599]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 02 09:52:34.956386 osdx OSDxCLI[171599]: User 'admin' entered the configuration menu.
Jun 02 09:52:35.079760 osdx OSDxCLI[171599]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 02 09:52:35.131823 osdx OSDxCLI[171599]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 02 09:52:35.242987 osdx OSDxCLI[171599]: User 'admin' added a new cfg line: 'show working'.
Jun 02 09:52:35.323940 osdx ubnt-cfgd[284402]: inactive
Jun 02 09:52:35.346736 osdx INFO[284410]: FRR daemons did not change
Jun 02 09:52:35.383904 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 02 09:52:35.466099 osdx cfgd[1665]: [171599]Completed change to active configuration
Jun 02 09:52:35.479254 osdx OSDxCLI[171599]: User 'admin' committed the configuration.
Jun 02 09:52:35.495806 osdx OSDxCLI[171599]: User 'admin' left the configuration menu.
Jun 02 09:52:35.646839 osdx OSDxCLI[171599]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 02 09:52:35.825769 osdx OSDxCLI[171599]: User 'admin' entered the configuration menu.
Jun 02 09:52:35.885039 osdx OSDxCLI[171599]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jun 02 09:52:35.987490 osdx OSDxCLI[171599]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jun 02 09:52:36.044097 osdx OSDxCLI[171599]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWR7zgD3myiVzzTelUZS0DQtvUALRJJHT1IO6clAO41wYZ6PEdXWUL0s'.
Jun 02 09:52:36.132381 osdx OSDxCLI[171599]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Jun 02 09:52:36.191125 osdx OSDxCLI[171599]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Jun 02 09:52:36.302166 osdx OSDxCLI[171599]: User 'admin' added a new cfg line: 'show working'.
Jun 02 09:52:36.376247 osdx ubnt-cfgd[284563]: inactive
Jun 02 09:52:36.397495 osdx INFO[284571]: FRR daemons did not change
Jun 02 09:52:36.400977 osdx sudo[284574]: pam_limits(sudo:session): invalid line '@200:215        hard        maxlogins        ' - skipped
Jun 02 09:52:36.411321 osdx ca-certificates[284587]: Updating certificates in /etc/ssl/certs...
Jun 02 09:52:36.970355 osdx ubnt-cfgd[285585]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Jun 02 09:52:36.981429 osdx ca-certificates[285591]: 1 added, 0 removed; done.
Jun 02 09:52:36.984405 osdx ca-certificates[285597]: Running hooks in /etc/ca-certificates/update.d...
Jun 02 09:52:36.987201 osdx ca-certificates[285599]: done.
Jun 02 09:52:37.060321 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jun 02 09:52:37.061703 osdx cfgd[1665]: [171599]Completed change to active configuration
Jun 02 09:52:37.063943 osdx OSDxCLI[171599]: User 'admin' committed the configuration.
Jun 02 09:52:37.083868 osdx dnscrypt-proxy[285603]: [2026-06-02 09:52:37] [NOTICE] dnscrypt-proxy 2.0.45
Jun 02 09:52:37.084133 osdx dnscrypt-proxy[285603]: [2026-06-02 09:52:37] [NOTICE] Network connectivity detected
Jun 02 09:52:37.084199 osdx dnscrypt-proxy[285603]: [2026-06-02 09:52:37] [NOTICE] Dropping privileges
Jun 02 09:52:37.086372 osdx dnscrypt-proxy[285603]: [2026-06-02 09:52:37] [NOTICE] Network connectivity detected
Jun 02 09:52:37.086424 osdx dnscrypt-proxy[285603]: [2026-06-02 09:52:37] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jun 02 09:52:37.086424 osdx dnscrypt-proxy[285603]: [2026-06-02 09:52:37] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jun 02 09:52:37.087699 osdx dnscrypt-proxy[285603]: [2026-06-02 09:52:37] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-ghqxc3v237uqxwjv.tmp: permission denied
Jun 02 09:52:37.087699 osdx dnscrypt-proxy[285603]: [2026-06-02 09:52:37] [NOTICE] Source [RD] loaded
Jun 02 09:52:37.087756 osdx dnscrypt-proxy[285603]: [2026-06-02 09:52:37] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Jun 02 09:52:37.087756 osdx dnscrypt-proxy[285603]: [2026-06-02 09:52:37] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Jun 02 09:52:37.087756 osdx dnscrypt-proxy[285603]: [2026-06-02 09:52:37] [NOTICE] Firefox workaround initialized
Jun 02 09:52:37.087805 osdx dnscrypt-proxy[285603]: [2026-06-02 09:52:37] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpkfwzj04t]
Jun 02 09:52:37.136929 osdx OSDxCLI[171599]: User 'admin' left the configuration menu.
Jun 02 09:52:37.242888 osdx dnscrypt-proxy[285603]: [2026-06-02 09:52:37] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 122ms
Jun 02 09:52:37.242888 osdx dnscrypt-proxy[285603]: [2026-06-02 09:52:37] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 122ms)
Jun 02 09:52:37.242888 osdx dnscrypt-proxy[285603]: [2026-06-02 09:52:37] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key wFAHLZBU3EaBQQhgWmyyyKCT
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
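
The two failing scenarios above use key strings that are not well-formed minisign public keys at all. The following pre-commit check is an added example, not part of the OSDx test suite or of dnscrypt-proxy; it relies on the minisign public key layout (base64 of a 2-byte algorithm tag "Ed", an 8-byte key ID and a 32-byte Ed25519 public key), and the function names are hypothetical.

```python
import base64
from dataclasses import dataclass

# Layout: algorithm tag (2) + key ID (8) + Ed25519 public key (32) = 42 bytes.
MINISIGN_PK_LEN = 2 + 8 + 32


@dataclass(frozen=True)
class MinisignPublicKey:
    algorithm: bytes   # b"Ed" for Ed25519
    key_id: bytes      # 8 bytes, compared with the key ID stored in a signature
    public_key: bytes  # 32-byte Ed25519 public key


def parse_minisign_key(text: str) -> MinisignPublicKey:
    """Decode a minisign public key string; raise ValueError if malformed."""
    try:
        # binascii.Error is a ValueError subclass, so one except covers both.
        raw = base64.b64decode(text.strip(), validate=True)
    except ValueError as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if len(raw) != MINISIGN_PK_LEN:
        raise ValueError(f"decoded length {len(raw)}, expected {MINISIGN_PK_LEN}")
    if raw[:2] != b"Ed":
        raise ValueError(f"unexpected algorithm tag {raw[:2]!r}")
    return MinisignPublicKey(raw[:2], raw[2:10], raw[10:])


def check_key(text: str) -> str:
    """Return 'ok', or 'rejected: <reason>' for a malformed key."""
    try:
        parse_minisign_key(text)
    except ValueError as exc:
        return f"rejected: {exc}"
    return "ok"


# Key strings copied from the scenarios on this page.
PAGE_KEYS = {
    "Valid Source": "RWR7zgD3myiVzzTelUZS0DQtvUALRJJHT1IO6clAO41wYZ6PEdXWUL0s",
    "Invalid Source": "wFAHLZBU3EaBQQhgWmyyyKCT",
    "Invalid Minisign Key": "InvalidMinisignKey==",
}

if __name__ == "__main__":
    for scenario, key in PAGE_KEYS.items():
        print(f"{scenario}: {check_key(key)}")
```

A key that passes this structural check can still be the wrong key for a given source; that case is only caught when the signature on the downloaded resolver list is verified.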