Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWT8Tw2qzVvd50orB/Vc7ncjsuDusj16sMYw2vuFZJQFrf741JeILnRL
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command 'system journal show | cat' at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Jun 25 09:49:13.303235 osdx systemd-journald[1763]: Runtime Journal (/run/log/journal/68a40460747548beabf18e9bf53e3a28) is 2.1M, max 15.3M, 13.2M free.
Jun 25 09:49:13.304451 osdx systemd-journald[1763]: Received client request to rotate journal, rotating.
Jun 25 09:49:13.304510 osdx systemd-journald[1763]: Vacuuming done, freed 0B of archived journals from /run/log/journal/68a40460747548beabf18e9bf53e3a28.
Jun 25 09:49:13.314137 osdx OSDxCLI[146429]: User 'admin' executed a new command: 'system journal clear'.
Jun 25 09:49:13.530763 osdx OSDxCLI[146429]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 25 09:49:13.764397 osdx OSDxCLI[146429]: User 'admin' entered the configuration menu.
Jun 25 09:49:13.851054 osdx OSDxCLI[146429]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 25 09:49:13.946770 osdx OSDxCLI[146429]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 25 09:49:14.013656 osdx OSDxCLI[146429]: User 'admin' added a new cfg line: 'show working'.
Jun 25 09:49:14.110170 osdx ubnt-cfgd[199368]: inactive
Jun 25 09:49:14.130766 osdx INFO[199376]: FRR daemons did not change
Jun 25 09:49:14.152453 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 25 09:49:14.229301 osdx cfgd[1463]: [146429]Completed change to active configuration
Jun 25 09:49:14.243809 osdx OSDxCLI[146429]: User 'admin' committed the configuration.
Jun 25 09:49:14.270599 osdx OSDxCLI[146429]: User 'admin' left the configuration menu.
Jun 25 09:49:14.441093 osdx OSDxCLI[146429]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 25 09:49:14.633674 osdx OSDxCLI[146429]: User 'admin' entered the configuration menu.
Jun 25 09:49:14.709818 osdx OSDxCLI[146429]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jun 25 09:49:14.777627 osdx OSDxCLI[146429]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jun 25 09:49:14.892595 osdx OSDxCLI[146429]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWT8Tw2qzVvd50orB/Vc7ncjsuDusj16sMYw2vuFZJQFrf741JeILnRL'.
Jun 25 09:49:15.007198 osdx OSDxCLI[146429]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Jun 25 09:49:15.129618 osdx OSDxCLI[146429]: User 'admin' added a new cfg line: 'show working'.
Jun 25 09:49:15.224830 osdx ubnt-cfgd[199526]: inactive
Jun 25 09:49:15.248455 osdx INFO[199534]: FRR daemons did not change
Jun 25 09:49:15.272403 osdx ca-certificates[199550]: Updating certificates in /etc/ssl/certs...
Jun 25 09:49:15.789265 osdx ubnt-cfgd[200548]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Jun 25 09:49:15.800818 osdx ca-certificates[200552]: 1 added, 0 removed; done.
Jun 25 09:49:15.803565 osdx ca-certificates[200560]: Running hooks in /etc/ca-certificates/update.d...
Jun 25 09:49:15.806648 osdx ca-certificates[200562]: done.
Jun 25 09:49:15.876732 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jun 25 09:49:15.878197 osdx cfgd[1463]: [146429]Completed change to active configuration
Jun 25 09:49:15.881546 osdx OSDxCLI[146429]: User 'admin' committed the configuration.
Jun 25 09:49:15.920056 osdx OSDxCLI[146429]: User 'admin' left the configuration menu.
Jun 25 09:49:16.104608 osdx dnscrypt-proxy[200566]: [2025-06-25 09:49:16] [NOTICE] dnscrypt-proxy 2.0.45
Jun 25 09:49:16.105120 osdx dnscrypt-proxy[200566]: [2025-06-25 09:49:16] [NOTICE] Network connectivity detected
Jun 25 09:49:16.105120 osdx dnscrypt-proxy[200566]: [2025-06-25 09:49:16] [NOTICE] Dropping privileges
Jun 25 09:49:16.107274 osdx dnscrypt-proxy[200566]: [2025-06-25 09:49:16] [NOTICE] Network connectivity detected
Jun 25 09:49:16.107319 osdx dnscrypt-proxy[200566]: [2025-06-25 09:49:16] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jun 25 09:49:16.107319 osdx dnscrypt-proxy[200566]: [2025-06-25 09:49:16] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jun 25 09:49:16.120636 osdx dnscrypt-proxy[200566]: [2025-06-25 09:49:16] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-2qdmfosx53j6oggl.tmp: permission denied
Jun 25 09:49:16.120636 osdx dnscrypt-proxy[200566]: [2025-06-25 09:49:16] [NOTICE] Source [RD] loaded
Jun 25 09:49:16.120823 osdx dnscrypt-proxy[200566]: [2025-06-25 09:49:16] [WARNING] Missing stamp for server [server-name`]
Jun 25 09:49:16.120849 osdx dnscrypt-proxy[200566]: [2025-06-25 09:49:16] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Jun 25 09:49:16.120849 osdx dnscrypt-proxy[200566]: [2025-06-25 09:49:16] [NOTICE] Firefox workaround initialized
Jun 25 09:49:16.120849 osdx dnscrypt-proxy[200566]: [2025-06-25 09:49:16] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpp3v6qaev]
Jun 25 09:49:16.124723 osdx OSDxCLI[146429]: User 'admin' executed a new command: 'system journal show | cat'.
Jun 25 09:49:16.297470 osdx dnscrypt-proxy[200566]: [2025-06-25 09:49:16] [NOTICE] [rd-server] OK (DoH) - rtt: 109ms
Jun 25 09:49:16.297470 osdx dnscrypt-proxy[200566]: [2025-06-25 09:49:16] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 109ms)
Jun 25 09:49:16.297470 osdx dnscrypt-proxy[200566]: [2025-06-25 09:49:16] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWT8Tw2qzVvd50orB/Vc7ncjsuDusj16sMYw2vuFZJQFrf741JeILnRL
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command 'system journal show | cat' at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Jun 25 09:49:23.360683 osdx systemd-journald[1763]: Runtime Journal (/run/log/journal/68a40460747548beabf18e9bf53e3a28) is 2.0M, max 15.3M, 13.3M free.
Jun 25 09:49:23.361309 osdx systemd-journald[1763]: Received client request to rotate journal, rotating.
Jun 25 09:49:23.361358 osdx systemd-journald[1763]: Vacuuming done, freed 0B of archived journals from /run/log/journal/68a40460747548beabf18e9bf53e3a28.
Jun 25 09:49:23.371660 osdx OSDxCLI[146429]: User 'admin' executed a new command: 'system journal clear'.
Jun 25 09:49:23.603080 osdx OSDxCLI[146429]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 25 09:49:23.818192 osdx OSDxCLI[146429]: User 'admin' entered the configuration menu.
Jun 25 09:49:23.896544 osdx OSDxCLI[146429]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 25 09:49:23.979963 osdx OSDxCLI[146429]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 25 09:49:24.049235 osdx OSDxCLI[146429]: User 'admin' added a new cfg line: 'show working'.
Jun 25 09:49:24.144207 osdx ubnt-cfgd[202223]: inactive
Jun 25 09:49:24.163856 osdx INFO[202231]: FRR daemons did not change
Jun 25 09:49:24.181023 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 25 09:49:24.252506 osdx cfgd[1463]: [146429]Completed change to active configuration
Jun 25 09:49:24.264881 osdx OSDxCLI[146429]: User 'admin' committed the configuration.
Jun 25 09:49:24.288692 osdx OSDxCLI[146429]: User 'admin' left the configuration menu.
Jun 25 09:49:24.425264 osdx OSDxCLI[146429]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 25 09:49:24.584972 osdx OSDxCLI[146429]: User 'admin' entered the configuration menu.
Jun 25 09:49:24.684932 osdx OSDxCLI[146429]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jun 25 09:49:24.747118 osdx OSDxCLI[146429]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jun 25 09:49:24.843417 osdx OSDxCLI[146429]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWT8Tw2qzVvd50orB/Vc7ncjsuDusj16sMYw2vuFZJQFrf741JeILnRL'.
Jun 25 09:49:24.900737 osdx OSDxCLI[146429]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Jun 25 09:49:25.001101 osdx OSDxCLI[146429]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Jun 25 09:49:25.101175 osdx OSDxCLI[146429]: User 'admin' added a new cfg line: 'show working'.
Jun 25 09:49:25.181419 osdx ubnt-cfgd[202382]: inactive
Jun 25 09:49:25.205341 osdx INFO[202390]: FRR daemons did not change
Jun 25 09:49:25.219498 osdx ca-certificates[202406]: Updating certificates in /etc/ssl/certs...
Jun 25 09:49:25.720871 osdx ubnt-cfgd[203404]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Jun 25 09:49:25.730115 osdx ca-certificates[203410]: 1 added, 0 removed; done.
Jun 25 09:49:25.733382 osdx ca-certificates[203416]: Running hooks in /etc/ca-certificates/update.d...
Jun 25 09:49:25.736101 osdx ca-certificates[203418]: done.
Jun 25 09:49:25.817508 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jun 25 09:49:25.818913 osdx cfgd[1463]: [146429]Completed change to active configuration
Jun 25 09:49:25.820932 osdx OSDxCLI[146429]: User 'admin' committed the configuration.
Jun 25 09:49:25.839305 osdx dnscrypt-proxy[203422]: [2025-06-25 09:49:25] [NOTICE] dnscrypt-proxy 2.0.45
Jun 25 09:49:25.839517 osdx dnscrypt-proxy[203422]: [2025-06-25 09:49:25] [NOTICE] Network connectivity detected
Jun 25 09:49:25.839627 osdx dnscrypt-proxy[203422]: [2025-06-25 09:49:25] [NOTICE] Dropping privileges
Jun 25 09:49:25.842233 osdx dnscrypt-proxy[203422]: [2025-06-25 09:49:25] [NOTICE] Network connectivity detected
Jun 25 09:49:25.842274 osdx dnscrypt-proxy[203422]: [2025-06-25 09:49:25] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jun 25 09:49:25.842274 osdx dnscrypt-proxy[203422]: [2025-06-25 09:49:25] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jun 25 09:49:25.843419 osdx dnscrypt-proxy[203422]: [2025-06-25 09:49:25] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-2n7tj3v5pv2hlhzv.tmp: permission denied
Jun 25 09:49:25.843419 osdx dnscrypt-proxy[203422]: [2025-06-25 09:49:25] [NOTICE] Source [RD] loaded
Jun 25 09:49:25.843478 osdx dnscrypt-proxy[203422]: [2025-06-25 09:49:25] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Jun 25 09:49:25.843478 osdx dnscrypt-proxy[203422]: [2025-06-25 09:49:25] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Jun 25 09:49:25.843478 osdx dnscrypt-proxy[203422]: [2025-06-25 09:49:25] [NOTICE] Firefox workaround initialized
Jun 25 09:49:25.843478 osdx dnscrypt-proxy[203422]: [2025-06-25 09:49:25] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpckrs1s21]
Jun 25 09:49:25.873604 osdx OSDxCLI[146429]: User 'admin' left the configuration menu.
Jun 25 09:49:26.018462 osdx dnscrypt-proxy[203422]: [2025-06-25 09:49:26] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 111ms
Jun 25 09:49:26.018462 osdx dnscrypt-proxy[203422]: [2025-06-25 09:49:26] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 111ms)
Jun 25 09:49:26.018462 osdx dnscrypt-proxy[203422]: [2025-06-25 09:49:26] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWD5r1csnnklqUUFVtMh2XNd
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
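
The minisign keys used in the Valid Source, Invalid Source and Invalid Minisign Key scenarios can be compared structurally. The following is an added example, not part of the original test suite or of the device's own code. It assumes the standard minisign public-key layout (base64 of a 2-byte "Ed" tag, an 8-byte key ID and a 32-byte Ed25519 key) and checks key structure only: it does not verify the source's signature, and the page does not show at which stage the DUT rejects a key.

```python
import base64
import binascii

# Keys copied from the scenarios on this page.
KEYS = {
    "valid source": "RWT8Tw2qzVvd50orB/Vc7ncjsuDusj16sMYw2vuFZJQFrf741JeILnRL",
    "invalid source": "RWD5r1csnnklqUUFVtMh2XNd",
    "invalid minisign key": "InvalidMinisignKey==",
}

ALGORITHM = b"Ed"   # minisign signature-algorithm tag (Ed25519)
KEY_ID_LEN = 8      # key identifier, matched against the signature's key ID
PUBKEY_LEN = 32     # raw Ed25519 public key
EXPECTED_LEN = len(ALGORITHM) + KEY_ID_LEN + PUBKEY_LEN  # 42 bytes


def parse_minisign_pubkey(b64_key):
    """Return (key_id_hex, pubkey_bytes) or raise ValueError naming the defect."""
    try:
        raw = base64.b64decode(b64_key, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    if len(raw) != EXPECTED_LEN:
        raise ValueError(f"decoded to {len(raw)} bytes, expected {EXPECTED_LEN}")
    if raw[:2] != ALGORITHM:
        raise ValueError(f"unknown algorithm tag {raw[:2]!r}")
    key_id = raw[2:2 + KEY_ID_LEN]
    return key_id.hex(), raw[2 + KEY_ID_LEN:]


def check(b64_key):
    """Return 'ok' or the reason the key is structurally unusable."""
    try:
        parse_minisign_pubkey(b64_key)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for scenario, key in KEYS.items():
        print(f"{scenario:22} {check(key)}")
```

A key that passes this check can still be the wrong key for a given source; only signature verification over the downloaded list settles that.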