Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWQcbzNNOfICpCAdmLV50gqipr2gJ+owOdfO8YTj5/kE53pceNoMjONB
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Jul 28 08:45:25.581213 osdx systemd-journald[1773]: Runtime Journal (/run/log/journal/a46937b51a3a4c469575696f63c9d620) is 2.0M, max 15.3M, 13.2M free.
Jul 28 08:45:25.589447 osdx systemd-journald[1773]: Received client request to rotate journal, rotating.
Jul 28 08:45:25.593010 osdx systemd-journald[1773]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a46937b51a3a4c469575696f63c9d620.
Jul 28 08:45:25.625089 osdx OSDxCLI[70716]: User 'admin' executed a new command: 'system journal clear'.
Jul 28 08:45:26.147447 osdx OSDxCLI[70716]: User 'admin' executed a new command: 'system coredump delete all'.
Jul 28 08:45:26.682839 osdx OSDxCLI[70716]: User 'admin' entered the configuration menu.
Jul 28 08:45:26.826779 osdx OSDxCLI[70716]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 28 08:45:26.967292 osdx OSDxCLI[70716]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 28 08:45:27.145349 osdx OSDxCLI[70716]: User 'admin' added a new cfg line: 'show working'.
Jul 28 08:45:27.302355 osdx ubnt-cfgd[168453]: inactive
Jul 28 08:45:27.346588 osdx INFO[168461]: FRR daemons did not change
Jul 28 08:45:27.405247 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 28 08:45:27.634343 osdx cfgd[1473]: [70716]Completed change to active configuration
Jul 28 08:45:27.797309 osdx OSDxCLI[70716]: User 'admin' committed the configuration.
Jul 28 08:45:27.857780 osdx OSDxCLI[70716]: User 'admin' left the configuration menu.
Jul 28 08:45:28.089388 osdx OSDxCLI[70716]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jul 28 08:45:28.424012 osdx OSDxCLI[70716]: User 'admin' entered the configuration menu.
Jul 28 08:45:28.540764 osdx OSDxCLI[70716]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 28 08:45:28.744149 osdx OSDxCLI[70716]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jul 28 08:45:28.879018 osdx OSDxCLI[70716]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQcbzNNOfICpCAdmLV50gqipr2gJ+owOdfO8YTj5/kE53pceNoMjONB'.
Jul 28 08:45:29.052788 osdx OSDxCLI[70716]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Jul 28 08:45:29.299194 osdx OSDxCLI[70716]: User 'admin' added a new cfg line: 'show working'.
Jul 28 08:45:29.507365 osdx ubnt-cfgd[168611]: inactive
Jul 28 08:45:29.568332 osdx INFO[168619]: FRR daemons did not change
Jul 28 08:45:29.592637 osdx ca-certificates[168635]: Updating certificates in /etc/ssl/certs...
Jul 28 08:45:31.006579 osdx ubnt-cfgd[169633]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Jul 28 08:45:31.036349 osdx ca-certificates[169638]: 1 added, 0 removed; done.
Jul 28 08:45:31.041580 osdx ca-certificates[169645]: Running hooks in /etc/ca-certificates/update.d...
Jul 28 08:45:31.048363 osdx ca-certificates[169647]: done.
Jul 28 08:45:31.144017 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 28 08:45:31.148709 osdx cfgd[1473]: [70716]Completed change to active configuration
Jul 28 08:45:31.154395 osdx OSDxCLI[70716]: User 'admin' committed the configuration.
Jul 28 08:45:31.196751 osdx dnscrypt-proxy[169651]: [2025-07-28 08:45:31] [NOTICE] dnscrypt-proxy 2.0.45
Jul 28 08:45:31.196751 osdx dnscrypt-proxy[169651]: [2025-07-28 08:45:31] [NOTICE] Network connectivity detected
Jul 28 08:45:31.196751 osdx dnscrypt-proxy[169651]: [2025-07-28 08:45:31] [NOTICE] Dropping privileges
Jul 28 08:45:31.212825 osdx dnscrypt-proxy[169651]: [2025-07-28 08:45:31] [NOTICE] Network connectivity detected
Jul 28 08:45:31.212825 osdx dnscrypt-proxy[169651]: [2025-07-28 08:45:31] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jul 28 08:45:31.212825 osdx dnscrypt-proxy[169651]: [2025-07-28 08:45:31] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jul 28 08:45:31.217187 osdx dnscrypt-proxy[169651]: [2025-07-28 08:45:31] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-6j77iv44ydmbqp5u.tmp: permission denied
Jul 28 08:45:31.217357 osdx dnscrypt-proxy[169651]: [2025-07-28 08:45:31] [NOTICE] Source [RD] loaded
Jul 28 08:45:31.217574 osdx dnscrypt-proxy[169651]: [2025-07-28 08:45:31] [WARNING] Missing stamp for server [server-name`]
Jul 28 08:45:31.217688 osdx dnscrypt-proxy[169651]: [2025-07-28 08:45:31] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Jul 28 08:45:31.217783 osdx dnscrypt-proxy[169651]: [2025-07-28 08:45:31] [NOTICE] Firefox workaround initialized
Jul 28 08:45:31.217864 osdx dnscrypt-proxy[169651]: [2025-07-28 08:45:31] [NOTICE] Loading the set of cloaking rules from [/tmp/tmppvp1dd2x]
Jul 28 08:45:31.220114 osdx OSDxCLI[70716]: User 'admin' left the configuration menu.
Jul 28 08:45:31.524019 osdx OSDxCLI[70716]: User 'admin' executed a new command: 'system journal show | cat'.
Jul 28 08:45:31.526217 osdx dnscrypt-proxy[169651]: [2025-07-28 08:45:31] [NOTICE] [rd-server] OK (DoH) - rtt: 170ms
Jul 28 08:45:31.526334 osdx dnscrypt-proxy[169651]: [2025-07-28 08:45:31] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 170ms)
Jul 28 08:45:31.526334 osdx dnscrypt-proxy[169651]: [2025-07-28 08:45:31] [NOTICE] dnscrypt-proxy is ready - live servers: 1
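The Step 2 check, written out as an added example (not part of the original test suite): it parses the dnscrypt-proxy entries in the journal, records each server reported OK over DoH, and also collects messages at WARNING level and above, which the Step 2 regular expression does not look at. The sample lines are copied from the output above; check_journal, ProxyReport and the other names are hypothetical.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a few journal lines copied from the output above.
SAMPLE_JOURNAL = """\
Jul 28 08:45:31.217187 osdx dnscrypt-proxy[169651]: [2025-07-28 08:45:31] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-6j77iv44ydmbqp5u.tmp: permission denied
Jul 28 08:45:31.217357 osdx dnscrypt-proxy[169651]: [2025-07-28 08:45:31] [NOTICE] Source [RD] loaded
Jul 28 08:45:31.217574 osdx dnscrypt-proxy[169651]: [2025-07-28 08:45:31] [WARNING] Missing stamp for server [server-name`]
Jul 28 08:45:31.220114 osdx OSDxCLI[70716]: User 'admin' left the configuration menu.
Jul 28 08:45:31.526217 osdx dnscrypt-proxy[169651]: [2025-07-28 08:45:31] [NOTICE] [rd-server] OK (DoH) - rtt: 170ms
Jul 28 08:45:31.526334 osdx dnscrypt-proxy[169651]: [2025-07-28 08:45:31] [NOTICE] dnscrypt-proxy is ready - live servers: 1
"""

# One proxy entry: "... dnscrypt-proxy[pid]: [timestamp] [LEVEL] message"
ENTRY = re.compile(r"dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
# Same success condition as the Step 2 regex, with server name and rtt captured.
SERVER_OK = re.compile(r"^\[(?P<name>[^\]]+)\] OK \(DoH\) - rtt: (?P<rtt>\d+)ms$")
ALERT_LEVELS = {"WARNING", "ERROR", "CRITICAL", "FATAL"}


@dataclass
class ProxyReport:
    ok_servers: dict = field(default_factory=dict)  # server name -> rtt in ms
    warnings: list = field(default_factory=list)    # messages at WARNING or above


def check_journal(text: str) -> ProxyReport:
    report = ProxyReport()
    for line in text.splitlines():
        entry = ENTRY.search(line)
        if entry is None:  # not a proxy entry (CLI audit line, systemd, ...)
            continue
        ok = SERVER_OK.match(entry["msg"])
        if ok:
            report.ok_servers[ok["name"]] = int(ok["rtt"])
        elif entry["level"] in ALERT_LEVELS:
            report.warnings.append(entry["msg"])
    return report


if __name__ == "__main__":
    r = check_journal(SAMPLE_JOURNAL)
    print("DoH servers OK:", r.ok_servers)
    for w in r.warnings:
        print("warning:", w)
```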
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWQcbzNNOfICpCAdmLV50gqipr2gJ+owOdfO8YTj5/kE53pceNoMjONB
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Jul 28 08:45:43.551149 osdx systemd-journald[1773]: Runtime Journal (/run/log/journal/a46937b51a3a4c469575696f63c9d620) is 2.0M, max 15.3M, 13.3M free.
Jul 28 08:45:43.552289 osdx systemd-journald[1773]: Received client request to rotate journal, rotating.
Jul 28 08:45:43.552364 osdx systemd-journald[1773]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a46937b51a3a4c469575696f63c9d620.
Jul 28 08:45:43.581097 osdx OSDxCLI[70716]: User 'admin' executed a new command: 'system journal clear'.
Jul 28 08:45:44.160736 osdx OSDxCLI[70716]: User 'admin' executed a new command: 'system coredump delete all'.
Jul 28 08:45:44.698091 osdx OSDxCLI[70716]: User 'admin' entered the configuration menu.
Jul 28 08:45:44.875129 osdx OSDxCLI[70716]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 28 08:45:45.019856 osdx OSDxCLI[70716]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 28 08:45:45.204297 osdx OSDxCLI[70716]: User 'admin' added a new cfg line: 'show working'.
Jul 28 08:45:45.333876 osdx ubnt-cfgd[171308]: inactive
Jul 28 08:45:45.414338 osdx INFO[171316]: FRR daemons did not change
Jul 28 08:45:45.451849 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 28 08:45:45.686493 osdx cfgd[1473]: [70716]Completed change to active configuration
Jul 28 08:45:45.712652 osdx OSDxCLI[70716]: User 'admin' committed the configuration.
Jul 28 08:45:45.805026 osdx OSDxCLI[70716]: User 'admin' left the configuration menu.
Jul 28 08:45:46.097441 osdx OSDxCLI[70716]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jul 28 08:45:46.617228 osdx OSDxCLI[70716]: User 'admin' entered the configuration menu.
Jul 28 08:45:46.782849 osdx OSDxCLI[70716]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 28 08:45:46.933132 osdx OSDxCLI[70716]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jul 28 08:45:47.087233 osdx OSDxCLI[70716]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQcbzNNOfICpCAdmLV50gqipr2gJ+owOdfO8YTj5/kE53pceNoMjONB'.
Jul 28 08:45:47.242012 osdx OSDxCLI[70716]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Jul 28 08:45:47.431878 osdx OSDxCLI[70716]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Jul 28 08:45:47.610774 osdx OSDxCLI[70716]: User 'admin' added a new cfg line: 'show working'.
Jul 28 08:45:47.833809 osdx ubnt-cfgd[171467]: inactive
Jul 28 08:45:47.950424 osdx INFO[171475]: FRR daemons did not change
Jul 28 08:45:48.022396 osdx ca-certificates[171493]: Updating certificates in /etc/ssl/certs...
Jul 28 08:45:49.820015 osdx ubnt-cfgd[172489]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Jul 28 08:45:49.841733 osdx ca-certificates[172493]: 1 added, 0 removed; done.
Jul 28 08:45:49.864019 osdx ca-certificates[172497]: Running hooks in /etc/ca-certificates/update.d...
Jul 28 08:45:49.882199 osdx ca-certificates[172503]: done.
Jul 28 08:45:50.046481 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 28 08:45:50.053539 osdx cfgd[1473]: [70716]Completed change to active configuration
Jul 28 08:45:50.072688 osdx OSDxCLI[70716]: User 'admin' committed the configuration.
Jul 28 08:45:50.176095 osdx dnscrypt-proxy[172507]: [2025-07-28 08:45:50] [NOTICE] dnscrypt-proxy 2.0.45
Jul 28 08:45:50.176095 osdx dnscrypt-proxy[172507]: [2025-07-28 08:45:50] [NOTICE] Network connectivity detected
Jul 28 08:45:50.176540 osdx dnscrypt-proxy[172507]: [2025-07-28 08:45:50] [NOTICE] Dropping privileges
Jul 28 08:45:50.177346 osdx OSDxCLI[70716]: User 'admin' left the configuration menu.
Jul 28 08:45:50.182187 osdx dnscrypt-proxy[172507]: [2025-07-28 08:45:50] [NOTICE] Network connectivity detected
Jul 28 08:45:50.182340 osdx dnscrypt-proxy[172507]: [2025-07-28 08:45:50] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jul 28 08:45:50.182340 osdx dnscrypt-proxy[172507]: [2025-07-28 08:45:50] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jul 28 08:45:50.184078 osdx dnscrypt-proxy[172507]: [2025-07-28 08:45:50] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-ewgesdgxnmnajn5c.tmp: permission denied
Jul 28 08:45:50.184078 osdx dnscrypt-proxy[172507]: [2025-07-28 08:45:50] [NOTICE] Source [RD] loaded
Jul 28 08:45:50.184338 osdx dnscrypt-proxy[172507]: [2025-07-28 08:45:50] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Jul 28 08:45:50.184338 osdx dnscrypt-proxy[172507]: [2025-07-28 08:45:50] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Jul 28 08:45:50.184338 osdx dnscrypt-proxy[172507]: [2025-07-28 08:45:50] [NOTICE] Firefox workaround initialized
Jul 28 08:45:50.184338 osdx dnscrypt-proxy[172507]: [2025-07-28 08:45:50] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp664t4lo2]
Jul 28 08:45:50.414053 osdx dnscrypt-proxy[172507]: [2025-07-28 08:45:50] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 111ms
Jul 28 08:45:50.414263 osdx dnscrypt-proxy[172507]: [2025-07-28 08:45:50] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 111ms)
Jul 28 08:45:50.414344 osdx dnscrypt-proxy[172507]: [2025-07-28 08:45:50] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key 10GZYwNKIiYfPEAjvb7SteUr
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
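An added example, not part of the original test suite: a structural check of the minisign-key values used in the scenarios on this page. A minisign public key is the base64 encoding of a 2-byte algorithm tag (Ed), an 8-byte key ID and a 32-byte Ed25519 public key; the function names below are hypothetical.

```python
import base64
import binascii

# minisign-key values taken from the scenarios on this page.
PAGE_KEYS = {
    "Valid Source": "RWQcbzNNOfICpCAdmLV50gqipr2gJ+owOdfO8YTj5/kE53pceNoMjONB",
    "Invalid Source": "10GZYwNKIiYfPEAjvb7SteUr",
    "Invalid Minisign Key": "InvalidMinisignKey==",
}

SIG_ALG = b"Ed"    # algorithm tag at the start of a minisign public key
KEY_ID_LEN = 8     # key ID, used to pair a signature with its key
PUBKEY_LEN = 32    # raw Ed25519 public key


def parse_minisign_pubkey(b64_key: str):
    """Return (key_id_hex, ed25519_public_key_bytes) or raise ValueError."""
    try:
        raw = base64.b64decode(b64_key, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    expected = len(SIG_ALG) + KEY_ID_LEN + PUBKEY_LEN  # 42 bytes in total
    if len(raw) != expected:
        raise ValueError(f"decoded length is {len(raw)} bytes, expected {expected}")
    if raw[:2] != SIG_ALG:
        raise ValueError(f"unexpected algorithm tag {raw[:2]!r}")
    key_id = raw[2:2 + KEY_ID_LEN]          # bytes in stored order
    return key_id.hex(), raw[2 + KEY_ID_LEN:]


def is_well_formed(b64_key: str) -> bool:
    try:
        parse_minisign_pubkey(b64_key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for scenario, key in PAGE_KEYS.items():
        try:
            key_id, _ = parse_minisign_pubkey(key)
            print(f"{scenario}: well-formed, key id bytes {key_id}")
        except ValueError as err:
            print(f"{scenario}: rejected ({err})")
```

A key that passes this check can still be the wrong key for a given source; only the signature verification performed by the proxy establishes that.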