Source

Test suite to validate using one or multiple ciphers to protect DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWQlzur2/oClj7Rp0FQo0HnXeH3oL3aJw0nfYz16MI8bzDs3/hmYqkHY
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expression:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$

Output:

Aug 20 10:08:16.293734 osdx systemd-journald[1956]: Runtime Journal (/run/log/journal/5531ee11c77d43acb462311bc7f53dec) is 2.0M, max 15.3M, 13.2M free.
Aug 20 10:08:16.295618 osdx systemd-journald[1956]: Received client request to rotate journal, rotating.
Aug 20 10:08:16.295673 osdx systemd-journald[1956]: Vacuuming done, freed 0B of archived journals from /run/log/journal/5531ee11c77d43acb462311bc7f53dec.
Aug 20 10:08:16.304502 osdx OSDxCLI[2227]: User 'admin' executed a new command: 'system journal clear'.
Aug 20 10:08:16.560050 osdx OSDxCLI[2227]: User 'admin' executed a new command: 'system coredump delete all'.
Aug 20 10:08:16.860784 osdx OSDxCLI[2227]: User 'admin' entered the configuration menu.
Aug 20 10:08:16.977570 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Aug 20 10:08:17.048056 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Aug 20 10:08:17.213594 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'show working'.
Aug 20 10:08:17.318649 osdx ubnt-cfgd[56101]: inactive
Aug 20 10:08:17.342483 osdx INFO[56109]: FRR daemons did not change
Aug 20 10:08:17.363620 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Aug 20 10:08:17.462647 osdx cfgd[1656]: [2227]Completed change to active configuration
Aug 20 10:08:17.474450 osdx OSDxCLI[2227]: User 'admin' committed the configuration.
Aug 20 10:08:17.497263 osdx OSDxCLI[2227]: User 'admin' left the configuration menu.
Aug 20 10:08:17.666029 osdx OSDxCLI[2227]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Aug 20 10:08:17.885175 osdx OSDxCLI[2227]: User 'admin' entered the configuration menu.
Aug 20 10:08:17.951150 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Aug 20 10:08:18.079791 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Aug 20 10:08:18.149561 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQlzur2/oClj7Rp0FQo0HnXeH3oL3aJw0nfYz16MI8bzDs3/hmYqkHY'.
Aug 20 10:08:18.242551 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Aug 20 10:08:18.324457 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'show working'.
Aug 20 10:08:18.428565 osdx ubnt-cfgd[56259]: inactive
Aug 20 10:08:18.449453 osdx INFO[56267]: FRR daemons did not change
Aug 20 10:08:18.463409 osdx ca-certificates[56282]: Updating certificates in /etc/ssl/certs...
Aug 20 10:08:19.012212 osdx ubnt-cfgd[57281]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Aug 20 10:08:19.020712 osdx ca-certificates[57286]: 1 added, 0 removed; done.
Aug 20 10:08:19.024745 osdx ca-certificates[57293]: Running hooks in /etc/ca-certificates/update.d...
Aug 20 10:08:19.028895 osdx ca-certificates[57295]: done.
Aug 20 10:08:19.084076 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Aug 20 10:08:19.085985 osdx cfgd[1656]: [2227]Completed change to active configuration
Aug 20 10:08:19.088472 osdx OSDxCLI[2227]: User 'admin' committed the configuration.
Aug 20 10:08:19.110369 osdx OSDxCLI[2227]: User 'admin' left the configuration menu.
Aug 20 10:08:19.121925 osdx dnscrypt-proxy[57299]: [2025-08-20 10:08:19] [NOTICE] dnscrypt-proxy 2.0.45
Aug 20 10:08:19.121925 osdx dnscrypt-proxy[57299]: [2025-08-20 10:08:19] [NOTICE] Network connectivity detected
Aug 20 10:08:19.121925 osdx dnscrypt-proxy[57299]: [2025-08-20 10:08:19] [NOTICE] Dropping privileges
Aug 20 10:08:19.136174 osdx dnscrypt-proxy[57299]: [2025-08-20 10:08:19] [NOTICE] Network connectivity detected
Aug 20 10:08:19.136260 osdx dnscrypt-proxy[57299]: [2025-08-20 10:08:19] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Aug 20 10:08:19.136260 osdx dnscrypt-proxy[57299]: [2025-08-20 10:08:19] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Aug 20 10:08:19.137740 osdx dnscrypt-proxy[57299]: [2025-08-20 10:08:19] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-zyotzhtixrm6r7qr.tmp: permission denied
Aug 20 10:08:19.137740 osdx dnscrypt-proxy[57299]: [2025-08-20 10:08:19] [NOTICE] Source [RD] loaded
Aug 20 10:08:19.137740 osdx dnscrypt-proxy[57299]: [2025-08-20 10:08:19] [WARNING] Missing stamp for server [server-name`]
Aug 20 10:08:19.137740 osdx dnscrypt-proxy[57299]: [2025-08-20 10:08:19] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Aug 20 10:08:19.137740 osdx dnscrypt-proxy[57299]: [2025-08-20 10:08:19] [NOTICE] Firefox workaround initialized
Aug 20 10:08:19.137740 osdx dnscrypt-proxy[57299]: [2025-08-20 10:08:19] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpud4tabqx]
Aug 20 10:08:19.309059 osdx OSDxCLI[2227]: User 'admin' executed a new command: 'system journal show | cat'.
Aug 20 10:08:19.326882 osdx dnscrypt-proxy[57299]: [2025-08-20 10:08:19] [NOTICE] [rd-server] OK (DoH) - rtt: 75ms
Aug 20 10:08:19.326882 osdx dnscrypt-proxy[57299]: [2025-08-20 10:08:19] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 75ms)
Aug 20 10:08:19.326882 osdx dnscrypt-proxy[57299]: [2025-08-20 10:08:19] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWQlzur2/oClj7Rp0FQo0HnXeH3oL3aJw0nfYz16MI8bzDs3/hmYqkHY
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expression:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$

Output:

Aug 20 10:08:26.316123 osdx systemd-journald[1956]: Runtime Journal (/run/log/journal/5531ee11c77d43acb462311bc7f53dec) is 2.0M, max 15.3M, 13.3M free.
Aug 20 10:08:26.318323 osdx systemd-journald[1956]: Received client request to rotate journal, rotating.
Aug 20 10:08:26.318373 osdx systemd-journald[1956]: Vacuuming done, freed 0B of archived journals from /run/log/journal/5531ee11c77d43acb462311bc7f53dec.
Aug 20 10:08:26.326008 osdx OSDxCLI[2227]: User 'admin' executed a new command: 'system journal clear'.
Aug 20 10:08:26.553888 osdx OSDxCLI[2227]: User 'admin' executed a new command: 'system coredump delete all'.
Aug 20 10:08:26.811425 osdx OSDxCLI[2227]: User 'admin' entered the configuration menu.
Aug 20 10:08:26.897438 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Aug 20 10:08:27.013346 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Aug 20 10:08:27.083719 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'show working'.
Aug 20 10:08:27.225789 osdx ubnt-cfgd[58955]: inactive
Aug 20 10:08:28.760743 osdx INFO[58963]: FRR daemons did not change
Aug 20 10:08:28.782332 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Aug 20 10:08:28.853983 osdx cfgd[1656]: [2227]Completed change to active configuration
Aug 20 10:08:28.868217 osdx OSDxCLI[2227]: User 'admin' committed the configuration.
Aug 20 10:08:28.899091 osdx OSDxCLI[2227]: User 'admin' left the configuration menu.
Aug 20 10:08:29.049675 osdx OSDxCLI[2227]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Aug 20 10:08:29.227859 osdx OSDxCLI[2227]: User 'admin' entered the configuration menu.
Aug 20 10:08:29.288730 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Aug 20 10:08:29.406224 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Aug 20 10:08:29.465117 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQlzur2/oClj7Rp0FQo0HnXeH3oL3aJw0nfYz16MI8bzDs3/hmYqkHY'.
Aug 20 10:08:29.563297 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Aug 20 10:08:29.643544 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Aug 20 10:08:30.961319 osdx OSDxCLI[2227]: User 'admin' added a new cfg line: 'show working'.
Aug 20 10:08:31.553563 osdx ubnt-cfgd[59114]: inactive
Aug 20 10:08:31.572204 osdx INFO[59122]: FRR daemons did not change
Aug 20 10:08:31.583877 osdx ca-certificates[59137]: Updating certificates in /etc/ssl/certs...
Aug 20 10:08:32.093152 osdx ubnt-cfgd[60136]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Aug 20 10:08:32.101173 osdx ca-certificates[60142]: 1 added, 0 removed; done.
Aug 20 10:08:32.105132 osdx ca-certificates[60148]: Running hooks in /etc/ca-certificates/update.d...
Aug 20 10:08:32.107832 osdx ca-certificates[60150]: done.
Aug 20 10:08:32.178757 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Aug 20 10:08:32.180213 osdx cfgd[1656]: [2227]Completed change to active configuration
Aug 20 10:08:32.200859 osdx dnscrypt-proxy[60154]: [2025-08-20 10:08:32] [NOTICE] dnscrypt-proxy 2.0.45
Aug 20 10:08:32.201024 osdx dnscrypt-proxy[60154]: [2025-08-20 10:08:32] [NOTICE] Network connectivity detected
Aug 20 10:08:32.201135 osdx dnscrypt-proxy[60154]: [2025-08-20 10:08:32] [NOTICE] Dropping privileges
Aug 20 10:08:32.202922 osdx dnscrypt-proxy[60154]: [2025-08-20 10:08:32] [NOTICE] Network connectivity detected
Aug 20 10:08:32.202984 osdx dnscrypt-proxy[60154]: [2025-08-20 10:08:32] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Aug 20 10:08:32.203013 osdx dnscrypt-proxy[60154]: [2025-08-20 10:08:32] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Aug 20 10:08:32.204066 osdx dnscrypt-proxy[60154]: [2025-08-20 10:08:32] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-jbl7hz74po6j2rkk.tmp: permission denied
Aug 20 10:08:32.204066 osdx dnscrypt-proxy[60154]: [2025-08-20 10:08:32] [NOTICE] Source [RD] loaded
Aug 20 10:08:32.204129 osdx dnscrypt-proxy[60154]: [2025-08-20 10:08:32] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Aug 20 10:08:32.204129 osdx dnscrypt-proxy[60154]: [2025-08-20 10:08:32] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Aug 20 10:08:32.204129 osdx dnscrypt-proxy[60154]: [2025-08-20 10:08:32] [NOTICE] Firefox workaround initialized
Aug 20 10:08:32.204129 osdx dnscrypt-proxy[60154]: [2025-08-20 10:08:32] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpkungor4l]
Aug 20 10:08:32.341032 osdx OSDxCLI[2227]: User 'admin' committed the configuration.
Aug 20 10:08:32.381529 osdx dnscrypt-proxy[60154]: [2025-08-20 10:08:32] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 113ms
Aug 20 10:08:32.381529 osdx dnscrypt-proxy[60154]: [2025-08-20 10:08:32] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 113ms)
Aug 20 10:08:32.381529 osdx dnscrypt-proxy[60154]: [2025-08-20 10:08:32] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Aug 20 10:08:32.390219 osdx OSDxCLI[2227]: User 'admin' left the configuration menu.
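
The Step 2 check from the two valid-source scenarios, as an added Python example (not part of the test suite): it looks for the OK (DoH) line of the configured server name and also collects the non-NOTICE dnscrypt-proxy lines that the regular expression alone ignores. The function name and result keys are assumptions; the sample lines are copied from the output above.

```python
import re

# Excerpt of the "Valid Source With Prefix" journal output shown above.
SAMPLE = """\
Aug 20 10:08:32.204066 osdx dnscrypt-proxy[60154]: [2025-08-20 10:08:32] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-jbl7hz74po6j2rkk.tmp: permission denied
Aug 20 10:08:32.204066 osdx dnscrypt-proxy[60154]: [2025-08-20 10:08:32] [NOTICE] Source [RD] loaded
Aug 20 10:08:32.204129 osdx dnscrypt-proxy[60154]: [2025-08-20 10:08:32] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Aug 20 10:08:32.341032 osdx OSDxCLI[2227]: User 'admin' committed the configuration.
Aug 20 10:08:32.381529 osdx dnscrypt-proxy[60154]: [2025-08-20 10:08:32] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 113ms
Aug 20 10:08:32.381529 osdx dnscrypt-proxy[60154]: [2025-08-20 10:08:32] [NOTICE] dnscrypt-proxy is ready - live servers: 1
"""

# journald prefix, then dnscrypt-proxy's own "[timestamp] [LEVEL] message".
LINE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)
OK = re.compile(r"^\[(?P<name>[^\]]+)\] OK \(DoH\) - rtt: (?P<rtt>\d+)ms$")
READY = re.compile(r"^dnscrypt-proxy is ready - live servers: (?P<n>\d+)$")


def check_journal(journal, server_name):
    """Evaluate dnscrypt-proxy journal lines for one expected server name."""
    result = {"doh_ok": False, "rtt_ms": None, "live_servers": 0, "findings": []}
    for raw in journal.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # line from another unit (OSDxCLI, cfgd, ...)
        level, msg = m["level"], m["msg"]
        if level != "NOTICE":
            # The pass/fail regex never looks at these; keep them for review.
            result["findings"].append((level, msg))
        elif (ok := OK.match(msg)) and ok["name"] == server_name:
            result["doh_ok"] = True
            result["rtt_ms"] = int(ok["rtt"])
        elif ready := READY.match(msg):
            result["live_servers"] = int(ready["n"])
    return result


if __name__ == "__main__":
    print(check_journal(SAMPLE, "PRIVATE-rd-server"))
```

With the prefix configured, the server is reported under the prefixed name only, so checking for the bare name rd-server against this output does not pass.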

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key QYmyHr1uo9gNTmspxDoxEX0N
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
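
A structural pre-check for the minisign-key values used in the scenarios above, as an added Python example (not part of the test suite or of dnscrypt-proxy). A minisign public key is the base64 encoding of 42 bytes: the 2-byte algorithm tag "Ed", an 8-byte key ID and a 32-byte Ed25519 public key. The function and dictionary names are assumptions.

```python
import base64
import binascii

# minisign-key values copied from the four scenarios on this page.
PAGE_KEYS = {
    "valid": "RWQlzur2/oClj7Rp0FQo0HnXeH3oL3aJw0nfYz16MI8bzDs3/hmYqkHY",
    "invalid-source": "QYmyHr1uo9gNTmspxDoxEX0N",
    "invalid-key": "InvalidMinisignKey==",
}

ALG_LEN, KEY_ID_LEN, PUBKEY_LEN = 2, 8, 32
TOTAL_LEN = ALG_LEN + KEY_ID_LEN + PUBKEY_LEN  # 42 bytes


def check_minisign_pubkey(b64_key):
    """Return None if the key is structurally valid, else a reason string."""
    try:
        raw = base64.b64decode(b64_key, validate=True)
    except binascii.Error as exc:
        return f"not valid base64: {exc}"
    if len(raw) != TOTAL_LEN:
        return f"decoded length is {len(raw)} bytes, expected {TOTAL_LEN}"
    if raw[:ALG_LEN] != b"Ed":
        return f"unexpected algorithm tag {raw[:ALG_LEN]!r}, expected b'Ed'"
    return None


def summarize(keys):
    """Map each label to None (well-formed) or the reason it was rejected."""
    return {label: check_minisign_pubkey(value) for label, value in keys.items()}


if __name__ == "__main__":
    for label, reason in summarize(PAGE_KEYS).items():
        print(f"{label}: {reason or 'well-formed'}")
```

Both negative scenarios use keys that are already malformed at this level. A well-formed key that does not belong to the signer passes this check and is rejected only when the downloaded list's signature is verified, which is the only integrity protection here because the list is fetched over plain http.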