Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWQlzur2/oClj7Rp0FQo0HnXeH3oL3aJw0nfYz16MI8bzDs3/hmYqkHY
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Nov 25 10:46:13.391437 osdx systemd-journald[1857]: Runtime Journal (/run/log/journal/3dabd6c33b8e497d9fdbc41689ab0c32) is 1.8M, max 13.8M, 11.9M free.
Nov 25 10:46:13.392855 osdx systemd-journald[1857]: Received client request to rotate journal, rotating.
Nov 25 10:46:13.392916 osdx systemd-journald[1857]: Vacuuming done, freed 0B of archived journals from /run/log/journal/3dabd6c33b8e497d9fdbc41689ab0c32.
Nov 25 10:46:13.400876 osdx OSDxCLI[17193]: User 'admin' executed a new command: 'system journal clear'.
Nov 25 10:46:13.629379 osdx OSDxCLI[17193]: User 'admin' executed a new command: 'system coredump delete all'.
Nov 25 10:46:13.889437 osdx OSDxCLI[17193]: User 'admin' entered the configuration menu.
Nov 25 10:46:13.974540 osdx OSDxCLI[17193]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 25 10:46:14.072273 osdx OSDxCLI[17193]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 25 10:46:14.167812 osdx OSDxCLI[17193]: User 'admin' added a new cfg line: 'show working'.
Nov 25 10:46:14.264274 osdx ubnt-cfgd[113784]: inactive
Nov 25 10:46:14.319914 osdx INFO[113792]: FRR daemons did not change
Nov 25 10:46:14.344856 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 25 10:46:14.425203 osdx cfgd[1655]: [17193]Completed change to active configuration
Nov 25 10:46:14.440055 osdx OSDxCLI[17193]: User 'admin' committed the configuration.
Nov 25 10:46:14.460756 osdx OSDxCLI[17193]: User 'admin' left the configuration menu.
Nov 25 10:46:14.612978 osdx OSDxCLI[17193]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Nov 25 10:46:14.873861 osdx OSDxCLI[17193]: User 'admin' entered the configuration menu.
Nov 25 10:46:14.942249 osdx OSDxCLI[17193]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 25 10:46:15.037771 osdx OSDxCLI[17193]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Nov 25 10:46:15.098165 osdx OSDxCLI[17193]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQlzur2/oClj7Rp0FQo0HnXeH3oL3aJw0nfYz16MI8bzDs3/hmYqkHY'.
Nov 25 10:46:15.205895 osdx OSDxCLI[17193]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Nov 25 10:46:15.274900 osdx OSDxCLI[17193]: User 'admin' added a new cfg line: 'show working'.
Nov 25 10:46:15.374203 osdx ubnt-cfgd[113942]: inactive
Nov 25 10:46:15.469115 osdx INFO[113950]: FRR daemons did not change
Nov 25 10:46:15.481790 osdx ca-certificates[113966]: Updating certificates in /etc/ssl/certs...
Nov 25 10:46:16.002599 osdx ubnt-cfgd[114964]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 25 10:46:16.013400 osdx ca-certificates[114969]: 1 added, 0 removed; done.
Nov 25 10:46:16.017369 osdx ca-certificates[114976]: Running hooks in /etc/ca-certificates/update.d...
Nov 25 10:46:16.020271 osdx ca-certificates[114978]: done.
Nov 25 10:46:16.089155 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 25 10:46:16.090355 osdx cfgd[1655]: [17193]Completed change to active configuration
Nov 25 10:46:16.092289 osdx OSDxCLI[17193]: User 'admin' committed the configuration.
Nov 25 10:46:16.112303 osdx dnscrypt-proxy[114982]: [2025-11-25 10:46:16] [NOTICE] dnscrypt-proxy 2.0.45
Nov 25 10:46:16.112481 osdx dnscrypt-proxy[114982]: [2025-11-25 10:46:16] [NOTICE] Network connectivity detected
Nov 25 10:46:16.112575 osdx dnscrypt-proxy[114982]: [2025-11-25 10:46:16] [NOTICE] Dropping privileges
Nov 25 10:46:16.114548 osdx dnscrypt-proxy[114982]: [2025-11-25 10:46:16] [NOTICE] Network connectivity detected
Nov 25 10:46:16.114635 osdx dnscrypt-proxy[114982]: [2025-11-25 10:46:16] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Nov 25 10:46:16.114665 osdx dnscrypt-proxy[114982]: [2025-11-25 10:46:16] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Nov 25 10:46:16.115767 osdx dnscrypt-proxy[114982]: [2025-11-25 10:46:16] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-rze7jr2ascqphmqb.tmp: permission denied
Nov 25 10:46:16.115817 osdx dnscrypt-proxy[114982]: [2025-11-25 10:46:16] [NOTICE] Source [RD] loaded
Nov 25 10:46:16.115874 osdx dnscrypt-proxy[114982]: [2025-11-25 10:46:16] [WARNING] Missing stamp for server [server-name`]
Nov 25 10:46:16.115906 osdx dnscrypt-proxy[114982]: [2025-11-25 10:46:16] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Nov 25 10:46:16.115932 osdx dnscrypt-proxy[114982]: [2025-11-25 10:46:16] [NOTICE] Firefox workaround initialized
Nov 25 10:46:16.115960 osdx dnscrypt-proxy[114982]: [2025-11-25 10:46:16] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp6ayjpk_m]
Nov 25 10:46:16.123552 osdx OSDxCLI[17193]: User 'admin' left the configuration menu.
Nov 25 10:46:16.320084 osdx OSDxCLI[17193]: User 'admin' executed a new command: 'system journal show | cat'.
Nov 25 10:46:16.324132 osdx dnscrypt-proxy[114982]: [2025-11-25 10:46:16] [NOTICE] [rd-server] OK (DoH) - rtt: 139ms
Nov 25 10:46:16.324132 osdx dnscrypt-proxy[114982]: [2025-11-25 10:46:16] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 139ms)
Nov 25 10:46:16.324132 osdx dnscrypt-proxy[114982]: [2025-11-25 10:46:16] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWQlzur2/oClj7Rp0FQo0HnXeH3oL3aJw0nfYz16MI8bzDs3/hmYqkHY
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Nov 25 10:46:23.374669 osdx systemd-journald[1857]: Runtime Journal (/run/log/journal/3dabd6c33b8e497d9fdbc41689ab0c32) is 1.8M, max 13.8M, 11.9M free.
Nov 25 10:46:23.375693 osdx systemd-journald[1857]: Received client request to rotate journal, rotating.
Nov 25 10:46:23.375728 osdx systemd-journald[1857]: Vacuuming done, freed 0B of archived journals from /run/log/journal/3dabd6c33b8e497d9fdbc41689ab0c32.
Nov 25 10:46:23.384498 osdx OSDxCLI[17193]: User 'admin' executed a new command: 'system journal clear'.
Nov 25 10:46:23.622775 osdx OSDxCLI[17193]: User 'admin' executed a new command: 'system coredump delete all'.
Nov 25 10:46:23.908362 osdx OSDxCLI[17193]: User 'admin' entered the configuration menu.
Nov 25 10:46:23.998458 osdx OSDxCLI[17193]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 25 10:46:24.088490 osdx OSDxCLI[17193]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 25 10:46:24.153641 osdx OSDxCLI[17193]: User 'admin' added a new cfg line: 'show working'.
Nov 25 10:46:24.290844 osdx ubnt-cfgd[116639]: inactive
Nov 25 10:46:24.310583 osdx INFO[116647]: FRR daemons did not change
Nov 25 10:46:24.331689 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 25 10:46:24.402060 osdx cfgd[1655]: [17193]Completed change to active configuration
Nov 25 10:46:24.412490 osdx OSDxCLI[17193]: User 'admin' committed the configuration.
Nov 25 10:46:24.430459 osdx OSDxCLI[17193]: User 'admin' left the configuration menu.
Nov 25 10:46:24.577196 osdx OSDxCLI[17193]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Nov 25 10:46:24.744725 osdx OSDxCLI[17193]: User 'admin' entered the configuration menu.
Nov 25 10:46:24.807093 osdx OSDxCLI[17193]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 25 10:46:24.910452 osdx OSDxCLI[17193]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Nov 25 10:46:24.967853 osdx OSDxCLI[17193]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQlzur2/oClj7Rp0FQo0HnXeH3oL3aJw0nfYz16MI8bzDs3/hmYqkHY'.
Nov 25 10:46:25.064950 osdx OSDxCLI[17193]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Nov 25 10:46:25.120680 osdx OSDxCLI[17193]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Nov 25 10:46:25.246488 osdx OSDxCLI[17193]: User 'admin' added a new cfg line: 'show working'.
Nov 25 10:46:25.316416 osdx ubnt-cfgd[116798]: inactive
Nov 25 10:46:25.338841 osdx INFO[116806]: FRR daemons did not change
Nov 25 10:46:25.353331 osdx ca-certificates[116822]: Updating certificates in /etc/ssl/certs...
Nov 25 10:46:25.845456 osdx ubnt-cfgd[117820]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 25 10:46:25.852853 osdx ca-certificates[117826]: 1 added, 0 removed; done.
Nov 25 10:46:25.856612 osdx ca-certificates[117832]: Running hooks in /etc/ca-certificates/update.d...
Nov 25 10:46:25.859282 osdx ca-certificates[117834]: done.
Nov 25 10:46:25.928209 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 25 10:46:25.929610 osdx cfgd[1655]: [17193]Completed change to active configuration
Nov 25 10:46:25.931765 osdx OSDxCLI[17193]: User 'admin' committed the configuration.
Nov 25 10:46:25.947759 osdx OSDxCLI[17193]: User 'admin' left the configuration menu.
Nov 25 10:46:25.949624 osdx dnscrypt-proxy[117838]: [2025-11-25 10:46:25] [NOTICE] dnscrypt-proxy 2.0.45
Nov 25 10:46:25.949839 osdx dnscrypt-proxy[117838]: [2025-11-25 10:46:25] [NOTICE] Network connectivity detected
Nov 25 10:46:25.950047 osdx dnscrypt-proxy[117838]: [2025-11-25 10:46:25] [NOTICE] Dropping privileges
Nov 25 10:46:25.952145 osdx dnscrypt-proxy[117838]: [2025-11-25 10:46:25] [NOTICE] Network connectivity detected
Nov 25 10:46:25.952189 osdx dnscrypt-proxy[117838]: [2025-11-25 10:46:25] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Nov 25 10:46:25.952189 osdx dnscrypt-proxy[117838]: [2025-11-25 10:46:25] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Nov 25 10:46:25.952998 osdx dnscrypt-proxy[117838]: [2025-11-25 10:46:25] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-to3je62lgmxajnz5.tmp: permission denied
Nov 25 10:46:25.953036 osdx dnscrypt-proxy[117838]: [2025-11-25 10:46:25] [NOTICE] Source [RD] loaded
Nov 25 10:46:25.953080 osdx dnscrypt-proxy[117838]: [2025-11-25 10:46:25] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Nov 25 10:46:25.953109 osdx dnscrypt-proxy[117838]: [2025-11-25 10:46:25] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Nov 25 10:46:25.953141 osdx dnscrypt-proxy[117838]: [2025-11-25 10:46:25] [NOTICE] Firefox workaround initialized
Nov 25 10:46:25.953162 osdx dnscrypt-proxy[117838]: [2025-11-25 10:46:25] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpaw2xad07]
Nov 25 10:46:26.135768 osdx OSDxCLI[17193]: User 'admin' executed a new command: 'system journal show | cat'.
Nov 25 10:46:26.143608 osdx dnscrypt-proxy[117838]: [2025-11-25 10:46:26] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 120ms
Nov 25 10:46:26.143642 osdx dnscrypt-proxy[117838]: [2025-11-25 10:46:26] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 120ms)
Nov 25 10:46:26.143642 osdx dnscrypt-proxy[117838]: [2025-11-25 10:46:26] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key KKoFoa711UPlBBBMJl9pdRMu
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
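Added example (not part of the original test suite or of dnscrypt-proxy): a structural pre-check for the minisign-key values used in the Invalid Source and Invalid Minisign Key scenarios. A minisign public key is the base64 encoding of 42 bytes: the 2-byte algorithm tag "Ed", an 8-byte key ID and a 32-byte Ed25519 public key. The helper names check_minisign_key and audit_sources are assumptions made for illustration, and the check does not verify any signature.

```python
import base64
import binascii
import re

# Decoded key = 2-byte tag "Ed" + 8-byte key ID + 32-byte Ed25519 public key.
EXPECTED_LEN = 2 + 8 + 32


def check_minisign_key(value):
    """Return (ok, detail) for a base64-encoded minisign public key."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"not valid base64: {exc}"
    if len(raw) != EXPECTED_LEN:
        return False, f"decoded length {len(raw)}, expected {EXPECTED_LEN}"
    if raw[:2] != b"Ed":
        return False, f"unexpected algorithm tag {raw[:2]!r}"
    # minisign prints the key ID as a little-endian 64-bit value in hex.
    return True, "key id " + raw[2:10][::-1].hex().upper()


SOURCE_RE = re.compile(
    r"^set service dns proxy source (\S+) (minisign-key|url) '?([^'\s]+)'?$",
    re.MULTILINE,
)


def audit_sources(config):
    """Map each source name to its key check and whether its URL is plain HTTP."""
    sources = {}
    for name, field, value in SOURCE_RE.findall(config):
        sources.setdefault(name, {})[field] = value
    report = {}
    for name, fields in sources.items():
        ok, detail = check_minisign_key(fields.get("minisign-key", ""))
        plain_http = fields.get("url", "").startswith("http://")
        report[name] = {"key_ok": ok, "detail": detail, "plain_http": plain_http}
    return report


# Configuration lines copied from the Valid Source scenario on this page.
VALID = """set service dns proxy source RD minisign-key RWQlzur2/oClj7Rp0FQo0HnXeH3oL3aJw0nfYz16MI8bzDs3/hmYqkHY
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'"""

if __name__ == "__main__":
    print(audit_sources(VALID))
    for bad in ("KKoFoa711UPlBBBMJl9pdRMu", "InvalidMinisignKey=="):
        print(bad, check_minisign_key(bad))
```

Both negative-test keys on this page fail this structural check, so neither scenario exercises a well-formed key that simply does not match the signer of the list. Because the source URL is plain http://, the minisign signature is the only integrity control on the downloaded resolver list.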