Source

Test suite to validate using one or multiple ciphers to protect DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWQlzur2/oClj7Rp0FQo0HnXeH3oL3aJw0nfYz16MI8bzDs3/hmYqkHY
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expression:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Mar 24 12:09:37.296189 osdx systemd-journald[1674]: Runtime Journal (/run/log/journal/aec016c8ce304ac68362b205c4156884) is 1.8M, max 13.8M, 11.9M free.
Mar 24 12:09:37.299202 osdx systemd-journald[1674]: Received client request to rotate journal, rotating.
Mar 24 12:09:37.299260 osdx systemd-journald[1674]: Vacuuming done, freed 0B of archived journals from /run/log/journal/aec016c8ce304ac68362b205c4156884.
Mar 24 12:09:37.307759 osdx OSDxCLI[2595]: User 'admin' executed a new command: 'system journal clear'.
Mar 24 12:09:37.531730 osdx OSDxCLI[2595]: User 'admin' executed a new command: 'system coredump delete all'.
Mar 24 12:09:37.853082 osdx OSDxCLI[2595]: User 'admin' entered the configuration menu.
Mar 24 12:09:37.930973 osdx OSDxCLI[2595]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 24 12:09:38.026787 osdx OSDxCLI[2595]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 24 12:09:38.111446 osdx OSDxCLI[2595]: User 'admin' added a new cfg line: 'show working'.
Mar 24 12:09:38.209134 osdx ubnt-cfgd[136512]: inactive
Mar 24 12:09:38.230847 osdx INFO[136520]: FRR daemons did not change
Mar 24 12:09:38.251209 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 24 12:09:38.330175 osdx cfgd[1472]: [2595]Completed change to active configuration
Mar 24 12:09:38.345373 osdx OSDxCLI[2595]: User 'admin' committed the configuration.
Mar 24 12:09:38.361960 osdx OSDxCLI[2595]: User 'admin' left the configuration menu.
Mar 24 12:09:38.508745 osdx OSDxCLI[2595]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Mar 24 12:09:38.697515 osdx OSDxCLI[2595]: User 'admin' entered the configuration menu.
Mar 24 12:09:38.824084 osdx OSDxCLI[2595]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 24 12:09:38.962882 osdx OSDxCLI[2595]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Mar 24 12:09:39.021784 osdx OSDxCLI[2595]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQlzur2/oClj7Rp0FQo0HnXeH3oL3aJw0nfYz16MI8bzDs3/hmYqkHY'.
Mar 24 12:09:39.123848 osdx OSDxCLI[2595]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Mar 24 12:09:39.197695 osdx OSDxCLI[2595]: User 'admin' added a new cfg line: 'show working'.
Mar 24 12:09:39.290649 osdx ubnt-cfgd[136670]: inactive
Mar 24 12:09:39.313136 osdx INFO[136678]: FRR daemons did not change
Mar 24 12:09:39.326867 osdx ca-certificates[136694]: Updating certificates in /etc/ssl/certs...
Mar 24 12:09:39.825407 osdx ubnt-cfgd[137692]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Mar 24 12:09:39.833159 osdx ca-certificates[137697]: 1 added, 0 removed; done.
Mar 24 12:09:39.837344 osdx ca-certificates[137704]: Running hooks in /etc/ca-certificates/update.d...
Mar 24 12:09:39.840419 osdx ca-certificates[137706]: done.
Mar 24 12:09:39.907681 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 24 12:09:39.909189 osdx cfgd[1472]: [2595]Completed change to active configuration
Mar 24 12:09:39.911881 osdx OSDxCLI[2595]: User 'admin' committed the configuration.
Mar 24 12:09:39.940144 osdx dnscrypt-proxy[137710]: [2026-03-24 12:09:39] [NOTICE] dnscrypt-proxy 2.0.45
Mar 24 12:09:39.940387 osdx dnscrypt-proxy[137710]: [2026-03-24 12:09:39] [NOTICE] Network connectivity detected
Mar 24 12:09:39.940417 osdx dnscrypt-proxy[137710]: [2026-03-24 12:09:39] [NOTICE] Dropping privileges
Mar 24 12:09:39.942854 osdx dnscrypt-proxy[137710]: [2026-03-24 12:09:39] [NOTICE] Network connectivity detected
Mar 24 12:09:39.942892 osdx dnscrypt-proxy[137710]: [2026-03-24 12:09:39] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Mar 24 12:09:39.942892 osdx dnscrypt-proxy[137710]: [2026-03-24 12:09:39] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Mar 24 12:09:39.943757 osdx dnscrypt-proxy[137710]: [2026-03-24 12:09:39] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-rjl3oeuzvrh4bswe.tmp: permission denied
Mar 24 12:09:39.943757 osdx dnscrypt-proxy[137710]: [2026-03-24 12:09:39] [NOTICE] Source [RD] loaded
Mar 24 12:09:39.943961 osdx dnscrypt-proxy[137710]: [2026-03-24 12:09:39] [WARNING] Missing stamp for server [server-name`]
Mar 24 12:09:39.944003 osdx dnscrypt-proxy[137710]: [2026-03-24 12:09:39] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Mar 24 12:09:39.944025 osdx dnscrypt-proxy[137710]: [2026-03-24 12:09:39] [NOTICE] Firefox workaround initialized
Mar 24 12:09:39.944025 osdx dnscrypt-proxy[137710]: [2026-03-24 12:09:39] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp26yzfn7u]
Mar 24 12:09:39.975970 osdx OSDxCLI[2595]: User 'admin' left the configuration menu.
Mar 24 12:09:39.981748 osdx dnscrypt-proxy[137710]: [2026-03-24 12:09:39] [NOTICE] [rd-server] OK (DoH) - rtt: 11ms
Mar 24 12:09:39.981748 osdx dnscrypt-proxy[137710]: [2026-03-24 12:09:39] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 11ms)
Mar 24 12:09:39.981748 osdx dnscrypt-proxy[137710]: [2026-03-24 12:09:39] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWQlzur2/oClj7Rp0FQo0HnXeH3oL3aJw0nfYz16MI8bzDs3/hmYqkHY
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expression:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Mar 24 12:09:45.336267 osdx systemd-journald[1674]: Runtime Journal (/run/log/journal/aec016c8ce304ac68362b205c4156884) is 1.8M, max 13.8M, 11.9M free.
Mar 24 12:09:45.336899 osdx systemd-journald[1674]: Received client request to rotate journal, rotating.
Mar 24 12:09:45.336945 osdx systemd-journald[1674]: Vacuuming done, freed 0B of archived journals from /run/log/journal/aec016c8ce304ac68362b205c4156884.
Mar 24 12:09:45.346968 osdx OSDxCLI[2595]: User 'admin' executed a new command: 'system journal clear'.
Mar 24 12:09:45.579580 osdx OSDxCLI[2595]: User 'admin' executed a new command: 'system coredump delete all'.
Mar 24 12:09:45.836452 osdx OSDxCLI[2595]: User 'admin' entered the configuration menu.
Mar 24 12:09:45.920689 osdx OSDxCLI[2595]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 24 12:09:45.994736 osdx OSDxCLI[2595]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 24 12:09:46.103012 osdx OSDxCLI[2595]: User 'admin' added a new cfg line: 'show working'.
Mar 24 12:09:46.167620 osdx ubnt-cfgd[139362]: inactive
Mar 24 12:09:46.190600 osdx INFO[139370]: FRR daemons did not change
Mar 24 12:09:46.216904 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 24 12:09:46.287023 osdx cfgd[1472]: [2595]Completed change to active configuration
Mar 24 12:09:46.298191 osdx OSDxCLI[2595]: User 'admin' committed the configuration.
Mar 24 12:09:46.320020 osdx OSDxCLI[2595]: User 'admin' left the configuration menu.
Mar 24 12:09:46.466535 osdx OSDxCLI[2595]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Mar 24 12:09:46.629999 osdx OSDxCLI[2595]: User 'admin' entered the configuration menu.
Mar 24 12:09:46.693582 osdx OSDxCLI[2595]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 24 12:09:46.792939 osdx OSDxCLI[2595]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Mar 24 12:09:46.847678 osdx OSDxCLI[2595]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQlzur2/oClj7Rp0FQo0HnXeH3oL3aJw0nfYz16MI8bzDs3/hmYqkHY'.
Mar 24 12:09:46.943302 osdx OSDxCLI[2595]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Mar 24 12:09:47.001067 osdx OSDxCLI[2595]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Mar 24 12:09:47.110709 osdx OSDxCLI[2595]: User 'admin' added a new cfg line: 'show working'.
Mar 24 12:09:47.174150 osdx ubnt-cfgd[139521]: inactive
Mar 24 12:09:47.199047 osdx INFO[139529]: FRR daemons did not change
Mar 24 12:09:47.210929 osdx ca-certificates[139545]: Updating certificates in /etc/ssl/certs...
Mar 24 12:09:47.702600 osdx ubnt-cfgd[140543]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Mar 24 12:09:47.710442 osdx ca-certificates[140549]: 1 added, 0 removed; done.
Mar 24 12:09:47.714194 osdx ca-certificates[140555]: Running hooks in /etc/ca-certificates/update.d...
Mar 24 12:09:47.717147 osdx ca-certificates[140557]: done.
Mar 24 12:09:47.781458 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 24 12:09:47.782933 osdx cfgd[1472]: [2595]Completed change to active configuration
Mar 24 12:09:47.786259 osdx OSDxCLI[2595]: User 'admin' committed the configuration.
Mar 24 12:09:47.816058 osdx dnscrypt-proxy[140561]: [2026-03-24 12:09:47] [NOTICE] dnscrypt-proxy 2.0.45
Mar 24 12:09:47.816256 osdx dnscrypt-proxy[140561]: [2026-03-24 12:09:47] [NOTICE] Network connectivity detected
Mar 24 12:09:47.816383 osdx dnscrypt-proxy[140561]: [2026-03-24 12:09:47] [NOTICE] Dropping privileges
Mar 24 12:09:47.819064 osdx dnscrypt-proxy[140561]: [2026-03-24 12:09:47] [NOTICE] Network connectivity detected
Mar 24 12:09:47.819103 osdx dnscrypt-proxy[140561]: [2026-03-24 12:09:47] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Mar 24 12:09:47.819103 osdx dnscrypt-proxy[140561]: [2026-03-24 12:09:47] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Mar 24 12:09:47.820038 osdx dnscrypt-proxy[140561]: [2026-03-24 12:09:47] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-p5jpv4orjflpiijy.tmp: permission denied
Mar 24 12:09:47.820038 osdx dnscrypt-proxy[140561]: [2026-03-24 12:09:47] [NOTICE] Source [RD] loaded
Mar 24 12:09:47.820091 osdx dnscrypt-proxy[140561]: [2026-03-24 12:09:47] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Mar 24 12:09:47.820091 osdx dnscrypt-proxy[140561]: [2026-03-24 12:09:47] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Mar 24 12:09:47.820091 osdx dnscrypt-proxy[140561]: [2026-03-24 12:09:47] [NOTICE] Firefox workaround initialized
Mar 24 12:09:47.820091 osdx dnscrypt-proxy[140561]: [2026-03-24 12:09:47] [NOTICE] Loading the set of cloaking rules from [/tmp/tmptr4ieh8p]
Mar 24 12:09:47.823938 osdx OSDxCLI[2595]: User 'admin' left the configuration menu.
Mar 24 12:09:47.859884 osdx dnscrypt-proxy[140561]: [2026-03-24 12:09:47] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 14ms
Mar 24 12:09:47.859980 osdx dnscrypt-proxy[140561]: [2026-03-24 12:09:47] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 14ms)
Mar 24 12:09:47.860006 osdx dnscrypt-proxy[140561]: [2026-03-24 12:09:47] [NOTICE] dnscrypt-proxy is ready - live servers: 1
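
The Step 2 check in both valid-source scenarios passes on a single matching line. The added example below (not part of the original test suite or of dnscrypt-proxy) goes a little further and also collects the WARNING records that the regular expression ignores, such as the cache write failure and the missing stamp seen above. The function names summarize and check are hypothetical; the sample lines are copied from the journal output above.

```python
import re

# Sample input: five lines copied from the "Valid Source With Prefix" output.
SAMPLE_JOURNAL = """\
Mar 24 12:09:47.820038 osdx dnscrypt-proxy[140561]: [2026-03-24 12:09:47] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-p5jpv4orjflpiijy.tmp: permission denied
Mar 24 12:09:47.820038 osdx dnscrypt-proxy[140561]: [2026-03-24 12:09:47] [NOTICE] Source [RD] loaded
Mar 24 12:09:47.820091 osdx dnscrypt-proxy[140561]: [2026-03-24 12:09:47] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Mar 24 12:09:47.859884 osdx dnscrypt-proxy[140561]: [2026-03-24 12:09:47] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 14ms
Mar 24 12:09:47.860006 osdx dnscrypt-proxy[140561]: [2026-03-24 12:09:47] [NOTICE] dnscrypt-proxy is ready - live servers: 1
"""

# One dnscrypt-proxy journal record: "... dnscrypt-proxy[pid]: [timestamp] [LEVEL] message"
RECORD = re.compile(r"dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
SERVER_OK = re.compile(r"^\[(?P<name>[^\]]+)\] OK \((?P<proto>[^)]+)\) - rtt: (?P<rtt>\d+)ms$")
SOURCE_LOADED = re.compile(r"^Source \[(?P<src>[^\]]+)\] loaded$")
LIVE = re.compile(r"^dnscrypt-proxy is ready - live servers: (?P<n>\d+)$")


def summarize(journal: str) -> dict:
    """Collect resolver state and warnings from dnscrypt-proxy journal lines."""
    out = {"servers": {}, "sources": [], "live": None, "warnings": []}
    for line in journal.splitlines():
        rec = RECORD.search(line)
        if not rec:
            continue  # records from other daemons (OSDxCLI, systemd, ...) are ignored
        level, msg = rec["level"], rec["msg"]
        if level == "WARNING":
            out["warnings"].append(msg)
        elif m := SERVER_OK.match(msg):
            out["servers"][m["name"]] = (m["proto"], int(m["rtt"]))
        elif m := SOURCE_LOADED.match(msg):
            out["sources"].append(m["src"])
        elif m := LIVE.match(msg):
            out["live"] = int(m["n"])
    return out


def check(journal: str, server: str, source: str) -> bool:
    """Pass only if the source loaded and the named server answered over DoH."""
    s = summarize(journal)
    return source in s["sources"] and s["servers"].get(server, ("", 0))[0] == "DoH"
```

For the prefixed scenario, check(journal, "PRIVATE-rd-server", "RD") passes while the unprefixed name "rd-server" does not, and summarize(journal)["warnings"] lists the two warnings for review.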

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key bthWgY3tGvPbvC15SWAPFvUU
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
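
The minisign-key values in the "Invalid Source" and "Invalid Minisign Key" cases differ from the valid key in structure, not only in value. The added example below (not OSDx or dnscrypt-proxy code) decodes each key string from this page and checks it against the minisign public key layout; the function names parse_minisign_pubkey and explain are hypothetical.

```python
import base64
import binascii

# Key strings taken from the configurations on this page.
VALID_KEY = "RWQlzur2/oClj7Rp0FQo0HnXeH3oL3aJw0nfYz16MI8bzDs3/hmYqkHY"
RANDOM_KEY = "bthWgY3tGvPbvC15SWAPFvUU"   # "Invalid Source" case
BOGUS_KEY = "InvalidMinisignKey=="        # "Invalid Minisign Key" case

# A minisign public key is the base64 encoding of 42 bytes:
# 2-byte algorithm tag "Ed", 8-byte key ID, 32-byte Ed25519 public key.
ALG_TAG = b"Ed"
KEY_ID_LEN = 8
PUBKEY_LEN = 32
RAW_LEN = len(ALG_TAG) + KEY_ID_LEN + PUBKEY_LEN


def parse_minisign_pubkey(encoded: str) -> dict:
    """Decode a minisign public key string or raise ValueError saying why not."""
    try:
        raw = base64.b64decode(encoded.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if len(raw) != RAW_LEN:
        raise ValueError(f"decoded length {len(raw)} bytes, expected {RAW_LEN}")
    if raw[:2] != ALG_TAG:
        raise ValueError(f"unsupported algorithm tag {raw[:2]!r}")
    return {"key_id": raw[2:10], "public_key": raw[10:]}


def explain(encoded: str) -> str:
    """Return 'ok' or the reason the key string is structurally unusable."""
    try:
        parse_minisign_pubkey(encoded)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

A key that passes this check is only well-formed: the source list is accepted only if its signature verifies against that key, so a well-formed but wrong key must still fail.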