Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWT8Tw2qzVvd50orB/Vc7ncjsuDusj16sMYw2vuFZJQFrf741JeILnRL
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Jun 20 15:47:32.319511 osdx systemd-journald[210303]: Runtime Journal (/run/log/journal/a9538f26f6924eb58d28105803b55de8) is 2.1M, max 15.3M, 13.2M free.
Jun 20 15:47:32.320188 osdx systemd-journald[210303]: Received client request to rotate journal, rotating.
Jun 20 15:47:32.320234 osdx systemd-journald[210303]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a9538f26f6924eb58d28105803b55de8.
Jun 20 15:47:32.324725 osdx sudo[545285]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 20 15:47:32.331375 osdx OSDxCLI[389379]: User 'admin' executed a new command: 'system journal clear'.
Jun 20 15:47:32.542287 osdx OSDxCLI[389379]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 20 15:47:32.775885 osdx OSDxCLI[389379]: User 'admin' entered the configuration menu.
Jun 20 15:47:32.854389 osdx OSDxCLI[389379]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 20 15:47:32.935503 osdx OSDxCLI[389379]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 20 15:47:33.001866 osdx OSDxCLI[389379]: User 'admin' added a new cfg line: 'show working'.
Jun 20 15:47:33.096958 osdx ubnt-cfgd[545310]: inactive
Jun 20 15:47:33.117333 osdx INFO[545318]: FRR daemons did not change
Jun 20 15:47:33.136187 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 20 15:47:33.207673 osdx cfgd[1460]: [389379]Completed change to active configuration
Jun 20 15:47:33.225476 osdx OSDxCLI[389379]: User 'admin' committed the configuration.
Jun 20 15:47:33.250370 osdx OSDxCLI[389379]: User 'admin' left the configuration menu.
Jun 20 15:47:33.396874 osdx OSDxCLI[389379]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 20 15:47:33.555994 osdx OSDxCLI[389379]: User 'admin' entered the configuration menu.
Jun 20 15:47:33.621025 osdx OSDxCLI[389379]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jun 20 15:47:33.735902 osdx OSDxCLI[389379]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jun 20 15:47:33.792347 osdx OSDxCLI[389379]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWT8Tw2qzVvd50orB/Vc7ncjsuDusj16sMYw2vuFZJQFrf741JeILnRL'.
Jun 20 15:47:33.895247 osdx OSDxCLI[389379]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Jun 20 15:47:33.979072 osdx OSDxCLI[389379]: User 'admin' added a new cfg line: 'show working'.
Jun 20 15:47:34.111975 osdx ubnt-cfgd[545468]: inactive
Jun 20 15:47:34.132084 osdx INFO[545476]: FRR daemons did not change
Jun 20 15:47:34.135923 osdx sudo[545479]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 20 15:47:34.145411 osdx ca-certificates[545491]: Updating certificates in /etc/ssl/certs...
Jun 20 15:47:34.660428 osdx ubnt-cfgd[546490]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Jun 20 15:47:34.669645 osdx ca-certificates[546496]: 1 added, 0 removed; done.
Jun 20 15:47:34.672463 osdx ca-certificates[546502]: Running hooks in /etc/ca-certificates/update.d...
Jun 20 15:47:34.675569 osdx ca-certificates[546504]: done.
Jun 20 15:47:34.748503 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jun 20 15:47:34.749785 osdx cfgd[1460]: [389379]Completed change to active configuration
Jun 20 15:47:34.754438 osdx OSDxCLI[389379]: User 'admin' committed the configuration.
Jun 20 15:47:34.773027 osdx dnscrypt-proxy[546508]: [2025-06-20 15:47:34] [NOTICE] dnscrypt-proxy 2.0.45
Jun 20 15:47:34.773289 osdx dnscrypt-proxy[546508]: [2025-06-20 15:47:34] [NOTICE] Network connectivity detected
Jun 20 15:47:34.773316 osdx dnscrypt-proxy[546508]: [2025-06-20 15:47:34] [NOTICE] Dropping privileges
Jun 20 15:47:34.775669 osdx OSDxCLI[389379]: User 'admin' left the configuration menu.
Jun 20 15:47:34.775967 osdx dnscrypt-proxy[546508]: [2025-06-20 15:47:34] [NOTICE] Network connectivity detected
Jun 20 15:47:34.776024 osdx dnscrypt-proxy[546508]: [2025-06-20 15:47:34] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jun 20 15:47:34.776024 osdx dnscrypt-proxy[546508]: [2025-06-20 15:47:34] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jun 20 15:47:34.777324 osdx dnscrypt-proxy[546508]: [2025-06-20 15:47:34] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-jxp3ybmizcozuevo.tmp: permission denied
Jun 20 15:47:34.777324 osdx dnscrypt-proxy[546508]: [2025-06-20 15:47:34] [NOTICE] Source [RD] loaded
Jun 20 15:47:34.777324 osdx dnscrypt-proxy[546508]: [2025-06-20 15:47:34] [WARNING] Missing stamp for server [server-name`]
Jun 20 15:47:34.777324 osdx dnscrypt-proxy[546508]: [2025-06-20 15:47:34] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Jun 20 15:47:34.777324 osdx dnscrypt-proxy[546508]: [2025-06-20 15:47:34] [NOTICE] Firefox workaround initialized
Jun 20 15:47:34.777324 osdx dnscrypt-proxy[546508]: [2025-06-20 15:47:34] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpsm3l1gy3]
Jun 20 15:47:34.939464 osdx dnscrypt-proxy[546508]: [2025-06-20 15:47:34] [NOTICE] [rd-server] OK (DoH) - rtt: 136ms
Jun 20 15:47:34.939464 osdx dnscrypt-proxy[546508]: [2025-06-20 15:47:34] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 136ms)
Jun 20 15:47:34.939464 osdx dnscrypt-proxy[546508]: [2025-06-20 15:47:34] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWT8Tw2qzVvd50orB/Vc7ncjsuDusj16sMYw2vuFZJQFrf741JeILnRL
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Jun 20 15:47:39.000207 osdx systemd-timedated[474723]: Changed local time to Fri 2025-06-20 15:47:39 UTC
Jun 20 15:47:39.002187 osdx OSDxCLI[389379]: User 'admin' executed a new command: 'set date 2025-06-20 15:47:39'.
Jun 20 15:47:39.003653 osdx systemd-journald[210303]: Time jumped backwards, rotating.
Jun 20 15:47:39.305810 osdx sudo[548139]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 20 15:47:39.309619 osdx systemd-journald[210303]: Runtime Journal (/run/log/journal/a9538f26f6924eb58d28105803b55de8) is 2.0M, max 15.3M, 13.3M free.
Jun 20 15:47:39.311646 osdx systemd-journald[210303]: Received client request to rotate journal, rotating.
Jun 20 15:47:39.311697 osdx systemd-journald[210303]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a9538f26f6924eb58d28105803b55de8.
Jun 20 15:47:39.314934 osdx sudo[548138]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 20 15:47:39.320922 osdx OSDxCLI[389379]: User 'admin' executed a new command: 'system journal clear'.
Jun 20 15:47:39.537290 osdx OSDxCLI[389379]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 20 15:47:39.769235 osdx OSDxCLI[389379]: User 'admin' entered the configuration menu.
Jun 20 15:47:39.842317 osdx OSDxCLI[389379]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 20 15:47:39.932220 osdx OSDxCLI[389379]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 20 15:47:39.999801 osdx OSDxCLI[389379]: User 'admin' added a new cfg line: 'show working'.
Jun 20 15:47:40.095261 osdx ubnt-cfgd[548163]: inactive
Jun 20 15:47:40.114979 osdx INFO[548171]: FRR daemons did not change
Jun 20 15:47:40.139682 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 20 15:47:40.238778 osdx cfgd[1460]: [389379]Completed change to active configuration
Jun 20 15:47:40.249082 osdx OSDxCLI[389379]: User 'admin' committed the configuration.
Jun 20 15:47:40.329143 osdx OSDxCLI[389379]: User 'admin' left the configuration menu.
Jun 20 15:47:40.419510 osdx OSDxCLI[389379]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 20 15:47:40.592373 osdx OSDxCLI[389379]: User 'admin' entered the configuration menu.
Jun 20 15:47:40.682469 osdx OSDxCLI[389379]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jun 20 15:47:40.799966 osdx OSDxCLI[389379]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jun 20 15:47:40.897957 osdx OSDxCLI[389379]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWT8Tw2qzVvd50orB/Vc7ncjsuDusj16sMYw2vuFZJQFrf741JeILnRL'.
Jun 20 15:47:41.029269 osdx OSDxCLI[389379]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Jun 20 15:47:41.132339 osdx OSDxCLI[389379]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Jun 20 15:47:41.247788 osdx OSDxCLI[389379]: User 'admin' added a new cfg line: 'show working'.
Jun 20 15:47:41.317304 osdx ubnt-cfgd[548322]: inactive
Jun 20 15:47:41.339770 osdx INFO[548330]: FRR daemons did not change
Jun 20 15:47:41.343749 osdx sudo[548333]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 20 15:47:41.351675 osdx ca-certificates[548346]: Updating certificates in /etc/ssl/certs...
Jun 20 15:47:41.861962 osdx ubnt-cfgd[549344]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Jun 20 15:47:41.870485 osdx ca-certificates[549350]: 1 added, 0 removed; done.
Jun 20 15:47:41.873447 osdx ca-certificates[549356]: Running hooks in /etc/ca-certificates/update.d...
Jun 20 15:47:41.876322 osdx ca-certificates[549358]: done.
Jun 20 15:47:41.939977 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jun 20 15:47:41.941384 osdx cfgd[1460]: [389379]Completed change to active configuration
Jun 20 15:47:41.943710 osdx OSDxCLI[389379]: User 'admin' committed the configuration.
Jun 20 15:47:41.966412 osdx OSDxCLI[389379]: User 'admin' left the configuration menu.
Jun 20 15:47:41.971738 osdx dnscrypt-proxy[549362]: [2025-06-20 15:47:41] [NOTICE] dnscrypt-proxy 2.0.45
Jun 20 15:47:41.971925 osdx dnscrypt-proxy[549362]: [2025-06-20 15:47:41] [NOTICE] Network connectivity detected
Jun 20 15:47:41.971997 osdx dnscrypt-proxy[549362]: [2025-06-20 15:47:41] [NOTICE] Dropping privileges
Jun 20 15:47:41.974428 osdx dnscrypt-proxy[549362]: [2025-06-20 15:47:41] [NOTICE] Network connectivity detected
Jun 20 15:47:41.974428 osdx dnscrypt-proxy[549362]: [2025-06-20 15:47:41] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jun 20 15:47:41.974428 osdx dnscrypt-proxy[549362]: [2025-06-20 15:47:41] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jun 20 15:47:41.975486 osdx dnscrypt-proxy[549362]: [2025-06-20 15:47:41] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-vxq5jne4ll5syqpr.tmp: permission denied
Jun 20 15:47:41.975486 osdx dnscrypt-proxy[549362]: [2025-06-20 15:47:41] [NOTICE] Source [RD] loaded
Jun 20 15:47:41.975545 osdx dnscrypt-proxy[549362]: [2025-06-20 15:47:41] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Jun 20 15:47:41.975545 osdx dnscrypt-proxy[549362]: [2025-06-20 15:47:41] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Jun 20 15:47:41.975545 osdx dnscrypt-proxy[549362]: [2025-06-20 15:47:41] [NOTICE] Firefox workaround initialized
Jun 20 15:47:41.975545 osdx dnscrypt-proxy[549362]: [2025-06-20 15:47:41] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpgpzpo_87]
Jun 20 15:47:42.107941 osdx dnscrypt-proxy[549362]: [2025-06-20 15:47:42] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 106ms
Jun 20 15:47:42.107941 osdx dnscrypt-proxy[549362]: [2025-06-20 15:47:42] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 106ms)
Jun 20 15:47:42.107941 osdx dnscrypt-proxy[549362]: [2025-06-20 15:47:42] [NOTICE] dnscrypt-proxy is ready - live servers: 1
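The Step 2 check of the two scenarios above, written as an added Python example (not part of the test suite). It generalizes the check to any server name and source prefix and also collects the proxy's WARNING lines; the function names are hypothetical and the sample journal is a few lines copied from the output above.

```python
import re

# Constructed sample: four journal lines copied from the "Valid Source With Prefix" output.
SAMPLE_JOURNAL = """\
Jun 20 15:47:41.975486 osdx dnscrypt-proxy[549362]: [2025-06-20 15:47:41] [NOTICE] Source [RD] loaded
Jun 20 15:47:41.975545 osdx dnscrypt-proxy[549362]: [2025-06-20 15:47:41] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Jun 20 15:47:42.107941 osdx dnscrypt-proxy[549362]: [2025-06-20 15:47:42] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 106ms
Jun 20 15:47:42.107941 osdx dnscrypt-proxy[549362]: [2025-06-20 15:47:42] [NOTICE] dnscrypt-proxy is ready - live servers: 1
"""


def doh_rtt_ms(journal, server_name, prefix=""):
    """Return the rtt (ms) if prefix+server_name was reported 'OK (DoH)', else None.

    The page's pattern places (?m) after the first '^', which Python 3.11+
    rejects; re.MULTILINE is the equivalent. The name is escaped so that it
    is matched literally and the brackets anchor it to the full server name.
    """
    name = re.escape(prefix + server_name)
    match = re.search(rf"^.*\[{name}\] OK \(DoH\) - rtt: (\d+)ms$",
                      journal, re.MULTILINE)
    return int(match.group(1)) if match else None


def proxy_warnings(journal):
    """Return the text of every dnscrypt-proxy [WARNING] entry in the journal."""
    pattern = re.compile(
        r"dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[WARNING\] (.*)$", re.MULTILINE)
    return pattern.findall(journal)


if __name__ == "__main__":
    print("rtt:", doh_rtt_ms(SAMPLE_JOURNAL, "rd-server", prefix="PRIVATE-"))
    for warning in proxy_warnings(SAMPLE_JOURNAL):
        print("warning:", warning)
```
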
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key s1BHW7pDElCWRQ2rJn06JO1B
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'