Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWQlzur2/oClj7Rp0FQo0HnXeH3oL3aJw0nfYz16MI8bzDs3/hmYqkHY
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Sep 05 09:52:37.345303 osdx systemd-journald[1764]: Runtime Journal (/run/log/journal/8e652e5518b84f0bb5a60f6ad502329f) is 1.9M, max 13.8M, 11.8M free.
Sep 05 09:52:37.347052 osdx systemd-journald[1764]: Received client request to rotate journal, rotating.
Sep 05 09:52:37.347103 osdx systemd-journald[1764]: Vacuuming done, freed 0B of archived journals from /run/log/journal/8e652e5518b84f0bb5a60f6ad502329f.
Sep 05 09:52:37.355971 osdx OSDxCLI[2038]: User 'admin' executed a new command: 'system journal clear'.
Sep 05 09:52:37.567932 osdx OSDxCLI[2038]: User 'admin' executed a new command: 'system coredump delete all'.
Sep 05 09:52:37.850169 osdx OSDxCLI[2038]: User 'admin' entered the configuration menu.
Sep 05 09:52:37.931884 osdx OSDxCLI[2038]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Sep 05 09:52:38.053194 osdx OSDxCLI[2038]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Sep 05 09:52:38.121792 osdx OSDxCLI[2038]: User 'admin' added a new cfg line: 'show working'.
Sep 05 09:52:38.216031 osdx ubnt-cfgd[144551]: inactive
Sep 05 09:52:38.237211 osdx INFO[144559]: FRR daemons did not change
Sep 05 09:52:38.341036 osdx cfgd[1461]: [2038]Completed change to active configuration
Sep 05 09:52:38.354742 osdx OSDxCLI[2038]: User 'admin' committed the configuration.
Sep 05 09:52:38.380993 osdx OSDxCLI[2038]: User 'admin' left the configuration menu.
Sep 05 09:52:38.541262 osdx OSDxCLI[2038]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Sep 05 09:52:38.721106 osdx OSDxCLI[2038]: User 'admin' entered the configuration menu.
Sep 05 09:52:38.782845 osdx OSDxCLI[2038]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Sep 05 09:52:38.885023 osdx OSDxCLI[2038]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Sep 05 09:52:38.941124 osdx OSDxCLI[2038]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQlzur2/oClj7Rp0FQo0HnXeH3oL3aJw0nfYz16MI8bzDs3/hmYqkHY'.
Sep 05 09:52:39.041526 osdx OSDxCLI[2038]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Sep 05 09:52:39.155072 osdx OSDxCLI[2038]: User 'admin' added a new cfg line: 'show working'.
Sep 05 09:52:39.221199 osdx ubnt-cfgd[144709]: inactive
Sep 05 09:52:39.241311 osdx INFO[144717]: FRR daemons did not change
Sep 05 09:52:39.254735 osdx ca-certificates[144733]: Updating certificates in /etc/ssl/certs...
Sep 05 09:52:39.743265 osdx ubnt-cfgd[145731]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Sep 05 09:52:39.750775 osdx ca-certificates[145736]: 1 added, 0 removed; done.
Sep 05 09:52:39.753873 osdx ca-certificates[145743]: Running hooks in /etc/ca-certificates/update.d...
Sep 05 09:52:39.756618 osdx ca-certificates[145745]: done.
Sep 05 09:52:39.819368 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Sep 05 09:52:39.820584 osdx cfgd[1461]: [2038]Completed change to active configuration
Sep 05 09:52:39.822928 osdx OSDxCLI[2038]: User 'admin' committed the configuration.
Sep 05 09:52:39.848815 osdx dnscrypt-proxy[145749]: [2025-09-05 09:52:39] [NOTICE] dnscrypt-proxy 2.0.45
Sep 05 09:52:39.849021 osdx dnscrypt-proxy[145749]: [2025-09-05 09:52:39] [NOTICE] Network connectivity detected
Sep 05 09:52:39.849059 osdx dnscrypt-proxy[145749]: [2025-09-05 09:52:39] [NOTICE] Dropping privileges
Sep 05 09:52:39.850826 osdx OSDxCLI[2038]: User 'admin' left the configuration menu.
Sep 05 09:52:39.851659 osdx dnscrypt-proxy[145749]: [2025-09-05 09:52:39] [NOTICE] Network connectivity detected
Sep 05 09:52:39.851692 osdx dnscrypt-proxy[145749]: [2025-09-05 09:52:39] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Sep 05 09:52:39.851692 osdx dnscrypt-proxy[145749]: [2025-09-05 09:52:39] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Sep 05 09:52:39.853058 osdx dnscrypt-proxy[145749]: [2025-09-05 09:52:39] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-zzolrl54xmjtmluh.tmp: permission denied
Sep 05 09:52:39.853058 osdx dnscrypt-proxy[145749]: [2025-09-05 09:52:39] [NOTICE] Source [RD] loaded
Sep 05 09:52:39.853125 osdx dnscrypt-proxy[145749]: [2025-09-05 09:52:39] [WARNING] Missing stamp for server [server-name`]
Sep 05 09:52:39.853125 osdx dnscrypt-proxy[145749]: [2025-09-05 09:52:39] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Sep 05 09:52:39.853125 osdx dnscrypt-proxy[145749]: [2025-09-05 09:52:39] [NOTICE] Firefox workaround initialized
Sep 05 09:52:39.853125 osdx dnscrypt-proxy[145749]: [2025-09-05 09:52:39] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpinfb00b4]
Sep 05 09:52:39.999857 osdx OSDxCLI[2038]: User 'admin' executed a new command: 'system journal show | cat'.
Sep 05 09:52:40.078251 osdx dnscrypt-proxy[145749]: [2025-09-05 09:52:40] [NOTICE] [rd-server] OK (DoH) - rtt: 158ms
Sep 05 09:52:40.078251 osdx dnscrypt-proxy[145749]: [2025-09-05 09:52:40] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 158ms)
Sep 05 09:52:40.078251 osdx dnscrypt-proxy[145749]: [2025-09-05 09:52:40] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWQlzur2/oClj7Rp0FQo0HnXeH3oL3aJw0nfYz16MI8bzDs3/hmYqkHY
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Sep 05 09:52:46.000164 osdx systemd-timedated[123083]: Changed local time to Fri 2025-09-05 09:52:46 UTC
Sep 05 09:52:46.002226 osdx OSDxCLI[2038]: User 'admin' executed a new command: 'set date 2025-09-05 09:52:46'.
Sep 05 09:52:46.002390 osdx systemd-journald[1764]: Time jumped backwards, rotating.
Sep 05 09:52:46.301131 osdx systemd-journald[1764]: Runtime Journal (/run/log/journal/8e652e5518b84f0bb5a60f6ad502329f) is 1.8M, max 13.8M, 11.9M free.
Sep 05 09:52:46.302310 osdx systemd-journald[1764]: Received client request to rotate journal, rotating.
Sep 05 09:52:46.302360 osdx systemd-journald[1764]: Vacuuming done, freed 0B of archived journals from /run/log/journal/8e652e5518b84f0bb5a60f6ad502329f.
Sep 05 09:52:46.310942 osdx OSDxCLI[2038]: User 'admin' executed a new command: 'system journal clear'.
Sep 05 09:52:46.532348 osdx OSDxCLI[2038]: User 'admin' executed a new command: 'system coredump delete all'.
Sep 05 09:52:46.756098 osdx OSDxCLI[2038]: User 'admin' entered the configuration menu.
Sep 05 09:52:46.834642 osdx OSDxCLI[2038]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Sep 05 09:52:46.918020 osdx OSDxCLI[2038]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Sep 05 09:52:46.985874 osdx OSDxCLI[2038]: User 'admin' added a new cfg line: 'show working'.
Sep 05 09:52:47.079992 osdx ubnt-cfgd[147410]: inactive
Sep 05 09:52:47.100367 osdx INFO[147418]: FRR daemons did not change
Sep 05 09:52:47.196720 osdx cfgd[1461]: [2038]Completed change to active configuration
Sep 05 09:52:47.207302 osdx OSDxCLI[2038]: User 'admin' committed the configuration.
Sep 05 09:52:47.224916 osdx OSDxCLI[2038]: User 'admin' left the configuration menu.
Sep 05 09:52:47.378018 osdx OSDxCLI[2038]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Sep 05 09:52:47.588471 osdx OSDxCLI[2038]: User 'admin' entered the configuration menu.
Sep 05 09:52:47.648331 osdx OSDxCLI[2038]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Sep 05 09:52:47.753361 osdx OSDxCLI[2038]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Sep 05 09:52:47.820996 osdx OSDxCLI[2038]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQlzur2/oClj7Rp0FQo0HnXeH3oL3aJw0nfYz16MI8bzDs3/hmYqkHY'.
Sep 05 09:52:47.934994 osdx OSDxCLI[2038]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Sep 05 09:52:47.990822 osdx OSDxCLI[2038]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Sep 05 09:52:48.119637 osdx OSDxCLI[2038]: User 'admin' added a new cfg line: 'show working'.
Sep 05 09:52:48.204986 osdx ubnt-cfgd[147569]: inactive
Sep 05 09:52:48.226202 osdx INFO[147577]: FRR daemons did not change
Sep 05 09:52:48.240727 osdx ca-certificates[147593]: Updating certificates in /etc/ssl/certs...
Sep 05 09:52:48.733369 osdx ubnt-cfgd[148591]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Sep 05 09:52:48.741892 osdx ca-certificates[148597]: 1 added, 0 removed; done.
Sep 05 09:52:48.744944 osdx ca-certificates[148603]: Running hooks in /etc/ca-certificates/update.d...
Sep 05 09:52:48.747962 osdx ca-certificates[148605]: done.
Sep 05 09:52:48.826811 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Sep 05 09:52:48.828330 osdx cfgd[1461]: [2038]Completed change to active configuration
Sep 05 09:52:48.830915 osdx OSDxCLI[2038]: User 'admin' committed the configuration.
Sep 05 09:52:48.847859 osdx OSDxCLI[2038]: User 'admin' left the configuration menu.
Sep 05 09:52:48.855725 osdx dnscrypt-proxy[148609]: [2025-09-05 09:52:48] [NOTICE] dnscrypt-proxy 2.0.45
Sep 05 09:52:48.855895 osdx dnscrypt-proxy[148609]: [2025-09-05 09:52:48] [NOTICE] Network connectivity detected
Sep 05 09:52:48.856030 osdx dnscrypt-proxy[148609]: [2025-09-05 09:52:48] [NOTICE] Dropping privileges
Sep 05 09:52:48.858755 osdx dnscrypt-proxy[148609]: [2025-09-05 09:52:48] [NOTICE] Network connectivity detected
Sep 05 09:52:48.858801 osdx dnscrypt-proxy[148609]: [2025-09-05 09:52:48] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Sep 05 09:52:48.858801 osdx dnscrypt-proxy[148609]: [2025-09-05 09:52:48] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Sep 05 09:52:48.860013 osdx dnscrypt-proxy[148609]: [2025-09-05 09:52:48] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-6zxqtczrsji42ybi.tmp: permission denied
Sep 05 09:52:48.860013 osdx dnscrypt-proxy[148609]: [2025-09-05 09:52:48] [NOTICE] Source [RD] loaded
Sep 05 09:52:48.860089 osdx dnscrypt-proxy[148609]: [2025-09-05 09:52:48] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Sep 05 09:52:48.860089 osdx dnscrypt-proxy[148609]: [2025-09-05 09:52:48] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Sep 05 09:52:48.860089 osdx dnscrypt-proxy[148609]: [2025-09-05 09:52:48] [NOTICE] Firefox workaround initialized
Sep 05 09:52:48.860089 osdx dnscrypt-proxy[148609]: [2025-09-05 09:52:48] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp76gazfa0]
Sep 05 09:52:49.015973 osdx OSDxCLI[2038]: User 'admin' executed a new command: 'system journal show | cat'.
Sep 05 09:52:49.037472 osdx dnscrypt-proxy[148609]: [2025-09-05 09:52:49] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 115ms
Sep 05 09:52:49.037472 osdx dnscrypt-proxy[148609]: [2025-09-05 09:52:49] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 115ms)
Sep 05 09:52:49.037472 osdx dnscrypt-proxy[148609]: [2025-09-05 09:52:49] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key vTlh5gmoqjXyQg3uc5mHbRpm
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
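Added example, not part of the original test suite: a structural check of the three minisign-key values used in the scenarios above, assuming the standard minisign public-key encoding (base64 of a 2-byte "Ed" algorithm tag, an 8-byte key ID and a 32-byte Ed25519 key). The names check_minisign_key and PAGE_KEYS are hypothetical. It shows that both keys in the failing scenarios are malformed as encodings, so those scenarios do not cover a well-formed key that simply does not match the source's signature.

```python
import base64
import binascii

# Assumed minisign public-key layout after base64 decoding:
# 2-byte algorithm tag "Ed" + 8-byte key ID + 32-byte Ed25519 public key.
ALGORITHM = b"Ed"
KEY_ID_LEN = 8
PUBLIC_KEY_LEN = 32
EXPECTED_LEN = len(ALGORITHM) + KEY_ID_LEN + PUBLIC_KEY_LEN  # 42 bytes

# The three minisign-key values configured in the scenarios on this page.
PAGE_KEYS = {
    "valid": "RWQlzur2/oClj7Rp0FQo0HnXeH3oL3aJw0nfYz16MI8bzDs3/hmYqkHY",
    "invalid-source": "vTlh5gmoqjXyQg3uc5mHbRpm",
    "invalid-key": "InvalidMinisignKey==",
}


def check_minisign_key(text):
    """Return (ok, detail) for a base64-encoded minisign public key."""
    try:
        raw = base64.b64decode(text.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"not valid base64: {exc}"
    if len(raw) != EXPECTED_LEN:
        return False, f"decoded length {len(raw)}, expected {EXPECTED_LEN}"
    if raw[:2] != ALGORITHM:
        return False, f"unexpected algorithm tag {raw[:2]!r}"
    key_id = raw[2:2 + KEY_ID_LEN]
    return True, f"key id bytes {key_id.hex()}"


if __name__ == "__main__":
    for label, key in PAGE_KEYS.items():
        ok, detail = check_minisign_key(key)
        print(f"{label:15} {'OK' if ok else 'REJECT':7} {detail}")
```

A negative test that pairs RD-resolver.md with a different, well-formed 42-byte key would exercise the signature comparison itself rather than key parsing.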