Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWQlzur2/oClj7Rp0FQo0HnXeH3oL3aJw0nfYz16MI8bzDs3/hmYqkHY
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Oct 20 17:40:02.303437 osdx systemd-journald[222010]: Runtime Journal (/run/log/journal/82a9756ca47e4d589aa55e1b1a6b94de) is 1.8M, max 13.8M, 11.9M free.
Oct 20 17:40:02.305162 osdx systemd-journald[222010]: Received client request to rotate journal, rotating.
Oct 20 17:40:02.305232 osdx systemd-journald[222010]: Vacuuming done, freed 0B of archived journals from /run/log/journal/82a9756ca47e4d589aa55e1b1a6b94de.
Oct 20 17:40:02.313947 osdx OSDxCLI[399276]: User 'admin' executed a new command: 'system journal clear'.
Oct 20 17:40:02.518641 osdx OSDxCLI[399276]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 20 17:40:02.759353 osdx OSDxCLI[399276]: User 'admin' entered the configuration menu.
Oct 20 17:40:02.864477 osdx OSDxCLI[399276]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 20 17:40:02.921164 osdx OSDxCLI[399276]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 20 17:40:03.029678 osdx OSDxCLI[399276]: User 'admin' added a new cfg line: 'show working'.
Oct 20 17:40:03.106859 osdx ubnt-cfgd[574538]: inactive
Oct 20 17:40:03.128421 osdx INFO[574546]: FRR daemons did not change
Oct 20 17:40:03.149162 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 20 17:40:03.223533 osdx cfgd[1655]: [399276]Completed change to active configuration
Oct 20 17:40:03.235040 osdx OSDxCLI[399276]: User 'admin' committed the configuration.
Oct 20 17:40:03.255218 osdx OSDxCLI[399276]: User 'admin' left the configuration menu.
Oct 20 17:40:03.387278 osdx OSDxCLI[399276]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Oct 20 17:40:03.511000 osdx OSDxCLI[399276]: User 'admin' entered the configuration menu.
Oct 20 17:40:03.570430 osdx OSDxCLI[399276]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 20 17:40:03.674365 osdx OSDxCLI[399276]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Oct 20 17:40:03.734659 osdx OSDxCLI[399276]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQlzur2/oClj7Rp0FQo0HnXeH3oL3aJw0nfYz16MI8bzDs3/hmYqkHY'.
Oct 20 17:40:03.856427 osdx OSDxCLI[399276]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Oct 20 17:40:03.928437 osdx OSDxCLI[399276]: User 'admin' added a new cfg line: 'show working'.
Oct 20 17:40:04.024863 osdx ubnt-cfgd[574696]: inactive
Oct 20 17:40:04.047794 osdx INFO[574704]: FRR daemons did not change
Oct 20 17:40:04.061750 osdx ca-certificates[574719]: Updating certificates in /etc/ssl/certs...
Oct 20 17:40:04.561201 osdx ubnt-cfgd[575718]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Oct 20 17:40:04.568694 osdx ca-certificates[575723]: 1 added, 0 removed; done.
Oct 20 17:40:04.571638 osdx ca-certificates[575730]: Running hooks in /etc/ca-certificates/update.d...
Oct 20 17:40:04.574241 osdx ca-certificates[575732]: done.
Oct 20 17:40:04.629495 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 20 17:40:04.630672 osdx cfgd[1655]: [399276]Completed change to active configuration
Oct 20 17:40:04.632772 osdx OSDxCLI[399276]: User 'admin' committed the configuration.
Oct 20 17:40:04.649666 osdx OSDxCLI[399276]: User 'admin' left the configuration menu.
Oct 20 17:40:04.654649 osdx dnscrypt-proxy[575736]: [2025-10-20 17:40:04] [NOTICE] dnscrypt-proxy 2.0.45
Oct 20 17:40:04.654797 osdx dnscrypt-proxy[575736]: [2025-10-20 17:40:04] [NOTICE] Network connectivity detected
Oct 20 17:40:04.654913 osdx dnscrypt-proxy[575736]: [2025-10-20 17:40:04] [NOTICE] Dropping privileges
Oct 20 17:40:04.656899 osdx dnscrypt-proxy[575736]: [2025-10-20 17:40:04] [NOTICE] Network connectivity detected
Oct 20 17:40:04.656929 osdx dnscrypt-proxy[575736]: [2025-10-20 17:40:04] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Oct 20 17:40:04.656929 osdx dnscrypt-proxy[575736]: [2025-10-20 17:40:04] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Oct 20 17:40:04.657977 osdx dnscrypt-proxy[575736]: [2025-10-20 17:40:04] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-k4kv4nlsh6vvp266.tmp: permission denied
Oct 20 17:40:04.658026 osdx dnscrypt-proxy[575736]: [2025-10-20 17:40:04] [NOTICE] Source [RD] loaded
Oct 20 17:40:04.658105 osdx dnscrypt-proxy[575736]: [2025-10-20 17:40:04] [WARNING] Missing stamp for server [server-name`]
Oct 20 17:40:04.658145 osdx dnscrypt-proxy[575736]: [2025-10-20 17:40:04] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Oct 20 17:40:04.658177 osdx dnscrypt-proxy[575736]: [2025-10-20 17:40:04] [NOTICE] Firefox workaround initialized
Oct 20 17:40:04.658207 osdx dnscrypt-proxy[575736]: [2025-10-20 17:40:04] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpky9w4sun]
Oct 20 17:40:04.809880 osdx OSDxCLI[399276]: User 'admin' executed a new command: 'system journal show | cat'.
Oct 20 17:40:04.833898 osdx dnscrypt-proxy[575736]: [2025-10-20 17:40:04] [NOTICE] [rd-server] OK (DoH) - rtt: 108ms
Oct 20 17:40:04.833898 osdx dnscrypt-proxy[575736]: [2025-10-20 17:40:04] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 108ms)
Oct 20 17:40:04.833898 osdx dnscrypt-proxy[575736]: [2025-10-20 17:40:04] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWQlzur2/oClj7Rp0FQo0HnXeH3oL3aJw0nfYz16MI8bzDs3/hmYqkHY
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Oct 20 17:40:12.324031 osdx systemd-journald[222010]: Runtime Journal (/run/log/journal/82a9756ca47e4d589aa55e1b1a6b94de) is 1.8M, max 13.8M, 11.9M free.
Oct 20 17:40:12.326730 osdx systemd-journald[222010]: Received client request to rotate journal, rotating.
Oct 20 17:40:12.326779 osdx systemd-journald[222010]: Vacuuming done, freed 0B of archived journals from /run/log/journal/82a9756ca47e4d589aa55e1b1a6b94de.
Oct 20 17:40:12.334648 osdx OSDxCLI[399276]: User 'admin' executed a new command: 'system journal clear'.
Oct 20 17:40:12.561166 osdx OSDxCLI[399276]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 20 17:40:12.806915 osdx OSDxCLI[399276]: User 'admin' entered the configuration menu.
Oct 20 17:40:12.882603 osdx OSDxCLI[399276]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 20 17:40:12.972143 osdx OSDxCLI[399276]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 20 17:40:13.062151 osdx OSDxCLI[399276]: User 'admin' added a new cfg line: 'show working'.
Oct 20 17:40:13.121323 osdx ubnt-cfgd[577395]: inactive
Oct 20 17:40:13.143413 osdx INFO[577403]: FRR daemons did not change
Oct 20 17:40:13.162737 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 20 17:40:13.236851 osdx cfgd[1655]: [399276]Completed change to active configuration
Oct 20 17:40:13.247598 osdx OSDxCLI[399276]: User 'admin' committed the configuration.
Oct 20 17:40:13.263889 osdx OSDxCLI[399276]: User 'admin' left the configuration menu.
Oct 20 17:40:13.410272 osdx OSDxCLI[399276]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Oct 20 17:40:13.629268 osdx OSDxCLI[399276]: User 'admin' entered the configuration menu.
Oct 20 17:40:13.689903 osdx OSDxCLI[399276]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 20 17:40:13.790419 osdx OSDxCLI[399276]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Oct 20 17:40:13.851676 osdx OSDxCLI[399276]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQlzur2/oClj7Rp0FQo0HnXeH3oL3aJw0nfYz16MI8bzDs3/hmYqkHY'.
Oct 20 17:40:13.949880 osdx OSDxCLI[399276]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Oct 20 17:40:14.020869 osdx OSDxCLI[399276]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Oct 20 17:40:14.136898 osdx OSDxCLI[399276]: User 'admin' added a new cfg line: 'show working'.
Oct 20 17:40:14.206155 osdx ubnt-cfgd[577554]: inactive
Oct 20 17:40:14.275664 osdx INFO[577563]: FRR daemons did not change
Oct 20 17:40:14.290681 osdx ca-certificates[577579]: Updating certificates in /etc/ssl/certs...
Oct 20 17:40:14.810389 osdx ubnt-cfgd[578577]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Oct 20 17:40:14.818237 osdx ca-certificates[578583]: 1 added, 0 removed; done.
Oct 20 17:40:14.821268 osdx ca-certificates[578589]: Running hooks in /etc/ca-certificates/update.d...
Oct 20 17:40:14.824179 osdx ca-certificates[578591]: done.
Oct 20 17:40:14.879117 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 20 17:40:14.880421 osdx cfgd[1655]: [399276]Completed change to active configuration
Oct 20 17:40:14.883435 osdx OSDxCLI[399276]: User 'admin' committed the configuration.
Oct 20 17:40:14.904624 osdx dnscrypt-proxy[578595]: [2025-10-20 17:40:14] [NOTICE] dnscrypt-proxy 2.0.45
Oct 20 17:40:14.904812 osdx dnscrypt-proxy[578595]: [2025-10-20 17:40:14] [NOTICE] Network connectivity detected
Oct 20 17:40:14.904883 osdx dnscrypt-proxy[578595]: [2025-10-20 17:40:14] [NOTICE] Dropping privileges
Oct 20 17:40:14.906866 osdx dnscrypt-proxy[578595]: [2025-10-20 17:40:14] [NOTICE] Network connectivity detected
Oct 20 17:40:14.906914 osdx dnscrypt-proxy[578595]: [2025-10-20 17:40:14] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Oct 20 17:40:14.906914 osdx dnscrypt-proxy[578595]: [2025-10-20 17:40:14] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Oct 20 17:40:14.908263 osdx dnscrypt-proxy[578595]: [2025-10-20 17:40:14] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-dwrs6m3kse2yt2n2.tmp: permission denied
Oct 20 17:40:14.908263 osdx dnscrypt-proxy[578595]: [2025-10-20 17:40:14] [NOTICE] Source [RD] loaded
Oct 20 17:40:14.908332 osdx dnscrypt-proxy[578595]: [2025-10-20 17:40:14] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Oct 20 17:40:14.908332 osdx dnscrypt-proxy[578595]: [2025-10-20 17:40:14] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Oct 20 17:40:14.908332 osdx dnscrypt-proxy[578595]: [2025-10-20 17:40:14] [NOTICE] Firefox workaround initialized
Oct 20 17:40:14.908332 osdx dnscrypt-proxy[578595]: [2025-10-20 17:40:14] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp316x6ae3]
Oct 20 17:40:14.914763 osdx OSDxCLI[399276]: User 'admin' left the configuration menu.
Oct 20 17:40:15.079885 osdx OSDxCLI[399276]: User 'admin' executed a new command: 'system journal show | cat'.
Oct 20 17:40:15.090407 osdx dnscrypt-proxy[578595]: [2025-10-20 17:40:15] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 111ms
Oct 20 17:40:15.090407 osdx dnscrypt-proxy[578595]: [2025-10-20 17:40:15] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 111ms)
Oct 20 17:40:15.090407 osdx dnscrypt-proxy[578595]: [2025-10-20 17:40:15] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key 509WvFTO4cbH5qx0txoVMsix
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
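Added example (not part of the original test suite or of the product's code): a structural pre-check of the three minisign-key values used in the scenarios above, showing that the key from the valid scenarios is a well-formed minisign public key while the two keys from the failing scenarios are not. It assumes the standard minisign public-key encoding (base64 of a 2-byte algorithm tag "Ed", an 8-byte key ID and a 32-byte Ed25519 key); the function names are hypothetical.

```python
import base64
import binascii

# Standard minisign public key: base64 of 42 bytes =
# 2-byte algorithm tag ("Ed") + 8-byte key ID + 32-byte Ed25519 public key.
PUBKEY_LEN = 42


def parse_minisign_pubkey(encoded: str) -> dict:
    """Decode a minisign public key; raise ValueError if it is malformed."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if len(raw) != PUBKEY_LEN:
        raise ValueError(f"decoded length is {len(raw)} bytes, expected {PUBKEY_LEN}")
    if raw[:2] != b"Ed":
        raise ValueError(f"unsupported signature algorithm {raw[:2]!r}")
    return {"algorithm": "Ed", "key_id": raw[2:10].hex(), "public_key": raw[10:]}


def check(encoded: str) -> str:
    """Return 'ok' or a 'rejected: ...' reason (hypothetical helper)."""
    try:
        parse_minisign_pubkey(encoded)
    except ValueError as exc:
        return f"rejected: {exc}"
    return "ok"


# The three minisign-key values used in the scenarios on this page.
KEYS = {
    "Valid Source": "RWQlzur2/oClj7Rp0FQo0HnXeH3oL3aJw0nfYz16MI8bzDs3/hmYqkHY",
    "Invalid Source": "509WvFTO4cbH5qx0txoVMsix",
    "Invalid Minisign Key": "InvalidMinisignKey==",
}

if __name__ == "__main__":
    for scenario, key in KEYS.items():
        print(f"{scenario}: {check(key)}")
```

Passing this check only shows that a key is well formed; whether it is the right key for a source is decided by verifying the signature over the downloaded resolver list.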