Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWT8Tw2qzVvd50orB/Vc7ncjsuDusj16sMYw2vuFZJQFrf741JeILnRL
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Jun 24 15:11:09.000158 osdx systemd-timedated[350570]: Changed local time to Tue 2025-06-24 15:11:09 UTC
Jun 24 15:11:09.001594 osdx OSDxCLI[304734]: User 'admin' executed a new command: 'set date 2025-06-24 15:11:09'.
Jun 24 15:11:09.003638 osdx systemd-journald[165652]: Time jumped backwards, rotating.
Jun 24 15:11:09.356469 osdx sudo[397089]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 15:11:09.360250 osdx systemd-journald[165652]: Runtime Journal (/run/log/journal/a9c8f5b24ca148a6b10e0198640df300) is 2.0M, max 15.3M, 13.2M free.
Jun 24 15:11:09.363637 osdx systemd-journald[165652]: Received client request to rotate journal, rotating.
Jun 24 15:11:09.363695 osdx systemd-journald[165652]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a9c8f5b24ca148a6b10e0198640df300.
Jun 24 15:11:09.364290 osdx sudo[397088]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 15:11:09.370786 osdx OSDxCLI[304734]: User 'admin' executed a new command: 'system journal clear'.
Jun 24 15:11:09.604211 osdx OSDxCLI[304734]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 24 15:11:09.879582 osdx OSDxCLI[304734]: User 'admin' entered the configuration menu.
Jun 24 15:11:09.985585 osdx OSDxCLI[304734]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 24 15:11:10.113601 osdx OSDxCLI[304734]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 24 15:11:10.206939 osdx OSDxCLI[304734]: User 'admin' added a new cfg line: 'show working'.
Jun 24 15:11:10.324623 osdx ubnt-cfgd[397113]: inactive
Jun 24 15:11:10.347478 osdx INFO[397121]: FRR daemons did not change
Jun 24 15:11:10.367633 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 24 15:11:10.443978 osdx cfgd[1460]: [304734]Completed change to active configuration
Jun 24 15:11:10.455478 osdx OSDxCLI[304734]: User 'admin' committed the configuration.
Jun 24 15:11:10.484998 osdx OSDxCLI[304734]: User 'admin' left the configuration menu.
Jun 24 15:11:10.667179 osdx OSDxCLI[304734]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 24 15:11:10.890433 osdx OSDxCLI[304734]: User 'admin' entered the configuration menu.
Jun 24 15:11:10.955053 osdx OSDxCLI[304734]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jun 24 15:11:11.059963 osdx OSDxCLI[304734]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jun 24 15:11:11.117869 osdx OSDxCLI[304734]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWT8Tw2qzVvd50orB/Vc7ncjsuDusj16sMYw2vuFZJQFrf741JeILnRL'.
Jun 24 15:11:11.225243 osdx OSDxCLI[304734]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Jun 24 15:11:11.306148 osdx OSDxCLI[304734]: User 'admin' added a new cfg line: 'show working'.
Jun 24 15:11:11.399427 osdx ubnt-cfgd[397271]: inactive
Jun 24 15:11:11.423239 osdx INFO[397279]: FRR daemons did not change
Jun 24 15:11:11.427025 osdx sudo[397282]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 15:11:11.435518 osdx ca-certificates[397295]: Updating certificates in /etc/ssl/certs...
Jun 24 15:11:11.924034 osdx ubnt-cfgd[398293]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Jun 24 15:11:11.931598 osdx ca-certificates[398298]: 1 added, 0 removed; done.
Jun 24 15:11:11.934686 osdx ca-certificates[398305]: Running hooks in /etc/ca-certificates/update.d...
Jun 24 15:11:11.938343 osdx ca-certificates[398307]: done.
Jun 24 15:11:11.999900 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jun 24 15:11:12.000914 osdx cfgd[1460]: [304734]Completed change to active configuration
Jun 24 15:11:12.002772 osdx OSDxCLI[304734]: User 'admin' committed the configuration.
Jun 24 15:11:12.019339 osdx OSDxCLI[304734]: User 'admin' left the configuration menu.
Jun 24 15:11:12.024866 osdx dnscrypt-proxy[398311]: [2025-06-24 15:11:12] [NOTICE] dnscrypt-proxy 2.0.45
Jun 24 15:11:12.025038 osdx dnscrypt-proxy[398311]: [2025-06-24 15:11:12] [NOTICE] Network connectivity detected
Jun 24 15:11:12.025085 osdx dnscrypt-proxy[398311]: [2025-06-24 15:11:12] [NOTICE] Dropping privileges
Jun 24 15:11:12.027235 osdx dnscrypt-proxy[398311]: [2025-06-24 15:11:12] [NOTICE] Network connectivity detected
Jun 24 15:11:12.027266 osdx dnscrypt-proxy[398311]: [2025-06-24 15:11:12] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jun 24 15:11:12.027266 osdx dnscrypt-proxy[398311]: [2025-06-24 15:11:12] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jun 24 15:11:12.028271 osdx dnscrypt-proxy[398311]: [2025-06-24 15:11:12] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-s4gh34kqihmndawh.tmp: permission denied
Jun 24 15:11:12.028271 osdx dnscrypt-proxy[398311]: [2025-06-24 15:11:12] [NOTICE] Source [RD] loaded
Jun 24 15:11:12.028305 osdx dnscrypt-proxy[398311]: [2025-06-24 15:11:12] [WARNING] Missing stamp for server [server-name`]
Jun 24 15:11:12.028305 osdx dnscrypt-proxy[398311]: [2025-06-24 15:11:12] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Jun 24 15:11:12.028305 osdx dnscrypt-proxy[398311]: [2025-06-24 15:11:12] [NOTICE] Firefox workaround initialized
Jun 24 15:11:12.028305 osdx dnscrypt-proxy[398311]: [2025-06-24 15:11:12] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpgd8k8yua]
Jun 24 15:11:12.184289 osdx dnscrypt-proxy[398311]: [2025-06-24 15:11:12] [NOTICE] [rd-server] OK (DoH) - rtt: 104ms
Jun 24 15:11:12.184289 osdx dnscrypt-proxy[398311]: [2025-06-24 15:11:12] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 104ms)
Jun 24 15:11:12.184289 osdx dnscrypt-proxy[398311]: [2025-06-24 15:11:12] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Jun 24 15:11:12.192335 osdx OSDxCLI[304734]: User 'admin' executed a new command: 'system journal show | cat'.
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWT8Tw2qzVvd50orB/Vc7ncjsuDusj16sMYw2vuFZJQFrf741JeILnRL
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Jun 24 15:11:19.310234 osdx systemd-journald[165652]: Runtime Journal (/run/log/journal/a9c8f5b24ca148a6b10e0198640df300) is 2.1M, max 15.3M, 13.2M free.
Jun 24 15:11:19.313390 osdx systemd-journald[165652]: Received client request to rotate journal, rotating.
Jun 24 15:11:19.313451 osdx systemd-journald[165652]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a9c8f5b24ca148a6b10e0198640df300.
Jun 24 15:11:19.315698 osdx sudo[399945]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 15:11:19.325106 osdx OSDxCLI[304734]: User 'admin' executed a new command: 'system journal clear'.
Jun 24 15:11:19.607025 osdx OSDxCLI[304734]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 24 15:11:19.887106 osdx OSDxCLI[304734]: User 'admin' entered the configuration menu.
Jun 24 15:11:20.035877 osdx OSDxCLI[304734]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 24 15:11:20.116164 osdx OSDxCLI[304734]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 24 15:11:20.256684 osdx OSDxCLI[304734]: User 'admin' added a new cfg line: 'show working'.
Jun 24 15:11:20.333512 osdx ubnt-cfgd[399970]: inactive
Jun 24 15:11:20.358436 osdx INFO[399978]: FRR daemons did not change
Jun 24 15:11:20.377367 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 24 15:11:20.448471 osdx cfgd[1460]: [304734]Completed change to active configuration
Jun 24 15:11:20.460109 osdx OSDxCLI[304734]: User 'admin' committed the configuration.
Jun 24 15:11:20.476050 osdx OSDxCLI[304734]: User 'admin' left the configuration menu.
Jun 24 15:11:20.612158 osdx OSDxCLI[304734]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 24 15:11:20.854366 osdx OSDxCLI[304734]: User 'admin' entered the configuration menu.
Jun 24 15:11:20.917054 osdx OSDxCLI[304734]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jun 24 15:11:21.033569 osdx OSDxCLI[304734]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jun 24 15:11:21.088668 osdx OSDxCLI[304734]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWT8Tw2qzVvd50orB/Vc7ncjsuDusj16sMYw2vuFZJQFrf741JeILnRL'.
Jun 24 15:11:21.185141 osdx OSDxCLI[304734]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Jun 24 15:11:21.255671 osdx OSDxCLI[304734]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Jun 24 15:11:21.375462 osdx OSDxCLI[304734]: User 'admin' added a new cfg line: 'show working'.
Jun 24 15:11:21.459119 osdx ubnt-cfgd[400129]: inactive
Jun 24 15:11:21.481441 osdx INFO[400137]: FRR daemons did not change
Jun 24 15:11:21.485321 osdx sudo[400140]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 15:11:21.494246 osdx ca-certificates[400152]: Updating certificates in /etc/ssl/certs...
Jun 24 15:11:21.967608 osdx ubnt-cfgd[401151]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Jun 24 15:11:21.975901 osdx ca-certificates[401157]: 1 added, 0 removed; done.
Jun 24 15:11:21.978773 osdx ca-certificates[401163]: Running hooks in /etc/ca-certificates/update.d...
Jun 24 15:11:21.981624 osdx ca-certificates[401165]: done.
Jun 24 15:11:22.049713 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jun 24 15:11:22.051144 osdx cfgd[1460]: [304734]Completed change to active configuration
Jun 24 15:11:22.053979 osdx OSDxCLI[304734]: User 'admin' committed the configuration.
Jun 24 15:11:22.077385 osdx OSDxCLI[304734]: User 'admin' left the configuration menu.
Jun 24 15:11:22.092714 osdx dnscrypt-proxy[401169]: [2025-06-24 15:11:22] [NOTICE] dnscrypt-proxy 2.0.45
Jun 24 15:11:22.092940 osdx dnscrypt-proxy[401169]: [2025-06-24 15:11:22] [NOTICE] Network connectivity detected
Jun 24 15:11:22.092940 osdx dnscrypt-proxy[401169]: [2025-06-24 15:11:22] [NOTICE] Dropping privileges
Jun 24 15:11:22.095280 osdx dnscrypt-proxy[401169]: [2025-06-24 15:11:22] [NOTICE] Network connectivity detected
Jun 24 15:11:22.095324 osdx dnscrypt-proxy[401169]: [2025-06-24 15:11:22] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jun 24 15:11:22.095324 osdx dnscrypt-proxy[401169]: [2025-06-24 15:11:22] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jun 24 15:11:22.096444 osdx dnscrypt-proxy[401169]: [2025-06-24 15:11:22] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-6goddaefk36pjvpa.tmp: permission denied
Jun 24 15:11:22.096444 osdx dnscrypt-proxy[401169]: [2025-06-24 15:11:22] [NOTICE] Source [RD] loaded
Jun 24 15:11:22.096490 osdx dnscrypt-proxy[401169]: [2025-06-24 15:11:22] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Jun 24 15:11:22.096510 osdx dnscrypt-proxy[401169]: [2025-06-24 15:11:22] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Jun 24 15:11:22.096510 osdx dnscrypt-proxy[401169]: [2025-06-24 15:11:22] [NOTICE] Firefox workaround initialized
Jun 24 15:11:22.096510 osdx dnscrypt-proxy[401169]: [2025-06-24 15:11:22] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpt4aakath]
Jun 24 15:11:22.255069 osdx dnscrypt-proxy[401169]: [2025-06-24 15:11:22] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 104ms
Jun 24 15:11:22.255069 osdx dnscrypt-proxy[401169]: [2025-06-24 15:11:22] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 104ms)
Jun 24 15:11:22.255069 osdx dnscrypt-proxy[401169]: [2025-06-24 15:11:22] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key uiuFyDlfC8RszKZSe3QAetEt
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
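An added example, not part of the original test suite or of OSDx: a structural pre-check of the three minisign-key values used above, based on the standard minisign public key layout (base64 of a 2-byte "Ed" tag, an 8-byte key id and a 32-byte Ed25519 key). The function names are illustrative.

```python
import base64
import binascii

# Minisign public key layout (42 bytes once base64-decoded):
#   2 bytes  signature algorithm, the ASCII letters "Ed" (Ed25519)
#   8 bytes  key id
#  32 bytes  Ed25519 public key
ALGORITHM = b"Ed"
KEY_ID_LEN = 8
PUBKEY_LEN = 32
TOTAL_LEN = len(ALGORITHM) + KEY_ID_LEN + PUBKEY_LEN


def parse_minisign_pubkey(text):
    """Return the decoded fields of a minisign public key or raise ValueError."""
    try:
        raw = base64.b64decode(text.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if len(raw) != TOTAL_LEN:
        raise ValueError(f"decoded to {len(raw)} bytes, expected {TOTAL_LEN}")
    if raw[:2] != ALGORITHM:
        raise ValueError(f"unexpected algorithm tag {raw[:2]!r}")
    return {
        "algorithm": raw[:2].decode("ascii"),
        "key_id": raw[2:10].hex(),
        "public_key": raw[10:].hex(),
    }


# The three minisign-key values used by the test cases on this page.
PAGE_KEYS = {
    "valid source": "RWT8Tw2qzVvd50orB/Vc7ncjsuDusj16sMYw2vuFZJQFrf741JeILnRL",
    "invalid source": "uiuFyDlfC8RszKZSe3QAetEt",
    "invalid minisign key": "InvalidMinisignKey==",
}


def check_page_keys():
    """Map each test case name to 'ok' or the reason the key is malformed."""
    results = {}
    for name, key in PAGE_KEYS.items():
        try:
            parse_minisign_pubkey(key)
            results[name] = "ok"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, verdict in check_page_keys().items():
        print(f"{name}: {verdict}")
```

Both negative-test keys are already malformed at this level. A well-formed key that simply belongs to a different signer passes this check and is only rejected when the signature over the downloaded source list is verified.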