Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWQZ2ymJR3cx/DW7dLf6oNoOvkA9YNwkwOg+z0mItse52IYE3slBR8rF
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run the command 'system journal show | cat' at DUT0 and check that the output matches the following regular expressions:
(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Oct 10 22:45:33.313608 osdx systemd-journald[246736]: Runtime Journal (/run/log/journal/d6792964fe7547c9a60a3d774aa97dac) is 1.8M, max 13.8M, 11.9M free.
Oct 10 22:45:33.315185 osdx systemd-journald[246736]: Received client request to rotate journal, rotating.
Oct 10 22:45:33.315231 osdx systemd-journald[246736]: Vacuuming done, freed 0B of archived journals from /run/log/journal/d6792964fe7547c9a60a3d774aa97dac.
Oct 10 22:45:33.323288 osdx OSDxCLI[472467]: User 'admin' executed a new command: 'system journal clear'.
Oct 10 22:45:33.528724 osdx OSDxCLI[472467]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 10 22:45:33.843776 osdx OSDxCLI[472467]: User 'admin' entered the configuration menu.
Oct 10 22:45:33.918766 osdx OSDxCLI[472467]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 10 22:45:33.998222 osdx OSDxCLI[472467]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 10 22:45:34.196728 osdx OSDxCLI[472467]: User 'admin' added a new cfg line: 'show working'.
Oct 10 22:45:34.323139 osdx ubnt-cfgd[537075]: inactive
Oct 10 22:45:34.342819 osdx INFO[537081]: FRR daemons did not change
Oct 10 22:45:34.363198 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 10 22:45:34.413401 osdx WARNING[537149]: No supported link modes on interface eth0
Oct 10 22:45:34.414770 osdx modulelauncher[537149]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Oct 10 22:45:34.414782 osdx modulelauncher[537149]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Oct 10 22:45:34.415941 osdx modulelauncher[537149]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Oct 10 22:45:34.415950 osdx modulelauncher[537149]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Oct 10 22:45:34.479661 osdx cfgd[1464]: [472467]Completed change to active configuration
Oct 10 22:45:34.497060 osdx OSDxCLI[472467]: User 'admin' committed the configuration.
Oct 10 22:45:34.537953 osdx OSDxCLI[472467]: User 'admin' left the configuration menu.
Oct 10 22:45:34.727687 osdx OSDxCLI[472467]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Oct 10 22:45:34.978707 osdx OSDxCLI[472467]: User 'admin' entered the configuration menu.
Oct 10 22:45:35.082517 osdx OSDxCLI[472467]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 10 22:45:35.153795 osdx OSDxCLI[472467]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Oct 10 22:45:35.259129 osdx OSDxCLI[472467]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQZ2ymJR3cx/DW7dLf6oNoOvkA9YNwkwOg+z0mItse52IYE3slBR8rF'.
Oct 10 22:45:35.409854 osdx OSDxCLI[472467]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Oct 10 22:45:35.892543 osdx OSDxCLI[472467]: User 'admin' added a new cfg line: 'show working'.
Oct 10 22:45:35.992646 osdx ubnt-cfgd[537236]: inactive
Oct 10 22:45:36.018447 osdx INFO[537244]: FRR daemons did not change
Oct 10 22:45:36.032515 osdx ca-certificates[537260]: Updating certificates in /etc/ssl/certs...
Oct 10 22:45:36.656528 osdx ubnt-cfgd[538272]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Oct 10 22:45:36.664969 osdx ca-certificates[538277]: 1 added, 0 removed; done.
Oct 10 22:45:36.668247 osdx ca-certificates[538284]: Running hooks in /etc/ca-certificates/update.d...
Oct 10 22:45:36.671530 osdx ca-certificates[538286]: done.
Oct 10 22:45:36.727722 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 10 22:45:36.729338 osdx cfgd[1464]: [472467]Completed change to active configuration
Oct 10 22:45:36.732837 osdx OSDxCLI[472467]: User 'admin' committed the configuration.
Oct 10 22:45:36.748439 osdx dnscrypt-proxy[538290]: [2025-10-10 22:45:36] [NOTICE] dnscrypt-proxy 2.0.45
Oct 10 22:45:36.748716 osdx dnscrypt-proxy[538290]: [2025-10-10 22:45:36] [NOTICE] Network connectivity detected
Oct 10 22:45:36.748760 osdx dnscrypt-proxy[538290]: [2025-10-10 22:45:36] [NOTICE] Dropping privileges
Oct 10 22:45:36.749552 osdx OSDxCLI[472467]: User 'admin' left the configuration menu.
Oct 10 22:45:36.752008 osdx dnscrypt-proxy[538290]: [2025-10-10 22:45:36] [NOTICE] Network connectivity detected
Oct 10 22:45:36.752076 osdx dnscrypt-proxy[538290]: [2025-10-10 22:45:36] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Oct 10 22:45:36.752076 osdx dnscrypt-proxy[538290]: [2025-10-10 22:45:36] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Oct 10 22:45:37.080933 osdx dnscrypt-proxy[538290]: [2025-10-10 22:45:37] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-vq4dzcqpsitisuup.tmp: permission denied
Oct 10 22:45:37.080933 osdx dnscrypt-proxy[538290]: [2025-10-10 22:45:37] [NOTICE] Source [RD] loaded
Oct 10 22:45:37.080933 osdx dnscrypt-proxy[538290]: [2025-10-10 22:45:37] [WARNING] Missing stamp for server [server-name`]
Oct 10 22:45:37.080933 osdx dnscrypt-proxy[538290]: [2025-10-10 22:45:37] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Oct 10 22:45:37.080933 osdx dnscrypt-proxy[538290]: [2025-10-10 22:45:37] [NOTICE] Firefox workaround initialized
Oct 10 22:45:37.080933 osdx dnscrypt-proxy[538290]: [2025-10-10 22:45:37] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpexdcxr10]
Oct 10 22:45:37.182090 osdx OSDxCLI[472467]: User 'admin' executed a new command: 'system journal show | cat'.
Oct 10 22:45:37.415896 osdx dnscrypt-proxy[538290]: [2025-10-10 22:45:37] [NOTICE] [rd-server] OK (DoH) - rtt: 106ms
Oct 10 22:45:37.415896 osdx dnscrypt-proxy[538290]: [2025-10-10 22:45:37] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 106ms)
Oct 10 22:45:37.415896 osdx dnscrypt-proxy[538290]: [2025-10-10 22:45:37] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicated servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWQZ2ymJR3cx/DW7dLf6oNoOvkA9YNwkwOg+z0mItse52IYE3slBR8rF
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run the command 'system journal show | cat' at DUT0 and check that the output matches the following regular expressions:
(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Oct 10 22:45:45.326379 osdx systemd-journald[246736]: Runtime Journal (/run/log/journal/d6792964fe7547c9a60a3d774aa97dac) is 1.8M, max 13.8M, 11.9M free.
Oct 10 22:45:45.329079 osdx systemd-journald[246736]: Received client request to rotate journal, rotating.
Oct 10 22:45:45.329138 osdx systemd-journald[246736]: Vacuuming done, freed 0B of archived journals from /run/log/journal/d6792964fe7547c9a60a3d774aa97dac.
Oct 10 22:45:45.337613 osdx OSDxCLI[472467]: User 'admin' executed a new command: 'system journal clear'.
Oct 10 22:45:45.588396 osdx OSDxCLI[472467]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 10 22:45:45.957368 osdx OSDxCLI[472467]: User 'admin' entered the configuration menu.
Oct 10 22:45:46.032714 osdx OSDxCLI[472467]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 10 22:45:46.137989 osdx OSDxCLI[472467]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 10 22:45:46.208715 osdx OSDxCLI[472467]: User 'admin' added a new cfg line: 'show working'.
Oct 10 22:45:46.300025 osdx ubnt-cfgd[539973]: inactive
Oct 10 22:45:46.317783 osdx INFO[539979]: FRR daemons did not change
Oct 10 22:45:46.341084 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 10 22:45:46.381671 osdx WARNING[540047]: No supported link modes on interface eth0
Oct 10 22:45:46.383412 osdx modulelauncher[540047]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Oct 10 22:45:46.383433 osdx modulelauncher[540047]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Oct 10 22:45:46.384887 osdx modulelauncher[540047]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Oct 10 22:45:46.384898 osdx modulelauncher[540047]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Oct 10 22:45:46.419661 osdx cfgd[1464]: [472467]Completed change to active configuration
Oct 10 22:45:46.431037 osdx OSDxCLI[472467]: User 'admin' committed the configuration.
Oct 10 22:45:46.502044 osdx OSDxCLI[472467]: User 'admin' left the configuration menu.
Oct 10 22:45:46.637926 osdx OSDxCLI[472467]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Oct 10 22:45:46.795312 osdx OSDxCLI[472467]: User 'admin' entered the configuration menu.
Oct 10 22:45:46.852996 osdx OSDxCLI[472467]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 10 22:45:46.964022 osdx OSDxCLI[472467]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Oct 10 22:45:47.018370 osdx OSDxCLI[472467]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWQZ2ymJR3cx/DW7dLf6oNoOvkA9YNwkwOg+z0mItse52IYE3slBR8rF'.
Oct 10 22:45:47.107546 osdx OSDxCLI[472467]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Oct 10 22:45:47.158504 osdx OSDxCLI[472467]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Oct 10 22:45:47.359653 osdx OSDxCLI[472467]: User 'admin' added a new cfg line: 'show working'.
Oct 10 22:45:47.425110 osdx ubnt-cfgd[540135]: inactive
Oct 10 22:45:47.457421 osdx INFO[540143]: FRR daemons did not change
Oct 10 22:45:47.472773 osdx ca-certificates[540159]: Updating certificates in /etc/ssl/certs...
Oct 10 22:45:48.014752 osdx ubnt-cfgd[541171]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Oct 10 22:45:48.024883 osdx ca-certificates[541176]: 1 added, 0 removed; done.
Oct 10 22:45:48.028523 osdx ca-certificates[541183]: Running hooks in /etc/ca-certificates/update.d...
Oct 10 22:45:48.032208 osdx ca-certificates[541185]: done.
Oct 10 22:45:48.101543 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 10 22:45:48.102812 osdx cfgd[1464]: [472467]Completed change to active configuration
Oct 10 22:45:48.105131 osdx OSDxCLI[472467]: User 'admin' committed the configuration.
Oct 10 22:45:48.125299 osdx OSDxCLI[472467]: User 'admin' left the configuration menu.
Oct 10 22:45:48.126865 osdx dnscrypt-proxy[541189]: [2025-10-10 22:45:48] [NOTICE] dnscrypt-proxy 2.0.45
Oct 10 22:45:48.127041 osdx dnscrypt-proxy[541189]: [2025-10-10 22:45:48] [NOTICE] Network connectivity detected
Oct 10 22:45:48.127101 osdx dnscrypt-proxy[541189]: [2025-10-10 22:45:48] [NOTICE] Dropping privileges
Oct 10 22:45:48.129119 osdx dnscrypt-proxy[541189]: [2025-10-10 22:45:48] [NOTICE] Network connectivity detected
Oct 10 22:45:48.129168 osdx dnscrypt-proxy[541189]: [2025-10-10 22:45:48] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Oct 10 22:45:48.129168 osdx dnscrypt-proxy[541189]: [2025-10-10 22:45:48] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Oct 10 22:45:48.130483 osdx dnscrypt-proxy[541189]: [2025-10-10 22:45:48] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-qpyss43mizsumzgn.tmp: permission denied
Oct 10 22:45:48.130483 osdx dnscrypt-proxy[541189]: [2025-10-10 22:45:48] [NOTICE] Source [RD] loaded
Oct 10 22:45:48.130543 osdx dnscrypt-proxy[541189]: [2025-10-10 22:45:48] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Oct 10 22:45:48.130543 osdx dnscrypt-proxy[541189]: [2025-10-10 22:45:48] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Oct 10 22:45:48.130543 osdx dnscrypt-proxy[541189]: [2025-10-10 22:45:48] [NOTICE] Firefox workaround initialized
Oct 10 22:45:48.130543 osdx dnscrypt-proxy[541189]: [2025-10-10 22:45:48] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpjfes23hs]
Oct 10 22:45:48.285890 osdx OSDxCLI[472467]: User 'admin' executed a new command: 'system journal show | cat'.
Oct 10 22:45:48.360033 osdx dnscrypt-proxy[541189]: [2025-10-10 22:45:48] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 148ms
Oct 10 22:45:48.360033 osdx dnscrypt-proxy[541189]: [2025-10-10 22:45:48] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 148ms)
Oct 10 22:45:48.360033 osdx dnscrypt-proxy[541189]: [2025-10-10 22:45:48] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key qKTqaqW8ffawfOIZN3pycl7r
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
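
The source list in these scenarios is fetched over plain HTTP, so the pinned minisign key is the integrity check, and both failing scenarios (Invalid Source and Invalid Minisign Key) use key strings that are not structurally valid minisign public keys. The following added example, which is not part of the test suite or of dnscrypt-proxy, decodes a pinned key and compares its key ID with the one in a detached signature before any Ed25519 verification would run. The function names are hypothetical and the signature file is a constructed placeholder, since the page does not show one; the key strings are those from the scenarios.

```python
import base64
import binascii

# Public key: base64(2-byte tag "Ed" | 8-byte key ID | 32-byte Ed25519 key) = 42 bytes.
# Signature line: base64(tag "Ed" or "ED" (prehashed) | 8-byte key ID | 64-byte sig) = 74 bytes.
VALID_KEY = "RWQZ2ymJR3cx/DW7dLf6oNoOvkA9YNwkwOg+z0mItse52IYE3slBR8rF"  # from the page


def _decode(encoded: str, length: int, tags: tuple) -> bytes:
    try:
        raw = base64.b64decode(encoded.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    if len(raw) != length:
        raise ValueError(f"decoded length {len(raw)} bytes, expected {length}")
    if raw[:2] not in tags:
        raise ValueError(f"unexpected algorithm tag {raw[:2]!r}")
    return raw


def public_key_id(encoded_key: str) -> bytes:
    """Return the 8-byte key ID of a structurally valid minisign public key."""
    return _decode(encoded_key, 42, (b"Ed",))[2:10]


def signature_key_id(minisig_text: str) -> bytes:
    """Return the key ID from the signature line of a .minisig file."""
    lines = minisig_text.splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment:"):
        raise ValueError("not a minisign signature file")
    return _decode(lines[1], 74, (b"Ed", b"ED"))[2:10]


def precheck(encoded_key: str, minisig_text: str) -> str:
    """Cheap structural checks to run before Ed25519 verification."""
    try:
        pinned = public_key_id(encoded_key)
        signed_by = signature_key_id(minisig_text)
    except ValueError as exc:
        return f"reject: {exc}"
    if pinned != signed_by:
        return "reject: signature was made with a different key"
    return "proceed to signature verification"


def constructed_minisig(key_id: bytes) -> str:
    """Build a placeholder .minisig (all-zero signature bytes) for the demo."""
    sig = base64.b64encode(b"ED" + key_id + bytes(64)).decode()
    return f"untrusted comment: constructed sample\n{sig}\n"
```

Passing `precheck` only means the key and signature are well-formed and refer to the same key; the Ed25519 signature itself must still verify.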