Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWRllbitmtufX+k41v8CFHbDM6zrtjCrh4lLiQ1I3/vyj9BhoNr4Y18C
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Nov 12 16:29:22.308118 osdx systemd-journald[1872]: Runtime Journal (/run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99) is 2.1M, max 13.8M, 11.6M free.
Nov 12 16:29:22.309910 osdx systemd-journald[1872]: Received client request to rotate journal, rotating.
Nov 12 16:29:22.309959 osdx systemd-journald[1872]: Vacuuming done, freed 0B of archived journals from /run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99.
Nov 12 16:29:22.318921 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'system journal clear'.
Nov 12 16:29:22.551336 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'system coredump delete all'.
Nov 12 16:29:22.807079 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:29:22.925872 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 12 16:29:22.979225 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 12 16:29:23.074268 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:29:23.131205 osdx ubnt-cfgd[276938]: inactive
Nov 12 16:29:23.151027 osdx INFO[276944]: FRR daemons did not change
Nov 12 16:29:23.173917 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 12 16:29:23.213175 osdx WARNING[277012]: No supported link modes on interface eth0
Nov 12 16:29:23.214558 osdx modulelauncher[277012]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Nov 12 16:29:23.214571 osdx modulelauncher[277012]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Nov 12 16:29:23.215676 osdx modulelauncher[277012]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Nov 12 16:29:23.215685 osdx modulelauncher[277012]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Nov 12 16:29:23.250882 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:29:23.262362 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:29:23.278433 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:29:23.438822 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Nov 12 16:29:23.639832 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:29:23.756333 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 12 16:29:23.871672 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Nov 12 16:29:23.939276 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWRllbitmtufX+k41v8CFHbDM6zrtjCrh4lLiQ1I3/vyj9BhoNr4Y18C'.
Nov 12 16:29:24.045162 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Nov 12 16:29:24.157805 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:29:24.234150 osdx ubnt-cfgd[277099]: inactive
Nov 12 16:29:24.259111 osdx INFO[277107]: FRR daemons did not change
Nov 12 16:29:24.273822 osdx ca-certificates[277123]: Updating certificates in /etc/ssl/certs...
Nov 12 16:29:24.870397 osdx ubnt-cfgd[278135]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 12 16:29:24.880315 osdx ca-certificates[278141]: 1 added, 0 removed; done.
Nov 12 16:29:24.883629 osdx ca-certificates[278147]: Running hooks in /etc/ca-certificates/update.d...
Nov 12 16:29:24.886551 osdx ca-certificates[278149]: done.
Nov 12 16:29:24.958279 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 12 16:29:24.959566 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:29:24.961717 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:29:24.987239 osdx dnscrypt-proxy[278153]: [2025-11-12 16:29:24] [NOTICE] dnscrypt-proxy 2.0.45
Nov 12 16:29:24.987608 osdx dnscrypt-proxy[278153]: [2025-11-12 16:29:24] [NOTICE] Network connectivity detected
Nov 12 16:29:24.987608 osdx dnscrypt-proxy[278153]: [2025-11-12 16:29:24] [NOTICE] Dropping privileges
Nov 12 16:29:24.990976 osdx dnscrypt-proxy[278153]: [2025-11-12 16:29:24] [NOTICE] Network connectivity detected
Nov 12 16:29:24.991064 osdx dnscrypt-proxy[278153]: [2025-11-12 16:29:24] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Nov 12 16:29:24.991064 osdx dnscrypt-proxy[278153]: [2025-11-12 16:29:24] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Nov 12 16:29:24.992671 osdx dnscrypt-proxy[278153]: [2025-11-12 16:29:24] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-qvrsgtibastd5sfo.tmp: permission denied
Nov 12 16:29:24.992671 osdx dnscrypt-proxy[278153]: [2025-11-12 16:29:24] [NOTICE] Source [RD] loaded
Nov 12 16:29:24.992754 osdx dnscrypt-proxy[278153]: [2025-11-12 16:29:24] [WARNING] Missing stamp for server [server-name`]
Nov 12 16:29:24.992754 osdx dnscrypt-proxy[278153]: [2025-11-12 16:29:24] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Nov 12 16:29:24.992754 osdx dnscrypt-proxy[278153]: [2025-11-12 16:29:24] [NOTICE] Firefox workaround initialized
Nov 12 16:29:24.992754 osdx dnscrypt-proxy[278153]: [2025-11-12 16:29:24] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp92ezdzwa]
Nov 12 16:29:24.998757 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:29:25.168190 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'system journal show | cat'.
Nov 12 16:29:25.194926 osdx dnscrypt-proxy[278153]: [2025-11-12 16:29:25] [NOTICE] [rd-server] OK (DoH) - rtt: 127ms
Nov 12 16:29:25.194926 osdx dnscrypt-proxy[278153]: [2025-11-12 16:29:25] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 127ms)
Nov 12 16:29:25.194926 osdx dnscrypt-proxy[278153]: [2025-11-12 16:29:25] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWRllbitmtufX+k41v8CFHbDM6zrtjCrh4lLiQ1I3/vyj9BhoNr4Y18C
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Nov 12 16:29:33.319790 osdx systemd-journald[1872]: Runtime Journal (/run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99) is 1.8M, max 13.8M, 11.9M free.
Nov 12 16:29:33.323316 osdx systemd-journald[1872]: Received client request to rotate journal, rotating.
Nov 12 16:29:33.323390 osdx systemd-journald[1872]: Vacuuming done, freed 0B of archived journals from /run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99.
Nov 12 16:29:33.332191 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'system journal clear'.
Nov 12 16:29:33.603829 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'system coredump delete all'.
Nov 12 16:29:33.874136 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:29:33.961302 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 12 16:29:34.043728 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 12 16:29:34.133420 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:29:34.221653 osdx ubnt-cfgd[279840]: inactive
Nov 12 16:29:34.246730 osdx INFO[279846]: FRR daemons did not change
Nov 12 16:29:34.271319 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 12 16:29:34.318707 osdx WARNING[279914]: No supported link modes on interface eth0
Nov 12 16:29:34.320361 osdx modulelauncher[279914]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Nov 12 16:29:34.320376 osdx modulelauncher[279914]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Nov 12 16:29:34.322108 osdx modulelauncher[279914]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Nov 12 16:29:34.322121 osdx modulelauncher[279914]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Nov 12 16:29:34.358847 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:29:34.370658 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:29:34.398854 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:29:34.568106 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Nov 12 16:29:34.745580 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:29:34.970322 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 12 16:29:35.042514 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Nov 12 16:29:35.188022 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWRllbitmtufX+k41v8CFHbDM6zrtjCrh4lLiQ1I3/vyj9BhoNr4Y18C'.
Nov 12 16:29:35.259035 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Nov 12 16:29:35.359456 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Nov 12 16:29:35.432855 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:29:35.526415 osdx ubnt-cfgd[280002]: inactive
Nov 12 16:29:35.548001 osdx INFO[280010]: FRR daemons did not change
Nov 12 16:29:35.562356 osdx ca-certificates[280026]: Updating certificates in /etc/ssl/certs...
Nov 12 16:29:36.136364 osdx ubnt-cfgd[281038]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 12 16:29:36.147108 osdx ca-certificates[281044]: 1 added, 0 removed; done.
Nov 12 16:29:36.150231 osdx ca-certificates[281050]: Running hooks in /etc/ca-certificates/update.d...
Nov 12 16:29:36.153126 osdx ca-certificates[281052]: done.
Nov 12 16:29:36.219614 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 12 16:29:36.220944 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:29:36.222943 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:29:36.247331 osdx dnscrypt-proxy[281056]: [2025-11-12 16:29:36] [NOTICE] dnscrypt-proxy 2.0.45
Nov 12 16:29:36.247590 osdx dnscrypt-proxy[281056]: [2025-11-12 16:29:36] [NOTICE] Network connectivity detected
Nov 12 16:29:36.247726 osdx dnscrypt-proxy[281056]: [2025-11-12 16:29:36] [NOTICE] Dropping privileges
Nov 12 16:29:36.250494 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:29:36.251918 osdx dnscrypt-proxy[281056]: [2025-11-12 16:29:36] [NOTICE] Network connectivity detected
Nov 12 16:29:36.251985 osdx dnscrypt-proxy[281056]: [2025-11-12 16:29:36] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Nov 12 16:29:36.251985 osdx dnscrypt-proxy[281056]: [2025-11-12 16:29:36] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Nov 12 16:29:36.253654 osdx dnscrypt-proxy[281056]: [2025-11-12 16:29:36] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-youvo6lhgfmafq6w.tmp: permission denied
Nov 12 16:29:36.253654 osdx dnscrypt-proxy[281056]: [2025-11-12 16:29:36] [NOTICE] Source [RD] loaded
Nov 12 16:29:36.253729 osdx dnscrypt-proxy[281056]: [2025-11-12 16:29:36] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Nov 12 16:29:36.253729 osdx dnscrypt-proxy[281056]: [2025-11-12 16:29:36] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Nov 12 16:29:36.253729 osdx dnscrypt-proxy[281056]: [2025-11-12 16:29:36] [NOTICE] Firefox workaround initialized
Nov 12 16:29:36.253729 osdx dnscrypt-proxy[281056]: [2025-11-12 16:29:36] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpoqm8h8jw]
Nov 12 16:29:36.415975 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'system journal show | cat'.
Nov 12 16:29:36.416916 osdx dnscrypt-proxy[281056]: [2025-11-12 16:29:36] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 102ms
Nov 12 16:29:36.416916 osdx dnscrypt-proxy[281056]: [2025-11-12 16:29:36] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 102ms)
Nov 12 16:29:36.416916 osdx dnscrypt-proxy[281056]: [2025-11-12 16:29:36] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key mtavRLxG1pts0SLkMQsFFY8B
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
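The Invalid Source and Invalid Minisign Key scenarios both configure a minisign-key value that is not a well-formed minisign public key. The following is an added example, not code from OSDx or dnscrypt-proxy, that decodes the three key values on this page and checks them against the minisign public-key layout; the function names are hypothetical. It checks structure only: a well-formed key that does not belong to the signer of the source list is rejected later, at signature verification.

```python
import base64
import binascii

# Layout of a minisign public key once base64-decoded (42 bytes in total):
#   2 bytes  signature algorithm, the ASCII letters "Ed" (Ed25519)
#   8 bytes  key id
#  32 bytes  Ed25519 public key
ALG, KEY_ID_LEN, PUBKEY_LEN = b"Ed", 8, 32


def parse_minisign_pubkey(text):
    """Return (key_id, public_key) or raise ValueError if the layout is wrong."""
    try:
        raw = base64.b64decode(text.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    expected = len(ALG) + KEY_ID_LEN + PUBKEY_LEN
    if len(raw) != expected:
        raise ValueError(f"decoded to {len(raw)} bytes, expected {expected}")
    if raw[:2] != ALG:
        raise ValueError(f"unknown signature algorithm {raw[:2]!r}")
    return raw[2:10], raw[10:]


def check_keys(keys):
    """Map each label to 'ok' or the reason the key is rejected."""
    report = {}
    for label, text in keys.items():
        try:
            parse_minisign_pubkey(text)
            report[label] = "ok"
        except ValueError as exc:
            report[label] = f"rejected: {exc}"
    return report


# The three minisign-key values configured in the scenarios on this page.
PAGE_KEYS = {
    "valid source": "RWRllbitmtufX+k41v8CFHbDM6zrtjCrh4lLiQ1I3/vyj9BhoNr4Y18C",
    "invalid source": "mtavRLxG1pts0SLkMQsFFY8B",
    "invalid minisign key": "InvalidMinisignKey==",
}

if __name__ == "__main__":
    for label, verdict in check_keys(PAGE_KEYS).items():
        print(f"{label}: {verdict}")
```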