Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWTZ6wetiXLceClFeytKtKaNauSI1WVwS7kQsyVQ8Wzx819hvdwEgNjg
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run the command 'system journal show | cat' at DUT0 and check that the output matches the following regular expressions:
(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Dec 17 21:37:56.404354 osdx systemd-journald[123332]: Runtime Journal (/run/log/journal/a189e667ab9f46898dbfc92a68a94f73) is 1.8M, max 13.8M, 11.9M free.
Dec 17 21:37:56.407934 osdx systemd-journald[123332]: Received client request to rotate journal, rotating.
Dec 17 21:37:56.408003 osdx systemd-journald[123332]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a189e667ab9f46898dbfc92a68a94f73.
Dec 17 21:37:56.414346 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system journal clear'.
Dec 17 21:37:56.661870 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 17 21:37:56.875533 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:37:57.035583 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 17 21:37:57.091678 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 17 21:37:57.232026 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:37:57.315475 osdx ubnt-cfgd[535324]: inactive
Dec 17 21:37:57.343608 osdx INFO[535330]: FRR daemons did not change
Dec 17 21:37:57.371959 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 17 21:37:57.429810 osdx WARNING[535398]: No supported link modes on interface eth0
Dec 17 21:37:57.431757 osdx modulelauncher[535398]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:37:57.431775 osdx modulelauncher[535398]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:37:57.433452 osdx modulelauncher[535398]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:37:57.433465 osdx modulelauncher[535398]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:37:57.476504 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:37:57.491967 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:37:57.510508 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:37:57.666209 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Dec 17 21:37:57.776258 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system journal show | cat'.
Dec 17 21:37:57.968617 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:37:58.087187 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 17 21:37:58.192263 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Dec 17 21:37:58.262544 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWTZ6wetiXLceClFeytKtKaNauSI1WVwS7kQsyVQ8Wzx819hvdwEgNjg'.
Dec 17 21:37:58.398277 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Dec 17 21:38:00.009015 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:38:00.083938 osdx ubnt-cfgd[535490]: inactive
Dec 17 21:38:00.107127 osdx INFO[535498]: FRR daemons did not change
Dec 17 21:38:00.122361 osdx ca-certificates[535514]: Updating certificates in /etc/ssl/certs...
Dec 17 21:38:00.771579 osdx ubnt-cfgd[536526]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:38:00.780837 osdx ca-certificates[536532]: 1 added, 0 removed; done.
Dec 17 21:38:00.783877 osdx ca-certificates[536538]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:38:00.786766 osdx ca-certificates[536540]: done.
Dec 17 21:38:00.864379 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:38:00.865921 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:38:00.868595 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:38:00.885289 osdx dnscrypt-proxy[536544]: [2025-12-17 21:38:00] [NOTICE] dnscrypt-proxy 2.0.45
Dec 17 21:38:00.885596 osdx dnscrypt-proxy[536544]: [2025-12-17 21:38:00] [NOTICE] Network connectivity detected
Dec 17 21:38:00.885649 osdx dnscrypt-proxy[536544]: [2025-12-17 21:38:00] [NOTICE] Dropping privileges
Dec 17 21:38:00.888534 osdx dnscrypt-proxy[536544]: [2025-12-17 21:38:00] [NOTICE] Network connectivity detected
Dec 17 21:38:00.888633 osdx dnscrypt-proxy[536544]: [2025-12-17 21:38:00] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Dec 17 21:38:00.888633 osdx dnscrypt-proxy[536544]: [2025-12-17 21:38:00] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Dec 17 21:38:00.889904 osdx dnscrypt-proxy[536544]: [2025-12-17 21:38:00] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-hun3cvyhuvpbssnl.tmp: permission denied
Dec 17 21:38:00.889904 osdx dnscrypt-proxy[536544]: [2025-12-17 21:38:00] [NOTICE] Source [RD] loaded
Dec 17 21:38:00.890014 osdx dnscrypt-proxy[536544]: [2025-12-17 21:38:00] [WARNING] Missing stamp for server [server-name`]
Dec 17 21:38:00.890162 osdx dnscrypt-proxy[536544]: [2025-12-17 21:38:00] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Dec 17 21:38:00.890162 osdx dnscrypt-proxy[536544]: [2025-12-17 21:38:00] [NOTICE] Firefox workaround initialized
Dec 17 21:38:00.890250 osdx dnscrypt-proxy[536544]: [2025-12-17 21:38:00] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpoprdzry_]
Dec 17 21:38:00.892168 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:38:01.061349 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system journal show | cat'.
Dec 17 21:38:01.065445 osdx dnscrypt-proxy[536544]: [2025-12-17 21:38:01] [NOTICE] [rd-server] OK (DoH) - rtt: 119ms
Dec 17 21:38:01.065445 osdx dnscrypt-proxy[536544]: [2025-12-17 21:38:01] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 119ms)
Dec 17 21:38:01.065445 osdx dnscrypt-proxy[536544]: [2025-12-17 21:38:01] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWTZ6wetiXLceClFeytKtKaNauSI1WVwS7kQsyVQ8Wzx819hvdwEgNjg
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run the command 'system journal show | cat' at DUT0 and check that the output matches the following regular expressions:
(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Dec 17 21:38:09.356382 osdx systemd-journald[123332]: Runtime Journal (/run/log/journal/a189e667ab9f46898dbfc92a68a94f73) is 1.8M, max 13.8M, 11.9M free.
Dec 17 21:38:09.364394 osdx systemd-journald[123332]: Received client request to rotate journal, rotating.
Dec 17 21:38:09.364490 osdx systemd-journald[123332]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a189e667ab9f46898dbfc92a68a94f73.
Dec 17 21:38:09.378622 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system journal clear'.
Dec 17 21:38:09.714950 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 17 21:38:10.093414 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:38:10.236679 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 17 21:38:10.307579 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 17 21:38:10.478687 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:38:10.555285 osdx ubnt-cfgd[538230]: inactive
Dec 17 21:38:10.581230 osdx INFO[538236]: FRR daemons did not change
Dec 17 21:38:10.614349 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 17 21:38:10.678578 osdx WARNING[538304]: No supported link modes on interface eth0
Dec 17 21:38:10.681141 osdx modulelauncher[538304]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:38:10.681158 osdx modulelauncher[538304]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:38:10.682891 osdx modulelauncher[538304]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:38:10.682903 osdx modulelauncher[538304]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:38:10.737260 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:38:10.751636 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:38:10.770819 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:38:10.953471 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Dec 17 21:38:11.035675 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system journal show | cat'.
Dec 17 21:38:11.228415 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:38:11.319669 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 17 21:38:11.387816 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Dec 17 21:38:11.488288 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWTZ6wetiXLceClFeytKtKaNauSI1WVwS7kQsyVQ8Wzx819hvdwEgNjg'.
Dec 17 21:38:11.576677 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Dec 17 21:38:11.680218 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Dec 17 21:38:11.865425 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:38:11.946386 osdx ubnt-cfgd[538397]: inactive
Dec 17 21:38:11.977427 osdx INFO[538405]: FRR daemons did not change
Dec 17 21:38:11.996501 osdx ca-certificates[538421]: Updating certificates in /etc/ssl/certs...
Dec 17 21:38:12.669616 osdx ubnt-cfgd[539433]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:38:12.678029 osdx ca-certificates[539439]: 1 added, 0 removed; done.
Dec 17 21:38:12.681493 osdx ca-certificates[539445]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:38:12.685186 osdx ca-certificates[539447]: done.
Dec 17 21:38:12.758916 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:38:12.760905 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:38:12.763936 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:38:12.788133 osdx dnscrypt-proxy[539451]: [2025-12-17 21:38:12] [NOTICE] dnscrypt-proxy 2.0.45
Dec 17 21:38:12.788427 osdx dnscrypt-proxy[539451]: [2025-12-17 21:38:12] [NOTICE] Network connectivity detected
Dec 17 21:38:12.788468 osdx dnscrypt-proxy[539451]: [2025-12-17 21:38:12] [NOTICE] Dropping privileges
Dec 17 21:38:12.791291 osdx dnscrypt-proxy[539451]: [2025-12-17 21:38:12] [NOTICE] Network connectivity detected
Dec 17 21:38:12.791365 osdx dnscrypt-proxy[539451]: [2025-12-17 21:38:12] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Dec 17 21:38:12.791365 osdx dnscrypt-proxy[539451]: [2025-12-17 21:38:12] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Dec 17 21:38:12.792882 osdx dnscrypt-proxy[539451]: [2025-12-17 21:38:12] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-3nlyxcgsojrbgebk.tmp: permission denied
Dec 17 21:38:12.792882 osdx dnscrypt-proxy[539451]: [2025-12-17 21:38:12] [NOTICE] Source [RD] loaded
Dec 17 21:38:12.792957 osdx dnscrypt-proxy[539451]: [2025-12-17 21:38:12] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Dec 17 21:38:12.792957 osdx dnscrypt-proxy[539451]: [2025-12-17 21:38:12] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Dec 17 21:38:12.792957 osdx dnscrypt-proxy[539451]: [2025-12-17 21:38:12] [NOTICE] Firefox workaround initialized
Dec 17 21:38:12.792957 osdx dnscrypt-proxy[539451]: [2025-12-17 21:38:12] [NOTICE] Loading the set of cloaking rules from [/tmp/tmps2991ykf]
Dec 17 21:38:12.793471 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:38:12.968608 osdx dnscrypt-proxy[539451]: [2025-12-17 21:38:12] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 116ms
Dec 17 21:38:12.968608 osdx dnscrypt-proxy[539451]: [2025-12-17 21:38:12] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 116ms)
Dec 17 21:38:12.968608 osdx dnscrypt-proxy[539451]: [2025-12-17 21:38:12] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key 5AJWKKLj0j5dQ6nbDXkqLZ0t
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
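Added example (not part of the original test suite, and not OSDx or dnscrypt-proxy code): a structural pre-check of the minisign-key values used in the test cases above, based on the minisign public key layout of a 2-byte algorithm tag, an 8-byte key ID and a 32-byte Ed25519 key. The names check_minisign_pubkey, audit_config and SAMPLES are illustrative; the key strings are copied from this page's configurations.

```python
import base64
import binascii
import re

# Minisign public key: base64 of a 2-byte algorithm tag ("Ed"), an 8-byte
# key ID and a 32-byte Ed25519 public key (42 bytes, 56 base64 characters).
ALG_TAG, KEY_ID_LEN, ED25519_LEN = b"Ed", 8, 32
RAW_LEN = len(ALG_TAG) + KEY_ID_LEN + ED25519_LEN

# Matches the OSDx CLI line that sets the key for a named source.
KEY_LINE = re.compile(
    r"^set service dns proxy source (\S+) minisign-key (\S+)\s*$", re.M)


def check_minisign_pubkey(text):
    """Return (ok, detail) for a base64-encoded minisign public key."""
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"not valid base64: {exc}"
    if len(raw) != RAW_LEN:
        return False, f"decoded length {len(raw)}, expected {RAW_LEN}"
    if raw[:len(ALG_TAG)] != ALG_TAG:
        return False, f"unexpected algorithm tag {raw[:2]!r}"
    return True, f"key ID bytes {raw[2:2 + KEY_ID_LEN].hex()}"


def audit_config(config_text):
    """Map each configured source name to the result of the key check."""
    return {name: check_minisign_pubkey(key)
            for name, key in KEY_LINE.findall(config_text)}


# Configuration lines copied from the three test cases on this page.
SAMPLES = {
    "Valid Source": "set service dns proxy source RD minisign-key "
                    "RWTZ6wetiXLceClFeytKtKaNauSI1WVwS7kQsyVQ8Wzx819hvdwEgNjg",
    "Invalid Source": "set service dns proxy source RD minisign-key "
                      "5AJWKKLj0j5dQ6nbDXkqLZ0t",
    "Invalid Minisign Key": "set service dns proxy source RD minisign-key "
                            "InvalidMinisignKey==",
}

if __name__ == "__main__":
    for test_name, config in SAMPLES.items():
        for source, (ok, detail) in audit_config(config).items():
            print(f"{test_name}: source {source}: "
                  f"{'OK' if ok else 'REJECT'} ({detail})")
```

A key that passes this check is only well-formed; whether it is the right key for the source is decided by the proxy's signature verification of the downloaded list, which matters here because the source URL is plain HTTP.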