Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWSp+fLgUiQZJWe5Ee+Vp3PM/pKBcULw0l6/NtDiDKcv3mbcvXq5YUGT
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Apr 06 14:19:32.307724 osdx systemd-journald[1969]: Runtime Journal (/run/log/journal/8555dfc266884f30a3544832475c4d6c) is 1.8M, max 13.8M, 11.9M free.
Apr 06 14:19:32.308665 osdx systemd-journald[1969]: Received client request to rotate journal, rotating.
Apr 06 14:19:32.308731 osdx systemd-journald[1969]: Vacuuming done, freed 0B of archived journals from /run/log/journal/8555dfc266884f30a3544832475c4d6c.
Apr 06 14:19:32.319471 osdx OSDxCLI[10275]: User 'admin' executed a new command: 'system journal clear'.
Apr 06 14:19:32.591514 osdx OSDxCLI[10275]: User 'admin' executed a new command: 'system coredump delete all'.
Apr 06 14:19:32.849467 osdx OSDxCLI[10275]: User 'admin' entered the configuration menu.
Apr 06 14:19:32.928038 osdx OSDxCLI[10275]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Apr 06 14:19:33.016409 osdx OSDxCLI[10275]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 06 14:19:33.077353 osdx OSDxCLI[10275]: User 'admin' added a new cfg line: 'show working'.
Apr 06 14:19:33.167115 osdx ubnt-cfgd[23447]: inactive
Apr 06 14:19:33.184830 osdx INFO[23453]: FRR daemons did not change
Apr 06 14:19:33.208664 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Apr 06 14:19:33.252005 osdx WARNING[23521]: No supported link modes on interface eth0
Apr 06 14:19:33.253563 osdx modulelauncher[23521]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Apr 06 14:19:33.253577 osdx modulelauncher[23521]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Apr 06 14:19:33.255208 osdx modulelauncher[23521]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Apr 06 14:19:33.255215 osdx modulelauncher[23521]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Apr 06 14:19:33.288437 osdx cfgd[1666]: [10275]Completed change to active configuration
Apr 06 14:19:33.309524 osdx OSDxCLI[10275]: User 'admin' committed the configuration.
Apr 06 14:19:33.325838 osdx OSDxCLI[10275]: User 'admin' left the configuration menu.
Apr 06 14:19:33.464664 osdx OSDxCLI[10275]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Apr 06 14:19:33.530587 osdx OSDxCLI[10275]: User 'admin' executed a new command: 'system journal show | cat'.
Apr 06 14:19:33.666163 osdx OSDxCLI[10275]: User 'admin' entered the configuration menu.
Apr 06 14:19:33.733891 osdx OSDxCLI[10275]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Apr 06 14:19:33.827908 osdx OSDxCLI[10275]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Apr 06 14:19:33.882612 osdx OSDxCLI[10275]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWSp+fLgUiQZJWe5Ee+Vp3PM/pKBcULw0l6/NtDiDKcv3mbcvXq5YUGT'.
Apr 06 14:19:33.963432 osdx OSDxCLI[10275]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Apr 06 14:19:34.026993 osdx OSDxCLI[10275]: User 'admin' added a new cfg line: 'show working'.
Apr 06 14:19:34.119617 osdx ubnt-cfgd[23613]: inactive
Apr 06 14:19:34.139862 osdx INFO[23621]: FRR daemons did not change
Apr 06 14:19:34.162403 osdx ca-certificates[23637]: Updating certificates in /etc/ssl/certs...
Apr 06 14:19:34.700943 osdx ubnt-cfgd[24649]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Apr 06 14:19:34.714345 osdx ca-certificates[24653]: 1 added, 0 removed; done.
Apr 06 14:19:34.718095 osdx ca-certificates[24661]: Running hooks in /etc/ca-certificates/update.d...
Apr 06 14:19:34.720826 osdx ca-certificates[24663]: done.
Apr 06 14:19:34.797609 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Apr 06 14:19:34.800603 osdx cfgd[1666]: [10275]Completed change to active configuration
Apr 06 14:19:34.805864 osdx OSDxCLI[10275]: User 'admin' committed the configuration.
Apr 06 14:19:34.839321 osdx OSDxCLI[10275]: User 'admin' left the configuration menu.
Apr 06 14:19:35.009024 osdx dnscrypt-proxy[24667]: [2026-04-06 14:19:35] [NOTICE] dnscrypt-proxy 2.0.45
Apr 06 14:19:35.009319 osdx dnscrypt-proxy[24667]: [2026-04-06 14:19:35] [NOTICE] Network connectivity detected
Apr 06 14:19:35.009319 osdx dnscrypt-proxy[24667]: [2026-04-06 14:19:35] [NOTICE] Dropping privileges
Apr 06 14:19:35.012535 osdx dnscrypt-proxy[24667]: [2026-04-06 14:19:35] [NOTICE] Network connectivity detected
Apr 06 14:19:35.012619 osdx dnscrypt-proxy[24667]: [2026-04-06 14:19:35] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Apr 06 14:19:35.012619 osdx dnscrypt-proxy[24667]: [2026-04-06 14:19:35] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Apr 06 14:19:35.018026 osdx dnscrypt-proxy[24667]: [2026-04-06 14:19:35] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-zpuwzx7nb7m7ivhx.tmp: permission denied
Apr 06 14:19:35.018026 osdx dnscrypt-proxy[24667]: [2026-04-06 14:19:35] [NOTICE] Source [RD] loaded
Apr 06 14:19:35.018110 osdx dnscrypt-proxy[24667]: [2026-04-06 14:19:35] [WARNING] Missing stamp for server [server-name`]
Apr 06 14:19:35.018110 osdx dnscrypt-proxy[24667]: [2026-04-06 14:19:35] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Apr 06 14:19:35.018110 osdx dnscrypt-proxy[24667]: [2026-04-06 14:19:35] [NOTICE] Firefox workaround initialized
Apr 06 14:19:35.018110 osdx dnscrypt-proxy[24667]: [2026-04-06 14:19:35] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpxnqos8wb]
Apr 06 14:19:35.055701 osdx OSDxCLI[10275]: User 'admin' executed a new command: 'system journal show | cat'.
Apr 06 14:19:35.069454 osdx dnscrypt-proxy[24667]: [2026-04-06 14:19:35] [NOTICE] [rd-server] OK (DoH) - rtt: 24ms
Apr 06 14:19:35.069454 osdx dnscrypt-proxy[24667]: [2026-04-06 14:19:35] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 24ms)
Apr 06 14:19:35.069454 osdx dnscrypt-proxy[24667]: [2026-04-06 14:19:35] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWSp+fLgUiQZJWe5Ee+Vp3PM/pKBcULw0l6/NtDiDKcv3mbcvXq5YUGT
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Apr 06 14:19:42.280864 osdx systemd-journald[1969]: Runtime Journal (/run/log/journal/8555dfc266884f30a3544832475c4d6c) is 1.8M, max 13.8M, 11.9M free.
Apr 06 14:19:42.284336 osdx systemd-journald[1969]: Received client request to rotate journal, rotating.
Apr 06 14:19:42.284386 osdx systemd-journald[1969]: Vacuuming done, freed 0B of archived journals from /run/log/journal/8555dfc266884f30a3544832475c4d6c.
Apr 06 14:19:42.291660 osdx OSDxCLI[10275]: User 'admin' executed a new command: 'system journal clear'.
Apr 06 14:19:42.502042 osdx OSDxCLI[10275]: User 'admin' executed a new command: 'system coredump delete all'.
Apr 06 14:19:42.711658 osdx OSDxCLI[10275]: User 'admin' entered the configuration menu.
Apr 06 14:19:42.834841 osdx OSDxCLI[10275]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Apr 06 14:19:42.890701 osdx OSDxCLI[10275]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 06 14:19:42.992621 osdx OSDxCLI[10275]: User 'admin' added a new cfg line: 'show working'.
Apr 06 14:19:43.051038 osdx ubnt-cfgd[26363]: inactive
Apr 06 14:19:43.068803 osdx INFO[26369]: FRR daemons did not change
Apr 06 14:19:43.092345 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Apr 06 14:19:43.135466 osdx WARNING[26437]: No supported link modes on interface eth0
Apr 06 14:19:43.136921 osdx modulelauncher[26437]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Apr 06 14:19:43.136931 osdx modulelauncher[26437]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Apr 06 14:19:43.138123 osdx modulelauncher[26437]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Apr 06 14:19:43.138133 osdx modulelauncher[26437]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Apr 06 14:19:43.175579 osdx cfgd[1666]: [10275]Completed change to active configuration
Apr 06 14:19:43.186326 osdx OSDxCLI[10275]: User 'admin' committed the configuration.
Apr 06 14:19:43.220093 osdx OSDxCLI[10275]: User 'admin' left the configuration menu.
Apr 06 14:19:43.370965 osdx OSDxCLI[10275]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Apr 06 14:19:43.445870 osdx OSDxCLI[10275]: User 'admin' executed a new command: 'system journal show | cat'.
Apr 06 14:19:43.576938 osdx OSDxCLI[10275]: User 'admin' entered the configuration menu.
Apr 06 14:19:43.633322 osdx OSDxCLI[10275]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Apr 06 14:19:43.731039 osdx OSDxCLI[10275]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Apr 06 14:19:43.783097 osdx OSDxCLI[10275]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWSp+fLgUiQZJWe5Ee+Vp3PM/pKBcULw0l6/NtDiDKcv3mbcvXq5YUGT'.
Apr 06 14:19:43.874130 osdx OSDxCLI[10275]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Apr 06 14:19:43.927919 osdx OSDxCLI[10275]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Apr 06 14:19:44.035635 osdx OSDxCLI[10275]: User 'admin' added a new cfg line: 'show working'.
Apr 06 14:19:44.094728 osdx ubnt-cfgd[26530]: inactive
Apr 06 14:19:44.112967 osdx INFO[26538]: FRR daemons did not change
Apr 06 14:19:44.125383 osdx ca-certificates[26553]: Updating certificates in /etc/ssl/certs...
Apr 06 14:19:44.635881 osdx ubnt-cfgd[27566]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Apr 06 14:19:44.643242 osdx ca-certificates[27572]: 1 added, 0 removed; done.
Apr 06 14:19:44.646103 osdx ca-certificates[27578]: Running hooks in /etc/ca-certificates/update.d...
Apr 06 14:19:44.648798 osdx ca-certificates[27580]: done.
Apr 06 14:19:44.732703 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Apr 06 14:19:44.733958 osdx cfgd[1666]: [10275]Completed change to active configuration
Apr 06 14:19:44.735952 osdx OSDxCLI[10275]: User 'admin' committed the configuration.
Apr 06 14:19:44.750498 osdx OSDxCLI[10275]: User 'admin' left the configuration menu.
Apr 06 14:19:44.751974 osdx dnscrypt-proxy[27584]: [2026-04-06 14:19:44] [NOTICE] dnscrypt-proxy 2.0.45
Apr 06 14:19:44.752166 osdx dnscrypt-proxy[27584]: [2026-04-06 14:19:44] [NOTICE] Network connectivity detected
Apr 06 14:19:44.752238 osdx dnscrypt-proxy[27584]: [2026-04-06 14:19:44] [NOTICE] Dropping privileges
Apr 06 14:19:44.754507 osdx dnscrypt-proxy[27584]: [2026-04-06 14:19:44] [NOTICE] Network connectivity detected
Apr 06 14:19:44.754561 osdx dnscrypt-proxy[27584]: [2026-04-06 14:19:44] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Apr 06 14:19:44.754561 osdx dnscrypt-proxy[27584]: [2026-04-06 14:19:44] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Apr 06 14:19:44.755496 osdx dnscrypt-proxy[27584]: [2026-04-06 14:19:44] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-vsq7jpuj3cl7up56.tmp: permission denied
Apr 06 14:19:44.755496 osdx dnscrypt-proxy[27584]: [2026-04-06 14:19:44] [NOTICE] Source [RD] loaded
Apr 06 14:19:44.755586 osdx dnscrypt-proxy[27584]: [2026-04-06 14:19:44] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Apr 06 14:19:44.755586 osdx dnscrypt-proxy[27584]: [2026-04-06 14:19:44] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Apr 06 14:19:44.755586 osdx dnscrypt-proxy[27584]: [2026-04-06 14:19:44] [NOTICE] Firefox workaround initialized
Apr 06 14:19:44.755586 osdx dnscrypt-proxy[27584]: [2026-04-06 14:19:44] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpfcgh56j3]
Apr 06 14:19:44.783787 osdx dnscrypt-proxy[27584]: [2026-04-06 14:19:44] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 12ms
Apr 06 14:19:44.783787 osdx dnscrypt-proxy[27584]: [2026-04-06 14:19:44] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 12ms)
Apr 06 14:19:44.783787 osdx dnscrypt-proxy[27584]: [2026-04-06 14:19:44] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key ZoVqiAoW1FUi52DQWGhkf4Jm
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
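Added example (not part of the test suite, OSDx or dnscrypt-proxy): a structural pre-check for the minisign-key values used in the Valid Source, Invalid Source and Invalid Minisign Key scenarios above. It assumes the standard minisign public-key layout (base64 of 42 bytes: 2-byte algorithm tag "Ed", 8-byte key id, 32-byte Ed25519 public key); the function names are hypothetical, and the check does not verify any signature over the source list.

```python
import base64
import binascii

# Assumed minisign public-key layout: "Ed" tag + 8-byte key id + 32-byte key.
ALG_TAG = b"Ed"
KEY_ID_LEN = 8
PUBKEY_LEN = 32
TOTAL_LEN = len(ALG_TAG) + KEY_ID_LEN + PUBKEY_LEN  # 42 bytes

# The three minisign-key values that appear in the scenarios on this page.
PAGE_KEYS = {
    "Valid Source": "RWSp+fLgUiQZJWe5Ee+Vp3PM/pKBcULw0l6/NtDiDKcv3mbcvXq5YUGT",
    "Invalid Source": "ZoVqiAoW1FUi52DQWGhkf4Jm",
    "Invalid Minisign Key": "InvalidMinisignKey==",
}


def parse_minisign_pubkey(text):
    """Return (key_id_bytes, pubkey_bytes); raise ValueError with the reason."""
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    if len(raw) != TOTAL_LEN:
        raise ValueError(f"decoded length {len(raw)}, expected {TOTAL_LEN}")
    if raw[:2] != ALG_TAG:
        raise ValueError(f"unexpected algorithm tag {raw[:2]!r}")
    key_id = raw[2:2 + KEY_ID_LEN]      # key id bytes as stored in the key
    pubkey = raw[2 + KEY_ID_LEN:]       # Ed25519 public key
    return key_id, pubkey


def check_key(text):
    """Return (True, 'ok') for a well-formed key, else (False, reason)."""
    try:
        parse_minisign_pubkey(text)
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


if __name__ == "__main__":
    for scenario, key in PAGE_KEYS.items():
        ok, reason = check_key(key)
        print(f"{scenario}: {'well-formed' if ok else 'rejected'} ({reason})")
```

A key that passes this check is only well-formed; whether it is the right key is decided by verifying the signature of the downloaded source, which is what the Invalid Source scenario exercises.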