Source

Test suite to validate using one or multiple ciphers to protect DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWRTxXX0W8myDHopm35ZLZxURiBXCX3jB3eeMjQZy6hgNwntlzGXynsJ
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' at DUT0 and check that the output matches the following regular expressions:

(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Dec 11 19:42:01.299333 osdx systemd-journald[265387]: Runtime Journal (/run/log/journal/ff8de1b7feed4cd0a923a6e53f75b1b9) is 1.8M, max 13.8M, 11.9M free.
Dec 11 19:42:01.300291 osdx systemd-journald[265387]: Received client request to rotate journal, rotating.
Dec 11 19:42:01.300357 osdx systemd-journald[265387]: Vacuuming done, freed 0B of archived journals from /run/log/journal/ff8de1b7feed4cd0a923a6e53f75b1b9.
Dec 11 19:42:01.311287 osdx OSDxCLI[544029]: User 'admin' executed a new command: 'system journal clear'.
Dec 11 19:42:01.527457 osdx OSDxCLI[544029]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 11 19:42:01.783317 osdx OSDxCLI[544029]: User 'admin' entered the configuration menu.
Dec 11 19:42:01.950534 osdx OSDxCLI[544029]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 11 19:42:02.016323 osdx OSDxCLI[544029]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 11 19:42:02.132730 osdx OSDxCLI[544029]: User 'admin' added a new cfg line: 'show working'.
Dec 11 19:42:02.220321 osdx ubnt-cfgd[608807]: inactive
Dec 11 19:42:02.240476 osdx INFO[608813]: FRR daemons did not change
Dec 11 19:42:02.276264 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 11 19:42:02.327421 osdx WARNING[608882]: No supported link modes on interface eth0
Dec 11 19:42:02.329084 osdx modulelauncher[608882]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 11 19:42:02.329095 osdx modulelauncher[608882]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 11 19:42:02.330565 osdx modulelauncher[608882]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 11 19:42:02.330573 osdx modulelauncher[608882]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 11 19:42:02.365704 osdx cfgd[1647]: [544029]Completed change to active configuration
Dec 11 19:42:02.379852 osdx OSDxCLI[544029]: User 'admin' committed the configuration.
Dec 11 19:42:02.396047 osdx OSDxCLI[544029]: User 'admin' left the configuration menu.
Dec 11 19:42:02.563834 osdx OSDxCLI[544029]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Dec 11 19:42:02.643688 osdx OSDxCLI[544029]: User 'admin' executed a new command: 'system journal show | cat'.
Dec 11 19:42:02.830115 osdx OSDxCLI[544029]: User 'admin' entered the configuration menu.
Dec 11 19:42:02.906640 osdx OSDxCLI[544029]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 11 19:42:02.996883 osdx OSDxCLI[544029]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Dec 11 19:42:03.052978 osdx OSDxCLI[544029]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWRTxXX0W8myDHopm35ZLZxURiBXCX3jB3eeMjQZy6hgNwntlzGXynsJ'.
Dec 11 19:42:03.143609 osdx OSDxCLI[544029]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Dec 11 19:42:03.259496 osdx OSDxCLI[544029]: User 'admin' added a new cfg line: 'show working'.
Dec 11 19:42:03.317924 osdx ubnt-cfgd[608976]: inactive
Dec 11 19:42:03.337749 osdx INFO[608984]: FRR daemons did not change
Dec 11 19:42:03.350118 osdx ca-certificates[609000]: Updating certificates in /etc/ssl/certs...
Dec 11 19:42:03.924270 osdx ubnt-cfgd[610012]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 11 19:42:03.934187 osdx ca-certificates[610018]: 1 added, 0 removed; done.
Dec 11 19:42:03.937232 osdx ca-certificates[610024]: Running hooks in /etc/ca-certificates/update.d...
Dec 11 19:42:03.940057 osdx ca-certificates[610026]: done.
Dec 11 19:42:04.016656 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 11 19:42:04.018061 osdx cfgd[1647]: [544029]Completed change to active configuration
Dec 11 19:42:04.020908 osdx OSDxCLI[544029]: User 'admin' committed the configuration.
Dec 11 19:42:04.038563 osdx dnscrypt-proxy[610030]: [2025-12-11 19:42:04] [NOTICE] dnscrypt-proxy 2.0.45
Dec 11 19:42:04.038761 osdx dnscrypt-proxy[610030]: [2025-12-11 19:42:04] [NOTICE] Network connectivity detected
Dec 11 19:42:04.038808 osdx dnscrypt-proxy[610030]: [2025-12-11 19:42:04] [NOTICE] Dropping privileges
Dec 11 19:42:04.041260 osdx dnscrypt-proxy[610030]: [2025-12-11 19:42:04] [NOTICE] Network connectivity detected
Dec 11 19:42:04.041331 osdx dnscrypt-proxy[610030]: [2025-12-11 19:42:04] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Dec 11 19:42:04.041331 osdx dnscrypt-proxy[610030]: [2025-12-11 19:42:04] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Dec 11 19:42:04.042311 osdx dnscrypt-proxy[610030]: [2025-12-11 19:42:04] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-ocr6yv2m3onh5gip.tmp: permission denied
Dec 11 19:42:04.042311 osdx dnscrypt-proxy[610030]: [2025-12-11 19:42:04] [NOTICE] Source [RD] loaded
Dec 11 19:42:04.042403 osdx dnscrypt-proxy[610030]: [2025-12-11 19:42:04] [WARNING] Missing stamp for server [server-name`]
Dec 11 19:42:04.042403 osdx dnscrypt-proxy[610030]: [2025-12-11 19:42:04] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Dec 11 19:42:04.042403 osdx dnscrypt-proxy[610030]: [2025-12-11 19:42:04] [NOTICE] Firefox workaround initialized
Dec 11 19:42:04.042403 osdx dnscrypt-proxy[610030]: [2025-12-11 19:42:04] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpbw3h2jaq]
Dec 11 19:42:04.054697 osdx OSDxCLI[544029]: User 'admin' left the configuration menu.
Dec 11 19:42:04.205582 osdx dnscrypt-proxy[610030]: [2025-12-11 19:42:04] [NOTICE] [rd-server] OK (DoH) - rtt: 107ms
Dec 11 19:42:04.205582 osdx dnscrypt-proxy[610030]: [2025-12-11 19:42:04] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 107ms)
Dec 11 19:42:04.205582 osdx dnscrypt-proxy[610030]: [2025-12-11 19:42:04] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Dec 11 19:42:04.217305 osdx OSDxCLI[544029]: User 'admin' executed a new command: 'system journal show | cat'.

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate server names when several sources list a server with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWRTxXX0W8myDHopm35ZLZxURiBXCX3jB3eeMjQZy6hgNwntlzGXynsJ
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' at DUT0 and check that the output matches the following regular expressions:

(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Dec 11 19:42:11.347590 osdx systemd-journald[265387]: Runtime Journal (/run/log/journal/ff8de1b7feed4cd0a923a6e53f75b1b9) is 1.8M, max 13.8M, 11.9M free.
Dec 11 19:42:11.351075 osdx systemd-journald[265387]: Received client request to rotate journal, rotating.
Dec 11 19:42:11.351166 osdx systemd-journald[265387]: Vacuuming done, freed 0B of archived journals from /run/log/journal/ff8de1b7feed4cd0a923a6e53f75b1b9.
Dec 11 19:42:11.359858 osdx OSDxCLI[544029]: User 'admin' executed a new command: 'system journal clear'.
Dec 11 19:42:11.654073 osdx OSDxCLI[544029]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 11 19:42:12.046497 osdx OSDxCLI[544029]: User 'admin' entered the configuration menu.
Dec 11 19:42:12.144636 osdx OSDxCLI[544029]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 11 19:42:12.239871 osdx OSDxCLI[544029]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 11 19:42:12.400651 osdx OSDxCLI[544029]: User 'admin' added a new cfg line: 'show working'.
Dec 11 19:42:12.465212 osdx ubnt-cfgd[611725]: inactive
Dec 11 19:42:12.488320 osdx INFO[611731]: FRR daemons did not change
Dec 11 19:42:12.539491 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 11 19:42:12.591441 osdx WARNING[611800]: No supported link modes on interface eth0
Dec 11 19:42:12.592908 osdx modulelauncher[611800]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 11 19:42:12.592920 osdx modulelauncher[611800]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 11 19:42:12.594162 osdx modulelauncher[611800]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 11 19:42:12.594171 osdx modulelauncher[611800]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 11 19:42:12.636413 osdx cfgd[1647]: [544029]Completed change to active configuration
Dec 11 19:42:12.651996 osdx OSDxCLI[544029]: User 'admin' committed the configuration.
Dec 11 19:42:12.684524 osdx OSDxCLI[544029]: User 'admin' left the configuration menu.
Dec 11 19:42:12.866654 osdx OSDxCLI[544029]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Dec 11 19:42:12.952269 osdx OSDxCLI[544029]: User 'admin' executed a new command: 'system journal show | cat'.
Dec 11 19:42:13.139433 osdx OSDxCLI[544029]: User 'admin' entered the configuration menu.
Dec 11 19:42:13.252884 osdx OSDxCLI[544029]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 11 19:42:13.325790 osdx OSDxCLI[544029]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Dec 11 19:42:13.417382 osdx OSDxCLI[544029]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWRTxXX0W8myDHopm35ZLZxURiBXCX3jB3eeMjQZy6hgNwntlzGXynsJ'.
Dec 11 19:42:13.469773 osdx OSDxCLI[544029]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Dec 11 19:42:13.567113 osdx OSDxCLI[544029]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Dec 11 19:42:13.653076 osdx OSDxCLI[544029]: User 'admin' added a new cfg line: 'show working'.
Dec 11 19:42:13.786523 osdx ubnt-cfgd[611895]: inactive
Dec 11 19:42:13.806066 osdx INFO[611903]: FRR daemons did not change
Dec 11 19:42:13.818860 osdx ca-certificates[611919]: Updating certificates in /etc/ssl/certs...
Dec 11 19:42:14.389273 osdx ubnt-cfgd[612931]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 11 19:42:14.397229 osdx ca-certificates[612937]: 1 added, 0 removed; done.
Dec 11 19:42:14.400092 osdx ca-certificates[612943]: Running hooks in /etc/ca-certificates/update.d...
Dec 11 19:42:14.402866 osdx ca-certificates[612945]: done.
Dec 11 19:42:14.459431 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 11 19:42:14.460927 osdx cfgd[1647]: [544029]Completed change to active configuration
Dec 11 19:42:14.463500 osdx OSDxCLI[544029]: User 'admin' committed the configuration.
Dec 11 19:42:14.483144 osdx dnscrypt-proxy[612949]: [2025-12-11 19:42:14] [NOTICE] dnscrypt-proxy 2.0.45
Dec 11 19:42:14.483398 osdx dnscrypt-proxy[612949]: [2025-12-11 19:42:14] [NOTICE] Network connectivity detected
Dec 11 19:42:14.483429 osdx dnscrypt-proxy[612949]: [2025-12-11 19:42:14] [NOTICE] Dropping privileges
Dec 11 19:42:14.486335 osdx dnscrypt-proxy[612949]: [2025-12-11 19:42:14] [NOTICE] Network connectivity detected
Dec 11 19:42:14.486402 osdx dnscrypt-proxy[612949]: [2025-12-11 19:42:14] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Dec 11 19:42:14.486402 osdx dnscrypt-proxy[612949]: [2025-12-11 19:42:14] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Dec 11 19:42:14.487503 osdx dnscrypt-proxy[612949]: [2025-12-11 19:42:14] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-mfb6pbxjcerxjj45.tmp: permission denied
Dec 11 19:42:14.487503 osdx dnscrypt-proxy[612949]: [2025-12-11 19:42:14] [NOTICE] Source [RD] loaded
Dec 11 19:42:14.487503 osdx dnscrypt-proxy[612949]: [2025-12-11 19:42:14] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Dec 11 19:42:14.487612 osdx dnscrypt-proxy[612949]: [2025-12-11 19:42:14] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Dec 11 19:42:14.487612 osdx dnscrypt-proxy[612949]: [2025-12-11 19:42:14] [NOTICE] Firefox workaround initialized
Dec 11 19:42:14.487612 osdx dnscrypt-proxy[612949]: [2025-12-11 19:42:14] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpz1z_iuhx]
Dec 11 19:42:14.509315 osdx OSDxCLI[544029]: User 'admin' left the configuration menu.
Dec 11 19:42:14.654152 osdx dnscrypt-proxy[612949]: [2025-12-11 19:42:14] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 112ms
Dec 11 19:42:14.654152 osdx dnscrypt-proxy[612949]: [2025-12-11 19:42:14] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 112ms)
Dec 11 19:42:14.654152 osdx dnscrypt-proxy[612949]: [2025-12-11 19:42:14] [NOTICE] dnscrypt-proxy is ready - live servers: 1
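
The Step 2 check in both scenarios above passes on a single OK line. The following added example (not part of the test suite; review_journal is a hypothetical name) applies the same match for a given server name and also collects the dnscrypt-proxy warnings that the regular expression does not look at. The journal lines are copied from the output above.

```python
import re

# Journal lines copied from the "Valid Source With Prefix" output on this page.
JOURNAL = """\
Dec 11 19:42:14.487503 osdx dnscrypt-proxy[612949]: [2025-12-11 19:42:14] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-mfb6pbxjcerxjj45.tmp: permission denied
Dec 11 19:42:14.487503 osdx dnscrypt-proxy[612949]: [2025-12-11 19:42:14] [NOTICE] Source [RD] loaded
Dec 11 19:42:14.487503 osdx dnscrypt-proxy[612949]: [2025-12-11 19:42:14] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Dec 11 19:42:14.509315 osdx OSDxCLI[544029]: User 'admin' left the configuration menu.
Dec 11 19:42:14.654152 osdx dnscrypt-proxy[612949]: [2025-12-11 19:42:14] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 112ms
Dec 11 19:42:14.654152 osdx dnscrypt-proxy[612949]: [2025-12-11 19:42:14] [NOTICE] dnscrypt-proxy is ready - live servers: 1
"""

# A dnscrypt-proxy journal entry: "<daemon>[pid]: [timestamp] [LEVEL] message"
ENTRY = re.compile(r"dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
# The message the Step 2 regular expression looks for, with the server name captured.
OK_DOH = re.compile(r"^\[(?P<name>[^\]]+)\] OK \(DoH\) - rtt: (?P<rtt>\d+)ms$")


def review_journal(text, expected_server):
    """Return (passed, rtt_ms, warnings) for the dnscrypt-proxy entries in a journal dump.

    passed is True only if the expected server name reported "OK (DoH)".
    warnings holds every dnscrypt-proxy message logged above NOTICE level.
    """
    rtt, warnings = None, []
    for line in text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue  # CLI audit, systemd, kernel and other non-proxy lines
        if entry["level"] not in ("DEBUG", "INFO", "NOTICE"):
            warnings.append(entry["msg"])
        ok = OK_DOH.match(entry["msg"])
        if ok and ok["name"] == expected_server:
            rtt = int(ok["rtt"])
    return rtt is not None, rtt, warnings


if __name__ == "__main__":
    passed, rtt, warnings = review_journal(JOURNAL, "PRIVATE-rd-server")
    print("resolver OK:", passed, "rtt(ms):", rtt)
    for w in warnings:
        print("warning:", w)
```
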

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key 5ZFQm1VQKbVewC4Jhzqqorrn
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
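
Both failure scenarios above turn on the minisign-key value, which is what authenticates a resolver list fetched over plain http. The following added example (not part of the test suite or of dnscrypt-proxy; the function names are hypothetical) decodes the three keys configured on this page against the minisign public key layout: base64 of a 2-byte "Ed" algorithm tag, an 8-byte key ID and a 32-byte Ed25519 public key.

```python
import base64
import binascii

# The three minisign-key values configured on this page, by scenario.
PAGE_KEYS = {
    "Valid Source": "RWRTxXX0W8myDHopm35ZLZxURiBXCX3jB3eeMjQZy6hgNwntlzGXynsJ",
    "Invalid Source": "5ZFQm1VQKbVewC4Jhzqqorrn",
    "Invalid Minisign Key": "InvalidMinisignKey==",
}


def parse_minisign_pubkey(b64):
    """Decode a minisign public key string into (key_id, ed25519_public_key).

    Raises ValueError if the string is not base64 or does not decode to the
    42-byte layout: b"Ed" tag (2) + key ID (8) + Ed25519 public key (32).
    """
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if len(raw) != 42:
        raise ValueError(f"decoded length is {len(raw)} bytes, expected 42")
    if raw[:2] != b"Ed":
        raise ValueError(f"unexpected algorithm tag {raw[:2]!r}")
    return raw[2:10], raw[10:]


def check_page_keys():
    """Map each scenario to True (well-formed key) or the reason it is rejected."""
    results = {}
    for scenario, key in PAGE_KEYS.items():
        try:
            parse_minisign_pubkey(key)
            results[scenario] = True
        except ValueError as exc:
            results[scenario] = str(exc)
    return results


if __name__ == "__main__":
    for scenario, verdict in check_page_keys().items():
        print(f"{scenario}: {verdict}")
```

Neither failing key on the page decodes to 42 bytes, so both fail this structural check. A well-formed key that does not belong to the list's signer is a separate case, which a format check cannot detect.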