Source
Test suite to validate using one or multiple ciphers to protect the DoH connection.
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWRde0L6uNbYB/hwk/QabZ9SjVPDSRA6woUgkGLJE/eeA8lNNXhvUmMA
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Jan 27 12:39:14.324355 osdx systemd-journald[1949]: Runtime Journal (/run/log/journal/19d27b7fd9034c15b59c452d6ca2fcd4) is 1.8M, max 13.8M, 11.9M free.
Jan 27 12:39:14.325862 osdx systemd-journald[1949]: Received client request to rotate journal, rotating.
Jan 27 12:39:14.325922 osdx systemd-journald[1949]: Vacuuming done, freed 0B of archived journals from /run/log/journal/19d27b7fd9034c15b59c452d6ca2fcd4.
Jan 27 12:39:14.336886 osdx OSDxCLI[182842]: User 'admin' executed a new command: 'system journal clear'.
Jan 27 12:39:14.547487 osdx OSDxCLI[182842]: User 'admin' executed a new command: 'system coredump delete all'.
Jan 27 12:39:14.821048 osdx OSDxCLI[182842]: User 'admin' entered the configuration menu.
Jan 27 12:39:14.907407 osdx OSDxCLI[182842]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 27 12:39:14.975077 osdx OSDxCLI[182842]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 27 12:39:15.074388 osdx OSDxCLI[182842]: User 'admin' added a new cfg line: 'show working'.
Jan 27 12:39:15.132459 osdx ubnt-cfgd[359794]: inactive
Jan 27 12:39:15.152493 osdx INFO[359800]: FRR daemons did not change
Jan 27 12:39:15.181868 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 27 12:39:15.221434 osdx WARNING[359869]: No supported link modes on interface eth0
Jan 27 12:39:15.222956 osdx modulelauncher[359869]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Jan 27 12:39:15.222967 osdx modulelauncher[359869]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Jan 27 12:39:15.224143 osdx modulelauncher[359869]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Jan 27 12:39:15.224153 osdx modulelauncher[359869]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Jan 27 12:39:15.261245 osdx cfgd[1624]: [182842]Completed change to active configuration
Jan 27 12:39:15.272699 osdx OSDxCLI[182842]: User 'admin' committed the configuration.
Jan 27 12:39:15.288723 osdx OSDxCLI[182842]: User 'admin' left the configuration menu.
Jan 27 12:39:15.452431 osdx OSDxCLI[182842]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jan 27 12:39:15.519890 osdx OSDxCLI[182842]: User 'admin' executed a new command: 'system journal show | cat'.
Jan 27 12:39:15.690110 osdx OSDxCLI[182842]: User 'admin' entered the configuration menu.
Jan 27 12:39:15.759783 osdx OSDxCLI[182842]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 27 12:39:15.872416 osdx OSDxCLI[182842]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jan 27 12:39:15.933518 osdx OSDxCLI[182842]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWRde0L6uNbYB/hwk/QabZ9SjVPDSRA6woUgkGLJE/eeA8lNNXhvUmMA'.
Jan 27 12:39:16.030543 osdx OSDxCLI[182842]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Jan 27 12:39:16.126445 osdx OSDxCLI[182842]: User 'admin' added a new cfg line: 'show working'.
Jan 27 12:39:16.197107 osdx ubnt-cfgd[359963]: inactive
Jan 27 12:39:16.220445 osdx INFO[359971]: FRR daemons did not change
Jan 27 12:39:16.233989 osdx ca-certificates[359987]: Updating certificates in /etc/ssl/certs...
Jan 27 12:39:16.761712 osdx ubnt-cfgd[360999]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Jan 27 12:39:16.769154 osdx ca-certificates[361005]: 1 added, 0 removed; done.
Jan 27 12:39:16.771923 osdx ca-certificates[361011]: Running hooks in /etc/ca-certificates/update.d...
Jan 27 12:39:16.774542 osdx ca-certificates[361013]: done.
Jan 27 12:39:16.858352 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 27 12:39:16.859844 osdx cfgd[1624]: [182842]Completed change to active configuration
Jan 27 12:39:16.862116 osdx OSDxCLI[182842]: User 'admin' committed the configuration.
Jan 27 12:39:16.880734 osdx OSDxCLI[182842]: User 'admin' left the configuration menu.
Jan 27 12:39:16.886150 osdx dnscrypt-proxy[361017]: [2026-01-27 12:39:16] [NOTICE] dnscrypt-proxy 2.0.45
Jan 27 12:39:16.886333 osdx dnscrypt-proxy[361017]: [2026-01-27 12:39:16] [NOTICE] Network connectivity detected
Jan 27 12:39:16.886445 osdx dnscrypt-proxy[361017]: [2026-01-27 12:39:16] [NOTICE] Dropping privileges
Jan 27 12:39:16.888928 osdx dnscrypt-proxy[361017]: [2026-01-27 12:39:16] [NOTICE] Network connectivity detected
Jan 27 12:39:16.888982 osdx dnscrypt-proxy[361017]: [2026-01-27 12:39:16] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jan 27 12:39:16.888982 osdx dnscrypt-proxy[361017]: [2026-01-27 12:39:16] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jan 27 12:39:16.890071 osdx dnscrypt-proxy[361017]: [2026-01-27 12:39:16] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-3gflkalhkes67rqs.tmp: permission denied
Jan 27 12:39:16.890071 osdx dnscrypt-proxy[361017]: [2026-01-27 12:39:16] [NOTICE] Source [RD] loaded
Jan 27 12:39:16.890122 osdx dnscrypt-proxy[361017]: [2026-01-27 12:39:16] [WARNING] Missing stamp for server [server-name`]
Jan 27 12:39:16.890122 osdx dnscrypt-proxy[361017]: [2026-01-27 12:39:16] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Jan 27 12:39:16.890122 osdx dnscrypt-proxy[361017]: [2026-01-27 12:39:16] [NOTICE] Firefox workaround initialized
Jan 27 12:39:16.890122 osdx dnscrypt-proxy[361017]: [2026-01-27 12:39:16] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp5a9uqkb5]
Jan 27 12:39:17.045977 osdx OSDxCLI[182842]: User 'admin' executed a new command: 'system journal show | cat'.
Jan 27 12:39:17.156084 osdx dnscrypt-proxy[361017]: [2026-01-27 12:39:17] [NOTICE] [rd-server] OK (DoH) - rtt: 128ms
Jan 27 12:39:17.156084 osdx dnscrypt-proxy[361017]: [2026-01-27 12:39:17] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 128ms)
Jan 27 12:39:17.156084 osdx dnscrypt-proxy[361017]: [2026-01-27 12:39:17] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate server names.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWRde0L6uNbYB/hwk/QabZ9SjVPDSRA6woUgkGLJE/eeA8lNNXhvUmMA
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Jan 27 12:39:25.307515 osdx systemd-journald[1949]: Runtime Journal (/run/log/journal/19d27b7fd9034c15b59c452d6ca2fcd4) is 1.8M, max 13.8M, 11.9M free.
Jan 27 12:39:25.307970 osdx systemd-journald[1949]: Received client request to rotate journal, rotating.
Jan 27 12:39:25.308000 osdx systemd-journald[1949]: Vacuuming done, freed 0B of archived journals from /run/log/journal/19d27b7fd9034c15b59c452d6ca2fcd4.
Jan 27 12:39:25.317725 osdx OSDxCLI[182842]: User 'admin' executed a new command: 'system journal clear'.
Jan 27 12:39:25.541277 osdx OSDxCLI[182842]: User 'admin' executed a new command: 'system coredump delete all'.
Jan 27 12:39:25.779940 osdx OSDxCLI[182842]: User 'admin' entered the configuration menu.
Jan 27 12:39:25.879543 osdx OSDxCLI[182842]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 27 12:39:25.984213 osdx OSDxCLI[182842]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 27 12:39:26.114557 osdx OSDxCLI[182842]: User 'admin' added a new cfg line: 'show working'.
Jan 27 12:39:26.185616 osdx ubnt-cfgd[362712]: inactive
Jan 27 12:39:26.210197 osdx INFO[362718]: FRR daemons did not change
Jan 27 12:39:26.243751 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 27 12:39:26.287950 osdx WARNING[362787]: No supported link modes on interface eth0
Jan 27 12:39:26.289574 osdx modulelauncher[362787]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Jan 27 12:39:26.289585 osdx modulelauncher[362787]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Jan 27 12:39:26.290965 osdx modulelauncher[362787]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Jan 27 12:39:26.290974 osdx modulelauncher[362787]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Jan 27 12:39:26.331931 osdx cfgd[1624]: [182842]Completed change to active configuration
Jan 27 12:39:26.343478 osdx OSDxCLI[182842]: User 'admin' committed the configuration.
Jan 27 12:39:26.360202 osdx OSDxCLI[182842]: User 'admin' left the configuration menu.
Jan 27 12:39:26.711136 osdx OSDxCLI[182842]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jan 27 12:39:27.097193 osdx OSDxCLI[182842]: User 'admin' executed a new command: 'system journal show | cat'.
Jan 27 12:39:27.244618 osdx OSDxCLI[182842]: User 'admin' entered the configuration menu.
Jan 27 12:39:27.312538 osdx OSDxCLI[182842]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 27 12:39:27.847067 osdx OSDxCLI[182842]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jan 27 12:39:27.907586 osdx OSDxCLI[182842]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWRde0L6uNbYB/hwk/QabZ9SjVPDSRA6woUgkGLJE/eeA8lNNXhvUmMA'.
Jan 27 12:39:28.040369 osdx OSDxCLI[182842]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Jan 27 12:39:28.100543 osdx OSDxCLI[182842]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Jan 27 12:39:28.238919 osdx OSDxCLI[182842]: User 'admin' added a new cfg line: 'show working'.
Jan 27 12:39:28.328079 osdx ubnt-cfgd[362882]: inactive
Jan 27 12:39:28.347469 osdx INFO[362890]: FRR daemons did not change
Jan 27 12:39:28.359438 osdx ca-certificates[362906]: Updating certificates in /etc/ssl/certs...
Jan 27 12:39:28.995138 osdx ubnt-cfgd[363918]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Jan 27 12:39:29.005252 osdx ca-certificates[363924]: 1 added, 0 removed; done.
Jan 27 12:39:29.009018 osdx ca-certificates[363930]: Running hooks in /etc/ca-certificates/update.d...
Jan 27 12:39:29.012645 osdx ca-certificates[363932]: done.
Jan 27 12:39:29.080291 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 27 12:39:29.082233 osdx cfgd[1624]: [182842]Completed change to active configuration
Jan 27 12:39:29.085489 osdx OSDxCLI[182842]: User 'admin' committed the configuration.
Jan 27 12:39:29.106969 osdx dnscrypt-proxy[363936]: [2026-01-27 12:39:29] [NOTICE] dnscrypt-proxy 2.0.45
Jan 27 12:39:29.107245 osdx dnscrypt-proxy[363936]: [2026-01-27 12:39:29] [NOTICE] Network connectivity detected
Jan 27 12:39:29.107301 osdx dnscrypt-proxy[363936]: [2026-01-27 12:39:29] [NOTICE] Dropping privileges
Jan 27 12:39:29.110130 osdx dnscrypt-proxy[363936]: [2026-01-27 12:39:29] [NOTICE] Network connectivity detected
Jan 27 12:39:29.110227 osdx dnscrypt-proxy[363936]: [2026-01-27 12:39:29] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jan 27 12:39:29.110227 osdx dnscrypt-proxy[363936]: [2026-01-27 12:39:29] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jan 27 12:39:29.111268 osdx dnscrypt-proxy[363936]: [2026-01-27 12:39:29] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-nsgqm4lett7hbujo.tmp: permission denied
Jan 27 12:39:29.111268 osdx dnscrypt-proxy[363936]: [2026-01-27 12:39:29] [NOTICE] Source [RD] loaded
Jan 27 12:39:29.111449 osdx dnscrypt-proxy[363936]: [2026-01-27 12:39:29] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Jan 27 12:39:29.111481 osdx dnscrypt-proxy[363936]: [2026-01-27 12:39:29] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Jan 27 12:39:29.111481 osdx dnscrypt-proxy[363936]: [2026-01-27 12:39:29] [NOTICE] Firefox workaround initialized
Jan 27 12:39:29.111481 osdx dnscrypt-proxy[363936]: [2026-01-27 12:39:29] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp5a6r2eim]
Jan 27 12:39:29.116935 osdx OSDxCLI[182842]: User 'admin' left the configuration menu.
Jan 27 12:39:29.272797 osdx OSDxCLI[182842]: User 'admin' executed a new command: 'system journal show | cat'.
Jan 27 12:39:29.351176 osdx dnscrypt-proxy[363936]: [2026-01-27 12:39:29] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 157ms
Jan 27 12:39:29.351176 osdx dnscrypt-proxy[363936]: [2026-01-27 12:39:29] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 157ms)
Jan 27 12:39:29.351176 osdx dnscrypt-proxy[363936]: [2026-01-27 12:39:29] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key DECNEFMwDc2CAxhSff8OmLXP
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
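Added example (not part of the original test suite, and not the device's or dnscrypt-proxy's code): the structural checks on a minisign key that come before any signature is verified, applied to the three minisign-key values configured in the scenarios above. It relies on the minisign public-key layout (2-byte algorithm tag, 8-byte key ID, 32-byte Ed25519 key); the function names and the signature file are constructed for illustration.

```python
import base64
import binascii
PUBKEY_LEN = 2 + 8 + 32  # algorithm tag "Ed" + key ID + Ed25519 public key
SIG_LEN = 2 + 8 + 64     # algorithm tag "Ed"/"ED" + key ID + Ed25519 signature

def _decode(b64_text, expected_len, algorithms):
    """Base64-decode a minisign blob and check its length and algorithm tag."""
    try:
        raw = base64.b64decode(b64_text, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if len(raw) != expected_len:
        raise ValueError(f"decoded to {len(raw)} bytes, expected {expected_len}")
    if raw[:2] not in algorithms:
        raise ValueError(f"unsupported algorithm tag {raw[:2]!r}")
    return raw

def pubkey_key_id(encoded_key):
    """Return the 8-byte key ID of a minisign public key, or raise ValueError."""
    return _decode(encoded_key, PUBKEY_LEN, (b"Ed",))[2:10]

def signature_key_id(minisig_text):
    """Return the key ID from a .minisig file; line 2 holds the signature blob."""
    lines = minisig_text.strip().splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment:"):
        raise ValueError("not a minisign signature file")
    return _decode(lines[1].strip(), SIG_LEN, (b"Ed", b"ED"))[2:10]

def precheck(encoded_key, minisig_text):
    """Structural checks that come before Ed25519 verification of the list."""
    try:
        if pubkey_key_id(encoded_key) != signature_key_id(minisig_text):
            return "reject: key ID mismatch"
    except ValueError as exc:
        return f"reject: {exc}"
    return "proceed to Ed25519 verification"

def constructed_minisig(key_id):
    """Constructed sample: signature file with an all-zero signature body."""
    blob = base64.b64encode(b"Ed" + key_id + bytes(64)).decode()
    return f"untrusted comment: constructed sample\n{blob}\n"

VALID_KEY = "RWRde0L6uNbYB/hwk/QabZ9SjVPDSRA6woUgkGLJE/eeA8lNNXhvUmMA"  # valid scenarios
RANDOM_KEY = "DECNEFMwDc2CAxhSff8OmLXP"  # "Invalid Source" scenario
MALFORMED_KEY = "InvalidMinisignKey=="   # "Invalid Minisign Key" scenario

if __name__ == "__main__":
    for key in (VALID_KEY, RANDOM_KEY, MALFORMED_KEY):
        print(key, "->", precheck(key, constructed_minisig(pubkey_key_id(VALID_KEY))))
```

Neither invalid key decodes to the 42 bytes a minisign public key requires, so both are rejected on structure alone; a well-formed key from a different key pair would instead fail at the key ID comparison or at the Ed25519 check.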