Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns proxy server-name rd-server set service dns proxy source RD minisign-key RWT1YiNdeEA34m1Ok6sxVsrhe031yU/L7qE6LbwAuSeegb9j7o670ig3 set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md' set system certificate trust 'running://remote.dns-server.crt' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$Show output
Feb 12 17:40:26.386003 osdx systemd-journald[1959]: Runtime Journal (/run/log/journal/fef7273cfed74888920ec39438478308) is 2.4M, max 17.2M, 14.8M free. Feb 12 17:40:26.387022 osdx systemd-journald[1959]: Received client request to rotate journal, rotating. Feb 12 17:40:26.387079 osdx systemd-journald[1959]: Vacuuming done, freed 0B of archived journals from /run/log/journal/fef7273cfed74888920ec39438478308. Feb 12 17:40:26.397688 osdx OSDxCLI[79875]: User 'admin' executed a new command: 'system journal clear'. Feb 12 17:40:26.625300 osdx OSDxCLI[79875]: User 'admin' executed a new command: 'system coredump delete all'. Feb 12 17:40:26.860702 osdx OSDxCLI[79875]: User 'admin' entered the configuration menu. Feb 12 17:40:26.959460 osdx OSDxCLI[79875]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Feb 12 17:40:27.038937 osdx OSDxCLI[79875]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Feb 12 17:40:27.154922 osdx OSDxCLI[79875]: User 'admin' added a new cfg line: 'show working'. Feb 12 17:40:27.227228 osdx ubnt-cfgd[132447]: inactive Feb 12 17:40:27.247096 osdx INFO[132453]: FRR daemons did not change Feb 12 17:40:27.275035 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Feb 12 17:40:27.316548 osdx WARNING[132522]: No supported link modes on interface eth0 Feb 12 17:40:27.317924 osdx modulelauncher[132522]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on Feb 12 17:40:27.317938 osdx modulelauncher[132522]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76. Feb 12 17:40:27.319067 osdx modulelauncher[132522]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off -- Feb 12 17:40:27.319077 osdx modulelauncher[132522]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75. Feb 12 17:40:27.352899 osdx cfgd[1631]: [79875]Completed change to active configuration Feb 12 17:40:27.366972 osdx OSDxCLI[79875]: User 'admin' committed the configuration. Feb 12 17:40:27.382900 osdx OSDxCLI[79875]: User 'admin' left the configuration menu. Feb 12 17:40:27.527825 osdx OSDxCLI[79875]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. Feb 12 17:40:27.593362 osdx OSDxCLI[79875]: User 'admin' executed a new command: 'system journal show | cat'. Feb 12 17:40:27.748022 osdx OSDxCLI[79875]: User 'admin' entered the configuration menu. Feb 12 17:40:27.828327 osdx OSDxCLI[79875]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. Feb 12 17:40:27.929380 osdx OSDxCLI[79875]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'. Feb 12 17:40:27.984005 osdx OSDxCLI[79875]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWT1YiNdeEA34m1Ok6sxVsrhe031yU/L7qE6LbwAuSeegb9j7o670ig3'. Feb 12 17:40:28.079153 osdx OSDxCLI[79875]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'. Feb 12 17:40:28.149404 osdx OSDxCLI[79875]: User 'admin' added a new cfg line: 'show working'. Feb 12 17:40:28.253235 osdx ubnt-cfgd[132616]: inactive Feb 12 17:40:28.273575 osdx INFO[132624]: FRR daemons did not change Feb 12 17:40:28.288615 osdx ca-certificates[132640]: Updating certificates in /etc/ssl/certs... Feb 12 17:40:28.820430 osdx ubnt-cfgd[133652]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL Feb 12 17:40:28.828535 osdx ca-certificates[133658]: 1 added, 0 removed; done. Feb 12 17:40:28.831647 osdx ca-certificates[133664]: Running hooks in /etc/ca-certificates/update.d... Feb 12 17:40:28.835984 osdx ca-certificates[133666]: done. Feb 12 17:40:28.919439 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. Feb 12 17:40:28.920726 osdx cfgd[1631]: [79875]Completed change to active configuration Feb 12 17:40:28.923825 osdx OSDxCLI[79875]: User 'admin' committed the configuration. Feb 12 17:40:28.945106 osdx dnscrypt-proxy[133670]: [2026-02-12 17:40:28] [NOTICE] dnscrypt-proxy 2.0.45 Feb 12 17:40:28.945321 osdx dnscrypt-proxy[133670]: [2026-02-12 17:40:28] [NOTICE] Network connectivity detected Feb 12 17:40:28.945376 osdx dnscrypt-proxy[133670]: [2026-02-12 17:40:28] [NOTICE] Dropping privileges Feb 12 17:40:28.947966 osdx dnscrypt-proxy[133670]: [2026-02-12 17:40:28] [NOTICE] Network connectivity detected Feb 12 17:40:28.948037 osdx dnscrypt-proxy[133670]: [2026-02-12 17:40:28] [NOTICE] Now listening to 127.0.0.1:53 [UDP] Feb 12 17:40:28.948037 osdx dnscrypt-proxy[133670]: [2026-02-12 17:40:28] [NOTICE] Now listening to 127.0.0.1:53 [TCP] Feb 12 17:40:28.949100 osdx dnscrypt-proxy[133670]: [2026-02-12 17:40:28] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-zjty26gihfpuw7ma.tmp: permission denied Feb 12 17:40:28.949100 osdx dnscrypt-proxy[133670]: [2026-02-12 17:40:28] [NOTICE] Source [RD] loaded Feb 12 17:40:28.949158 osdx dnscrypt-proxy[133670]: [2026-02-12 17:40:28] [WARNING] Missing stamp for server [server-name`] Feb 12 17:40:28.949158 osdx dnscrypt-proxy[133670]: [2026-02-12 17:40:28] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1] Feb 12 17:40:28.949158 osdx dnscrypt-proxy[133670]: [2026-02-12 17:40:28] [NOTICE] Firefox workaround initialized Feb 12 17:40:28.949158 osdx dnscrypt-proxy[133670]: [2026-02-12 17:40:28] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpbf9ayqlj] Feb 12 17:40:28.980487 osdx OSDxCLI[79875]: User 'admin' left the configuration menu. Feb 12 17:40:29.136739 osdx OSDxCLI[79875]: User 'admin' executed a new command: 'system journal show | cat'. Feb 12 17:40:29.192365 osdx dnscrypt-proxy[133670]: [2026-02-12 17:40:29] [NOTICE] [rd-server] OK (DoH) - rtt: 221ms Feb 12 17:40:29.192365 osdx dnscrypt-proxy[133670]: [2026-02-12 17:40:29] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 221ms) Feb 12 17:40:29.192365 osdx dnscrypt-proxy[133670]: [2026-02-12 17:40:29] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid the duplicity of servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns proxy server-name PRIVATE-rd-server set service dns proxy source RD minisign-key RWT1YiNdeEA34m1Ok6sxVsrhe031yU/L7qE6LbwAuSeegb9j7o670ig3 set service dns proxy source RD prefix PRIVATE- set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md' set system certificate trust 'running://remote.dns-server.crt' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$Show output
Feb 12 17:40:37.370088 osdx systemd-journald[1959]: Runtime Journal (/run/log/journal/fef7273cfed74888920ec39438478308) is 2.2M, max 17.2M, 14.9M free. Feb 12 17:40:37.372556 osdx systemd-journald[1959]: Received client request to rotate journal, rotating. Feb 12 17:40:37.372626 osdx systemd-journald[1959]: Vacuuming done, freed 0B of archived journals from /run/log/journal/fef7273cfed74888920ec39438478308. Feb 12 17:40:37.383158 osdx OSDxCLI[79875]: User 'admin' executed a new command: 'system journal clear'. Feb 12 17:40:37.661659 osdx OSDxCLI[79875]: User 'admin' executed a new command: 'system coredump delete all'. Feb 12 17:40:38.054721 osdx OSDxCLI[79875]: User 'admin' entered the configuration menu. Feb 12 17:40:38.155034 osdx OSDxCLI[79875]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Feb 12 17:40:38.235118 osdx OSDxCLI[79875]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Feb 12 17:40:38.353576 osdx OSDxCLI[79875]: User 'admin' added a new cfg line: 'show working'. Feb 12 17:40:38.416817 osdx ubnt-cfgd[135376]: inactive Feb 12 17:40:38.440237 osdx INFO[135382]: FRR daemons did not change Feb 12 17:40:38.476486 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Feb 12 17:40:38.528199 osdx WARNING[135451]: No supported link modes on interface eth0 Feb 12 17:40:38.529807 osdx modulelauncher[135451]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on Feb 12 17:40:38.529822 osdx modulelauncher[135451]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76. Feb 12 17:40:38.531155 osdx modulelauncher[135451]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off -- Feb 12 17:40:38.531167 osdx modulelauncher[135451]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75. Feb 12 17:40:38.585822 osdx cfgd[1631]: [79875]Completed change to active configuration Feb 12 17:40:38.597925 osdx OSDxCLI[79875]: User 'admin' committed the configuration. Feb 12 17:40:38.628143 osdx OSDxCLI[79875]: User 'admin' left the configuration menu. Feb 12 17:40:38.839114 osdx OSDxCLI[79875]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. Feb 12 17:40:38.939431 osdx OSDxCLI[79875]: User 'admin' executed a new command: 'system journal show | cat'. Feb 12 17:40:39.108932 osdx OSDxCLI[79875]: User 'admin' entered the configuration menu. Feb 12 17:40:39.218751 osdx OSDxCLI[79875]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. Feb 12 17:40:39.368191 osdx OSDxCLI[79875]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'. Feb 12 17:40:39.430514 osdx OSDxCLI[79875]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWT1YiNdeEA34m1Ok6sxVsrhe031yU/L7qE6LbwAuSeegb9j7o670ig3'. Feb 12 17:40:39.549429 osdx OSDxCLI[79875]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'. Feb 12 17:40:39.630084 osdx OSDxCLI[79875]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'. Feb 12 17:40:39.717681 osdx OSDxCLI[79875]: User 'admin' added a new cfg line: 'show working'. Feb 12 17:40:39.852118 osdx ubnt-cfgd[135546]: inactive Feb 12 17:40:39.873770 osdx INFO[135554]: FRR daemons did not change Feb 12 17:40:39.886082 osdx ca-certificates[135570]: Updating certificates in /etc/ssl/certs... Feb 12 17:40:40.504906 osdx ubnt-cfgd[136582]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL Feb 12 17:40:40.515497 osdx ca-certificates[136588]: 1 added, 0 removed; done. Feb 12 17:40:40.519411 osdx ca-certificates[136594]: Running hooks in /etc/ca-certificates/update.d... Feb 12 17:40:40.523235 osdx ca-certificates[136596]: done. Feb 12 17:40:40.588932 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. Feb 12 17:40:40.590776 osdx cfgd[1631]: [79875]Completed change to active configuration Feb 12 17:40:40.593132 osdx OSDxCLI[79875]: User 'admin' committed the configuration. Feb 12 17:40:40.618404 osdx dnscrypt-proxy[136600]: [2026-02-12 17:40:40] [NOTICE] dnscrypt-proxy 2.0.45 Feb 12 17:40:40.618641 osdx dnscrypt-proxy[136600]: [2026-02-12 17:40:40] [NOTICE] Network connectivity detected Feb 12 17:40:40.618742 osdx dnscrypt-proxy[136600]: [2026-02-12 17:40:40] [NOTICE] Dropping privileges Feb 12 17:40:40.619066 osdx OSDxCLI[79875]: User 'admin' left the configuration menu. Feb 12 17:40:40.627729 osdx dnscrypt-proxy[136600]: [2026-02-12 17:40:40] [NOTICE] Network connectivity detected Feb 12 17:40:40.627729 osdx dnscrypt-proxy[136600]: [2026-02-12 17:40:40] [NOTICE] Now listening to 127.0.0.1:53 [UDP] Feb 12 17:40:40.627729 osdx dnscrypt-proxy[136600]: [2026-02-12 17:40:40] [NOTICE] Now listening to 127.0.0.1:53 [TCP] Feb 12 17:40:40.629690 osdx dnscrypt-proxy[136600]: [2026-02-12 17:40:40] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-2dq4xvef5bdssg5x.tmp: permission denied Feb 12 17:40:40.629690 osdx dnscrypt-proxy[136600]: [2026-02-12 17:40:40] [NOTICE] Source [RD] loaded Feb 12 17:40:40.629690 osdx dnscrypt-proxy[136600]: [2026-02-12 17:40:40] [WARNING] Missing stamp for server [PRIVATE-server-name`] Feb 12 17:40:40.629690 osdx dnscrypt-proxy[136600]: [2026-02-12 17:40:40] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1] Feb 12 17:40:40.629690 osdx dnscrypt-proxy[136600]: [2026-02-12 17:40:40] [NOTICE] Firefox workaround initialized Feb 12 17:40:40.629690 osdx dnscrypt-proxy[136600]: [2026-02-12 17:40:40] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpcjhalroi] Feb 12 17:40:40.735093 osdx dnscrypt-proxy[136600]: [2026-02-12 17:40:40] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 85ms Feb 12 17:40:40.735093 osdx dnscrypt-proxy[136600]: [2026-02-12 17:40:40] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 85ms) Feb 12 17:40:40.735093 osdx dnscrypt-proxy[136600]: [2026-02-12 17:40:40] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns proxy log level 0 set service dns proxy server-name rd-server set service dns proxy source RD minisign-key XEEjSkaSFZIfyF7tynxGRJpK set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source' set system certificate trust 'running://remote.dns-server.crt' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set protocols static route 0.0.0.0/0 next-hop 10.215.168.1 set service dns proxy log level 0 set service dns proxy server-name rd-server set service dns proxy source RD minisign-key InvalidMinisignKey== set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md' set system certificate trust 'running://remote.dns-server.crt' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'