Source

Test suite to validate using one or multiple ciphers to protect DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWRXp18Uy11j8CUCAAAZkDpEYqJnOvu21XQ2ATHi7W+Rmv9Ktzj+ncFI
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$

Output:

Feb 19 10:33:51.346147 osdx systemd-journald[2186]: Runtime Journal (/run/log/journal/69bd8e6fd19244c08e519827aa7e309f) is 2.3M, max 17.2M, 14.9M free.
Feb 19 10:33:51.349595 osdx systemd-journald[2186]: Received client request to rotate journal, rotating.
Feb 19 10:33:51.349682 osdx systemd-journald[2186]: Vacuuming done, freed 0B of archived journals from /run/log/journal/69bd8e6fd19244c08e519827aa7e309f.
Feb 19 10:33:51.358395 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'system journal clear'.
Feb 19 10:33:51.590766 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'system coredump delete all'.
Feb 19 10:33:51.828041 osdx OSDxCLI[273452]: User 'admin' entered the configuration menu.
Feb 19 10:33:51.909184 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 19 10:33:52.016502 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 19 10:33:52.140448 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'show working'.
Feb 19 10:33:52.253719 osdx ubnt-cfgd[414457]: inactive
Feb 19 10:33:52.277328 osdx INFO[414463]: FRR daemons did not change
Feb 19 10:33:52.409565 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 19 10:33:52.447643 osdx WARNING[414532]: No supported link modes on interface eth0
Feb 19 10:33:52.449295 osdx modulelauncher[414532]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Feb 19 10:33:52.449306 osdx modulelauncher[414532]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Feb 19 10:33:52.450737 osdx modulelauncher[414532]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Feb 19 10:33:52.450747 osdx modulelauncher[414532]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Feb 19 10:33:52.485605 osdx cfgd[1859]: [273452]Completed change to active configuration
Feb 19 10:33:52.496955 osdx OSDxCLI[273452]: User 'admin' committed the configuration.
Feb 19 10:33:52.513395 osdx OSDxCLI[273452]: User 'admin' left the configuration menu.
Feb 19 10:33:52.659272 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Feb 19 10:33:52.741010 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'system journal show | cat'.
Feb 19 10:33:52.923497 osdx OSDxCLI[273452]: User 'admin' entered the configuration menu.
Feb 19 10:33:52.991363 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 19 10:33:53.096152 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Feb 19 10:33:53.165241 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWRXp18Uy11j8CUCAAAZkDpEYqJnOvu21XQ2ATHi7W+Rmv9Ktzj+ncFI'.
Feb 19 10:33:53.259779 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Feb 19 10:33:53.350397 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'show working'.
Feb 19 10:33:53.454289 osdx ubnt-cfgd[414626]: inactive
Feb 19 10:33:53.508987 osdx INFO[414634]: FRR daemons did not change
Feb 19 10:33:53.521526 osdx ca-certificates[414650]: Updating certificates in /etc/ssl/certs...
Feb 19 10:33:54.088338 osdx ubnt-cfgd[415662]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Feb 19 10:33:54.097497 osdx ca-certificates[415667]: 1 added, 0 removed; done.
Feb 19 10:33:54.100335 osdx ca-certificates[415674]: Running hooks in /etc/ca-certificates/update.d...
Feb 19 10:33:54.103053 osdx ca-certificates[415676]: done.
Feb 19 10:33:54.177962 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 19 10:33:54.179207 osdx cfgd[1859]: [273452]Completed change to active configuration
Feb 19 10:33:54.181718 osdx OSDxCLI[273452]: User 'admin' committed the configuration.
Feb 19 10:33:54.206252 osdx dnscrypt-proxy[415680]: [2026-02-19 10:33:54] [NOTICE] dnscrypt-proxy 2.0.45
Feb 19 10:33:54.206455 osdx dnscrypt-proxy[415680]: [2026-02-19 10:33:54] [NOTICE] Network connectivity detected
Feb 19 10:33:54.206550 osdx dnscrypt-proxy[415680]: [2026-02-19 10:33:54] [NOTICE] Dropping privileges
Feb 19 10:33:54.209282 osdx dnscrypt-proxy[415680]: [2026-02-19 10:33:54] [NOTICE] Network connectivity detected
Feb 19 10:33:54.209354 osdx dnscrypt-proxy[415680]: [2026-02-19 10:33:54] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Feb 19 10:33:54.209354 osdx dnscrypt-proxy[415680]: [2026-02-19 10:33:54] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Feb 19 10:33:54.209869 osdx OSDxCLI[273452]: User 'admin' left the configuration menu.
Feb 19 10:33:54.237010 osdx dnscrypt-proxy[415680]: [2026-02-19 10:33:54] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-fhq46jpjijje32g7.tmp: permission denied
Feb 19 10:33:54.237010 osdx dnscrypt-proxy[415680]: [2026-02-19 10:33:54] [NOTICE] Source [RD] loaded
Feb 19 10:33:54.237152 osdx dnscrypt-proxy[415680]: [2026-02-19 10:33:54] [WARNING] Missing stamp for server [server-name`]
Feb 19 10:33:54.237152 osdx dnscrypt-proxy[415680]: [2026-02-19 10:33:54] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Feb 19 10:33:54.237152 osdx dnscrypt-proxy[415680]: [2026-02-19 10:33:54] [NOTICE] Firefox workaround initialized
Feb 19 10:33:54.237152 osdx dnscrypt-proxy[415680]: [2026-02-19 10:33:54] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpfe9xjr4h]
Feb 19 10:33:54.390654 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'system journal show | cat'.
Feb 19 10:33:54.533833 osdx dnscrypt-proxy[415680]: [2026-02-19 10:33:54] [NOTICE] [rd-server] OK (DoH) - rtt: 276ms
Feb 19 10:33:54.533833 osdx dnscrypt-proxy[415680]: [2026-02-19 10:33:54] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 276ms)
Feb 19 10:33:54.533833 osdx dnscrypt-proxy[415680]: [2026-02-19 10:33:54] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWRXp18Uy11j8CUCAAAZkDpEYqJnOvu21XQ2ATHi7W+Rmv9Ktzj+ncFI
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$

Output:

Feb 19 10:34:02.337010 osdx systemd-journald[2186]: Runtime Journal (/run/log/journal/69bd8e6fd19244c08e519827aa7e309f) is 2.2M, max 17.2M, 14.9M free.
Feb 19 10:34:02.338749 osdx systemd-journald[2186]: Received client request to rotate journal, rotating.
Feb 19 10:34:02.338826 osdx systemd-journald[2186]: Vacuuming done, freed 0B of archived journals from /run/log/journal/69bd8e6fd19244c08e519827aa7e309f.
Feb 19 10:34:02.350643 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'system journal clear'.
Feb 19 10:34:02.581865 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'system coredump delete all'.
Feb 19 10:34:02.829635 osdx OSDxCLI[273452]: User 'admin' entered the configuration menu.
Feb 19 10:34:03.230276 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 19 10:34:03.286491 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 19 10:34:03.409104 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'show working'.
Feb 19 10:34:03.481074 osdx ubnt-cfgd[417381]: inactive
Feb 19 10:34:03.883980 osdx INFO[417387]: FRR daemons did not change
Feb 19 10:34:03.918740 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 19 10:34:03.967603 osdx WARNING[417456]: No supported link modes on interface eth0
Feb 19 10:34:03.969157 osdx modulelauncher[417456]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Feb 19 10:34:03.969169 osdx modulelauncher[417456]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Feb 19 10:34:03.970418 osdx modulelauncher[417456]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Feb 19 10:34:03.970427 osdx modulelauncher[417456]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Feb 19 10:34:04.006575 osdx cfgd[1859]: [273452]Completed change to active configuration
Feb 19 10:34:04.018347 osdx OSDxCLI[273452]: User 'admin' committed the configuration.
Feb 19 10:34:04.033693 osdx OSDxCLI[273452]: User 'admin' left the configuration menu.
Feb 19 10:34:04.280958 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Feb 19 10:34:04.364241 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'system journal show | cat'.
Feb 19 10:34:04.709277 osdx OSDxCLI[273452]: User 'admin' entered the configuration menu.
Feb 19 10:34:04.845302 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 19 10:34:04.913766 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Feb 19 10:34:05.142629 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWRXp18Uy11j8CUCAAAZkDpEYqJnOvu21XQ2ATHi7W+Rmv9Ktzj+ncFI'.
Feb 19 10:34:05.231066 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Feb 19 10:34:05.327138 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Feb 19 10:34:05.393374 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'show working'.
Feb 19 10:34:05.486651 osdx ubnt-cfgd[417551]: inactive
Feb 19 10:34:05.505933 osdx INFO[417559]: FRR daemons did not change
Feb 19 10:34:05.518273 osdx ca-certificates[417575]: Updating certificates in /etc/ssl/certs...
Feb 19 10:34:06.110141 osdx ubnt-cfgd[418587]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Feb 19 10:34:06.121452 osdx ca-certificates[418592]: 1 added, 0 removed; done.
Feb 19 10:34:06.125339 osdx ca-certificates[418599]: Running hooks in /etc/ca-certificates/update.d...
Feb 19 10:34:06.129186 osdx ca-certificates[418601]: done.
Feb 19 10:34:06.187131 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 19 10:34:06.188316 osdx cfgd[1859]: [273452]Completed change to active configuration
Feb 19 10:34:06.194972 osdx OSDxCLI[273452]: User 'admin' committed the configuration.
Feb 19 10:34:06.215728 osdx dnscrypt-proxy[418605]: [2026-02-19 10:34:06] [NOTICE] dnscrypt-proxy 2.0.45
Feb 19 10:34:06.216082 osdx dnscrypt-proxy[418605]: [2026-02-19 10:34:06] [NOTICE] Network connectivity detected
Feb 19 10:34:06.216189 osdx dnscrypt-proxy[418605]: [2026-02-19 10:34:06] [NOTICE] Dropping privileges
Feb 19 10:34:06.218826 osdx dnscrypt-proxy[418605]: [2026-02-19 10:34:06] [NOTICE] Network connectivity detected
Feb 19 10:34:06.218896 osdx dnscrypt-proxy[418605]: [2026-02-19 10:34:06] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Feb 19 10:34:06.218896 osdx dnscrypt-proxy[418605]: [2026-02-19 10:34:06] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Feb 19 10:34:06.220668 osdx dnscrypt-proxy[418605]: [2026-02-19 10:34:06] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-6mdohixvtsavk6r3.tmp: permission denied
Feb 19 10:34:06.220668 osdx dnscrypt-proxy[418605]: [2026-02-19 10:34:06] [NOTICE] Source [RD] loaded
Feb 19 10:34:06.220772 osdx dnscrypt-proxy[418605]: [2026-02-19 10:34:06] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Feb 19 10:34:06.220772 osdx dnscrypt-proxy[418605]: [2026-02-19 10:34:06] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Feb 19 10:34:06.220772 osdx dnscrypt-proxy[418605]: [2026-02-19 10:34:06] [NOTICE] Firefox workaround initialized
Feb 19 10:34:06.220772 osdx dnscrypt-proxy[418605]: [2026-02-19 10:34:06] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpm7stbgpe]
Feb 19 10:34:06.224665 osdx OSDxCLI[273452]: User 'admin' left the configuration menu.
Feb 19 10:34:06.300711 osdx dnscrypt-proxy[418605]: [2026-02-19 10:34:06] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 51ms
Feb 19 10:34:06.300711 osdx dnscrypt-proxy[418605]: [2026-02-19 10:34:06] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 51ms)
Feb 19 10:34:06.300711 osdx dnscrypt-proxy[418605]: [2026-02-19 10:34:06] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RO8lPyCqb6a0XNCwKOoQ4HoF
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
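
The key strings in the two failing scenarios are not well-formed minisign public keys, which can be checked before any signature is evaluated. The following is an added example, not part of the original test suite: it decodes each key string from this page and tests it against the minisign public key layout (base64 of a 2-byte "Ed" algorithm tag, an 8-byte key ID and a 32-byte Ed25519 public key). The function name `check_minisign_pubkey` is hypothetical.

```python
import base64
import binascii

# Minisign public key layout after base64 decoding, 42 bytes in total:
#   2 bytes  signature algorithm tag, ASCII "Ed" (Ed25519)
#   8 bytes  key ID
#  32 bytes  Ed25519 public key
ALG = b"Ed"
KEY_ID_LEN = 8
PUBKEY_LEN = 32
TOTAL_LEN = len(ALG) + KEY_ID_LEN + PUBKEY_LEN


def check_minisign_pubkey(encoded: str) -> tuple[bool, str]:
    """Return (ok, detail) for a base64 minisign public key string.

    Hypothetical helper for this example; it checks structure only.
    """
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"not valid base64: {exc}"
    if len(raw) != TOTAL_LEN:
        return False, f"decoded length {len(raw)}, expected {TOTAL_LEN}"
    if raw[:len(ALG)] != ALG:
        return False, f"unexpected algorithm tag {raw[:len(ALG)]!r}"
    key_id = raw[len(ALG):len(ALG) + KEY_ID_LEN]
    return True, f"key id {key_id.hex()}"


# Key strings copied from the scenarios on this page.
PAGE_KEYS = {
    "Valid Source": "RWRXp18Uy11j8CUCAAAZkDpEYqJnOvu21XQ2ATHi7W+Rmv9Ktzj+ncFI",
    "Invalid Source": "RO8lPyCqb6a0XNCwKOoQ4HoF",
    "Invalid Minisign Key": "InvalidMinisignKey==",
}

if __name__ == "__main__":
    for scenario, key in PAGE_KEYS.items():
        ok, detail = check_minisign_pubkey(key)
        print(f"{scenario:22} {'OK' if ok else 'FAIL':4} {detail}")
```

A key that passes this structural check is only well-formed. Because the source URL in these scenarios is plain HTTP, the integrity of the resolver list rests on the signature verification against that key, which this check does not perform.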