Source

Test suite to validate using one or multiple ciphers to protect DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWR37xtbvb4Tj0D9zLnTZpDzeMEBoa2b9y/pYP092Tp+/WDL8yG6ZKI4
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command system journal show | cat at DUT0 and check that the output matches the following regular expression:

(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Mar 05 21:32:31.287085 osdx systemd-journald[466780]: Runtime Journal (/run/log/journal/78445f9299f9414990e66dc8aa510838) is 1.8M, max 13.8M, 11.9M free.
Mar 05 21:32:31.288579 osdx systemd-journald[466780]: Received client request to rotate journal, rotating.
Mar 05 21:32:31.288640 osdx systemd-journald[466780]: Vacuuming done, freed 0B of archived journals from /run/log/journal/78445f9299f9414990e66dc8aa510838.
Mar 05 21:32:31.296358 osdx OSDxCLI[849840]: User 'admin' executed a new command: 'system journal clear'.
Mar 05 21:32:31.520603 osdx OSDxCLI[849840]: User 'admin' executed a new command: 'system coredump delete all'.
Mar 05 21:32:31.788341 osdx OSDxCLI[849840]: User 'admin' entered the configuration menu.
Mar 05 21:32:31.918516 osdx OSDxCLI[849840]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 05 21:32:31.970635 osdx OSDxCLI[849840]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 05 21:32:32.094814 osdx OSDxCLI[849840]: User 'admin' added a new cfg line: 'show working'.
Mar 05 21:32:32.165821 osdx ubnt-cfgd[977673]: inactive
Mar 05 21:32:32.187529 osdx INFO[977679]: FRR daemons did not change
Mar 05 21:32:32.216590 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 05 21:32:32.261933 osdx WARNING[977748]: No supported link modes on interface eth0
Mar 05 21:32:32.263291 osdx modulelauncher[977748]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Mar 05 21:32:32.263305 osdx modulelauncher[977748]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Mar 05 21:32:32.264483 osdx modulelauncher[977748]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Mar 05 21:32:32.264491 osdx modulelauncher[977748]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Mar 05 21:32:32.296956 osdx cfgd[1863]: [849840]Completed change to active configuration
Mar 05 21:32:32.308360 osdx OSDxCLI[849840]: User 'admin' committed the configuration.
Mar 05 21:32:32.323091 osdx OSDxCLI[849840]: User 'admin' left the configuration menu.
Mar 05 21:32:32.470338 osdx OSDxCLI[849840]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Mar 05 21:32:32.544777 osdx OSDxCLI[849840]: User 'admin' executed a new command: 'system journal show | cat'.
Mar 05 21:32:32.706710 osdx OSDxCLI[849840]: User 'admin' entered the configuration menu.
Mar 05 21:32:32.761476 osdx OSDxCLI[849840]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 05 21:32:32.860075 osdx OSDxCLI[849840]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Mar 05 21:32:32.911494 osdx OSDxCLI[849840]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWR37xtbvb4Tj0D9zLnTZpDzeMEBoa2b9y/pYP092Tp+/WDL8yG6ZKI4'.
Mar 05 21:32:33.002042 osdx OSDxCLI[849840]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Mar 05 21:32:33.088145 osdx OSDxCLI[849840]: User 'admin' added a new cfg line: 'show working'.
Mar 05 21:32:33.155156 osdx ubnt-cfgd[977844]: inactive
Mar 05 21:32:33.175388 osdx INFO[977852]: FRR daemons did not change
Mar 05 21:32:33.188982 osdx ca-certificates[977868]: Updating certificates in /etc/ssl/certs...
Mar 05 21:32:33.687404 osdx ubnt-cfgd[978880]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Mar 05 21:32:33.697570 osdx ca-certificates[978886]: 1 added, 0 removed; done.
Mar 05 21:32:33.701231 osdx ca-certificates[978892]: Running hooks in /etc/ca-certificates/update.d...
Mar 05 21:32:33.703941 osdx ca-certificates[978894]: done.
Mar 05 21:32:33.772952 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 05 21:32:33.774063 osdx cfgd[1863]: [849840]Completed change to active configuration
Mar 05 21:32:33.776131 osdx OSDxCLI[849840]: User 'admin' committed the configuration.
Mar 05 21:32:33.799900 osdx OSDxCLI[849840]: User 'admin' left the configuration menu.
Mar 05 21:32:33.800236 osdx dnscrypt-proxy[978898]: [2026-03-05 21:32:33] [NOTICE] dnscrypt-proxy 2.0.45
Mar 05 21:32:33.800236 osdx dnscrypt-proxy[978898]: [2026-03-05 21:32:33] [NOTICE] Network connectivity detected
Mar 05 21:32:33.800441 osdx dnscrypt-proxy[978898]: [2026-03-05 21:32:33] [NOTICE] Dropping privileges
Mar 05 21:32:33.802560 osdx dnscrypt-proxy[978898]: [2026-03-05 21:32:33] [NOTICE] Network connectivity detected
Mar 05 21:32:33.802602 osdx dnscrypt-proxy[978898]: [2026-03-05 21:32:33] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Mar 05 21:32:33.802602 osdx dnscrypt-proxy[978898]: [2026-03-05 21:32:33] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Mar 05 21:32:33.805865 osdx dnscrypt-proxy[978898]: [2026-03-05 21:32:33] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-k55b73uaaa3t6s3x.tmp: permission denied
Mar 05 21:32:33.805865 osdx dnscrypt-proxy[978898]: [2026-03-05 21:32:33] [NOTICE] Source [RD] loaded
Mar 05 21:32:33.805945 osdx dnscrypt-proxy[978898]: [2026-03-05 21:32:33] [WARNING] Missing stamp for server [server-name`]
Mar 05 21:32:33.805945 osdx dnscrypt-proxy[978898]: [2026-03-05 21:32:33] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Mar 05 21:32:33.805945 osdx dnscrypt-proxy[978898]: [2026-03-05 21:32:33] [NOTICE] Firefox workaround initialized
Mar 05 21:32:33.805945 osdx dnscrypt-proxy[978898]: [2026-03-05 21:32:33] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp45ei764y]
Mar 05 21:32:33.892833 osdx dnscrypt-proxy[978898]: [2026-03-05 21:32:33] [NOTICE] [rd-server] OK (DoH) - rtt: 71ms
Mar 05 21:32:33.892833 osdx dnscrypt-proxy[978898]: [2026-03-05 21:32:33] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 71ms)
Mar 05 21:32:33.892833 osdx dnscrypt-proxy[978898]: [2026-03-05 21:32:33] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWR37xtbvb4Tj0D9zLnTZpDzeMEBoa2b9y/pYP092Tp+/WDL8yG6ZKI4
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command system journal show | cat at DUT0 and check that the output matches the following regular expression:

(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Mar 05 21:32:39.350306 osdx systemd-journald[466780]: Runtime Journal (/run/log/journal/78445f9299f9414990e66dc8aa510838) is 1.8M, max 13.8M, 11.9M free.
Mar 05 21:32:39.354041 osdx systemd-journald[466780]: Received client request to rotate journal, rotating.
Mar 05 21:32:39.354100 osdx systemd-journald[466780]: Vacuuming done, freed 0B of archived journals from /run/log/journal/78445f9299f9414990e66dc8aa510838.
Mar 05 21:32:39.362892 osdx OSDxCLI[849840]: User 'admin' executed a new command: 'system journal clear'.
Mar 05 21:32:39.616136 osdx OSDxCLI[849840]: User 'admin' executed a new command: 'system coredump delete all'.
Mar 05 21:32:39.829514 osdx OSDxCLI[849840]: User 'admin' entered the configuration menu.
Mar 05 21:32:39.924897 osdx OSDxCLI[849840]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 05 21:32:39.999478 osdx OSDxCLI[849840]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 05 21:32:40.061783 osdx OSDxCLI[849840]: User 'admin' added a new cfg line: 'show working'.
Mar 05 21:32:40.152494 osdx ubnt-cfgd[980591]: inactive
Mar 05 21:32:40.171259 osdx INFO[980597]: FRR daemons did not change
Mar 05 21:32:40.206097 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 05 21:32:40.251665 osdx WARNING[980666]: No supported link modes on interface eth0
Mar 05 21:32:40.253001 osdx modulelauncher[980666]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Mar 05 21:32:40.253012 osdx modulelauncher[980666]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Mar 05 21:32:40.254151 osdx modulelauncher[980666]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Mar 05 21:32:40.254160 osdx modulelauncher[980666]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Mar 05 21:32:40.287504 osdx cfgd[1863]: [849840]Completed change to active configuration
Mar 05 21:32:40.298823 osdx OSDxCLI[849840]: User 'admin' committed the configuration.
Mar 05 21:32:40.315203 osdx OSDxCLI[849840]: User 'admin' left the configuration menu.
Mar 05 21:32:40.454697 osdx OSDxCLI[849840]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Mar 05 21:32:40.519902 osdx OSDxCLI[849840]: User 'admin' executed a new command: 'system journal show | cat'.
Mar 05 21:32:40.643349 osdx OSDxCLI[849840]: User 'admin' entered the configuration menu.
Mar 05 21:32:40.706517 osdx OSDxCLI[849840]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 05 21:32:40.805210 osdx OSDxCLI[849840]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Mar 05 21:32:40.856864 osdx OSDxCLI[849840]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWR37xtbvb4Tj0D9zLnTZpDzeMEBoa2b9y/pYP092Tp+/WDL8yG6ZKI4'.
Mar 05 21:32:40.949096 osdx OSDxCLI[849840]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Mar 05 21:32:41.002043 osdx OSDxCLI[849840]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Mar 05 21:32:41.105569 osdx OSDxCLI[849840]: User 'admin' added a new cfg line: 'show working'.
Mar 05 21:32:41.166695 osdx ubnt-cfgd[980761]: inactive
Mar 05 21:32:41.193339 osdx INFO[980769]: FRR daemons did not change
Mar 05 21:32:41.216236 osdx ca-certificates[980785]: Updating certificates in /etc/ssl/certs...
Mar 05 21:32:41.732588 osdx ubnt-cfgd[981797]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Mar 05 21:32:41.740024 osdx ca-certificates[981803]: 1 added, 0 removed; done.
Mar 05 21:32:41.742988 osdx ca-certificates[981809]: Running hooks in /etc/ca-certificates/update.d...
Mar 05 21:32:41.745725 osdx ca-certificates[981811]: done.
Mar 05 21:32:41.810416 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 05 21:32:41.812833 osdx cfgd[1863]: [849840]Completed change to active configuration
Mar 05 21:32:41.815198 osdx OSDxCLI[849840]: User 'admin' committed the configuration.
Mar 05 21:32:41.831264 osdx OSDxCLI[849840]: User 'admin' left the configuration menu.
Mar 05 21:32:41.834298 osdx dnscrypt-proxy[981815]: [2026-03-05 21:32:41] [NOTICE] dnscrypt-proxy 2.0.45
Mar 05 21:32:41.834492 osdx dnscrypt-proxy[981815]: [2026-03-05 21:32:41] [NOTICE] Network connectivity detected
Mar 05 21:32:41.834543 osdx dnscrypt-proxy[981815]: [2026-03-05 21:32:41] [NOTICE] Dropping privileges
Mar 05 21:32:41.836846 osdx dnscrypt-proxy[981815]: [2026-03-05 21:32:41] [NOTICE] Network connectivity detected
Mar 05 21:32:41.836895 osdx dnscrypt-proxy[981815]: [2026-03-05 21:32:41] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Mar 05 21:32:41.836895 osdx dnscrypt-proxy[981815]: [2026-03-05 21:32:41] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Mar 05 21:32:41.838098 osdx dnscrypt-proxy[981815]: [2026-03-05 21:32:41] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-6zhfipqc6j5w67kn.tmp: permission denied
Mar 05 21:32:41.838098 osdx dnscrypt-proxy[981815]: [2026-03-05 21:32:41] [NOTICE] Source [RD] loaded
Mar 05 21:32:41.838154 osdx dnscrypt-proxy[981815]: [2026-03-05 21:32:41] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Mar 05 21:32:41.838178 osdx dnscrypt-proxy[981815]: [2026-03-05 21:32:41] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Mar 05 21:32:41.838178 osdx dnscrypt-proxy[981815]: [2026-03-05 21:32:41] [NOTICE] Firefox workaround initialized
Mar 05 21:32:41.838221 osdx dnscrypt-proxy[981815]: [2026-03-05 21:32:41] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpc1u43huo]
Mar 05 21:32:41.932822 osdx dnscrypt-proxy[981815]: [2026-03-05 21:32:41] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 73ms
Mar 05 21:32:41.932822 osdx dnscrypt-proxy[981815]: [2026-03-05 21:32:41] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 73ms)
Mar 05 21:32:41.932822 osdx dnscrypt-proxy[981815]: [2026-03-05 21:32:41] [NOTICE] dnscrypt-proxy is ready - live servers: 1
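The Step 2 check in both valid-source scenarios passes on a single OK line, even though the same journal carries dnscrypt-proxy warnings (the cache write failure and the missing stamp). The following added example, which is not part of the test suite, applies the page's regular expression for a given server name and also collects those warnings; the function names are assumptions and the sample lines are copied from the output above.

```python
import re

# Four dnscrypt-proxy lines copied from the "Valid Source With Prefix" journal output.
SAMPLE_JOURNAL = "\n".join([
    "Mar 05 21:32:41.838098 osdx dnscrypt-proxy[981815]: [2026-03-05 21:32:41] [WARNING] "
    "/var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-6zhfipqc6j5w67kn.tmp: permission denied",
    "Mar 05 21:32:41.838098 osdx dnscrypt-proxy[981815]: [2026-03-05 21:32:41] [NOTICE] Source [RD] loaded",
    "Mar 05 21:32:41.838154 osdx dnscrypt-proxy[981815]: [2026-03-05 21:32:41] [WARNING] "
    "Missing stamp for server [PRIVATE-server-name`]",
    "Mar 05 21:32:41.932822 osdx dnscrypt-proxy[981815]: [2026-03-05 21:32:41] [NOTICE] "
    "[PRIVATE-rd-server] OK (DoH) - rtt: 73ms",
])

# Message part of any dnscrypt-proxy line logged at WARNING level.
WARNING_RE = re.compile(r"dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[WARNING\] (.*)$", re.M)


def ok_pattern(server_name):
    """Build the page's pass regex for one server name, capturing the RTT."""
    return re.compile(r"(?m)^.*\[%s\] OK \(DoH\) - rtt: (\d+)ms$" % re.escape(server_name))


def check_journal(journal, server_name):
    """Return pass/fail for the server plus any dnscrypt-proxy warnings seen."""
    match = ok_pattern(server_name).search(journal)
    return {
        "ok": match is not None,
        "rtt_ms": int(match.group(1)) if match else None,
        "warnings": WARNING_RE.findall(journal),
    }


if __name__ == "__main__":
    # The prefixed name matches; the unprefixed name does not, because the
    # regex anchors the name directly after the opening bracket.
    print(check_journal(SAMPLE_JOURNAL, "PRIVATE-rd-server"))
    print(check_journal(SAMPLE_JOURNAL, "rd-server")["ok"])
```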

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key q8d7KixZ7xxbepuIVWDtbVdd
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
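The three minisign-key values used on this page differ structurally: a minisign public key is the base64 encoding of a 2-byte algorithm id ("Ed"), an 8-byte key id and a 32-byte Ed25519 key. The following added example, which is not code from the test suite or from dnscrypt-proxy, checks that layout for each key; the function names are assumptions, and the check covers only the encoding, not whether the key actually signed the source list.

```python
import base64
import binascii

# Keys copied from the scenarios on this page.
VALID_KEY = "RWR37xtbvb4Tj0D9zLnTZpDzeMEBoa2b9y/pYP092Tp+/WDL8yG6ZKI4"
RANDOM_KEY = "q8d7KixZ7xxbepuIVWDtbVdd"   # "Invalid Source" scenario
BROKEN_KEY = "InvalidMinisignKey=="       # "Invalid Minisign Key" scenario

# minisign public key layout: 2-byte algorithm id, 8-byte key id, 32-byte Ed25519 key.
ALG_ED25519 = b"Ed"
KEY_ID_LEN = 8
PUBKEY_LEN = 32
TOTAL_LEN = len(ALG_ED25519) + KEY_ID_LEN + PUBKEY_LEN  # 42 bytes


def parse_minisign_pubkey(encoded):
    """Decode a minisign public key string; raise ValueError if malformed."""
    try:
        raw = base64.b64decode(encoded.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if len(raw) != TOTAL_LEN:
        raise ValueError(f"decoded length {len(raw)}, expected {TOTAL_LEN}")
    if raw[:2] != ALG_ED25519:
        raise ValueError(f"unexpected algorithm id {raw[:2]!r}")
    return {
        "algorithm": raw[:2].decode("ascii"),
        "key_id": raw[2:10].hex(),      # raw key-id bytes, in stored order
        "public_key": raw[10:],
    }


def check_key(encoded):
    """Return (ok, detail) so a config linter can report without raising."""
    try:
        parsed = parse_minisign_pubkey(encoded)
    except ValueError as exc:
        return False, str(exc)
    return True, f"Ed25519 key, id {parsed['key_id']}"


if __name__ == "__main__":
    for label, key in [("valid", VALID_KEY), ("random", RANDOM_KEY), ("broken", BROKEN_KEY)]:
        print(label, check_key(key))
```

A key that passes this check can still be the wrong key for a given source; that case is only caught when the signature over the downloaded list is verified.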