Source

Test suite to validate the use of one or multiple ciphers to protect the DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWTrsxhAITKw6Gf+BlIBPajLnD08DDbndVkksFtpr4XJhlFBimoPuy7j
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expression:

(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$

Output:

Mar 23 10:20:48.310118 osdx systemd-journald[2086]: Runtime Journal (/run/log/journal/6b3b4e4818aa404284bc644df40f6904) is 1.8M, max 13.8M, 11.9M free.
Mar 23 10:20:48.312897 osdx systemd-journald[2086]: Received client request to rotate journal, rotating.
Mar 23 10:20:48.312972 osdx systemd-journald[2086]: Vacuuming done, freed 0B of archived journals from /run/log/journal/6b3b4e4818aa404284bc644df40f6904.
Mar 23 10:20:48.319904 osdx OSDxCLI[140369]: User 'admin' executed a new command: 'system journal clear'.
Mar 23 10:20:48.522156 osdx OSDxCLI[140369]: User 'admin' executed a new command: 'system coredump delete all'.
Mar 23 10:20:48.760074 osdx OSDxCLI[140369]: User 'admin' entered the configuration menu.
Mar 23 10:20:48.842407 osdx OSDxCLI[140369]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 23 10:20:48.905007 osdx OSDxCLI[140369]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 23 10:20:48.999651 osdx OSDxCLI[140369]: User 'admin' added a new cfg line: 'show working'.
Mar 23 10:20:49.058566 osdx ubnt-cfgd[226708]: inactive
Mar 23 10:20:49.080571 osdx INFO[226714]: FRR daemons did not change
Mar 23 10:20:49.108929 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 23 10:20:49.153785 osdx WARNING[226783]: No supported link modes on interface eth0
Mar 23 10:20:49.155325 osdx modulelauncher[226783]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Mar 23 10:20:49.155339 osdx modulelauncher[226783]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Mar 23 10:20:49.156805 osdx modulelauncher[226783]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Mar 23 10:20:49.156813 osdx modulelauncher[226783]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Mar 23 10:20:49.190174 osdx cfgd[1828]: [140369]Completed change to active configuration
Mar 23 10:20:49.201299 osdx OSDxCLI[140369]: User 'admin' committed the configuration.
Mar 23 10:20:49.216547 osdx OSDxCLI[140369]: User 'admin' left the configuration menu.
Mar 23 10:20:49.364584 osdx OSDxCLI[140369]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Mar 23 10:20:49.429983 osdx OSDxCLI[140369]: User 'admin' executed a new command: 'system journal show | cat'.
Mar 23 10:20:49.612052 osdx OSDxCLI[140369]: User 'admin' entered the configuration menu.
Mar 23 10:20:49.691940 osdx OSDxCLI[140369]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 23 10:20:49.797976 osdx OSDxCLI[140369]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Mar 23 10:20:49.861956 osdx OSDxCLI[140369]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWTrsxhAITKw6Gf+BlIBPajLnD08DDbndVkksFtpr4XJhlFBimoPuy7j'.
Mar 23 10:20:49.955945 osdx OSDxCLI[140369]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Mar 23 10:20:50.061908 osdx OSDxCLI[140369]: User 'admin' added a new cfg line: 'show working'.
Mar 23 10:20:50.134829 osdx ubnt-cfgd[226877]: inactive
Mar 23 10:20:50.154706 osdx INFO[226885]: FRR daemons did not change
Mar 23 10:20:50.170411 osdx ca-certificates[226901]: Updating certificates in /etc/ssl/certs...
Mar 23 10:20:50.736009 osdx ubnt-cfgd[227913]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Mar 23 10:20:50.745368 osdx ca-certificates[227919]: 1 added, 0 removed; done.
Mar 23 10:20:50.748120 osdx ca-certificates[227925]: Running hooks in /etc/ca-certificates/update.d...
Mar 23 10:20:50.750911 osdx ca-certificates[227927]: done.
Mar 23 10:20:50.809203 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 23 10:20:50.810282 osdx cfgd[1828]: [140369]Completed change to active configuration
Mar 23 10:20:50.812302 osdx OSDxCLI[140369]: User 'admin' committed the configuration.
Mar 23 10:20:50.827127 osdx OSDxCLI[140369]: User 'admin' left the configuration menu.
Mar 23 10:20:50.828618 osdx dnscrypt-proxy[227931]: [2026-03-23 10:20:50] [NOTICE] dnscrypt-proxy 2.0.45
Mar 23 10:20:50.828772 osdx dnscrypt-proxy[227931]: [2026-03-23 10:20:50] [NOTICE] Network connectivity detected
Mar 23 10:20:50.828885 osdx dnscrypt-proxy[227931]: [2026-03-23 10:20:50] [NOTICE] Dropping privileges
Mar 23 10:20:50.831328 osdx dnscrypt-proxy[227931]: [2026-03-23 10:20:50] [NOTICE] Network connectivity detected
Mar 23 10:20:50.831360 osdx dnscrypt-proxy[227931]: [2026-03-23 10:20:50] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Mar 23 10:20:50.831360 osdx dnscrypt-proxy[227931]: [2026-03-23 10:20:50] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Mar 23 10:20:50.832372 osdx dnscrypt-proxy[227931]: [2026-03-23 10:20:50] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-rgbhezmxig3d73ne.tmp: permission denied
Mar 23 10:20:50.832372 osdx dnscrypt-proxy[227931]: [2026-03-23 10:20:50] [NOTICE] Source [RD] loaded
Mar 23 10:20:50.832452 osdx dnscrypt-proxy[227931]: [2026-03-23 10:20:50] [WARNING] Missing stamp for server [server-name`]
Mar 23 10:20:50.832452 osdx dnscrypt-proxy[227931]: [2026-03-23 10:20:50] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Mar 23 10:20:50.832452 osdx dnscrypt-proxy[227931]: [2026-03-23 10:20:50] [NOTICE] Firefox workaround initialized
Mar 23 10:20:50.832452 osdx dnscrypt-proxy[227931]: [2026-03-23 10:20:50] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpiio2murw]
Mar 23 10:20:50.857975 osdx dnscrypt-proxy[227931]: [2026-03-23 10:20:50] [NOTICE] [rd-server] OK (DoH) - rtt: 10ms
Mar 23 10:20:50.857975 osdx dnscrypt-proxy[227931]: [2026-03-23 10:20:50] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 10ms)
Mar 23 10:20:50.857975 osdx dnscrypt-proxy[227931]: [2026-03-23 10:20:50] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWTrsxhAITKw6Gf+BlIBPajLnD08DDbndVkksFtpr4XJhlFBimoPuy7j
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expression:

(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$

Output:

Mar 23 10:20:56.299524 osdx systemd-journald[2086]: Runtime Journal (/run/log/journal/6b3b4e4818aa404284bc644df40f6904) is 1.8M, max 13.8M, 11.9M free.
Mar 23 10:20:56.300658 osdx systemd-journald[2086]: Received client request to rotate journal, rotating.
Mar 23 10:20:56.300714 osdx systemd-journald[2086]: Vacuuming done, freed 0B of archived journals from /run/log/journal/6b3b4e4818aa404284bc644df40f6904.
Mar 23 10:20:56.308815 osdx OSDxCLI[140369]: User 'admin' executed a new command: 'system journal clear'.
Mar 23 10:20:56.505581 osdx OSDxCLI[140369]: User 'admin' executed a new command: 'system coredump delete all'.
Mar 23 10:20:56.731222 osdx OSDxCLI[140369]: User 'admin' entered the configuration menu.
Mar 23 10:20:56.825157 osdx OSDxCLI[140369]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 23 10:20:56.891004 osdx OSDxCLI[140369]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 23 10:20:56.995955 osdx OSDxCLI[140369]: User 'admin' added a new cfg line: 'show working'.
Mar 23 10:20:57.055564 osdx ubnt-cfgd[229623]: inactive
Mar 23 10:20:57.075343 osdx INFO[229629]: FRR daemons did not change
Mar 23 10:20:57.104666 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 23 10:20:57.152028 osdx WARNING[229698]: No supported link modes on interface eth0
Mar 23 10:20:57.153329 osdx modulelauncher[229698]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Mar 23 10:20:57.153342 osdx modulelauncher[229698]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Mar 23 10:20:57.154451 osdx modulelauncher[229698]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Mar 23 10:20:57.154458 osdx modulelauncher[229698]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Mar 23 10:20:57.191921 osdx cfgd[1828]: [140369]Completed change to active configuration
Mar 23 10:20:57.202827 osdx OSDxCLI[140369]: User 'admin' committed the configuration.
Mar 23 10:20:57.216993 osdx OSDxCLI[140369]: User 'admin' left the configuration menu.
Mar 23 10:20:57.378925 osdx OSDxCLI[140369]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Mar 23 10:20:57.449206 osdx OSDxCLI[140369]: User 'admin' executed a new command: 'system journal show | cat'.
Mar 23 10:20:57.624200 osdx OSDxCLI[140369]: User 'admin' entered the configuration menu.
Mar 23 10:20:57.680809 osdx OSDxCLI[140369]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 23 10:20:57.779560 osdx OSDxCLI[140369]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Mar 23 10:20:57.833185 osdx OSDxCLI[140369]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWTrsxhAITKw6Gf+BlIBPajLnD08DDbndVkksFtpr4XJhlFBimoPuy7j'.
Mar 23 10:20:57.936139 osdx OSDxCLI[140369]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Mar 23 10:20:57.998167 osdx OSDxCLI[140369]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Mar 23 10:20:58.102905 osdx OSDxCLI[140369]: User 'admin' added a new cfg line: 'show working'.
Mar 23 10:20:58.165460 osdx ubnt-cfgd[229793]: inactive
Mar 23 10:20:58.185971 osdx INFO[229801]: FRR daemons did not change
Mar 23 10:20:58.197678 osdx ca-certificates[229817]: Updating certificates in /etc/ssl/certs...
Mar 23 10:20:58.693403 osdx ubnt-cfgd[230829]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Mar 23 10:20:58.701023 osdx ca-certificates[230835]: 1 added, 0 removed; done.
Mar 23 10:20:58.703868 osdx ca-certificates[230841]: Running hooks in /etc/ca-certificates/update.d...
Mar 23 10:20:58.707210 osdx ca-certificates[230843]: done.
Mar 23 10:20:58.769055 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 23 10:20:58.770247 osdx cfgd[1828]: [140369]Completed change to active configuration
Mar 23 10:20:58.772775 osdx OSDxCLI[140369]: User 'admin' committed the configuration.
Mar 23 10:20:58.800528 osdx dnscrypt-proxy[230847]: [2026-03-23 10:20:58] [NOTICE] dnscrypt-proxy 2.0.45
Mar 23 10:20:58.800734 osdx dnscrypt-proxy[230847]: [2026-03-23 10:20:58] [NOTICE] Network connectivity detected
Mar 23 10:20:58.800795 osdx dnscrypt-proxy[230847]: [2026-03-23 10:20:58] [NOTICE] Dropping privileges
Mar 23 10:20:58.802881 osdx dnscrypt-proxy[230847]: [2026-03-23 10:20:58] [NOTICE] Network connectivity detected
Mar 23 10:20:58.802917 osdx dnscrypt-proxy[230847]: [2026-03-23 10:20:58] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Mar 23 10:20:58.802917 osdx dnscrypt-proxy[230847]: [2026-03-23 10:20:58] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Mar 23 10:20:58.804140 osdx dnscrypt-proxy[230847]: [2026-03-23 10:20:58] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-ruewf2tmqpqvgoty.tmp: permission denied
Mar 23 10:20:58.804140 osdx dnscrypt-proxy[230847]: [2026-03-23 10:20:58] [NOTICE] Source [RD] loaded
Mar 23 10:20:58.804226 osdx dnscrypt-proxy[230847]: [2026-03-23 10:20:58] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Mar 23 10:20:58.804251 osdx dnscrypt-proxy[230847]: [2026-03-23 10:20:58] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Mar 23 10:20:58.804251 osdx dnscrypt-proxy[230847]: [2026-03-23 10:20:58] [NOTICE] Firefox workaround initialized
Mar 23 10:20:58.804321 osdx dnscrypt-proxy[230847]: [2026-03-23 10:20:58] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp8yhn8gxp]
Mar 23 10:20:58.818895 osdx OSDxCLI[140369]: User 'admin' left the configuration menu.
Mar 23 10:20:58.830897 osdx dnscrypt-proxy[230847]: [2026-03-23 10:20:58] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 11ms
Mar 23 10:20:58.830897 osdx dnscrypt-proxy[230847]: [2026-03-23 10:20:58] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 11ms)
Mar 23 10:20:58.830897 osdx dnscrypt-proxy[230847]: [2026-03-23 10:20:58] [NOTICE] dnscrypt-proxy is ready - live servers: 1
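
Added example (not part of the test suite or of dnscrypt-proxy): the Step 2 check looks only for the OK line, while the same journal output also carries WARNING lines that a pass verdict hides. This sketch applies the same success pattern and collects those warnings; the function name and the sample, a few lines copied from the output above, are choices made for the example.

```python
import re

# Journal line as shown above: "<Mon DD HH:MM:SS.us> <host> <unit>[pid]: <message>"
JOURNAL_RE = re.compile(r"^\w{3} +\d+ [\d:.]+ \S+ (?P<unit>[^\[\s]+)\[\d+\]: (?P<msg>.*)$")
# dnscrypt-proxy message: "[YYYY-MM-DD HH:MM:SS] [LEVEL] text"
PROXY_RE = re.compile(r"^\[[\d\- :]+\] \[(?P<level>[A-Z]+)\] (?P<text>.*)$")
# Same success pattern as the Step 2 regular expression, with the server name captured.
OK_RE = re.compile(r"^\[(?P<server>[^\]]+)\] OK \(DoH\) - rtt: (?P<rtt>\d+)ms$")


def summarize(journal_text, expected_server):
    """Return the pass verdict plus the messages the pass regex never looks at."""
    ok_servers, warnings = {}, []
    for line in journal_text.splitlines():
        j = JOURNAL_RE.match(line)
        if not j or j["unit"] != "dnscrypt-proxy":
            continue  # other units (OSDxCLI, systemd, ...) are out of scope here
        p = PROXY_RE.match(j["msg"])
        if not p:
            continue
        if p["level"] not in ("DEBUG", "INFO", "NOTICE"):
            warnings.append(p["text"])
        m = OK_RE.match(p["text"])
        if m:
            ok_servers[m["server"]] = int(m["rtt"])
    return {
        "passed": expected_server in ok_servers,
        "rtt_ms": ok_servers.get(expected_server),
        "warnings": warnings,
    }


# Sample: lines copied from the "Valid Source With Prefix" output above.
SAMPLE = """\
Mar 23 10:20:58.772775 osdx OSDxCLI[140369]: User 'admin' committed the configuration.
Mar 23 10:20:58.804140 osdx dnscrypt-proxy[230847]: [2026-03-23 10:20:58] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-ruewf2tmqpqvgoty.tmp: permission denied
Mar 23 10:20:58.804140 osdx dnscrypt-proxy[230847]: [2026-03-23 10:20:58] [NOTICE] Source [RD] loaded
Mar 23 10:20:58.804226 osdx dnscrypt-proxy[230847]: [2026-03-23 10:20:58] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Mar 23 10:20:58.830897 osdx dnscrypt-proxy[230847]: [2026-03-23 10:20:58] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 11ms
"""

if __name__ == "__main__":
    print(summarize(SAMPLE, "PRIVATE-rd-server"))
```

With the prefix configured, only the prefixed name counts as a pass; asking for plain rd-server against this output reports a failure.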

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key VyW7R51pmnJdGbdjDaPq30Cm
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
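
Added example (not OSDx or dnscrypt-proxy code): a structural pre-check of the minisign-key values used in the scenarios above, assuming the standard minisign public key layout (base64 of a 2-byte algorithm id "Ed", an 8-byte key id and a 32-byte Ed25519 key). The function names and the source names VALID, RANDOM and BADKEY are made up for the example. A well-formed key that simply belongs to another signer passes this check and is rejected only when the signature is verified.

```python
import base64
import re

# Assumed standard minisign public key layout: 2-byte algorithm id "Ed",
# 8-byte key id, 32-byte Ed25519 public key (42 bytes before base64).
ALG_ED, EXPECTED_LEN = b"Ed", 42
SOURCE_RE = re.compile(
    r"^set service dns proxy source (\S+) (minisign-key|url) '?([^'\s]+)'?\s*$", re.M)


def check_minisign_key(b64_key):
    """Return (ok, detail): detail is the hex key id, or the reason for rejection."""
    try:
        raw = base64.b64decode(b64_key, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return False, f"not valid base64: {exc}"
    if len(raw) != EXPECTED_LEN:
        return False, f"decoded length is {len(raw)} bytes, expected {EXPECTED_LEN}"
    if raw[:2] != ALG_ED:
        return False, f"unexpected algorithm id {raw[:2]!r}"
    return True, raw[2:10].hex()


def audit_sources(config_text):
    """Collect each source's url and key from 'set' lines and report findings."""
    sources = {}
    for name, field, value in SOURCE_RE.findall(config_text):
        sources.setdefault(name, {})[field] = value
    report = {}
    for name, fields in sources.items():
        key_ok, detail = check_minisign_key(fields.get("minisign-key", ""))
        # Over plain HTTP the signature is the only integrity control on the list.
        plain_http = fields.get("url", "").startswith("http://")
        report[name] = {"key_ok": key_ok, "key_detail": detail, "plain_http": plain_http}
    return report


# Constructed input: source lines from the scenarios above, renamed to fit one config.
SAMPLE = """\
set service dns proxy source VALID minisign-key RWTrsxhAITKw6Gf+BlIBPajLnD08DDbndVkksFtpr4XJhlFBimoPuy7j
set service dns proxy source VALID url 'http://10.215.168.1/~robot/RD-resolver.md'
set service dns proxy source RANDOM minisign-key VyW7R51pmnJdGbdjDaPq30Cm
set service dns proxy source RANDOM url 'http://10.215.168.1/~robot/invalid-source'
set service dns proxy source BADKEY minisign-key InvalidMinisignKey==
set service dns proxy source BADKEY url 'http://10.215.168.1/~robot/RD-resolver.md'
"""

if __name__ == "__main__":
    for source_name, result in audit_sources(SAMPLE).items():
        print(source_name, result)
```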