Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWS0y9anNzbe/3mg1Ekf3equ9Mp1mAJYmGUq1MZf4s1P4+XQaxzyRf7b
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Apr 16 20:07:53.307188 osdx systemd-journald[126917]: Runtime Journal (/run/log/journal/a3fecc5be5e949c7a083b0adeea4bb21) is 1.8M, max 13.8M, 11.9M free.
Apr 16 20:07:53.310810 osdx systemd-journald[126917]: Received client request to rotate journal, rotating.
Apr 16 20:07:53.310915 osdx systemd-journald[126917]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a3fecc5be5e949c7a083b0adeea4bb21.
Apr 16 20:07:53.318569 osdx OSDxCLI[514199]: User 'admin' executed a new command: 'system journal clear'.
Apr 16 20:07:53.569952 osdx OSDxCLI[514199]: User 'admin' executed a new command: 'system coredump delete all'.
Apr 16 20:07:53.845109 osdx OSDxCLI[514199]: User 'admin' entered the configuration menu.
Apr 16 20:07:53.938508 osdx OSDxCLI[514199]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Apr 16 20:07:54.033642 osdx OSDxCLI[514199]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 16 20:07:54.144557 osdx OSDxCLI[514199]: User 'admin' added a new cfg line: 'show working'.
Apr 16 20:07:54.217553 osdx ubnt-cfgd[652926]: inactive
Apr 16 20:07:54.240282 osdx INFO[652932]: FRR daemons did not change
Apr 16 20:07:54.274795 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Apr 16 20:07:54.321774 osdx WARNING[653001]: No supported link modes on interface eth0
Apr 16 20:07:54.323602 osdx modulelauncher[653001]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Apr 16 20:07:54.323615 osdx modulelauncher[653001]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Apr 16 20:07:54.325136 osdx modulelauncher[653001]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Apr 16 20:07:54.325145 osdx modulelauncher[653001]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Apr 16 20:07:54.366972 osdx cfgd[1833]: [514199]Completed change to active configuration
Apr 16 20:07:54.379996 osdx OSDxCLI[514199]: User 'admin' committed the configuration.
Apr 16 20:07:54.412367 osdx OSDxCLI[514199]: User 'admin' left the configuration menu.
Apr 16 20:07:54.564856 osdx OSDxCLI[514199]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Apr 16 20:07:54.636421 osdx OSDxCLI[514199]: User 'admin' executed a new command: 'system journal show | cat'.
Apr 16 20:07:54.809495 osdx OSDxCLI[514199]: User 'admin' entered the configuration menu.
Apr 16 20:07:54.908906 osdx OSDxCLI[514199]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Apr 16 20:07:54.965927 osdx OSDxCLI[514199]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Apr 16 20:07:55.060266 osdx OSDxCLI[514199]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWS0y9anNzbe/3mg1Ekf3equ9Mp1mAJYmGUq1MZf4s1P4+XQaxzyRf7b'.
Apr 16 20:07:55.111821 osdx OSDxCLI[514199]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Apr 16 20:07:55.221257 osdx OSDxCLI[514199]: User 'admin' added a new cfg line: 'show working'.
Apr 16 20:07:55.315408 osdx ubnt-cfgd[653096]: inactive
Apr 16 20:07:55.337401 osdx INFO[653104]: FRR daemons did not change
Apr 16 20:07:55.351626 osdx ca-certificates[653120]: Updating certificates in /etc/ssl/certs...
Apr 16 20:07:55.932595 osdx ubnt-cfgd[654132]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Apr 16 20:07:55.941172 osdx ca-certificates[654138]: 1 added, 0 removed; done.
Apr 16 20:07:55.944186 osdx ca-certificates[654144]: Running hooks in /etc/ca-certificates/update.d...
Apr 16 20:07:55.946923 osdx ca-certificates[654146]: done.
Apr 16 20:07:56.015112 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Apr 16 20:07:56.016247 osdx cfgd[1833]: [514199]Completed change to active configuration
Apr 16 20:07:56.018213 osdx OSDxCLI[514199]: User 'admin' committed the configuration.
Apr 16 20:07:56.034421 osdx dnscrypt-proxy[654150]: [2026-04-16 20:07:56] [NOTICE] dnscrypt-proxy 2.0.45
Apr 16 20:07:56.034645 osdx dnscrypt-proxy[654150]: [2026-04-16 20:07:56] [NOTICE] Network connectivity detected
Apr 16 20:07:56.034682 osdx dnscrypt-proxy[654150]: [2026-04-16 20:07:56] [NOTICE] Dropping privileges
Apr 16 20:07:56.037084 osdx dnscrypt-proxy[654150]: [2026-04-16 20:07:56] [NOTICE] Network connectivity detected
Apr 16 20:07:56.037128 osdx dnscrypt-proxy[654150]: [2026-04-16 20:07:56] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Apr 16 20:07:56.037128 osdx dnscrypt-proxy[654150]: [2026-04-16 20:07:56] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Apr 16 20:07:56.038268 osdx dnscrypt-proxy[654150]: [2026-04-16 20:07:56] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-rrhvqu7uwqawiomt.tmp: permission denied
Apr 16 20:07:56.038268 osdx dnscrypt-proxy[654150]: [2026-04-16 20:07:56] [NOTICE] Source [RD] loaded
Apr 16 20:07:56.038320 osdx dnscrypt-proxy[654150]: [2026-04-16 20:07:56] [WARNING] Missing stamp for server [server-name`]
Apr 16 20:07:56.038320 osdx dnscrypt-proxy[654150]: [2026-04-16 20:07:56] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Apr 16 20:07:56.038320 osdx dnscrypt-proxy[654150]: [2026-04-16 20:07:56] [NOTICE] Firefox workaround initialized
Apr 16 20:07:56.038320 osdx dnscrypt-proxy[654150]: [2026-04-16 20:07:56] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpj8yqh7ac]
Apr 16 20:07:56.064372 osdx dnscrypt-proxy[654150]: [2026-04-16 20:07:56] [NOTICE] [rd-server] OK (DoH) - rtt: 10ms
Apr 16 20:07:56.064372 osdx dnscrypt-proxy[654150]: [2026-04-16 20:07:56] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 10ms)
Apr 16 20:07:56.064372 osdx dnscrypt-proxy[654150]: [2026-04-16 20:07:56] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Apr 16 20:07:56.070860 osdx OSDxCLI[514199]: User 'admin' left the configuration menu.
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWS0y9anNzbe/3mg1Ekf3equ9Mp1mAJYmGUq1MZf4s1P4+XQaxzyRf7b
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Apr 16 20:08:02.370614 osdx systemd-journald[126917]: Runtime Journal (/run/log/journal/a3fecc5be5e949c7a083b0adeea4bb21) is 1.8M, max 13.8M, 11.9M free.
Apr 16 20:08:02.374176 osdx systemd-journald[126917]: Received client request to rotate journal, rotating.
Apr 16 20:08:02.374247 osdx systemd-journald[126917]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a3fecc5be5e949c7a083b0adeea4bb21.
Apr 16 20:08:02.381458 osdx OSDxCLI[514199]: User 'admin' executed a new command: 'system journal clear'.
Apr 16 20:08:02.616779 osdx OSDxCLI[514199]: User 'admin' executed a new command: 'system coredump delete all'.
Apr 16 20:08:02.892392 osdx OSDxCLI[514199]: User 'admin' entered the configuration menu.
Apr 16 20:08:02.987682 osdx OSDxCLI[514199]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Apr 16 20:08:03.053105 osdx OSDxCLI[514199]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 16 20:08:03.155134 osdx OSDxCLI[514199]: User 'admin' added a new cfg line: 'show working'.
Apr 16 20:08:03.258857 osdx ubnt-cfgd[655848]: inactive
Apr 16 20:08:03.283040 osdx INFO[655854]: FRR daemons did not change
Apr 16 20:08:03.314179 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Apr 16 20:08:03.360781 osdx WARNING[655923]: No supported link modes on interface eth0
Apr 16 20:08:03.362203 osdx modulelauncher[655923]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Apr 16 20:08:03.362217 osdx modulelauncher[655923]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Apr 16 20:08:03.363421 osdx modulelauncher[655923]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Apr 16 20:08:03.363429 osdx modulelauncher[655923]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Apr 16 20:08:03.407216 osdx cfgd[1833]: [514199]Completed change to active configuration
Apr 16 20:08:03.418690 osdx OSDxCLI[514199]: User 'admin' committed the configuration.
Apr 16 20:08:03.434246 osdx OSDxCLI[514199]: User 'admin' left the configuration menu.
Apr 16 20:08:03.582052 osdx OSDxCLI[514199]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Apr 16 20:08:03.655079 osdx OSDxCLI[514199]: User 'admin' executed a new command: 'system journal show | cat'.
Apr 16 20:08:03.813989 osdx OSDxCLI[514199]: User 'admin' entered the configuration menu.
Apr 16 20:08:03.881142 osdx OSDxCLI[514199]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Apr 16 20:08:03.988751 osdx OSDxCLI[514199]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Apr 16 20:08:04.044159 osdx OSDxCLI[514199]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWS0y9anNzbe/3mg1Ekf3equ9Mp1mAJYmGUq1MZf4s1P4+XQaxzyRf7b'.
Apr 16 20:08:04.136423 osdx OSDxCLI[514199]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Apr 16 20:08:04.190356 osdx OSDxCLI[514199]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Apr 16 20:08:04.323616 osdx OSDxCLI[514199]: User 'admin' added a new cfg line: 'show working'.
Apr 16 20:08:04.388773 osdx ubnt-cfgd[656019]: inactive
Apr 16 20:08:04.411216 osdx INFO[656027]: FRR daemons did not change
Apr 16 20:08:04.426462 osdx ca-certificates[656043]: Updating certificates in /etc/ssl/certs...
Apr 16 20:08:04.992302 osdx ubnt-cfgd[657055]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Apr 16 20:08:05.002013 osdx ca-certificates[657061]: 1 added, 0 removed; done.
Apr 16 20:08:05.004923 osdx ca-certificates[657067]: Running hooks in /etc/ca-certificates/update.d...
Apr 16 20:08:05.007735 osdx ca-certificates[657069]: done.
Apr 16 20:08:05.066701 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Apr 16 20:08:05.068308 osdx cfgd[1833]: [514199]Completed change to active configuration
Apr 16 20:08:05.071264 osdx OSDxCLI[514199]: User 'admin' committed the configuration.
Apr 16 20:08:05.089848 osdx OSDxCLI[514199]: User 'admin' left the configuration menu.
Apr 16 20:08:05.097049 osdx dnscrypt-proxy[657073]: [2026-04-16 20:08:05] [NOTICE] dnscrypt-proxy 2.0.45
Apr 16 20:08:05.097270 osdx dnscrypt-proxy[657073]: [2026-04-16 20:08:05] [NOTICE] Network connectivity detected
Apr 16 20:08:05.097388 osdx dnscrypt-proxy[657073]: [2026-04-16 20:08:05] [NOTICE] Dropping privileges
Apr 16 20:08:05.099723 osdx dnscrypt-proxy[657073]: [2026-04-16 20:08:05] [NOTICE] Network connectivity detected
Apr 16 20:08:05.099766 osdx dnscrypt-proxy[657073]: [2026-04-16 20:08:05] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Apr 16 20:08:05.099766 osdx dnscrypt-proxy[657073]: [2026-04-16 20:08:05] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Apr 16 20:08:05.100940 osdx dnscrypt-proxy[657073]: [2026-04-16 20:08:05] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-pv7fq4jpkrdspmhh.tmp: permission denied
Apr 16 20:08:05.100940 osdx dnscrypt-proxy[657073]: [2026-04-16 20:08:05] [NOTICE] Source [RD] loaded
Apr 16 20:08:05.101126 osdx dnscrypt-proxy[657073]: [2026-04-16 20:08:05] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Apr 16 20:08:05.101156 osdx dnscrypt-proxy[657073]: [2026-04-16 20:08:05] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Apr 16 20:08:05.101156 osdx dnscrypt-proxy[657073]: [2026-04-16 20:08:05] [NOTICE] Firefox workaround initialized
Apr 16 20:08:05.101156 osdx dnscrypt-proxy[657073]: [2026-04-16 20:08:05] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpc8k4b7s7]
Apr 16 20:08:05.126796 osdx dnscrypt-proxy[657073]: [2026-04-16 20:08:05] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 11ms
Apr 16 20:08:05.126796 osdx dnscrypt-proxy[657073]: [2026-04-16 20:08:05] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 11ms)
Apr 16 20:08:05.126796 osdx dnscrypt-proxy[657073]: [2026-04-16 20:08:05] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key JSksOOINglFNRUTdgI1kNItI
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
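The keys in the Invalid Source and Invalid Minisign Key scenarios can be told apart from the valid one before any source list is downloaded, because a minisign public key is base64 for exactly 42 bytes: a 2-byte "Ed" algorithm tag, an 8-byte key ID and a 32-byte Ed25519 public key. The following check is an added example, not OSDx or dnscrypt-proxy code; the function names and the suffixed source names (RD-valid, RD-random, RD-bad) are hypothetical, and the key values are the ones shown on this page.

```python
import base64
import binascii
import re

KEY_LEN = 42  # 2-byte algorithm tag + 8-byte key ID + 32-byte Ed25519 public key
KEY_LINE = re.compile(r"^set service dns proxy source (\S+) minisign-key (\S+)$")


def check_minisign_key(text):
    """Structurally validate a base64 minisign public key; return (ok, detail)."""
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return False, "not valid base64"
    if len(raw) != KEY_LEN:
        return False, f"decodes to {len(raw)} bytes, expected {KEY_LEN}"
    if raw[:2] != b"Ed":
        return False, f"unexpected algorithm tag {raw[:2]!r}"
    # Key ID is reported as the 8 bytes in stored order.
    return True, f"key ID bytes {raw[2:10].hex()}"


def audit_config(config):
    """Map each source name in a set-style config to its key check result."""
    results = {}
    for line in config.splitlines():
        match = KEY_LINE.match(line.strip())
        if match:
            results[match.group(1)] = check_minisign_key(match.group(2))
    return results


# Keys copied from the scenarios on this page. The source names are suffixed
# (hypothetical) so that a single audit run can report all three.
SAMPLE = """
set service dns proxy source RD-valid minisign-key RWS0y9anNzbe/3mg1Ekf3equ9Mp1mAJYmGUq1MZf4s1P4+XQaxzyRf7b
set service dns proxy source RD-random minisign-key JSksOOINglFNRUTdgI1kNItI
set service dns proxy source RD-bad minisign-key InvalidMinisignKey==
"""

if __name__ == "__main__":
    for name, (ok, detail) in audit_config(SAMPLE).items():
        print(f"{name}: {'OK' if ok else 'REJECT'} ({detail})")
```

A key that passes is only well-formed; whether it is the right key is still decided by verifying the signature on the downloaded source list, which is the only integrity control when the list is fetched over plain HTTP as in these scenarios.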