Source

Test suite to validate using one or multiple ciphers to protect the DoH connection.

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWSFCra0tAC4M8HQcfb8nGkLpCVFEy2F3OAfhEXpze8pyNOh1TjRTacK
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expressions:

(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$

Output:
May 04 23:12:14.283622 osdx systemd-journald[1908]: Runtime Journal (/run/log/journal/9e2a66651dea45ed982d8152051049c2) is 1.9M, max 13.8M, 11.8M free.
May 04 23:12:14.284432 osdx systemd-journald[1908]: Received client request to rotate journal, rotating.
May 04 23:12:14.284467 osdx systemd-journald[1908]: Vacuuming done, freed 0B of archived journals from /run/log/journal/9e2a66651dea45ed982d8152051049c2.
May 04 23:12:14.294480 osdx OSDxCLI[130064]: User 'admin' executed a new command: 'system journal clear'.
May 04 23:12:14.490934 osdx OSDxCLI[130064]: User 'admin' executed a new command: 'system coredump delete all'.
May 04 23:12:14.744581 osdx OSDxCLI[130064]: User 'admin' entered the configuration menu.
May 04 23:12:14.848655 osdx OSDxCLI[130064]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 04 23:12:14.924708 osdx OSDxCLI[130064]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 04 23:12:15.025840 osdx OSDxCLI[130064]: User 'admin' added a new cfg line: 'show working'.
May 04 23:12:15.084273 osdx ubnt-cfgd[302357]: inactive
May 04 23:12:15.102890 osdx INFO[302363]: FRR daemons did not change
May 04 23:12:15.132466 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 04 23:12:15.176368 osdx WARNING[302432]: No supported link modes on interface eth0
May 04 23:12:15.177629 osdx modulelauncher[302432]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
May 04 23:12:15.177640 osdx modulelauncher[302432]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
May 04 23:12:15.178827 osdx modulelauncher[302432]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
May 04 23:12:15.178836 osdx modulelauncher[302432]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
May 04 23:12:15.216442 osdx cfgd[1648]: [130064]Completed change to active configuration
May 04 23:12:15.227713 osdx OSDxCLI[130064]: User 'admin' committed the configuration.
May 04 23:12:15.247076 osdx OSDxCLI[130064]: User 'admin' left the configuration menu.
May 04 23:12:15.387819 osdx OSDxCLI[130064]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 04 23:12:15.454238 osdx OSDxCLI[130064]: User 'admin' executed a new command: 'system journal show | cat'.
May 04 23:12:15.648147 osdx OSDxCLI[130064]: User 'admin' entered the configuration menu.
May 04 23:12:15.702266 osdx OSDxCLI[130064]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 04 23:12:15.802908 osdx OSDxCLI[130064]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
May 04 23:12:15.855080 osdx OSDxCLI[130064]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWSFCra0tAC4M8HQcfb8nGkLpCVFEy2F3OAfhEXpze8pyNOh1TjRTacK'.
May 04 23:12:15.945256 osdx OSDxCLI[130064]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
May 04 23:12:16.009253 osdx OSDxCLI[130064]: User 'admin' added a new cfg line: 'show working'.
May 04 23:12:16.098246 osdx ubnt-cfgd[302527]: inactive
May 04 23:12:16.117278 osdx INFO[302535]: FRR daemons did not change
May 04 23:12:16.128355 osdx ca-certificates[302551]: Updating certificates in /etc/ssl/certs...
May 04 23:12:16.608276 osdx ubnt-cfgd[303563]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
May 04 23:12:16.616073 osdx ca-certificates[303569]: 1 added, 0 removed; done.
May 04 23:12:16.618927 osdx ca-certificates[303575]: Running hooks in /etc/ca-certificates/update.d...
May 04 23:12:16.621636 osdx ca-certificates[303577]: done.
May 04 23:12:16.672809 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 04 23:12:16.673610 osdx cfgd[1648]: [130064]Completed change to active configuration
May 04 23:12:16.675912 osdx OSDxCLI[130064]: User 'admin' committed the configuration.
May 04 23:12:16.701529 osdx dnscrypt-proxy[303581]: [2026-05-04 23:12:16] [NOTICE] dnscrypt-proxy 2.0.45
May 04 23:12:16.701736 osdx dnscrypt-proxy[303581]: [2026-05-04 23:12:16] [NOTICE] Network connectivity detected
May 04 23:12:16.701851 osdx dnscrypt-proxy[303581]: [2026-05-04 23:12:16] [NOTICE] Dropping privileges
May 04 23:12:16.703049 osdx OSDxCLI[130064]: User 'admin' left the configuration menu.
May 04 23:12:16.704669 osdx dnscrypt-proxy[303581]: [2026-05-04 23:12:16] [NOTICE] Network connectivity detected
May 04 23:12:16.704716 osdx dnscrypt-proxy[303581]: [2026-05-04 23:12:16] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
May 04 23:12:16.704716 osdx dnscrypt-proxy[303581]: [2026-05-04 23:12:16] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
May 04 23:12:16.705904 osdx dnscrypt-proxy[303581]: [2026-05-04 23:12:16] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-j6fb3uvfopdwlw3a.tmp: permission denied
May 04 23:12:16.705904 osdx dnscrypt-proxy[303581]: [2026-05-04 23:12:16] [NOTICE] Source [RD] loaded
May 04 23:12:16.705989 osdx dnscrypt-proxy[303581]: [2026-05-04 23:12:16] [WARNING] Missing stamp for server [server-name`]
May 04 23:12:16.705989 osdx dnscrypt-proxy[303581]: [2026-05-04 23:12:16] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
May 04 23:12:16.705989 osdx dnscrypt-proxy[303581]: [2026-05-04 23:12:16] [NOTICE] Firefox workaround initialized
May 04 23:12:16.705989 osdx dnscrypt-proxy[303581]: [2026-05-04 23:12:16] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp_kthgo9o]
May 04 23:12:16.846308 osdx OSDxCLI[130064]: User 'admin' executed a new command: 'system journal show | cat'.
May 04 23:12:17.181468 osdx dnscrypt-proxy[303581]: [2026-05-04 23:12:17] [NOTICE] [rd-server] OK (DoH) - rtt: 450ms
May 04 23:12:17.181468 osdx dnscrypt-proxy[303581]: [2026-05-04 23:12:17] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 450ms)
May 04 23:12:17.181468 osdx dnscrypt-proxy[303581]: [2026-05-04 23:12:17] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, it uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWSFCra0tAC4M8HQcfb8nGkLpCVFEy2F3OAfhEXpze8pyNOh1TjRTacK
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expressions:

(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$

Output:
May 04 23:12:24.286973 osdx systemd-journald[1908]: Runtime Journal (/run/log/journal/9e2a66651dea45ed982d8152051049c2) is 1.8M, max 13.8M, 11.9M free.
May 04 23:12:24.288316 osdx systemd-journald[1908]: Received client request to rotate journal, rotating.
May 04 23:12:24.288385 osdx systemd-journald[1908]: Vacuuming done, freed 0B of archived journals from /run/log/journal/9e2a66651dea45ed982d8152051049c2.
May 04 23:12:24.298097 osdx OSDxCLI[130064]: User 'admin' executed a new command: 'system journal clear'.
May 04 23:12:24.522817 osdx OSDxCLI[130064]: User 'admin' executed a new command: 'system coredump delete all'.
May 04 23:12:24.760054 osdx OSDxCLI[130064]: User 'admin' entered the configuration menu.
May 04 23:12:24.844173 osdx OSDxCLI[130064]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 04 23:12:24.911492 osdx OSDxCLI[130064]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 04 23:12:25.010675 osdx OSDxCLI[130064]: User 'admin' added a new cfg line: 'show working'.
May 04 23:12:25.072762 osdx ubnt-cfgd[305277]: inactive
May 04 23:12:25.101200 osdx INFO[305283]: FRR daemons did not change
May 04 23:12:25.132282 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 04 23:12:25.177215 osdx WARNING[305352]: No supported link modes on interface eth0
May 04 23:12:25.178535 osdx modulelauncher[305352]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
May 04 23:12:25.178547 osdx modulelauncher[305352]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
May 04 23:12:25.179625 osdx modulelauncher[305352]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
May 04 23:12:25.179632 osdx modulelauncher[305352]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
May 04 23:12:25.211058 osdx cfgd[1648]: [130064]Completed change to active configuration
May 04 23:12:25.221590 osdx OSDxCLI[130064]: User 'admin' committed the configuration.
May 04 23:12:25.237333 osdx OSDxCLI[130064]: User 'admin' left the configuration menu.
May 04 23:12:25.384458 osdx OSDxCLI[130064]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 04 23:12:25.450880 osdx OSDxCLI[130064]: User 'admin' executed a new command: 'system journal show | cat'.
May 04 23:12:25.574714 osdx OSDxCLI[130064]: User 'admin' entered the configuration menu.
May 04 23:12:25.629822 osdx OSDxCLI[130064]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 04 23:12:25.725543 osdx OSDxCLI[130064]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
May 04 23:12:25.777411 osdx OSDxCLI[130064]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWSFCra0tAC4M8HQcfb8nGkLpCVFEy2F3OAfhEXpze8pyNOh1TjRTacK'.
May 04 23:12:25.866346 osdx OSDxCLI[130064]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
May 04 23:12:25.916912 osdx OSDxCLI[130064]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
May 04 23:12:26.022485 osdx OSDxCLI[130064]: User 'admin' added a new cfg line: 'show working'.
May 04 23:12:26.082406 osdx ubnt-cfgd[305449]: inactive
May 04 23:12:26.102044 osdx INFO[305457]: FRR daemons did not change
May 04 23:12:26.114414 osdx ca-certificates[305473]: Updating certificates in /etc/ssl/certs...
May 04 23:12:26.623465 osdx ubnt-cfgd[306485]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
May 04 23:12:26.632033 osdx ca-certificates[306491]: 1 added, 0 removed; done.
May 04 23:12:26.635662 osdx ca-certificates[306497]: Running hooks in /etc/ca-certificates/update.d...
May 04 23:12:26.639095 osdx ca-certificates[306499]: done.
May 04 23:12:26.712549 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 04 23:12:26.714282 osdx cfgd[1648]: [130064]Completed change to active configuration
May 04 23:12:26.716342 osdx OSDxCLI[130064]: User 'admin' committed the configuration.
May 04 23:12:26.731952 osdx dnscrypt-proxy[306503]: [2026-05-04 23:12:26] [NOTICE] dnscrypt-proxy 2.0.45
May 04 23:12:26.732124 osdx dnscrypt-proxy[306503]: [2026-05-04 23:12:26] [NOTICE] Network connectivity detected
May 04 23:12:26.732179 osdx dnscrypt-proxy[306503]: [2026-05-04 23:12:26] [NOTICE] Dropping privileges
May 04 23:12:26.734057 osdx dnscrypt-proxy[306503]: [2026-05-04 23:12:26] [NOTICE] Network connectivity detected
May 04 23:12:26.734087 osdx dnscrypt-proxy[306503]: [2026-05-04 23:12:26] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
May 04 23:12:26.734087 osdx dnscrypt-proxy[306503]: [2026-05-04 23:12:26] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
May 04 23:12:26.735088 osdx dnscrypt-proxy[306503]: [2026-05-04 23:12:26] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-rphjk2rp6xqfkdss.tmp: permission denied
May 04 23:12:26.735088 osdx dnscrypt-proxy[306503]: [2026-05-04 23:12:26] [NOTICE] Source [RD] loaded
May 04 23:12:26.735256 osdx dnscrypt-proxy[306503]: [2026-05-04 23:12:26] [WARNING] Missing stamp for server [PRIVATE-server-name`]
May 04 23:12:26.735275 osdx dnscrypt-proxy[306503]: [2026-05-04 23:12:26] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
May 04 23:12:26.735275 osdx dnscrypt-proxy[306503]: [2026-05-04 23:12:26] [NOTICE] Firefox workaround initialized
May 04 23:12:26.735275 osdx dnscrypt-proxy[306503]: [2026-05-04 23:12:26] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpdm8lk6x3]
May 04 23:12:26.738260 osdx OSDxCLI[130064]: User 'admin' left the configuration menu.
May 04 23:12:26.889465 osdx OSDxCLI[130064]: User 'admin' executed a new command: 'system journal show | cat'.
May 04 23:12:27.218467 osdx dnscrypt-proxy[306503]: [2026-05-04 23:12:27] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 465ms
May 04 23:12:27.218467 osdx dnscrypt-proxy[306503]: [2026-05-04 23:12:27] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 465ms)
May 04 23:12:27.218467 osdx dnscrypt-proxy[306503]: [2026-05-04 23:12:27] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key 0PDRhalAVBFI3vNC1Ak6Nzac
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
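
Added example, not part of the original test suite or of the product's code: a structural check of the three minisign-key values used in the scenarios above, assuming the published minisign public key layout (base64 of a 2-byte algorithm tag "Ed", an 8-byte key id and a 32-byte Ed25519 key). The function names and the PAGE_KEYS table are hypothetical; the check covers key format only and does not verify any signature.

```python
import base64
import binascii
from typing import Dict, Tuple

# Assumed layout of a decoded minisign public key (42 bytes in total):
#   2-byte signature algorithm "Ed" | 8-byte key id | 32-byte Ed25519 key
ALGORITHM = b"Ed"
KEY_ID_LEN = 8
ED25519_KEY_LEN = 32
EXPECTED_LEN = len(ALGORITHM) + KEY_ID_LEN + ED25519_KEY_LEN

# minisign-key values exactly as they appear in the scenarios on this page.
PAGE_KEYS = {
    "Valid Source": "RWSFCra0tAC4M8HQcfb8nGkLpCVFEy2F3OAfhEXpze8pyNOh1TjRTacK",
    "Invalid Source": "0PDRhalAVBFI3vNC1Ak6Nzac",
    "Invalid Minisign Key": "InvalidMinisignKey==",
}


def check_minisign_public_key(encoded: str) -> Tuple[bool, str]:
    """Return (ok, detail) for a base64-encoded minisign public key."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"not valid base64: {exc}"
    if len(raw) != EXPECTED_LEN:
        return False, f"decoded length {len(raw)}, expected {EXPECTED_LEN}"
    if raw[: len(ALGORITHM)] != ALGORITHM:
        return False, f"unsupported signature algorithm {raw[:2]!r}"
    key_id = raw[len(ALGORITHM): len(ALGORITHM) + KEY_ID_LEN]
    return True, f"well-formed, key id bytes {key_id.hex()}"


def classify_page_keys() -> Dict[str, bool]:
    """Map each scenario name to whether its key is structurally valid."""
    return {name: check_minisign_public_key(key)[0]
            for name, key in PAGE_KEYS.items()}


if __name__ == "__main__":
    for name, key in PAGE_KEYS.items():
        ok, detail = check_minisign_public_key(key)
        print(f"{name:22} {'OK  ' if ok else 'FAIL'} {detail}")
```

Both failing scenarios use keys that are already malformed at this level, so a well-formed key belonging to a different signer would be needed to exercise the signature comparison itself.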