Source

Test suite that validates the use of one or more ciphers to protect the DoH connection.

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key RWRxiSJ82PPbHuDfI6UjSwsIQaPzxC9oLfq6T6ybtos04MRkIfwJfS+u
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expression:

(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Jun 04 19:38:57.342301 osdx systemd-journald[172397]: Runtime Journal (/run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4) is 1.8M, max 13.8M, 11.9M free.
Jun 04 19:38:57.343932 osdx systemd-journald[172397]: Received client request to rotate journal, rotating.
Jun 04 19:38:57.344014 osdx systemd-journald[172397]: Vacuuming done, freed 0B of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Jun 04 19:38:57.353383 osdx OSDxCLI[937600]: User 'admin' executed a new command: 'system journal clear'.
Jun 04 19:38:57.596990 osdx OSDxCLI[937600]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 04 19:38:57.848309 osdx OSDxCLI[937600]: User 'admin' entered the configuration menu.
Jun 04 19:38:57.950606 osdx OSDxCLI[937600]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 04 19:38:58.031106 osdx OSDxCLI[937600]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 04 19:38:58.143362 osdx OSDxCLI[937600]: User 'admin' added a new cfg line: 'show working'.
Jun 04 19:38:58.205146 osdx ubnt-cfgd[1003312]: inactive
Jun 04 19:38:58.227697 osdx INFO[1003318]: FRR daemons did not change
Jun 04 19:38:58.260021 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 04 19:38:58.307254 osdx WARNING[1003387]: No supported link modes on interface eth0
Jun 04 19:38:58.309093 osdx modulelauncher[1003387]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Jun 04 19:38:58.309107 osdx modulelauncher[1003387]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Jun 04 19:38:58.310360 osdx modulelauncher[1003387]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Jun 04 19:38:58.310371 osdx modulelauncher[1003387]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Jun 04 19:38:58.351089 osdx cfgd[1850]: [937600]Completed change to active configuration
Jun 04 19:38:58.366938 osdx OSDxCLI[937600]: User 'admin' committed the configuration.
Jun 04 19:38:58.402625 osdx OSDxCLI[937600]: User 'admin' left the configuration menu.
Jun 04 19:38:58.554223 osdx OSDxCLI[937600]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 04 19:38:58.628796 osdx OSDxCLI[937600]: User 'admin' executed a new command: 'system journal show | cat'.
Jun 04 19:38:58.802942 osdx OSDxCLI[937600]: User 'admin' entered the configuration menu.
Jun 04 19:38:58.861161 osdx OSDxCLI[937600]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jun 04 19:38:58.961793 osdx OSDxCLI[937600]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jun 04 19:38:59.024696 osdx OSDxCLI[937600]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWRxiSJ82PPbHuDfI6UjSwsIQaPzxC9oLfq6T6ybtos04MRkIfwJfS+u'.
Jun 04 19:38:59.117009 osdx OSDxCLI[937600]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Jun 04 19:38:59.180618 osdx OSDxCLI[937600]: User 'admin' added a new cfg line: 'show working'.
Jun 04 19:38:59.285244 osdx ubnt-cfgd[1003482]: inactive
Jun 04 19:38:59.303321 osdx INFO[1003490]: FRR daemons did not change
Jun 04 19:38:59.315467 osdx ca-certificates[1003506]: Updating certificates in /etc/ssl/certs...
Jun 04 19:38:59.832510 osdx ubnt-cfgd[1004518]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Jun 04 19:38:59.840267 osdx ca-certificates[1004523]: 1 added, 0 removed; done.
Jun 04 19:38:59.843201 osdx ca-certificates[1004530]: Running hooks in /etc/ca-certificates/update.d...
Jun 04 19:38:59.845925 osdx ca-certificates[1004532]: done.
Jun 04 19:38:59.904299 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jun 04 19:38:59.905669 osdx cfgd[1850]: [937600]Completed change to active configuration
Jun 04 19:38:59.907712 osdx OSDxCLI[937600]: User 'admin' committed the configuration.
Jun 04 19:38:59.924091 osdx OSDxCLI[937600]: User 'admin' left the configuration menu.
Jun 04 19:38:59.925145 osdx dnscrypt-proxy[1004536]: [2026-06-04 19:38:59] [NOTICE] dnscrypt-proxy 2.0.45
Jun 04 19:38:59.925352 osdx dnscrypt-proxy[1004536]: [2026-06-04 19:38:59] [NOTICE] Network connectivity detected
Jun 04 19:38:59.925509 osdx dnscrypt-proxy[1004536]: [2026-06-04 19:38:59] [NOTICE] Dropping privileges
Jun 04 19:38:59.928305 osdx dnscrypt-proxy[1004536]: [2026-06-04 19:38:59] [NOTICE] Network connectivity detected
Jun 04 19:38:59.928374 osdx dnscrypt-proxy[1004536]: [2026-06-04 19:38:59] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jun 04 19:38:59.928374 osdx dnscrypt-proxy[1004536]: [2026-06-04 19:38:59] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jun 04 19:38:59.929640 osdx dnscrypt-proxy[1004536]: [2026-06-04 19:38:59] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-hmb2l5lvhrga5ndh.tmp: permission denied
Jun 04 19:38:59.929640 osdx dnscrypt-proxy[1004536]: [2026-06-04 19:38:59] [NOTICE] Source [RD] loaded
Jun 04 19:38:59.929732 osdx dnscrypt-proxy[1004536]: [2026-06-04 19:38:59] [WARNING] Missing stamp for server [server-name`]
Jun 04 19:38:59.929732 osdx dnscrypt-proxy[1004536]: [2026-06-04 19:38:59] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Jun 04 19:38:59.929732 osdx dnscrypt-proxy[1004536]: [2026-06-04 19:38:59] [NOTICE] Firefox workaround initialized
Jun 04 19:38:59.929732 osdx dnscrypt-proxy[1004536]: [2026-06-04 19:38:59] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpf74omi18]
Jun 04 19:39:00.060753 osdx dnscrypt-proxy[1004536]: [2026-06-04 19:39:00] [NOTICE] [rd-server] OK (DoH) - rtt: 113ms
Jun 04 19:39:00.060753 osdx dnscrypt-proxy[1004536]: [2026-06-04 19:39:00] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 113ms)
Jun 04 19:39:00.060753 osdx dnscrypt-proxy[1004536]: [2026-06-04 19:39:00] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server-name PRIVATE-rd-server
set service dns proxy source RD minisign-key RWRxiSJ82PPbHuDfI6UjSwsIQaPzxC9oLfq6T6ybtos04MRkIfwJfS+u
set service dns proxy source RD prefix PRIVATE-
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expression:

(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
Jun 04 19:39:05.332740 osdx systemd-journald[172397]: Runtime Journal (/run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4) is 1.8M, max 13.8M, 11.9M free.
Jun 04 19:39:05.333447 osdx systemd-journald[172397]: Received client request to rotate journal, rotating.
Jun 04 19:39:05.333487 osdx systemd-journald[172397]: Vacuuming done, freed 0B of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Jun 04 19:39:05.344329 osdx OSDxCLI[937600]: User 'admin' executed a new command: 'system journal clear'.
Jun 04 19:39:05.588612 osdx OSDxCLI[937600]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 04 19:39:05.863291 osdx OSDxCLI[937600]: User 'admin' entered the configuration menu.
Jun 04 19:39:05.947254 osdx OSDxCLI[937600]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 04 19:39:06.015564 osdx OSDxCLI[937600]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 04 19:39:06.107831 osdx OSDxCLI[937600]: User 'admin' added a new cfg line: 'show working'.
Jun 04 19:39:06.171542 osdx ubnt-cfgd[1006228]: inactive
Jun 04 19:39:06.189437 osdx INFO[1006234]: FRR daemons did not change
Jun 04 19:39:06.221121 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 04 19:39:06.264389 osdx WARNING[1006303]: No supported link modes on interface eth0
Jun 04 19:39:06.265850 osdx modulelauncher[1006303]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Jun 04 19:39:06.265863 osdx modulelauncher[1006303]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Jun 04 19:39:06.267022 osdx modulelauncher[1006303]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Jun 04 19:39:06.267031 osdx modulelauncher[1006303]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Jun 04 19:39:06.302577 osdx cfgd[1850]: [937600]Completed change to active configuration
Jun 04 19:39:06.316818 osdx OSDxCLI[937600]: User 'admin' committed the configuration.
Jun 04 19:39:06.335878 osdx OSDxCLI[937600]: User 'admin' left the configuration menu.
Jun 04 19:39:06.491219 osdx OSDxCLI[937600]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 04 19:39:06.564879 osdx OSDxCLI[937600]: User 'admin' executed a new command: 'system journal show | cat'.
Jun 04 19:39:06.814720 osdx OSDxCLI[937600]: User 'admin' entered the configuration menu.
Jun 04 19:39:06.874254 osdx OSDxCLI[937600]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jun 04 19:39:06.990851 osdx OSDxCLI[937600]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jun 04 19:39:07.071599 osdx OSDxCLI[937600]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key RWRxiSJ82PPbHuDfI6UjSwsIQaPzxC9oLfq6T6ybtos04MRkIfwJfS+u'.
Jun 04 19:39:07.126064 osdx OSDxCLI[937600]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Jun 04 19:39:07.255437 osdx OSDxCLI[937600]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Jun 04 19:39:07.358001 osdx OSDxCLI[937600]: User 'admin' added a new cfg line: 'show working'.
Jun 04 19:39:07.442780 osdx ubnt-cfgd[1006399]: inactive
Jun 04 19:39:07.466091 osdx INFO[1006407]: FRR daemons did not change
Jun 04 19:39:07.478703 osdx ca-certificates[1006423]: Updating certificates in /etc/ssl/certs...
Jun 04 19:39:08.086689 osdx ubnt-cfgd[1007435]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Jun 04 19:39:08.096923 osdx ca-certificates[1007440]: 1 added, 0 removed; done.
Jun 04 19:39:08.100171 osdx ca-certificates[1007447]: Running hooks in /etc/ca-certificates/update.d...
Jun 04 19:39:08.103906 osdx ca-certificates[1007449]: done.
Jun 04 19:39:08.177531 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jun 04 19:39:08.179148 osdx cfgd[1850]: [937600]Completed change to active configuration
Jun 04 19:39:08.181863 osdx OSDxCLI[937600]: User 'admin' committed the configuration.
Jun 04 19:39:08.196312 osdx dnscrypt-proxy[1007453]: [2026-06-04 19:39:08] [NOTICE] dnscrypt-proxy 2.0.45
Jun 04 19:39:08.196521 osdx dnscrypt-proxy[1007453]: [2026-06-04 19:39:08] [NOTICE] Network connectivity detected
Jun 04 19:39:08.196628 osdx dnscrypt-proxy[1007453]: [2026-06-04 19:39:08] [NOTICE] Dropping privileges
Jun 04 19:39:08.198994 osdx dnscrypt-proxy[1007453]: [2026-06-04 19:39:08] [NOTICE] Network connectivity detected
Jun 04 19:39:08.199043 osdx dnscrypt-proxy[1007453]: [2026-06-04 19:39:08] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jun 04 19:39:08.199043 osdx dnscrypt-proxy[1007453]: [2026-06-04 19:39:08] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jun 04 19:39:08.200444 osdx dnscrypt-proxy[1007453]: [2026-06-04 19:39:08] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-fqfmeed2ctkmll7s.tmp: permission denied
Jun 04 19:39:08.200444 osdx dnscrypt-proxy[1007453]: [2026-06-04 19:39:08] [NOTICE] Source [RD] loaded
Jun 04 19:39:08.200523 osdx dnscrypt-proxy[1007453]: [2026-06-04 19:39:08] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Jun 04 19:39:08.200523 osdx dnscrypt-proxy[1007453]: [2026-06-04 19:39:08] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Jun 04 19:39:08.200523 osdx dnscrypt-proxy[1007453]: [2026-06-04 19:39:08] [NOTICE] Firefox workaround initialized
Jun 04 19:39:08.200523 osdx dnscrypt-proxy[1007453]: [2026-06-04 19:39:08] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpn69szoo6]
Jun 04 19:39:08.216879 osdx OSDxCLI[937600]: User 'admin' left the configuration menu.
Jun 04 19:39:08.337970 osdx dnscrypt-proxy[1007453]: [2026-06-04 19:39:08] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 119ms
Jun 04 19:39:08.337970 osdx dnscrypt-proxy[1007453]: [2026-06-04 19:39:08] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 119ms)
Jun 04 19:39:08.337970 osdx dnscrypt-proxy[1007453]: [2026-06-04 19:39:08] [NOTICE] dnscrypt-proxy is ready - live servers: 1
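
The effect of the prefix, as an added example (not code from this test suite or from dnscrypt-proxy): a simplified Python model of a resolver list in the "## name" / "sdns://" stamp layout. It shows that the prefix is applied to every entry name, including an entry reported as missing its stamp (as in the journal above), and that it keeps two sources with identical entry names from colliding. The list text, the stamp placeholder and the function names are constructed for illustration.

```python
"""Simplified model of how a prefixed resolver source yields server names."""

# Constructed source list; the stamp value is a placeholder, not a real stamp.
SAMPLE_LIST = """\
# RD resolvers (constructed sample)

## rd-server
Private DoH resolver
sdns://PLACEHOLDER-STAMP-A

## backup-server
Entry with no stamp line
"""


def parse_source(text, prefix=""):
    """Return ({name: stamp}, [names missing a stamp]); names carry the prefix."""
    servers, missing = {}, []
    # Everything before the first "## " heading is the list header.
    for part in text.split("## ")[1:]:
        lines = [ln.strip() for ln in part.strip().splitlines()]
        if not lines or not lines[0]:
            raise ValueError("invalid source format: entry without a name")
        name = prefix + lines[0]              # prefix is applied before any check
        stamps = [ln for ln in lines[1:] if ln.startswith("sdns:") and len(ln) >= 6]
        if not stamps:
            missing.append(name)              # warned about, then skipped
            continue
        servers[name] = stamps[0]
    return servers, missing


def merge_sources(sources):
    """sources: [(text, prefix)]. Return (merged servers, names defined twice)."""
    merged, collisions = {}, []
    for text, prefix in sources:
        servers, _ = parse_source(text, prefix)
        for name, stamp in servers.items():
            if name in merged:
                collisions.append(name)       # same name offered by two sources
            merged[name] = stamp
    return merged, collisions


if __name__ == "__main__":
    print(parse_source(SAMPLE_LIST, "PRIVATE-"))
    print(merge_sources([(SAMPLE_LIST, ""), (SAMPLE_LIST, "PRIVATE-")]))
```

With the prefix set, the configured server-name has to carry the prefix as well, which is why the scenario above selects PRIVATE-rd-server rather than rd-server.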

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key vastfbx3cO42rswoknEVyg2W
set service dns proxy source RD url 'http://10.215.168.1/~robot/invalid-source'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name rd-server
set service dns proxy source RD minisign-key InvalidMinisignKey==
set service dns proxy source RD url 'http://10.215.168.1/~robot/RD-resolver.md'
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
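
A structural check of the three minisign key strings used in the scenarios on this page, as an added example (not part of the test suite or of the device software). It assumes the minisign public-key encoding: base64 of a 2-byte algorithm tag "Ed", an 8-byte key id and a 32-byte Ed25519 public key. Function names are illustrative.

```python
import base64
import binascii

MINISIGN_ALG = b"Ed"              # algorithm tag of an Ed25519 minisign key
KEY_ID_LEN, PUBKEY_LEN = 8, 32


def parse_minisign_pubkey(encoded):
    """Decode a minisign public key string; raise ValueError if malformed."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    expected = len(MINISIGN_ALG) + KEY_ID_LEN + PUBKEY_LEN   # 42 bytes
    if len(raw) != expected:
        raise ValueError(f"decoded length {len(raw)}, expected {expected}")
    if raw[:2] != MINISIGN_ALG:
        raise ValueError(f"unexpected algorithm tag {raw[:2]!r}")
    return {"key_id": raw[2:10], "public_key": raw[10:]}


def check_keys(keys):
    """Map each candidate key string to 'ok' or the reason it was rejected."""
    report = {}
    for key in keys:
        try:
            parse_minisign_pubkey(key)
            report[key] = "ok"
        except ValueError as exc:
            report[key] = str(exc)
    return report


# Key strings taken from the scenarios on this page.
PAGE_KEYS = [
    "RWRxiSJ82PPbHuDfI6UjSwsIQaPzxC9oLfq6T6ybtos04MRkIfwJfS+u",  # valid source
    "vastfbx3cO42rswoknEVyg2W",                                  # invalid source
    "InvalidMinisignKey==",                                      # invalid key
]

if __name__ == "__main__":
    for key, verdict in check_keys(PAGE_KEYS).items():
        print(f"{key[:16]:<16}  {verdict}")
```

Both failing keys on this page are rejected at this structural stage. A well-formed key belonging to a different signer would pass this check and fail only at signature verification, which this sketch does not perform.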