Cipher
Test suite to validate the use of one or multiple ciphers to protect the DoH connection.
Single Valid Cipher
Description
Configures a single, valid cipher and tries to communicate with the server. No refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
May 13 16:27:10.293188 osdx systemd-journald[27261]: Runtime Journal (/run/log/journal/29acf74054db4c3a94b562797c4c13a9) is 2.0M, max 15.3M, 13.2M free.
May 13 16:27:10.295482 osdx systemd-journald[27261]: Received client request to rotate journal, rotating.
May 13 16:27:10.295550 osdx systemd-journald[27261]: Vacuuming done, freed 0B of archived journals from /run/log/journal/29acf74054db4c3a94b562797c4c13a9.
May 13 16:27:10.303774 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'system journal clear'.
May 13 16:27:10.649083 osdx osdx-coredump[139563]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 13 16:27:10.657674 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'system coredump delete all'.
May 13 16:27:11.185118 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu.
May 13 16:27:11.317687 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 13 16:27:11.380165 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 13 16:27:11.493241 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'.
May 13 16:27:11.563753 osdx ubnt-cfgd[139581]: inactive
May 13 16:27:11.589740 osdx INFO[139589]: FRR daemons did not change
May 13 16:27:11.696200 osdx cfgd[1470]: [30995]Completed change to active configuration
May 13 16:27:11.710072 osdx OSDxCLI[30995]: User 'admin' committed the configuration.
May 13 16:27:11.726354 osdx OSDxCLI[30995]: User 'admin' left the configuration menu.
May 13 16:27:11.888736 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 13 16:27:12.062240 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu.
May 13 16:27:12.124070 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 13 16:27:12.225573 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 13 16:27:12.292336 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 13 16:27:12.378365 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 13 16:27:12.441652 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'.
May 13 16:27:12.540205 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
May 13 16:27:12.592967 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 13 16:27:12.698015 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 13 16:27:12.752899 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 13 16:27:12.875125 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'.
May 13 16:27:12.945067 osdx ubnt-cfgd[139750]: inactive
May 13 16:27:12.970920 osdx INFO[139758]: FRR daemons did not change
May 13 16:27:12.984556 osdx ca-certificates[139773]: Updating certificates in /etc/ssl/certs...
May 13 16:27:13.506560 osdx ca-certificates[140778]: 1 added, 0 removed; done.
May 13 16:27:13.509778 osdx ca-certificates[140784]: Running hooks in /etc/ca-certificates/update.d...
May 13 16:27:13.512548 osdx ca-certificates[140786]: done.
May 13 16:27:13.579808 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 13 16:27:13.581082 osdx cfgd[1470]: [30995]Completed change to active configuration
May 13 16:27:13.583448 osdx OSDxCLI[30995]: User 'admin' committed the configuration.
May 13 16:27:13.602014 osdx dnscrypt-proxy[140790]: dnscrypt-proxy 2.0.45
May 13 16:27:13.602087 osdx dnscrypt-proxy[140790]: Network connectivity detected
May 13 16:27:13.602338 osdx dnscrypt-proxy[140790]: Dropping privileges
May 13 16:27:13.604938 osdx dnscrypt-proxy[140790]: Network connectivity detected
May 13 16:27:13.604971 osdx dnscrypt-proxy[140790]: Now listening to 127.0.0.1:53 [UDP]
May 13 16:27:13.604977 osdx dnscrypt-proxy[140790]: Now listening to 127.0.0.1:53 [TCP]
May 13 16:27:13.605004 osdx dnscrypt-proxy[140790]: Firefox workaround initialized
May 13 16:27:13.605009 osdx dnscrypt-proxy[140790]: Loading the set of cloaking rules from [/tmp/tmp28rwkgb8]
May 13 16:27:13.615721 osdx OSDxCLI[30995]: User 'admin' left the configuration menu.
May 13 16:27:13.752496 osdx dnscrypt-proxy[140790]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
May 13 16:27:13.752519 osdx dnscrypt-proxy[140790]: [RD] OK (DoH) - rtt: 115ms
May 13 16:27:13.752530 osdx dnscrypt-proxy[140790]: Server with the lowest initial latency: RD (rtt: 115ms)
May 13 16:27:13.752537 osdx dnscrypt-proxy[140790]: dnscrypt-proxy is ready - live servers: 1
May 13 16:27:13.792026 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Multiple Valid Cipher
Description
Configures a valid cipher each time, and tries to communicate with the server. No refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
May 13 16:27:21.339057 osdx systemd-journald[27261]: Runtime Journal (/run/log/journal/29acf74054db4c3a94b562797c4c13a9) is 2.0M, max 15.3M, 13.3M free.
May 13 16:27:21.340320 osdx systemd-journald[27261]: Received client request to rotate journal, rotating.
May 13 16:27:21.340379 osdx systemd-journald[27261]: Vacuuming done, freed 0B of archived journals from /run/log/journal/29acf74054db4c3a94b562797c4c13a9.
May 13 16:27:21.348393 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'system journal clear'.
May 13 16:27:21.704168 osdx osdx-coredump[142465]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 13 16:27:21.711488 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'system coredump delete all'.
May 13 16:27:22.201352 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu.
May 13 16:27:22.279665 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 13 16:27:22.390141 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 13 16:27:22.458064 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'.
May 13 16:27:22.552491 osdx ubnt-cfgd[142483]: inactive
May 13 16:27:22.575440 osdx INFO[142491]: FRR daemons did not change
May 13 16:27:22.678111 osdx cfgd[1470]: [30995]Completed change to active configuration
May 13 16:27:22.689486 osdx OSDxCLI[30995]: User 'admin' committed the configuration.
May 13 16:27:22.715670 osdx OSDxCLI[30995]: User 'admin' left the configuration menu.
May 13 16:27:22.866076 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 13 16:27:23.042140 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu.
May 13 16:27:23.114030 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 13 16:27:23.201632 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 13 16:27:23.269235 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 13 16:27:23.353815 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 13 16:27:23.422437 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'.
May 13 16:27:23.521723 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
May 13 16:27:23.576805 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 13 16:27:23.703786 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 13 16:27:23.769602 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 13 16:27:23.903533 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'.
May 13 16:27:23.985932 osdx ubnt-cfgd[142652]: inactive
May 13 16:27:24.009370 osdx INFO[142660]: FRR daemons did not change
May 13 16:27:24.022082 osdx ca-certificates[142676]: Updating certificates in /etc/ssl/certs...
May 13 16:27:24.536272 osdx ca-certificates[143679]: 1 added, 0 removed; done.
May 13 16:27:24.539411 osdx ca-certificates[143686]: Running hooks in /etc/ca-certificates/update.d...
May 13 16:27:24.543109 osdx ca-certificates[143688]: done.
May 13 16:27:24.624840 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 13 16:27:24.627012 osdx cfgd[1470]: [30995]Completed change to active configuration
May 13 16:27:24.629960 osdx OSDxCLI[30995]: User 'admin' committed the configuration.
May 13 16:27:24.648001 osdx dnscrypt-proxy[143692]: dnscrypt-proxy 2.0.45
May 13 16:27:24.648345 osdx dnscrypt-proxy[143692]: Network connectivity detected
May 13 16:27:24.648549 osdx OSDxCLI[30995]: User 'admin' left the configuration menu.
May 13 16:27:24.648924 osdx dnscrypt-proxy[143692]: Dropping privileges
May 13 16:27:24.651570 osdx dnscrypt-proxy[143692]: Network connectivity detected
May 13 16:27:24.651601 osdx dnscrypt-proxy[143692]: Now listening to 127.0.0.1:53 [UDP]
May 13 16:27:24.651606 osdx dnscrypt-proxy[143692]: Now listening to 127.0.0.1:53 [TCP]
May 13 16:27:24.651629 osdx dnscrypt-proxy[143692]: Firefox workaround initialized
May 13 16:27:24.651634 osdx dnscrypt-proxy[143692]: Loading the set of cloaking rules from [/tmp/tmpixbjq5e5]
May 13 16:27:24.795987 osdx dnscrypt-proxy[143692]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
May 13 16:27:24.796003 osdx dnscrypt-proxy[143692]: [RD] OK (DoH) - rtt: 121ms
May 13 16:27:24.796013 osdx dnscrypt-proxy[143692]: Server with the lowest initial latency: RD (rtt: 121ms)
May 13 16:27:24.796019 osdx dnscrypt-proxy[143692]: dnscrypt-proxy is ready - live servers: 1
May 13 16:27:24.814070 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 2
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
Output:
May 13 16:27:25.022011 osdx systemd-journald[27261]: Runtime Journal (/run/log/journal/29acf74054db4c3a94b562797c4c13a9) is 2.0M, max 15.3M, 13.3M free.
May 13 16:27:25.024319 osdx systemd-journald[27261]: Received client request to rotate journal, rotating.
May 13 16:27:25.024378 osdx systemd-journald[27261]: Vacuuming done, freed 0B of archived journals from /run/log/journal/29acf74054db4c3a94b562797c4c13a9.
May 13 16:27:25.031687 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'system journal clear'.
May 13 16:27:25.338675 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu.
May 13 16:27:25.409005 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'delete '.
May 13 16:27:25.552363 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
May 13 16:27:25.620735 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'.
May 13 16:27:25.731679 osdx ubnt-cfgd[143745]: inactive
May 13 16:27:25.751875 osdx dnscrypt-proxy[143692]: Stopped.
May 13 16:27:25.751925 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
May 13 16:27:25.752771 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
May 13 16:27:25.752869 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
May 13 16:27:25.831043 osdx ca-certificates[143831]: Clearing symlinks in /etc/ssl/certs...
May 13 16:27:26.100898 osdx ca-certificates[144401]: done.
May 13 16:27:26.104602 osdx ca-certificates[144408]: Updating certificates in /etc/ssl/certs...
May 13 16:27:26.536549 osdx ca-certificates[145260]: 140 added, 0 removed; done.
May 13 16:27:26.539455 osdx ca-certificates[145267]: Running hooks in /etc/ca-certificates/update.d...
May 13 16:27:26.542432 osdx ca-certificates[145269]: done.
May 13 16:27:26.556400 osdx INFO[145272]: FRR daemons did not change
May 13 16:27:26.556719 osdx cfgd[1470]: [30995]Completed change to active configuration
May 13 16:27:26.559060 osdx OSDxCLI[30995]: User 'admin' committed the configuration.
May 13 16:27:26.577391 osdx OSDxCLI[30995]: User 'admin' left the configuration menu.
May 13 16:27:27.853576 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu.
May 13 16:27:27.913459 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 13 16:27:28.012978 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 13 16:27:28.076841 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 13 16:27:28.170281 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 13 16:27:28.231946 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'.
May 13 16:27:28.343665 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
May 13 16:27:28.416031 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 13 16:27:28.542687 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 13 16:27:28.604788 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 13 16:27:28.738952 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'.
May 13 16:27:28.805026 osdx ubnt-cfgd[145306]: inactive
May 13 16:27:28.827154 osdx INFO[145316]: FRR daemons did not change
May 13 16:27:28.839381 osdx ca-certificates[145331]: Updating certificates in /etc/ssl/certs...
May 13 16:27:29.367419 osdx ca-certificates[146336]: 1 added, 0 removed; done.
May 13 16:27:29.370281 osdx ca-certificates[146342]: Running hooks in /etc/ca-certificates/update.d...
May 13 16:27:29.373140 osdx ca-certificates[146344]: done.
May 13 16:27:29.560619 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 13 16:27:29.562383 osdx cfgd[1470]: [30995]Completed change to active configuration
May 13 16:27:29.575085 osdx OSDxCLI[30995]: User 'admin' committed the configuration.
May 13 16:27:29.588856 osdx dnscrypt-proxy[146454]: dnscrypt-proxy 2.0.45
May 13 16:27:29.589222 osdx dnscrypt-proxy[146454]: Network connectivity detected
May 13 16:27:29.589516 osdx dnscrypt-proxy[146454]: Dropping privileges
May 13 16:27:29.592238 osdx dnscrypt-proxy[146454]: Network connectivity detected
May 13 16:27:29.592279 osdx dnscrypt-proxy[146454]: Now listening to 127.0.0.1:53 [UDP]
May 13 16:27:29.592285 osdx dnscrypt-proxy[146454]: Now listening to 127.0.0.1:53 [TCP]
May 13 16:27:29.592412 osdx dnscrypt-proxy[146454]: Firefox workaround initialized
May 13 16:27:29.592417 osdx dnscrypt-proxy[146454]: Loading the set of cloaking rules from [/tmp/tmphbxswkip]
May 13 16:27:29.597911 osdx OSDxCLI[30995]: User 'admin' left the configuration menu.
May 13 16:27:29.764009 osdx dnscrypt-proxy[146454]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
May 13 16:27:29.764033 osdx dnscrypt-proxy[146454]: [RD] OK (DoH) - rtt: 135ms
May 13 16:27:29.764044 osdx dnscrypt-proxy[146454]: Server with the lowest initial latency: RD (rtt: 135ms)
May 13 16:27:29.764050 osdx dnscrypt-proxy[146454]: dnscrypt-proxy is ready - live servers: 1
May 13 16:27:34.766332 osdx OSDxCLI[30995]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
May 13 16:27:36.861648 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 3
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Output:
May 13 16:27:37.094557 osdx systemd-journald[27261]: Runtime Journal (/run/log/journal/29acf74054db4c3a94b562797c4c13a9) is 2.0M, max 15.3M, 13.3M free.
May 13 16:27:37.096314 osdx systemd-journald[27261]: Received client request to rotate journal, rotating.
May 13 16:27:37.096362 osdx systemd-journald[27261]: Vacuuming done, freed 0B of archived journals from /run/log/journal/29acf74054db4c3a94b562797c4c13a9.
May 13 16:27:37.106571 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'system journal clear'.
May 13 16:27:37.478067 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu.
May 13 16:27:37.537429 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'delete '.
May 13 16:27:37.654598 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
May 13 16:27:37.735360 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'.
May 13 16:27:37.852462 osdx ubnt-cfgd[146530]: inactive
May 13 16:27:37.873910 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
May 13 16:27:37.874075 osdx dnscrypt-proxy[146454]: Stopped.
May 13 16:27:37.875137 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
May 13 16:27:37.875254 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
May 13 16:27:37.958132 osdx ca-certificates[146617]: Clearing symlinks in /etc/ssl/certs...
May 13 16:27:38.220245 osdx ca-certificates[147186]: done.
May 13 16:27:38.224125 osdx ca-certificates[147195]: Updating certificates in /etc/ssl/certs...
May 13 16:27:38.686971 osdx ca-certificates[148046]: 140 added, 0 removed; done.
May 13 16:27:38.689853 osdx ca-certificates[148053]: Running hooks in /etc/ca-certificates/update.d...
May 13 16:27:38.692655 osdx ca-certificates[148055]: done.
May 13 16:27:38.707741 osdx INFO[148058]: FRR daemons did not change
May 13 16:27:38.708056 osdx cfgd[1470]: [30995]Completed change to active configuration
May 13 16:27:38.710790 osdx OSDxCLI[30995]: User 'admin' committed the configuration.
May 13 16:27:38.729324 osdx OSDxCLI[30995]: User 'admin' left the configuration menu.
May 13 16:27:40.020139 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu.
May 13 16:27:40.093392 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 13 16:27:40.204924 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 13 16:27:40.309060 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 13 16:27:40.411074 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 13 16:27:40.473287 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'.
May 13 16:27:40.566072 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
May 13 16:27:40.620114 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 13 16:27:40.732435 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 13 16:27:40.796285 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 13 16:27:40.911766 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'.
May 13 16:27:40.996141 osdx ubnt-cfgd[148092]: inactive
May 13 16:27:41.020194 osdx INFO[148102]: FRR daemons did not change
May 13 16:27:41.033036 osdx ca-certificates[148118]: Updating certificates in /etc/ssl/certs...
May 13 16:27:41.565852 osdx ca-certificates[149122]: 1 added, 0 removed; done.
May 13 16:27:41.568851 osdx ca-certificates[149128]: Running hooks in /etc/ca-certificates/update.d...
May 13 16:27:41.571867 osdx ca-certificates[149130]: done.
May 13 16:27:41.768719 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 13 16:27:41.770227 osdx cfgd[1470]: [30995]Completed change to active configuration
May 13 16:27:41.782117 osdx OSDxCLI[30995]: User 'admin' committed the configuration.
May 13 16:27:41.801454 osdx OSDxCLI[30995]: User 'admin' left the configuration menu.
May 13 16:27:41.802974 osdx dnscrypt-proxy[149240]: dnscrypt-proxy 2.0.45
May 13 16:27:41.803052 osdx dnscrypt-proxy[149240]: Network connectivity detected
May 13 16:27:41.804022 osdx dnscrypt-proxy[149240]: Dropping privileges
May 13 16:27:41.806726 osdx dnscrypt-proxy[149240]: Network connectivity detected
May 13 16:27:41.806755 osdx dnscrypt-proxy[149240]: Now listening to 127.0.0.1:53 [UDP]
May 13 16:27:41.806759 osdx dnscrypt-proxy[149240]: Now listening to 127.0.0.1:53 [TCP]
May 13 16:27:41.806781 osdx dnscrypt-proxy[149240]: Firefox workaround initialized
May 13 16:27:41.806785 osdx dnscrypt-proxy[149240]: Loading the set of cloaking rules from [/tmp/tmp0qqp2e0s]
May 13 16:27:41.961155 osdx dnscrypt-proxy[149240]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
May 13 16:27:41.961170 osdx dnscrypt-proxy[149240]: [RD] OK (DoH) - rtt: 125ms
May 13 16:27:41.961177 osdx dnscrypt-proxy[149240]: Server with the lowest initial latency: RD (rtt: 125ms)
May 13 16:27:41.961181 osdx dnscrypt-proxy[149240]: dnscrypt-proxy is ready - live servers: 1
May 13 16:27:46.962821 osdx OSDxCLI[30995]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
May 13 16:27:49.066999 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Single Invalid Cipher
Description
Configures a single, invalid cipher and tries to communicate with the server. A refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
May 13 16:27:56.000486 osdx systemd-timedated[150928]: Changed local time to Tue 2025-05-13 16:27:56 UTC
May 13 16:27:56.002643 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'set date 2025-05-13 16:27:56'.
May 13 16:27:56.003111 osdx systemd-journald[27261]: Time jumped backwards, rotating.
May 13 16:27:56.389338 osdx systemd-journald[27261]: Runtime Journal (/run/log/journal/29acf74054db4c3a94b562797c4c13a9) is 2.0M, max 15.3M, 13.3M free.
May 13 16:27:56.391102 osdx systemd-journald[27261]: Received client request to rotate journal, rotating.
May 13 16:27:56.391178 osdx systemd-journald[27261]: Vacuuming done, freed 0B of archived journals from /run/log/journal/29acf74054db4c3a94b562797c4c13a9.
May 13 16:27:56.400919 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'system journal clear'.
May 13 16:27:56.758623 osdx osdx-coredump[150946]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 13 16:27:56.769372 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'system coredump delete all'.
May 13 16:27:57.290382 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu.
May 13 16:27:57.419470 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 13 16:27:57.487552 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 13 16:27:57.648914 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'.
May 13 16:27:57.709817 osdx ubnt-cfgd[150964]: inactive
May 13 16:27:57.730136 osdx INFO[150972]: FRR daemons did not change
May 13 16:27:57.829141 osdx cfgd[1470]: [30995]Completed change to active configuration
May 13 16:27:57.840063 osdx OSDxCLI[30995]: User 'admin' committed the configuration.
May 13 16:27:57.856524 osdx OSDxCLI[30995]: User 'admin' left the configuration menu.
May 13 16:27:58.004653 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 13 16:27:58.210913 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu.
May 13 16:27:58.286235 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 13 16:27:58.375022 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 13 16:27:58.441672 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 13 16:27:58.538735 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 13 16:27:58.638318 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'.
May 13 16:27:58.694202 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
May 13 16:27:58.789913 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 13 16:27:58.863632 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 13 16:27:58.948865 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 13 16:27:59.026856 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'.
May 13 16:27:59.134981 osdx ubnt-cfgd[151133]: inactive
May 13 16:27:59.158568 osdx INFO[151141]: FRR daemons did not change
May 13 16:27:59.172676 osdx ca-certificates[151157]: Updating certificates in /etc/ssl/certs...
May 13 16:27:59.695587 osdx ca-certificates[152160]: 1 added, 0 removed; done.
May 13 16:27:59.698510 osdx ca-certificates[152167]: Running hooks in /etc/ca-certificates/update.d...
May 13 16:27:59.701490 osdx ca-certificates[152169]: done.
May 13 16:27:59.771474 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 13 16:27:59.772715 osdx cfgd[1470]: [30995]Completed change to active configuration
May 13 16:27:59.779019 osdx OSDxCLI[30995]: User 'admin' committed the configuration.
May 13 16:27:59.808106 osdx dnscrypt-proxy[152173]: dnscrypt-proxy 2.0.45
May 13 16:27:59.808220 osdx dnscrypt-proxy[152173]: Network connectivity detected
May 13 16:27:59.808526 osdx OSDxCLI[30995]: User 'admin' left the configuration menu.
May 13 16:27:59.808560 osdx dnscrypt-proxy[152173]: Dropping privileges
May 13 16:27:59.811981 osdx dnscrypt-proxy[152173]: Network connectivity detected
May 13 16:27:59.812029 osdx dnscrypt-proxy[152173]: Now listening to 127.0.0.1:53 [UDP]
May 13 16:27:59.812037 osdx dnscrypt-proxy[152173]: Now listening to 127.0.0.1:53 [TCP]
May 13 16:27:59.812069 osdx dnscrypt-proxy[152173]: Firefox workaround initialized
May 13 16:27:59.812075 osdx dnscrypt-proxy[152173]: Loading the set of cloaking rules from [/tmp/tmpn6rrtp6v]
May 13 16:27:59.813272 osdx dnscrypt-proxy[152173]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Multiple Invalid Cipher
Description
Configures either one or two invalid ciphers and tries to communicate with the server. A refusal of all proposed ciphers is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
May 13 16:28:07.299662 osdx systemd-journald[27261]: Runtime Journal (/run/log/journal/29acf74054db4c3a94b562797c4c13a9) is 2.1M, max 15.3M, 13.2M free. May 13 16:28:07.300542 osdx systemd-journald[27261]: Received client request to rotate journal, rotating. May 13 16:28:07.300591 osdx systemd-journald[27261]: Vacuuming done, freed 0B of archived journals from /run/log/journal/29acf74054db4c3a94b562797c4c13a9. May 13 16:28:07.312108 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'system journal clear'. May 13 16:28:07.663238 osdx osdx-coredump[153847]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... May 13 16:28:07.671851 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'system coredump delete all'. May 13 16:28:08.201004 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu. May 13 16:28:08.287749 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 13 16:28:08.378491 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 13 16:28:08.459232 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'. May 13 16:28:08.555424 osdx ubnt-cfgd[153865]: inactive May 13 16:28:08.576105 osdx INFO[153873]: FRR daemons did not change May 13 16:28:08.683615 osdx cfgd[1470]: [30995]Completed change to active configuration May 13 16:28:08.694431 osdx OSDxCLI[30995]: User 'admin' committed the configuration. May 13 16:28:08.710982 osdx OSDxCLI[30995]: User 'admin' left the configuration menu. May 13 16:28:08.861700 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. May 13 16:28:09.029672 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu. May 13 16:28:09.109410 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. 
May 13 16:28:09.212705 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. May 13 16:28:09.279321 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. May 13 16:28:09.365551 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. May 13 16:28:09.430086 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'. May 13 16:28:09.524750 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. May 13 16:28:09.582912 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. May 13 16:28:09.721960 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 13 16:28:09.782715 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 13 16:28:09.903769 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'. May 13 16:28:09.975446 osdx ubnt-cfgd[154034]: inactive May 13 16:28:10.002401 osdx INFO[154042]: FRR daemons did not change May 13 16:28:10.018847 osdx ca-certificates[154058]: Updating certificates in /etc/ssl/certs... May 13 16:28:10.511393 osdx ca-certificates[155061]: 1 added, 0 removed; done. May 13 16:28:10.514554 osdx ca-certificates[155068]: Running hooks in /etc/ca-certificates/update.d... May 13 16:28:10.517392 osdx ca-certificates[155070]: done. May 13 16:28:10.584866 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. 
May 13 16:28:10.586173 osdx cfgd[1470]: [30995]Completed change to active configuration May 13 16:28:10.589129 osdx OSDxCLI[30995]: User 'admin' committed the configuration. May 13 16:28:10.606961 osdx OSDxCLI[30995]: User 'admin' left the configuration menu. May 13 16:28:10.608303 osdx dnscrypt-proxy[155074]: dnscrypt-proxy 2.0.45 May 13 16:28:10.608366 osdx dnscrypt-proxy[155074]: Network connectivity detected May 13 16:28:10.608589 osdx dnscrypt-proxy[155074]: Dropping privileges May 13 16:28:10.610973 osdx dnscrypt-proxy[155074]: Network connectivity detected May 13 16:28:10.611004 osdx dnscrypt-proxy[155074]: Now listening to 127.0.0.1:53 [UDP] May 13 16:28:10.611009 osdx dnscrypt-proxy[155074]: Now listening to 127.0.0.1:53 [TCP] May 13 16:28:10.611027 osdx dnscrypt-proxy[155074]: Firefox workaround initialized May 13 16:28:10.611031 osdx dnscrypt-proxy[155074]: Loading the set of cloaking rules from [/tmp/tmpa53015v4] May 13 16:28:10.611797 osdx dnscrypt-proxy[155074]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Example 2
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
May 13 16:28:10.848746 osdx systemd-journald[27261]: Runtime Journal (/run/log/journal/29acf74054db4c3a94b562797c4c13a9) is 2.0M, max 15.3M, 13.3M free. May 13 16:28:10.852541 osdx systemd-journald[27261]: Received client request to rotate journal, rotating. May 13 16:28:10.852592 osdx systemd-journald[27261]: Vacuuming done, freed 0B of archived journals from /run/log/journal/29acf74054db4c3a94b562797c4c13a9. May 13 16:28:10.858585 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'system journal clear'. May 13 16:28:11.131297 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu. May 13 16:28:11.191354 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'delete '. May 13 16:28:11.302300 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. May 13 16:28:11.390363 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'. May 13 16:28:11.459227 osdx ubnt-cfgd[155122]: inactive May 13 16:28:11.481664 osdx dnscrypt-proxy[155074]: Stopped. May 13 16:28:11.481770 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy... May 13 16:28:11.482907 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully. May 13 16:28:11.483054 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy. May 13 16:28:11.570610 osdx ca-certificates[155208]: Clearing symlinks in /etc/ssl/certs... May 13 16:28:11.855372 osdx ca-certificates[155777]: done. May 13 16:28:11.858767 osdx ca-certificates[155787]: Updating certificates in /etc/ssl/certs... May 13 16:28:12.372744 osdx ca-certificates[156637]: 140 added, 0 removed; done. May 13 16:28:12.376564 osdx ca-certificates[156644]: Running hooks in /etc/ca-certificates/update.d... May 13 16:28:12.380333 osdx ca-certificates[156646]: done. 
May 13 16:28:12.398431 osdx INFO[156649]: FRR daemons did not change May 13 16:28:12.398963 osdx cfgd[1470]: [30995]Completed change to active configuration May 13 16:28:12.402580 osdx OSDxCLI[30995]: User 'admin' committed the configuration. May 13 16:28:12.420500 osdx OSDxCLI[30995]: User 'admin' left the configuration menu. May 13 16:28:13.757018 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu. May 13 16:28:13.818465 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. May 13 16:28:13.922476 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. May 13 16:28:14.011250 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. May 13 16:28:14.134846 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. May 13 16:28:14.197930 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'. May 13 16:28:14.306859 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'. May 13 16:28:14.368647 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. May 13 16:28:14.503585 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 13 16:28:14.612253 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 13 16:28:14.719488 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'. 
May 13 16:28:14.845921 osdx ubnt-cfgd[156683]: inactive May 13 16:28:14.870364 osdx INFO[156693]: FRR daemons did not change May 13 16:28:14.882933 osdx ca-certificates[156709]: Updating certificates in /etc/ssl/certs... May 13 16:28:15.418112 osdx ca-certificates[157712]: 1 added, 0 removed; done. May 13 16:28:15.421005 osdx ca-certificates[157719]: Running hooks in /etc/ca-certificates/update.d... May 13 16:28:15.424668 osdx ca-certificates[157721]: done. May 13 16:28:15.616875 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. May 13 16:28:15.618422 osdx cfgd[1470]: [30995]Completed change to active configuration May 13 16:28:15.631798 osdx OSDxCLI[30995]: User 'admin' committed the configuration. May 13 16:28:15.644725 osdx dnscrypt-proxy[157831]: dnscrypt-proxy 2.0.45 May 13 16:28:15.644796 osdx dnscrypt-proxy[157831]: Network connectivity detected May 13 16:28:15.645022 osdx dnscrypt-proxy[157831]: Dropping privileges May 13 16:28:15.647434 osdx dnscrypt-proxy[157831]: Network connectivity detected May 13 16:28:15.647463 osdx dnscrypt-proxy[157831]: Now listening to 127.0.0.1:53 [UDP] May 13 16:28:15.647468 osdx dnscrypt-proxy[157831]: Now listening to 127.0.0.1:53 [TCP] May 13 16:28:15.647496 osdx dnscrypt-proxy[157831]: Firefox workaround initialized May 13 16:28:15.647501 osdx dnscrypt-proxy[157831]: Loading the set of cloaking rules from [/tmp/tmpo6zhrn06] May 13 16:28:15.648349 osdx dnscrypt-proxy[157831]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file May 13 16:28:15.658413 osdx OSDxCLI[30995]: User 'admin' left the configuration menu.
Example 3
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
May 13 16:28:16.001963 osdx systemd-journald[27261]: Runtime Journal (/run/log/journal/29acf74054db4c3a94b562797c4c13a9) is 2.0M, max 15.3M, 13.3M free. May 13 16:28:16.004541 osdx systemd-journald[27261]: Received client request to rotate journal, rotating. May 13 16:28:16.004589 osdx systemd-journald[27261]: Vacuuming done, freed 0B of archived journals from /run/log/journal/29acf74054db4c3a94b562797c4c13a9. May 13 16:28:16.012396 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'system journal clear'. May 13 16:28:16.284607 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu. May 13 16:28:16.340355 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'delete '. May 13 16:28:16.456097 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. May 13 16:28:16.522795 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'. May 13 16:28:16.617414 osdx ubnt-cfgd[157898]: inactive May 13 16:28:16.638804 osdx dnscrypt-proxy[157831]: Stopped. May 13 16:28:16.638874 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy... May 13 16:28:16.639831 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully. May 13 16:28:16.639963 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy. May 13 16:28:16.722448 osdx ca-certificates[157984]: Clearing symlinks in /etc/ssl/certs... May 13 16:28:17.007881 osdx ca-certificates[158554]: done. May 13 16:28:17.011280 osdx ca-certificates[158563]: Updating certificates in /etc/ssl/certs... May 13 16:28:17.439925 osdx ca-certificates[159415]: 140 added, 0 removed; done. May 13 16:28:17.443806 osdx ca-certificates[159420]: Running hooks in /etc/ca-certificates/update.d... May 13 16:28:17.446563 osdx ca-certificates[159422]: done. 
May 13 16:28:17.461374 osdx INFO[159425]: FRR daemons did not change May 13 16:28:17.461666 osdx cfgd[1470]: [30995]Completed change to active configuration May 13 16:28:17.463968 osdx OSDxCLI[30995]: User 'admin' committed the configuration. May 13 16:28:17.491173 osdx OSDxCLI[30995]: User 'admin' left the configuration menu. May 13 16:28:18.811580 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu. May 13 16:28:18.873190 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. May 13 16:28:18.975515 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. May 13 16:28:19.045154 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. May 13 16:28:19.146649 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. May 13 16:28:19.241412 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'. May 13 16:28:19.313141 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. May 13 16:28:19.425771 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'. May 13 16:28:19.478876 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. May 13 16:28:19.601879 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 13 16:28:19.662204 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 13 16:28:19.807874 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'. 
May 13 16:28:19.895220 osdx ubnt-cfgd[159462]: inactive May 13 16:28:19.923755 osdx INFO[159472]: FRR daemons did not change May 13 16:28:19.937735 osdx ca-certificates[159487]: Updating certificates in /etc/ssl/certs... May 13 16:28:20.483373 osdx ca-certificates[160492]: 1 added, 0 removed; done. May 13 16:28:20.486498 osdx ca-certificates[160498]: Running hooks in /etc/ca-certificates/update.d... May 13 16:28:20.489300 osdx ca-certificates[160500]: done. May 13 16:28:20.681119 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. May 13 16:28:20.683064 osdx cfgd[1470]: [30995]Completed change to active configuration May 13 16:28:20.698608 osdx OSDxCLI[30995]: User 'admin' committed the configuration. May 13 16:28:20.715201 osdx dnscrypt-proxy[160610]: dnscrypt-proxy 2.0.45 May 13 16:28:20.715286 osdx dnscrypt-proxy[160610]: Network connectivity detected May 13 16:28:20.715605 osdx dnscrypt-proxy[160610]: Dropping privileges May 13 16:28:20.718436 osdx dnscrypt-proxy[160610]: Network connectivity detected May 13 16:28:20.718472 osdx dnscrypt-proxy[160610]: Now listening to 127.0.0.1:53 [UDP] May 13 16:28:20.718478 osdx dnscrypt-proxy[160610]: Now listening to 127.0.0.1:53 [TCP] May 13 16:28:20.718512 osdx dnscrypt-proxy[160610]: Firefox workaround initialized May 13 16:28:20.718517 osdx dnscrypt-proxy[160610]: Loading the set of cloaking rules from [/tmp/tmp9ue02ctv] May 13 16:28:20.719511 osdx dnscrypt-proxy[160610]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file May 13 16:28:20.724915 osdx OSDxCLI[30995]: User 'admin' left the configuration menu. 
May 13 16:28:20.868366 osdx dnscrypt-proxy[160610]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392 May 13 16:28:20.868389 osdx dnscrypt-proxy[160610]: [RD] OK (DoH) - rtt: 118ms May 13 16:28:20.868399 osdx dnscrypt-proxy[160610]: Server with the lowest initial latency: RD (rtt: 118ms) May 13 16:28:20.868405 osdx dnscrypt-proxy[160610]: dnscrypt-proxy is ready - live servers: 1
Invalid Cipher With Fallback
Description
Configures an invalid cipher and a valid fallback cipher, then tries to communicate with the server. No refusal is expected, as long as the valid proposed cipher is the one used.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
May 13 16:28:27.000205 osdx systemd-timedated[150928]: Changed local time to Tue 2025-05-13 16:28:27 UTC May 13 16:28:27.001680 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'set date 2025-05-13 16:28:27'. May 13 16:28:27.004194 osdx systemd-journald[27261]: Time jumped backwards, rotating. May 13 16:28:27.308773 osdx systemd-journald[27261]: Runtime Journal (/run/log/journal/29acf74054db4c3a94b562797c4c13a9) is 2.0M, max 15.3M, 13.3M free. May 13 16:28:27.312201 osdx systemd-journald[27261]: Received client request to rotate journal, rotating. May 13 16:28:27.312250 osdx systemd-journald[27261]: Vacuuming done, freed 0B of archived journals from /run/log/journal/29acf74054db4c3a94b562797c4c13a9. May 13 16:28:27.320561 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'system journal clear'. May 13 16:28:27.647538 osdx osdx-coredump[162301]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... May 13 16:28:27.655347 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'system coredump delete all'. May 13 16:28:28.127517 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu. May 13 16:28:28.205071 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 13 16:28:28.291462 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 13 16:28:28.358443 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'. May 13 16:28:28.454028 osdx ubnt-cfgd[162319]: inactive May 13 16:28:28.472697 osdx INFO[162327]: FRR daemons did not change May 13 16:28:28.577642 osdx cfgd[1470]: [30995]Completed change to active configuration May 13 16:28:28.588736 osdx OSDxCLI[30995]: User 'admin' committed the configuration. May 13 16:28:28.604491 osdx OSDxCLI[30995]: User 'admin' left the configuration menu. 
May 13 16:28:28.763150 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. May 13 16:28:28.936950 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu. May 13 16:28:29.054721 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. May 13 16:28:29.114543 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. May 13 16:28:29.213197 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. May 13 16:28:29.270417 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. May 13 16:28:29.372425 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'. May 13 16:28:29.431166 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. May 13 16:28:29.530698 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'. May 13 16:28:29.585631 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. May 13 16:28:29.730099 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 13 16:28:29.815600 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 13 16:28:29.896989 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'. 
May 13 16:28:29.991989 osdx ubnt-cfgd[162491]: inactive May 13 16:28:30.017769 osdx INFO[162499]: FRR daemons did not change May 13 16:28:30.031158 osdx ca-certificates[162515]: Updating certificates in /etc/ssl/certs... May 13 16:28:30.527834 osdx ca-certificates[163519]: 1 added, 0 removed; done. May 13 16:28:30.530856 osdx ca-certificates[163525]: Running hooks in /etc/ca-certificates/update.d... May 13 16:28:30.533653 osdx ca-certificates[163527]: done. May 13 16:28:30.600458 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. May 13 16:28:30.601814 osdx cfgd[1470]: [30995]Completed change to active configuration May 13 16:28:30.604158 osdx OSDxCLI[30995]: User 'admin' committed the configuration. May 13 16:28:30.624565 osdx dnscrypt-proxy[163531]: dnscrypt-proxy 2.0.45 May 13 16:28:30.624641 osdx dnscrypt-proxy[163531]: Network connectivity detected May 13 16:28:30.624865 osdx dnscrypt-proxy[163531]: Dropping privileges May 13 16:28:30.627620 osdx dnscrypt-proxy[163531]: Network connectivity detected May 13 16:28:30.627653 osdx dnscrypt-proxy[163531]: Now listening to 127.0.0.1:53 [UDP] May 13 16:28:30.627658 osdx dnscrypt-proxy[163531]: Now listening to 127.0.0.1:53 [TCP] May 13 16:28:30.627682 osdx dnscrypt-proxy[163531]: Firefox workaround initialized May 13 16:28:30.627687 osdx dnscrypt-proxy[163531]: Loading the set of cloaking rules from [/tmp/tmpyvxm5sb4] May 13 16:28:30.629461 osdx OSDxCLI[30995]: User 'admin' left the configuration menu. 
May 13 16:28:30.763070 osdx dnscrypt-proxy[163531]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199 May 13 16:28:30.763084 osdx dnscrypt-proxy[163531]: [RD] OK (DoH) - rtt: 108ms May 13 16:28:30.763092 osdx dnscrypt-proxy[163531]: Server with the lowest initial latency: RD (rtt: 108ms) May 13 16:28:30.763096 osdx dnscrypt-proxy[163531]: dnscrypt-proxy is ready - live servers: 1 May 13 16:28:30.776733 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 2
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
May 13 16:28:30.978086 osdx systemd-journald[27261]: Runtime Journal (/run/log/journal/29acf74054db4c3a94b562797c4c13a9) is 2.0M, max 15.3M, 13.2M free.
May 13 16:28:30.980196 osdx systemd-journald[27261]: Received client request to rotate journal, rotating.
May 13 16:28:30.980265 osdx systemd-journald[27261]: Vacuuming done, freed 0B of archived journals from /run/log/journal/29acf74054db4c3a94b562797c4c13a9.
May 13 16:28:30.988561 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'system journal clear'.
May 13 16:28:31.286512 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu.
May 13 16:28:31.346809 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'delete '.
May 13 16:28:31.468602 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
May 13 16:28:31.536076 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'.
May 13 16:28:31.630110 osdx ubnt-cfgd[163583]: inactive
May 13 16:28:31.650210 osdx dnscrypt-proxy[163531]: Stopped.
May 13 16:28:31.650234 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
May 13 16:28:31.651041 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
May 13 16:28:31.651147 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
May 13 16:28:31.733301 osdx ca-certificates[163669]: Clearing symlinks in /etc/ssl/certs...
May 13 16:28:32.023259 osdx ca-certificates[164239]: done.
May 13 16:28:32.026279 osdx ca-certificates[164247]: Updating certificates in /etc/ssl/certs...
May 13 16:28:32.510484 osdx ca-certificates[165098]: 140 added, 0 removed; done.
May 13 16:28:32.514489 osdx ca-certificates[165105]: Running hooks in /etc/ca-certificates/update.d...
May 13 16:28:32.517520 osdx ca-certificates[165107]: done.
May 13 16:28:32.536405 osdx INFO[165110]: FRR daemons did not change
May 13 16:28:32.536752 osdx cfgd[1470]: [30995]Completed change to active configuration
May 13 16:28:32.540520 osdx OSDxCLI[30995]: User 'admin' committed the configuration.
May 13 16:28:32.562781 osdx OSDxCLI[30995]: User 'admin' left the configuration menu.
May 13 16:28:34.118764 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu.
May 13 16:28:34.190949 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 13 16:28:34.260896 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 13 16:28:34.380746 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 13 16:28:34.453368 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 13 16:28:34.573140 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'.
May 13 16:28:34.629142 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
May 13 16:28:34.727587 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
May 13 16:28:34.781350 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 13 16:28:34.898920 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 13 16:28:34.954560 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 13 16:28:35.140241 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'.
May 13 16:28:35.225351 osdx ubnt-cfgd[165147]: inactive
May 13 16:28:35.251374 osdx INFO[165157]: FRR daemons did not change
May 13 16:28:35.266525 osdx ca-certificates[165173]: Updating certificates in /etc/ssl/certs...
May 13 16:28:35.785797 osdx ca-certificates[166177]: 1 added, 0 removed; done.
May 13 16:28:35.788707 osdx ca-certificates[166183]: Running hooks in /etc/ca-certificates/update.d...
May 13 16:28:35.792583 osdx ca-certificates[166185]: done.
May 13 16:28:35.996569 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 13 16:28:35.997897 osdx cfgd[1470]: [30995]Completed change to active configuration
May 13 16:28:36.013224 osdx OSDxCLI[30995]: User 'admin' committed the configuration.
May 13 16:28:36.023240 osdx dnscrypt-proxy[166295]: dnscrypt-proxy 2.0.45
May 13 16:28:36.023320 osdx dnscrypt-proxy[166295]: Network connectivity detected
May 13 16:28:36.023561 osdx dnscrypt-proxy[166295]: Dropping privileges
May 13 16:28:36.026583 osdx dnscrypt-proxy[166295]: Network connectivity detected
May 13 16:28:36.026613 osdx dnscrypt-proxy[166295]: Now listening to 127.0.0.1:53 [UDP]
May 13 16:28:36.026617 osdx dnscrypt-proxy[166295]: Now listening to 127.0.0.1:53 [TCP]
May 13 16:28:36.026638 osdx dnscrypt-proxy[166295]: Firefox workaround initialized
May 13 16:28:36.026643 osdx dnscrypt-proxy[166295]: Loading the set of cloaking rules from [/tmp/tmpeyjf553r]
May 13 16:28:36.044361 osdx OSDxCLI[30995]: User 'admin' left the configuration menu.
May 13 16:28:36.163479 osdx dnscrypt-proxy[166295]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
May 13 16:28:36.163494 osdx dnscrypt-proxy[166295]: [RD] OK (DoH) - rtt: 114ms
May 13 16:28:36.163503 osdx dnscrypt-proxy[166295]: Server with the lowest initial latency: RD (rtt: 114ms)
May 13 16:28:36.163510 osdx dnscrypt-proxy[166295]: dnscrypt-proxy is ready - live servers: 1
May 13 16:28:36.203118 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 3
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Output:
May 13 16:28:36.410622 osdx systemd-journald[27261]: Runtime Journal (/run/log/journal/29acf74054db4c3a94b562797c4c13a9) is 2.1M, max 15.3M, 13.2M free.
May 13 16:28:36.412196 osdx systemd-journald[27261]: Received client request to rotate journal, rotating.
May 13 16:28:36.412242 osdx systemd-journald[27261]: Vacuuming done, freed 0B of archived journals from /run/log/journal/29acf74054db4c3a94b562797c4c13a9.
May 13 16:28:36.420203 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'system journal clear'.
May 13 16:28:36.704921 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu.
May 13 16:28:36.777853 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'delete '.
May 13 16:28:36.900601 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
May 13 16:28:36.971169 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'.
May 13 16:28:37.092348 osdx ubnt-cfgd[166365]: inactive
May 13 16:28:37.115475 osdx dnscrypt-proxy[166295]: Stopped.
May 13 16:28:37.115519 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
May 13 16:28:37.116885 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
May 13 16:28:37.116990 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
May 13 16:28:37.194120 osdx ca-certificates[166452]: Clearing symlinks in /etc/ssl/certs...
May 13 16:28:37.460984 osdx ca-certificates[167021]: done.
May 13 16:28:37.464617 osdx ca-certificates[167031]: Updating certificates in /etc/ssl/certs...
May 13 16:28:37.927040 osdx ca-certificates[167881]: 140 added, 0 removed; done.
May 13 16:28:37.930020 osdx ca-certificates[167888]: Running hooks in /etc/ca-certificates/update.d...
May 13 16:28:37.932820 osdx ca-certificates[167890]: done.
May 13 16:28:37.949924 osdx INFO[167893]: FRR daemons did not change
May 13 16:28:37.950392 osdx cfgd[1470]: [30995]Completed change to active configuration
May 13 16:28:37.953519 osdx OSDxCLI[30995]: User 'admin' committed the configuration.
May 13 16:28:37.973494 osdx OSDxCLI[30995]: User 'admin' left the configuration menu.
May 13 16:28:39.306881 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu.
May 13 16:28:39.371711 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 13 16:28:39.473370 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 13 16:28:39.540670 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 13 16:28:39.637316 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 13 16:28:39.760748 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'.
May 13 16:28:39.817165 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
May 13 16:28:39.915701 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
May 13 16:28:39.969709 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 13 16:28:40.071701 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 13 16:28:40.126252 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 13 16:28:40.246879 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'.
May 13 16:28:40.311139 osdx ubnt-cfgd[167930]: inactive
May 13 16:28:40.334830 osdx INFO[167940]: FRR daemons did not change
May 13 16:28:40.351283 osdx ca-certificates[167956]: Updating certificates in /etc/ssl/certs...
May 13 16:28:40.833002 osdx ca-certificates[168959]: 1 added, 0 removed; done.
May 13 16:28:40.835882 osdx ca-certificates[168966]: Running hooks in /etc/ca-certificates/update.d...
May 13 16:28:40.838822 osdx ca-certificates[168968]: done.
May 13 16:28:41.000518 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 13 16:28:41.001822 osdx cfgd[1470]: [30995]Completed change to active configuration
May 13 16:28:41.014651 osdx OSDxCLI[30995]: User 'admin' committed the configuration.
May 13 16:28:41.025351 osdx dnscrypt-proxy[169078]: dnscrypt-proxy 2.0.45
May 13 16:28:41.025453 osdx dnscrypt-proxy[169078]: Network connectivity detected
May 13 16:28:41.025744 osdx dnscrypt-proxy[169078]: Dropping privileges
May 13 16:28:41.029065 osdx dnscrypt-proxy[169078]: Network connectivity detected
May 13 16:28:41.029102 osdx dnscrypt-proxy[169078]: Now listening to 127.0.0.1:53 [UDP]
May 13 16:28:41.029107 osdx dnscrypt-proxy[169078]: Now listening to 127.0.0.1:53 [TCP]
May 13 16:28:41.029136 osdx dnscrypt-proxy[169078]: Firefox workaround initialized
May 13 16:28:41.029141 osdx dnscrypt-proxy[169078]: Loading the set of cloaking rules from [/tmp/tmpx073yyd8]
May 13 16:28:41.042323 osdx OSDxCLI[30995]: User 'admin' left the configuration menu.
May 13 16:28:41.181159 osdx dnscrypt-proxy[169078]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
May 13 16:28:41.181178 osdx dnscrypt-proxy[169078]: [RD] OK (DoH) - rtt: 122ms
May 13 16:28:41.181188 osdx dnscrypt-proxy[169078]: Server with the lowest initial latency: RD (rtt: 122ms)
May 13 16:28:41.181194 osdx dnscrypt-proxy[169078]: dnscrypt-proxy is ready - live servers: 1
May 13 16:28:41.229517 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 4
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
May 13 16:28:41.435755 osdx systemd-journald[27261]: Runtime Journal (/run/log/journal/29acf74054db4c3a94b562797c4c13a9) is 2.0M, max 15.3M, 13.3M free.
May 13 16:28:41.436402 osdx systemd-journald[27261]: Received client request to rotate journal, rotating.
May 13 16:28:41.436446 osdx systemd-journald[27261]: Vacuuming done, freed 0B of archived journals from /run/log/journal/29acf74054db4c3a94b562797c4c13a9.
May 13 16:28:41.447144 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'system journal clear'.
May 13 16:28:41.705489 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu.
May 13 16:28:41.766435 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'delete '.
May 13 16:28:41.885177 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
May 13 16:28:41.963818 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'.
May 13 16:28:42.057140 osdx ubnt-cfgd[169148]: inactive
May 13 16:28:42.076082 osdx dnscrypt-proxy[169078]: Stopped.
May 13 16:28:42.076089 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
May 13 16:28:42.076785 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
May 13 16:28:42.076896 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
May 13 16:28:42.152573 osdx ca-certificates[169233]: Clearing symlinks in /etc/ssl/certs...
May 13 16:28:42.412949 osdx ca-certificates[169803]: done.
May 13 16:28:42.416266 osdx ca-certificates[169814]: Updating certificates in /etc/ssl/certs...
May 13 16:28:42.862079 osdx ca-certificates[170664]: 140 added, 0 removed; done.
May 13 16:28:42.864950 osdx ca-certificates[170670]: Running hooks in /etc/ca-certificates/update.d...
May 13 16:28:42.867739 osdx ca-certificates[170672]: done.
May 13 16:28:42.881998 osdx INFO[170675]: FRR daemons did not change
May 13 16:28:42.882281 osdx cfgd[1470]: [30995]Completed change to active configuration
May 13 16:28:42.885322 osdx OSDxCLI[30995]: User 'admin' committed the configuration.
May 13 16:28:42.905097 osdx OSDxCLI[30995]: User 'admin' left the configuration menu.
May 13 16:28:44.378048 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu.
May 13 16:28:44.440063 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 13 16:28:44.543563 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 13 16:28:44.616117 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 13 16:28:44.708538 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 13 16:28:44.774484 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'.
May 13 16:28:44.868599 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
May 13 16:28:44.928475 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
May 13 16:28:45.034079 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 13 16:28:45.154859 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 13 16:28:45.218076 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 13 16:28:45.329308 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'.
May 13 16:28:45.398258 osdx ubnt-cfgd[170712]: inactive
May 13 16:28:45.423610 osdx INFO[170722]: FRR daemons did not change
May 13 16:28:45.435569 osdx ca-certificates[170738]: Updating certificates in /etc/ssl/certs...
May 13 16:28:45.945749 osdx ca-certificates[171742]: 1 added, 0 removed; done.
May 13 16:28:45.948694 osdx ca-certificates[171748]: Running hooks in /etc/ca-certificates/update.d...
May 13 16:28:45.951569 osdx ca-certificates[171750]: done.
May 13 16:28:46.136489 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 13 16:28:46.137748 osdx cfgd[1470]: [30995]Completed change to active configuration
May 13 16:28:46.149168 osdx OSDxCLI[30995]: User 'admin' committed the configuration.
May 13 16:28:46.159560 osdx dnscrypt-proxy[171860]: dnscrypt-proxy 2.0.45
May 13 16:28:46.159629 osdx dnscrypt-proxy[171860]: Network connectivity detected
May 13 16:28:46.159815 osdx dnscrypt-proxy[171860]: Dropping privileges
May 13 16:28:46.161864 osdx dnscrypt-proxy[171860]: Network connectivity detected
May 13 16:28:46.161898 osdx dnscrypt-proxy[171860]: Now listening to 127.0.0.1:53 [UDP]
May 13 16:28:46.161904 osdx dnscrypt-proxy[171860]: Now listening to 127.0.0.1:53 [TCP]
May 13 16:28:46.161936 osdx dnscrypt-proxy[171860]: Firefox workaround initialized
May 13 16:28:46.161942 osdx dnscrypt-proxy[171860]: Loading the set of cloaking rules from [/tmp/tmp95_mzi3e]
May 13 16:28:46.168880 osdx OSDxCLI[30995]: User 'admin' left the configuration menu.
May 13 16:28:46.307155 osdx dnscrypt-proxy[171860]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
May 13 16:28:46.307178 osdx dnscrypt-proxy[171860]: [RD] OK (DoH) - rtt: 118ms
May 13 16:28:46.307189 osdx dnscrypt-proxy[171860]: Server with the lowest initial latency: RD (rtt: 118ms)
May 13 16:28:46.307199 osdx dnscrypt-proxy[171860]: dnscrypt-proxy is ready - live servers: 1
May 13 16:28:46.341087 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 5
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
Output:
May 13 16:28:46.536873 osdx systemd-journald[27261]: Runtime Journal (/run/log/journal/29acf74054db4c3a94b562797c4c13a9) is 2.0M, max 15.3M, 13.3M free.
May 13 16:28:46.540199 osdx systemd-journald[27261]: Received client request to rotate journal, rotating.
May 13 16:28:46.540253 osdx systemd-journald[27261]: Vacuuming done, freed 0B of archived journals from /run/log/journal/29acf74054db4c3a94b562797c4c13a9.
May 13 16:28:46.547620 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'system journal clear'.
May 13 16:28:46.883973 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu.
May 13 16:28:47.000587 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'delete '.
May 13 16:28:47.093639 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
May 13 16:28:47.206035 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'.
May 13 16:28:47.275786 osdx ubnt-cfgd[171930]: inactive
May 13 16:28:47.296013 osdx dnscrypt-proxy[171860]: Stopped.
May 13 16:28:47.296050 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
May 13 16:28:47.297253 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
May 13 16:28:47.297352 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
May 13 16:28:47.392095 osdx ca-certificates[172016]: Clearing symlinks in /etc/ssl/certs...
May 13 16:28:47.650253 osdx ca-certificates[172585]: done.
May 13 16:28:47.655168 osdx ca-certificates[172594]: Updating certificates in /etc/ssl/certs...
May 13 16:28:48.097219 osdx ca-certificates[173446]: 140 added, 0 removed; done.
May 13 16:28:48.100125 osdx ca-certificates[173452]: Running hooks in /etc/ca-certificates/update.d...
May 13 16:28:48.103049 osdx ca-certificates[173454]: done.
May 13 16:28:48.117387 osdx INFO[173457]: FRR daemons did not change
May 13 16:28:48.118117 osdx cfgd[1470]: [30995]Completed change to active configuration
May 13 16:28:48.121724 osdx OSDxCLI[30995]: User 'admin' committed the configuration.
May 13 16:28:48.152993 osdx OSDxCLI[30995]: User 'admin' left the configuration menu.
May 13 16:28:49.380485 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu.
May 13 16:28:49.440502 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 13 16:28:49.541854 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 13 16:28:49.609674 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 13 16:28:49.711230 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 13 16:28:49.814405 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'.
May 13 16:28:49.873280 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
May 13 16:28:50.009462 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
May 13 16:28:50.071784 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 13 16:28:50.185398 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 13 16:28:50.242619 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 13 16:28:50.363599 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'.
May 13 16:28:50.430054 osdx ubnt-cfgd[173494]: inactive
May 13 16:28:50.452116 osdx INFO[173504]: FRR daemons did not change
May 13 16:28:50.464382 osdx ca-certificates[173520]: Updating certificates in /etc/ssl/certs...
May 13 16:28:50.953821 osdx ca-certificates[174523]: 1 added, 0 removed; done.
May 13 16:28:50.957639 osdx ca-certificates[174530]: Running hooks in /etc/ca-certificates/update.d...
May 13 16:28:50.960677 osdx ca-certificates[174532]: done.
May 13 16:28:51.128442 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 13 16:28:51.129655 osdx cfgd[1470]: [30995]Completed change to active configuration
May 13 16:28:51.144446 osdx OSDxCLI[30995]: User 'admin' committed the configuration.
May 13 16:28:51.162966 osdx dnscrypt-proxy[174642]: dnscrypt-proxy 2.0.45
May 13 16:28:51.163025 osdx dnscrypt-proxy[174642]: Network connectivity detected
May 13 16:28:51.163219 osdx dnscrypt-proxy[174642]: Dropping privileges
May 13 16:28:51.165422 osdx dnscrypt-proxy[174642]: Network connectivity detected
May 13 16:28:51.165459 osdx dnscrypt-proxy[174642]: Now listening to 127.0.0.1:53 [UDP]
May 13 16:28:51.165465 osdx dnscrypt-proxy[174642]: Now listening to 127.0.0.1:53 [TCP]
May 13 16:28:51.165493 osdx dnscrypt-proxy[174642]: Firefox workaround initialized
May 13 16:28:51.165498 osdx dnscrypt-proxy[174642]: Loading the set of cloaking rules from [/tmp/tmp6kslihq6]
May 13 16:28:51.169465 osdx OSDxCLI[30995]: User 'admin' left the configuration menu.
May 13 16:28:51.317973 osdx dnscrypt-proxy[174642]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
May 13 16:28:51.317985 osdx dnscrypt-proxy[174642]: [RD] OK (DoH) - rtt: 129ms
May 13 16:28:51.317992 osdx dnscrypt-proxy[174642]: Server with the lowest initial latency: RD (rtt: 129ms)
May 13 16:28:51.318000 osdx dnscrypt-proxy[174642]: dnscrypt-proxy is ready - live servers: 1
May 13 16:28:51.358840 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 6
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Output:
May 13 16:28:51.555542 osdx systemd-journald[27261]: Runtime Journal (/run/log/journal/29acf74054db4c3a94b562797c4c13a9) is 2.0M, max 15.3M, 13.3M free.
May 13 16:28:51.556233 osdx systemd-journald[27261]: Received client request to rotate journal, rotating.
May 13 16:28:51.556282 osdx systemd-journald[27261]: Vacuuming done, freed 0B of archived journals from /run/log/journal/29acf74054db4c3a94b562797c4c13a9.
May 13 16:28:51.566917 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'system journal clear'.
May 13 16:28:51.840445 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu.
May 13 16:28:51.899504 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'delete '.
May 13 16:28:52.018098 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
May 13 16:28:52.080337 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'.
May 13 16:28:52.180645 osdx ubnt-cfgd[174713]: inactive
May 13 16:28:52.202084 osdx dnscrypt-proxy[174642]: Stopped.
May 13 16:28:52.202184 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
May 13 16:28:52.203548 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
May 13 16:28:52.203708 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
May 13 16:28:52.287236 osdx ca-certificates[174799]: Clearing symlinks in /etc/ssl/certs...
May 13 16:28:52.547512 osdx ca-certificates[175368]: done.
May 13 16:28:52.551186 osdx ca-certificates[175377]: Updating certificates in /etc/ssl/certs...
May 13 16:28:53.011634 osdx ca-certificates[176229]: 140 added, 0 removed; done.
May 13 16:28:53.014466 osdx ca-certificates[176235]: Running hooks in /etc/ca-certificates/update.d...
May 13 16:28:53.017386 osdx ca-certificates[176237]: done.
May 13 16:28:53.035506 osdx INFO[176240]: FRR daemons did not change
May 13 16:28:53.036152 osdx cfgd[1470]: [30995]Completed change to active configuration
May 13 16:28:53.038943 osdx OSDxCLI[30995]: User 'admin' committed the configuration.
May 13 16:28:53.064010 osdx OSDxCLI[30995]: User 'admin' left the configuration menu.
May 13 16:28:54.324942 osdx OSDxCLI[30995]: User 'admin' entered the configuration menu.
May 13 16:28:54.395588 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 13 16:28:54.500354 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 13 16:28:54.572569 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 13 16:28:54.693843 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 13 16:28:54.769104 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'.
May 13 16:28:54.873995 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
May 13 16:28:54.934156 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
May 13 16:28:55.025803 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 13 16:28:55.106372 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 13 16:28:55.181311 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 13 16:28:55.309208 osdx OSDxCLI[30995]: User 'admin' added a new cfg line: 'show working'.
May 13 16:28:55.434013 osdx ubnt-cfgd[176277]: inactive
May 13 16:28:55.459190 osdx INFO[176287]: FRR daemons did not change
May 13 16:28:55.474004 osdx ca-certificates[176303]: Updating certificates in /etc/ssl/certs...
May 13 16:28:56.029006 osdx ca-certificates[177307]: 1 added, 0 removed; done.
May 13 16:28:56.032291 osdx ca-certificates[177313]: Running hooks in /etc/ca-certificates/update.d...
May 13 16:28:56.036250 osdx ca-certificates[177315]: done.
May 13 16:28:56.248855 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 13 16:28:56.251415 osdx cfgd[1470]: [30995]Completed change to active configuration
May 13 16:28:56.264167 osdx OSDxCLI[30995]: User 'admin' committed the configuration.
May 13 16:28:56.276456 osdx dnscrypt-proxy[177425]: dnscrypt-proxy 2.0.45
May 13 16:28:56.276522 osdx dnscrypt-proxy[177425]: Network connectivity detected
May 13 16:28:56.276735 osdx dnscrypt-proxy[177425]: Dropping privileges
May 13 16:28:56.279148 osdx dnscrypt-proxy[177425]: Network connectivity detected
May 13 16:28:56.279180 osdx dnscrypt-proxy[177425]: Now listening to 127.0.0.1:53 [UDP]
May 13 16:28:56.279186 osdx dnscrypt-proxy[177425]: Now listening to 127.0.0.1:53 [TCP]
May 13 16:28:56.279208 osdx dnscrypt-proxy[177425]: Firefox workaround initialized
May 13 16:28:56.279213 osdx dnscrypt-proxy[177425]: Loading the set of cloaking rules from [/tmp/tmpjxbk7d9f]
May 13 16:28:56.292487 osdx OSDxCLI[30995]: User 'admin' left the configuration menu.
May 13 16:28:56.429135 osdx dnscrypt-proxy[177425]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
May 13 16:28:56.429152 osdx dnscrypt-proxy[177425]: [RD] OK (DoH) - rtt: 120ms
May 13 16:28:56.429160 osdx dnscrypt-proxy[177425]: Server with the lowest initial latency: RD (rtt: 120ms)
May 13 16:28:56.429166 osdx dnscrypt-proxy[177425]: dnscrypt-proxy is ready - live servers: 1
May 13 16:28:56.440174 osdx OSDxCLI[30995]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
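The Step 3 check in these examples, written as a script (an added example, not part of the test suite shown on this page): it decodes the decimal `Cipher suite:` token from the dnscrypt-proxy journal line into its IANA name and checks that the negotiated suite is one of the configured `cipher N algorithm` entries and is not RC4 or 3DES. The function and variable names are hypothetical, reading `TLS version: 303` as hexadecimal is an assumption, and the last two journal samples are constructed.

```python
import re

# IANA code points of the five suites configured on this page; the journal
# prints the negotiated one in decimal (49199 == 0xC02F).
SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}
LEGACY = {"TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}

# Assumption: the "TLS version" field is hexadecimal, so 303 means 0x0303.
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

CFG_RE = re.compile(r"set service dns proxy cipher (\d+) algorithm ([A-Z0-9_]+)")
LOG_RE = re.compile(
    r"\[(?P<server>[^\]]+)\] TLS version: (?P<ver>[0-9a-f]+)"
    r" - Protocol: (?P<proto>\S+) - Cipher suite: (?P<suite>\d+)"
)

# Taken from Example 6 on this page: cipher lines of Step 1, handshake line of Step 3.
CONFIG_EXAMPLE_6 = """\
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
"""
JOURNAL_EXAMPLE_6 = (
    "May 13 16:28:56.429135 osdx dnscrypt-proxy[177425]: [RD] TLS version: 303"
    " - Protocol: h2 - Cipher suite: 52392\n"
)

# Constructed samples (not from the page): a handshake that settled on 3DES,
# and one that used a suite missing from the configured list.
JOURNAL_LEGACY = "dnscrypt-proxy[1]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 10\n"
JOURNAL_UNLISTED = "dnscrypt-proxy[1]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199\n"


def configured_ciphers(config_text):
    """Return the configured suite names ordered by their cipher index."""
    pairs = sorted((int(idx), name) for idx, name in CFG_RE.findall(config_text))
    return [name for _, name in pairs]


def audit(config_text, journal_text):
    """Classify every DoH handshake line found in the journal.

    status is one of: ok, legacy, not-configured, unknown, no-handshake.
    """
    allowed = configured_ciphers(config_text)
    findings = []
    for m in LOG_RE.finditer(journal_text):
        name = SUITES.get(int(m["suite"]))
        if name is None:
            status = "unknown"          # code point outside the table above
        elif name not in allowed:
            status = "not-configured"   # proxy negotiated something unlisted
        elif name in LEGACY:
            status = "legacy"           # listed, but RC4 or 3DES was selected
        else:
            status = "ok"
        findings.append({
            "server": m["server"],
            "tls": TLS_VERSIONS.get(int(m["ver"], 16), "0x" + m["ver"]),
            "suite": name or m["suite"],
            "status": status,
        })
    if not findings:
        # No handshake line at all: report it instead of passing vacuously.
        findings.append({"server": None, "tls": None, "suite": None,
                         "status": "no-handshake"})
    return findings


if __name__ == "__main__":
    for label, journal in [("example 6", JOURNAL_EXAMPLE_6),
                           ("constructed legacy", JOURNAL_LEGACY),
                           ("constructed unlisted", JOURNAL_UNLISTED),
                           ("empty journal", "")]:
        print(label, audit(CONFIG_EXAMPLE_6, journal))
```
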