Cipher

Test suite that validates the use of one or multiple ciphers to protect the DoH connection.

Single Valid Cipher

Description

Configures a single, valid cipher and tries to communicate with the server. No refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command 'show host lookup teldat.com type A' at DUT0 and check if the output contains the following tokens:

teldat.com has address 19.18.17.16

Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command 'system journal show | cat' at DUT0 and check if the output contains the following tokens:

Cipher suite: 49199

Output:
Nov 12 16:25:42.311883 osdx systemd-journald[1872]: Runtime Journal (/run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99) is 1.8M, max 13.8M, 11.9M free.
Nov 12 16:25:42.313898 osdx systemd-journald[1872]: Received client request to rotate journal, rotating.
Nov 12 16:25:42.313962 osdx systemd-journald[1872]: Vacuuming done, freed 0B of archived journals from /run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99.
Nov 12 16:25:42.322972 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'system journal clear'.
Nov 12 16:25:42.581444 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'system coredump delete all'.
Nov 12 16:25:42.852842 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:25:42.944592 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 12 16:25:43.027490 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 12 16:25:43.143100 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:25:43.201799 osdx ubnt-cfgd[221601]: inactive
Nov 12 16:25:43.221066 osdx INFO[221607]: FRR daemons did not change
Nov 12 16:25:43.245895 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 12 16:25:43.288551 osdx WARNING[221675]: No supported link modes on interface eth0
Nov 12 16:25:43.289846 osdx modulelauncher[221675]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Nov 12 16:25:43.289857 osdx modulelauncher[221675]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Nov 12 16:25:43.290914 osdx modulelauncher[221675]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Nov 12 16:25:43.290922 osdx modulelauncher[221675]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Nov 12 16:25:43.326609 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:25:43.337729 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:25:43.352817 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:25:43.528108 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Nov 12 16:25:43.819595 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:25:43.913188 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 12 16:25:44.004656 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 12 16:25:44.124160 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 12 16:25:44.190918 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 12 16:25:44.314592 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844'.
Nov 12 16:25:44.423977 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Nov 12 16:25:44.516900 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 12 16:25:44.640208 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 12 16:25:44.695332 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 12 16:25:44.846180 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:25:44.918717 osdx ubnt-cfgd[221773]: inactive
Nov 12 16:25:44.989335 osdx INFO[221781]: FRR daemons did not change
Nov 12 16:25:45.004753 osdx ca-certificates[221797]: Updating certificates in /etc/ssl/certs...
Nov 12 16:25:45.683137 osdx ubnt-cfgd[222809]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 12 16:25:45.692960 osdx ca-certificates[222814]: 1 added, 0 removed; done.
Nov 12 16:25:45.700835 osdx ca-certificates[222821]: Running hooks in /etc/ca-certificates/update.d...
Nov 12 16:25:45.705744 osdx ca-certificates[222823]: done.
Nov 12 16:25:45.790464 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 12 16:25:45.792284 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:25:45.795905 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:25:45.816781 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:25:45.830031 osdx dnscrypt-proxy[222827]: dnscrypt-proxy 2.0.45
Nov 12 16:25:45.830193 osdx dnscrypt-proxy[222827]: Network connectivity detected
Nov 12 16:25:45.830500 osdx dnscrypt-proxy[222827]: Dropping privileges
Nov 12 16:25:45.834193 osdx dnscrypt-proxy[222827]: Network connectivity detected
Nov 12 16:25:45.834238 osdx dnscrypt-proxy[222827]: Now listening to 127.0.0.1:53 [UDP]
Nov 12 16:25:45.834243 osdx dnscrypt-proxy[222827]: Now listening to 127.0.0.1:53 [TCP]
Nov 12 16:25:45.834265 osdx dnscrypt-proxy[222827]: Firefox workaround initialized
Nov 12 16:25:45.834271 osdx dnscrypt-proxy[222827]: Loading the set of cloaking rules from [/tmp/tmpq_3ribed]
Nov 12 16:25:46.059071 osdx dnscrypt-proxy[222827]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Nov 12 16:25:46.059094 osdx dnscrypt-proxy[222827]: [RD] OK (DoH) - rtt: 153ms
Nov 12 16:25:46.059124 osdx dnscrypt-proxy[222827]: Server with the lowest initial latency: RD (rtt: 153ms)
Nov 12 16:25:46.059129 osdx dnscrypt-proxy[222827]: dnscrypt-proxy is ready - live servers: 1
Nov 12 16:25:51.010159 osdx OSDxCLI[123608]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Nov 12 16:25:53.089859 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Multiple Valid Cipher

Description

Configures a different valid cipher in each example and tries to communicate with the server. No refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command 'show host lookup teldat.com type A' at DUT0 and check if the output contains the following tokens:

teldat.com has address 19.18.17.16

Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command 'system journal show | cat' at DUT0 and check if the output contains the following tokens:

Cipher suite: 49199

Output:
Nov 12 16:26:00.000218 osdx systemd-timedated[166405]: Changed local time to Wed 2025-11-12 16:26:00 UTC
Nov 12 16:26:00.001382 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'set date 2025-11-12 16:26:00'.
Nov 12 16:26:00.003239 osdx systemd-journald[1872]: Time jumped backwards, rotating.
Nov 12 16:26:00.341360 osdx systemd-journald[1872]: Runtime Journal (/run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99) is 1.8M, max 13.8M, 11.9M free.
Nov 12 16:26:00.343238 osdx systemd-journald[1872]: Received client request to rotate journal, rotating.
Nov 12 16:26:00.343302 osdx systemd-journald[1872]: Vacuuming done, freed 0B of archived journals from /run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99.
Nov 12 16:26:00.353445 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'system journal clear'.
Nov 12 16:26:00.664440 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'system coredump delete all'.
Nov 12 16:26:01.008355 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:26:01.126380 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 12 16:26:01.206487 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 12 16:26:01.331940 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:26:01.408915 osdx ubnt-cfgd[224541]: inactive
Nov 12 16:26:01.444191 osdx INFO[224547]: FRR daemons did not change
Nov 12 16:26:01.475305 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 12 16:26:01.536239 osdx WARNING[224615]: No supported link modes on interface eth0
Nov 12 16:26:01.537789 osdx modulelauncher[224615]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Nov 12 16:26:01.537802 osdx modulelauncher[224615]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Nov 12 16:26:01.539478 osdx modulelauncher[224615]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Nov 12 16:26:01.539502 osdx modulelauncher[224615]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Nov 12 16:26:01.592743 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:26:01.610332 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:26:01.675375 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:26:01.846735 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Nov 12 16:26:02.092416 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:26:02.170916 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 12 16:26:02.281029 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 12 16:26:02.378044 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 12 16:26:02.454433 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 12 16:26:02.570830 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844'.
Nov 12 16:26:02.647246 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Nov 12 16:26:02.731172 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 12 16:26:02.863337 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 12 16:26:02.918924 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 12 16:26:03.030856 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:26:03.114986 osdx ubnt-cfgd[224713]: inactive
Nov 12 16:26:03.138199 osdx INFO[224721]: FRR daemons did not change
Nov 12 16:26:03.151321 osdx ca-certificates[224737]: Updating certificates in /etc/ssl/certs...
Nov 12 16:26:03.698615 osdx ubnt-cfgd[225749]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 12 16:26:03.706706 osdx ca-certificates[225754]: 1 added, 0 removed; done.
Nov 12 16:26:03.710398 osdx ca-certificates[225761]: Running hooks in /etc/ca-certificates/update.d...
Nov 12 16:26:03.714061 osdx ca-certificates[225763]: done.
Nov 12 16:26:03.783681 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 12 16:26:03.785221 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:26:03.787864 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:26:03.804511 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:26:03.805729 osdx dnscrypt-proxy[225767]: dnscrypt-proxy 2.0.45
Nov 12 16:26:03.805793 osdx dnscrypt-proxy[225767]: Network connectivity detected
Nov 12 16:26:03.806002 osdx dnscrypt-proxy[225767]: Dropping privileges
Nov 12 16:26:03.808607 osdx dnscrypt-proxy[225767]: Network connectivity detected
Nov 12 16:26:03.808644 osdx dnscrypt-proxy[225767]: Now listening to 127.0.0.1:53 [UDP]
Nov 12 16:26:03.808650 osdx dnscrypt-proxy[225767]: Now listening to 127.0.0.1:53 [TCP]
Nov 12 16:26:03.808670 osdx dnscrypt-proxy[225767]: Firefox workaround initialized
Nov 12 16:26:03.808676 osdx dnscrypt-proxy[225767]: Loading the set of cloaking rules from [/tmp/tmpeqfwwvio]
Nov 12 16:26:04.049984 osdx dnscrypt-proxy[225767]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Nov 12 16:26:04.050003 osdx dnscrypt-proxy[225767]: [RD] OK (DoH) - rtt: 129ms
Nov 12 16:26:04.050011 osdx dnscrypt-proxy[225767]: Server with the lowest initial latency: RD (rtt: 129ms)
Nov 12 16:26:04.050016 osdx dnscrypt-proxy[225767]: dnscrypt-proxy is ready - live servers: 1
Nov 12 16:26:08.963616 osdx OSDxCLI[123608]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Nov 12 16:26:11.041219 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 2

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command 'show host lookup teldat.com type A' at DUT0 and check if the output contains the following tokens:

teldat.com has address 19.18.17.16

Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command 'system journal show | cat' at DUT0 and check if the output contains the following tokens:

Cipher suite: 49200

Output:
Nov 12 16:26:11.302726 osdx systemd-journald[1872]: Runtime Journal (/run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99) is 1.8M, max 13.8M, 11.9M free.
Nov 12 16:26:11.303235 osdx systemd-journald[1872]: Received client request to rotate journal, rotating.
Nov 12 16:26:11.303301 osdx systemd-journald[1872]: Vacuuming done, freed 0B of archived journals from /run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99.
Nov 12 16:26:11.315552 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'system journal clear'.
Nov 12 16:26:11.597497 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:26:11.654552 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'delete '.
Nov 12 16:26:11.773416 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Nov 12 16:26:11.842303 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:26:11.959404 osdx ubnt-cfgd[225823]: inactive
Nov 12 16:26:11.981110 osdx dnscrypt-proxy[225767]: Stopped.
Nov 12 16:26:11.981201 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Nov 12 16:26:11.982133 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Nov 12 16:26:11.982296 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 12 16:26:12.043380 osdx WARNING[225887]: No supported link modes on interface eth0
Nov 12 16:26:12.044827 osdx modulelauncher[225887]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Nov 12 16:26:12.044841 osdx modulelauncher[225887]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Nov 12 16:26:12.046329 osdx modulelauncher[225887]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Nov 12 16:26:12.046338 osdx modulelauncher[225887]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Nov 12 16:26:12.064643 osdx ca-certificates[225911]: Clearing symlinks in /etc/ssl/certs...
Nov 12 16:26:12.371669 osdx ca-certificates[226489]: done.
Nov 12 16:26:12.375022 osdx ca-certificates[226500]: Updating certificates in /etc/ssl/certs...
Nov 12 16:26:12.875973 osdx ubnt-cfgd[227356]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 12 16:26:12.884211 osdx ca-certificates[227362]: 142 added, 0 removed; done.
Nov 12 16:26:12.887172 osdx ca-certificates[227368]: Running hooks in /etc/ca-certificates/update.d...
Nov 12 16:26:12.890932 osdx ca-certificates[227370]: done.
Nov 12 16:26:12.912785 osdx INFO[227373]: FRR daemons did not change
Nov 12 16:26:12.913124 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:26:12.916244 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:26:12.938195 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:26:14.343439 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:26:14.399937 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 12 16:26:14.494236 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 12 16:26:14.555015 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 12 16:26:14.645305 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 12 16:26:14.701873 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844'.
Nov 12 16:26:14.795421 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Nov 12 16:26:14.845892 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 12 16:26:14.959267 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 12 16:26:15.016122 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 12 16:26:15.141892 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:26:15.202918 osdx ubnt-cfgd[227407]: inactive
Nov 12 16:26:15.225126 osdx INFO[227415]: FRR daemons did not change
Nov 12 16:26:15.243894 osdx ca-certificates[227431]: Updating certificates in /etc/ssl/certs...
Nov 12 16:26:15.754701 osdx ubnt-cfgd[228443]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 12 16:26:15.763569 osdx ca-certificates[228449]: 1 added, 0 removed; done.
Nov 12 16:26:15.767460 osdx ca-certificates[228455]: Running hooks in /etc/ca-certificates/update.d...
Nov 12 16:26:15.770459 osdx ca-certificates[228457]: done.
Nov 12 16:26:15.791243 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 12 16:26:15.836044 osdx WARNING[228523]: No supported link modes on interface eth0
Nov 12 16:26:15.837718 osdx modulelauncher[228523]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Nov 12 16:26:15.837730 osdx modulelauncher[228523]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Nov 12 16:26:15.838923 osdx modulelauncher[228523]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Nov 12 16:26:15.838931 osdx modulelauncher[228523]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Nov 12 16:26:15.943578 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 12 16:26:15.944897 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:26:15.959584 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:26:15.967301 osdx dnscrypt-proxy[228572]: dnscrypt-proxy 2.0.45
Nov 12 16:26:15.967373 osdx dnscrypt-proxy[228572]: Network connectivity detected
Nov 12 16:26:15.967660 osdx dnscrypt-proxy[228572]: Dropping privileges
Nov 12 16:26:15.970197 osdx dnscrypt-proxy[228572]: Network connectivity detected
Nov 12 16:26:15.970234 osdx dnscrypt-proxy[228572]: Now listening to 127.0.0.1:53 [UDP]
Nov 12 16:26:15.970238 osdx dnscrypt-proxy[228572]: Now listening to 127.0.0.1:53 [TCP]
Nov 12 16:26:15.970256 osdx dnscrypt-proxy[228572]: Firefox workaround initialized
Nov 12 16:26:15.970261 osdx dnscrypt-proxy[228572]: Loading the set of cloaking rules from [/tmp/tmpjq1ltqik]
Nov 12 16:26:15.988392 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:26:16.115928 osdx dnscrypt-proxy[228572]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Nov 12 16:26:16.115945 osdx dnscrypt-proxy[228572]: [RD] OK (DoH) - rtt: 94ms
Nov 12 16:26:16.115954 osdx dnscrypt-proxy[228572]: Server with the lowest initial latency: RD (rtt: 94ms)
Nov 12 16:26:16.115960 osdx dnscrypt-proxy[228572]: dnscrypt-proxy is ready - live servers: 1
Nov 12 16:26:16.201011 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 3

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command 'show host lookup teldat.com type A' at DUT0 and check if the output contains the following tokens:

teldat.com has address 19.18.17.16

Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command 'system journal show | cat' at DUT0 and check if the output contains the following tokens:

Cipher suite: 52392

Output:
Nov 12 16:26:16.455455 osdx systemd-journald[1872]: Runtime Journal (/run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99) is 1.9M, max 13.8M, 11.9M free.
Nov 12 16:26:16.459252 osdx systemd-journald[1872]: Received client request to rotate journal, rotating.
Nov 12 16:26:16.459353 osdx systemd-journald[1872]: Vacuuming done, freed 0B of archived journals from /run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99.
Nov 12 16:26:16.468112 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'system journal clear'.
Nov 12 16:26:16.740293 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:26:16.803955 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'delete '.
Nov 12 16:26:16.981361 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Nov 12 16:26:17.045548 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:26:17.164200 osdx ubnt-cfgd[228644]: inactive
Nov 12 16:26:17.185364 osdx dnscrypt-proxy[228572]: Stopped.
Nov 12 16:26:17.185375 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Nov 12 16:26:17.186310 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Nov 12 16:26:17.186408 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 12 16:26:17.239655 osdx WARNING[228708]: No supported link modes on interface eth0
Nov 12 16:26:17.240966 osdx modulelauncher[228708]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Nov 12 16:26:17.240977 osdx modulelauncher[228708]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Nov 12 16:26:17.242066 osdx modulelauncher[228708]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Nov 12 16:26:17.242074 osdx modulelauncher[228708]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Nov 12 16:26:17.258000 osdx ca-certificates[228733]: Clearing symlinks in /etc/ssl/certs...
Nov 12 16:26:17.529086 osdx ca-certificates[229310]: done.
Nov 12 16:26:17.532024 osdx ca-certificates[229319]: Updating certificates in /etc/ssl/certs...
Nov 12 16:26:18.024197 osdx ubnt-cfgd[230177]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 12 16:26:18.034812 osdx ca-certificates[230182]: 142 added, 0 removed; done.
Nov 12 16:26:18.038264 osdx ca-certificates[230189]: Running hooks in /etc/ca-certificates/update.d...
Nov 12 16:26:18.041463 osdx ca-certificates[230191]: done.
Nov 12 16:26:18.059774 osdx INFO[230194]: FRR daemons did not change
Nov 12 16:26:18.060066 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:26:18.062383 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:26:18.094642 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:26:19.565000 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:26:19.630155 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 12 16:26:19.785070 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 12 16:26:19.849992 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 12 16:26:19.942446 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 12 16:26:19.998133 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844'.
Nov 12 16:26:20.131311 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Nov 12 16:26:20.193792 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 12 16:26:20.309127 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 12 16:26:20.364346 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 12 16:26:20.463979 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:26:20.530590 osdx ubnt-cfgd[230228]: inactive
Nov 12 16:26:20.554817 osdx INFO[230236]: FRR daemons did not change
Nov 12 16:26:20.569959 osdx ca-certificates[230252]: Updating certificates in /etc/ssl/certs...
Nov 12 16:26:21.090516 osdx ubnt-cfgd[231264]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 12 16:26:21.098333 osdx ca-certificates[231270]: 1 added, 0 removed; done.
Nov 12 16:26:21.101209 osdx ca-certificates[231276]: Running hooks in /etc/ca-certificates/update.d...
Nov 12 16:26:21.103934 osdx ca-certificates[231278]: done.
Nov 12 16:26:21.127241 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 12 16:26:21.164384 osdx WARNING[231344]: No supported link modes on interface eth0
Nov 12 16:26:21.165679 osdx modulelauncher[231344]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Nov 12 16:26:21.165690 osdx modulelauncher[231344]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Nov 12 16:26:21.166858 osdx modulelauncher[231344]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Nov 12 16:26:21.166867 osdx modulelauncher[231344]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Nov 12 16:26:21.267535 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 12 16:26:21.268728 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:26:21.290835 osdx dnscrypt-proxy[231393]: dnscrypt-proxy 2.0.45
Nov 12 16:26:21.290905 osdx dnscrypt-proxy[231393]: Network connectivity detected
Nov 12 16:26:21.291140 osdx dnscrypt-proxy[231393]: Dropping privileges
Nov 12 16:26:21.293488 osdx dnscrypt-proxy[231393]: Network connectivity detected
Nov 12 16:26:21.293522 osdx dnscrypt-proxy[231393]: Now listening to 127.0.0.1:53 [UDP]
Nov 12 16:26:21.293526 osdx dnscrypt-proxy[231393]: Now listening to 127.0.0.1:53 [TCP]
Nov 12 16:26:21.293540 osdx dnscrypt-proxy[231393]: Firefox workaround initialized
Nov 12 16:26:21.293546 osdx dnscrypt-proxy[231393]: Loading the set of cloaking rules from [/tmp/tmpsyj_dhfn]
Nov 12 16:26:21.312263 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:26:21.329855 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:26:21.459321 osdx dnscrypt-proxy[231393]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Nov 12 16:26:21.459340 osdx dnscrypt-proxy[231393]: [RD] OK (DoH) - rtt: 114ms
Nov 12 16:26:21.459349 osdx dnscrypt-proxy[231393]: Server with the lowest initial latency: RD (rtt: 114ms)
Nov 12 16:26:21.459354 osdx dnscrypt-proxy[231393]: dnscrypt-proxy is ready - live servers: 1
Nov 12 16:26:21.481630 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Single Invalid Cipher

Description

Configures a single, invalid cipher and tries to communicate with the server. A refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Show output
Nov 12 16:26:29.283729 osdx systemd-journald[1872]: Runtime Journal (/run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99) is 1.8M, max 13.8M, 11.9M free.
Nov 12 16:26:29.284565 osdx systemd-journald[1872]: Received client request to rotate journal, rotating.
Nov 12 16:26:29.284615 osdx systemd-journald[1872]: Vacuuming done, freed 0B of archived journals from /run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99.
Nov 12 16:26:29.294545 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'system journal clear'.
Nov 12 16:26:29.503137 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'system coredump delete all'.
Nov 12 16:26:29.778587 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:26:29.861513 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 12 16:26:29.956012 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 12 16:26:30.041870 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:26:30.114104 osdx ubnt-cfgd[233120]: inactive
Nov 12 16:26:30.134641 osdx INFO[233126]: FRR daemons did not change
Nov 12 16:26:30.160578 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 12 16:26:30.209744 osdx WARNING[233194]: No supported link modes on interface eth0
Nov 12 16:26:30.211625 osdx modulelauncher[233194]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Nov 12 16:26:30.211639 osdx modulelauncher[233194]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Nov 12 16:26:30.213117 osdx modulelauncher[233194]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Nov 12 16:26:30.213126 osdx modulelauncher[233194]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Nov 12 16:26:30.258528 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:26:30.272755 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:26:30.291543 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:26:30.488529 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Nov 12 16:26:30.765529 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:26:30.916654 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 12 16:26:30.999942 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 12 16:26:31.075189 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 12 16:26:31.193530 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 12 16:26:31.278091 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844'.
Nov 12 16:26:31.367464 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Nov 12 16:26:31.418316 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 12 16:26:31.529632 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 12 16:26:31.582104 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 12 16:26:31.696226 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:26:31.774370 osdx ubnt-cfgd[233292]: inactive
Nov 12 16:26:31.794131 osdx INFO[233300]: FRR daemons did not change
Nov 12 16:26:31.806329 osdx ca-certificates[233316]: Updating certificates in /etc/ssl/certs...
Nov 12 16:26:32.315976 osdx ubnt-cfgd[234328]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 12 16:26:32.323842 osdx ca-certificates[234334]: 1 added, 0 removed; done.
Nov 12 16:26:32.326816 osdx ca-certificates[234340]: Running hooks in /etc/ca-certificates/update.d...
Nov 12 16:26:32.329924 osdx ca-certificates[234342]: done.
Nov 12 16:26:32.384918 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 12 16:26:32.386286 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:26:32.388375 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:26:32.404371 osdx dnscrypt-proxy[234346]: dnscrypt-proxy 2.0.45
Nov 12 16:26:32.404427 osdx dnscrypt-proxy[234346]: Network connectivity detected
Nov 12 16:26:32.404637 osdx dnscrypt-proxy[234346]: Dropping privileges
Nov 12 16:26:32.406852 osdx dnscrypt-proxy[234346]: Network connectivity detected
Nov 12 16:26:32.406890 osdx dnscrypt-proxy[234346]: Now listening to 127.0.0.1:53 [UDP]
Nov 12 16:26:32.406895 osdx dnscrypt-proxy[234346]: Now listening to 127.0.0.1:53 [TCP]
Nov 12 16:26:32.406915 osdx dnscrypt-proxy[234346]: Firefox workaround initialized
Nov 12 16:26:32.406921 osdx dnscrypt-proxy[234346]: Loading the set of cloaking rules from [/tmp/tmpna66twup]
Nov 12 16:26:32.407728 osdx dnscrypt-proxy[234346]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Nov 12 16:26:32.411689 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.

Multiple Invalid Cipher

Description

Configures either one or two invalid ciphers and tries to communicate with the server. A refusal of all proposed ciphers is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Show output
Nov 12 16:26:39.353618 osdx systemd-journald[1872]: Runtime Journal (/run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99) is 1.8M, max 13.8M, 11.9M free.
Nov 12 16:26:39.356211 osdx systemd-journald[1872]: Received client request to rotate journal, rotating.
Nov 12 16:26:39.356266 osdx systemd-journald[1872]: Vacuuming done, freed 0B of archived journals from /run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99.
Nov 12 16:26:39.364262 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'system journal clear'.
Nov 12 16:26:39.583539 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'system coredump delete all'.
Nov 12 16:26:39.831979 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:26:39.917508 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 12 16:26:39.989408 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 12 16:26:40.087048 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:26:40.159202 osdx ubnt-cfgd[236052]: inactive
Nov 12 16:26:40.176807 osdx INFO[236058]: FRR daemons did not change
Nov 12 16:26:40.204219 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 12 16:26:40.248599 osdx WARNING[236126]: No supported link modes on interface eth0
Nov 12 16:26:40.250396 osdx modulelauncher[236126]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Nov 12 16:26:40.250409 osdx modulelauncher[236126]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Nov 12 16:26:40.251911 osdx modulelauncher[236126]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Nov 12 16:26:40.251925 osdx modulelauncher[236126]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Nov 12 16:26:40.289864 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:26:40.300888 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:26:40.316913 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:26:40.464833 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Nov 12 16:26:40.657241 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:26:40.746783 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 12 16:26:40.871851 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 12 16:26:40.963392 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 12 16:26:41.062220 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 12 16:26:41.157882 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844'.
Nov 12 16:26:41.283128 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Nov 12 16:26:41.369614 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 12 16:26:41.488445 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 12 16:26:41.555780 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 12 16:26:41.694296 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:26:41.784814 osdx ubnt-cfgd[236224]: inactive
Nov 12 16:26:41.808914 osdx INFO[236232]: FRR daemons did not change
Nov 12 16:26:41.822341 osdx ca-certificates[236247]: Updating certificates in /etc/ssl/certs...
Nov 12 16:26:42.382845 osdx ubnt-cfgd[237260]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 12 16:26:42.390796 osdx ca-certificates[237266]: 1 added, 0 removed; done.
Nov 12 16:26:42.393654 osdx ca-certificates[237272]: Running hooks in /etc/ca-certificates/update.d...
Nov 12 16:26:42.396290 osdx ca-certificates[237274]: done.
Nov 12 16:26:42.472598 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 12 16:26:42.473976 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:26:42.476564 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:26:42.491554 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:26:42.494991 osdx dnscrypt-proxy[237278]: dnscrypt-proxy 2.0.45
Nov 12 16:26:42.495057 osdx dnscrypt-proxy[237278]: Network connectivity detected
Nov 12 16:26:42.495308 osdx dnscrypt-proxy[237278]: Dropping privileges
Nov 12 16:26:42.498062 osdx dnscrypt-proxy[237278]: Network connectivity detected
Nov 12 16:26:42.498095 osdx dnscrypt-proxy[237278]: Now listening to 127.0.0.1:53 [UDP]
Nov 12 16:26:42.498100 osdx dnscrypt-proxy[237278]: Now listening to 127.0.0.1:53 [TCP]
Nov 12 16:26:42.498119 osdx dnscrypt-proxy[237278]: Firefox workaround initialized
Nov 12 16:26:42.498125 osdx dnscrypt-proxy[237278]: Loading the set of cloaking rules from [/tmp/tmpdg1jm29w]
Nov 12 16:26:42.499368 osdx dnscrypt-proxy[237278]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file

Example 2

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Show output
Nov 12 16:26:42.765830 osdx systemd-journald[1872]: Runtime Journal (/run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99) is 1.8M, max 13.8M, 11.9M free.
Nov 12 16:26:42.768217 osdx systemd-journald[1872]: Received client request to rotate journal, rotating.
Nov 12 16:26:42.768273 osdx systemd-journald[1872]: Vacuuming done, freed 0B of archived journals from /run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99.
Nov 12 16:26:42.776510 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'system journal clear'.
Nov 12 16:26:43.094991 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:26:43.147473 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'delete '.
Nov 12 16:26:43.260063 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Nov 12 16:26:43.321332 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:26:43.418921 osdx ubnt-cfgd[237328]: inactive
Nov 12 16:26:43.473356 osdx dnscrypt-proxy[237278]: Stopped.
Nov 12 16:26:43.473425 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Nov 12 16:26:43.474354 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Nov 12 16:26:43.474471 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 12 16:26:43.528640 osdx WARNING[237392]: No supported link modes on interface eth0
Nov 12 16:26:43.529983 osdx modulelauncher[237392]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Nov 12 16:26:43.529997 osdx modulelauncher[237392]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Nov 12 16:26:43.531064 osdx modulelauncher[237392]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Nov 12 16:26:43.531071 osdx modulelauncher[237392]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Nov 12 16:26:43.547049 osdx ca-certificates[237417]: Clearing symlinks in /etc/ssl/certs...
Nov 12 16:26:43.826414 osdx ca-certificates[237994]: done.
Nov 12 16:26:43.829247 osdx ca-certificates[238004]: Updating certificates in /etc/ssl/certs...
Nov 12 16:26:44.316502 osdx ubnt-cfgd[238861]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 12 16:26:44.327544 osdx ca-certificates[238866]: 142 added, 0 removed; done.
Nov 12 16:26:44.330509 osdx ca-certificates[238873]: Running hooks in /etc/ca-certificates/update.d...
Nov 12 16:26:44.333731 osdx ca-certificates[238875]: done.
Nov 12 16:26:44.352585 osdx INFO[238878]: FRR daemons did not change
Nov 12 16:26:44.352902 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:26:44.355226 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:26:44.388082 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:26:46.266976 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:26:46.369996 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 12 16:26:46.492672 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 12 16:26:46.647624 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 12 16:26:46.742967 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 12 16:26:46.855074 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844'.
Nov 12 16:26:46.952389 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Nov 12 16:26:47.042161 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 12 16:26:47.183893 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 12 16:26:47.272695 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 12 16:26:47.428831 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:26:47.551363 osdx ubnt-cfgd[238912]: inactive
Nov 12 16:26:47.578066 osdx INFO[238920]: FRR daemons did not change
Nov 12 16:26:47.598158 osdx ca-certificates[238938]: Updating certificates in /etc/ssl/certs...
Nov 12 16:26:48.333736 osdx ubnt-cfgd[239948]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 12 16:26:48.344636 osdx ca-certificates[239954]: 1 added, 0 removed; done.
Nov 12 16:26:48.348523 osdx ca-certificates[239960]: Running hooks in /etc/ca-certificates/update.d...
Nov 12 16:26:48.352264 osdx ca-certificates[239962]: done.
Nov 12 16:26:48.380235 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 12 16:26:48.428320 osdx WARNING[240028]: No supported link modes on interface eth0
Nov 12 16:26:48.429769 osdx modulelauncher[240028]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Nov 12 16:26:48.429782 osdx modulelauncher[240028]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Nov 12 16:26:48.430940 osdx modulelauncher[240028]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Nov 12 16:26:48.430950 osdx modulelauncher[240028]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Nov 12 16:26:48.544937 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 12 16:26:48.549630 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:26:48.575103 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:26:48.585161 osdx dnscrypt-proxy[240077]: dnscrypt-proxy 2.0.45
Nov 12 16:26:48.585496 osdx dnscrypt-proxy[240077]: Network connectivity detected
Nov 12 16:26:48.585727 osdx dnscrypt-proxy[240077]: Dropping privileges
Nov 12 16:26:48.588958 osdx dnscrypt-proxy[240077]: Network connectivity detected
Nov 12 16:26:48.588995 osdx dnscrypt-proxy[240077]: Now listening to 127.0.0.1:53 [UDP]
Nov 12 16:26:48.589000 osdx dnscrypt-proxy[240077]: Now listening to 127.0.0.1:53 [TCP]
Nov 12 16:26:48.589018 osdx dnscrypt-proxy[240077]: Firefox workaround initialized
Nov 12 16:26:48.589023 osdx dnscrypt-proxy[240077]: Loading the set of cloaking rules from [/tmp/tmp5xsq5ob1]
Nov 12 16:26:48.590050 osdx dnscrypt-proxy[240077]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Nov 12 16:26:48.598617 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.

Example 3

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Show output
Nov 12 16:26:48.895320 osdx systemd-journald[1872]: Runtime Journal (/run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99) is 1.8M, max 13.8M, 11.9M free.
Nov 12 16:26:48.896237 osdx systemd-journald[1872]: Received client request to rotate journal, rotating.
Nov 12 16:26:48.896290 osdx systemd-journald[1872]: Vacuuming done, freed 0B of archived journals from /run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99.
Nov 12 16:26:48.905571 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'system journal clear'.
Nov 12 16:26:49.199822 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:26:49.257890 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'delete '.
Nov 12 16:26:49.433490 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Nov 12 16:26:49.517350 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:26:49.605960 osdx ubnt-cfgd[240146]: inactive
Nov 12 16:26:49.628014 osdx dnscrypt-proxy[240077]: Stopped.
Nov 12 16:26:49.628094 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Nov 12 16:26:49.628975 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Nov 12 16:26:49.629081 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 12 16:26:49.692487 osdx WARNING[240210]: No supported link modes on interface eth0
Nov 12 16:26:49.694137 osdx modulelauncher[240210]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Nov 12 16:26:49.694152 osdx modulelauncher[240210]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Nov 12 16:26:49.695539 osdx modulelauncher[240210]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Nov 12 16:26:49.695547 osdx modulelauncher[240210]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Nov 12 16:26:49.713232 osdx ca-certificates[240235]: Clearing symlinks in /etc/ssl/certs...
Nov 12 16:26:50.065749 osdx ca-certificates[240812]: done.
Nov 12 16:26:50.069445 osdx ca-certificates[240820]: Updating certificates in /etc/ssl/certs...
Nov 12 16:26:50.625237 osdx ubnt-cfgd[241679]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 12 16:26:50.633903 osdx ca-certificates[241684]: 142 added, 0 removed; done.
Nov 12 16:26:50.637952 osdx ca-certificates[241691]: Running hooks in /etc/ca-certificates/update.d...
Nov 12 16:26:50.641575 osdx ca-certificates[241693]: done.
Nov 12 16:26:50.657816 osdx INFO[241696]: FRR daemons did not change
Nov 12 16:26:50.658119 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:26:50.676718 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:26:50.718946 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:26:52.264155 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:26:52.336617 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 12 16:26:52.436412 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 12 16:26:52.509626 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 12 16:26:52.646315 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 12 16:26:52.767083 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844'.
Nov 12 16:26:52.866727 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Nov 12 16:26:52.967836 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Nov 12 16:26:53.084164 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 12 16:26:53.211985 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 12 16:26:53.311385 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 12 16:26:53.388753 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:26:53.482580 osdx ubnt-cfgd[241733]: inactive
Nov 12 16:26:53.506510 osdx INFO[241741]: FRR daemons did not change
Nov 12 16:26:53.520910 osdx ca-certificates[241757]: Updating certificates in /etc/ssl/certs...
Nov 12 16:26:54.128414 osdx ubnt-cfgd[242769]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 12 16:26:54.138719 osdx ca-certificates[242774]: 1 added, 0 removed; done.
Nov 12 16:26:54.142138 osdx ca-certificates[242781]: Running hooks in /etc/ca-certificates/update.d...
Nov 12 16:26:54.145536 osdx ca-certificates[242783]: done.
Nov 12 16:26:54.172221 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 12 16:26:54.229490 osdx WARNING[242849]: No supported link modes on interface eth0
Nov 12 16:26:54.230902 osdx modulelauncher[242849]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Nov 12 16:26:54.230916 osdx modulelauncher[242849]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Nov 12 16:26:54.232275 osdx modulelauncher[242849]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Nov 12 16:26:54.232285 osdx modulelauncher[242849]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Nov 12 16:26:54.358767 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 12 16:26:54.360583 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:26:54.375502 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:26:54.381506 osdx dnscrypt-proxy[242898]: dnscrypt-proxy 2.0.45
Nov 12 16:26:54.381579 osdx dnscrypt-proxy[242898]: Network connectivity detected
Nov 12 16:26:54.381811 osdx dnscrypt-proxy[242898]: Dropping privileges
Nov 12 16:26:54.384548 osdx dnscrypt-proxy[242898]: Network connectivity detected
Nov 12 16:26:54.384581 osdx dnscrypt-proxy[242898]: Now listening to 127.0.0.1:53 [UDP]
Nov 12 16:26:54.384584 osdx dnscrypt-proxy[242898]: Now listening to 127.0.0.1:53 [TCP]
Nov 12 16:26:54.384598 osdx dnscrypt-proxy[242898]: Firefox workaround initialized
Nov 12 16:26:54.384603 osdx dnscrypt-proxy[242898]: Loading the set of cloaking rules from [/tmp/tmpobu1mvit]
Nov 12 16:26:54.385486 osdx dnscrypt-proxy[242898]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Nov 12 16:26:54.398621 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
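
The journal checks in these scenarios match raw tokens such as "Cipher suite: 49199". The following is an added example, not part of the OSDx test suite: it parses dnscrypt-proxy journal lines in the format shown above, decodes the decimal suite code to its IANA name, and compares it with the configured cipher list. The function names, verdict strings and sample lines are constructed for illustration, and reading "TLS version: 303" as hexadecimal is an assumption.

```python
import re

# IANA code points for the cipher suites that appear on this page by name or
# by number. dnscrypt-proxy logs the negotiated suite in decimal
# (49199 == 0xC02F, 52392 == 0xCCA8).
SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}
# Assumption: the "TLS version: 303" field is the protocol version in hex.
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

CFG_RE = re.compile(r"^set service dns proxy cipher (\d+) algorithm (\S+)$")
NEGOTIATED_RE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[[^\]]+\] TLS version: (?P<ver>[0-9a-fA-F]+)"
    r" - Protocol: \S+ - Cipher suite: (?P<suite>\d+)")
FAILURE_RE = re.compile(r"dnscrypt-proxy\[\d+\]: TLS handshake failure")


def configured_ciphers(config_text):
    """Return the configured cipher names, ordered by their cipher index."""
    found = []
    for line in config_text.splitlines():
        m = CFG_RE.match(line.strip())
        if m:
            found.append((int(m.group(1)), m.group(2)))
    return [name for _, name in sorted(found)]


def audit(config_text, journal_text):
    """Compare the last TLS event in the journal with the configured ciphers."""
    wanted = configured_ciphers(config_text)
    result = {
        "configured": wanted,
        # RC4 and 3DES suites that are still offered, even if not negotiated.
        "legacy_configured": [c for c in wanted if "_RC4_" in c or "_3DES_" in c],
        "negotiated": None,
        "tls_version": None,
        "verdict": "no_tls_event",
    }
    for line in journal_text.splitlines():
        m = NEGOTIATED_RE.search(line)
        if m:
            code = int(m.group("suite"))
            name = SUITES.get(code, "unknown(0x%04X)" % code)
            result["negotiated"] = name
            result["tls_version"] = TLS_VERSIONS.get(int(m.group("ver"), 16), "unknown")
            # With no cipher configured, any negotiated suite is accepted.
            ok = not wanted or name in wanted
            result["verdict"] = "ok" if ok else "unexpected_suite"
        elif FAILURE_RE.search(line):
            result["negotiated"] = None
            result["tls_version"] = None
            result["verdict"] = "handshake_failure"
    return result


# Constructed samples in the format shown on this page.
CONFIG_FALLBACK = (
    "set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA\n"
    "set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n")
CONFIG_RC4_ONLY = "set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA\n"
CONFIG_AES_ONLY = (
    "set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n")

JOURNAL_AES = (
    "Jan 01 00:00:01.000000 osdx dnscrypt-proxy[1000]: dnscrypt-proxy 2.0.45\n"
    "Jan 01 00:00:01.100000 osdx dnscrypt-proxy[1000]: [RD] TLS version: 303"
    " - Protocol: h2 - Cipher suite: 49199\n"
    "Jan 01 00:00:01.100010 osdx dnscrypt-proxy[1000]: [RD] OK (DoH) - rtt: 100ms\n")
JOURNAL_CHACHA = (
    "Jan 01 00:00:02.100000 osdx dnscrypt-proxy[1001]: [RD] TLS version: 303"
    " - Protocol: h2 - Cipher suite: 52392\n")
JOURNAL_FAIL = (
    "Jan 01 00:00:03.000000 osdx dnscrypt-proxy[1002]: dnscrypt-proxy 2.0.45\n"
    "Jan 01 00:00:03.100000 osdx dnscrypt-proxy[1002]: TLS handshake failure"
    " - Try changing or deleting the tls_cipher_suite value in the"
    " configuration file\n")

if __name__ == "__main__":
    for cfg, log in ((CONFIG_FALLBACK, JOURNAL_AES),
                     (CONFIG_RC4_ONLY, JOURNAL_FAIL),
                     (CONFIG_AES_ONLY, JOURNAL_CHACHA)):
        print(audit(cfg, log))
```

The "unexpected_suite" verdict covers a case the token checks cannot: a handshake that succeeds with a suite outside the configured list.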

Invalid Cipher With Fallback

Description

Configures an invalid cipher followed by a valid fallback cipher, then tries to communicate with the server. No refusal is expected, provided the valid cipher is the one that ends up being used.

Scenario

Example 1

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Output:
Nov 12 16:27:03.325510 osdx systemd-journald[1872]: Runtime Journal (/run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99) is 1.8M, max 13.8M, 11.9M free.
Nov 12 16:27:03.328435 osdx systemd-journald[1872]: Received client request to rotate journal, rotating.
Nov 12 16:27:03.328510 osdx systemd-journald[1872]: Vacuuming done, freed 0B of archived journals from /run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99.
Nov 12 16:27:03.337240 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'system journal clear'.
Nov 12 16:27:03.595350 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'system coredump delete all'.
Nov 12 16:27:03.928126 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:27:04.048631 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 12 16:27:04.136376 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 12 16:27:04.243055 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:27:04.353912 osdx ubnt-cfgd[244623]: inactive
Nov 12 16:27:04.375377 osdx INFO[244629]: FRR daemons did not change
Nov 12 16:27:04.400439 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 12 16:27:04.446097 osdx WARNING[244697]: No supported link modes on interface eth0
Nov 12 16:27:04.447677 osdx modulelauncher[244697]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Nov 12 16:27:04.447694 osdx modulelauncher[244697]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Nov 12 16:27:04.449321 osdx modulelauncher[244697]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Nov 12 16:27:04.449332 osdx modulelauncher[244697]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Nov 12 16:27:04.489695 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:27:04.501672 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:27:04.519672 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:27:04.675909 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Nov 12 16:27:04.852126 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:27:05.493226 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 12 16:27:05.582404 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 12 16:27:05.653922 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 12 16:27:05.747222 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 12 16:27:05.849116 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844'.
Nov 12 16:27:05.916135 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Nov 12 16:27:06.023469 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Nov 12 16:27:06.078558 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 12 16:27:06.191647 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 12 16:27:06.246412 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 12 16:27:06.369526 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:27:06.473247 osdx ubnt-cfgd[244798]: inactive
Nov 12 16:27:06.498720 osdx INFO[244806]: FRR daemons did not change
Nov 12 16:27:06.514356 osdx ca-certificates[244821]: Updating certificates in /etc/ssl/certs...
Nov 12 16:27:07.131569 osdx ubnt-cfgd[245834]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 12 16:27:07.141641 osdx ca-certificates[245839]: 1 added, 0 removed; done.
Nov 12 16:27:07.144693 osdx ca-certificates[245846]: Running hooks in /etc/ca-certificates/update.d...
Nov 12 16:27:07.147605 osdx ca-certificates[245848]: done.
Nov 12 16:27:07.225431 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 12 16:27:07.226989 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:27:07.229538 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:27:07.250733 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:27:07.253577 osdx dnscrypt-proxy[245852]: dnscrypt-proxy 2.0.45
Nov 12 16:27:07.253648 osdx dnscrypt-proxy[245852]: Network connectivity detected
Nov 12 16:27:07.253868 osdx dnscrypt-proxy[245852]: Dropping privileges
Nov 12 16:27:07.257057 osdx dnscrypt-proxy[245852]: Network connectivity detected
Nov 12 16:27:07.257098 osdx dnscrypt-proxy[245852]: Now listening to 127.0.0.1:53 [UDP]
Nov 12 16:27:07.257103 osdx dnscrypt-proxy[245852]: Now listening to 127.0.0.1:53 [TCP]
Nov 12 16:27:07.257123 osdx dnscrypt-proxy[245852]: Firefox workaround initialized
Nov 12 16:27:07.257129 osdx dnscrypt-proxy[245852]: Loading the set of cloaking rules from [/tmp/tmpp5l4o9og]
Nov 12 16:27:07.443934 osdx dnscrypt-proxy[245852]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Nov 12 16:27:07.443956 osdx dnscrypt-proxy[245852]: [RD] OK (DoH) - rtt: 121ms
Nov 12 16:27:07.443979 osdx dnscrypt-proxy[245852]: Server with the lowest initial latency: RD (rtt: 121ms)
Nov 12 16:27:07.443985 osdx dnscrypt-proxy[245852]: dnscrypt-proxy is ready - live servers: 1
Nov 12 16:27:07.475882 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 2

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49200
Output:
Nov 12 16:27:07.722845 osdx systemd-journald[1872]: Runtime Journal (/run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99) is 1.8M, max 13.8M, 11.9M free.
Nov 12 16:27:07.724432 osdx systemd-journald[1872]: Received client request to rotate journal, rotating.
Nov 12 16:27:07.724495 osdx systemd-journald[1872]: Vacuuming done, freed 0B of archived journals from /run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99.
Nov 12 16:27:07.735052 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'system journal clear'.
Nov 12 16:27:08.089554 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:27:08.159291 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'delete '.
Nov 12 16:27:08.288566 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Nov 12 16:27:08.377381 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:27:08.495442 osdx ubnt-cfgd[245906]: inactive
Nov 12 16:27:08.528432 osdx dnscrypt-proxy[245852]: Stopped.
Nov 12 16:27:08.528475 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Nov 12 16:27:08.529738 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Nov 12 16:27:08.529841 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 12 16:27:08.607138 osdx WARNING[245970]: No supported link modes on interface eth0
Nov 12 16:27:08.609511 osdx modulelauncher[245970]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Nov 12 16:27:08.609528 osdx modulelauncher[245970]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Nov 12 16:27:08.611157 osdx modulelauncher[245970]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Nov 12 16:27:08.611172 osdx modulelauncher[245970]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Nov 12 16:27:08.638678 osdx ca-certificates[245995]: Clearing symlinks in /etc/ssl/certs...
Nov 12 16:27:09.019024 osdx ca-certificates[246572]: done.
Nov 12 16:27:09.024172 osdx ca-certificates[246581]: Updating certificates in /etc/ssl/certs...
Nov 12 16:27:09.517895 osdx ubnt-cfgd[247439]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 12 16:27:09.526704 osdx ca-certificates[247444]: 142 added, 0 removed; done.
Nov 12 16:27:09.530083 osdx ca-certificates[247451]: Running hooks in /etc/ca-certificates/update.d...
Nov 12 16:27:09.533214 osdx ca-certificates[247453]: done.
Nov 12 16:27:09.552236 osdx INFO[247456]: FRR daemons did not change
Nov 12 16:27:09.552613 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:27:09.661383 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:27:09.692429 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:27:10.934051 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:27:11.596498 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 12 16:27:11.656056 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 12 16:27:11.771718 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 12 16:27:11.834762 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 12 16:27:11.936163 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844'.
Nov 12 16:27:11.992972 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Nov 12 16:27:12.126811 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Nov 12 16:27:12.217773 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 12 16:27:12.345681 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 12 16:27:12.428659 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 12 16:27:12.567040 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:27:12.632566 osdx ubnt-cfgd[247493]: inactive
Nov 12 16:27:12.669638 osdx INFO[247501]: FRR daemons did not change
Nov 12 16:27:12.684508 osdx ca-certificates[247517]: Updating certificates in /etc/ssl/certs...
Nov 12 16:27:13.395118 osdx ubnt-cfgd[248529]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 12 16:27:13.406957 osdx ca-certificates[248535]: 1 added, 0 removed; done.
Nov 12 16:27:13.411850 osdx ca-certificates[248541]: Running hooks in /etc/ca-certificates/update.d...
Nov 12 16:27:13.423725 osdx ca-certificates[248543]: done.
Nov 12 16:27:13.460467 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 12 16:27:13.526473 osdx WARNING[248609]: No supported link modes on interface eth0
Nov 12 16:27:13.528761 osdx modulelauncher[248609]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Nov 12 16:27:13.528776 osdx modulelauncher[248609]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Nov 12 16:27:13.530340 osdx modulelauncher[248609]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Nov 12 16:27:13.530352 osdx modulelauncher[248609]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Nov 12 16:27:13.645873 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 12 16:27:13.648183 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:27:13.668489 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:27:13.681021 osdx dnscrypt-proxy[248658]: dnscrypt-proxy 2.0.45
Nov 12 16:27:13.681439 osdx dnscrypt-proxy[248658]: Network connectivity detected
Nov 12 16:27:13.681717 osdx dnscrypt-proxy[248658]: Dropping privileges
Nov 12 16:27:13.686531 osdx dnscrypt-proxy[248658]: Network connectivity detected
Nov 12 16:27:13.686570 osdx dnscrypt-proxy[248658]: Now listening to 127.0.0.1:53 [UDP]
Nov 12 16:27:13.686576 osdx dnscrypt-proxy[248658]: Now listening to 127.0.0.1:53 [TCP]
Nov 12 16:27:13.686597 osdx dnscrypt-proxy[248658]: Firefox workaround initialized
Nov 12 16:27:13.686603 osdx dnscrypt-proxy[248658]: Loading the set of cloaking rules from [/tmp/tmptrhtghg_]
Nov 12 16:27:13.702294 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:27:13.870596 osdx dnscrypt-proxy[248658]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Nov 12 16:27:13.870619 osdx dnscrypt-proxy[248658]: [RD] OK (DoH) - rtt: 108ms
Nov 12 16:27:13.870629 osdx dnscrypt-proxy[248658]: Server with the lowest initial latency: RD (rtt: 108ms)
Nov 12 16:27:13.870638 osdx dnscrypt-proxy[248658]: dnscrypt-proxy is ready - live servers: 1
Nov 12 16:27:13.901392 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 3

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 52392
Output:
Nov 12 16:27:14.183122 osdx systemd-journald[1872]: Runtime Journal (/run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99) is 1.8M, max 13.8M, 11.9M free.
Nov 12 16:27:14.184430 osdx systemd-journald[1872]: Received client request to rotate journal, rotating.
Nov 12 16:27:14.184478 osdx systemd-journald[1872]: Vacuuming done, freed 0B of archived journals from /run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99.
Nov 12 16:27:14.200454 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'system journal clear'.
Nov 12 16:27:14.544834 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:27:14.623575 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'delete '.
Nov 12 16:27:14.815567 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Nov 12 16:27:14.902292 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:27:14.960030 osdx ubnt-cfgd[248730]: inactive
Nov 12 16:27:14.985400 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Nov 12 16:27:14.985729 osdx dnscrypt-proxy[248658]: Stopped.
Nov 12 16:27:14.986910 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Nov 12 16:27:14.987078 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 12 16:27:15.045966 osdx WARNING[248794]: No supported link modes on interface eth0
Nov 12 16:27:15.047702 osdx modulelauncher[248794]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Nov 12 16:27:15.047722 osdx modulelauncher[248794]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Nov 12 16:27:15.049315 osdx modulelauncher[248794]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Nov 12 16:27:15.049325 osdx modulelauncher[248794]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Nov 12 16:27:15.067046 osdx ca-certificates[248819]: Clearing symlinks in /etc/ssl/certs...
Nov 12 16:27:15.362372 osdx ca-certificates[249396]: done.
Nov 12 16:27:15.365737 osdx ca-certificates[249405]: Updating certificates in /etc/ssl/certs...
Nov 12 16:27:15.843818 osdx ubnt-cfgd[250263]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 12 16:27:15.852451 osdx ca-certificates[250269]: 142 added, 0 removed; done.
Nov 12 16:27:15.855363 osdx ca-certificates[250275]: Running hooks in /etc/ca-certificates/update.d...
Nov 12 16:27:15.858201 osdx ca-certificates[250277]: done.
Nov 12 16:27:15.873017 osdx INFO[250280]: FRR daemons did not change
Nov 12 16:27:15.873352 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:27:15.919434 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:27:15.948472 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:27:17.419402 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:27:18.080796 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 12 16:27:18.147030 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 12 16:27:18.253848 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 12 16:27:18.319574 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 12 16:27:18.468802 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844'.
Nov 12 16:27:18.536849 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Nov 12 16:27:18.638807 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Nov 12 16:27:18.762203 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 12 16:27:18.891705 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 12 16:27:18.960299 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 12 16:27:19.075514 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:27:19.154308 osdx ubnt-cfgd[250317]: inactive
Nov 12 16:27:19.176781 osdx INFO[250325]: FRR daemons did not change
Nov 12 16:27:19.191784 osdx ca-certificates[250341]: Updating certificates in /etc/ssl/certs...
Nov 12 16:27:19.784348 osdx ubnt-cfgd[251354]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 12 16:27:19.794431 osdx ca-certificates[251359]: 1 added, 0 removed; done.
Nov 12 16:27:19.797771 osdx ca-certificates[251366]: Running hooks in /etc/ca-certificates/update.d...
Nov 12 16:27:19.801650 osdx ca-certificates[251368]: done.
Nov 12 16:27:19.824436 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 12 16:27:19.870201 osdx WARNING[251434]: No supported link modes on interface eth0
Nov 12 16:27:19.871677 osdx modulelauncher[251434]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Nov 12 16:27:19.871693 osdx modulelauncher[251434]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Nov 12 16:27:19.873213 osdx modulelauncher[251434]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Nov 12 16:27:19.873226 osdx modulelauncher[251434]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Nov 12 16:27:19.996824 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 12 16:27:19.998093 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:27:20.010191 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:27:20.014839 osdx dnscrypt-proxy[251483]: dnscrypt-proxy 2.0.45
Nov 12 16:27:20.014904 osdx dnscrypt-proxy[251483]: Network connectivity detected
Nov 12 16:27:20.015112 osdx dnscrypt-proxy[251483]: Dropping privileges
Nov 12 16:27:20.017484 osdx dnscrypt-proxy[251483]: Network connectivity detected
Nov 12 16:27:20.017519 osdx dnscrypt-proxy[251483]: Now listening to 127.0.0.1:53 [UDP]
Nov 12 16:27:20.017524 osdx dnscrypt-proxy[251483]: Now listening to 127.0.0.1:53 [TCP]
Nov 12 16:27:20.017544 osdx dnscrypt-proxy[251483]: Firefox workaround initialized
Nov 12 16:27:20.017553 osdx dnscrypt-proxy[251483]: Loading the set of cloaking rules from [/tmp/tmpdlwi2tlj]
Nov 12 16:27:20.026230 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:27:20.185275 osdx dnscrypt-proxy[251483]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Nov 12 16:27:20.185299 osdx dnscrypt-proxy[251483]: [RD] OK (DoH) - rtt: 104ms
Nov 12 16:27:20.185308 osdx dnscrypt-proxy[251483]: Server with the lowest initial latency: RD (rtt: 104ms)
Nov 12 16:27:20.185314 osdx dnscrypt-proxy[251483]: dnscrypt-proxy is ready - live servers: 1
Nov 12 16:27:20.227443 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 4

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Output:
Nov 12 16:27:20.434326 osdx systemd-journald[1872]: Runtime Journal (/run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99) is 1.8M, max 13.8M, 11.9M free.
Nov 12 16:27:20.436439 osdx systemd-journald[1872]: Received client request to rotate journal, rotating.
Nov 12 16:27:20.436526 osdx systemd-journald[1872]: Vacuuming done, freed 0B of archived journals from /run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99.
Nov 12 16:27:20.445905 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'system journal clear'.
Nov 12 16:27:20.732433 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:27:20.801210 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'delete '.
Nov 12 16:27:20.918554 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Nov 12 16:27:20.989070 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:27:21.066858 osdx ubnt-cfgd[251554]: inactive
Nov 12 16:27:21.091749 osdx dnscrypt-proxy[251483]: Stopped.
Nov 12 16:27:21.091786 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Nov 12 16:27:21.092705 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Nov 12 16:27:21.092800 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 12 16:27:21.148521 osdx WARNING[251618]: No supported link modes on interface eth0
Nov 12 16:27:21.149937 osdx modulelauncher[251618]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Nov 12 16:27:21.149949 osdx modulelauncher[251618]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Nov 12 16:27:21.151147 osdx modulelauncher[251618]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Nov 12 16:27:21.151156 osdx modulelauncher[251618]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Nov 12 16:27:21.172019 osdx ca-certificates[251643]: Clearing symlinks in /etc/ssl/certs...
Nov 12 16:27:21.466599 osdx ca-certificates[252221]: done.
Nov 12 16:27:21.469401 osdx ca-certificates[252229]: Updating certificates in /etc/ssl/certs...
Nov 12 16:27:21.940408 osdx ubnt-cfgd[253087]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 12 16:27:21.949960 osdx ca-certificates[253092]: 142 added, 0 removed; done.
Nov 12 16:27:21.953338 osdx ca-certificates[253099]: Running hooks in /etc/ca-certificates/update.d...
Nov 12 16:27:21.956637 osdx ca-certificates[253101]: done.
Nov 12 16:27:21.975466 osdx INFO[253104]: FRR daemons did not change
Nov 12 16:27:21.975832 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:27:21.978323 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:27:21.997178 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:27:23.446420 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:27:24.171473 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 12 16:27:24.230821 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 12 16:27:24.357069 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 12 16:27:24.415880 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 12 16:27:24.506077 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844'.
Nov 12 16:27:24.592480 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Nov 12 16:27:24.682477 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Nov 12 16:27:24.795583 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 12 16:27:24.947004 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 12 16:27:25.008383 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 12 16:27:25.142715 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:27:25.210323 osdx ubnt-cfgd[253141]: inactive
Nov 12 16:27:25.239310 osdx INFO[253149]: FRR daemons did not change
Nov 12 16:27:25.258441 osdx ca-certificates[253164]: Updating certificates in /etc/ssl/certs...
Nov 12 16:27:25.883827 osdx ubnt-cfgd[254177]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 12 16:27:25.894213 osdx ca-certificates[254182]: 1 added, 0 removed; done.
Nov 12 16:27:25.898056 osdx ca-certificates[254189]: Running hooks in /etc/ca-certificates/update.d...
Nov 12 16:27:25.901171 osdx ca-certificates[254191]: done.
Nov 12 16:27:25.924453 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 12 16:27:25.967557 osdx WARNING[254257]: No supported link modes on interface eth0
Nov 12 16:27:25.968920 osdx modulelauncher[254257]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Nov 12 16:27:25.968931 osdx modulelauncher[254257]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Nov 12 16:27:25.970116 osdx modulelauncher[254257]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Nov 12 16:27:25.970124 osdx modulelauncher[254257]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Nov 12 16:27:26.072872 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 12 16:27:26.074204 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:27:26.086823 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:27:26.092839 osdx dnscrypt-proxy[254306]: dnscrypt-proxy 2.0.45
Nov 12 16:27:26.092898 osdx dnscrypt-proxy[254306]: Network connectivity detected
Nov 12 16:27:26.093097 osdx dnscrypt-proxy[254306]: Dropping privileges
Nov 12 16:27:26.095564 osdx dnscrypt-proxy[254306]: Network connectivity detected
Nov 12 16:27:26.095606 osdx dnscrypt-proxy[254306]: Now listening to 127.0.0.1:53 [UDP]
Nov 12 16:27:26.095611 osdx dnscrypt-proxy[254306]: Now listening to 127.0.0.1:53 [TCP]
Nov 12 16:27:26.095629 osdx dnscrypt-proxy[254306]: Firefox workaround initialized
Nov 12 16:27:26.095634 osdx dnscrypt-proxy[254306]: Loading the set of cloaking rules from [/tmp/tmpn2ok7m1j]
Nov 12 16:27:26.107315 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:27:26.268086 osdx dnscrypt-proxy[254306]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Nov 12 16:27:26.268107 osdx dnscrypt-proxy[254306]: [RD] OK (DoH) - rtt: 110ms
Nov 12 16:27:26.268116 osdx dnscrypt-proxy[254306]: Server with the lowest initial latency: RD (rtt: 110ms)
Nov 12 16:27:26.268121 osdx dnscrypt-proxy[254306]: dnscrypt-proxy is ready - live servers: 1
Nov 12 16:27:31.253713 osdx OSDxCLI[123608]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Nov 12 16:27:33.030382 osdx systemd[1]: systemd-timedated.service: Deactivated successfully.
Nov 12 16:27:33.349651 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 5

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49200
Output:
Nov 12 16:27:33.635185 osdx systemd-journald[1872]: Runtime Journal (/run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99) is 1.8M, max 13.8M, 11.9M free.
Nov 12 16:27:33.636433 osdx systemd-journald[1872]: Received client request to rotate journal, rotating.
Nov 12 16:27:33.636513 osdx systemd-journald[1872]: Vacuuming done, freed 0B of archived journals from /run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99.
Nov 12 16:27:33.652364 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'system journal clear'.
Nov 12 16:27:34.086978 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:27:34.213073 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'delete '.
Nov 12 16:27:34.390566 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Nov 12 16:27:34.462506 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:27:34.583668 osdx ubnt-cfgd[254384]: inactive
Nov 12 16:27:34.606835 osdx dnscrypt-proxy[254306]: Stopped.
Nov 12 16:27:34.606864 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Nov 12 16:27:34.608040 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Nov 12 16:27:34.608159 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 12 16:27:34.666700 osdx WARNING[254448]: No supported link modes on interface eth0
Nov 12 16:27:34.668452 osdx modulelauncher[254448]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Nov 12 16:27:34.668469 osdx modulelauncher[254448]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Nov 12 16:27:34.669871 osdx modulelauncher[254448]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Nov 12 16:27:34.669880 osdx modulelauncher[254448]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Nov 12 16:27:34.688816 osdx ca-certificates[254472]: Clearing symlinks in /etc/ssl/certs...
Nov 12 16:27:35.002713 osdx ca-certificates[255051]: done.
Nov 12 16:27:35.006979 osdx ca-certificates[255060]: Updating certificates in /etc/ssl/certs...
Nov 12 16:27:35.505758 osdx ubnt-cfgd[255917]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 12 16:27:35.514127 osdx ca-certificates[255922]: 142 added, 0 removed; done.
Nov 12 16:27:35.517028 osdx ca-certificates[255929]: Running hooks in /etc/ca-certificates/update.d...
Nov 12 16:27:35.519757 osdx ca-certificates[255931]: done.
Nov 12 16:27:35.537664 osdx INFO[255934]: FRR daemons did not change
Nov 12 16:27:35.537950 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:27:35.539891 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:27:35.557072 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:27:37.011173 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:27:37.770800 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 12 16:27:37.874729 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 12 16:27:38.020063 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 12 16:27:38.090749 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 12 16:27:38.207660 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844'.
Nov 12 16:27:38.279254 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Nov 12 16:27:38.409261 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Nov 12 16:27:38.471700 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 12 16:27:38.595078 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 12 16:27:38.660853 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 12 16:27:38.823770 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:27:38.944752 osdx ubnt-cfgd[255971]: inactive
Nov 12 16:27:38.972406 osdx INFO[255979]: FRR daemons did not change
Nov 12 16:27:38.988518 osdx ca-certificates[255995]: Updating certificates in /etc/ssl/certs...
Nov 12 16:27:39.647874 osdx ubnt-cfgd[257007]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 12 16:27:39.657044 osdx ca-certificates[257013]: 1 added, 0 removed; done.
Nov 12 16:27:39.660926 osdx ca-certificates[257019]: Running hooks in /etc/ca-certificates/update.d...
Nov 12 16:27:39.664705 osdx ca-certificates[257021]: done.
Nov 12 16:27:39.688440 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 12 16:27:39.740126 osdx WARNING[257087]: No supported link modes on interface eth0
Nov 12 16:27:39.742165 osdx modulelauncher[257087]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Nov 12 16:27:39.742180 osdx modulelauncher[257087]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Nov 12 16:27:39.744713 osdx modulelauncher[257087]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Nov 12 16:27:39.744727 osdx modulelauncher[257087]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Nov 12 16:27:39.849324 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 12 16:27:39.851441 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:27:39.865979 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:27:39.883050 osdx dnscrypt-proxy[257136]: dnscrypt-proxy 2.0.45
Nov 12 16:27:39.883124 osdx dnscrypt-proxy[257136]: Network connectivity detected
Nov 12 16:27:39.883510 osdx dnscrypt-proxy[257136]: Dropping privileges
Nov 12 16:27:39.886720 osdx dnscrypt-proxy[257136]: Network connectivity detected
Nov 12 16:27:39.886761 osdx dnscrypt-proxy[257136]: Now listening to 127.0.0.1:53 [UDP]
Nov 12 16:27:39.886766 osdx dnscrypt-proxy[257136]: Now listening to 127.0.0.1:53 [TCP]
Nov 12 16:27:39.886785 osdx dnscrypt-proxy[257136]: Firefox workaround initialized
Nov 12 16:27:39.886791 osdx dnscrypt-proxy[257136]: Loading the set of cloaking rules from [/tmp/tmpxll8y3p7]
Nov 12 16:27:39.907358 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:27:40.056087 osdx dnscrypt-proxy[257136]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Nov 12 16:27:40.056101 osdx dnscrypt-proxy[257136]: [RD] OK (DoH) - rtt: 102ms
Nov 12 16:27:40.056109 osdx dnscrypt-proxy[257136]: Server with the lowest initial latency: RD (rtt: 102ms)
Nov 12 16:27:40.056113 osdx dnscrypt-proxy[257136]: dnscrypt-proxy is ready - live servers: 1
Nov 12 16:27:40.251321 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 6

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 52392
Output:
Nov 12 16:27:40.476781 osdx systemd-journald[1872]: Runtime Journal (/run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99) is 1.8M, max 13.8M, 11.9M free.
Nov 12 16:27:40.480439 osdx systemd-journald[1872]: Received client request to rotate journal, rotating.
Nov 12 16:27:40.480516 osdx systemd-journald[1872]: Vacuuming done, freed 0B of archived journals from /run/log/journal/04bdf7f70d714c0fb0ef3d9377529e99.
Nov 12 16:27:40.490654 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'system journal clear'.
Nov 12 16:27:40.777451 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:27:40.831823 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'delete '.
Nov 12 16:27:40.995994 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Nov 12 16:27:41.065289 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:27:41.168565 osdx ubnt-cfgd[257209]: inactive
Nov 12 16:27:41.191971 osdx dnscrypt-proxy[257136]: Stopped.
Nov 12 16:27:41.192028 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Nov 12 16:27:41.193090 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Nov 12 16:27:41.193197 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 12 16:27:41.252429 osdx WARNING[257273]: No supported link modes on interface eth0
Nov 12 16:27:41.254122 osdx modulelauncher[257273]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Nov 12 16:27:41.254134 osdx modulelauncher[257273]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Nov 12 16:27:41.255558 osdx modulelauncher[257273]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Nov 12 16:27:41.255566 osdx modulelauncher[257273]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Nov 12 16:27:41.272833 osdx ca-certificates[257298]: Clearing symlinks in /etc/ssl/certs...
Nov 12 16:27:41.581478 osdx ca-certificates[257875]: done.
Nov 12 16:27:41.584973 osdx ca-certificates[257883]: Updating certificates in /etc/ssl/certs...
Nov 12 16:27:42.107451 osdx ubnt-cfgd[258742]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 12 16:27:42.116311 osdx ca-certificates[258747]: 142 added, 0 removed; done.
Nov 12 16:27:42.120472 osdx ca-certificates[258754]: Running hooks in /etc/ca-certificates/update.d...
Nov 12 16:27:42.124156 osdx ca-certificates[258756]: done.
Nov 12 16:27:42.143413 osdx INFO[258759]: FRR daemons did not change
Nov 12 16:27:42.143707 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:27:42.190530 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:27:42.207022 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:27:43.769573 osdx OSDxCLI[123608]: User 'admin' entered the configuration menu.
Nov 12 16:27:44.510943 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 12 16:27:44.590218 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 12 16:27:44.733097 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 12 16:27:44.836477 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 12 16:27:44.916736 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 99b11ac235cc5a678a924b00c9715f9d99120fb82ed6b147374fd0a314e61844'.
Nov 12 16:27:45.056226 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Nov 12 16:27:45.163141 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Nov 12 16:27:45.278672 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 12 16:27:45.406997 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Nov 12 16:27:45.502340 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 12 16:27:45.611212 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'show working'.
Nov 12 16:27:45.708826 osdx ubnt-cfgd[258796]: inactive
Nov 12 16:27:45.739191 osdx INFO[258804]: FRR daemons did not change
Nov 12 16:27:45.757571 osdx ca-certificates[258819]: Updating certificates in /etc/ssl/certs...
Nov 12 16:27:46.596363 osdx ubnt-cfgd[259832]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Nov 12 16:27:46.607986 osdx ca-certificates[259838]: 1 added, 0 removed; done.
Nov 12 16:27:46.611703 osdx ca-certificates[259844]: Running hooks in /etc/ca-certificates/update.d...
Nov 12 16:27:46.615785 osdx ca-certificates[259846]: done.
Nov 12 16:27:46.652497 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 12 16:27:46.741234 osdx WARNING[259912]: No supported link modes on interface eth0
Nov 12 16:27:46.743539 osdx modulelauncher[259912]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Nov 12 16:27:46.743558 osdx modulelauncher[259912]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Nov 12 16:27:46.745382 osdx modulelauncher[259912]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Nov 12 16:27:46.745395 osdx modulelauncher[259912]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Nov 12 16:27:46.888876 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Nov 12 16:27:46.890207 osdx cfgd[1666]: [123608]Completed change to active configuration
Nov 12 16:27:46.905010 osdx OSDxCLI[123608]: User 'admin' committed the configuration.
Nov 12 16:27:46.911602 osdx dnscrypt-proxy[259961]: dnscrypt-proxy 2.0.45
Nov 12 16:27:46.911675 osdx dnscrypt-proxy[259961]: Network connectivity detected
Nov 12 16:27:46.911901 osdx dnscrypt-proxy[259961]: Dropping privileges
Nov 12 16:27:46.919316 osdx dnscrypt-proxy[259961]: Network connectivity detected
Nov 12 16:27:46.919357 osdx dnscrypt-proxy[259961]: Now listening to 127.0.0.1:53 [UDP]
Nov 12 16:27:46.919362 osdx dnscrypt-proxy[259961]: Now listening to 127.0.0.1:53 [TCP]
Nov 12 16:27:46.919396 osdx dnscrypt-proxy[259961]: Firefox workaround initialized
Nov 12 16:27:46.919401 osdx dnscrypt-proxy[259961]: Loading the set of cloaking rules from [/tmp/tmpiai8r0nu]
Nov 12 16:27:46.962181 osdx OSDxCLI[123608]: User 'admin' left the configuration menu.
Nov 12 16:27:47.190693 osdx dnscrypt-proxy[259961]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Nov 12 16:27:47.190721 osdx dnscrypt-proxy[259961]: [RD] OK (DoH) - rtt: 116ms
Nov 12 16:27:47.190730 osdx dnscrypt-proxy[259961]: Server with the lowest initial latency: RD (rtt: 116ms)
Nov 12 16:27:47.190735 osdx dnscrypt-proxy[259961]: dnscrypt-proxy is ready - live servers: 1
Nov 12 16:27:52.171659 osdx OSDxCLI[123608]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Nov 12 16:27:54.286981 osdx OSDxCLI[123608]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
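
The Step 3 checks above match a decimal cipher suite ID (49199, 49200, 52392) rather than the algorithm name set in Step 1. The following added example, which is not part of the original test suite, decodes those IDs to their IANA names and checks each negotiated suite against the cipher list configured in the same journal. The function name audit_journal and the sample lines are assumptions made for illustration.

```python
import re

# IANA TLS cipher suite code points for the algorithms named on this page.
IANA_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}
# The journal shows the TLS version in hex without a prefix (303 = 0x0303).
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

CFG_LINE = re.compile(r"added a new cfg line: '(.*)'\.\s*$")
CIPHER_CFG = re.compile(r"^set service dns proxy cipher (\d+) algorithm (\w+)$")
NEGOTIATED = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[(?P<server>[^\]]+)\] TLS version: (?P<ver>[0-9a-fA-F]+)"
    r" - Protocol: (?P<proto>\S+) - Cipher suite: (?P<suite>\d+)"
)


def audit_journal(journal):
    """Return one finding per negotiated DoH session found in the journal text."""
    configured = {}  # cipher index -> algorithm name, as entered in the CLI
    findings = []
    for line in journal.splitlines():
        cfg = CFG_LINE.search(line)
        if cfg:
            cmd = cfg.group(1).strip()
            if cmd == "delete":  # the test wipes the configuration before each run
                configured.clear()
            m = CIPHER_CFG.match(cmd)
            if m:
                configured[int(m.group(1))] = m.group(2)
            continue
        neg = NEGOTIATED.search(line)
        if not neg:
            continue
        code = int(neg.group("suite"))  # logged in decimal
        name = IANA_SUITES.get(code, "UNKNOWN")
        allowed = [configured[k] for k in sorted(configured)]
        findings.append({
            "server": neg.group("server"),
            "tls": TLS_VERSIONS.get(int(neg.group("ver"), 16), "unknown"),
            "code": f"0x{code:04X}",
            "suite": name,
            "in_configured_list": name in allowed,
            "configured_not_used": [a for a in allowed if a != name],
        })
    return findings


# Constructed sample in the journal format shown above. The last line is a
# made-up session whose suite is not in the configured list (the failure case).
SAMPLE = """\
Nov 12 16:27:34.213073 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'delete '.
Nov 12 16:27:38.279254 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Nov 12 16:27:38.409261 osdx OSDxCLI[123608]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Nov 12 16:27:40.056087 osdx dnscrypt-proxy[257136]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Nov 12 16:27:41.000000 osdx dnscrypt-proxy[257136]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
"""

if __name__ == "__main__":
    for finding in audit_journal(SAMPLE):
        print(finding)
```

A finding with in_configured_list set to False means the proxy negotiated a suite outside the configured cipher list, which the scenarios above never expect.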