Cipher
Test suite that validates the use of one or multiple ciphers to protect the DoH connection.
Single Valid Cipher
Description
Configures a single, valid cipher and tries to communicate with the server. No refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 61e33b590507053cca7bb79fc3cc0fec356bca904a3aa16313af16399684db2e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Multiple Valid Cipher
Description
Configures a valid cipher each time, and tries to communicate with the server. No refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 61e33b590507053cca7bb79fc3cc0fec356bca904a3aa16313af16399684db2e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Example 2
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 61e33b590507053cca7bb79fc3cc0fec356bca904a3aa16313af16399684db2e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
Example 3
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 61e33b590507053cca7bb79fc3cc0fec356bca904a3aa16313af16399684db2e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Single Invalid Cipher
Description
Configures a single, invalid cipher and tries to communicate with the server. A refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 61e33b590507053cca7bb79fc3cc0fec356bca904a3aa16313af16399684db2e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
Feb 19 10:24:29.332495 osdx systemd-journald[2186]: Runtime Journal (/run/log/journal/69bd8e6fd19244c08e519827aa7e309f) is 2.2M, max 17.2M, 14.9M free. Feb 19 10:24:29.334984 osdx systemd-journald[2186]: Received client request to rotate journal, rotating. Feb 19 10:24:29.335052 osdx systemd-journald[2186]: Vacuuming done, freed 0B of archived journals from /run/log/journal/69bd8e6fd19244c08e519827aa7e309f. Feb 19 10:24:29.343624 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'system journal clear'. Feb 19 10:24:29.560324 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'system coredump delete all'. Feb 19 10:24:29.777496 osdx OSDxCLI[273452]: User 'admin' entered the configuration menu. Feb 19 10:24:29.857809 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Feb 19 10:24:29.963364 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Feb 19 10:24:30.068699 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'show working'. Feb 19 10:24:30.185102 osdx ubnt-cfgd[312677]: inactive Feb 19 10:24:30.222337 osdx INFO[312683]: FRR daemons did not change Feb 19 10:24:30.258962 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Feb 19 10:24:30.312691 osdx WARNING[312752]: No supported link modes on interface eth0 Feb 19 10:24:30.314385 osdx modulelauncher[312752]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on Feb 19 10:24:30.314397 osdx modulelauncher[312752]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76. Feb 19 10:24:30.315839 osdx modulelauncher[312752]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off -- Feb 19 10:24:30.315849 osdx modulelauncher[312752]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75. 
Feb 19 10:24:30.351466 osdx cfgd[1859]: [273452]Completed change to active configuration Feb 19 10:24:30.362922 osdx OSDxCLI[273452]: User 'admin' committed the configuration. Feb 19 10:24:30.379279 osdx OSDxCLI[273452]: User 'admin' left the configuration menu. Feb 19 10:24:30.523860 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. Feb 19 10:24:30.625880 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'system journal show | cat'. Feb 19 10:24:30.755671 osdx OSDxCLI[273452]: User 'admin' entered the configuration menu. Feb 19 10:24:30.830211 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. Feb 19 10:24:30.933586 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Feb 19 10:24:30.997084 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Feb 19 10:24:31.149176 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. Feb 19 10:24:31.243817 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 61e33b590507053cca7bb79fc3cc0fec356bca904a3aa16313af16399684db2e'. Feb 19 10:24:31.356231 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. Feb 19 10:24:31.410634 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Feb 19 10:24:31.549480 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Feb 19 10:24:31.603541 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. 
Feb 19 10:24:31.716448 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'show working'. Feb 19 10:24:31.783747 osdx ubnt-cfgd[312856]: inactive Feb 19 10:24:31.810100 osdx INFO[312864]: FRR daemons did not change Feb 19 10:24:31.823908 osdx ca-certificates[312880]: Updating certificates in /etc/ssl/certs... Feb 19 10:24:32.589348 osdx ubnt-cfgd[313892]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL Feb 19 10:24:32.625903 osdx ca-certificates[313902]: 1 added, 0 removed; done. Feb 19 10:24:32.630888 osdx ca-certificates[313904]: Running hooks in /etc/ca-certificates/update.d... Feb 19 10:24:32.640181 osdx ca-certificates[313906]: done. Feb 19 10:24:32.715547 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. Feb 19 10:24:32.717481 osdx cfgd[1859]: [273452]Completed change to active configuration Feb 19 10:24:32.721174 osdx OSDxCLI[273452]: User 'admin' committed the configuration. Feb 19 10:24:32.747958 osdx dnscrypt-proxy[313910]: dnscrypt-proxy 2.0.45 Feb 19 10:24:32.748379 osdx dnscrypt-proxy[313910]: Network connectivity detected Feb 19 10:24:32.748652 osdx dnscrypt-proxy[313910]: Dropping privileges Feb 19 10:24:32.752416 osdx dnscrypt-proxy[313910]: Network connectivity detected Feb 19 10:24:32.752454 osdx dnscrypt-proxy[313910]: Now listening to 127.0.0.1:53 [UDP] Feb 19 10:24:32.752459 osdx dnscrypt-proxy[313910]: Now listening to 127.0.0.1:53 [TCP] Feb 19 10:24:32.752481 osdx dnscrypt-proxy[313910]: Firefox workaround initialized Feb 19 10:24:32.752487 osdx dnscrypt-proxy[313910]: Loading the set of cloaking rules from [/tmp/tmp9pvl15om] Feb 19 10:24:32.761436 osdx OSDxCLI[273452]: User 'admin' left the configuration menu. Feb 19 10:24:32.767314 osdx dnscrypt-proxy[313910]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Multiple Invalid Cipher
Description
Configures either one or two invalid ciphers and tries to communicate with the server. A refusal of all proposed ciphers is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 61e33b590507053cca7bb79fc3cc0fec356bca904a3aa16313af16399684db2e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
Feb 19 10:24:41.308624 osdx systemd-journald[2186]: Runtime Journal (/run/log/journal/69bd8e6fd19244c08e519827aa7e309f) is 2.2M, max 17.2M, 14.9M free. Feb 19 10:24:41.309404 osdx systemd-journald[2186]: Received client request to rotate journal, rotating. Feb 19 10:24:41.309448 osdx systemd-journald[2186]: Vacuuming done, freed 0B of archived journals from /run/log/journal/69bd8e6fd19244c08e519827aa7e309f. Feb 19 10:24:41.322411 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'system journal clear'. Feb 19 10:24:41.638855 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'system coredump delete all'. Feb 19 10:24:41.946086 osdx OSDxCLI[273452]: User 'admin' entered the configuration menu. Feb 19 10:24:42.046417 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Feb 19 10:24:42.130851 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Feb 19 10:24:42.288413 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'show working'. Feb 19 10:24:42.381868 osdx ubnt-cfgd[315629]: inactive Feb 19 10:24:42.401581 osdx INFO[315635]: FRR daemons did not change Feb 19 10:24:42.433026 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Feb 19 10:24:42.484800 osdx WARNING[315704]: No supported link modes on interface eth0 Feb 19 10:24:42.486572 osdx modulelauncher[315704]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on Feb 19 10:24:42.486585 osdx modulelauncher[315704]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76. Feb 19 10:24:42.488114 osdx modulelauncher[315704]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off -- Feb 19 10:24:42.488124 osdx modulelauncher[315704]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75. 
Feb 19 10:24:42.527221 osdx cfgd[1859]: [273452]Completed change to active configuration Feb 19 10:24:42.538984 osdx OSDxCLI[273452]: User 'admin' committed the configuration. Feb 19 10:24:42.565598 osdx OSDxCLI[273452]: User 'admin' left the configuration menu. Feb 19 10:24:42.758652 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. Feb 19 10:24:42.875393 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'system journal show | cat'. Feb 19 10:24:43.119652 osdx OSDxCLI[273452]: User 'admin' entered the configuration menu. Feb 19 10:24:43.234538 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. Feb 19 10:24:43.360800 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Feb 19 10:24:43.488263 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Feb 19 10:24:43.547534 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. Feb 19 10:24:43.645715 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 61e33b590507053cca7bb79fc3cc0fec356bca904a3aa16313af16399684db2e'. Feb 19 10:24:43.717020 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. Feb 19 10:24:43.819209 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Feb 19 10:24:43.949623 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Feb 19 10:24:44.029318 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. 
Feb 19 10:24:44.130757 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'show working'. Feb 19 10:24:44.271529 osdx ubnt-cfgd[315808]: inactive Feb 19 10:24:44.302597 osdx INFO[315816]: FRR daemons did not change Feb 19 10:24:44.320522 osdx ca-certificates[315832]: Updating certificates in /etc/ssl/certs... Feb 19 10:24:44.919261 osdx ubnt-cfgd[316844]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL Feb 19 10:24:44.928660 osdx ca-certificates[316849]: 1 added, 0 removed; done. Feb 19 10:24:44.931680 osdx ca-certificates[316856]: Running hooks in /etc/ca-certificates/update.d... Feb 19 10:24:44.934688 osdx ca-certificates[316858]: done. Feb 19 10:24:44.997364 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. Feb 19 10:24:44.998756 osdx cfgd[1859]: [273452]Completed change to active configuration Feb 19 10:24:45.001131 osdx OSDxCLI[273452]: User 'admin' committed the configuration. Feb 19 10:24:45.025788 osdx dnscrypt-proxy[316862]: dnscrypt-proxy 2.0.45 Feb 19 10:24:45.025864 osdx dnscrypt-proxy[316862]: Network connectivity detected Feb 19 10:24:45.026138 osdx dnscrypt-proxy[316862]: Dropping privileges Feb 19 10:24:45.029697 osdx dnscrypt-proxy[316862]: Network connectivity detected Feb 19 10:24:45.029736 osdx dnscrypt-proxy[316862]: Now listening to 127.0.0.1:53 [UDP] Feb 19 10:24:45.029741 osdx dnscrypt-proxy[316862]: Now listening to 127.0.0.1:53 [TCP] Feb 19 10:24:45.029790 osdx dnscrypt-proxy[316862]: Firefox workaround initialized Feb 19 10:24:45.029799 osdx dnscrypt-proxy[316862]: Loading the set of cloaking rules from [/tmp/tmp5y31e9f6] Feb 19 10:24:45.035878 osdx OSDxCLI[273452]: User 'admin' left the configuration menu. Feb 19 10:24:45.048026 osdx dnscrypt-proxy[316862]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Example 2
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 61e33b590507053cca7bb79fc3cc0fec356bca904a3aa16313af16399684db2e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
Feb 19 10:24:45.318488 osdx systemd-journald[2186]: Runtime Journal (/run/log/journal/69bd8e6fd19244c08e519827aa7e309f) is 2.5M, max 17.2M, 14.6M free. Feb 19 10:24:45.320996 osdx systemd-journald[2186]: Received client request to rotate journal, rotating. Feb 19 10:24:45.321068 osdx systemd-journald[2186]: Vacuuming done, freed 0B of archived journals from /run/log/journal/69bd8e6fd19244c08e519827aa7e309f. Feb 19 10:24:45.331657 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'system journal clear'. Feb 19 10:24:45.651530 osdx OSDxCLI[273452]: User 'admin' entered the configuration menu. Feb 19 10:24:45.776236 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'delete '. Feb 19 10:24:45.869855 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. Feb 19 10:24:45.964430 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'show working'. Feb 19 10:24:46.029925 osdx ubnt-cfgd[316911]: inactive Feb 19 10:24:46.050544 osdx dnscrypt-proxy[316862]: Stopped. Feb 19 10:24:46.050624 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy... Feb 19 10:24:46.051514 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully. Feb 19 10:24:46.051639 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy. Feb 19 10:24:46.114297 osdx WARNING[316975]: No supported link modes on interface eth0 Feb 19 10:24:46.116148 osdx modulelauncher[316975]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on Feb 19 10:24:46.116161 osdx modulelauncher[316975]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76. 
Feb 19 10:24:46.117913 osdx modulelauncher[316975]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off -- Feb 19 10:24:46.117923 osdx modulelauncher[316975]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75. Feb 19 10:24:46.138716 osdx ca-certificates[317000]: Clearing symlinks in /etc/ssl/certs... Feb 19 10:24:46.475484 osdx ca-certificates[317576]: done. Feb 19 10:24:46.479558 osdx ca-certificates[317582]: Updating certificates in /etc/ssl/certs... Feb 19 10:24:46.998951 osdx ubnt-cfgd[318444]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL Feb 19 10:24:47.008412 osdx ca-certificates[318449]: 142 added, 0 removed; done. Feb 19 10:24:47.012475 osdx ca-certificates[318456]: Running hooks in /etc/ca-certificates/update.d... Feb 19 10:24:47.015658 osdx ca-certificates[318458]: done. Feb 19 10:24:47.031504 osdx INFO[318461]: FRR daemons did not change Feb 19 10:24:47.031817 osdx cfgd[1859]: [273452]Completed change to active configuration Feb 19 10:24:47.034419 osdx OSDxCLI[273452]: User 'admin' committed the configuration. Feb 19 10:24:47.054835 osdx OSDxCLI[273452]: User 'admin' left the configuration menu. Feb 19 10:24:48.553610 osdx OSDxCLI[273452]: User 'admin' entered the configuration menu. Feb 19 10:24:48.628525 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. Feb 19 10:24:48.727874 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Feb 19 10:24:48.804009 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Feb 19 10:24:48.956620 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. 
Feb 19 10:24:49.059743 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 61e33b590507053cca7bb79fc3cc0fec356bca904a3aa16313af16399684db2e'. Feb 19 10:24:49.111383 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'. Feb 19 10:24:49.267697 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Feb 19 10:24:49.352616 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Feb 19 10:24:49.428439 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Feb 19 10:24:49.542157 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'show working'. Feb 19 10:24:49.673258 osdx ubnt-cfgd[318494]: inactive Feb 19 10:24:49.706129 osdx INFO[318502]: FRR daemons did not change Feb 19 10:24:49.725434 osdx ca-certificates[318518]: Updating certificates in /etc/ssl/certs... Feb 19 10:24:50.413896 osdx ubnt-cfgd[319530]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL Feb 19 10:24:50.422349 osdx ca-certificates[319536]: 1 added, 0 removed; done. Feb 19 10:24:50.425608 osdx ca-certificates[319542]: Running hooks in /etc/ca-certificates/update.d... Feb 19 10:24:50.429974 osdx ca-certificates[319544]: done. Feb 19 10:24:50.461005 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Feb 19 10:24:50.531372 osdx WARNING[319611]: No supported link modes on interface eth0 Feb 19 10:24:50.533422 osdx modulelauncher[319611]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on Feb 19 10:24:50.533436 osdx modulelauncher[319611]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76. 
Feb 19 10:24:50.535457 osdx modulelauncher[319611]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off -- Feb 19 10:24:50.535470 osdx modulelauncher[319611]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75. Feb 19 10:24:50.657410 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. Feb 19 10:24:50.659975 osdx cfgd[1859]: [273452]Completed change to active configuration Feb 19 10:24:50.677901 osdx OSDxCLI[273452]: User 'admin' committed the configuration. Feb 19 10:24:50.686247 osdx dnscrypt-proxy[319660]: dnscrypt-proxy 2.0.45 Feb 19 10:24:50.686332 osdx dnscrypt-proxy[319660]: Network connectivity detected Feb 19 10:24:50.686587 osdx dnscrypt-proxy[319660]: Dropping privileges Feb 19 10:24:50.690874 osdx dnscrypt-proxy[319660]: Network connectivity detected Feb 19 10:24:50.690915 osdx dnscrypt-proxy[319660]: Now listening to 127.0.0.1:53 [UDP] Feb 19 10:24:50.690920 osdx dnscrypt-proxy[319660]: Now listening to 127.0.0.1:53 [TCP] Feb 19 10:24:50.690947 osdx dnscrypt-proxy[319660]: Firefox workaround initialized Feb 19 10:24:50.690953 osdx dnscrypt-proxy[319660]: Loading the set of cloaking rules from [/tmp/tmphdluqz36] Feb 19 10:24:50.719006 osdx OSDxCLI[273452]: User 'admin' left the configuration menu. Feb 19 10:24:50.754691 osdx dnscrypt-proxy[319660]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Example 3
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 61e33b590507053cca7bb79fc3cc0fec356bca904a3aa16313af16399684db2e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
Feb 19 10:24:51.181162 osdx systemd-journald[2186]: Runtime Journal (/run/log/journal/69bd8e6fd19244c08e519827aa7e309f) is 2.2M, max 17.2M, 14.9M free. Feb 19 10:24:51.185040 osdx systemd-journald[2186]: Received client request to rotate journal, rotating. Feb 19 10:24:51.185130 osdx systemd-journald[2186]: Vacuuming done, freed 0B of archived journals from /run/log/journal/69bd8e6fd19244c08e519827aa7e309f. Feb 19 10:24:51.194691 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'system journal clear'. Feb 19 10:24:51.476840 osdx OSDxCLI[273452]: User 'admin' entered the configuration menu. Feb 19 10:24:51.554445 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'delete '. Feb 19 10:24:51.715647 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. Feb 19 10:24:51.778637 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'show working'. Feb 19 10:24:51.907125 osdx ubnt-cfgd[319728]: inactive Feb 19 10:24:51.930103 osdx dnscrypt-proxy[319660]: Stopped. Feb 19 10:24:51.930161 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy... Feb 19 10:24:51.931172 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully. Feb 19 10:24:51.931282 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy. Feb 19 10:24:51.993960 osdx WARNING[319792]: No supported link modes on interface eth0 Feb 19 10:24:51.995662 osdx modulelauncher[319792]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on Feb 19 10:24:51.995675 osdx modulelauncher[319792]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76. 
Feb 19 10:24:51.996910 osdx modulelauncher[319792]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off -- Feb 19 10:24:51.996918 osdx modulelauncher[319792]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75. Feb 19 10:24:52.014177 osdx ca-certificates[319817]: Clearing symlinks in /etc/ssl/certs... Feb 19 10:24:52.341859 osdx ca-certificates[320395]: done. Feb 19 10:24:52.347106 osdx ca-certificates[320402]: Updating certificates in /etc/ssl/certs... Feb 19 10:24:52.880207 osdx ubnt-cfgd[321261]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL Feb 19 10:24:52.889168 osdx ca-certificates[321266]: 142 added, 0 removed; done. Feb 19 10:24:52.892369 osdx ca-certificates[321273]: Running hooks in /etc/ca-certificates/update.d... Feb 19 10:24:52.896193 osdx ca-certificates[321275]: done. Feb 19 10:24:52.911724 osdx INFO[321278]: FRR daemons did not change Feb 19 10:24:52.911997 osdx cfgd[1859]: [273452]Completed change to active configuration Feb 19 10:24:53.002172 osdx OSDxCLI[273452]: User 'admin' committed the configuration. Feb 19 10:24:53.024564 osdx OSDxCLI[273452]: User 'admin' left the configuration menu. Feb 19 10:24:54.557664 osdx OSDxCLI[273452]: User 'admin' entered the configuration menu. Feb 19 10:24:54.671612 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. Feb 19 10:24:54.777156 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Feb 19 10:24:54.862067 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Feb 19 10:24:54.963202 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. 
Feb 19 10:24:55.029716 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 61e33b590507053cca7bb79fc3cc0fec356bca904a3aa16313af16399684db2e'. Feb 19 10:24:55.127673 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. Feb 19 10:24:55.190807 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'. Feb 19 10:24:55.336691 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Feb 19 10:24:55.425662 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Feb 19 10:24:55.493285 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Feb 19 10:24:55.601507 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'show working'. Feb 19 10:24:55.696716 osdx ubnt-cfgd[321312]: inactive Feb 19 10:24:55.720541 osdx INFO[321320]: FRR daemons did not change Feb 19 10:24:55.733032 osdx ca-certificates[321336]: Updating certificates in /etc/ssl/certs... Feb 19 10:24:56.284234 osdx ubnt-cfgd[322348]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL Feb 19 10:24:56.294890 osdx ca-certificates[322354]: 1 added, 0 removed; done. Feb 19 10:24:56.298276 osdx ca-certificates[322360]: Running hooks in /etc/ca-certificates/update.d... Feb 19 10:24:56.300973 osdx ca-certificates[322362]: done. 
Feb 19 10:24:56.337105 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Feb 19 10:24:56.388095 osdx WARNING[322429]: No supported link modes on interface eth0 Feb 19 10:24:56.389852 osdx modulelauncher[322429]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on Feb 19 10:24:56.389864 osdx modulelauncher[322429]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76. Feb 19 10:24:56.391204 osdx modulelauncher[322429]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off -- Feb 19 10:24:56.391217 osdx modulelauncher[322429]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75. Feb 19 10:24:56.513575 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. Feb 19 10:24:56.515986 osdx cfgd[1859]: [273452]Completed change to active configuration Feb 19 10:24:56.531397 osdx OSDxCLI[273452]: User 'admin' committed the configuration. Feb 19 10:24:56.542203 osdx dnscrypt-proxy[322478]: dnscrypt-proxy 2.0.45 Feb 19 10:24:56.542273 osdx dnscrypt-proxy[322478]: Network connectivity detected Feb 19 10:24:56.542484 osdx dnscrypt-proxy[322478]: Dropping privileges Feb 19 10:24:56.545720 osdx dnscrypt-proxy[322478]: Network connectivity detected Feb 19 10:24:56.545755 osdx dnscrypt-proxy[322478]: Now listening to 127.0.0.1:53 [UDP] Feb 19 10:24:56.545760 osdx dnscrypt-proxy[322478]: Now listening to 127.0.0.1:53 [TCP] Feb 19 10:24:56.545780 osdx dnscrypt-proxy[322478]: Firefox workaround initialized Feb 19 10:24:56.545788 osdx dnscrypt-proxy[322478]: Loading the set of cloaking rules from [/tmp/tmpg3ya15qs] Feb 19 10:24:56.547130 osdx dnscrypt-proxy[322478]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file Feb 19 10:24:56.567152 osdx OSDxCLI[273452]: User 'admin' left the configuration menu. 
Feb 19 10:24:56.659568 osdx dnscrypt-proxy[322478]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392 Feb 19 10:24:56.659584 osdx dnscrypt-proxy[322478]: [RD] OK (DoH) - rtt: 86ms Feb 19 10:24:56.659591 osdx dnscrypt-proxy[322478]: Server with the lowest initial latency: RD (rtt: 86ms) Feb 19 10:24:56.659596 osdx dnscrypt-proxy[322478]: dnscrypt-proxy is ready - live servers: 1
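The journal checks used in these scenarios, as an added example that is not part of the original test suite: it maps the decimal `Cipher suite:` value that dnscrypt-proxy logs to its IANA name and flags a run whose negotiated suite is not in the configured `cipher N algorithm` list, as in Example 3 above, where the handshake failure is followed by a connection on suite 52392. The function names and verdict labels are assumptions of this example; the journal lines are copied from this page's output and trimmed to the relevant entries.

```python
import re

# IANA TLS cipher suite code points for the suites named on this page.
# The journal shows the negotiated suite as the decimal form of this value.
IANA_SUITES = {
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,        # 49199
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": 0xCCA8,  # 52392
}
ID_TO_NAME = {v: k for k, v in IANA_SUITES.items()}
# "TLS version: 303" is read here as hexadecimal 0x0303 (assumption of this example).
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

CFG_RE = re.compile(r"set service dns proxy cipher (\d+) algorithm ([A-Z0-9_]+)")
PROXY_RE = re.compile(r"dnscrypt-proxy\[(\d+)\]: (.*)$")
NEGOTIATED_RE = re.compile(r"TLS version: ([0-9a-fA-F]+) - Protocol: (\S+) - Cipher suite: (\d+)")
FAILURE_TOKEN = "TLS handshake failure"


def configured_suites(config_text):
    """Return the suite names from 'cipher N algorithm X' lines, ordered by N."""
    found = {int(n): name for n, name in CFG_RE.findall(config_text)}
    return [found[n] for n in sorted(found)]


def audit_journal(journal_lines, configured):
    """Per dnscrypt-proxy PID: was a handshake refused, and which suite was negotiated?"""
    allowed = {IANA_SUITES[name] for name in configured if name in IANA_SUITES}
    runs = {}
    for line in journal_lines:
        m = PROXY_RE.search(line)
        if not m:
            continue  # not a dnscrypt-proxy entry
        pid, msg = int(m.group(1)), m.group(2)
        run = runs.setdefault(pid, {"handshake_failure": False, "suite_id": None,
                                    "suite": None, "tls": None})
        if FAILURE_TOKEN in msg:
            run["handshake_failure"] = True
        n = NEGOTIATED_RE.search(msg)
        if n:
            suite_id = int(n.group(3))
            run["suite_id"] = suite_id
            run["suite"] = ID_TO_NAME.get(suite_id, "unknown (0x%04X)" % suite_id)
            run["tls"] = TLS_VERSIONS.get(int(n.group(1), 16), n.group(1))
    for run in runs.values():
        if run["suite_id"] is None:
            run["verdict"] = "refused" if run["handshake_failure"] else "no-handshake"
        elif run["suite_id"] in allowed:
            run["verdict"] = "ok"
        else:
            # A connection came up on a suite the configuration never listed.
            run["verdict"] = "outside-configured-list"
    return runs


# Multiple Invalid Cipher, Example 3 (lines copied from this page, trimmed).
EXAMPLE3_CONFIG = """\
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
"""
EXAMPLE3_JOURNAL = [
    "Feb 19 10:24:56.542203 osdx dnscrypt-proxy[322478]: dnscrypt-proxy 2.0.45",
    "Feb 19 10:24:56.547130 osdx dnscrypt-proxy[322478]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file",
    "Feb 19 10:24:56.567152 osdx OSDxCLI[273452]: User 'admin' left the configuration menu.",
    "Feb 19 10:24:56.659568 osdx dnscrypt-proxy[322478]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392",
    "Feb 19 10:24:56.659584 osdx dnscrypt-proxy[322478]: [RD] OK (DoH) - rtt: 86ms",
]

# Single Invalid Cipher, Example 1 (lines copied from this page, trimmed).
SINGLE_INVALID_CONFIG = "set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA"
SINGLE_INVALID_JOURNAL = [
    "Feb 19 10:24:32.747958 osdx dnscrypt-proxy[313910]: dnscrypt-proxy 2.0.45",
    "Feb 19 10:24:32.767314 osdx dnscrypt-proxy[313910]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file",
]

# Run with the CHACHA20 suite configured (lines copied from this page, trimmed).
CHACHA_CONFIG = "set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
CHACHA_JOURNAL = [
    "Feb 19 10:24:21.648669 osdx dnscrypt-proxy[310936]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392",
    "Feb 19 10:24:21.648692 osdx dnscrypt-proxy[310936]: [RD] OK (DoH) - rtt: 63ms",
]

if __name__ == "__main__":
    for label, cfg, journal in (
        ("multiple invalid, example 3", EXAMPLE3_CONFIG, EXAMPLE3_JOURNAL),
        ("single invalid", SINGLE_INVALID_CONFIG, SINGLE_INVALID_JOURNAL),
        ("chacha20 configured", CHACHA_CONFIG, CHACHA_JOURNAL),
    ):
        for pid, run in audit_journal(journal, configured_suites(cfg)).items():
            print(label, pid, run["verdict"], run["tls"], run["suite"])
```

A token check for the handshake-failure message alone passes on the Example 3 journal; comparing the negotiated suite against the configured list is what shows that the later connection used a suite outside it.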
Invalid Cipher With Fallback
Description
Configures an invalid cipher and a valid fallback cipher, then tries to communicate with the server. No refusal is expected, as long as the valid cipher proposed is the one used.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 61e33b590507053cca7bb79fc3cc0fec356bca904a3aa16313af16399684db2e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
Feb 19 10:25:04.314084 osdx systemd-journald[2186]: Runtime Journal (/run/log/journal/69bd8e6fd19244c08e519827aa7e309f) is 2.2M, max 17.2M, 14.9M free. Feb 19 10:25:04.317372 osdx systemd-journald[2186]: Received client request to rotate journal, rotating. Feb 19 10:25:04.317462 osdx systemd-journald[2186]: Vacuuming done, freed 0B of archived journals from /run/log/journal/69bd8e6fd19244c08e519827aa7e309f. Feb 19 10:25:04.327826 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'system journal clear'. Feb 19 10:25:04.553191 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'system coredump delete all'. Feb 19 10:25:04.890923 osdx OSDxCLI[273452]: User 'admin' entered the configuration menu. Feb 19 10:25:05.077749 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Feb 19 10:25:05.164909 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Feb 19 10:25:05.276012 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'show working'. Feb 19 10:25:05.338899 osdx ubnt-cfgd[324215]: inactive Feb 19 10:25:05.359303 osdx INFO[324221]: FRR daemons did not change Feb 19 10:25:05.401526 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Feb 19 10:25:05.448495 osdx WARNING[324290]: No supported link modes on interface eth0 Feb 19 10:25:05.450163 osdx modulelauncher[324290]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on Feb 19 10:25:05.450180 osdx modulelauncher[324290]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76. Feb 19 10:25:05.451907 osdx modulelauncher[324290]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off -- Feb 19 10:25:05.451917 osdx modulelauncher[324290]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75. 
Feb 19 10:25:05.487560 osdx cfgd[1859]: [273452]Completed change to active configuration Feb 19 10:25:05.501126 osdx OSDxCLI[273452]: User 'admin' committed the configuration. Feb 19 10:25:05.518002 osdx OSDxCLI[273452]: User 'admin' left the configuration menu. Feb 19 10:25:05.708893 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. Feb 19 10:25:05.795687 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'system journal show | cat'. Feb 19 10:25:05.967878 osdx OSDxCLI[273452]: User 'admin' entered the configuration menu. Feb 19 10:25:06.682883 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. Feb 19 10:25:06.805100 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Feb 19 10:25:06.911582 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Feb 19 10:25:07.019277 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. Feb 19 10:25:07.150058 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 61e33b590507053cca7bb79fc3cc0fec356bca904a3aa16313af16399684db2e'. Feb 19 10:25:07.310371 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. Feb 19 10:25:07.430639 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'. Feb 19 10:25:07.549792 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Feb 19 10:25:07.705197 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. 
Feb 19 10:25:07.797479 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Feb 19 10:25:07.924598 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'show working'. Feb 19 10:25:08.033236 osdx ubnt-cfgd[324395]: inactive Feb 19 10:25:08.077572 osdx INFO[324403]: FRR daemons did not change Feb 19 10:25:08.091804 osdx ca-certificates[324419]: Updating certificates in /etc/ssl/certs... Feb 19 10:25:08.778006 osdx ubnt-cfgd[325431]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL Feb 19 10:25:08.788800 osdx ca-certificates[325436]: 1 added, 0 removed; done. Feb 19 10:25:08.793021 osdx ca-certificates[325443]: Running hooks in /etc/ca-certificates/update.d... Feb 19 10:25:08.797266 osdx ca-certificates[325445]: done. Feb 19 10:25:08.893996 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. Feb 19 10:25:08.897199 osdx cfgd[1859]: [273452]Completed change to active configuration Feb 19 10:25:08.901141 osdx OSDxCLI[273452]: User 'admin' committed the configuration. Feb 19 10:25:08.926785 osdx dnscrypt-proxy[325449]: dnscrypt-proxy 2.0.45 Feb 19 10:25:08.926862 osdx dnscrypt-proxy[325449]: Network connectivity detected Feb 19 10:25:08.927094 osdx dnscrypt-proxy[325449]: Dropping privileges Feb 19 10:25:08.927834 osdx OSDxCLI[273452]: User 'admin' left the configuration menu. 
Feb 19 10:25:08.932040 osdx dnscrypt-proxy[325449]: Network connectivity detected Feb 19 10:25:08.932083 osdx dnscrypt-proxy[325449]: Now listening to 127.0.0.1:53 [UDP] Feb 19 10:25:08.932088 osdx dnscrypt-proxy[325449]: Now listening to 127.0.0.1:53 [TCP] Feb 19 10:25:08.932141 osdx dnscrypt-proxy[325449]: Firefox workaround initialized Feb 19 10:25:08.932147 osdx dnscrypt-proxy[325449]: Loading the set of cloaking rules from [/tmp/tmpzjnornna] Feb 19 10:25:09.107738 osdx dnscrypt-proxy[325449]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199 Feb 19 10:25:09.107759 osdx dnscrypt-proxy[325449]: [RD] OK (DoH) - rtt: 150ms Feb 19 10:25:09.107769 osdx dnscrypt-proxy[325449]: Server with the lowest initial latency: RD (rtt: 150ms) Feb 19 10:25:09.107775 osdx dnscrypt-proxy[325449]: dnscrypt-proxy is ready - live servers: 1 Feb 19 10:25:09.125253 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
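Step 3 matches a decimal token such as "Cipher suite: 49199", while the configuration in Step 1 names the suite. The following is an added example, not part of the OSDx test suite: it maps the logged code point back to its IANA name and reports which configured ciphers were passed over. Function and variable names are hypothetical, and reading "TLS version: 303" as hexadecimal 0x0303 (TLS 1.2) is an assumption about the log format.

```python
import re
from dataclasses import dataclass

# IANA TLS cipher suite code points for the suites named on this page.
IANA_SUITES = {
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,        # 49199
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xC030,        # 49200
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": 0xCCA8,  # 52392
}
ID_TO_NAME = {code: name for name, code in IANA_SUITES.items()}

# Both patterns work on one-entry-per-line text and on text flattened
# onto a single line, as it appears on this page.
CIPHER_CFG_RE = re.compile(r"set service dns proxy cipher (\d+) algorithm (\S+)")
HANDSHAKE_RE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[(?P<server>[^\]]+)\] "
    r"TLS version: (?P<ver>[0-9a-fA-F]+) - Protocol: (?P<proto>\S+) "
    r"- Cipher suite: (?P<suite>\d+)"
)
FAILURE_RE = re.compile(r"dnscrypt-proxy\[\d+\]: TLS handshake failure")


@dataclass
class Negotiation:
    server: str
    tls_version: int   # assumption: the log prints this field in hex
    protocol: str
    suite_id: int
    suite_name: str
    in_config: bool    # negotiated suite is one of the configured ciphers
    skipped: list      # configured ciphers ranked before the negotiated one


def configured_ciphers(config_text):
    """Return configured cipher names ordered by their 'cipher <n>' index."""
    entries = [(int(n), name) for n, name in CIPHER_CFG_RE.findall(config_text)]
    return [name for _, name in sorted(entries)]


def check_negotiation(config_text, journal_text):
    """Compare every negotiated suite in the journal with the configuration."""
    configured = configured_ciphers(config_text)
    results = []
    for m in HANDSHAKE_RE.finditer(journal_text):
        suite_id = int(m["suite"])
        name = ID_TO_NAME.get(suite_id, "UNKNOWN_0x%04X" % suite_id)
        in_config = name in configured
        # If the suite is not configured at all, every entry was passed over.
        skipped = configured[:configured.index(name)] if in_config else list(configured)
        results.append(Negotiation(
            server=m["server"],
            tls_version=int(m["ver"], 16),
            protocol=m["proto"],
            suite_id=suite_id,
            suite_name=name,
            in_config=in_config,
            skipped=skipped,
        ))
    return results


def handshake_failures(journal_text):
    """Count dnscrypt-proxy TLS handshake failure messages in the journal."""
    return len(FAILURE_RE.findall(journal_text))


# Cipher lines and journal lines copied from Example 1 above.
EXAMPLE1_CONFIG = """\
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""
EXAMPLE1_JOURNAL = """\
Feb 19 10:25:09.107738 osdx dnscrypt-proxy[325449]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Feb 19 10:25:09.107759 osdx dnscrypt-proxy[325449]: [RD] OK (DoH) - rtt: 150ms
"""

# Constructed journal (not a captured run): a handshake failure followed by
# a suite that EXAMPLE1_CONFIG does not list.
MISMATCH_JOURNAL = """\
Feb 19 10:00:00.000000 osdx dnscrypt-proxy[1000]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Feb 19 10:00:00.100000 osdx dnscrypt-proxy[1000]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
"""

if __name__ == "__main__":
    for journal in (EXAMPLE1_JOURNAL, MISMATCH_JOURNAL):
        for n in check_negotiation(EXAMPLE1_CONFIG, journal):
            verdict = "configured" if n.in_config else "NOT in configuration"
            print(f"[{n.server}] {n.suite_id} = {n.suite_name} ({verdict}); "
                  f"passed over: {n.skipped}; "
                  f"handshake failures: {handshake_failures(journal)}")
```
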
Example 2
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 61e33b590507053cca7bb79fc3cc0fec356bca904a3aa16313af16399684db2e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
Output:
Feb 19 10:25:09.399538 osdx systemd-journald[2186]: Runtime Journal (/run/log/journal/69bd8e6fd19244c08e519827aa7e309f) is 2.2M, max 17.2M, 14.9M free. Feb 19 10:25:09.401351 osdx systemd-journald[2186]: Received client request to rotate journal, rotating. Feb 19 10:25:09.401440 osdx systemd-journald[2186]: Vacuuming done, freed 0B of archived journals from /run/log/journal/69bd8e6fd19244c08e519827aa7e309f. Feb 19 10:25:09.412246 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'system journal clear'. Feb 19 10:25:09.828570 osdx OSDxCLI[273452]: User 'admin' entered the configuration menu. Feb 19 10:25:09.930295 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'delete '. Feb 19 10:25:10.091011 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. Feb 19 10:25:10.157088 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'show working'. Feb 19 10:25:10.253621 osdx ubnt-cfgd[325500]: inactive Feb 19 10:25:10.284734 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy... Feb 19 10:25:10.284742 osdx dnscrypt-proxy[325449]: Stopped. Feb 19 10:25:10.285869 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully. Feb 19 10:25:10.286019 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy. Feb 19 10:25:10.356046 osdx WARNING[325564]: No supported link modes on interface eth0 Feb 19 10:25:10.358103 osdx modulelauncher[325564]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on Feb 19 10:25:10.358132 osdx modulelauncher[325564]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76. 
Feb 19 10:25:10.360189 osdx modulelauncher[325564]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off -- Feb 19 10:25:10.360201 osdx modulelauncher[325564]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75. Feb 19 10:25:10.395692 osdx ca-certificates[325589]: Clearing symlinks in /etc/ssl/certs... Feb 19 10:25:10.744694 osdx ca-certificates[326167]: done. Feb 19 10:25:10.751772 osdx ca-certificates[326175]: Updating certificates in /etc/ssl/certs... Feb 19 10:25:11.284458 osdx ubnt-cfgd[327033]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL Feb 19 10:25:11.293645 osdx ca-certificates[327038]: 142 added, 0 removed; done. Feb 19 10:25:11.296541 osdx ca-certificates[327045]: Running hooks in /etc/ca-certificates/update.d... Feb 19 10:25:11.299805 osdx ca-certificates[327047]: done. Feb 19 10:25:11.315637 osdx INFO[327050]: FRR daemons did not change Feb 19 10:25:11.315909 osdx cfgd[1859]: [273452]Completed change to active configuration Feb 19 10:25:11.318114 osdx OSDxCLI[273452]: User 'admin' committed the configuration. Feb 19 10:25:11.334999 osdx OSDxCLI[273452]: User 'admin' left the configuration menu. Feb 19 10:25:12.825002 osdx OSDxCLI[273452]: User 'admin' entered the configuration menu. Feb 19 10:25:13.481691 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. Feb 19 10:25:13.550013 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Feb 19 10:25:13.662724 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Feb 19 10:25:13.781194 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. 
Feb 19 10:25:13.849055 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 61e33b590507053cca7bb79fc3cc0fec356bca904a3aa16313af16399684db2e'. Feb 19 10:25:13.988640 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. Feb 19 10:25:14.065377 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'. Feb 19 10:25:14.169285 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Feb 19 10:25:14.317484 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Feb 19 10:25:14.373558 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Feb 19 10:25:14.482510 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'show working'. Feb 19 10:25:14.579500 osdx ubnt-cfgd[327084]: inactive Feb 19 10:25:14.603362 osdx INFO[327092]: FRR daemons did not change Feb 19 10:25:14.616460 osdx ca-certificates[327108]: Updating certificates in /etc/ssl/certs... Feb 19 10:25:15.156706 osdx ubnt-cfgd[328120]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL Feb 19 10:25:15.166388 osdx ca-certificates[328125]: 1 added, 0 removed; done. Feb 19 10:25:15.169982 osdx ca-certificates[328130]: Running hooks in /etc/ca-certificates/update.d... Feb 19 10:25:15.173355 osdx ca-certificates[328134]: done. 
Feb 19 10:25:15.209366 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Feb 19 10:25:15.260117 osdx WARNING[328201]: No supported link modes on interface eth0 Feb 19 10:25:15.261653 osdx modulelauncher[328201]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on Feb 19 10:25:15.261665 osdx modulelauncher[328201]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76. Feb 19 10:25:15.262874 osdx modulelauncher[328201]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off -- Feb 19 10:25:15.262882 osdx modulelauncher[328201]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75. Feb 19 10:25:15.385775 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. Feb 19 10:25:15.388634 osdx cfgd[1859]: [273452]Completed change to active configuration Feb 19 10:25:15.403615 osdx OSDxCLI[273452]: User 'admin' committed the configuration. Feb 19 10:25:15.411193 osdx dnscrypt-proxy[328250]: dnscrypt-proxy 2.0.45 Feb 19 10:25:15.411265 osdx dnscrypt-proxy[328250]: Network connectivity detected Feb 19 10:25:15.411517 osdx dnscrypt-proxy[328250]: Dropping privileges Feb 19 10:25:15.414235 osdx dnscrypt-proxy[328250]: Network connectivity detected Feb 19 10:25:15.414296 osdx dnscrypt-proxy[328250]: Now listening to 127.0.0.1:53 [UDP] Feb 19 10:25:15.414303 osdx dnscrypt-proxy[328250]: Now listening to 127.0.0.1:53 [TCP] Feb 19 10:25:15.414328 osdx dnscrypt-proxy[328250]: Firefox workaround initialized Feb 19 10:25:15.414333 osdx dnscrypt-proxy[328250]: Loading the set of cloaking rules from [/tmp/tmpzs6morix] Feb 19 10:25:15.437700 osdx OSDxCLI[273452]: User 'admin' left the configuration menu. 
Feb 19 10:25:15.502777 osdx dnscrypt-proxy[328250]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200 Feb 19 10:25:15.502793 osdx dnscrypt-proxy[328250]: [RD] OK (DoH) - rtt: 60ms Feb 19 10:25:15.502800 osdx dnscrypt-proxy[328250]: Server with the lowest initial latency: RD (rtt: 60ms) Feb 19 10:25:15.502804 osdx dnscrypt-proxy[328250]: dnscrypt-proxy is ready - live servers: 1 Feb 19 10:25:15.597176 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 3
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 61e33b590507053cca7bb79fc3cc0fec356bca904a3aa16313af16399684db2e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Output:
Feb 19 10:25:15.899679 osdx systemd-journald[2186]: Runtime Journal (/run/log/journal/69bd8e6fd19244c08e519827aa7e309f) is 2.2M, max 17.2M, 14.9M free. Feb 19 10:25:15.901357 osdx systemd-journald[2186]: Received client request to rotate journal, rotating. Feb 19 10:25:15.901405 osdx systemd-journald[2186]: Vacuuming done, freed 0B of archived journals from /run/log/journal/69bd8e6fd19244c08e519827aa7e309f. Feb 19 10:25:15.911122 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'system journal clear'. Feb 19 10:25:16.357925 osdx OSDxCLI[273452]: User 'admin' entered the configuration menu. Feb 19 10:25:16.475845 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'delete '. Feb 19 10:25:16.603050 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. Feb 19 10:25:16.732152 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'show working'. Feb 19 10:25:16.816098 osdx ubnt-cfgd[328322]: inactive Feb 19 10:25:16.854566 osdx dnscrypt-proxy[328250]: Stopped. Feb 19 10:25:16.854621 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy... Feb 19 10:25:16.855893 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully. Feb 19 10:25:16.856000 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy. Feb 19 10:25:16.946514 osdx WARNING[328386]: No supported link modes on interface eth0 Feb 19 10:25:16.948118 osdx modulelauncher[328386]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on Feb 19 10:25:16.948130 osdx modulelauncher[328386]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76. 
Feb 19 10:25:16.949546 osdx modulelauncher[328386]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off -- Feb 19 10:25:16.949556 osdx modulelauncher[328386]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75. Feb 19 10:25:16.968048 osdx ca-certificates[328411]: Clearing symlinks in /etc/ssl/certs... Feb 19 10:25:17.307690 osdx ca-certificates[328988]: done. Feb 19 10:25:17.311803 osdx ca-certificates[328993]: Updating certificates in /etc/ssl/certs... Feb 19 10:25:17.823129 osdx ubnt-cfgd[329855]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL Feb 19 10:25:17.833008 osdx ca-certificates[329861]: 142 added, 0 removed; done. Feb 19 10:25:17.836826 osdx ca-certificates[329867]: Running hooks in /etc/ca-certificates/update.d... Feb 19 10:25:17.840493 osdx ca-certificates[329869]: done. Feb 19 10:25:17.858286 osdx INFO[329872]: FRR daemons did not change Feb 19 10:25:17.858675 osdx cfgd[1859]: [273452]Completed change to active configuration Feb 19 10:25:17.861093 osdx OSDxCLI[273452]: User 'admin' committed the configuration. Feb 19 10:25:17.890337 osdx OSDxCLI[273452]: User 'admin' left the configuration menu. Feb 19 10:25:19.315362 osdx OSDxCLI[273452]: User 'admin' entered the configuration menu. Feb 19 10:25:20.085777 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. Feb 19 10:25:20.149755 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Feb 19 10:25:20.254830 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Feb 19 10:25:20.310392 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. 
Feb 19 10:25:20.407478 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 61e33b590507053cca7bb79fc3cc0fec356bca904a3aa16313af16399684db2e'. Feb 19 10:25:20.460555 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. Feb 19 10:25:20.571493 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'. Feb 19 10:25:20.638801 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Feb 19 10:25:20.772178 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Feb 19 10:25:20.834758 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Feb 19 10:25:20.991147 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'show working'. Feb 19 10:25:21.101494 osdx ubnt-cfgd[329906]: inactive Feb 19 10:25:21.126948 osdx INFO[329914]: FRR daemons did not change Feb 19 10:25:21.143725 osdx ca-certificates[329929]: Updating certificates in /etc/ssl/certs... Feb 19 10:25:21.735160 osdx ubnt-cfgd[330942]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL Feb 19 10:25:21.744809 osdx ca-certificates[330947]: 1 added, 0 removed; done. Feb 19 10:25:21.748526 osdx ca-certificates[330954]: Running hooks in /etc/ca-certificates/update.d... Feb 19 10:25:21.751238 osdx ca-certificates[330956]: done. 
Feb 19 10:25:21.785356 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Feb 19 10:25:21.828945 osdx WARNING[331023]: No supported link modes on interface eth0 Feb 19 10:25:21.830262 osdx modulelauncher[331023]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on Feb 19 10:25:21.830273 osdx modulelauncher[331023]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76. Feb 19 10:25:21.831503 osdx modulelauncher[331023]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off -- Feb 19 10:25:21.831510 osdx modulelauncher[331023]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75. Feb 19 10:25:21.941885 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. Feb 19 10:25:21.943492 osdx cfgd[1859]: [273452]Completed change to active configuration Feb 19 10:25:21.959892 osdx OSDxCLI[273452]: User 'admin' committed the configuration. Feb 19 10:25:21.967717 osdx dnscrypt-proxy[331072]: dnscrypt-proxy 2.0.45 Feb 19 10:25:21.967790 osdx dnscrypt-proxy[331072]: Network connectivity detected Feb 19 10:25:21.968076 osdx dnscrypt-proxy[331072]: Dropping privileges Feb 19 10:25:21.971051 osdx dnscrypt-proxy[331072]: Network connectivity detected Feb 19 10:25:21.971089 osdx dnscrypt-proxy[331072]: Now listening to 127.0.0.1:53 [UDP] Feb 19 10:25:21.971094 osdx dnscrypt-proxy[331072]: Now listening to 127.0.0.1:53 [TCP] Feb 19 10:25:21.971114 osdx dnscrypt-proxy[331072]: Firefox workaround initialized Feb 19 10:25:21.971120 osdx dnscrypt-proxy[331072]: Loading the set of cloaking rules from [/tmp/tmpfaa4javi] Feb 19 10:25:22.026806 osdx OSDxCLI[273452]: User 'admin' left the configuration menu. 
Feb 19 10:25:22.157388 osdx dnscrypt-proxy[331072]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392 Feb 19 10:25:22.157407 osdx dnscrypt-proxy[331072]: [RD] OK (DoH) - rtt: 168ms Feb 19 10:25:22.157417 osdx dnscrypt-proxy[331072]: Server with the lowest initial latency: RD (rtt: 168ms) Feb 19 10:25:22.157422 osdx dnscrypt-proxy[331072]: dnscrypt-proxy is ready - live servers: 1 Feb 19 10:25:22.173677 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 4
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 61e33b590507053cca7bb79fc3cc0fec356bca904a3aa16313af16399684db2e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
Feb 19 10:25:22.438393 osdx systemd-journald[2186]: Runtime Journal (/run/log/journal/69bd8e6fd19244c08e519827aa7e309f) is 2.2M, max 17.2M, 14.9M free. Feb 19 10:25:22.441360 osdx systemd-journald[2186]: Received client request to rotate journal, rotating. Feb 19 10:25:22.441440 osdx systemd-journald[2186]: Vacuuming done, freed 0B of archived journals from /run/log/journal/69bd8e6fd19244c08e519827aa7e309f. Feb 19 10:25:22.448860 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'system journal clear'. Feb 19 10:25:22.812760 osdx OSDxCLI[273452]: User 'admin' entered the configuration menu. Feb 19 10:25:22.923941 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'delete '. Feb 19 10:25:23.065381 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. Feb 19 10:25:23.164696 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'show working'. Feb 19 10:25:23.264162 osdx ubnt-cfgd[331144]: inactive Feb 19 10:25:23.285774 osdx dnscrypt-proxy[331072]: Stopped. Feb 19 10:25:23.285836 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy... Feb 19 10:25:23.286840 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully. Feb 19 10:25:23.286962 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy. Feb 19 10:25:23.353305 osdx WARNING[331208]: No supported link modes on interface eth0 Feb 19 10:25:23.355301 osdx modulelauncher[331208]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on Feb 19 10:25:23.355316 osdx modulelauncher[331208]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76. 
Feb 19 10:25:23.357045 osdx modulelauncher[331208]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off -- Feb 19 10:25:23.357056 osdx modulelauncher[331208]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75. Feb 19 10:25:23.378039 osdx ca-certificates[331233]: Clearing symlinks in /etc/ssl/certs... Feb 19 10:25:23.741448 osdx ca-certificates[331811]: done. Feb 19 10:25:23.744896 osdx ca-certificates[331820]: Updating certificates in /etc/ssl/certs... Feb 19 10:25:24.249412 osdx ubnt-cfgd[332677]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL Feb 19 10:25:24.259067 osdx ca-certificates[332682]: 142 added, 0 removed; done. Feb 19 10:25:24.261841 osdx ca-certificates[332689]: Running hooks in /etc/ca-certificates/update.d... Feb 19 10:25:24.264531 osdx ca-certificates[332691]: done. Feb 19 10:25:24.280729 osdx INFO[332694]: FRR daemons did not change Feb 19 10:25:24.281027 osdx cfgd[1859]: [273452]Completed change to active configuration Feb 19 10:25:24.340161 osdx OSDxCLI[273452]: User 'admin' committed the configuration. Feb 19 10:25:24.363114 osdx OSDxCLI[273452]: User 'admin' left the configuration menu. Feb 19 10:25:25.754823 osdx OSDxCLI[273452]: User 'admin' entered the configuration menu. Feb 19 10:25:26.511769 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. Feb 19 10:25:26.631651 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Feb 19 10:25:26.748019 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Feb 19 10:25:26.886421 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. 
Feb 19 10:25:26.966564 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 61e33b590507053cca7bb79fc3cc0fec356bca904a3aa16313af16399684db2e'.
Feb 19 10:25:27.081013 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Feb 19 10:25:27.141786 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Feb 19 10:25:27.258497 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Feb 19 10:25:27.443867 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 19 10:25:27.523488 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 19 10:25:27.653619 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'show working'.
Feb 19 10:25:27.751784 osdx ubnt-cfgd[332728]: inactive
Feb 19 10:25:27.798634 osdx INFO[332736]: FRR daemons did not change
Feb 19 10:25:27.819419 osdx ca-certificates[332752]: Updating certificates in /etc/ssl/certs...
Feb 19 10:25:28.522587 osdx ubnt-cfgd[333764]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Feb 19 10:25:28.532934 osdx ca-certificates[333769]: 1 added, 0 removed; done.
Feb 19 10:25:28.537042 osdx ca-certificates[333776]: Running hooks in /etc/ca-certificates/update.d...
Feb 19 10:25:28.540920 osdx ca-certificates[333778]: done.
Feb 19 10:25:28.573352 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 19 10:25:28.620643 osdx WARNING[333845]: No supported link modes on interface eth0
Feb 19 10:25:28.622323 osdx modulelauncher[333845]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Feb 19 10:25:28.622343 osdx modulelauncher[333845]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Feb 19 10:25:28.623577 osdx modulelauncher[333845]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Feb 19 10:25:28.623588 osdx modulelauncher[333845]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Feb 19 10:25:28.721760 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 19 10:25:28.723150 osdx cfgd[1859]: [273452]Completed change to active configuration
Feb 19 10:25:28.735276 osdx OSDxCLI[273452]: User 'admin' committed the configuration.
Feb 19 10:25:28.742456 osdx dnscrypt-proxy[333894]: dnscrypt-proxy 2.0.45
Feb 19 10:25:28.742518 osdx dnscrypt-proxy[333894]: Network connectivity detected
Feb 19 10:25:28.742711 osdx dnscrypt-proxy[333894]: Dropping privileges
Feb 19 10:25:28.745796 osdx dnscrypt-proxy[333894]: Network connectivity detected
Feb 19 10:25:28.745832 osdx dnscrypt-proxy[333894]: Now listening to 127.0.0.1:53 [UDP]
Feb 19 10:25:28.745837 osdx dnscrypt-proxy[333894]: Now listening to 127.0.0.1:53 [TCP]
Feb 19 10:25:28.745855 osdx dnscrypt-proxy[333894]: Firefox workaround initialized
Feb 19 10:25:28.745861 osdx dnscrypt-proxy[333894]: Loading the set of cloaking rules from [/tmp/tmp7nrbsvf2]
Feb 19 10:25:28.773709 osdx OSDxCLI[273452]: User 'admin' left the configuration menu.
Feb 19 10:25:28.851238 osdx dnscrypt-proxy[333894]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Feb 19 10:25:28.851261 osdx dnscrypt-proxy[333894]: [RD] OK (DoH) - rtt: 79ms
Feb 19 10:25:28.851271 osdx dnscrypt-proxy[333894]: Server with the lowest initial latency: RD (rtt: 79ms)
Feb 19 10:25:28.851276 osdx dnscrypt-proxy[333894]: dnscrypt-proxy is ready - live servers: 1
Feb 19 10:25:28.936644 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 5
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 61e33b590507053cca7bb79fc3cc0fec356bca904a3aa16313af16399684db2e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
Output:
Feb 19 10:25:29.178592 osdx systemd-journald[2186]: Runtime Journal (/run/log/journal/69bd8e6fd19244c08e519827aa7e309f) is 2.2M, max 17.2M, 14.9M free.
Feb 19 10:25:29.181360 osdx systemd-journald[2186]: Received client request to rotate journal, rotating.
Feb 19 10:25:29.181454 osdx systemd-journald[2186]: Vacuuming done, freed 0B of archived journals from /run/log/journal/69bd8e6fd19244c08e519827aa7e309f.
Feb 19 10:25:29.189754 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'system journal clear'.
Feb 19 10:25:29.457523 osdx OSDxCLI[273452]: User 'admin' entered the configuration menu.
Feb 19 10:25:29.511715 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'delete '.
Feb 19 10:25:29.646032 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Feb 19 10:25:29.722697 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'show working'.
Feb 19 10:25:29.811609 osdx ubnt-cfgd[333965]: inactive
Feb 19 10:25:29.834638 osdx dnscrypt-proxy[333894]: Stopped.
Feb 19 10:25:29.834681 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Feb 19 10:25:29.835571 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Feb 19 10:25:29.835678 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 19 10:25:29.890326 osdx WARNING[334029]: No supported link modes on interface eth0
Feb 19 10:25:29.891787 osdx modulelauncher[334029]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Feb 19 10:25:29.891800 osdx modulelauncher[334029]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Feb 19 10:25:29.892995 osdx modulelauncher[334029]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Feb 19 10:25:29.893006 osdx modulelauncher[334029]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Feb 19 10:25:29.914685 osdx ca-certificates[334054]: Clearing symlinks in /etc/ssl/certs...
Feb 19 10:25:30.240880 osdx ca-certificates[334632]: done.
Feb 19 10:25:30.244266 osdx ca-certificates[334641]: Updating certificates in /etc/ssl/certs...
Feb 19 10:25:30.775936 osdx ubnt-cfgd[335498]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Feb 19 10:25:30.784921 osdx ca-certificates[335503]: 142 added, 0 removed; done.
Feb 19 10:25:30.787849 osdx ca-certificates[335510]: Running hooks in /etc/ca-certificates/update.d...
Feb 19 10:25:30.790654 osdx ca-certificates[335512]: done.
Feb 19 10:25:30.807280 osdx INFO[335515]: FRR daemons did not change
Feb 19 10:25:30.807608 osdx cfgd[1859]: [273452]Completed change to active configuration
Feb 19 10:25:30.825483 osdx OSDxCLI[273452]: User 'admin' committed the configuration.
Feb 19 10:25:30.841886 osdx OSDxCLI[273452]: User 'admin' left the configuration menu.
Feb 19 10:25:32.201671 osdx OSDxCLI[273452]: User 'admin' entered the configuration menu.
Feb 19 10:25:32.924635 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 19 10:25:33.003248 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Feb 19 10:25:33.106860 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Feb 19 10:25:33.162914 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Feb 19 10:25:33.264284 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 61e33b590507053cca7bb79fc3cc0fec356bca904a3aa16313af16399684db2e'.
Feb 19 10:25:33.331041 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Feb 19 10:25:33.434207 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Feb 19 10:25:33.509891 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Feb 19 10:25:33.654883 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 19 10:25:33.709976 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 19 10:25:33.834307 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'show working'.
Feb 19 10:25:33.906555 osdx ubnt-cfgd[335549]: inactive
Feb 19 10:25:33.938300 osdx INFO[335557]: FRR daemons did not change
Feb 19 10:25:33.951017 osdx ca-certificates[335573]: Updating certificates in /etc/ssl/certs...
Feb 19 10:25:34.031212 osdx systemd[1]: systemd-timedated.service: Deactivated successfully.
Feb 19 10:25:34.556501 osdx ubnt-cfgd[336587]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Feb 19 10:25:34.564637 osdx ca-certificates[336592]: 1 added, 0 removed; done.
Feb 19 10:25:34.567795 osdx ca-certificates[336599]: Running hooks in /etc/ca-certificates/update.d...
Feb 19 10:25:34.571570 osdx ca-certificates[336601]: done.
Feb 19 10:25:34.609604 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 19 10:25:34.666132 osdx WARNING[336668]: No supported link modes on interface eth0
Feb 19 10:25:34.668224 osdx modulelauncher[336668]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Feb 19 10:25:34.668240 osdx modulelauncher[336668]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Feb 19 10:25:34.670054 osdx modulelauncher[336668]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Feb 19 10:25:34.670065 osdx modulelauncher[336668]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Feb 19 10:25:34.773754 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 19 10:25:34.775125 osdx cfgd[1859]: [273452]Completed change to active configuration
Feb 19 10:25:34.791068 osdx OSDxCLI[273452]: User 'admin' committed the configuration.
Feb 19 10:25:34.798828 osdx dnscrypt-proxy[336717]: dnscrypt-proxy 2.0.45
Feb 19 10:25:34.798899 osdx dnscrypt-proxy[336717]: Network connectivity detected
Feb 19 10:25:34.799134 osdx dnscrypt-proxy[336717]: Dropping privileges
Feb 19 10:25:34.801811 osdx dnscrypt-proxy[336717]: Network connectivity detected
Feb 19 10:25:34.801846 osdx dnscrypt-proxy[336717]: Now listening to 127.0.0.1:53 [UDP]
Feb 19 10:25:34.801850 osdx dnscrypt-proxy[336717]: Now listening to 127.0.0.1:53 [TCP]
Feb 19 10:25:34.801866 osdx dnscrypt-proxy[336717]: Firefox workaround initialized
Feb 19 10:25:34.801871 osdx dnscrypt-proxy[336717]: Loading the set of cloaking rules from [/tmp/tmpe4am8p2r]
Feb 19 10:25:34.813289 osdx OSDxCLI[273452]: User 'admin' left the configuration menu.
Feb 19 10:25:34.883911 osdx dnscrypt-proxy[336717]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Feb 19 10:25:34.883934 osdx dnscrypt-proxy[336717]: [RD] OK (DoH) - rtt: 60ms
Feb 19 10:25:34.883944 osdx dnscrypt-proxy[336717]: Server with the lowest initial latency: RD (rtt: 60ms)
Feb 19 10:25:34.883950 osdx dnscrypt-proxy[336717]: dnscrypt-proxy is ready - live servers: 1
Feb 19 10:25:34.974016 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 6
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 61e33b590507053cca7bb79fc3cc0fec356bca904a3aa16313af16399684db2e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Output:
Feb 19 10:25:35.208736 osdx systemd-journald[2186]: Runtime Journal (/run/log/journal/69bd8e6fd19244c08e519827aa7e309f) is 2.2M, max 17.2M, 14.9M free.
Feb 19 10:25:35.209435 osdx systemd-journald[2186]: Received client request to rotate journal, rotating.
Feb 19 10:25:35.209480 osdx systemd-journald[2186]: Vacuuming done, freed 0B of archived journals from /run/log/journal/69bd8e6fd19244c08e519827aa7e309f.
Feb 19 10:25:35.219884 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'system journal clear'.
Feb 19 10:25:35.498818 osdx OSDxCLI[273452]: User 'admin' entered the configuration menu.
Feb 19 10:25:35.559559 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'delete '.
Feb 19 10:25:35.701531 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Feb 19 10:25:35.786294 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'show working'.
Feb 19 10:25:35.885507 osdx ubnt-cfgd[336789]: inactive
Feb 19 10:25:35.910031 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Feb 19 10:25:35.910039 osdx dnscrypt-proxy[336717]: Stopped.
Feb 19 10:25:35.910697 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Feb 19 10:25:35.910800 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 19 10:25:35.971972 osdx WARNING[336853]: No supported link modes on interface eth0
Feb 19 10:25:35.973356 osdx modulelauncher[336853]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Feb 19 10:25:35.973369 osdx modulelauncher[336853]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Feb 19 10:25:35.974618 osdx modulelauncher[336853]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Feb 19 10:25:35.974631 osdx modulelauncher[336853]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Feb 19 10:25:35.994151 osdx ca-certificates[336878]: Clearing symlinks in /etc/ssl/certs...
Feb 19 10:25:36.283587 osdx ca-certificates[337455]: done.
Feb 19 10:25:36.287760 osdx ca-certificates[337465]: Updating certificates in /etc/ssl/certs...
Feb 19 10:25:36.786715 osdx ubnt-cfgd[338322]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Feb 19 10:25:36.798088 osdx ca-certificates[338328]: 142 added, 0 removed; done.
Feb 19 10:25:36.802735 osdx ca-certificates[338334]: Running hooks in /etc/ca-certificates/update.d...
Feb 19 10:25:36.807032 osdx ca-certificates[338336]: done.
Feb 19 10:25:36.826480 osdx INFO[338339]: FRR daemons did not change
Feb 19 10:25:36.826868 osdx cfgd[1859]: [273452]Completed change to active configuration
Feb 19 10:25:36.829363 osdx OSDxCLI[273452]: User 'admin' committed the configuration.
Feb 19 10:25:36.846750 osdx OSDxCLI[273452]: User 'admin' left the configuration menu.
Feb 19 10:25:38.212835 osdx OSDxCLI[273452]: User 'admin' entered the configuration menu.
Feb 19 10:25:38.792151 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 19 10:25:38.870716 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Feb 19 10:25:38.985564 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Feb 19 10:25:39.042937 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Feb 19 10:25:39.197443 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 61e33b590507053cca7bb79fc3cc0fec356bca904a3aa16313af16399684db2e'.
Feb 19 10:25:39.262036 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Feb 19 10:25:39.408761 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Feb 19 10:25:39.523165 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Feb 19 10:25:39.654021 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 19 10:25:39.714622 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 19 10:25:39.847802 osdx OSDxCLI[273452]: User 'admin' added a new cfg line: 'show working'.
Feb 19 10:25:39.912590 osdx ubnt-cfgd[338373]: inactive
Feb 19 10:25:39.934159 osdx INFO[338381]: FRR daemons did not change
Feb 19 10:25:39.949542 osdx ca-certificates[338397]: Updating certificates in /etc/ssl/certs...
Feb 19 10:25:40.496396 osdx ubnt-cfgd[339409]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Feb 19 10:25:40.505661 osdx ca-certificates[339414]: 1 added, 0 removed; done.
Feb 19 10:25:40.509324 osdx ca-certificates[339421]: Running hooks in /etc/ca-certificates/update.d...
Feb 19 10:25:40.512229 osdx ca-certificates[339423]: done.
Feb 19 10:25:40.545383 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 19 10:25:40.594435 osdx WARNING[339490]: No supported link modes on interface eth0
Feb 19 10:25:40.595753 osdx modulelauncher[339490]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Feb 19 10:25:40.595765 osdx modulelauncher[339490]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Feb 19 10:25:40.596847 osdx modulelauncher[339490]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Feb 19 10:25:40.596855 osdx modulelauncher[339490]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Feb 19 10:25:40.705737 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 19 10:25:40.707254 osdx cfgd[1859]: [273452]Completed change to active configuration
Feb 19 10:25:40.719845 osdx OSDxCLI[273452]: User 'admin' committed the configuration.
Feb 19 10:25:40.731970 osdx dnscrypt-proxy[339539]: dnscrypt-proxy 2.0.45
Feb 19 10:25:40.732045 osdx dnscrypt-proxy[339539]: Network connectivity detected
Feb 19 10:25:40.732276 osdx dnscrypt-proxy[339539]: Dropping privileges
Feb 19 10:25:40.734848 osdx dnscrypt-proxy[339539]: Network connectivity detected
Feb 19 10:25:40.734897 osdx dnscrypt-proxy[339539]: Now listening to 127.0.0.1:53 [UDP]
Feb 19 10:25:40.734905 osdx dnscrypt-proxy[339539]: Now listening to 127.0.0.1:53 [TCP]
Feb 19 10:25:40.734926 osdx dnscrypt-proxy[339539]: Firefox workaround initialized
Feb 19 10:25:40.734931 osdx dnscrypt-proxy[339539]: Loading the set of cloaking rules from [/tmp/tmpkb_w3us_]
Feb 19 10:25:40.741176 osdx OSDxCLI[273452]: User 'admin' left the configuration menu.
Feb 19 10:25:40.830158 osdx dnscrypt-proxy[339539]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Feb 19 10:25:40.830173 osdx dnscrypt-proxy[339539]: [RD] OK (DoH) - rtt: 73ms
Feb 19 10:25:40.830183 osdx dnscrypt-proxy[339539]: Server with the lowest initial latency: RD (rtt: 73ms)
Feb 19 10:25:40.830190 osdx dnscrypt-proxy[339539]: dnscrypt-proxy is ready - live servers: 1
Feb 19 10:25:40.898127 osdx OSDxCLI[273452]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
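Step 3 in each example matches only the decimal token in the dnscrypt-proxy journal line. The following Python is an added example, not part of the original test suite: it decodes that token to its IANA cipher suite name and checks it against the `set service dns proxy cipher N algorithm ...` lines. The function names, the `WEAK_SUITES` set and the reading of `303` as hexadecimal are assumptions made here.

```python
import re

# IANA code points of the cipher suites this test suite configures.
IANA_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}
# Flagged when negotiated: static RSA key exchange (no forward secrecy), 3DES-CBC.
WEAK_SUITES = {"TLS_RSA_WITH_3DES_EDE_CBC_SHA"}

CFG_RE = re.compile(r"set service dns proxy cipher (\d+) algorithm ([A-Z0-9_]+)")
TLS_RE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[(?P<server>[^\]]+)\] TLS version: (?P<ver>[0-9a-fA-F]+)"
    r" - Protocol: (?P<alpn>\S+) - Cipher suite: (?P<suite>\d+)"
)

def configured_suites(config_text):
    """Return configured cipher names ordered by their 'cipher N' index."""
    pairs = {(int(idx), name) for idx, name in CFG_RE.findall(config_text)}
    return [name for _, name in sorted(pairs)]

def audit_negotiation(config_text, journal_text):
    """Decode each negotiated suite in the journal and compare it with the config."""
    allowed = configured_suites(config_text)
    results = []
    for m in TLS_RE.finditer(journal_text):
        code = int(m.group("suite"))  # logged in decimal, e.g. 49200
        name = IANA_SUITES.get(code, "UNKNOWN")
        results.append({
            "server": m.group("server"),
            # Assumption: the version field is hexadecimal, so "303" is 0x0303 (TLS 1.2).
            "tls_version": "0x%04X" % int(m.group("ver"), 16),
            "code": "0x%04X" % code,
            "name": name,
            "configured": name in allowed,
            "weak": name in WEAK_SUITES,
        })
    return results

# Step 1 cipher lines and the Step 3 journal line of Example 5, copied from the page.
CONFIG_EX5 = """\
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""
JOURNAL_EX5 = (
    "Feb 19 10:25:34.883911 osdx dnscrypt-proxy[336717]: "
    "[RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200\n"
)
# Constructed line (not from the page): how a fallback to cipher 1 would be logged.
JOURNAL_WEAK = (
    "Feb 19 10:30:00.000000 osdx dnscrypt-proxy[1]: "
    "[RD] TLS version: 303 - Protocol: http/1.1 - Cipher suite: 10\n"
)

if __name__ == "__main__":
    for row in audit_negotiation(CONFIG_EX5, JOURNAL_EX5 + JOURNAL_WEAK):
        print(row)
```

A row with `weak` set means the session fell back to the 3DES entry; a row with `configured` unset means the negotiated suite is not in the configured list at all.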