Cipher
Test suite to validate the use of one or multiple ciphers to protect the DoH connection
Single Valid Cipher
Description
Configures a single, valid cipher and tries to communicate with the server. No refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
-- Logs begin at Tue 2024-04-09 09:45:00 UTC, end at Tue 2024-04-09 09:45:06 UTC. --
Apr 09 09:45:00.476890 osdx systemd-journald[1044]: Runtime journal (/run/log/journal/2dc26f94a9f34e56b62b3c0d209c4be0) is 2.0M, max 16.0M, 14.0M free.
Apr 09 09:45:00.513903 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'system journal clear'.
Apr 09 09:45:01.295918 osdx osdx-coredump[6328]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Apr 09 09:45:01.306759 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'system coredump delete all'.
Apr 09 09:45:02.103859 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Apr 09 09:45:02.465802 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu.
Apr 09 09:45:02.591704 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Apr 09 09:45:02.743391 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 09 09:45:02.980382 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Apr 09 09:45:03.096640 osdx cfgd[1120]: [7130]Completed change to active configuration
Apr 09 09:45:03.161061 osdx OSDxCLI[7130]: User 'admin' committed the configuration.
Apr 09 09:45:03.195874 osdx OSDxCLI[7130]: User 'admin' left the configuration menu.
Apr 09 09:45:03.477301 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Apr 09 09:45:03.781668 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu.
Apr 09 09:45:03.900865 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Apr 09 09:45:04.005643 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Apr 09 09:45:04.166050 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Apr 09 09:45:04.277983 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Apr 09 09:45:04.415298 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Apr 09 09:45:04.554698 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Apr 09 09:45:04.670084 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Apr 09 09:45:04.813851 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Apr 09 09:45:05.019146 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 09 09:45:05.227763 osdx ca-certificates[6448]: Updating certificates in /etc/ssl/certs...
Apr 09 09:45:05.973559 osdx ca-certificates[7437]: 1 added, 0 removed; done.
Apr 09 09:45:05.978074 osdx ca-certificates[7443]: Running hooks in /etc/ca-certificates/update.d...
Apr 09 09:45:05.982502 osdx ca-certificates[7445]: done.
Apr 09 09:45:06.051801 osdx systemd[1]: Started DNSCrypt client proxy.
Apr 09 09:45:06.054714 osdx cfgd[1120]: [7130]Completed change to active configuration
Apr 09 09:45:06.058373 osdx OSDxCLI[7130]: User 'admin' committed the configuration.
Apr 09 09:45:06.081824 osdx dnscrypt-proxy[7449]: dnscrypt-proxy 2.0.45
Apr 09 09:45:06.081916 osdx dnscrypt-proxy[7449]: Network connectivity detected
Apr 09 09:45:06.082327 osdx dnscrypt-proxy[7449]: Dropping privileges
Apr 09 09:45:06.085543 osdx dnscrypt-proxy[7449]: Network connectivity detected
Apr 09 09:45:06.085601 osdx dnscrypt-proxy[7449]: Now listening to 127.0.0.1:53 [UDP]
Apr 09 09:45:06.085611 osdx dnscrypt-proxy[7449]: Now listening to 127.0.0.1:53 [TCP]
Apr 09 09:45:06.085651 osdx dnscrypt-proxy[7449]: Firefox workaround initialized
Apr 09 09:45:06.085662 osdx dnscrypt-proxy[7449]: Loading the set of cloaking rules from [/tmp/tmpCWdF2L]
Apr 09 09:45:06.100418 osdx OSDxCLI[7130]: User 'admin' left the configuration menu.
Apr 09 09:45:06.249947 osdx dnscrypt-proxy[7449]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Apr 09 09:45:06.249993 osdx dnscrypt-proxy[7449]: [RD] OK (DoH) - rtt: 124ms
Apr 09 09:45:06.250009 osdx dnscrypt-proxy[7449]: Server with the lowest initial latency: RD (rtt: 124ms)
Apr 09 09:45:06.250019 osdx dnscrypt-proxy[7449]: dnscrypt-proxy is ready - live servers: 1
Apr 09 09:45:06.292360 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Multiple Valid Cipher
Description
Configures a valid cipher each time, and tries to communicate with the server. No refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
-- Logs begin at Tue 2024-04-09 09:45:20 UTC, end at Tue 2024-04-09 09:45:25 UTC. --
Apr 09 09:45:20.385141 osdx systemd-journald[1044]: Runtime journal (/run/log/journal/2dc26f94a9f34e56b62b3c0d209c4be0) is 2.0M, max 16.0M, 14.0M free.
Apr 09 09:45:20.414911 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'system journal clear'.
Apr 09 09:45:21.094653 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Apr 09 09:45:21.095613 osdx osdx-coredump[9077]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Apr 09 09:45:21.107090 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'system coredump delete all'.
Apr 09 09:45:22.143227 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu.
Apr 09 09:45:22.291865 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Apr 09 09:45:22.393102 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 09 09:45:22.570395 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Apr 09 09:45:22.662169 osdx cfgd[1120]: [7130]Completed change to active configuration
Apr 09 09:45:22.712065 osdx OSDxCLI[7130]: User 'admin' committed the configuration.
Apr 09 09:45:22.768098 osdx OSDxCLI[7130]: User 'admin' left the configuration menu.
Apr 09 09:45:22.952226 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Apr 09 09:45:23.147746 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu.
Apr 09 09:45:23.252787 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Apr 09 09:45:23.362382 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Apr 09 09:45:23.533818 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Apr 09 09:45:23.689292 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Apr 09 09:45:23.847814 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Apr 09 09:45:24.010321 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Apr 09 09:45:24.139948 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Apr 09 09:45:24.292746 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Apr 09 09:45:24.411231 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 09 09:45:24.604624 osdx ca-certificates[9192]: Updating certificates in /etc/ssl/certs...
Apr 09 09:45:25.366881 osdx ca-certificates[10175]: 1 added, 0 removed; done.
Apr 09 09:45:25.371666 osdx ca-certificates[10182]: Running hooks in /etc/ca-certificates/update.d...
Apr 09 09:45:25.377476 osdx ca-certificates[10184]: done.
Apr 09 09:45:25.453090 osdx systemd[1]: Started DNSCrypt client proxy.
Apr 09 09:45:25.455838 osdx cfgd[1120]: [7130]Completed change to active configuration
Apr 09 09:45:25.459848 osdx OSDxCLI[7130]: User 'admin' committed the configuration.
Apr 09 09:45:25.486607 osdx dnscrypt-proxy[10188]: dnscrypt-proxy 2.0.45
Apr 09 09:45:25.486704 osdx dnscrypt-proxy[10188]: Network connectivity detected
Apr 09 09:45:25.487167 osdx dnscrypt-proxy[10188]: Dropping privileges
Apr 09 09:45:25.491204 osdx dnscrypt-proxy[10188]: Network connectivity detected
Apr 09 09:45:25.491258 osdx dnscrypt-proxy[10188]: Now listening to 127.0.0.1:53 [UDP]
Apr 09 09:45:25.491267 osdx dnscrypt-proxy[10188]: Now listening to 127.0.0.1:53 [TCP]
Apr 09 09:45:25.491298 osdx dnscrypt-proxy[10188]: Firefox workaround initialized
Apr 09 09:45:25.491307 osdx dnscrypt-proxy[10188]: Loading the set of cloaking rules from [/tmp/tmp7LRu5y]
Apr 09 09:45:25.499968 osdx OSDxCLI[7130]: User 'admin' left the configuration menu.
Apr 09 09:45:25.665594 osdx dnscrypt-proxy[10188]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Apr 09 09:45:25.665628 osdx dnscrypt-proxy[10188]: [RD] OK (DoH) - rtt: 125ms
Apr 09 09:45:25.665645 osdx dnscrypt-proxy[10188]: Server with the lowest initial latency: RD (rtt: 125ms)
Apr 09 09:45:25.665656 osdx dnscrypt-proxy[10188]: dnscrypt-proxy is ready - live servers: 1
Apr 09 09:45:25.690859 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 2
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
Output:
-- Logs begin at Tue 2024-04-09 09:45:26 UTC, end at Tue 2024-04-09 09:45:32 UTC. --
Apr 09 09:45:26.019519 osdx systemd-journald[1044]: Runtime journal (/run/log/journal/2dc26f94a9f34e56b62b3c0d209c4be0) is 2.0M, max 16.0M, 14.0M free.
Apr 09 09:45:26.049242 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'system journal clear'.
Apr 09 09:45:26.101413 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Apr 09 09:45:26.493196 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu.
Apr 09 09:45:26.587225 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'delete'.
Apr 09 09:45:26.743146 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Apr 09 09:45:26.879460 osdx dnscrypt-proxy[10188]: Stopped.
Apr 09 09:45:26.879545 osdx systemd[1]: Stopping DNSCrypt client proxy...
Apr 09 09:45:26.881024 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Apr 09 09:45:26.881353 osdx systemd[1]: Stopped DNSCrypt client proxy.
Apr 09 09:45:27.003189 osdx ca-certificates[10265]: Clearing symlinks in /etc/ssl/certs...
Apr 09 09:45:27.420902 osdx ca-certificates[10823]: done.
Apr 09 09:45:27.427851 osdx ca-certificates[10832]: Updating certificates in /etc/ssl/certs...
Apr 09 09:45:28.063005 osdx ca-certificates[11666]: 137 added, 0 removed; done.
Apr 09 09:45:28.069501 osdx ca-certificates[11673]: Running hooks in /etc/ca-certificates/update.d...
Apr 09 09:45:28.075961 osdx ca-certificates[11675]: done.
Apr 09 09:45:28.139181 osdx cfgd[1120]: [7130]Completed change to active configuration
Apr 09 09:45:28.144311 osdx OSDxCLI[7130]: User 'admin' committed the configuration.
Apr 09 09:45:28.187326 osdx OSDxCLI[7130]: User 'admin' left the configuration menu.
Apr 09 09:45:28.225047 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Apr 09 09:45:29.804682 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu.
Apr 09 09:45:29.915438 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Apr 09 09:45:30.019807 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Apr 09 09:45:30.137023 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Apr 09 09:45:30.250945 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Apr 09 09:45:30.371780 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Apr 09 09:45:30.469958 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Apr 09 09:45:30.590956 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Apr 09 09:45:30.725908 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Apr 09 09:45:30.817519 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 09 09:45:30.989400 osdx ca-certificates[11719]: Updating certificates in /etc/ssl/certs...
Apr 09 09:45:31.757047 osdx ca-certificates[12704]: 1 added, 0 removed; done.
Apr 09 09:45:31.761742 osdx ca-certificates[12710]: Running hooks in /etc/ca-certificates/update.d...
Apr 09 09:45:31.766494 osdx ca-certificates[12712]: done.
Apr 09 09:45:31.786379 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Apr 09 09:45:31.978670 osdx systemd[1]: Started DNSCrypt client proxy.
Apr 09 09:45:31.981541 osdx cfgd[1120]: [7130]Completed change to active configuration
Apr 09 09:45:31.993936 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Apr 09 09:45:32.010434 osdx dnscrypt-proxy[12749]: dnscrypt-proxy 2.0.45
Apr 09 09:45:32.010531 osdx dnscrypt-proxy[12749]: Network connectivity detected
Apr 09 09:45:32.011019 osdx dnscrypt-proxy[12749]: Dropping privileges
Apr 09 09:45:32.014629 osdx dnscrypt-proxy[12749]: Network connectivity detected
Apr 09 09:45:32.014687 osdx dnscrypt-proxy[12749]: Now listening to 127.0.0.1:53 [UDP]
Apr 09 09:45:32.014697 osdx dnscrypt-proxy[12749]: Now listening to 127.0.0.1:53 [TCP]
Apr 09 09:45:32.014730 osdx dnscrypt-proxy[12749]: Firefox workaround initialized
Apr 09 09:45:32.014739 osdx dnscrypt-proxy[12749]: Loading the set of cloaking rules from [/tmp/tmpo9RdCJ]
Apr 09 09:45:32.042592 osdx OSDxCLI[7130]: User 'admin' committed the configuration.
Apr 09 09:45:32.076890 osdx OSDxCLI[7130]: User 'admin' left the configuration menu.
Apr 09 09:45:32.186790 osdx dnscrypt-proxy[12749]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Apr 09 09:45:32.186822 osdx dnscrypt-proxy[12749]: [RD] OK (DoH) - rtt: 125ms
Apr 09 09:45:32.186836 osdx dnscrypt-proxy[12749]: Server with the lowest initial latency: RD (rtt: 125ms)
Apr 09 09:45:32.186845 osdx dnscrypt-proxy[12749]: dnscrypt-proxy is ready - live servers: 1
Apr 09 09:45:32.271239 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 3
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Output:
-- Logs begin at Tue 2024-04-09 09:45:32 UTC, end at Tue 2024-04-09 09:45:38 UTC. --
Apr 09 09:45:32.546694 osdx systemd-journald[1044]: Runtime journal (/run/log/journal/2dc26f94a9f34e56b62b3c0d209c4be0) is 2.0M, max 16.0M, 14.0M free.
Apr 09 09:45:32.584838 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'system journal clear'.
Apr 09 09:45:33.046030 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu.
Apr 09 09:45:33.170365 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'delete'.
Apr 09 09:45:33.325138 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Apr 09 09:45:33.450170 osdx dnscrypt-proxy[12749]: Stopped.
Apr 09 09:45:33.450246 osdx systemd[1]: Stopping DNSCrypt client proxy...
Apr 09 09:45:33.451494 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Apr 09 09:45:33.451830 osdx systemd[1]: Stopped DNSCrypt client proxy.
Apr 09 09:45:33.562764 osdx ca-certificates[12843]: Clearing symlinks in /etc/ssl/certs...
Apr 09 09:45:33.964611 osdx ca-certificates[13400]: done.
Apr 09 09:45:33.971893 osdx ca-certificates[13411]: Updating certificates in /etc/ssl/certs...
Apr 09 09:45:34.581431 osdx ca-certificates[14243]: 137 added, 0 removed; done.
Apr 09 09:45:34.587153 osdx ca-certificates[14250]: Running hooks in /etc/ca-certificates/update.d...
Apr 09 09:45:34.591833 osdx ca-certificates[14252]: done.
Apr 09 09:45:34.639152 osdx cfgd[1120]: [7130]Completed change to active configuration
Apr 09 09:45:34.642632 osdx OSDxCLI[7130]: User 'admin' committed the configuration.
Apr 09 09:45:34.669556 osdx OSDxCLI[7130]: User 'admin' left the configuration menu.
Apr 09 09:45:36.095681 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Apr 09 09:45:36.171475 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu.
Apr 09 09:45:36.282543 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Apr 09 09:45:36.407244 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Apr 09 09:45:36.577208 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Apr 09 09:45:36.689776 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Apr 09 09:45:36.834608 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Apr 09 09:45:36.953443 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Apr 09 09:45:37.059728 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Apr 09 09:45:37.172978 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Apr 09 09:45:37.290206 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 09 09:45:37.465535 osdx ca-certificates[14299]: Updating certificates in /etc/ssl/certs...
Apr 09 09:45:38.251488 osdx ca-certificates[15280]: 1 added, 0 removed; done.
Apr 09 09:45:38.257578 osdx ca-certificates[15287]: Running hooks in /etc/ca-certificates/update.d...
Apr 09 09:45:38.265050 osdx ca-certificates[15289]: done.
Apr 09 09:45:38.294372 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Apr 09 09:45:38.507363 osdx systemd[1]: Started DNSCrypt client proxy.
Apr 09 09:45:38.509951 osdx cfgd[1120]: [7130]Completed change to active configuration
Apr 09 09:45:38.535061 osdx dnscrypt-proxy[15326]: dnscrypt-proxy 2.0.45
Apr 09 09:45:38.535155 osdx dnscrypt-proxy[15326]: Network connectivity detected
Apr 09 09:45:38.535608 osdx dnscrypt-proxy[15326]: Dropping privileges
Apr 09 09:45:38.538919 osdx dnscrypt-proxy[15326]: Network connectivity detected
Apr 09 09:45:38.538962 osdx dnscrypt-proxy[15326]: Now listening to 127.0.0.1:53 [UDP]
Apr 09 09:45:38.538969 osdx dnscrypt-proxy[15326]: Now listening to 127.0.0.1:53 [TCP]
Apr 09 09:45:38.539003 osdx dnscrypt-proxy[15326]: Firefox workaround initialized
Apr 09 09:45:38.539009 osdx dnscrypt-proxy[15326]: Loading the set of cloaking rules from [/tmp/tmptd1qMJ]
Apr 09 09:45:38.556259 osdx OSDxCLI[7130]: User 'admin' committed the configuration.
Apr 09 09:45:38.602439 osdx OSDxCLI[7130]: User 'admin' left the configuration menu.
Apr 09 09:45:38.709234 osdx dnscrypt-proxy[15326]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Apr 09 09:45:38.709444 osdx dnscrypt-proxy[15326]: [RD] OK (DoH) - rtt: 118ms
Apr 09 09:45:38.709534 osdx dnscrypt-proxy[15326]: Server with the lowest initial latency: RD (rtt: 118ms)
Apr 09 09:45:38.709616 osdx dnscrypt-proxy[15326]: dnscrypt-proxy is ready - live servers: 1
Apr 09 09:45:38.784383 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Single Invalid Cipher
Description
Configures a single, invalid cipher and tries to communicate with the server. A refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
-- Logs begin at Tue 2024-04-09 09:45:48 UTC, end at Tue 2024-04-09 09:45:53 UTC. --
Apr 09 09:45:48.456237 osdx systemd-journald[1044]: Runtime journal (/run/log/journal/2dc26f94a9f34e56b62b3c0d209c4be0) is 2.0M, max 16.0M, 14.0M free.
Apr 09 09:45:48.489975 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'system journal clear'.
Apr 09 09:45:49.246192 osdx osdx-coredump[16970]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Apr 09 09:45:49.254567 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'system coredump delete all'.
Apr 09 09:45:50.217157 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu.
Apr 09 09:45:50.339096 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Apr 09 09:45:50.470617 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 09 09:45:50.612778 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Apr 09 09:45:50.725791 osdx cfgd[1120]: [7130]Completed change to active configuration
Apr 09 09:45:50.782598 osdx OSDxCLI[7130]: User 'admin' committed the configuration.
Apr 09 09:45:50.831888 osdx OSDxCLI[7130]: User 'admin' left the configuration menu.
Apr 09 09:45:51.027005 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Apr 09 09:45:51.074120 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Apr 09 09:45:51.244558 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu.
Apr 09 09:45:51.359363 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Apr 09 09:45:51.470112 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Apr 09 09:45:51.595993 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Apr 09 09:45:51.684076 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Apr 09 09:45:51.821806 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Apr 09 09:45:51.917878 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Apr 09 09:45:52.009816 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Apr 09 09:45:52.132599 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Apr 09 09:45:52.221557 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 09 09:45:52.382947 osdx ca-certificates[17085]: Updating certificates in /etc/ssl/certs...
Apr 09 09:45:53.155152 osdx ca-certificates[18071]: 1 added, 0 removed; done.
Apr 09 09:45:53.161502 osdx ca-certificates[18077]: Running hooks in /etc/ca-certificates/update.d...
Apr 09 09:45:53.165999 osdx ca-certificates[18079]: done.
Apr 09 09:45:53.261778 osdx systemd[1]: Started DNSCrypt client proxy.
Apr 09 09:45:53.264906 osdx cfgd[1120]: [7130]Completed change to active configuration
Apr 09 09:45:53.269283 osdx OSDxCLI[7130]: User 'admin' committed the configuration.
Apr 09 09:45:53.292702 osdx dnscrypt-proxy[18083]: dnscrypt-proxy 2.0.45
Apr 09 09:45:53.292824 osdx dnscrypt-proxy[18083]: Network connectivity detected
Apr 09 09:45:53.293305 osdx dnscrypt-proxy[18083]: Dropping privileges
Apr 09 09:45:53.298529 osdx dnscrypt-proxy[18083]: Network connectivity detected
Apr 09 09:45:53.298596 osdx dnscrypt-proxy[18083]: Now listening to 127.0.0.1:53 [UDP]
Apr 09 09:45:53.298607 osdx dnscrypt-proxy[18083]: Now listening to 127.0.0.1:53 [TCP]
Apr 09 09:45:53.298643 osdx dnscrypt-proxy[18083]: Firefox workaround initialized
Apr 09 09:45:53.298652 osdx dnscrypt-proxy[18083]: Loading the set of cloaking rules from [/tmp/tmpqE9VYV]
Apr 09 09:45:53.298928 osdx OSDxCLI[7130]: User 'admin' left the configuration menu.
Apr 09 09:45:53.299754 osdx dnscrypt-proxy[18083]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Multiple Invalid Cipher
Description
Configures either one or two invalid ciphers and tries to communicate with the server. A refusal of all proposed ciphers is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
-- Logs begin at Tue 2024-04-09 09:46:03 UTC, end at Tue 2024-04-09 09:46:09 UTC. --
Apr 09 09:46:03.394550 osdx systemd-journald[1044]: Runtime journal (/run/log/journal/2dc26f94a9f34e56b62b3c0d209c4be0) is 2.0M, max 16.0M, 14.0M free.
Apr 09 09:46:03.432385 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'system journal clear'.
Apr 09 09:46:04.152715 osdx osdx-coredump[19708]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Apr 09 09:46:04.162316 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'system coredump delete all'.
Apr 09 09:46:05.174713 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu.
Apr 09 09:46:05.316879 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Apr 09 09:46:05.488937 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 09 09:46:05.650313 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Apr 09 09:46:05.759768 osdx cfgd[1120]: [7130]Completed change to active configuration
Apr 09 09:46:05.813934 osdx OSDxCLI[7130]: User 'admin' committed the configuration.
Apr 09 09:46:05.848535 osdx OSDxCLI[7130]: User 'admin' left the configuration menu.
Apr 09 09:46:06.065982 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Apr 09 09:46:06.131734 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Apr 09 09:46:06.349462 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu.
Apr 09 09:46:06.479716 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Apr 09 09:46:06.592730 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Apr 09 09:46:06.735959 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Apr 09 09:46:06.861192 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Apr 09 09:46:07.007118 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Apr 09 09:46:07.213235 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Apr 09 09:46:07.337658 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Apr 09 09:46:07.525335 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Apr 09 09:46:07.716048 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 09 09:46:07.930265 osdx ca-certificates[19823]: Updating certificates in /etc/ssl/certs...
Apr 09 09:46:08.897414 osdx ca-certificates[20807]: 1 added, 0 removed; done.
Apr 09 09:46:08.908881 osdx ca-certificates[20813]: Running hooks in /etc/ca-certificates/update.d...
Apr 09 09:46:08.916573 osdx ca-certificates[20815]: done.
Apr 09 09:46:09.009829 osdx systemd[1]: Started DNSCrypt client proxy.
Apr 09 09:46:09.013086 osdx cfgd[1120]: [7130]Completed change to active configuration
Apr 09 09:46:09.020312 osdx OSDxCLI[7130]: User 'admin' committed the configuration.
Apr 09 09:46:09.062610 osdx dnscrypt-proxy[20819]: dnscrypt-proxy 2.0.45
Apr 09 09:46:09.062725 osdx dnscrypt-proxy[20819]: Network connectivity detected
Apr 09 09:46:09.063162 osdx dnscrypt-proxy[20819]: Dropping privileges
Apr 09 09:46:09.071991 osdx dnscrypt-proxy[20819]: Network connectivity detected
Apr 09 09:46:09.072064 osdx dnscrypt-proxy[20819]: Now listening to 127.0.0.1:53 [UDP]
Apr 09 09:46:09.072074 osdx dnscrypt-proxy[20819]: Now listening to 127.0.0.1:53 [TCP]
Apr 09 09:46:09.072123 osdx dnscrypt-proxy[20819]: Firefox workaround initialized
Apr 09 09:46:09.072133 osdx dnscrypt-proxy[20819]: Loading the set of cloaking rules from [/tmp/tmpzpGc3f]
Apr 09 09:46:09.073307 osdx dnscrypt-proxy[20819]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Apr 09 09:46:09.085786 osdx OSDxCLI[7130]: User 'admin' left the configuration menu.
Apr 09 09:46:09.247681 osdx dnscrypt-proxy[20819]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Apr 09 09:46:09.247726 osdx dnscrypt-proxy[20819]: [RD] OK (DoH) - rtt: 139ms
Apr 09 09:46:09.247739 osdx dnscrypt-proxy[20819]: Server with the lowest initial latency: RD (rtt: 139ms)
Apr 09 09:46:09.247748 osdx dnscrypt-proxy[20819]: dnscrypt-proxy is ready - live servers: 1
Example 2
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
-- Logs begin at Tue 2024-04-09 09:46:09 UTC, end at Tue 2024-04-09 09:46:16 UTC. -- Apr 09 09:46:09.523117 osdx systemd-journald[1044]: Runtime journal (/run/log/journal/2dc26f94a9f34e56b62b3c0d209c4be0) is 2.0M, max 16.0M, 14.0M free. Apr 09 09:46:09.575217 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'system journal clear'. Apr 09 09:46:10.051182 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu. Apr 09 09:46:10.157527 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'delete'. Apr 09 09:46:10.325416 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. Apr 09 09:46:10.470920 osdx dnscrypt-proxy[20819]: Stopped. Apr 09 09:46:10.470944 osdx systemd[1]: Stopping DNSCrypt client proxy... Apr 09 09:46:10.478056 osdx systemd[1]: dnscrypt-proxy.service: Succeeded. Apr 09 09:46:10.478427 osdx systemd[1]: Stopped DNSCrypt client proxy. Apr 09 09:46:10.628582 osdx ca-certificates[20892]: Clearing symlinks in /etc/ssl/certs... Apr 09 09:46:11.091690 osdx ca-certificates[21450]: done. Apr 09 09:46:11.099051 osdx ca-certificates[21455]: Updating certificates in /etc/ssl/certs... Apr 09 09:46:11.134712 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]): Apr 09 09:46:11.786156 osdx ca-certificates[22294]: 137 added, 0 removed; done. Apr 09 09:46:11.795540 osdx ca-certificates[22298]: Running hooks in /etc/ca-certificates/update.d... Apr 09 09:46:11.801785 osdx ca-certificates[22301]: done. Apr 09 09:46:11.859596 osdx cfgd[1120]: [7130]Completed change to active configuration Apr 09 09:46:11.863899 osdx OSDxCLI[7130]: User 'admin' committed the configuration. Apr 09 09:46:11.895391 osdx OSDxCLI[7130]: User 'admin' left the configuration menu. 
Apr 09 09:46:13.263811 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]): Apr 09 09:46:13.685563 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu. Apr 09 09:46:13.816770 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. Apr 09 09:46:13.967770 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Apr 09 09:46:14.145729 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Apr 09 09:46:14.244927 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. Apr 09 09:46:14.356658 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'. Apr 09 09:46:14.557978 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'. Apr 09 09:46:14.719602 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Apr 09 09:46:14.862524 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Apr 09 09:46:14.961529 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Apr 09 09:46:15.164907 osdx ca-certificates[22345]: Updating certificates in /etc/ssl/certs... Apr 09 09:46:16.205272 osdx ca-certificates[23331]: 1 added, 0 removed; done. Apr 09 09:46:16.211028 osdx ca-certificates[23338]: Running hooks in /etc/ca-certificates/update.d... Apr 09 09:46:16.216632 osdx ca-certificates[23340]: done. 
Apr 09 09:46:16.242354 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Apr 09 09:46:16.418020 osdx systemd[1]: Started DNSCrypt client proxy. Apr 09 09:46:16.421426 osdx cfgd[1120]: [7130]Completed change to active configuration Apr 09 09:46:16.448114 osdx dnscrypt-proxy[23377]: dnscrypt-proxy 2.0.45 Apr 09 09:46:16.448233 osdx dnscrypt-proxy[23377]: Network connectivity detected Apr 09 09:46:16.448721 osdx dnscrypt-proxy[23377]: Dropping privileges Apr 09 09:46:16.451954 osdx dnscrypt-proxy[23377]: Network connectivity detected Apr 09 09:46:16.452015 osdx dnscrypt-proxy[23377]: Now listening to 127.0.0.1:53 [UDP] Apr 09 09:46:16.452025 osdx dnscrypt-proxy[23377]: Now listening to 127.0.0.1:53 [TCP] Apr 09 09:46:16.452061 osdx dnscrypt-proxy[23377]: Firefox workaround initialized Apr 09 09:46:16.452071 osdx dnscrypt-proxy[23377]: Loading the set of cloaking rules from [/tmp/tmpkrDltf] Apr 09 09:46:16.453350 osdx dnscrypt-proxy[23377]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file Apr 09 09:46:16.485770 osdx OSDxCLI[7130]: User 'admin' committed the configuration. Apr 09 09:46:16.540276 osdx OSDxCLI[7130]: User 'admin' left the configuration menu. Apr 09 09:46:16.633344 osdx dnscrypt-proxy[23377]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392 Apr 09 09:46:16.633380 osdx dnscrypt-proxy[23377]: [RD] OK (DoH) - rtt: 131ms Apr 09 09:46:16.633398 osdx dnscrypt-proxy[23377]: Server with the lowest initial latency: RD (rtt: 131ms) Apr 09 09:46:16.633407 osdx dnscrypt-proxy[23377]: dnscrypt-proxy is ready - live servers: 1
Example 3
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
-- Logs begin at Tue 2024-04-09 09:46:16 UTC, end at Tue 2024-04-09 09:46:24 UTC. -- Apr 09 09:46:16.952702 osdx systemd-journald[1044]: Runtime journal (/run/log/journal/2dc26f94a9f34e56b62b3c0d209c4be0) is 2.0M, max 16.0M, 14.0M free. Apr 09 09:46:16.978683 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'system journal clear'. Apr 09 09:46:17.033406 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]): Apr 09 09:46:17.526953 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu. Apr 09 09:46:17.651921 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'delete'. Apr 09 09:46:17.782636 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. Apr 09 09:46:17.962304 osdx dnscrypt-proxy[23377]: Stopped. Apr 09 09:46:17.962830 osdx systemd[1]: Stopping DNSCrypt client proxy... Apr 09 09:46:17.970886 osdx systemd[1]: dnscrypt-proxy.service: Succeeded. Apr 09 09:46:17.971426 osdx systemd[1]: Stopped DNSCrypt client proxy. Apr 09 09:46:18.108337 osdx ca-certificates[23465]: Clearing symlinks in /etc/ssl/certs... Apr 09 09:46:18.620129 osdx ca-certificates[24023]: done. Apr 09 09:46:18.627216 osdx ca-certificates[24028]: Updating certificates in /etc/ssl/certs... Apr 09 09:46:19.487842 osdx ca-certificates[24866]: 137 added, 0 removed; done. Apr 09 09:46:19.494964 osdx ca-certificates[24872]: Running hooks in /etc/ca-certificates/update.d... Apr 09 09:46:19.501832 osdx ca-certificates[24875]: done. Apr 09 09:46:19.561432 osdx cfgd[1120]: [7130]Completed change to active configuration Apr 09 09:46:19.567804 osdx OSDxCLI[7130]: User 'admin' committed the configuration. Apr 09 09:46:19.608436 osdx OSDxCLI[7130]: User 'admin' left the configuration menu. 
Apr 09 09:46:21.132798 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]): Apr 09 09:46:21.569867 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu. Apr 09 09:46:21.724593 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. Apr 09 09:46:21.908239 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Apr 09 09:46:22.065733 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Apr 09 09:46:22.221891 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. Apr 09 09:46:22.360022 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'. Apr 09 09:46:22.473775 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. Apr 09 09:46:22.613836 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'. Apr 09 09:46:22.775832 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Apr 09 09:46:22.944634 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Apr 09 09:46:23.057768 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Apr 09 09:46:23.277418 osdx ca-certificates[24920]: Updating certificates in /etc/ssl/certs... Apr 09 09:46:24.216154 osdx ca-certificates[25903]: 1 added, 0 removed; done. Apr 09 09:46:24.221250 osdx ca-certificates[25910]: Running hooks in /etc/ca-certificates/update.d... 
Apr 09 09:46:24.226405 osdx ca-certificates[25912]: done. Apr 09 09:46:24.254319 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Apr 09 09:46:24.531668 osdx systemd[1]: Started DNSCrypt client proxy. Apr 09 09:46:24.562811 osdx cfgd[1120]: [7130]Completed change to active configuration Apr 09 09:46:24.597444 osdx dnscrypt-proxy[25949]: dnscrypt-proxy 2.0.45 Apr 09 09:46:24.597548 osdx dnscrypt-proxy[25949]: Network connectivity detected Apr 09 09:46:24.598052 osdx dnscrypt-proxy[25949]: Dropping privileges Apr 09 09:46:24.641647 osdx dnscrypt-proxy[25949]: Network connectivity detected Apr 09 09:46:24.642057 osdx dnscrypt-proxy[25949]: Now listening to 127.0.0.1:53 [UDP] Apr 09 09:46:24.642154 osdx dnscrypt-proxy[25949]: Now listening to 127.0.0.1:53 [TCP] Apr 09 09:46:24.642272 osdx dnscrypt-proxy[25949]: Firefox workaround initialized Apr 09 09:46:24.642394 osdx dnscrypt-proxy[25949]: Loading the set of cloaking rules from [/tmp/tmpTKWpgt] Apr 09 09:46:24.649856 osdx dnscrypt-proxy[25949]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file Apr 09 09:46:24.685314 osdx OSDxCLI[7130]: User 'admin' committed the configuration. Apr 09 09:46:24.745858 osdx OSDxCLI[7130]: User 'admin' left the configuration menu. Apr 09 09:46:24.855363 osdx dnscrypt-proxy[25949]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392 Apr 09 09:46:24.855389 osdx dnscrypt-proxy[25949]: [RD] OK (DoH) - rtt: 120ms Apr 09 09:46:24.855402 osdx dnscrypt-proxy[25949]: Server with the lowest initial latency: RD (rtt: 120ms) Apr 09 09:46:24.855412 osdx dnscrypt-proxy[25949]: dnscrypt-proxy is ready - live servers: 1
Invalid Cipher With Fallback
Description
Configures an invalid cipher together with a valid fallback cipher, then tries to communicate with the server. The connection is not expected to be refused, provided the valid cipher is the one that ends up being used.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
-- Logs begin at Tue 2024-04-09 09:46:35 UTC, end at Tue 2024-04-09 09:46:47 UTC. -- Apr 09 09:46:35.000456 osdx systemd-timedated[27558]: Changed local time to Tue Apr 9 09:46:35 2024 Apr 09 09:46:35.016911 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'set date 2024-04-09 09:46:35'. Apr 09 09:46:35.571692 osdx systemd-journald[1044]: Runtime journal (/run/log/journal/2dc26f94a9f34e56b62b3c0d209c4be0) is 4.0M, max 16.0M, 11.9M free. Apr 09 09:46:35.593374 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'system journal clear'. Apr 09 09:46:35.949573 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]): Apr 09 09:46:36.334737 osdx osdx-coredump[27591]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... Apr 09 09:46:36.343016 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'system coredump delete all'. Apr 09 09:46:37.386941 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu. Apr 09 09:46:37.534527 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Apr 09 09:46:37.628916 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Apr 09 09:46:37.929985 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Apr 09 09:46:38.141777 osdx cfgd[1120]: [7130]Completed change to active configuration Apr 09 09:46:38.199198 osdx OSDxCLI[7130]: User 'admin' committed the configuration. Apr 09 09:46:38.288928 osdx OSDxCLI[7130]: User 'admin' left the configuration menu. Apr 09 09:46:38.501379 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. Apr 09 09:46:38.740495 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu. Apr 09 09:46:38.841417 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. 
Apr 09 09:46:38.981717 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Apr 09 09:46:39.113345 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Apr 09 09:46:39.219169 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. Apr 09 09:46:39.374069 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'. Apr 09 09:46:39.524988 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. Apr 09 09:46:39.679744 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'. Apr 09 09:46:39.826159 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Apr 09 09:46:39.966592 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Apr 09 09:46:40.094381 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Apr 09 09:46:40.273543 osdx ca-certificates[27708]: Updating certificates in /etc/ssl/certs... Apr 09 09:46:40.947991 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]): Apr 09 09:46:41.213360 osdx ca-certificates[28693]: 1 added, 0 removed; done. Apr 09 09:46:41.220667 osdx ca-certificates[28699]: Running hooks in /etc/ca-certificates/update.d... Apr 09 09:46:41.225872 osdx ca-certificates[28701]: done. Apr 09 09:46:41.320361 osdx systemd[1]: Started DNSCrypt client proxy. 
Apr 09 09:46:41.334532 osdx cfgd[1120]: [7130]Completed change to active configuration Apr 09 09:46:41.340427 osdx OSDxCLI[7130]: User 'admin' committed the configuration. Apr 09 09:46:41.347443 osdx dnscrypt-proxy[28705]: dnscrypt-proxy 2.0.45 Apr 09 09:46:41.347550 osdx dnscrypt-proxy[28705]: Network connectivity detected Apr 09 09:46:41.347987 osdx dnscrypt-proxy[28705]: Dropping privileges Apr 09 09:46:41.351513 osdx dnscrypt-proxy[28705]: Network connectivity detected Apr 09 09:46:41.351572 osdx dnscrypt-proxy[28705]: Now listening to 127.0.0.1:53 [UDP] Apr 09 09:46:41.351579 osdx dnscrypt-proxy[28705]: Now listening to 127.0.0.1:53 [TCP] Apr 09 09:46:41.351607 osdx dnscrypt-proxy[28705]: Firefox workaround initialized Apr 09 09:46:41.351613 osdx dnscrypt-proxy[28705]: Loading the set of cloaking rules from [/tmp/tmp4VccBh] Apr 09 09:46:41.391162 osdx OSDxCLI[7130]: User 'admin' left the configuration menu. Apr 09 09:46:41.784545 osdx dnscrypt-proxy[28705]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199 Apr 09 09:46:41.784575 osdx dnscrypt-proxy[28705]: [RD] OK (DoH) - rtt: 338ms Apr 09 09:46:41.784592 osdx dnscrypt-proxy[28705]: Server with the lowest initial latency: RD (rtt: 338ms) Apr 09 09:46:41.784603 osdx dnscrypt-proxy[28705]: dnscrypt-proxy is ready - live servers: 1 Apr 09 09:46:43.086816 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]): Apr 09 09:46:46.847025 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]): Apr 09 09:46:47.650749 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 2
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
Output:
-- Logs begin at Tue 2024-04-09 09:46:48 UTC, end at Tue 2024-04-09 09:46:56 UTC. -- Apr 09 09:46:48.099307 osdx systemd-journald[1044]: Runtime journal (/run/log/journal/2dc26f94a9f34e56b62b3c0d209c4be0) is 4.0M, max 16.0M, 11.9M free. Apr 09 09:46:48.136744 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'system journal clear'. Apr 09 09:46:48.787661 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu. Apr 09 09:46:48.971616 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'delete'. Apr 09 09:46:49.288366 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. Apr 09 09:46:49.450070 osdx systemd[1]: Stopping DNSCrypt client proxy... Apr 09 09:46:49.450467 osdx dnscrypt-proxy[28705]: Stopped. Apr 09 09:46:49.460652 osdx systemd[1]: dnscrypt-proxy.service: Succeeded. Apr 09 09:46:49.461051 osdx systemd[1]: Stopped DNSCrypt client proxy. Apr 09 09:46:49.713459 osdx ca-certificates[28784]: Clearing symlinks in /etc/ssl/certs... Apr 09 09:46:50.559359 osdx ca-certificates[29347]: done. Apr 09 09:46:50.570332 osdx ca-certificates[29354]: Updating certificates in /etc/ssl/certs... Apr 09 09:46:50.949606 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]): Apr 09 09:46:51.607045 osdx ca-certificates[30186]: 137 added, 0 removed; done. Apr 09 09:46:51.615085 osdx ca-certificates[30189]: Running hooks in /etc/ca-certificates/update.d... Apr 09 09:46:51.625519 osdx ca-certificates[30193]: done. Apr 09 09:46:51.693672 osdx cfgd[1120]: [7130]Completed change to active configuration Apr 09 09:46:51.697516 osdx OSDxCLI[7130]: User 'admin' committed the configuration. Apr 09 09:46:51.744694 osdx OSDxCLI[7130]: User 'admin' left the configuration menu. 
Apr 09 09:46:53.715945 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu. Apr 09 09:46:53.872435 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. Apr 09 09:46:54.058371 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Apr 09 09:46:54.236485 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Apr 09 09:46:54.386870 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. Apr 09 09:46:54.536712 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'. Apr 09 09:46:54.730162 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. Apr 09 09:46:54.889891 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'. Apr 09 09:46:55.030815 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Apr 09 09:46:55.181311 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Apr 09 09:46:55.298237 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Apr 09 09:46:55.489669 osdx ca-certificates[30238]: Updating certificates in /etc/ssl/certs... Apr 09 09:46:55.948063 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]): Apr 09 09:46:56.334667 osdx ca-certificates[31221]: 1 added, 0 removed; done. Apr 09 09:46:56.341223 osdx ca-certificates[31228]: Running hooks in /etc/ca-certificates/update.d... 
Apr 09 09:46:56.348199 osdx ca-certificates[31230]: done. Apr 09 09:46:56.383698 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Apr 09 09:46:56.588458 osdx systemd[1]: Started DNSCrypt client proxy. Apr 09 09:46:56.590153 osdx cfgd[1120]: [7130]Completed change to active configuration Apr 09 09:46:56.608028 osdx dnscrypt-proxy[31267]: dnscrypt-proxy 2.0.45 Apr 09 09:46:56.608118 osdx dnscrypt-proxy[31267]: Network connectivity detected Apr 09 09:46:56.608530 osdx dnscrypt-proxy[31267]: Dropping privileges Apr 09 09:46:56.611698 osdx dnscrypt-proxy[31267]: Network connectivity detected Apr 09 09:46:56.612172 osdx dnscrypt-proxy[31267]: Now listening to 127.0.0.1:53 [UDP] Apr 09 09:46:56.612317 osdx dnscrypt-proxy[31267]: Now listening to 127.0.0.1:53 [TCP] Apr 09 09:46:56.612488 osdx dnscrypt-proxy[31267]: Firefox workaround initialized Apr 09 09:46:56.612623 osdx dnscrypt-proxy[31267]: Loading the set of cloaking rules from [/tmp/tmpysoCOK] Apr 09 09:46:56.661181 osdx OSDxCLI[7130]: User 'admin' committed the configuration. Apr 09 09:46:56.706046 osdx OSDxCLI[7130]: User 'admin' left the configuration menu. Apr 09 09:46:56.808833 osdx dnscrypt-proxy[31267]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200 Apr 09 09:46:56.808863 osdx dnscrypt-proxy[31267]: [RD] OK (DoH) - rtt: 129ms Apr 09 09:46:56.808882 osdx dnscrypt-proxy[31267]: Server with the lowest initial latency: RD (rtt: 129ms) Apr 09 09:46:56.808893 osdx dnscrypt-proxy[31267]: dnscrypt-proxy is ready - live servers: 1 Apr 09 09:46:56.990194 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 3
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Output:
-- Logs begin at Tue 2024-04-09 09:46:57 UTC, end at Tue 2024-04-09 09:47:04 UTC. -- Apr 09 09:46:57.437454 osdx systemd-journald[1044]: Runtime journal (/run/log/journal/2dc26f94a9f34e56b62b3c0d209c4be0) is 2.0M, max 16.0M, 14.0M free. Apr 09 09:46:57.472002 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'system journal clear'. Apr 09 09:46:58.088437 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]): Apr 09 09:46:58.163792 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu. Apr 09 09:46:58.321384 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'delete'. Apr 09 09:46:58.513957 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. Apr 09 09:46:58.713446 osdx systemd[1]: Stopping DNSCrypt client proxy... Apr 09 09:46:58.714196 osdx dnscrypt-proxy[31267]: Stopped. Apr 09 09:46:58.720809 osdx systemd[1]: dnscrypt-proxy.service: Succeeded. Apr 09 09:46:58.721266 osdx systemd[1]: Stopped DNSCrypt client proxy. Apr 09 09:46:58.910068 osdx ca-certificates[31360]: Clearing symlinks in /etc/ssl/certs... Apr 09 09:46:59.399188 osdx ca-certificates[31917]: done. Apr 09 09:46:59.405262 osdx ca-certificates[31927]: Updating certificates in /etc/ssl/certs... Apr 09 09:47:00.119094 osdx ca-certificates[32761]: 137 added, 0 removed; done. Apr 09 09:47:00.125763 osdx ca-certificates[300]: Running hooks in /etc/ca-certificates/update.d... Apr 09 09:47:00.132466 osdx ca-certificates[302]: done. Apr 09 09:47:00.182885 osdx cfgd[1120]: [7130]Completed change to active configuration Apr 09 09:47:00.188392 osdx OSDxCLI[7130]: User 'admin' committed the configuration. Apr 09 09:47:00.231257 osdx OSDxCLI[7130]: User 'admin' left the configuration menu. 
Apr 09 09:47:01.844839 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]): Apr 09 09:47:02.057145 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu. Apr 09 09:47:02.202041 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. Apr 09 09:47:02.338602 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Apr 09 09:47:02.466676 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Apr 09 09:47:02.568273 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. Apr 09 09:47:02.690169 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'. Apr 09 09:47:02.803813 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. Apr 09 09:47:02.913360 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'. Apr 09 09:47:03.062490 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Apr 09 09:47:03.198253 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Apr 09 09:47:03.288493 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Apr 09 09:47:03.510627 osdx ca-certificates[352]: Updating certificates in /etc/ssl/certs... Apr 09 09:47:04.398861 osdx ca-certificates[1371]: 1 added, 0 removed; done. Apr 09 09:47:04.405499 osdx ca-certificates[1378]: Running hooks in /etc/ca-certificates/update.d... 
Apr 09 09:47:04.412559 osdx ca-certificates[1380]: done. Apr 09 09:47:04.435593 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Apr 09 09:47:04.596664 osdx systemd[1]: Started DNSCrypt client proxy. Apr 09 09:47:04.599967 osdx cfgd[1120]: [7130]Completed change to active configuration Apr 09 09:47:04.616524 osdx dnscrypt-proxy[1417]: dnscrypt-proxy 2.0.45 Apr 09 09:47:04.616601 osdx dnscrypt-proxy[1417]: Network connectivity detected Apr 09 09:47:04.616917 osdx dnscrypt-proxy[1417]: Dropping privileges Apr 09 09:47:04.619506 osdx dnscrypt-proxy[1417]: Network connectivity detected Apr 09 09:47:04.619594 osdx dnscrypt-proxy[1417]: Now listening to 127.0.0.1:53 [UDP] Apr 09 09:47:04.619601 osdx dnscrypt-proxy[1417]: Now listening to 127.0.0.1:53 [TCP] Apr 09 09:47:04.619626 osdx dnscrypt-proxy[1417]: Firefox workaround initialized Apr 09 09:47:04.619632 osdx dnscrypt-proxy[1417]: Loading the set of cloaking rules from [/tmp/tmp54J59l] Apr 09 09:47:04.658278 osdx OSDxCLI[7130]: User 'admin' committed the configuration. Apr 09 09:47:04.687807 osdx OSDxCLI[7130]: User 'admin' left the configuration menu. Apr 09 09:47:04.796201 osdx dnscrypt-proxy[1417]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392 Apr 09 09:47:04.796230 osdx dnscrypt-proxy[1417]: [RD] OK (DoH) - rtt: 124ms Apr 09 09:47:04.796244 osdx dnscrypt-proxy[1417]: Server with the lowest initial latency: RD (rtt: 124ms) Apr 09 09:47:04.796253 osdx dnscrypt-proxy[1417]: dnscrypt-proxy is ready - live servers: 1 Apr 09 09:47:04.874811 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 4
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
-- Logs begin at Tue 2024-04-09 09:47:05 UTC, end at Tue 2024-04-09 09:47:13 UTC. -- Apr 09 09:47:05.223610 osdx systemd-journald[1044]: Runtime journal (/run/log/journal/2dc26f94a9f34e56b62b3c0d209c4be0) is 2.0M, max 16.0M, 14.0M free. Apr 09 09:47:05.256440 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'system journal clear'. Apr 09 09:47:05.691224 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu. Apr 09 09:47:05.802285 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'delete'. Apr 09 09:47:05.953151 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]): Apr 09 09:47:05.961236 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. Apr 09 09:47:06.089061 osdx dnscrypt-proxy[1417]: Stopped. Apr 09 09:47:06.089139 osdx systemd[1]: Stopping DNSCrypt client proxy... Apr 09 09:47:06.090444 osdx systemd[1]: dnscrypt-proxy.service: Succeeded. Apr 09 09:47:06.090770 osdx systemd[1]: Stopped DNSCrypt client proxy. Apr 09 09:47:06.257102 osdx ca-certificates[1511]: Clearing symlinks in /etc/ssl/certs... Apr 09 09:47:06.743063 osdx ca-certificates[2069]: done. Apr 09 09:47:06.748724 osdx ca-certificates[2079]: Updating certificates in /etc/ssl/certs... Apr 09 09:47:07.463303 osdx ca-certificates[2912]: 137 added, 0 removed; done. Apr 09 09:47:07.477307 osdx ca-certificates[2919]: Running hooks in /etc/ca-certificates/update.d... Apr 09 09:47:07.485172 osdx ca-certificates[2921]: done. Apr 09 09:47:07.544438 osdx cfgd[1120]: [7130]Completed change to active configuration Apr 09 09:47:07.549625 osdx OSDxCLI[7130]: User 'admin' committed the configuration. Apr 09 09:47:07.589127 osdx OSDxCLI[7130]: User 'admin' left the configuration menu. 
Apr 09 09:47:09.539863 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu. Apr 09 09:47:09.717491 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. Apr 09 09:47:09.851222 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Apr 09 09:47:10.116921 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Apr 09 09:47:10.296369 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. Apr 09 09:47:10.511596 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'. Apr 09 09:47:10.698654 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'. Apr 09 09:47:10.790863 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'. Apr 09 09:47:10.915765 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Apr 09 09:47:10.951028 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]): Apr 09 09:47:11.068404 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Apr 09 09:47:11.275054 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Apr 09 09:47:11.545065 osdx ca-certificates[2966]: Updating certificates in /etc/ssl/certs... Apr 09 09:47:12.392057 osdx ca-certificates[3951]: 1 added, 0 removed; done. Apr 09 09:47:12.398743 osdx ca-certificates[3956]: Running hooks in /etc/ca-certificates/update.d... 
Apr 09 09:47:12.412138 osdx ca-certificates[3958]: done. Apr 09 09:47:12.439675 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Apr 09 09:47:12.647088 osdx systemd[1]: Started DNSCrypt client proxy. Apr 09 09:47:12.650448 osdx cfgd[1120]: [7130]Completed change to active configuration Apr 09 09:47:12.688367 osdx dnscrypt-proxy[3995]: dnscrypt-proxy 2.0.45 Apr 09 09:47:12.688444 osdx dnscrypt-proxy[3995]: Network connectivity detected Apr 09 09:47:12.688767 osdx dnscrypt-proxy[3995]: Dropping privileges Apr 09 09:47:12.691687 osdx dnscrypt-proxy[3995]: Network connectivity detected Apr 09 09:47:12.691740 osdx dnscrypt-proxy[3995]: Now listening to 127.0.0.1:53 [UDP] Apr 09 09:47:12.691750 osdx dnscrypt-proxy[3995]: Now listening to 127.0.0.1:53 [TCP] Apr 09 09:47:12.691781 osdx dnscrypt-proxy[3995]: Firefox workaround initialized Apr 09 09:47:12.691790 osdx dnscrypt-proxy[3995]: Loading the set of cloaking rules from [/tmp/tmpPH5t0V] Apr 09 09:47:12.709329 osdx OSDxCLI[7130]: User 'admin' committed the configuration. Apr 09 09:47:12.764800 osdx OSDxCLI[7130]: User 'admin' left the configuration menu. Apr 09 09:47:12.867769 osdx dnscrypt-proxy[3995]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199 Apr 09 09:47:12.867797 osdx dnscrypt-proxy[3995]: [RD] OK (DoH) - rtt: 121ms Apr 09 09:47:12.867811 osdx dnscrypt-proxy[3995]: Server with the lowest initial latency: RD (rtt: 121ms) Apr 09 09:47:12.867819 osdx dnscrypt-proxy[3995]: dnscrypt-proxy is ready - live servers: 1 Apr 09 09:47:12.986771 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'show host lookup teldat.com type A'. Apr 09 09:47:13.107384 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Example 5
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
Output:
-- Logs begin at Tue 2024-04-09 09:47:13 UTC, end at Tue 2024-04-09 09:47:21 UTC. -- Apr 09 09:47:13.393914 osdx systemd-journald[1044]: Runtime journal (/run/log/journal/2dc26f94a9f34e56b62b3c0d209c4be0) is 2.0M, max 16.0M, 14.0M free. Apr 09 09:47:13.436705 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'system journal clear'. Apr 09 09:47:13.994378 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu. Apr 09 09:47:14.165040 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'delete'. Apr 09 09:47:14.380037 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. Apr 09 09:47:14.542283 osdx systemd[1]: Stopping DNSCrypt client proxy... Apr 09 09:47:14.543090 osdx dnscrypt-proxy[3995]: Stopped. Apr 09 09:47:14.544780 osdx systemd[1]: dnscrypt-proxy.service: Succeeded. Apr 09 09:47:14.545156 osdx systemd[1]: Stopped DNSCrypt client proxy. Apr 09 09:47:14.677411 osdx ca-certificates[4088]: Clearing symlinks in /etc/ssl/certs... Apr 09 09:47:15.130324 osdx ca-certificates[4645]: done. Apr 09 09:47:15.136503 osdx ca-certificates[4653]: Updating certificates in /etc/ssl/certs... Apr 09 09:47:16.050502 osdx ca-certificates[5492]: 137 added, 0 removed; done. Apr 09 09:47:16.056781 osdx ca-certificates[5499]: Running hooks in /etc/ca-certificates/update.d... Apr 09 09:47:16.063689 osdx ca-certificates[5501]: done. Apr 09 09:47:16.123967 osdx cfgd[1120]: [7130]Completed change to active configuration Apr 09 09:47:16.129433 osdx OSDxCLI[7130]: User 'admin' committed the configuration. Apr 09 09:47:16.157284 osdx OSDxCLI[7130]: User 'admin' left the configuration menu. 
Apr 09 09:47:16.844864 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]): Apr 09 09:47:17.892662 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu. Apr 09 09:47:18.034754 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. Apr 09 09:47:18.206709 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Apr 09 09:47:18.367707 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Apr 09 09:47:18.492545 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. Apr 09 09:47:18.668487 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'. Apr 09 09:47:18.829061 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'. Apr 09 09:47:19.005977 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'. Apr 09 09:47:19.161152 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Apr 09 09:47:19.294134 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Apr 09 09:47:19.422324 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Apr 09 09:47:19.629508 osdx ca-certificates[5546]: Updating certificates in /etc/ssl/certs... Apr 09 09:47:20.697178 osdx ca-certificates[6529]: 1 added, 0 removed; done. Apr 09 09:47:20.712600 osdx ca-certificates[6535]: Running hooks in /etc/ca-certificates/update.d... 
Apr 09 09:47:20.719052 osdx ca-certificates[6538]: done. Apr 09 09:47:20.743620 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Apr 09 09:47:20.950597 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]): Apr 09 09:47:20.979815 osdx systemd[1]: Started DNSCrypt client proxy. Apr 09 09:47:20.983931 osdx cfgd[1120]: [7130]Completed change to active configuration Apr 09 09:47:21.052860 osdx dnscrypt-proxy[6575]: dnscrypt-proxy 2.0.45 Apr 09 09:47:21.052956 osdx dnscrypt-proxy[6575]: Network connectivity detected Apr 09 09:47:21.053397 osdx dnscrypt-proxy[6575]: Dropping privileges Apr 09 09:47:21.064054 osdx dnscrypt-proxy[6575]: Network connectivity detected Apr 09 09:47:21.064115 osdx dnscrypt-proxy[6575]: Now listening to 127.0.0.1:53 [UDP] Apr 09 09:47:21.064127 osdx dnscrypt-proxy[6575]: Now listening to 127.0.0.1:53 [TCP] Apr 09 09:47:21.064168 osdx dnscrypt-proxy[6575]: Firefox workaround initialized Apr 09 09:47:21.064176 osdx dnscrypt-proxy[6575]: Loading the set of cloaking rules from [/tmp/tmpN5dBGk] Apr 09 09:47:21.094095 osdx OSDxCLI[7130]: User 'admin' committed the configuration. Apr 09 09:47:21.169379 osdx OSDxCLI[7130]: User 'admin' left the configuration menu. Apr 09 09:47:21.317309 osdx dnscrypt-proxy[6575]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200 Apr 09 09:47:21.317336 osdx dnscrypt-proxy[6575]: [RD] OK (DoH) - rtt: 134ms Apr 09 09:47:21.317351 osdx dnscrypt-proxy[6575]: Server with the lowest initial latency: RD (rtt: 134ms) Apr 09 09:47:21.317374 osdx dnscrypt-proxy[6575]: dnscrypt-proxy is ready - live servers: 1 Apr 09 09:47:21.390145 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 6
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Output:
-- Logs begin at Tue 2024-04-09 09:47:21 UTC, end at Tue 2024-04-09 09:47:30 UTC. -- Apr 09 09:47:21.835431 osdx systemd-journald[1044]: Runtime journal (/run/log/journal/2dc26f94a9f34e56b62b3c0d209c4be0) is 2.0M, max 16.0M, 14.0M free. Apr 09 09:47:21.872139 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'system journal clear'. Apr 09 09:47:22.345393 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu. Apr 09 09:47:22.478739 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'delete'. Apr 09 09:47:22.667469 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. Apr 09 09:47:22.779896 osdx systemd[1]: Stopping DNSCrypt client proxy... Apr 09 09:47:22.780133 osdx dnscrypt-proxy[6575]: Stopped. Apr 09 09:47:22.782813 osdx systemd[1]: dnscrypt-proxy.service: Succeeded. Apr 09 09:47:22.783165 osdx systemd[1]: Stopped DNSCrypt client proxy. Apr 09 09:47:22.934700 osdx ca-certificates[6669]: Clearing symlinks in /etc/ssl/certs... Apr 09 09:47:23.481230 osdx ca-certificates[7229]: done. Apr 09 09:47:23.491516 osdx ca-certificates[7232]: Updating certificates in /etc/ssl/certs... Apr 09 09:47:24.617190 osdx ca-certificates[8072]: 137 added, 0 removed; done. Apr 09 09:47:24.622618 osdx ca-certificates[8075]: Running hooks in /etc/ca-certificates/update.d... Apr 09 09:47:24.629878 osdx ca-certificates[8079]: done. Apr 09 09:47:24.682528 osdx cfgd[1120]: [7130]Completed change to active configuration Apr 09 09:47:24.692358 osdx OSDxCLI[7130]: User 'admin' committed the configuration. Apr 09 09:47:24.738697 osdx OSDxCLI[7130]: User 'admin' left the configuration menu. 
Apr 09 09:47:25.951755 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]): Apr 09 09:47:26.876863 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu. Apr 09 09:47:27.066854 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. Apr 09 09:47:27.230293 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Apr 09 09:47:27.444396 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Apr 09 09:47:27.611987 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. Apr 09 09:47:27.778775 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'. Apr 09 09:47:27.913649 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'. Apr 09 09:47:28.080396 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'. Apr 09 09:47:28.085082 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]): Apr 09 09:47:28.206500 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Apr 09 09:47:28.386705 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Apr 09 09:47:28.493657 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Apr 09 09:47:28.676530 osdx ca-certificates[8125]: Updating certificates in /etc/ssl/certs... 
Apr 09 09:47:29.776506 osdx ca-certificates[9111]: 1 added, 0 removed; done. Apr 09 09:47:29.787640 osdx ca-certificates[9118]: Running hooks in /etc/ca-certificates/update.d... Apr 09 09:47:29.793980 osdx ca-certificates[9120]: done. Apr 09 09:47:29.823593 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Apr 09 09:47:30.068142 osdx systemd[1]: Started DNSCrypt client proxy. Apr 09 09:47:30.073313 osdx cfgd[1120]: [7130]Completed change to active configuration Apr 09 09:47:30.095947 osdx dnscrypt-proxy[9157]: dnscrypt-proxy 2.0.45 Apr 09 09:47:30.096088 osdx dnscrypt-proxy[9157]: Network connectivity detected Apr 09 09:47:30.096587 osdx dnscrypt-proxy[9157]: Dropping privileges Apr 09 09:47:30.101130 osdx dnscrypt-proxy[9157]: Network connectivity detected Apr 09 09:47:30.101558 osdx dnscrypt-proxy[9157]: Now listening to 127.0.0.1:53 [UDP] Apr 09 09:47:30.101693 osdx dnscrypt-proxy[9157]: Now listening to 127.0.0.1:53 [TCP] Apr 09 09:47:30.101834 osdx dnscrypt-proxy[9157]: Firefox workaround initialized Apr 09 09:47:30.101951 osdx dnscrypt-proxy[9157]: Loading the set of cloaking rules from [/tmp/tmpVWWsxG] Apr 09 09:47:30.134209 osdx OSDxCLI[7130]: User 'admin' committed the configuration. Apr 09 09:47:30.184974 osdx OSDxCLI[7130]: User 'admin' left the configuration menu. Apr 09 09:47:30.261129 osdx dnscrypt-proxy[9157]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392 Apr 09 09:47:30.261354 osdx dnscrypt-proxy[9157]: [RD] OK (DoH) - rtt: 115ms Apr 09 09:47:30.261460 osdx dnscrypt-proxy[9157]: Server with the lowest initial latency: RD (rtt: 115ms) Apr 09 09:47:30.261556 osdx dnscrypt-proxy[9157]: dnscrypt-proxy is ready - live servers: 1 Apr 09 09:47:30.411102 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
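The Step 3 checks in Examples 4 to 6 match a decimal cipher-suite number in the journal. The following added example (not part of the test suite or of OSDx) maps that number back to its IANA name and compares it with the configured cipher list. The regular expressions, the LEGACY classification and the reading of the logged TLS version 303 as hexadecimal 0x0303 are assumptions of this example; the first sample is excerpted from the Example 4 journal above and the second is constructed.

```python
import re

# IANA code points of the suites configured on this page (logged in decimal).
IANA_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",        # 49199
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",        # 49200
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",  # 52392
}
# Example's own classification: RC4 and 3DES suites with static-RSA key exchange.
LEGACY = {"TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
# Assumption: the "TLS version" field is the wire version printed in hex.
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

CFG_RE = re.compile(
    r"cfg line: 'set service dns proxy cipher (\d+) algorithm ([A-Z0-9_]+)'")
NEG_RE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[([^\]]+)\] TLS version: ([0-9a-fA-F]+)"
    r" - Protocol: (\S+) - Cipher suite: (\d+)")


def audit_journal(journal):
    """Compare the configured cipher list with the suite dnscrypt-proxy logged.

    Searches the whole text, so it works whether the journal has one entry
    per line or several entries run together on one line.
    """
    pairs = sorted((int(prio), alg) for prio, alg in CFG_RE.findall(journal))
    configured = [alg for _, alg in pairs]
    report = {
        "configured": configured,
        "legacy_configured": [a for a in configured if a in LEGACY],
        "server": None, "tls_version": None, "protocol": None,
        "negotiated": None,
        "negotiated_in_config": False,
        "negotiated_is_legacy": False,
    }
    handshakes = NEG_RE.findall(journal)
    if not handshakes:
        return report  # no handshake line found in this journal
    server, version_hex, protocol, suite_dec = handshakes[-1]  # latest one
    version, suite = int(version_hex, 16), int(suite_dec)
    name = IANA_SUITES.get(suite, "unknown(0x%04X)" % suite)
    report.update(
        server=server,
        tls_version=TLS_VERSIONS.get(version, "unknown(0x%04X)" % version),
        protocol=protocol,
        negotiated=name,
        negotiated_in_config=name in configured,
        negotiated_is_legacy=name in LEGACY,
    )
    return report


# Excerpt of the Example 4 journal shown above (three entries, run together).
EXAMPLE_4_EXCERPT = (
    "Apr 09 09:47:10.698654 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: "
    "'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'. "
    "Apr 09 09:47:10.790863 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: "
    "'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'. "
    "Apr 09 09:47:12.867769 osdx dnscrypt-proxy[3995]: "
    "[RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199"
)
# Constructed variant: same configuration, but the 3DES suite (10) is logged.
CONSTRUCTED_LEGACY = EXAMPLE_4_EXCERPT.replace(
    "Cipher suite: 49199", "Cipher suite: 10")

if __name__ == "__main__":
    for label, text in (("Example 4", EXAMPLE_4_EXCERPT),
                        ("constructed", CONSTRUCTED_LEGACY)):
        r = audit_journal(text)
        print(label, r["tls_version"], r["negotiated"],
              "legacy configured:", r["legacy_configured"],
              "legacy negotiated:", r["negotiated_is_legacy"])
```

A run against a full journal works the same way, because the parser does not depend on line breaks.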