Cipher
Test suite to validate the use of one or multiple ciphers to protect the DoH connection
Single Valid Cipher
Description
Configures a single, valid cipher and tries to communicate with the server. No refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.10/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
-- Logs begin at Thu 2023-11-23 22:35:35 UTC, end at Thu 2023-11-23 22:35:44 UTC. --
Nov 23 22:35:35.386064 osdx systemd-journald[619]: Runtime journal (/run/log/journal/1b38b2114cf0481baed8058b17ed7ac1) is 2.0M, max 16.0M, 14.0M free.
Nov 23 22:35:35.405245 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'system journal clear'.
Nov 23 22:35:35.893182 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:35:36.025992 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Nov 23 22:35:36.132663 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 23 22:35:36.305083 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 23 22:35:36.420858 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:35:36.476066 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:35:36.522468 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:35:36.687158 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Nov 23 22:35:36.879819 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:35:37.002601 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 23 22:35:37.125116 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 23 22:35:37.272477 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 23 22:35:37.383230 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 23 22:35:37.511503 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8'.
Nov 23 22:35:37.615081 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Nov 23 22:35:37.728853 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 23 22:35:37.830047 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:35:37.847528 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Nov 23 22:35:37.941862 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 23 22:35:38.058553 osdx ca-certificates[11065]: Updating certificates in /etc/ssl/certs...
Nov 23 22:35:38.688413 osdx ca-certificates[12049]: 1 added, 0 removed; done.
Nov 23 22:35:38.694167 osdx ca-certificates[12053]: Running hooks in /etc/ca-certificates/update.d...
Nov 23 22:35:38.699241 osdx ca-certificates[12057]: done.
Nov 23 22:35:38.766822 osdx systemd[1]: Started DNSCrypt client proxy.
Nov 23 22:35:38.769630 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:35:38.778107 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:35:38.795534 osdx dnscrypt-proxy[12061]: dnscrypt-proxy 2.0.45
Nov 23 22:35:38.795909 osdx dnscrypt-proxy[12061]: Network connectivity detected
Nov 23 22:35:38.796418 osdx dnscrypt-proxy[12061]: Dropping privileges
Nov 23 22:35:38.798797 osdx dnscrypt-proxy[12061]: Network connectivity detected
Nov 23 22:35:38.799202 osdx dnscrypt-proxy[12061]: Now listening to 127.0.0.1:53 [UDP]
Nov 23 22:35:38.799210 osdx dnscrypt-proxy[12061]: Now listening to 127.0.0.1:53 [TCP]
Nov 23 22:35:38.799250 osdx dnscrypt-proxy[12061]: Firefox workaround initialized
Nov 23 22:35:38.799256 osdx dnscrypt-proxy[12061]: Loading the set of cloaking rules from [/tmp/tmpxFiKyJ]
Nov 23 22:35:38.805288 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:35:38.987332 osdx dnscrypt-proxy[12061]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Nov 23 22:35:38.987350 osdx dnscrypt-proxy[12061]: [RD] OK (DoH) - rtt: 154ms
Nov 23 22:35:38.987359 osdx dnscrypt-proxy[12061]: Server with the lowest initial latency: RD (rtt: 154ms)
Nov 23 22:35:38.987365 osdx dnscrypt-proxy[12061]: dnscrypt-proxy is ready - live servers: 1
Nov 23 22:35:39.757085 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:35:44.986239 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Multiple Valid Cipher
Description
Configures a valid cipher each time, and tries to communicate with the server. No refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.10/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
-- Logs begin at Thu 2023-11-23 22:35:53 UTC, end at Thu 2023-11-23 22:35:56 UTC. --
Nov 23 22:35:53.461258 osdx systemd-journald[619]: Runtime journal (/run/log/journal/1b38b2114cf0481baed8058b17ed7ac1) is 2.0M, max 16.0M, 14.0M free.
Nov 23 22:35:53.475068 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'system journal clear'.
Nov 23 22:35:53.917243 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:35:54.043232 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Nov 23 22:35:54.135744 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 23 22:35:54.277431 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 23 22:35:54.291247 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:35:54.371822 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:35:54.416190 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:35:54.457279 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:35:54.625164 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Nov 23 22:35:54.809952 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:35:54.921225 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 23 22:35:55.047154 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 23 22:35:55.145238 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 23 22:35:55.236348 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 23 22:35:55.332716 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8'.
Nov 23 22:35:55.422268 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Nov 23 22:35:55.575450 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 23 22:35:55.703476 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Nov 23 22:35:55.841492 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 23 22:35:55.996913 osdx ca-certificates[13778]: Updating certificates in /etc/ssl/certs...
Nov 23 22:35:56.645813 osdx ca-certificates[14763]: 1 added, 0 removed; done.
Nov 23 22:35:56.651555 osdx ca-certificates[14767]: Running hooks in /etc/ca-certificates/update.d...
Nov 23 22:35:56.656651 osdx ca-certificates[14771]: done.
Nov 23 22:35:56.724001 osdx systemd[1]: Started DNSCrypt client proxy.
Nov 23 22:35:56.726744 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:35:56.731200 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:35:56.752771 osdx dnscrypt-proxy[14775]: dnscrypt-proxy 2.0.45
Nov 23 22:35:56.755350 osdx dnscrypt-proxy[14775]: Network connectivity detected
Nov 23 22:35:56.755944 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:35:56.756654 osdx dnscrypt-proxy[14775]: Dropping privileges
Nov 23 22:35:56.759032 osdx dnscrypt-proxy[14775]: Network connectivity detected
Nov 23 22:35:56.759308 osdx dnscrypt-proxy[14775]: Now listening to 127.0.0.1:53 [UDP]
Nov 23 22:35:56.759395 osdx dnscrypt-proxy[14775]: Now listening to 127.0.0.1:53 [TCP]
Nov 23 22:35:56.759493 osdx dnscrypt-proxy[14775]: Firefox workaround initialized
Nov 23 22:35:56.759571 osdx dnscrypt-proxy[14775]: Loading the set of cloaking rules from [/tmp/tmpA0CpDU]
Nov 23 22:35:56.908711 osdx dnscrypt-proxy[14775]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Nov 23 22:35:56.908728 osdx dnscrypt-proxy[14775]: [RD] OK (DoH) - rtt: 119ms
Nov 23 22:35:56.908738 osdx dnscrypt-proxy[14775]: Server with the lowest initial latency: RD (rtt: 119ms)
Nov 23 22:35:56.908745 osdx dnscrypt-proxy[14775]: dnscrypt-proxy is ready - live servers: 1
Nov 23 22:35:56.923121 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 2
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.10/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
Output:
-- Logs begin at Thu 2023-11-23 22:35:57 UTC, end at Thu 2023-11-23 22:36:03 UTC. --
Nov 23 22:35:57.182839 osdx systemd-journald[619]: Runtime journal (/run/log/journal/1b38b2114cf0481baed8058b17ed7ac1) is 2.0M, max 16.0M, 14.0M free.
Nov 23 22:35:57.195807 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'system journal clear'.
Nov 23 22:35:57.600473 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:35:57.697730 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'delete'.
Nov 23 22:35:57.814788 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Nov 23 22:35:57.932687 osdx dnscrypt-proxy[14775]: Stopped.
Nov 23 22:35:57.933951 osdx systemd[1]: Stopping DNSCrypt client proxy...
Nov 23 22:35:57.934722 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Nov 23 22:35:57.935118 osdx systemd[1]: Stopped DNSCrypt client proxy.
Nov 23 22:35:58.041584 osdx ca-certificates[14847]: Clearing symlinks in /etc/ssl/certs...
Nov 23 22:35:58.450134 osdx ca-certificates[15406]: done.
Nov 23 22:35:58.458413 osdx ca-certificates[15413]: Updating certificates in /etc/ssl/certs...
Nov 23 22:35:59.024926 osdx ca-certificates[16249]: 137 added, 0 removed; done.
Nov 23 22:35:59.031032 osdx ca-certificates[16253]: Running hooks in /etc/ca-certificates/update.d...
Nov 23 22:35:59.037076 osdx ca-certificates[16257]: done.
Nov 23 22:35:59.080675 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:35:59.084362 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:35:59.108943 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:36:00.586752 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:36:00.691135 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 23 22:36:00.788163 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 23 22:36:00.892033 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 23 22:36:01.020426 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 23 22:36:01.167438 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8'.
Nov 23 22:36:01.280474 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Nov 23 22:36:01.397401 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 23 22:36:01.562814 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Nov 23 22:36:01.693795 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 23 22:36:01.828858 osdx ca-certificates[16308]: Updating certificates in /etc/ssl/certs...
Nov 23 22:36:02.565429 osdx ca-certificates[17292]: 1 added, 0 removed; done.
Nov 23 22:36:02.571516 osdx ca-certificates[17296]: Running hooks in /etc/ca-certificates/update.d...
Nov 23 22:36:02.576877 osdx ca-certificates[17300]: done.
Nov 23 22:36:02.609439 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 23 22:36:02.769951 osdx systemd[1]: Started DNSCrypt client proxy.
Nov 23 22:36:02.772853 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:36:02.814586 osdx dnscrypt-proxy[17359]: dnscrypt-proxy 2.0.45
Nov 23 22:36:02.814994 osdx dnscrypt-proxy[17359]: Network connectivity detected
Nov 23 22:36:02.817321 osdx dnscrypt-proxy[17359]: Dropping privileges
Nov 23 22:36:02.830186 osdx dnscrypt-proxy[17359]: Network connectivity detected
Nov 23 22:36:02.830227 osdx dnscrypt-proxy[17359]: Now listening to 127.0.0.1:53 [UDP]
Nov 23 22:36:02.830234 osdx dnscrypt-proxy[17359]: Now listening to 127.0.0.1:53 [TCP]
Nov 23 22:36:02.830256 osdx dnscrypt-proxy[17359]: Firefox workaround initialized
Nov 23 22:36:02.830263 osdx dnscrypt-proxy[17359]: Loading the set of cloaking rules from [/tmp/tmpksCX4e]
Nov 23 22:36:02.846130 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:36:02.889784 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:36:03.037786 osdx dnscrypt-proxy[17359]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Nov 23 22:36:03.037804 osdx dnscrypt-proxy[17359]: [RD] OK (DoH) - rtt: 126ms
Nov 23 22:36:03.037814 osdx dnscrypt-proxy[17359]: Server with the lowest initial latency: RD (rtt: 126ms)
Nov 23 22:36:03.037820 osdx dnscrypt-proxy[17359]: dnscrypt-proxy is ready - live servers: 1
Nov 23 22:36:03.054881 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 3
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.10/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Output:
-- Logs begin at Thu 2023-11-23 22:36:03 UTC, end at Thu 2023-11-23 22:36:09 UTC. --
Nov 23 22:36:03.391789 osdx systemd-journald[619]: Runtime journal (/run/log/journal/1b38b2114cf0481baed8058b17ed7ac1) is 2.0M, max 16.0M, 14.0M free.
Nov 23 22:36:03.405267 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'system journal clear'.
Nov 23 22:36:03.834510 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:36:03.935692 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'delete'.
Nov 23 22:36:04.088628 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Nov 23 22:36:04.202506 osdx dnscrypt-proxy[17359]: Stopped.
Nov 23 22:36:04.204255 osdx systemd[1]: Stopping DNSCrypt client proxy...
Nov 23 22:36:04.205156 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Nov 23 22:36:04.205867 osdx systemd[1]: Stopped DNSCrypt client proxy.
Nov 23 22:36:04.302029 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:36:04.304290 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:36:04.306878 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:36:04.309336 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:36:04.311437 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:36:04.334299 osdx ca-certificates[17447]: Clearing symlinks in /etc/ssl/certs...
Nov 23 22:36:04.712760 osdx ca-certificates[18005]: done.
Nov 23 22:36:04.719501 osdx ca-certificates[18010]: Updating certificates in /etc/ssl/certs...
Nov 23 22:36:05.311298 osdx ca-certificates[18851]: 137 added, 0 removed; done.
Nov 23 22:36:05.317721 osdx ca-certificates[18855]: Running hooks in /etc/ca-certificates/update.d...
Nov 23 22:36:05.323334 osdx ca-certificates[18859]: done.
Nov 23 22:36:05.366543 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:36:05.370395 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:36:05.400177 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:36:06.958147 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:36:07.066500 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 23 22:36:07.184771 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 23 22:36:07.305754 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 23 22:36:07.370894 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:36:07.436809 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 23 22:36:07.588346 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8'.
Nov 23 22:36:07.697100 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Nov 23 22:36:07.814135 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 23 22:36:07.925228 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Nov 23 22:36:08.074862 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 23 22:36:08.238860 osdx ca-certificates[18905]: Updating certificates in /etc/ssl/certs...
Nov 23 22:36:08.884870 osdx ca-certificates[19889]: 1 added, 0 removed; done.
Nov 23 22:36:08.890875 osdx ca-certificates[19893]: Running hooks in /etc/ca-certificates/update.d...
Nov 23 22:36:08.896356 osdx ca-certificates[19897]: done.
Nov 23 22:36:08.929429 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 23 22:36:09.089274 osdx systemd[1]: Started DNSCrypt client proxy.
Nov 23 22:36:09.092053 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:36:09.134473 osdx dnscrypt-proxy[19956]: dnscrypt-proxy 2.0.45
Nov 23 22:36:09.134869 osdx dnscrypt-proxy[19956]: Network connectivity detected
Nov 23 22:36:09.136151 osdx dnscrypt-proxy[19956]: Dropping privileges
Nov 23 22:36:09.145293 osdx dnscrypt-proxy[19956]: Network connectivity detected
Nov 23 22:36:09.145335 osdx dnscrypt-proxy[19956]: Now listening to 127.0.0.1:53 [UDP]
Nov 23 22:36:09.145341 osdx dnscrypt-proxy[19956]: Now listening to 127.0.0.1:53 [TCP]
Nov 23 22:36:09.145364 osdx dnscrypt-proxy[19956]: Firefox workaround initialized
Nov 23 22:36:09.145370 osdx dnscrypt-proxy[19956]: Loading the set of cloaking rules from [/tmp/tmpo9v70S]
Nov 23 22:36:09.176931 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:36:09.237094 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:36:09.328851 osdx dnscrypt-proxy[19956]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Nov 23 22:36:09.328868 osdx dnscrypt-proxy[19956]: [RD] OK (DoH) - rtt: 116ms
Nov 23 22:36:09.328878 osdx dnscrypt-proxy[19956]: Server with the lowest initial latency: RD (rtt: 116ms)
Nov 23 22:36:09.328884 osdx dnscrypt-proxy[19956]: dnscrypt-proxy is ready - live servers: 1
Nov 23 22:36:09.404723 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Single Invalid Cipher
Description
Configures a single, invalid cipher and tries to communicate with the server. A refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.10/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
-- Logs begin at Thu 2023-11-23 22:36:22 UTC, end at Thu 2023-11-23 22:36:25 UTC. --
Nov 23 22:36:22.400254 osdx systemd-journald[619]: Runtime journal (/run/log/journal/1b38b2114cf0481baed8058b17ed7ac1) is 2.0M, max 16.0M, 14.0M free.
Nov 23 22:36:22.419395 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'system journal clear'.
Nov 23 22:36:22.484758 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:36:22.801976 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:36:22.927832 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Nov 23 22:36:23.022125 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 23 22:36:23.156993 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 23 22:36:23.250186 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:36:23.291859 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:36:23.329742 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:36:23.500627 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Nov 23 22:36:23.677992 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:36:23.774574 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 23 22:36:23.889144 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 23 22:36:23.985801 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 23 22:36:24.079553 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 23 22:36:24.176652 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8'.
Nov 23 22:36:24.265117 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Nov 23 22:36:24.355524 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 23 22:36:24.402227 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:36:24.449287 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Nov 23 22:36:24.542065 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 23 22:36:24.667267 osdx ca-certificates[21688]: Updating certificates in /etc/ssl/certs...
Nov 23 22:36:25.381035 osdx ca-certificates[22672]: 1 added, 0 removed; done.
Nov 23 22:36:25.386993 osdx ca-certificates[22676]: Running hooks in /etc/ca-certificates/update.d...
Nov 23 22:36:25.392564 osdx ca-certificates[22680]: done.
Nov 23 22:36:25.469483 osdx systemd[1]: Started DNSCrypt client proxy.
Nov 23 22:36:25.473175 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:36:25.477958 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:36:25.501018 osdx dnscrypt-proxy[22684]: dnscrypt-proxy 2.0.45
Nov 23 22:36:25.501423 osdx dnscrypt-proxy[22684]: Network connectivity detected
Nov 23 22:36:25.502093 osdx dnscrypt-proxy[22684]: Dropping privileges
Nov 23 22:36:25.508359 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:36:25.509144 osdx dnscrypt-proxy[22684]: Network connectivity detected
Nov 23 22:36:25.509482 osdx dnscrypt-proxy[22684]: Now listening to 127.0.0.1:53 [UDP]
Nov 23 22:36:25.509604 osdx dnscrypt-proxy[22684]: Now listening to 127.0.0.1:53 [TCP]
Nov 23 22:36:25.509736 osdx dnscrypt-proxy[22684]: Firefox workaround initialized
Nov 23 22:36:25.509846 osdx dnscrypt-proxy[22684]: Loading the set of cloaking rules from [/tmp/tmpv_fTgf]
Nov 23 22:36:25.510973 osdx dnscrypt-proxy[22684]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Nov 23 22:36:25.664544 osdx dnscrypt-proxy[22684]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Nov 23 22:36:25.664569 osdx dnscrypt-proxy[22684]: [RD] OK (DoH) - rtt: 112ms
Nov 23 22:36:25.664591 osdx dnscrypt-proxy[22684]: Server with the lowest initial latency: RD (rtt: 112ms)
Nov 23 22:36:25.664601 osdx dnscrypt-proxy[22684]: dnscrypt-proxy is ready - live servers: 1
Multiple Invalid Cipher
Description
Configures either one or two invalid ciphers and tries to communicate with the server. A refusal of all proposed ciphers is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.10/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command system journal show | cat
at DUT0
and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration fileShow output
-- Logs begin at Thu 2023-11-23 22:36:35 UTC, end at Thu 2023-11-23 22:36:38 UTC. --
Nov 23 22:36:35.353105 osdx systemd-journald[619]: Runtime journal (/run/log/journal/1b38b2114cf0481baed8058b17ed7ac1) is 2.0M, max 16.0M, 14.0M free.
Nov 23 22:36:35.366242 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'system journal clear'.
Nov 23 22:36:35.720114 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:36:35.867748 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Nov 23 22:36:35.989368 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 23 22:36:36.130771 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 23 22:36:36.237543 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:36:36.289975 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:36:36.317540 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:36:36.488095 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Nov 23 22:36:36.663624 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:36:36.760030 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 23 22:36:36.876766 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 23 22:36:36.973986 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 23 22:36:37.067317 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 23 22:36:37.162495 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8'.
Nov 23 22:36:37.276140 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Nov 23 22:36:37.376229 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 23 22:36:37.483358 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Nov 23 22:36:37.622225 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 23 22:36:37.744434 osdx ca-certificates[24394]: Updating certificates in /etc/ssl/certs...
Nov 23 22:36:38.031157 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:36:38.391301 osdx ca-certificates[25378]: 1 added, 0 removed; done.
Nov 23 22:36:38.397153 osdx ca-certificates[25382]: Running hooks in /etc/ca-certificates/update.d...
Nov 23 22:36:38.402277 osdx ca-certificates[25386]: done.
Nov 23 22:36:38.469938 osdx systemd[1]: Started DNSCrypt client proxy.
Nov 23 22:36:38.472689 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:36:38.480499 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:36:38.499667 osdx dnscrypt-proxy[25390]: dnscrypt-proxy 2.0.45
Nov 23 22:36:38.500068 osdx dnscrypt-proxy[25390]: Network connectivity detected
Nov 23 22:36:38.500617 osdx dnscrypt-proxy[25390]: Dropping privileges
Nov 23 22:36:38.503083 osdx dnscrypt-proxy[25390]: Network connectivity detected
Nov 23 22:36:38.503387 osdx dnscrypt-proxy[25390]: Now listening to 127.0.0.1:53 [UDP]
Nov 23 22:36:38.503475 osdx dnscrypt-proxy[25390]: Now listening to 127.0.0.1:53 [TCP]
Nov 23 22:36:38.503569 osdx dnscrypt-proxy[25390]: Firefox workaround initialized
Nov 23 22:36:38.503651 osdx dnscrypt-proxy[25390]: Loading the set of cloaking rules from [/tmp/tmphf9Obq]
Nov 23 22:36:38.504642 osdx dnscrypt-proxy[25390]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Nov 23 22:36:38.521745 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:36:38.644920 osdx dnscrypt-proxy[25390]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Nov 23 22:36:38.644947 osdx dnscrypt-proxy[25390]: [RD] OK (DoH) - rtt: 107ms
Nov 23 22:36:38.644960 osdx dnscrypt-proxy[25390]: Server with the lowest initial latency: RD (rtt: 107ms)
Nov 23 22:36:38.644969 osdx dnscrypt-proxy[25390]: dnscrypt-proxy is ready - live servers: 1
Example 2
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.10/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
-- Logs begin at Thu 2023-11-23 22:36:38 UTC, end at Thu 2023-11-23 22:36:44 UTC. --
Nov 23 22:36:38.880595 osdx systemd-journald[619]: Runtime journal (/run/log/journal/1b38b2114cf0481baed8058b17ed7ac1) is 2.0M, max 16.0M, 14.0M free.
Nov 23 22:36:38.900194 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'system journal clear'.
Nov 23 22:36:39.409535 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:36:39.526325 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'delete'.
Nov 23 22:36:39.641301 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Nov 23 22:36:39.808530 osdx dnscrypt-proxy[25390]: Stopped.
Nov 23 22:36:39.810218 osdx systemd[1]: Stopping DNSCrypt client proxy...
Nov 23 22:36:39.811092 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Nov 23 22:36:39.811600 osdx systemd[1]: Stopped DNSCrypt client proxy.
Nov 23 22:36:39.929928 osdx ca-certificates[25457]: Clearing symlinks in /etc/ssl/certs...
Nov 23 22:36:39.948685 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:36:40.315162 osdx ca-certificates[26015]: done.
Nov 23 22:36:40.322466 osdx ca-certificates[26022]: Updating certificates in /etc/ssl/certs...
Nov 23 22:36:40.900646 osdx ca-certificates[26859]: 137 added, 0 removed; done.
Nov 23 22:36:40.907016 osdx ca-certificates[26863]: Running hooks in /etc/ca-certificates/update.d...
Nov 23 22:36:40.914553 osdx ca-certificates[26867]: done.
Nov 23 22:36:40.980983 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:36:40.986131 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:36:41.030289 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:36:42.673987 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:36:42.770317 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 23 22:36:42.862863 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 23 22:36:42.979973 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 23 22:36:43.102547 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 23 22:36:43.223537 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8'.
Nov 23 22:36:43.310351 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Nov 23 22:36:43.399628 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 23 22:36:43.492940 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Nov 23 22:36:43.583408 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 23 22:36:43.712987 osdx ca-certificates[26913]: Updating certificates in /etc/ssl/certs...
Nov 23 22:36:44.362088 osdx ca-certificates[27898]: 1 added, 0 removed; done.
Nov 23 22:36:44.367892 osdx ca-certificates[27902]: Running hooks in /etc/ca-certificates/update.d...
Nov 23 22:36:44.372975 osdx ca-certificates[27906]: done.
Nov 23 22:36:44.403087 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 23 22:36:44.561355 osdx systemd[1]: Started DNSCrypt client proxy.
Nov 23 22:36:44.564065 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:36:44.606686 osdx dnscrypt-proxy[27965]: dnscrypt-proxy 2.0.45
Nov 23 22:36:44.606768 osdx dnscrypt-proxy[27965]: Network connectivity detected
Nov 23 22:36:44.607130 osdx dnscrypt-proxy[27965]: Dropping privileges
Nov 23 22:36:44.615835 osdx dnscrypt-proxy[27965]: Network connectivity detected
Nov 23 22:36:44.616170 osdx dnscrypt-proxy[27965]: Now listening to 127.0.0.1:53 [UDP]
Nov 23 22:36:44.616285 osdx dnscrypt-proxy[27965]: Now listening to 127.0.0.1:53 [TCP]
Nov 23 22:36:44.616383 osdx dnscrypt-proxy[27965]: Firefox workaround initialized
Nov 23 22:36:44.616482 osdx dnscrypt-proxy[27965]: Loading the set of cloaking rules from [/tmp/tmpXSjcXk]
Nov 23 22:36:44.619318 osdx dnscrypt-proxy[27965]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Nov 23 22:36:44.641069 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:36:44.692307 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:36:44.806971 osdx dnscrypt-proxy[27965]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Nov 23 22:36:44.806989 osdx dnscrypt-proxy[27965]: [RD] OK (DoH) - rtt: 130ms
Nov 23 22:36:44.806999 osdx dnscrypt-proxy[27965]: Server with the lowest initial latency: RD (rtt: 130ms)
Nov 23 22:36:44.807006 osdx dnscrypt-proxy[27965]: dnscrypt-proxy is ready - live servers: 1
Example 3
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.10/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
-- Logs begin at Thu 2023-11-23 22:36:44 UTC, end at Thu 2023-11-23 22:36:50 UTC. --
Nov 23 22:36:44.999944 osdx systemd-journald[619]: Runtime journal (/run/log/journal/1b38b2114cf0481baed8058b17ed7ac1) is 2.0M, max 16.0M, 14.0M free.
Nov 23 22:36:45.013010 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'system journal clear'.
Nov 23 22:36:45.373474 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:36:45.464482 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'delete'.
Nov 23 22:36:45.576902 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Nov 23 22:36:45.708845 osdx dnscrypt-proxy[27965]: Stopped.
Nov 23 22:36:45.710201 osdx systemd[1]: Stopping DNSCrypt client proxy...
Nov 23 22:36:45.710830 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Nov 23 22:36:45.711198 osdx systemd[1]: Stopped DNSCrypt client proxy.
Nov 23 22:36:45.832620 osdx ca-certificates[28047]: Clearing symlinks in /etc/ssl/certs...
Nov 23 22:36:46.174673 osdx ca-certificates[28605]: done.
Nov 23 22:36:46.183278 osdx ca-certificates[28610]: Updating certificates in /etc/ssl/certs...
Nov 23 22:36:46.770537 osdx ca-certificates[29448]: 137 added, 0 removed; done.
Nov 23 22:36:46.776478 osdx ca-certificates[29452]: Running hooks in /etc/ca-certificates/update.d...
Nov 23 22:36:46.781838 osdx ca-certificates[29456]: done.
Nov 23 22:36:46.824046 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:36:46.827735 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:36:46.860256 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:36:48.315215 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:36:48.442822 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 23 22:36:48.566099 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 23 22:36:48.660415 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 23 22:36:48.750598 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 23 22:36:48.846286 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8'.
Nov 23 22:36:48.932338 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Nov 23 22:36:49.051274 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Nov 23 22:36:49.142132 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 23 22:36:49.238308 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Nov 23 22:36:49.331443 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 23 22:36:49.453766 osdx ca-certificates[29505]: Updating certificates in /etc/ssl/certs...
Nov 23 22:36:49.966071 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:36:49.966181 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:36:49.966297 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:36:49.966664 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:36:49.968767 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:36:50.095923 osdx ca-certificates[30489]: 1 added, 0 removed; done.
Nov 23 22:36:50.101970 osdx ca-certificates[30493]: Running hooks in /etc/ca-certificates/update.d...
Nov 23 22:36:50.107324 osdx ca-certificates[30497]: done.
Nov 23 22:36:50.147238 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 23 22:36:50.309568 osdx systemd[1]: Started DNSCrypt client proxy.
Nov 23 22:36:50.312401 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:36:50.351934 osdx dnscrypt-proxy[30556]: dnscrypt-proxy 2.0.45
Nov 23 22:36:50.352329 osdx dnscrypt-proxy[30556]: Network connectivity detected
Nov 23 22:36:50.354634 osdx dnscrypt-proxy[30556]: Dropping privileges
Nov 23 22:36:50.363255 osdx dnscrypt-proxy[30556]: Network connectivity detected
Nov 23 22:36:50.363574 osdx dnscrypt-proxy[30556]: Now listening to 127.0.0.1:53 [UDP]
Nov 23 22:36:50.363683 osdx dnscrypt-proxy[30556]: Now listening to 127.0.0.1:53 [TCP]
Nov 23 22:36:50.363783 osdx dnscrypt-proxy[30556]: Firefox workaround initialized
Nov 23 22:36:50.363868 osdx dnscrypt-proxy[30556]: Loading the set of cloaking rules from [/tmp/tmph89jhG]
Nov 23 22:36:50.365132 osdx dnscrypt-proxy[30556]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Nov 23 22:36:50.393645 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:36:50.425938 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:36:50.551088 osdx dnscrypt-proxy[30556]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Nov 23 22:36:50.551114 osdx dnscrypt-proxy[30556]: [RD] OK (DoH) - rtt: 120ms
Nov 23 22:36:50.551128 osdx dnscrypt-proxy[30556]: Server with the lowest initial latency: RD (rtt: 120ms)
Nov 23 22:36:50.551138 osdx dnscrypt-proxy[30556]: dnscrypt-proxy is ready - live servers: 1
Invalid Cipher With Fallback
Description
Configures an invalid cipher and a valid fallback cipher, then tries to communicate with the server. No refusal of the cipher is expected, as long as the valid cipher proposed is the one used.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.10/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
-- Logs begin at Thu 2023-11-23 22:36:58 UTC, end at Thu 2023-11-23 22:37:01 UTC. --
Nov 23 22:36:58.346519 osdx systemd-journald[619]: Runtime journal (/run/log/journal/1b38b2114cf0481baed8058b17ed7ac1) is 2.0M, max 16.0M, 14.0M free.
Nov 23 22:36:58.360192 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'system journal clear'.
Nov 23 22:36:58.704313 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:36:58.827193 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Nov 23 22:36:58.923994 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 23 22:36:59.060984 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 23 22:36:59.195601 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:36:59.247437 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:36:59.307330 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:36:59.489911 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Nov 23 22:36:59.669220 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:36:59.764986 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 23 22:36:59.858615 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 23 22:36:59.967186 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 23 22:37:00.085065 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 23 22:37:00.206163 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8'.
Nov 23 22:37:00.290731 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Nov 23 22:37:00.382667 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Nov 23 22:37:00.497393 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 23 22:37:00.617868 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Nov 23 22:37:00.710526 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 23 22:37:00.827954 osdx ca-certificates[32284]: Updating certificates in /etc/ssl/certs...
Nov 23 22:37:01.475683 osdx ca-certificates[807]: 1 added, 0 removed; done.
Nov 23 22:37:01.481472 osdx ca-certificates[811]: Running hooks in /etc/ca-certificates/update.d...
Nov 23 22:37:01.488116 osdx ca-certificates[815]: done.
Nov 23 22:37:01.571256 osdx systemd[1]: Started DNSCrypt client proxy.
Nov 23 22:37:01.574562 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:37:01.583454 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:37:01.609324 osdx dnscrypt-proxy[819]: dnscrypt-proxy 2.0.45
Nov 23 22:37:01.609794 osdx dnscrypt-proxy[819]: Network connectivity detected
Nov 23 22:37:01.610464 osdx dnscrypt-proxy[819]: Dropping privileges
Nov 23 22:37:01.613608 osdx dnscrypt-proxy[819]: Network connectivity detected
Nov 23 22:37:01.614102 osdx dnscrypt-proxy[819]: Now listening to 127.0.0.1:53 [UDP]
Nov 23 22:37:01.614114 osdx dnscrypt-proxy[819]: Now listening to 127.0.0.1:53 [TCP]
Nov 23 22:37:01.614145 osdx dnscrypt-proxy[819]: Firefox workaround initialized
Nov 23 22:37:01.614155 osdx dnscrypt-proxy[819]: Loading the set of cloaking rules from [/tmp/tmp6HZzCb]
Nov 23 22:37:01.626863 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:37:01.778967 osdx dnscrypt-proxy[819]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Nov 23 22:37:01.778985 osdx dnscrypt-proxy[819]: [RD] OK (DoH) - rtt: 118ms
Nov 23 22:37:01.778996 osdx dnscrypt-proxy[819]: Server with the lowest initial latency: RD (rtt: 118ms)
Nov 23 22:37:01.779002 osdx dnscrypt-proxy[819]: dnscrypt-proxy is ready - live servers: 1
Nov 23 22:37:01.798572 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
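The journal check in Step 3 can be scripted. The following is an added example, not part of the OSDx test suite: it reads the configured cipher list and the dnscrypt-proxy journal lines and reports whether the negotiated suite is one of the configured ones. The function names and verdict strings are assumptions; the sample inputs are abridged from the configurations and journals on this page, the suite numbers are the IANA TLS cipher suite IDs, and the TLS version field is assumed to be hexadecimal (303 = TLS 1.2).

```python
import re

# IANA TLS cipher suite IDs for the algorithm names used on this page.
SUITE_IDS = {
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,        # 49199
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xC030,        # 49200
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": 0xCCA8,  # 52392
}
SUITE_NAMES = {v: k for k, v in SUITE_IDS.items()}

CFG_RE = re.compile(r"set service dns proxy cipher (\d+) algorithm ([A-Z0-9_]+)")
NEG_RE = re.compile(
    r"dnscrypt-proxy\[(?P<pid>\d+)\]: \[(?P<server>[^\]]+)\] "
    r"TLS version: (?P<ver>[0-9a-fA-F]+) - Protocol: (?P<proto>\S+) - "
    r"Cipher suite: (?P<suite>\d+)"
)
FAIL_RE = re.compile(r"dnscrypt-proxy\[(?P<pid>\d+)\]: TLS handshake failure")


def configured_suites(config):
    """Configured algorithm names in priority order (cipher 1, cipher 2, ...)."""
    pairs = sorted((int(idx), name) for idx, name in CFG_RE.findall(config))
    return [name for _, name in pairs]


def audit_journal(config, journal):
    """Check the suite negotiated by the last dnscrypt-proxy session in
    `journal` against the cipher list in `config`."""
    allowed = configured_suites(config)
    allowed_ids = {SUITE_IDS[n] for n in allowed if n in SUITE_IDS}
    result = {"configured": allowed, "handshake_failure": False,
              "negotiated": None, "tls_version": None, "verdict": "no-session"}

    sessions = list(NEG_RE.finditer(journal))
    if not sessions:
        # No session line at all: report only whether a failure was logged.
        result["handshake_failure"] = FAIL_RE.search(journal) is not None
        return result

    last = sessions[-1]
    suite = int(last["suite"])
    # Only count a failure logged by the same proxy instance (same PID);
    # a journal may still hold lines from a previous, stopped instance.
    result["handshake_failure"] = any(
        m["pid"] == last["pid"] for m in FAIL_RE.finditer(journal))
    result["negotiated"] = SUITE_NAMES.get(suite, f"0x{suite:04X}")
    result["tls_version"] = f"0x{int(last['ver'], 16):04x}"
    result["verdict"] = "ok" if suite in allowed_ids else "outside-config"
    return result


# Sample inputs, abridged from the configurations and journals on this page.
CONFIG_FALLBACK = """
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""
JOURNAL_FALLBACK = """
Nov 23 22:37:01.609324 osdx dnscrypt-proxy[819]: dnscrypt-proxy 2.0.45
Nov 23 22:37:01.778967 osdx dnscrypt-proxy[819]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Nov 23 22:37:01.778985 osdx dnscrypt-proxy[819]: [RD] OK (DoH) - rtt: 118ms
"""
CONFIG_INVALID = """
set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
"""
JOURNAL_INVALID = """
Nov 23 22:36:50.351934 osdx dnscrypt-proxy[30556]: dnscrypt-proxy 2.0.45
Nov 23 22:36:50.365132 osdx dnscrypt-proxy[30556]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Nov 23 22:36:50.551088 osdx dnscrypt-proxy[30556]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Nov 23 22:36:50.551114 osdx dnscrypt-proxy[30556]: [RD] OK (DoH) - rtt: 120ms
"""

if __name__ == "__main__":
    for label, cfg, log in (("fallback", CONFIG_FALLBACK, JOURNAL_FALLBACK),
                            ("invalid", CONFIG_INVALID, JOURNAL_INVALID)):
        r = audit_journal(cfg, log)
        print(f"{label}: verdict={r['verdict']} negotiated={r['negotiated']} "
              f"tls={r['tls_version']} handshake_failure={r['handshake_failure']}")
```

On the Invalid Cipher journals earlier on this page the check reports outside-config: the failure token is followed by a session on suite 52392, which is not in the configured list.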
Example 2
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.10/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
-- Logs begin at Thu 2023-11-23 22:37:02 UTC, end at Thu 2023-11-23 22:37:08 UTC. --
Nov 23 22:37:02.067694 osdx systemd-journald[619]: Runtime journal (/run/log/journal/1b38b2114cf0481baed8058b17ed7ac1) is 2.0M, max 16.0M, 14.0M free.
Nov 23 22:37:02.080972 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'system journal clear'.
Nov 23 22:37:02.474421 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:37:02.566008 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'delete'.
Nov 23 22:37:02.696235 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Nov 23 22:37:02.779401 osdx dnscrypt-proxy[819]: Stopped.
Nov 23 22:37:02.780637 osdx systemd[1]: Stopping DNSCrypt client proxy...
Nov 23 22:37:02.781287 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Nov 23 22:37:02.781656 osdx systemd[1]: Stopped DNSCrypt client proxy.
Nov 23 22:37:02.909870 osdx ca-certificates[899]: Clearing symlinks in /etc/ssl/certs...
Nov 23 22:37:03.284257 osdx ca-certificates[1482]: done.
Nov 23 22:37:03.294342 osdx ca-certificates[1486]: Updating certificates in /etc/ssl/certs...
Nov 23 22:37:03.943642 osdx ca-certificates[2326]: 137 added, 0 removed; done.
Nov 23 22:37:03.951778 osdx ca-certificates[2330]: Running hooks in /etc/ca-certificates/update.d...
Nov 23 22:37:03.959202 osdx ca-certificates[2334]: done.
Nov 23 22:37:04.005446 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:37:04.010479 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:37:04.052533 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:37:04.360402 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:37:04.360508 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:37:04.360604 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:37:04.360922 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:37:04.363090 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:37:05.463431 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:37:05.571526 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 23 22:37:05.692031 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 23 22:37:05.876926 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 23 22:37:06.052701 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 23 22:37:06.202946 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8'.
Nov 23 22:37:06.306388 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Nov 23 22:37:06.437805 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Nov 23 22:37:06.569458 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 23 22:37:06.694787 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Nov 23 22:37:06.800440 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 23 22:37:06.965546 osdx ca-certificates[2381]: Updating certificates in /etc/ssl/certs...
Nov 23 22:37:07.425507 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:37:07.667223 osdx ca-certificates[3366]: 1 added, 0 removed; done.
Nov 23 22:37:07.673498 osdx ca-certificates[3370]: Running hooks in /etc/ca-certificates/update.d...
Nov 23 22:37:07.678831 osdx ca-certificates[3374]: done.
Nov 23 22:37:07.709381 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 23 22:37:07.869370 osdx systemd[1]: Started DNSCrypt client proxy.
Nov 23 22:37:07.872194 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:37:07.914545 osdx dnscrypt-proxy[3433]: dnscrypt-proxy 2.0.45
Nov 23 22:37:07.917336 osdx dnscrypt-proxy[3433]: Network connectivity detected
Nov 23 22:37:07.917654 osdx dnscrypt-proxy[3433]: Dropping privileges
Nov 23 22:37:07.926195 osdx dnscrypt-proxy[3433]: Network connectivity detected
Nov 23 22:37:07.926514 osdx dnscrypt-proxy[3433]: Now listening to 127.0.0.1:53 [UDP]
Nov 23 22:37:07.926604 osdx dnscrypt-proxy[3433]: Now listening to 127.0.0.1:53 [TCP]
Nov 23 22:37:07.926697 osdx dnscrypt-proxy[3433]: Firefox workaround initialized
Nov 23 22:37:07.926794 osdx dnscrypt-proxy[3433]: Loading the set of cloaking rules from [/tmp/tmpInxJso]
Nov 23 22:37:07.953975 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:37:07.982056 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:37:08.128474 osdx dnscrypt-proxy[3433]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Nov 23 22:37:08.128491 osdx dnscrypt-proxy[3433]: [RD] OK (DoH) - rtt: 139ms
Nov 23 22:37:08.128502 osdx dnscrypt-proxy[3433]: Server with the lowest initial latency: RD (rtt: 139ms)
Nov 23 22:37:08.128508 osdx dnscrypt-proxy[3433]: dnscrypt-proxy is ready - live servers: 1
Nov 23 22:37:08.171073 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 3
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.10/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
-- Logs begin at Thu 2023-11-23 22:37:08 UTC, end at Thu 2023-11-23 22:37:14 UTC. --
Nov 23 22:37:08.469526 osdx systemd-journald[619]: Runtime journal (/run/log/journal/1b38b2114cf0481baed8058b17ed7ac1) is 2.0M, max 16.0M, 14.0M free.
Nov 23 22:37:08.488658 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'system journal clear'.
Nov 23 22:37:08.905543 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:37:08.995798 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'delete'.
Nov 23 22:37:09.130637 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Nov 23 22:37:09.217794 osdx dnscrypt-proxy[3433]: Stopped.
Nov 23 22:37:09.219129 osdx systemd[1]: Stopping DNSCrypt client proxy...
Nov 23 22:37:09.219757 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Nov 23 22:37:09.220142 osdx systemd[1]: Stopped DNSCrypt client proxy.
Nov 23 22:37:09.318677 osdx ca-certificates[3521]: Clearing symlinks in /etc/ssl/certs...
Nov 23 22:37:09.344670 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:37:09.657865 osdx ca-certificates[4079]: done.
Nov 23 22:37:09.666296 osdx ca-certificates[4083]: Updating certificates in /etc/ssl/certs...
Nov 23 22:37:10.213379 osdx ca-certificates[4922]: 137 added, 0 removed; done.
Nov 23 22:37:10.219222 osdx ca-certificates[4926]: Running hooks in /etc/ca-certificates/update.d...
Nov 23 22:37:10.224788 osdx ca-certificates[4930]: done.
Nov 23 22:37:10.267876 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:37:10.271715 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:37:10.326310 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:37:11.806237 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:37:11.918670 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 23 22:37:12.058480 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 23 22:37:12.168627 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 23 22:37:12.284383 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 23 22:37:12.408179 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8'.
Nov 23 22:37:12.493337 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Nov 23 22:37:12.619026 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Nov 23 22:37:12.724989 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 23 22:37:12.843974 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Nov 23 22:37:12.947622 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 23 22:37:13.097275 osdx ca-certificates[4977]: Updating certificates in /etc/ssl/certs...
Nov 23 22:37:13.857963 osdx ca-certificates[5961]: 1 added, 0 removed; done.
Nov 23 22:37:13.866837 osdx ca-certificates[5965]: Running hooks in /etc/ca-certificates/update.d...
Nov 23 22:37:13.874682 osdx ca-certificates[5969]: done.
Nov 23 22:37:13.917929 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 23 22:37:14.088890 osdx systemd[1]: Started DNSCrypt client proxy.
Nov 23 22:37:14.091856 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:37:14.145342 osdx dnscrypt-proxy[6028]: dnscrypt-proxy 2.0.45
Nov 23 22:37:14.145771 osdx dnscrypt-proxy[6028]: Network connectivity detected
Nov 23 22:37:14.146878 osdx dnscrypt-proxy[6028]: Dropping privileges
Nov 23 22:37:14.154029 osdx dnscrypt-proxy[6028]: Network connectivity detected
Nov 23 22:37:14.154354 osdx dnscrypt-proxy[6028]: Now listening to 127.0.0.1:53 [UDP]
Nov 23 22:37:14.154445 osdx dnscrypt-proxy[6028]: Now listening to 127.0.0.1:53 [TCP]
Nov 23 22:37:14.154544 osdx dnscrypt-proxy[6028]: Firefox workaround initialized
Nov 23 22:37:14.154625 osdx dnscrypt-proxy[6028]: Loading the set of cloaking rules from [/tmp/tmpwY4RxD]
Nov 23 22:37:14.192929 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:37:14.244265 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:37:14.385294 osdx dnscrypt-proxy[6028]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Nov 23 22:37:14.385319 osdx dnscrypt-proxy[6028]: [RD] OK (DoH) - rtt: 123ms
Nov 23 22:37:14.385332 osdx dnscrypt-proxy[6028]: Server with the lowest initial latency: RD (rtt: 123ms)
Nov 23 22:37:14.385341 osdx dnscrypt-proxy[6028]: dnscrypt-proxy is ready - live servers: 1
Nov 23 22:37:14.421634 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 4
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.10/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
-- Logs begin at Thu 2023-11-23 22:37:14 UTC, end at Thu 2023-11-23 22:37:20 UTC. --
Nov 23 22:37:14.723442 osdx systemd-journald[619]: Runtime journal (/run/log/journal/1b38b2114cf0481baed8058b17ed7ac1) is 2.0M, max 16.0M, 14.0M free.
Nov 23 22:37:14.740906 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'system journal clear'.
Nov 23 22:37:15.136183 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:37:15.227379 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'delete'.
Nov 23 22:37:15.333650 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Nov 23 22:37:15.444296 osdx dnscrypt-proxy[6028]: Stopped.
Nov 23 22:37:15.445601 osdx systemd[1]: Stopping DNSCrypt client proxy...
Nov 23 22:37:15.446228 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Nov 23 22:37:15.446616 osdx systemd[1]: Stopped DNSCrypt client proxy.
Nov 23 22:37:15.549558 osdx ca-certificates[6116]: Clearing symlinks in /etc/ssl/certs...
Nov 23 22:37:15.914658 osdx ca-certificates[6674]: done.
Nov 23 22:37:15.921877 osdx ca-certificates[6679]: Updating certificates in /etc/ssl/certs...
Nov 23 22:37:16.527101 osdx ca-certificates[7518]: 137 added, 0 removed; done.
Nov 23 22:37:16.533054 osdx ca-certificates[7522]: Running hooks in /etc/ca-certificates/update.d...
Nov 23 22:37:16.538619 osdx ca-certificates[7526]: done.
Nov 23 22:37:16.581571 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:37:16.585360 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:37:16.622336 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:37:18.245696 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:37:18.343531 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 23 22:37:18.465051 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 23 22:37:18.566151 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 23 22:37:18.672402 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 23 22:37:18.809685 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8'.
Nov 23 22:37:18.913593 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Nov 23 22:37:19.051570 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Nov 23 22:37:19.152317 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 23 22:37:19.276754 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Nov 23 22:37:19.363181 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:37:19.363293 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:37:19.363392 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:37:19.363490 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:37:19.363586 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:37:19.437410 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 23 22:37:19.610576 osdx ca-certificates[7573]: Updating certificates in /etc/ssl/certs...
Nov 23 22:37:20.350935 osdx ca-certificates[8557]: 1 added, 0 removed; done.
Nov 23 22:37:20.356876 osdx ca-certificates[8561]: Running hooks in /etc/ca-certificates/update.d...
Nov 23 22:37:20.362124 osdx ca-certificates[8565]: done.
Nov 23 22:37:20.400996 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 23 22:37:20.570658 osdx systemd[1]: Started DNSCrypt client proxy.
Nov 23 22:37:20.573507 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:37:20.614105 osdx dnscrypt-proxy[8624]: dnscrypt-proxy 2.0.45
Nov 23 22:37:20.616994 osdx dnscrypt-proxy[8624]: Network connectivity detected
Nov 23 22:37:20.617320 osdx dnscrypt-proxy[8624]: Dropping privileges
Nov 23 22:37:20.626097 osdx dnscrypt-proxy[8624]: Network connectivity detected
Nov 23 22:37:20.626409 osdx dnscrypt-proxy[8624]: Now listening to 127.0.0.1:53 [UDP]
Nov 23 22:37:20.626497 osdx dnscrypt-proxy[8624]: Now listening to 127.0.0.1:53 [TCP]
Nov 23 22:37:20.626597 osdx dnscrypt-proxy[8624]: Firefox workaround initialized
Nov 23 22:37:20.626695 osdx dnscrypt-proxy[8624]: Loading the set of cloaking rules from [/tmp/tmphre93G]
Nov 23 22:37:20.645701 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:37:20.673531 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:37:20.826578 osdx dnscrypt-proxy[8624]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Nov 23 22:37:20.826604 osdx dnscrypt-proxy[8624]: [RD] OK (DoH) - rtt: 129ms
Nov 23 22:37:20.826617 osdx dnscrypt-proxy[8624]: Server with the lowest initial latency: RD (rtt: 129ms)
Nov 23 22:37:20.826626 osdx dnscrypt-proxy[8624]: dnscrypt-proxy is ready - live servers: 1
Nov 23 22:37:20.849566 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 5
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.10/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
Output:
-- Logs begin at Thu 2023-11-23 22:37:21 UTC, end at Thu 2023-11-23 22:37:27 UTC. --
Nov 23 22:37:21.152622 osdx systemd-journald[619]: Runtime journal (/run/log/journal/1b38b2114cf0481baed8058b17ed7ac1) is 2.0M, max 16.0M, 14.0M free.
Nov 23 22:37:21.172035 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'system journal clear'.
Nov 23 22:37:21.612797 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:37:21.707295 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'delete'.
Nov 23 22:37:21.874778 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Nov 23 22:37:21.982212 osdx dnscrypt-proxy[8624]: Stopped.
Nov 23 22:37:21.983801 osdx systemd[1]: Stopping DNSCrypt client proxy...
Nov 23 22:37:21.984576 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Nov 23 22:37:21.985077 osdx systemd[1]: Stopped DNSCrypt client proxy.
Nov 23 22:37:22.118860 osdx ca-certificates[8712]: Clearing symlinks in /etc/ssl/certs...
Nov 23 22:37:22.425530 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:37:22.450217 osdx ca-certificates[9270]: done.
Nov 23 22:37:22.457912 osdx ca-certificates[9274]: Updating certificates in /etc/ssl/certs...
Nov 23 22:37:23.054233 osdx ca-certificates[10114]: 137 added, 0 removed; done.
Nov 23 22:37:23.059997 osdx ca-certificates[10118]: Running hooks in /etc/ca-certificates/update.d...
Nov 23 22:37:23.065147 osdx ca-certificates[10122]: done.
Nov 23 22:37:23.106524 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:37:23.110094 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:37:23.142736 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:37:24.345732 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:37:24.608172 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:37:24.705390 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 23 22:37:24.852126 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 23 22:37:24.983475 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 23 22:37:25.084489 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 23 22:37:25.221194 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8'.
Nov 23 22:37:25.354238 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Nov 23 22:37:25.478522 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Nov 23 22:37:25.589032 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 23 22:37:25.708276 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Nov 23 22:37:25.799327 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 23 22:37:25.929538 osdx ca-certificates[10169]: Updating certificates in /etc/ssl/certs...
Nov 23 22:37:26.571195 osdx ca-certificates[11157]: 1 added, 0 removed; done.
Nov 23 22:37:26.577042 osdx ca-certificates[11161]: Running hooks in /etc/ca-certificates/update.d...
Nov 23 22:37:26.582199 osdx ca-certificates[11165]: done.
Nov 23 22:37:26.613040 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 23 22:37:26.779007 osdx systemd[1]: Started DNSCrypt client proxy.
Nov 23 22:37:26.781980 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:37:26.825435 osdx dnscrypt-proxy[11224]: dnscrypt-proxy 2.0.45
Nov 23 22:37:26.825857 osdx dnscrypt-proxy[11224]: Network connectivity detected
Nov 23 22:37:26.827099 osdx dnscrypt-proxy[11224]: Dropping privileges
Nov 23 22:37:26.834098 osdx dnscrypt-proxy[11224]: Network connectivity detected
Nov 23 22:37:26.834467 osdx dnscrypt-proxy[11224]: Now listening to 127.0.0.1:53 [UDP]
Nov 23 22:37:26.834561 osdx dnscrypt-proxy[11224]: Now listening to 127.0.0.1:53 [TCP]
Nov 23 22:37:26.834660 osdx dnscrypt-proxy[11224]: Firefox workaround initialized
Nov 23 22:37:26.834742 osdx dnscrypt-proxy[11224]: Loading the set of cloaking rules from [/tmp/tmpkU7BZu]
Nov 23 22:37:26.871638 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:37:26.943880 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:37:27.012632 osdx dnscrypt-proxy[11224]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Nov 23 22:37:27.012657 osdx dnscrypt-proxy[11224]: [RD] OK (DoH) - rtt: 115ms
Nov 23 22:37:27.012671 osdx dnscrypt-proxy[11224]: Server with the lowest initial latency: RD (rtt: 115ms)
Nov 23 22:37:27.012681 osdx dnscrypt-proxy[11224]: dnscrypt-proxy is ready - live servers: 1
Nov 23 22:37:27.115701 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 6
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.10/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Output:
-- Logs begin at Thu 2023-11-23 22:37:27 UTC, end at Thu 2023-11-23 22:37:33 UTC. --
Nov 23 22:37:27.388996 osdx systemd-journald[619]: Runtime journal (/run/log/journal/1b38b2114cf0481baed8058b17ed7ac1) is 2.0M, max 16.0M, 14.0M free.
Nov 23 22:37:27.403170 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'system journal clear'.
Nov 23 22:37:27.782867 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:37:27.883845 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'delete'.
Nov 23 22:37:28.003129 osdx systemd[1]: systemd-timedated.service: Succeeded.
Nov 23 22:37:28.039006 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Nov 23 22:37:28.159940 osdx dnscrypt-proxy[11224]: Stopped.
Nov 23 22:37:28.161179 osdx systemd[1]: Stopping DNSCrypt client proxy...
Nov 23 22:37:28.161653 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Nov 23 22:37:28.162015 osdx systemd[1]: Stopped DNSCrypt client proxy.
Nov 23 22:37:28.261603 osdx ca-certificates[11313]: Clearing symlinks in /etc/ssl/certs...
Nov 23 22:37:28.637803 osdx ca-certificates[11871]: done.
Nov 23 22:37:28.645910 osdx ca-certificates[11876]: Updating certificates in /etc/ssl/certs...
Nov 23 22:37:29.215666 osdx ca-certificates[12714]: 137 added, 0 removed; done.
Nov 23 22:37:29.224220 osdx ca-certificates[12718]: Running hooks in /etc/ca-certificates/update.d...
Nov 23 22:37:29.231715 osdx ca-certificates[12722]: done.
Nov 23 22:37:29.296549 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:37:29.301497 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:37:29.344721 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:37:30.798839 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:37:30.897436 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 23 22:37:31.012973 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Nov 23 22:37:31.108045 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Nov 23 22:37:31.198901 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Nov 23 22:37:31.291509 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 49f1ad88a12ee9d7d2acc5f1be8e1c526fa803f3edb1ce34a8e7ac2004df5bb8'.
Nov 23 22:37:31.404376 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Nov 23 22:37:31.495582 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Nov 23 22:37:31.610345 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Nov 23 22:37:31.703117 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Nov 23 22:37:31.793884 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 23 22:37:31.916195 osdx ca-certificates[12769]: Updating certificates in /etc/ssl/certs...
Nov 23 22:37:32.538535 osdx ca-certificates[13753]: 1 added, 0 removed; done.
Nov 23 22:37:32.544147 osdx ca-certificates[13757]: Running hooks in /etc/ca-certificates/update.d...
Nov 23 22:37:32.549323 osdx ca-certificates[13761]: done.
Nov 23 22:37:32.580979 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 23 22:37:32.747224 osdx systemd[1]: Started DNSCrypt client proxy.
Nov 23 22:37:32.751139 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:37:32.798188 osdx dnscrypt-proxy[13820]: dnscrypt-proxy 2.0.45
Nov 23 22:37:32.798609 osdx dnscrypt-proxy[13820]: Network connectivity detected
Nov 23 22:37:32.800456 osdx dnscrypt-proxy[13820]: Dropping privileges
Nov 23 22:37:32.807094 osdx dnscrypt-proxy[13820]: Network connectivity detected
Nov 23 22:37:32.809721 osdx dnscrypt-proxy[13820]: Now listening to 127.0.0.1:53 [UDP]
Nov 23 22:37:32.809734 osdx dnscrypt-proxy[13820]: Now listening to 127.0.0.1:53 [TCP]
Nov 23 22:37:32.809757 osdx dnscrypt-proxy[13820]: Firefox workaround initialized
Nov 23 22:37:32.809763 osdx dnscrypt-proxy[13820]: Loading the set of cloaking rules from [/tmp/tmpSuSvsU]
Nov 23 22:37:32.832445 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:37:32.862353 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:37:33.001886 osdx dnscrypt-proxy[13820]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Nov 23 22:37:33.001904 osdx dnscrypt-proxy[13820]: [RD] OK (DoH) - rtt: 121ms
Nov 23 22:37:33.001914 osdx dnscrypt-proxy[13820]: Server with the lowest initial latency: RD (rtt: 121ms)
Nov 23 22:37:33.001921 osdx dnscrypt-proxy[13820]: dnscrypt-proxy is ready - live servers: 1
Nov 23 22:37:33.030383 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
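The token check in Step 3 of each example can be automated; the following is an added example, not part of the documented test suite or of dnscrypt-proxy. It reads the configured cipher lines and the handshake line from a journal, decodes the decimal cipher-suite number to its IANA name, and flags legacy or unconfigured suites. The first sample is abridged from the Example 4 journal, the second is constructed, and reading the version field `303` as hexadecimal 0x0303 (TLS 1.2) is an assumption.

```python
import re

# IANA code points for the suites named on this page (the log shows them in decimal).
IANA = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",        # 49199
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",        # 49200
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",  # 52392
}
# RC4 and 3DES suites: deprecated ciphers with static RSA key exchange.
LEGACY = {"TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

CFG_RE = re.compile(
    r"cfg line: 'set service dns proxy cipher (\d+) algorithm (\w+)'")
TLS_RE = re.compile(
    r"\[(\S+)\] TLS version: ([0-9a-fA-F]+) - Protocol: (\S+) - Cipher suite: (\d+)")


def audit_journal(journal):
    """Compare the configured DoH ciphers with what dnscrypt-proxy negotiated.

    Both patterns match anywhere in the text, so the journal may be one entry
    per line or flattened onto a single line.
    """
    configured = {int(prio): name for prio, name in CFG_RE.findall(journal)}
    report = {"configured": configured, "handshakes": [], "findings": []}

    for prio, name in sorted(configured.items()):
        if name in LEGACY:
            report["findings"].append(
                f"legacy suite configured as cipher {prio}: {name}")

    for server, version_hex, alpn, suite_dec in TLS_RE.findall(journal):
        version = int(version_hex, 16)  # assumption: version is logged in hex
        suite = int(suite_dec)          # decimal IANA code point
        name = IANA.get(suite, f"unknown(0x{suite:04X})")
        report["handshakes"].append({
            "server": server,
            "tls": TLS_VERSIONS.get(version, f"0x{version:04X}"),
            "alpn": alpn,
            "suite": name,
        })
        if configured and name not in configured.values():
            report["findings"].append(
                f"suite negotiated with {server} is not configured: {name}")
        if name in LEGACY:
            report["findings"].append(
                f"legacy suite negotiated with {server}: {name}")
        if version < 0x0303:
            report["findings"].append(
                f"{server} negotiated a TLS version below 1.2")

    if not report["handshakes"]:
        report["findings"].append("no TLS handshake line found")
    return report


# Abridged from the Example 4 journal (flattened, as extracted).
SAMPLE_OK = (
    "Nov 23 22:37:18.913593 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: "
    "'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'. "
    "Nov 23 22:37:19.051570 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: "
    "'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'. "
    "Nov 23 22:37:20.826578 osdx dnscrypt-proxy[8624]: [RD] TLS version: 303 - "
    "Protocol: h2 - Cipher suite: 49199"
)
# Constructed failure case: same journal, but the 3DES suite (code point 10) wins.
SAMPLE_BAD = SAMPLE_OK.replace("Cipher suite: 49199", "Cipher suite: 10")

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        result = audit_journal(text)
        print(label, result["handshakes"], result["findings"])
```
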