Cipher

Test suite to validate the use of one or multiple ciphers to protect the DoH connection.

Single Valid Cipher

Description

Configures a single, valid cipher and tries to communicate with the server. No refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Output:
-- Logs begin at Wed 2023-12-13 01:00:24 UTC, end at Wed 2023-12-13 01:00:35 UTC. --
Dec 13 01:00:24.413039 osdx systemd-journald[1450]: Runtime journal (/run/log/journal/fa37e9b1f0b54640986d40edb905b319) is 2.0M, max 16.0M, 14.0M free.
Dec 13 01:00:24.426575 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system journal clear'.
Dec 13 01:00:25.001863 osdx osdx-coredump[24605]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Dec 13 01:00:25.010739 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 13 01:00:25.939109 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:00:26.016989 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:00:26.066242 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 13 01:00:26.172880 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 13 01:00:26.344390 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 13 01:00:26.459407 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:00:26.508948 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:00:26.561145 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:00:26.744722 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Dec 13 01:00:26.962370 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:00:27.060663 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 13 01:00:27.180757 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 13 01:00:27.277996 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 13 01:00:27.370129 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 13 01:00:27.470132 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Dec 13 01:00:27.558976 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Dec 13 01:00:27.674973 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 13 01:00:27.799163 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 13 01:00:27.909003 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 13 01:00:28.079079 osdx ca-certificates[24744]: Updating certificates in /etc/ssl/certs...
Dec 13 01:00:28.738223 osdx ca-certificates[25728]: 1 added, 0 removed; done.
Dec 13 01:00:28.744111 osdx ca-certificates[25732]: Running hooks in /etc/ca-certificates/update.d...
Dec 13 01:00:28.749572 osdx ca-certificates[25736]: done.
Dec 13 01:00:28.815639 osdx systemd[1]: Started DNSCrypt client proxy.
Dec 13 01:00:28.818400 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:00:28.825752 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:00:28.845330 osdx dnscrypt-proxy[25740]: dnscrypt-proxy 2.0.45
Dec 13 01:00:28.845772 osdx dnscrypt-proxy[25740]: Network connectivity detected
Dec 13 01:00:28.846386 osdx dnscrypt-proxy[25740]: Dropping privileges
Dec 13 01:00:28.848913 osdx dnscrypt-proxy[25740]: Network connectivity detected
Dec 13 01:00:28.849310 osdx dnscrypt-proxy[25740]: Now listening to 127.0.0.1:53 [UDP]
Dec 13 01:00:28.849317 osdx dnscrypt-proxy[25740]: Now listening to 127.0.0.1:53 [TCP]
Dec 13 01:00:28.849344 osdx dnscrypt-proxy[25740]: Firefox workaround initialized
Dec 13 01:00:28.849351 osdx dnscrypt-proxy[25740]: Loading the set of cloaking rules from [/tmp/tmpQSzqhZ]
Dec 13 01:00:28.852922 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:00:29.079384 osdx dnscrypt-proxy[25740]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Dec 13 01:00:29.079410 osdx dnscrypt-proxy[25740]: [RD] OK (DoH) - rtt: 197ms
Dec 13 01:00:29.079423 osdx dnscrypt-proxy[25740]: Server with the lowest initial latency: RD (rtt: 197ms)
Dec 13 01:00:29.079430 osdx dnscrypt-proxy[25740]: dnscrypt-proxy is ready - live servers: 1
Dec 13 01:00:35.032448 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Multiple Valid Cipher

Description

Configures a different valid cipher in each example and tries to communicate with the server. No refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Output:
-- Logs begin at Wed 2023-12-13 01:00:45 UTC, end at Wed 2023-12-13 01:00:56 UTC. --
Dec 13 01:00:45.407549 osdx systemd-journald[1450]: Runtime journal (/run/log/journal/fa37e9b1f0b54640986d40edb905b319) is 2.0M, max 16.0M, 14.0M free.
Dec 13 01:00:45.427189 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system journal clear'.
Dec 13 01:00:46.045036 osdx osdx-coredump[27363]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Dec 13 01:00:46.053387 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 13 01:00:46.989061 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:00:47.109972 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 13 01:00:47.249904 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 13 01:00:47.412856 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 13 01:00:47.507128 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:00:47.548054 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:00:47.586201 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:00:47.796147 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Dec 13 01:00:48.027385 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:00:48.135688 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 13 01:00:48.257396 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 13 01:00:48.368975 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 13 01:00:48.486586 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 13 01:00:48.610504 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Dec 13 01:00:48.705883 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Dec 13 01:00:48.792921 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 13 01:00:48.886851 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 13 01:00:48.979390 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 13 01:00:49.098195 osdx ca-certificates[27502]: Updating certificates in /etc/ssl/certs...
Dec 13 01:00:49.723347 osdx ca-certificates[28487]: 1 added, 0 removed; done.
Dec 13 01:00:49.729286 osdx ca-certificates[28491]: Running hooks in /etc/ca-certificates/update.d...
Dec 13 01:00:49.734488 osdx ca-certificates[28495]: done.
Dec 13 01:00:49.799482 osdx systemd[1]: Started DNSCrypt client proxy.
Dec 13 01:00:49.802256 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:00:49.806699 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:00:49.829353 osdx dnscrypt-proxy[28499]: dnscrypt-proxy 2.0.45
Dec 13 01:00:49.829739 osdx dnscrypt-proxy[28499]: Network connectivity detected
Dec 13 01:00:49.830277 osdx dnscrypt-proxy[28499]: Dropping privileges
Dec 13 01:00:49.832519 osdx dnscrypt-proxy[28499]: Network connectivity detected
Dec 13 01:00:49.832822 osdx dnscrypt-proxy[28499]: Now listening to 127.0.0.1:53 [UDP]
Dec 13 01:00:49.833000 osdx dnscrypt-proxy[28499]: Now listening to 127.0.0.1:53 [TCP]
Dec 13 01:00:49.833022 osdx dnscrypt-proxy[28499]: Firefox workaround initialized
Dec 13 01:00:49.833028 osdx dnscrypt-proxy[28499]: Loading the set of cloaking rules from [/tmp/tmp9PvX4u]
Dec 13 01:00:49.852556 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:00:50.092979 osdx dnscrypt-proxy[28499]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Dec 13 01:00:50.092998 osdx dnscrypt-proxy[28499]: [RD] OK (DoH) - rtt: 226ms
Dec 13 01:00:50.093007 osdx dnscrypt-proxy[28499]: Server with the lowest initial latency: RD (rtt: 226ms)
Dec 13 01:00:50.093014 osdx dnscrypt-proxy[28499]: dnscrypt-proxy is ready - live servers: 1
Dec 13 01:00:51.214923 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:00:51.217446 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:00:51.219962 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:00:51.222187 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:00:51.229819 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:00:52.529847 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:00:56.037442 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 2

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49200
Output:
-- Logs begin at Wed 2023-12-13 01:00:56 UTC, end at Wed 2023-12-13 01:01:08 UTC. --
Dec 13 01:00:56.384538 osdx systemd-journald[1450]: Runtime journal (/run/log/journal/fa37e9b1f0b54640986d40edb905b319) is 2.0M, max 16.0M, 14.0M free.
Dec 13 01:00:56.401616 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system journal clear'.
Dec 13 01:00:56.859186 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:00:56.953339 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'delete'.
Dec 13 01:00:57.089193 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Dec 13 01:00:57.175784 osdx dnscrypt-proxy[28499]: Stopped.
Dec 13 01:00:57.177135 osdx systemd[1]: Stopping DNSCrypt client proxy...
Dec 13 01:00:57.177762 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Dec 13 01:00:57.178190 osdx systemd[1]: Stopped DNSCrypt client proxy.
Dec 13 01:00:57.296213 osdx ca-certificates[28572]: Clearing symlinks in /etc/ssl/certs...
Dec 13 01:00:57.669805 osdx ca-certificates[29133]: done.
Dec 13 01:00:57.678116 osdx ca-certificates[29137]: Updating certificates in /etc/ssl/certs...
Dec 13 01:00:58.277513 osdx ca-certificates[29976]: 137 added, 0 removed; done.
Dec 13 01:00:58.286825 osdx ca-certificates[29981]: Running hooks in /etc/ca-certificates/update.d...
Dec 13 01:00:58.294650 osdx ca-certificates[29984]: done.
Dec 13 01:00:58.360413 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:00:58.365998 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:00:58.403716 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:00:59.891033 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:00:59.999592 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 13 01:01:00.094610 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 13 01:01:00.209310 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 13 01:01:00.308645 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 13 01:01:00.407019 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Dec 13 01:01:00.492661 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Dec 13 01:01:00.605516 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 13 01:01:00.725400 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 13 01:01:00.815723 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 13 01:01:00.945729 osdx ca-certificates[30030]: Updating certificates in /etc/ssl/certs...
Dec 13 01:01:01.624117 osdx ca-certificates[31014]: 1 added, 0 removed; done.
Dec 13 01:01:01.633134 osdx ca-certificates[31018]: Running hooks in /etc/ca-certificates/update.d...
Dec 13 01:01:01.639828 osdx ca-certificates[31022]: done.
Dec 13 01:01:01.672969 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 13 01:01:01.901421 osdx systemd[1]: Started DNSCrypt client proxy.
Dec 13 01:01:01.905259 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:01:01.966457 osdx dnscrypt-proxy[31081]: dnscrypt-proxy 2.0.45
Dec 13 01:01:01.966981 osdx dnscrypt-proxy[31081]: Network connectivity detected
Dec 13 01:01:01.969702 osdx dnscrypt-proxy[31081]: Dropping privileges
Dec 13 01:01:01.978573 osdx dnscrypt-proxy[31081]: Network connectivity detected
Dec 13 01:01:01.978969 osdx dnscrypt-proxy[31081]: Now listening to 127.0.0.1:53 [UDP]
Dec 13 01:01:01.979088 osdx dnscrypt-proxy[31081]: Now listening to 127.0.0.1:53 [TCP]
Dec 13 01:01:01.979214 osdx dnscrypt-proxy[31081]: Firefox workaround initialized
Dec 13 01:01:01.979318 osdx dnscrypt-proxy[31081]: Loading the set of cloaking rules from [/tmp/tmpAAWp67]
Dec 13 01:01:02.028518 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:01:02.080719 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:01:02.306956 osdx dnscrypt-proxy[31081]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Dec 13 01:01:02.306974 osdx dnscrypt-proxy[31081]: [RD] OK (DoH) - rtt: 214ms
Dec 13 01:01:02.306983 osdx dnscrypt-proxy[31081]: Server with the lowest initial latency: RD (rtt: 214ms)
Dec 13 01:01:02.306989 osdx dnscrypt-proxy[31081]: dnscrypt-proxy is ready - live servers: 1
Dec 13 01:01:06.214727 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:01:06.216983 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:01:06.219275 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:01:06.222053 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:01:06.229210 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:01:07.530780 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:01:08.276294 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 3

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 52392
Output:
-- Logs begin at Wed 2023-12-13 01:01:08 UTC, end at Wed 2023-12-13 01:01:20 UTC. --
Dec 13 01:01:08.604407 osdx systemd-journald[1450]: Runtime journal (/run/log/journal/fa37e9b1f0b54640986d40edb905b319) is 2.0M, max 16.0M, 14.0M free.
Dec 13 01:01:08.617545 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system journal clear'.
Dec 13 01:01:09.012236 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:01:09.104540 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'delete'.
Dec 13 01:01:09.238349 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Dec 13 01:01:09.329820 osdx dnscrypt-proxy[31081]: Stopped.
Dec 13 01:01:09.331057 osdx systemd[1]: Stopping DNSCrypt client proxy...
Dec 13 01:01:09.331695 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Dec 13 01:01:09.332086 osdx systemd[1]: Stopped DNSCrypt client proxy.
Dec 13 01:01:09.468366 osdx ca-certificates[31174]: Clearing symlinks in /etc/ssl/certs...
Dec 13 01:01:09.901731 osdx ca-certificates[31732]: done.
Dec 13 01:01:09.909451 osdx ca-certificates[31736]: Updating certificates in /etc/ssl/certs...
Dec 13 01:01:10.509347 osdx ca-certificates[32575]: 137 added, 0 removed; done.
Dec 13 01:01:10.515141 osdx ca-certificates[32579]: Running hooks in /etc/ca-certificates/update.d...
Dec 13 01:01:10.520194 osdx ca-certificates[32583]: done.
Dec 13 01:01:10.562487 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:01:10.566553 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:01:10.600558 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:01:11.205852 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:01:12.227368 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:01:12.333786 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 13 01:01:12.430792 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 13 01:01:12.528083 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 13 01:01:12.620863 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 13 01:01:12.724446 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Dec 13 01:01:12.822674 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Dec 13 01:01:12.932326 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 13 01:01:13.057059 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 13 01:01:13.153410 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 13 01:01:13.297712 osdx ca-certificates[32630]: Updating certificates in /etc/ssl/certs...
Dec 13 01:01:13.936787 osdx ca-certificates[1180]: 1 added, 0 removed; done.
Dec 13 01:01:13.942583 osdx ca-certificates[1185]: Running hooks in /etc/ca-certificates/update.d...
Dec 13 01:01:13.948188 osdx ca-certificates[1189]: done.
Dec 13 01:01:13.980851 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 13 01:01:14.140488 osdx systemd[1]: Started DNSCrypt client proxy.
Dec 13 01:01:14.143232 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:01:14.185920 osdx dnscrypt-proxy[1248]: dnscrypt-proxy 2.0.45
Dec 13 01:01:14.186330 osdx dnscrypt-proxy[1248]: Network connectivity detected
Dec 13 01:01:14.187191 osdx dnscrypt-proxy[1248]: Dropping privileges
Dec 13 01:01:14.194008 osdx dnscrypt-proxy[1248]: Network connectivity detected
Dec 13 01:01:14.194324 osdx dnscrypt-proxy[1248]: Now listening to 127.0.0.1:53 [UDP]
Dec 13 01:01:14.194413 osdx dnscrypt-proxy[1248]: Now listening to 127.0.0.1:53 [TCP]
Dec 13 01:01:14.194509 osdx dnscrypt-proxy[1248]: Firefox workaround initialized
Dec 13 01:01:14.194608 osdx dnscrypt-proxy[1248]: Loading the set of cloaking rules from [/tmp/tmpoX6qhq]
Dec 13 01:01:14.225106 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:01:14.276499 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:01:14.490898 osdx dnscrypt-proxy[1248]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Dec 13 01:01:14.490924 osdx dnscrypt-proxy[1248]: [RD] OK (DoH) - rtt: 225ms
Dec 13 01:01:14.490937 osdx dnscrypt-proxy[1248]: Server with the lowest initial latency: RD (rtt: 225ms)
Dec 13 01:01:14.490945 osdx dnscrypt-proxy[1248]: dnscrypt-proxy is ready - live servers: 1
Dec 13 01:01:15.031787 osdx systemd[1]: systemd-timedated.service: Succeeded.
Dec 13 01:01:20.490118 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Single Invalid Cipher

Description

Configures a single, invalid cipher and tries to communicate with the server. A refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
-- Logs begin at Wed 2023-12-13 01:01:29 UTC, end at Wed 2023-12-13 01:01:34 UTC. --
Dec 13 01:01:29.000259 osdx systemd-timedated[2861]: Changed local time to Wed Dec 13 01:01:29 2023
Dec 13 01:01:29.002502 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'set date 2023-12-13 01:01:29'.
Dec 13 01:01:29.406807 osdx systemd-journald[1450]: Runtime journal (/run/log/journal/fa37e9b1f0b54640986d40edb905b319) is 4.0M, max 16.0M, 12.0M free.
Dec 13 01:01:29.419916 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system journal clear'.
Dec 13 01:01:30.095737 osdx osdx-coredump[2894]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Dec 13 01:01:30.107845 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 13 01:01:31.029140 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:01:31.177890 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 13 01:01:31.273232 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 13 01:01:31.419738 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 13 01:01:31.530817 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:01:31.575511 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:01:31.641628 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:01:31.890331 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Dec 13 01:01:32.127174 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:01:32.263939 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 13 01:01:32.395825 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 13 01:01:32.553176 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 13 01:01:32.679711 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 13 01:01:32.809160 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Dec 13 01:01:32.926318 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Dec 13 01:01:33.046359 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 13 01:01:33.146347 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 13 01:01:33.290676 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 13 01:01:33.448819 osdx ca-certificates[3033]: Updating certificates in /etc/ssl/certs...
Dec 13 01:01:34.165779 osdx ca-certificates[4017]: 1 added, 0 removed; done.
Dec 13 01:01:34.172153 osdx ca-certificates[4021]: Running hooks in /etc/ca-certificates/update.d...
Dec 13 01:01:34.177767 osdx ca-certificates[4025]: done.
Dec 13 01:01:34.258477 osdx systemd[1]: Started DNSCrypt client proxy.
Dec 13 01:01:34.262582 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:01:34.272542 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:01:34.292011 osdx dnscrypt-proxy[4029]: dnscrypt-proxy 2.0.45
Dec 13 01:01:34.292415 osdx dnscrypt-proxy[4029]: Network connectivity detected
Dec 13 01:01:34.292947 osdx dnscrypt-proxy[4029]: Dropping privileges
Dec 13 01:01:34.295422 osdx dnscrypt-proxy[4029]: Network connectivity detected
Dec 13 01:01:34.295733 osdx dnscrypt-proxy[4029]: Now listening to 127.0.0.1:53 [UDP]
Dec 13 01:01:34.295823 osdx dnscrypt-proxy[4029]: Now listening to 127.0.0.1:53 [TCP]
Dec 13 01:01:34.295918 osdx dnscrypt-proxy[4029]: Firefox workaround initialized
Dec 13 01:01:34.296000 osdx dnscrypt-proxy[4029]: Loading the set of cloaking rules from [/tmp/tmpG4aAC8]
Dec 13 01:01:34.297174 osdx dnscrypt-proxy[4029]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Dec 13 01:01:34.334084 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:01:34.526807 osdx dnscrypt-proxy[4029]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Dec 13 01:01:34.526824 osdx dnscrypt-proxy[4029]: [RD] OK (DoH) - rtt: 185ms
Dec 13 01:01:34.526833 osdx dnscrypt-proxy[4029]: Server with the lowest initial latency: RD (rtt: 185ms)
Dec 13 01:01:34.526839 osdx dnscrypt-proxy[4029]: dnscrypt-proxy is ready - live servers: 1

Multiple Invalid Cipher

Description

Configures either one or two invalid ciphers and tries to communicate with the server. A refusal of all proposed ciphers is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Show output
-- Logs begin at Wed 2023-12-13 01:01:43 UTC, end at Wed 2023-12-13 01:01:47 UTC. --
Dec 13 01:01:43.379014 osdx systemd-journald[1450]: Runtime journal (/run/log/journal/fa37e9b1f0b54640986d40edb905b319) is 2.0M, max 16.0M, 14.0M free.
Dec 13 01:01:43.398157 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system journal clear'.
Dec 13 01:01:43.976404 osdx osdx-coredump[5644]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Dec 13 01:01:43.985960 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 13 01:01:44.837336 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:01:44.987154 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 13 01:01:45.095850 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 13 01:01:45.257523 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 13 01:01:45.376407 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:01:45.425126 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:01:45.470828 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:01:45.642563 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Dec 13 01:01:45.838553 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:01:45.937028 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 13 01:01:46.078176 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 13 01:01:46.175868 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 13 01:01:46.268317 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 13 01:01:46.366760 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Dec 13 01:01:46.455017 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Dec 13 01:01:46.552470 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 13 01:01:46.659553 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 13 01:01:46.786295 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 13 01:01:46.927560 osdx ca-certificates[5783]: Updating certificates in /etc/ssl/certs...
Dec 13 01:01:47.644202 osdx ca-certificates[6767]: 1 added, 0 removed; done.
Dec 13 01:01:47.650602 osdx ca-certificates[6771]: Running hooks in /etc/ca-certificates/update.d...
Dec 13 01:01:47.656368 osdx ca-certificates[6775]: done.
Dec 13 01:01:47.726946 osdx systemd[1]: Started DNSCrypt client proxy.
Dec 13 01:01:47.730118 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:01:47.738977 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:01:47.759303 osdx dnscrypt-proxy[6779]: dnscrypt-proxy 2.0.45
Dec 13 01:01:47.759751 osdx dnscrypt-proxy[6779]: Network connectivity detected
Dec 13 01:01:47.760380 osdx dnscrypt-proxy[6779]: Dropping privileges
Dec 13 01:01:47.763189 osdx dnscrypt-proxy[6779]: Network connectivity detected
Dec 13 01:01:47.763605 osdx dnscrypt-proxy[6779]: Now listening to 127.0.0.1:53 [UDP]
Dec 13 01:01:47.763613 osdx dnscrypt-proxy[6779]: Now listening to 127.0.0.1:53 [TCP]
Dec 13 01:01:47.763644 osdx dnscrypt-proxy[6779]: Firefox workaround initialized
Dec 13 01:01:47.763650 osdx dnscrypt-proxy[6779]: Loading the set of cloaking rules from [/tmp/tmpBSu_Qc]
Dec 13 01:01:47.764671 osdx dnscrypt-proxy[6779]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Dec 13 01:01:47.786793 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.

Example 2

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Show output
-- Logs begin at Wed 2023-12-13 01:01:48 UTC, end at Wed 2023-12-13 01:01:53 UTC. --
Dec 13 01:01:48.158805 osdx systemd-journald[1450]: Runtime journal (/run/log/journal/fa37e9b1f0b54640986d40edb905b319) is 2.0M, max 16.0M, 14.0M free.
Dec 13 01:01:48.177363 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system journal clear'.
Dec 13 01:01:48.557295 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:01:48.652261 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'delete'.
Dec 13 01:01:48.761698 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Dec 13 01:01:48.875273 osdx dnscrypt-proxy[6779]: Stopped.
Dec 13 01:01:48.876531 osdx systemd[1]: Stopping DNSCrypt client proxy...
Dec 13 01:01:48.877172 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Dec 13 01:01:48.877797 osdx systemd[1]: Stopped DNSCrypt client proxy.
Dec 13 01:01:48.978806 osdx ca-certificates[6846]: Clearing symlinks in /etc/ssl/certs...
Dec 13 01:01:49.304060 osdx ca-certificates[7404]: done.
Dec 13 01:01:49.311652 osdx ca-certificates[7408]: Updating certificates in /etc/ssl/certs...
Dec 13 01:01:49.866980 osdx ca-certificates[8247]: 137 added, 0 removed; done.
Dec 13 01:01:49.873642 osdx ca-certificates[8251]: Running hooks in /etc/ca-certificates/update.d...
Dec 13 01:01:49.881584 osdx ca-certificates[8255]: done.
Dec 13 01:01:49.931233 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:01:49.935528 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:01:49.963088 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:01:50.613455 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:01:50.615741 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:01:50.618252 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:01:50.620771 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:01:50.628145 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:01:51.356366 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:01:51.453963 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 13 01:01:51.571476 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 13 01:01:51.671399 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 13 01:01:51.760159 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 13 01:01:51.859170 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Dec 13 01:01:51.929773 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:01:51.952135 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Dec 13 01:01:52.043909 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 13 01:01:52.140824 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 13 01:01:52.235017 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 13 01:01:52.379246 osdx ca-certificates[8301]: Updating certificates in /etc/ssl/certs...
Dec 13 01:01:53.046805 osdx ca-certificates[9285]: 1 added, 0 removed; done.
Dec 13 01:01:53.053612 osdx ca-certificates[9289]: Running hooks in /etc/ca-certificates/update.d...
Dec 13 01:01:53.058714 osdx ca-certificates[9293]: done.
Dec 13 01:01:53.089518 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 13 01:01:53.247728 osdx systemd[1]: Started DNSCrypt client proxy.
Dec 13 01:01:53.250497 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:01:53.295201 osdx dnscrypt-proxy[9352]: dnscrypt-proxy 2.0.45
Dec 13 01:01:53.295275 osdx dnscrypt-proxy[9352]: Network connectivity detected
Dec 13 01:01:53.295584 osdx dnscrypt-proxy[9352]: Dropping privileges
Dec 13 01:01:53.302720 osdx dnscrypt-proxy[9352]: Network connectivity detected
Dec 13 01:01:53.303042 osdx dnscrypt-proxy[9352]: Now listening to 127.0.0.1:53 [UDP]
Dec 13 01:01:53.303126 osdx dnscrypt-proxy[9352]: Now listening to 127.0.0.1:53 [TCP]
Dec 13 01:01:53.303220 osdx dnscrypt-proxy[9352]: Firefox workaround initialized
Dec 13 01:01:53.303296 osdx dnscrypt-proxy[9352]: Loading the set of cloaking rules from [/tmp/tmpo0h_Ot]
Dec 13 01:01:53.306104 osdx dnscrypt-proxy[9352]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Dec 13 01:01:53.331766 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:01:53.373488 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:01:53.511432 osdx dnscrypt-proxy[9352]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Dec 13 01:01:53.511456 osdx dnscrypt-proxy[9352]: [RD] OK (DoH) - rtt: 144ms
Dec 13 01:01:53.511468 osdx dnscrypt-proxy[9352]: Server with the lowest initial latency: RD (rtt: 144ms)
Dec 13 01:01:53.511478 osdx dnscrypt-proxy[9352]: dnscrypt-proxy is ready - live servers: 1

Example 3

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Show output
-- Logs begin at Wed 2023-12-13 01:01:53 UTC, end at Wed 2023-12-13 01:01:59 UTC. --
Dec 13 01:01:53.728913 osdx systemd-journald[1450]: Runtime journal (/run/log/journal/fa37e9b1f0b54640986d40edb905b319) is 2.0M, max 16.0M, 14.0M free.
Dec 13 01:01:53.743206 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system journal clear'.
Dec 13 01:01:54.187781 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:01:54.317472 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'delete'.
Dec 13 01:01:54.460080 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Dec 13 01:01:54.551871 osdx dnscrypt-proxy[9352]: Stopped.
Dec 13 01:01:54.553093 osdx systemd[1]: Stopping DNSCrypt client proxy...
Dec 13 01:01:54.553759 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Dec 13 01:01:54.554134 osdx systemd[1]: Stopped DNSCrypt client proxy.
Dec 13 01:01:54.672627 osdx ca-certificates[9434]: Clearing symlinks in /etc/ssl/certs...
Dec 13 01:01:54.995007 osdx ca-certificates[9992]: done.
Dec 13 01:01:55.002017 osdx ca-certificates[9996]: Updating certificates in /etc/ssl/certs...
Dec 13 01:01:55.539158 osdx ca-certificates[10835]: 137 added, 0 removed; done.
Dec 13 01:01:55.544992 osdx ca-certificates[10839]: Running hooks in /etc/ca-certificates/update.d...
Dec 13 01:01:55.550267 osdx ca-certificates[10843]: done.
Dec 13 01:01:55.592856 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:01:55.596611 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:01:55.606541 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:01:55.621655 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:01:57.021893 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:01:57.120848 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 13 01:01:57.265963 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 13 01:01:57.395691 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 13 01:01:57.525217 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 13 01:01:57.626173 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Dec 13 01:01:57.714333 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Dec 13 01:01:57.834863 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Dec 13 01:01:57.923744 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 13 01:01:58.021090 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 13 01:01:58.116033 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 13 01:01:58.243836 osdx ca-certificates[10892]: Updating certificates in /etc/ssl/certs...
Dec 13 01:01:58.950317 osdx ca-certificates[11876]: 1 added, 0 removed; done.
Dec 13 01:01:58.959816 osdx ca-certificates[11880]: Running hooks in /etc/ca-certificates/update.d...
Dec 13 01:01:58.967575 osdx ca-certificates[11884]: done.
Dec 13 01:01:59.001832 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 13 01:01:59.167062 osdx systemd[1]: Started DNSCrypt client proxy.
Dec 13 01:01:59.169771 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:01:59.214624 osdx dnscrypt-proxy[11943]: dnscrypt-proxy 2.0.45
Dec 13 01:01:59.215033 osdx dnscrypt-proxy[11943]: Network connectivity detected
Dec 13 01:01:59.217575 osdx dnscrypt-proxy[11943]: Dropping privileges
Dec 13 01:01:59.226032 osdx dnscrypt-proxy[11943]: Network connectivity detected
Dec 13 01:01:59.226387 osdx dnscrypt-proxy[11943]: Now listening to 127.0.0.1:53 [UDP]
Dec 13 01:01:59.226478 osdx dnscrypt-proxy[11943]: Now listening to 127.0.0.1:53 [TCP]
Dec 13 01:01:59.226581 osdx dnscrypt-proxy[11943]: Firefox workaround initialized
Dec 13 01:01:59.226663 osdx dnscrypt-proxy[11943]: Loading the set of cloaking rules from [/tmp/tmprBmnjf]
Dec 13 01:01:59.227770 osdx dnscrypt-proxy[11943]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Dec 13 01:01:59.256083 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:01:59.305695 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:01:59.460318 osdx dnscrypt-proxy[11943]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Dec 13 01:01:59.460342 osdx dnscrypt-proxy[11943]: [RD] OK (DoH) - rtt: 166ms
Dec 13 01:01:59.460355 osdx dnscrypt-proxy[11943]: Server with the lowest initial latency: RD (rtt: 166ms)
Dec 13 01:01:59.460365 osdx dnscrypt-proxy[11943]: dnscrypt-proxy is ready - live servers: 1
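
Added example, not part of the original test suite: a stricter journal check than the token match used in these steps. It reports which suite the last dnscrypt-proxy instance negotiated and whether that suite was one of the configured ones; in Examples 2 and 3 above the failure token is present, yet a later line reports `Cipher suite: 52392`, which was not configured. The function `audit_journal`, its verdict names, the PIDs and the shortened journal excerpts are constructed for illustration; the numeric IDs are the IANA code points for the suite names used on this page.

```python
import re

# IANA TLS cipher suite code points for the suite names used on this page.
SUITE_IDS = {
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,        # 49199
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xC030,        # 49200
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": 0xCCA8,  # 52392
}
SUITE_NAMES = {code: name for name, code in SUITE_IDS.items()}

PROXY_RE = re.compile(r"dnscrypt-proxy\[(\d+)\]: (.*)$")
CIPHER_CFG_RE = re.compile(
    r"cfg line: 'set service dns proxy cipher \d+ algorithm ([A-Z0-9_]+)'")
NEGOTIATED_RE = re.compile(r"Cipher suite: (\d+)")
FAILURE_TOKEN = "TLS handshake failure"


def audit_journal(text):
    """Summarise the configured ciphers and the TLS outcome of the last proxy instance."""
    configured = []   # cipher names from the cfg lines of the current test
    proxies = {}      # pid -> {"failure": bool, "negotiated": int or None}
    last_pid = None
    for line in text.splitlines():
        if "cfg line: 'delete'" in line:
            configured = []          # configuration reset between examples
            continue
        cfg = CIPHER_CFG_RE.search(line)
        if cfg:
            configured.append(cfg.group(1))
            continue
        proxy = PROXY_RE.search(line)
        if not proxy:
            continue
        last_pid, msg = proxy.group(1), proxy.group(2)
        state = proxies.setdefault(last_pid, {"failure": False, "negotiated": None})
        if FAILURE_TOKEN in msg:
            state["failure"] = True
        neg = NEGOTIATED_RE.search(msg)
        if neg:
            state["negotiated"] = int(neg.group(1))

    state = proxies.get(last_pid, {"failure": False, "negotiated": None})
    configured_ids = {SUITE_IDS[n] for n in configured if n in SUITE_IDS}
    negotiated = state["negotiated"]
    if negotiated is None:
        verdict = "refused" if state["failure"] else "no-tls-session"
    elif negotiated in configured_ids:
        verdict = "configured-suite"
    else:
        verdict = "unconfigured-suite"   # session exists, but not with a configured cipher
    return {
        "configured": configured,
        "handshake_failure": state["failure"],
        "negotiated": negotiated,
        "negotiated_name": SUITE_NAMES.get(negotiated),
        "verdict": verdict,
    }


# Constructed excerpts, modelled on the journal lines shown on this page.
FAIL = ("TLS handshake failure - Try changing or deleting the "
        "tls_cipher_suite value in the configuration file")

REFUSED = f"""\
Dec 13 01:01:46.455017 osdx OSDxCLI[100]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Dec 13 01:01:47.759303 osdx dnscrypt-proxy[200]: dnscrypt-proxy 2.0.45
Dec 13 01:01:47.764671 osdx dnscrypt-proxy[200]: {FAIL}
"""

DEFAULTED = f"""\
Dec 13 01:01:48.652261 osdx OSDxCLI[100]: User 'admin' added a new cfg line: 'delete'.
Dec 13 01:01:48.875273 osdx dnscrypt-proxy[200]: Stopped.
Dec 13 01:01:51.952135 osdx OSDxCLI[100]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Dec 13 01:01:53.295201 osdx dnscrypt-proxy[300]: dnscrypt-proxy 2.0.45
Dec 13 01:01:53.306104 osdx dnscrypt-proxy[300]: {FAIL}
Dec 13 01:01:53.511432 osdx dnscrypt-proxy[300]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
"""

CONFIGURED = """\
Dec 13 01:02:12.683000 osdx OSDxCLI[100]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Dec 13 01:02:12.798873 osdx OSDxCLI[100]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Dec 13 01:02:14.033061 osdx dnscrypt-proxy[400]: dnscrypt-proxy 2.0.45
Dec 13 01:02:14.248748 osdx dnscrypt-proxy[400]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
"""

if __name__ == "__main__":
    for label, sample in (("refused", REFUSED), ("defaulted", DEFAULTED),
                          ("configured", CONFIGURED)):
        print(label, audit_journal(sample))
```

A test that must prove refusal can assert on `verdict == "refused"` instead of on the failure token alone.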

Invalid Cipher With Fallback

Description

Configures an invalid cipher together with a valid fallback cipher, then tries to communicate with the server. No refusal is expected, provided the valid cipher is the one that gets used.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Show output
-- Logs begin at Wed 2023-12-13 01:02:09 UTC, end at Wed 2023-12-13 01:02:20 UTC. --
Dec 13 01:02:09.452517 osdx systemd-journald[1450]: Runtime journal (/run/log/journal/fa37e9b1f0b54640986d40edb905b319) is 2.0M, max 16.0M, 14.0M free.
Dec 13 01:02:09.466338 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system journal clear'.
Dec 13 01:02:10.145083 osdx osdx-coredump[13578]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Dec 13 01:02:10.153017 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 13 01:02:11.106517 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:02:11.221493 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 13 01:02:11.276900 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:02:11.339940 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 13 01:02:11.495458 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 13 01:02:11.590352 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:02:11.636021 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:02:11.666744 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:02:11.868452 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Dec 13 01:02:12.098786 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:02:12.200859 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 13 01:02:12.293373 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 13 01:02:12.393842 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 13 01:02:12.489489 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 13 01:02:12.586321 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Dec 13 01:02:12.683000 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Dec 13 01:02:12.798873 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Dec 13 01:02:12.937765 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 13 01:02:13.045705 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 13 01:02:13.142444 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 13 01:02:13.288235 osdx ca-certificates[13719]: Updating certificates in /etc/ssl/certs...
Dec 13 01:02:13.925637 osdx ca-certificates[14703]: 1 added, 0 removed; done.
Dec 13 01:02:13.931715 osdx ca-certificates[14707]: Running hooks in /etc/ca-certificates/update.d...
Dec 13 01:02:13.937073 osdx ca-certificates[14711]: done.
Dec 13 01:02:14.003428 osdx systemd[1]: Started DNSCrypt client proxy.
Dec 13 01:02:14.006190 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:02:14.012883 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:02:14.033061 osdx dnscrypt-proxy[14715]: dnscrypt-proxy 2.0.45
Dec 13 01:02:14.033451 osdx dnscrypt-proxy[14715]: Network connectivity detected
Dec 13 01:02:14.033959 osdx dnscrypt-proxy[14715]: Dropping privileges
Dec 13 01:02:14.036329 osdx dnscrypt-proxy[14715]: Network connectivity detected
Dec 13 01:02:14.036619 osdx dnscrypt-proxy[14715]: Now listening to 127.0.0.1:53 [UDP]
Dec 13 01:02:14.036705 osdx dnscrypt-proxy[14715]: Now listening to 127.0.0.1:53 [TCP]
Dec 13 01:02:14.036799 osdx dnscrypt-proxy[14715]: Firefox workaround initialized
Dec 13 01:02:14.036876 osdx dnscrypt-proxy[14715]: Loading the set of cloaking rules from [/tmp/tmpZuS70e]
Dec 13 01:02:14.047272 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:02:14.248748 osdx dnscrypt-proxy[14715]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Dec 13 01:02:14.248766 osdx dnscrypt-proxy[14715]: [RD] OK (DoH) - rtt: 119ms
Dec 13 01:02:14.248775 osdx dnscrypt-proxy[14715]: Server with the lowest initial latency: RD (rtt: 119ms)
Dec 13 01:02:14.248782 osdx dnscrypt-proxy[14715]: dnscrypt-proxy is ready - live servers: 1
Dec 13 01:02:20.241289 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 2

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49200
Show output
-- Logs begin at Wed 2023-12-13 01:02:20 UTC, end at Wed 2023-12-13 01:02:31 UTC. --
Dec 13 01:02:20.525550 osdx systemd-journald[1450]: Runtime journal (/run/log/journal/fa37e9b1f0b54640986d40edb905b319) is 2.0M, max 16.0M, 14.0M free.
Dec 13 01:02:20.538716 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system journal clear'.
Dec 13 01:02:20.966296 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:02:21.058207 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'delete'.
Dec 13 01:02:21.172131 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Dec 13 01:02:21.285589 osdx dnscrypt-proxy[14715]: Stopped.
Dec 13 01:02:21.286783 osdx systemd[1]: Stopping DNSCrypt client proxy...
Dec 13 01:02:21.287384 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Dec 13 01:02:21.287800 osdx systemd[1]: Stopped DNSCrypt client proxy.
Dec 13 01:02:26.289407 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:02:26.289521 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:02:26.289603 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:02:26.289683 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:02:26.289761 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:02:26.289838 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:02:26.289917 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:02:26.289940 osdx zebra[1040]: [PHJDC-499N2][EC 100663314] STARVATION: task agentx_timeout (7f36178acc70) ran for 5005ms (cpu time 0ms)
Dec 13 01:02:26.343937 osdx ca-certificates[14788]: Clearing symlinks in /etc/ssl/certs...
Dec 13 01:02:26.686528 osdx ca-certificates[15347]: done.
Dec 13 01:02:26.694740 osdx ca-certificates[15351]: Updating certificates in /etc/ssl/certs...
Dec 13 01:02:27.264996 osdx ca-certificates[16190]: 137 added, 0 removed; done.
Dec 13 01:02:27.270700 osdx ca-certificates[16194]: Running hooks in /etc/ca-certificates/update.d...
Dec 13 01:02:27.275755 osdx ca-certificates[16198]: done.
Dec 13 01:02:27.317993 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:02:27.321455 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:02:27.345883 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:02:28.771949 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:02:28.896530 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 13 01:02:29.016896 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 13 01:02:29.131089 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 13 01:02:29.229063 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 13 01:02:29.340015 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Dec 13 01:02:29.428556 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Dec 13 01:02:29.560838 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Dec 13 01:02:29.650704 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 13 01:02:29.791192 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 13 01:02:29.900241 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 13 01:02:30.061417 osdx ca-certificates[16245]: Updating certificates in /etc/ssl/certs...
Dec 13 01:02:30.777861 osdx ca-certificates[17229]: 1 added, 0 removed; done.
Dec 13 01:02:30.783783 osdx ca-certificates[17233]: Running hooks in /etc/ca-certificates/update.d...
Dec 13 01:02:30.789107 osdx ca-certificates[17237]: done.
Dec 13 01:02:30.819464 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 13 01:02:30.997987 osdx systemd[1]: Started DNSCrypt client proxy.
Dec 13 01:02:31.000630 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:02:31.044837 osdx dnscrypt-proxy[17296]: dnscrypt-proxy 2.0.45
Dec 13 01:02:31.044905 osdx dnscrypt-proxy[17296]: Network connectivity detected
Dec 13 01:02:31.045222 osdx dnscrypt-proxy[17296]: Dropping privileges
Dec 13 01:02:31.052646 osdx dnscrypt-proxy[17296]: Network connectivity detected
Dec 13 01:02:31.052974 osdx dnscrypt-proxy[17296]: Now listening to 127.0.0.1:53 [UDP]
Dec 13 01:02:31.053082 osdx dnscrypt-proxy[17296]: Now listening to 127.0.0.1:53 [TCP]
Dec 13 01:02:31.053185 osdx dnscrypt-proxy[17296]: Firefox workaround initialized
Dec 13 01:02:31.053266 osdx dnscrypt-proxy[17296]: Loading the set of cloaking rules from [/tmp/tmp_Bt1th]
Dec 13 01:02:31.066356 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:02:31.121465 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:02:31.249189 osdx dnscrypt-proxy[17296]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Dec 13 01:02:31.249207 osdx dnscrypt-proxy[17296]: [RD] OK (DoH) - rtt: 124ms
Dec 13 01:02:31.249216 osdx dnscrypt-proxy[17296]: Server with the lowest initial latency: RD (rtt: 124ms)
Dec 13 01:02:31.249223 osdx dnscrypt-proxy[17296]: dnscrypt-proxy is ready - live servers: 1
Dec 13 01:02:31.319873 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 3

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 52392
Output:
-- Logs begin at Wed 2023-12-13 01:02:31 UTC, end at Wed 2023-12-13 01:02:43 UTC. --
Dec 13 01:02:31.577849 osdx systemd-journald[1450]: Runtime journal (/run/log/journal/fa37e9b1f0b54640986d40edb905b319) is 2.0M, max 16.0M, 14.0M free.
Dec 13 01:02:31.590970 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system journal clear'.
Dec 13 01:02:32.029512 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:02:32.135136 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'delete'.
Dec 13 01:02:32.274698 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Dec 13 01:02:32.378500 osdx dnscrypt-proxy[17296]: Stopped.
Dec 13 01:02:32.379739 osdx systemd[1]: Stopping DNSCrypt client proxy...
Dec 13 01:02:32.380351 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Dec 13 01:02:32.380721 osdx systemd[1]: Stopped DNSCrypt client proxy.
Dec 13 01:02:32.482666 osdx ca-certificates[17384]: Clearing symlinks in /etc/ssl/certs...
Dec 13 01:02:32.846634 osdx ca-certificates[17942]: done.
Dec 13 01:02:32.854204 osdx ca-certificates[17947]: Updating certificates in /etc/ssl/certs...
Dec 13 01:02:33.476684 osdx ca-certificates[18785]: 137 added, 0 removed; done.
Dec 13 01:02:33.483532 osdx ca-certificates[18789]: Running hooks in /etc/ca-certificates/update.d...
Dec 13 01:02:33.488368 osdx ca-certificates[18793]: done.
Dec 13 01:02:33.532853 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:02:33.536364 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:02:33.561929 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:02:35.062901 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:02:35.211567 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 13 01:02:35.354969 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 13 01:02:35.525512 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 13 01:02:35.672608 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 13 01:02:35.863861 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Dec 13 01:02:36.034438 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Dec 13 01:02:36.223112 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Dec 13 01:02:36.284340 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:02:36.369430 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 13 01:02:36.493874 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 13 01:02:36.602560 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 13 01:02:36.758905 osdx ca-certificates[18840]: Updating certificates in /etc/ssl/certs...
Dec 13 01:02:37.399944 osdx ca-certificates[19824]: 1 added, 0 removed; done.
Dec 13 01:02:37.405859 osdx ca-certificates[19828]: Running hooks in /etc/ca-certificates/update.d...
Dec 13 01:02:37.411175 osdx ca-certificates[19832]: done.
Dec 13 01:02:37.451481 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 13 01:02:37.659316 osdx systemd[1]: Started DNSCrypt client proxy.
Dec 13 01:02:37.662247 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:02:37.700662 osdx dnscrypt-proxy[19891]: dnscrypt-proxy 2.0.45
Dec 13 01:02:37.703401 osdx dnscrypt-proxy[19891]: Network connectivity detected
Dec 13 01:02:37.707649 osdx dnscrypt-proxy[19891]: Dropping privileges
Dec 13 01:02:37.716727 osdx dnscrypt-proxy[19891]: Network connectivity detected
Dec 13 01:02:37.717112 osdx dnscrypt-proxy[19891]: Now listening to 127.0.0.1:53 [UDP]
Dec 13 01:02:37.717213 osdx dnscrypt-proxy[19891]: Now listening to 127.0.0.1:53 [TCP]
Dec 13 01:02:37.717317 osdx dnscrypt-proxy[19891]: Firefox workaround initialized
Dec 13 01:02:37.717399 osdx dnscrypt-proxy[19891]: Loading the set of cloaking rules from [/tmp/tmp2IWZWL]
Dec 13 01:02:37.752610 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:02:37.798032 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:02:38.049397 osdx dnscrypt-proxy[19891]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Dec 13 01:02:38.049422 osdx dnscrypt-proxy[19891]: [RD] OK (DoH) - rtt: 229ms
Dec 13 01:02:38.049435 osdx dnscrypt-proxy[19891]: Server with the lowest initial latency: RD (rtt: 229ms)
Dec 13 01:02:38.049444 osdx dnscrypt-proxy[19891]: dnscrypt-proxy is ready - live servers: 1
Dec 13 01:02:39.005491 osdx systemd[1]: systemd-timedated.service: Succeeded.
Dec 13 01:02:41.294306 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:02:41.296285 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:02:41.298174 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:02:41.299881 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:02:41.301565 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:02:41.303253 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:02:43.946644 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 4

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Output:
-- Logs begin at Wed 2023-12-13 01:02:44 UTC, end at Wed 2023-12-13 01:02:50 UTC. --
Dec 13 01:02:44.258073 osdx systemd-journald[1450]: Runtime journal (/run/log/journal/fa37e9b1f0b54640986d40edb905b319) is 2.0M, max 16.0M, 14.0M free.
Dec 13 01:02:44.277079 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system journal clear'.
Dec 13 01:02:44.666051 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:02:44.762960 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'delete'.
Dec 13 01:02:44.922956 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Dec 13 01:02:45.035386 osdx dnscrypt-proxy[19891]: Stopped.
Dec 13 01:02:45.037110 osdx systemd[1]: Stopping DNSCrypt client proxy...
Dec 13 01:02:45.037984 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Dec 13 01:02:45.038494 osdx systemd[1]: Stopped DNSCrypt client proxy.
Dec 13 01:02:45.167633 osdx ca-certificates[19981]: Clearing symlinks in /etc/ssl/certs...
Dec 13 01:02:45.561447 osdx ca-certificates[20539]: done.
Dec 13 01:02:45.569088 osdx ca-certificates[20543]: Updating certificates in /etc/ssl/certs...
Dec 13 01:02:46.180011 osdx ca-certificates[21382]: 137 added, 0 removed; done.
Dec 13 01:02:46.185775 osdx ca-certificates[21386]: Running hooks in /etc/ca-certificates/update.d...
Dec 13 01:02:46.190983 osdx ca-certificates[21390]: done.
Dec 13 01:02:46.234841 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:02:46.238514 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:02:46.274924 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:02:47.859345 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:02:47.957349 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 13 01:02:48.092065 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 13 01:02:48.193818 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 13 01:02:48.328635 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 13 01:02:48.466361 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Dec 13 01:02:48.559949 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Dec 13 01:02:48.687018 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Dec 13 01:02:48.796878 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 13 01:02:48.939986 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 13 01:02:49.095204 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 13 01:02:49.245303 osdx ca-certificates[21437]: Updating certificates in /etc/ssl/certs...
Dec 13 01:02:50.016774 osdx ca-certificates[22421]: 1 added, 0 removed; done.
Dec 13 01:02:50.022612 osdx ca-certificates[22425]: Running hooks in /etc/ca-certificates/update.d...
Dec 13 01:02:50.027887 osdx ca-certificates[22429]: done.
Dec 13 01:02:50.059481 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 13 01:02:50.216782 osdx systemd[1]: Started DNSCrypt client proxy.
Dec 13 01:02:50.219396 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:02:50.263813 osdx dnscrypt-proxy[22488]: dnscrypt-proxy 2.0.45
Dec 13 01:02:50.263881 osdx dnscrypt-proxy[22488]: Network connectivity detected
Dec 13 01:02:50.264206 osdx dnscrypt-proxy[22488]: Dropping privileges
Dec 13 01:02:50.272565 osdx dnscrypt-proxy[22488]: Network connectivity detected
Dec 13 01:02:50.272898 osdx dnscrypt-proxy[22488]: Now listening to 127.0.0.1:53 [UDP]
Dec 13 01:02:50.273024 osdx dnscrypt-proxy[22488]: Now listening to 127.0.0.1:53 [TCP]
Dec 13 01:02:50.273119 osdx dnscrypt-proxy[22488]: Firefox workaround initialized
Dec 13 01:02:50.273218 osdx dnscrypt-proxy[22488]: Loading the set of cloaking rules from [/tmp/tmpsOMhFh]
Dec 13 01:02:50.299199 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:02:50.340921 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:02:50.476184 osdx dnscrypt-proxy[22488]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Dec 13 01:02:50.476200 osdx dnscrypt-proxy[22488]: [RD] OK (DoH) - rtt: 139ms
Dec 13 01:02:50.476210 osdx dnscrypt-proxy[22488]: Server with the lowest initial latency: RD (rtt: 139ms)
Dec 13 01:02:50.476217 osdx dnscrypt-proxy[22488]: dnscrypt-proxy is ready - live servers: 1
Dec 13 01:02:50.516624 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 5

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49200
Output:
-- Logs begin at Wed 2023-12-13 01:02:50 UTC, end at Wed 2023-12-13 01:02:56 UTC. --
Dec 13 01:02:50.837299 osdx systemd-journald[1450]: Runtime journal (/run/log/journal/fa37e9b1f0b54640986d40edb905b319) is 2.0M, max 16.0M, 14.0M free.
Dec 13 01:02:50.857002 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system journal clear'.
Dec 13 01:02:51.265946 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:02:51.286647 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:02:51.371623 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'delete'.
Dec 13 01:02:51.508820 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Dec 13 01:02:51.608333 osdx dnscrypt-proxy[22488]: Stopped.
Dec 13 01:02:51.610089 osdx systemd[1]: Stopping DNSCrypt client proxy...
Dec 13 01:02:51.610922 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Dec 13 01:02:51.611429 osdx systemd[1]: Stopped DNSCrypt client proxy.
Dec 13 01:02:51.721848 osdx ca-certificates[22576]: Clearing symlinks in /etc/ssl/certs...
Dec 13 01:02:52.058349 osdx ca-certificates[23135]: done.
Dec 13 01:02:52.066493 osdx ca-certificates[23139]: Updating certificates in /etc/ssl/certs...
Dec 13 01:02:52.604066 osdx ca-certificates[23978]: 137 added, 0 removed; done.
Dec 13 01:02:52.610064 osdx ca-certificates[23982]: Running hooks in /etc/ca-certificates/update.d...
Dec 13 01:02:52.615218 osdx ca-certificates[23986]: done.
Dec 13 01:02:52.657631 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:02:52.661016 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:02:52.686902 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:02:54.155115 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:02:54.266198 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 13 01:02:54.388157 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 13 01:02:54.501885 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 13 01:02:54.621191 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 13 01:02:54.748919 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Dec 13 01:02:54.851723 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Dec 13 01:02:54.958161 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Dec 13 01:02:55.074138 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 13 01:02:55.196524 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 13 01:02:55.298502 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 13 01:02:55.447983 osdx ca-certificates[24033]: Updating certificates in /etc/ssl/certs...
Dec 13 01:02:56.072382 osdx ca-certificates[25017]: 1 added, 0 removed; done.
Dec 13 01:02:56.078238 osdx ca-certificates[25021]: Running hooks in /etc/ca-certificates/update.d...
Dec 13 01:02:56.083482 osdx ca-certificates[25025]: done.
Dec 13 01:02:56.119463 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 13 01:02:56.291924 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:02:56.294460 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:02:56.296428 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:02:56.298326 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:02:56.300035 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:02:56.301728 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 01:02:56.311719 osdx systemd[1]: Started DNSCrypt client proxy.
Dec 13 01:02:56.315557 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:02:56.377258 osdx dnscrypt-proxy[25084]: dnscrypt-proxy 2.0.45
Dec 13 01:02:56.377823 osdx dnscrypt-proxy[25084]: Network connectivity detected
Dec 13 01:02:56.378503 osdx dnscrypt-proxy[25084]: Dropping privileges
Dec 13 01:02:56.389099 osdx dnscrypt-proxy[25084]: Network connectivity detected
Dec 13 01:02:56.389949 osdx dnscrypt-proxy[25084]: Now listening to 127.0.0.1:53 [UDP]
Dec 13 01:02:56.390079 osdx dnscrypt-proxy[25084]: Now listening to 127.0.0.1:53 [TCP]
Dec 13 01:02:56.390225 osdx dnscrypt-proxy[25084]: Firefox workaround initialized
Dec 13 01:02:56.390347 osdx dnscrypt-proxy[25084]: Loading the set of cloaking rules from [/tmp/tmpSb_2rb]
Dec 13 01:02:56.448342 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:02:56.484905 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:02:56.620531 osdx dnscrypt-proxy[25084]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Dec 13 01:02:56.620555 osdx dnscrypt-proxy[25084]: [RD] OK (DoH) - rtt: 142ms
Dec 13 01:02:56.620568 osdx dnscrypt-proxy[25084]: Server with the lowest initial latency: RD (rtt: 142ms)
Dec 13 01:02:56.620577 osdx dnscrypt-proxy[25084]: dnscrypt-proxy is ready - live servers: 1
Dec 13 01:02:56.665411 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 6

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 52392
Output:
-- Logs begin at Wed 2023-12-13 01:02:56 UTC, end at Wed 2023-12-13 01:03:02 UTC. --
Dec 13 01:02:56.947590 osdx systemd-journald[1450]: Runtime journal (/run/log/journal/fa37e9b1f0b54640986d40edb905b319) is 2.0M, max 16.0M, 14.0M free.
Dec 13 01:02:56.963477 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system journal clear'.
Dec 13 01:02:57.368908 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:02:57.461718 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'delete'.
Dec 13 01:02:57.596338 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Dec 13 01:02:57.688666 osdx dnscrypt-proxy[25084]: Stopped.
Dec 13 01:02:57.690372 osdx systemd[1]: Stopping DNSCrypt client proxy...
Dec 13 01:02:57.691221 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Dec 13 01:02:57.691740 osdx systemd[1]: Stopped DNSCrypt client proxy.
Dec 13 01:02:57.826983 osdx ca-certificates[25171]: Clearing symlinks in /etc/ssl/certs...
Dec 13 01:02:58.201451 osdx ca-certificates[25729]: done.
Dec 13 01:02:58.209577 osdx ca-certificates[25734]: Updating certificates in /etc/ssl/certs...
Dec 13 01:02:58.780638 osdx ca-certificates[26572]: 137 added, 0 removed; done.
Dec 13 01:02:58.786374 osdx ca-certificates[26576]: Running hooks in /etc/ca-certificates/update.d...
Dec 13 01:02:58.791334 osdx ca-certificates[26580]: done.
Dec 13 01:02:58.833448 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:02:58.836926 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:02:58.873512 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:03:00.327449 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 01:03:00.425536 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 13 01:03:00.551863 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 13 01:03:00.650521 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 13 01:03:00.741126 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 13 01:03:00.839091 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Dec 13 01:03:00.925455 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Dec 13 01:03:01.068341 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Dec 13 01:03:01.163624 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 13 01:03:01.274603 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 13 01:03:01.385621 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 13 01:03:01.529719 osdx ca-certificates[26627]: Updating certificates in /etc/ssl/certs...
Dec 13 01:03:02.213429 osdx ca-certificates[27616]: 1 added, 0 removed; done.
Dec 13 01:03:02.219354 osdx ca-certificates[27620]: Running hooks in /etc/ca-certificates/update.d...
Dec 13 01:03:02.224627 osdx ca-certificates[27624]: done.
Dec 13 01:03:02.255484 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 13 01:03:02.465933 osdx systemd[1]: Started DNSCrypt client proxy.
Dec 13 01:03:02.468694 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 01:03:02.520754 osdx dnscrypt-proxy[27683]: dnscrypt-proxy 2.0.45
Dec 13 01:03:02.521244 osdx dnscrypt-proxy[27683]: Network connectivity detected
Dec 13 01:03:02.522861 osdx dnscrypt-proxy[27683]: Dropping privileges
Dec 13 01:03:02.531993 osdx dnscrypt-proxy[27683]: Network connectivity detected
Dec 13 01:03:02.532315 osdx dnscrypt-proxy[27683]: Now listening to 127.0.0.1:53 [UDP]
Dec 13 01:03:02.532407 osdx dnscrypt-proxy[27683]: Now listening to 127.0.0.1:53 [TCP]
Dec 13 01:03:02.532501 osdx dnscrypt-proxy[27683]: Firefox workaround initialized
Dec 13 01:03:02.532598 osdx dnscrypt-proxy[27683]: Loading the set of cloaking rules from [/tmp/tmpOtqZYR]
Dec 13 01:03:02.565922 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 01:03:02.616503 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 01:03:02.725189 osdx dnscrypt-proxy[27683]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Dec 13 01:03:02.725211 osdx dnscrypt-proxy[27683]: [RD] OK (DoH) - rtt: 133ms
Dec 13 01:03:02.725223 osdx dnscrypt-proxy[27683]: Server with the lowest initial latency: RD (rtt: 133ms)
Dec 13 01:03:02.725232 osdx dnscrypt-proxy[27683]: dnscrypt-proxy is ready - live servers: 1
Dec 13 01:03:02.796339 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
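
The Step 3 checks in these examples match a decimal code point in the journal ("Cipher suite: 52392"). The following added example, which is not part of the test suite or of dnscrypt-proxy, decodes that handshake line into IANA suite names and audits it against the configured cipher list. Function names are hypothetical, and it assumes the TLS version field is logged in hexadecimal (303 = 0x0303, TLS 1.2).

```python
import re

# IANA code points of the suites configured on this page.
IANA_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",        # 49199
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",        # 49200
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",  # 52392
}
LEGACY = {0x0005, 0x000A}  # the RC4 and 3DES suites listed as cipher 1
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

CFG_RE = re.compile(r"set service dns proxy cipher (\d+) algorithm ([A-Z0-9_]+)")
HANDSHAKE_RE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[(?P<server>[^\]]+)\] TLS version: (?P<ver>[0-9a-fA-F]+)"
    r" - Protocol: (?P<proto>\S+) - Cipher suite: (?P<suite>\d+)"
)

# Copied from Example 3 on this page.
EXAMPLE3_CONFIG = """\
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
"""
EXAMPLE3_JOURNAL = """\
Dec 13 01:02:37.700662 osdx dnscrypt-proxy[19891]: dnscrypt-proxy 2.0.45
Dec 13 01:02:38.049397 osdx dnscrypt-proxy[19891]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Dec 13 01:02:38.049422 osdx dnscrypt-proxy[19891]: [RD] OK (DoH) - rtt: 229ms
"""
# Constructed line (not from the page): a handshake that settled on 3DES.
CONSTRUCTED_JOURNAL = (
    "Dec 13 01:02:38.049397 osdx dnscrypt-proxy[19891]: "
    "[RD] TLS version: 303 - Protocol: h2 - Cipher suite: 10\n"
)


def configured_suites(config_text):
    """Return the configured suite names ordered by their cipher index."""
    entries = [(int(idx), name) for idx, name in CFG_RE.findall(config_text)]
    return [name for _, name in sorted(entries)]


def handshakes(journal_text):
    """Return one dict per dnscrypt-proxy handshake line in the journal."""
    found = []
    for m in HANDSHAKE_RE.finditer(journal_text):
        code = int(m["suite"])        # logged in decimal
        version = int(m["ver"], 16)   # assumed hex: "303" -> 0x0303
        found.append({
            "server": m["server"],
            "version_code": version,
            "version": TLS_VERSIONS.get(version, f"unknown(0x{version:04x})"),
            "suite_code": code,
            "suite": IANA_SUITES.get(code, f"unknown(0x{code:04X})"),
        })
    return found


def audit(config_text, journal_text):
    """Attach a list of problems to every handshake found in the journal."""
    allowed = configured_suites(config_text)
    results = []
    for hs in handshakes(journal_text):
        problems = []
        if hs["suite"] not in allowed:
            problems.append("suite not in configured list")
        if hs["suite_code"] in LEGACY:
            problems.append("legacy suite negotiated")
        if hs["version_code"] < 0x0303:
            problems.append("TLS version below 1.2")
        results.append({**hs, "problems": problems})
    return results


def passed(config_text, journal_text):
    """True only if a handshake was logged and none of them has a problem."""
    results = audit(config_text, journal_text)
    return bool(results) and all(not r["problems"] for r in results)


if __name__ == "__main__":
    for r in audit(EXAMPLE3_CONFIG, EXAMPLE3_JOURNAL):
        print(r["server"], r["version"], r["suite"], r["problems"] or "ok")
```

A journal with no handshake line fails the check rather than passing vacuously, which covers the case where the proxy never reached the server.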