Cipher

Test suite to validate the use of one or multiple ciphers to protect a DoH connection.

Single Valid Cipher

Description

Configures a single, valid cipher and tries to communicate with the server. No refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Output:
-- Logs begin at Thu 2024-01-25 00:16:59 UTC, end at Thu 2024-01-25 00:17:10 UTC. --
Jan 25 00:16:59.367482 osdx systemd-journald[1486]: Runtime journal (/run/log/journal/6c43fcb6d98c40f095ee4a4601056b4b) is 2.0M, max 16.0M, 14.0M free.
Jan 25 00:16:59.381500 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system journal clear'.
Jan 25 00:16:59.999853 osdx osdx-coredump[15437]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jan 25 00:17:00.007779 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system coredump delete all'.
Jan 25 00:17:00.844996 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:17:00.997693 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 25 00:17:01.054856 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:17:01.130653 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 25 00:17:01.311302 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 25 00:17:01.428939 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:17:01.481742 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:17:01.517432 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:17:01.725019 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Jan 25 00:17:01.956943 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:17:02.088496 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 25 00:17:02.201244 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 25 00:17:02.312291 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 25 00:17:02.441279 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 25 00:17:02.552906 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Jan 25 00:17:02.672050 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Jan 25 00:17:02.772859 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 25 00:17:02.892762 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 25 00:17:02.998184 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 25 00:17:03.154703 osdx ca-certificates[15583]: Updating certificates in /etc/ssl/certs...
Jan 25 00:17:03.871792 osdx ca-certificates[16567]: 1 added, 0 removed; done.
Jan 25 00:17:03.877728 osdx ca-certificates[16571]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:17:03.882973 osdx ca-certificates[16575]: done.
Jan 25 00:17:03.964527 osdx systemd[1]: Started DNSCrypt client proxy.
Jan 25 00:17:03.967708 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:17:03.976666 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:17:03.994370 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:17:04.000657 osdx dnscrypt-proxy[16579]: dnscrypt-proxy 2.0.45
Jan 25 00:17:04.001127 osdx dnscrypt-proxy[16579]: Network connectivity detected
Jan 25 00:17:04.001779 osdx dnscrypt-proxy[16579]: Dropping privileges
Jan 25 00:17:04.004901 osdx dnscrypt-proxy[16579]: Network connectivity detected
Jan 25 00:17:04.005257 osdx dnscrypt-proxy[16579]: Now listening to 127.0.0.1:53 [UDP]
Jan 25 00:17:04.005389 osdx dnscrypt-proxy[16579]: Now listening to 127.0.0.1:53 [TCP]
Jan 25 00:17:04.005540 osdx dnscrypt-proxy[16579]: Firefox workaround initialized
Jan 25 00:17:04.005660 osdx dnscrypt-proxy[16579]: Loading the set of cloaking rules from [/tmp/tmpbMbub4]
Jan 25 00:17:04.021844 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:17:04.356872 osdx dnscrypt-proxy[16579]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Jan 25 00:17:04.356899 osdx dnscrypt-proxy[16579]: [RD] OK (DoH) - rtt: 313ms
Jan 25 00:17:04.356913 osdx dnscrypt-proxy[16579]: Server with the lowest initial latency: RD (rtt: 313ms)
Jan 25 00:17:04.356921 osdx dnscrypt-proxy[16579]: dnscrypt-proxy is ready - live servers: 1
Jan 25 00:17:10.192597 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Multiple Valid Cipher

Description

Configures a valid cipher each time, and tries to communicate with the server. No refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Output:
-- Logs begin at Thu 2024-01-25 00:17:18 UTC, end at Thu 2024-01-25 00:17:28 UTC. --
Jan 25 00:17:18.369974 osdx systemd-journald[1486]: Runtime journal (/run/log/journal/6c43fcb6d98c40f095ee4a4601056b4b) is 2.0M, max 16.0M, 14.0M free.
Jan 25 00:17:18.389796 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system journal clear'.
Jan 25 00:17:18.439466 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:17:18.929814 osdx osdx-coredump[18199]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jan 25 00:17:18.938742 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system coredump delete all'.
Jan 25 00:17:19.793923 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:17:19.915111 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 25 00:17:20.007923 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 25 00:17:20.161917 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 25 00:17:20.252920 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:17:20.296052 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:17:20.321959 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:17:20.489713 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Jan 25 00:17:20.662255 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:17:20.757568 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 25 00:17:20.846219 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 25 00:17:20.972094 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 25 00:17:21.062310 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 25 00:17:21.171117 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Jan 25 00:17:21.277382 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Jan 25 00:17:21.360524 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 25 00:17:21.482883 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 25 00:17:21.573510 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 25 00:17:21.696674 osdx ca-certificates[18338]: Updating certificates in /etc/ssl/certs...
Jan 25 00:17:22.352791 osdx ca-certificates[19323]: 1 added, 0 removed; done.
Jan 25 00:17:22.359225 osdx ca-certificates[19327]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:17:22.364859 osdx ca-certificates[19331]: done.
Jan 25 00:17:22.433919 osdx systemd[1]: Started DNSCrypt client proxy.
Jan 25 00:17:22.436726 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:17:22.441168 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:17:22.465769 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:17:22.468671 osdx dnscrypt-proxy[19335]: dnscrypt-proxy 2.0.45
Jan 25 00:17:22.469064 osdx dnscrypt-proxy[19335]: Network connectivity detected
Jan 25 00:17:22.469628 osdx dnscrypt-proxy[19335]: Dropping privileges
Jan 25 00:17:22.472208 osdx dnscrypt-proxy[19335]: Network connectivity detected
Jan 25 00:17:22.472528 osdx dnscrypt-proxy[19335]: Now listening to 127.0.0.1:53 [UDP]
Jan 25 00:17:22.472621 osdx dnscrypt-proxy[19335]: Now listening to 127.0.0.1:53 [TCP]
Jan 25 00:17:22.472717 osdx dnscrypt-proxy[19335]: Firefox workaround initialized
Jan 25 00:17:22.472798 osdx dnscrypt-proxy[19335]: Loading the set of cloaking rules from [/tmp/tmpv3UxID]
Jan 25 00:17:22.717680 osdx dnscrypt-proxy[19335]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Jan 25 00:17:22.717698 osdx dnscrypt-proxy[19335]: [RD] OK (DoH) - rtt: 213ms
Jan 25 00:17:22.717708 osdx dnscrypt-proxy[19335]: Server with the lowest initial latency: RD (rtt: 213ms)
Jan 25 00:17:22.717714 osdx dnscrypt-proxy[19335]: dnscrypt-proxy is ready - live servers: 1
Jan 25 00:17:25.496450 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:17:28.676826 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 2

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49200
Output:
-- Logs begin at Thu 2024-01-25 00:17:29 UTC, end at Thu 2024-01-25 00:17:40 UTC. --
Jan 25 00:17:29.005194 osdx systemd-journald[1486]: Runtime journal (/run/log/journal/6c43fcb6d98c40f095ee4a4601056b4b) is 2.0M, max 16.0M, 14.0M free.
Jan 25 00:17:29.022586 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system journal clear'.
Jan 25 00:17:29.471832 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:17:29.587983 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'delete'.
Jan 25 00:17:29.730622 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jan 25 00:17:29.870586 osdx dnscrypt-proxy[19335]: Stopped.
Jan 25 00:17:29.871891 osdx systemd[1]: Stopping DNSCrypt client proxy...
Jan 25 00:17:29.872605 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Jan 25 00:17:29.872987 osdx systemd[1]: Stopped DNSCrypt client proxy.
Jan 25 00:17:29.988183 osdx ca-certificates[19410]: Clearing symlinks in /etc/ssl/certs...
Jan 25 00:17:30.353056 osdx ca-certificates[19968]: done.
Jan 25 00:17:30.360949 osdx ca-certificates[19972]: Updating certificates in /etc/ssl/certs...
Jan 25 00:17:30.501653 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:17:30.899489 osdx ca-certificates[20812]: 137 added, 0 removed; done.
Jan 25 00:17:30.905213 osdx ca-certificates[20816]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:17:30.910360 osdx ca-certificates[20820]: done.
Jan 25 00:17:30.952727 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:17:30.956377 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:17:30.981245 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:17:32.500239 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:17:32.598044 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 25 00:17:32.692022 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 25 00:17:32.806015 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 25 00:17:32.901209 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 25 00:17:32.997097 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Jan 25 00:17:33.114746 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Jan 25 00:17:33.229116 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 25 00:17:33.353643 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 25 00:17:33.441974 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:17:33.459667 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 25 00:17:33.625836 osdx ca-certificates[20866]: Updating certificates in /etc/ssl/certs...
Jan 25 00:17:34.352039 osdx ca-certificates[21850]: 1 added, 0 removed; done.
Jan 25 00:17:34.358332 osdx ca-certificates[21854]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:17:34.364025 osdx ca-certificates[21858]: done.
Jan 25 00:17:34.397920 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 25 00:17:34.560843 osdx systemd[1]: Started DNSCrypt client proxy.
Jan 25 00:17:34.563683 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:17:34.607031 osdx dnscrypt-proxy[21917]: dnscrypt-proxy 2.0.45
Jan 25 00:17:34.607464 osdx dnscrypt-proxy[21917]: Network connectivity detected
Jan 25 00:17:34.610286 osdx dnscrypt-proxy[21917]: Dropping privileges
Jan 25 00:17:34.618499 osdx dnscrypt-proxy[21917]: Network connectivity detected
Jan 25 00:17:34.618849 osdx dnscrypt-proxy[21917]: Now listening to 127.0.0.1:53 [UDP]
Jan 25 00:17:34.618943 osdx dnscrypt-proxy[21917]: Now listening to 127.0.0.1:53 [TCP]
Jan 25 00:17:34.619040 osdx dnscrypt-proxy[21917]: Firefox workaround initialized
Jan 25 00:17:34.619148 osdx dnscrypt-proxy[21917]: Loading the set of cloaking rules from [/tmp/tmpZ4nhoy]
Jan 25 00:17:34.653007 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:17:34.710984 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:17:35.380249 osdx dnscrypt-proxy[21917]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Jan 25 00:17:35.380267 osdx dnscrypt-proxy[21917]: [RD] OK (DoH) - rtt: 699ms
Jan 25 00:17:35.380276 osdx dnscrypt-proxy[21917]: Server with the lowest initial latency: RD (rtt: 699ms)
Jan 25 00:17:35.380282 osdx dnscrypt-proxy[21917]: dnscrypt-proxy is ready - live servers: 1
Jan 25 00:17:40.495953 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:17:40.892367 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 3

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 52392
Output:
-- Logs begin at Thu 2024-01-25 00:17:41 UTC, end at Thu 2024-01-25 00:17:52 UTC. --
Jan 25 00:17:41.194207 osdx systemd-journald[1486]: Runtime journal (/run/log/journal/6c43fcb6d98c40f095ee4a4601056b4b) is 2.0M, max 16.0M, 14.0M free.
Jan 25 00:17:41.207999 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system journal clear'.
Jan 25 00:17:41.590016 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:17:41.680496 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'delete'.
Jan 25 00:17:41.785793 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jan 25 00:17:41.910673 osdx dnscrypt-proxy[21917]: Stopped.
Jan 25 00:17:41.912363 osdx systemd[1]: Stopping DNSCrypt client proxy...
Jan 25 00:17:41.913204 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Jan 25 00:17:41.913692 osdx systemd[1]: Stopped DNSCrypt client proxy.
Jan 25 00:17:42.032242 osdx ca-certificates[22004]: Clearing symlinks in /etc/ssl/certs...
Jan 25 00:17:42.355281 osdx ca-certificates[22562]: done.
Jan 25 00:17:42.362451 osdx ca-certificates[22566]: Updating certificates in /etc/ssl/certs...
Jan 25 00:17:42.899626 osdx ca-certificates[23406]: 137 added, 0 removed; done.
Jan 25 00:17:42.905940 osdx ca-certificates[23410]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:17:42.911488 osdx ca-certificates[23414]: done.
Jan 25 00:17:42.954442 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:17:42.958101 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:17:42.996475 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:17:44.474592 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:17:44.576105 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 25 00:17:44.674087 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 25 00:17:44.788201 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 25 00:17:44.932255 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 25 00:17:45.021333 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Jan 25 00:17:45.154114 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Jan 25 00:17:45.240882 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 25 00:17:45.335117 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 25 00:17:45.427499 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 25 00:17:45.501684 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:17:45.557203 osdx ca-certificates[23460]: Updating certificates in /etc/ssl/certs...
Jan 25 00:17:46.231575 osdx ca-certificates[24444]: 1 added, 0 removed; done.
Jan 25 00:17:46.237409 osdx ca-certificates[24448]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:17:46.242592 osdx ca-certificates[24452]: done.
Jan 25 00:17:46.273955 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 25 00:17:46.433828 osdx systemd[1]: Started DNSCrypt client proxy.
Jan 25 00:17:46.436602 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:17:46.483096 osdx dnscrypt-proxy[24511]: dnscrypt-proxy 2.0.45
Jan 25 00:17:46.484638 osdx dnscrypt-proxy[24511]: Network connectivity detected
Jan 25 00:17:46.484945 osdx dnscrypt-proxy[24511]: Dropping privileges
Jan 25 00:17:46.491556 osdx dnscrypt-proxy[24511]: Network connectivity detected
Jan 25 00:17:46.494346 osdx dnscrypt-proxy[24511]: Now listening to 127.0.0.1:53 [UDP]
Jan 25 00:17:46.494355 osdx dnscrypt-proxy[24511]: Now listening to 127.0.0.1:53 [TCP]
Jan 25 00:17:46.494379 osdx dnscrypt-proxy[24511]: Firefox workaround initialized
Jan 25 00:17:46.494385 osdx dnscrypt-proxy[24511]: Loading the set of cloaking rules from [/tmp/tmpruPTO2]
Jan 25 00:17:46.505420 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:17:46.538408 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:17:46.731529 osdx dnscrypt-proxy[24511]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Jan 25 00:17:46.731547 osdx dnscrypt-proxy[24511]: [RD] OK (DoH) - rtt: 171ms
Jan 25 00:17:46.731556 osdx dnscrypt-proxy[24511]: Server with the lowest initial latency: RD (rtt: 171ms)
Jan 25 00:17:46.731562 osdx dnscrypt-proxy[24511]: dnscrypt-proxy is ready - live servers: 1
Jan 25 00:17:48.023256 osdx systemd[1]: systemd-timedated.service: Succeeded.
Jan 25 00:17:48.444297 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:17:52.728687 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Single Invalid Cipher

Description

Configures a single, invalid cipher and tries to communicate with the server. A refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
-- Logs begin at Thu 2024-01-25 00:18:02 UTC, end at Thu 2024-01-25 00:18:07 UTC. --
Jan 25 00:18:02.478256 osdx systemd-journald[1486]: Runtime journal (/run/log/journal/6c43fcb6d98c40f095ee4a4601056b4b) is 2.0M, max 16.0M, 14.0M free.
Jan 25 00:18:02.492455 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system journal clear'.
Jan 25 00:18:03.153038 osdx osdx-coredump[26155]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jan 25 00:18:03.161289 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system coredump delete all'.
Jan 25 00:18:03.957093 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:18:04.083041 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:18:04.182308 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 25 00:18:04.324964 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 25 00:18:04.498033 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 25 00:18:04.612924 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:18:04.665154 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:18:04.711449 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:18:04.911612 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Jan 25 00:18:05.136740 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:18:05.276081 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 25 00:18:05.382887 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 25 00:18:05.508082 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 25 00:18:05.625812 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 25 00:18:05.753701 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Jan 25 00:18:05.860226 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Jan 25 00:18:05.949548 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 25 00:18:06.051833 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 25 00:18:06.159711 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 25 00:18:06.302802 osdx ca-certificates[26294]: Updating certificates in /etc/ssl/certs...
Jan 25 00:18:07.005605 osdx ca-certificates[27278]: 1 added, 0 removed; done.
Jan 25 00:18:07.011922 osdx ca-certificates[27282]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:18:07.017635 osdx ca-certificates[27286]: done.
Jan 25 00:18:07.113528 osdx systemd[1]: Started DNSCrypt client proxy.
Jan 25 00:18:07.116608 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:18:07.127673 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:18:07.153736 osdx dnscrypt-proxy[27290]: dnscrypt-proxy 2.0.45
Jan 25 00:18:07.154281 osdx dnscrypt-proxy[27290]: Network connectivity detected
Jan 25 00:18:07.154959 osdx dnscrypt-proxy[27290]: Dropping privileges
Jan 25 00:18:07.158751 osdx dnscrypt-proxy[27290]: Network connectivity detected
Jan 25 00:18:07.159249 osdx dnscrypt-proxy[27290]: Now listening to 127.0.0.1:53 [UDP]
Jan 25 00:18:07.159431 osdx dnscrypt-proxy[27290]: Now listening to 127.0.0.1:53 [TCP]
Jan 25 00:18:07.159585 osdx dnscrypt-proxy[27290]: Firefox workaround initialized
Jan 25 00:18:07.159710 osdx dnscrypt-proxy[27290]: Loading the set of cloaking rules from [/tmp/tmp8wdHss]
Jan 25 00:18:07.161025 osdx dnscrypt-proxy[27290]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Jan 25 00:18:07.168203 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
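
The journal check these scenarios perform, as an added example that is not part of the OSDx test suite: it decodes the decimal "Cipher suite" value logged by dnscrypt-proxy into its IANA name and compares it with the configured cipher lines. The function names, verdict labels and the third (constructed) journal are assumptions of this example.

```python
import re

# IANA code points of the cipher suites this page configures.
IANA_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}
# The "TLS version" field is read as hexadecimal: 303 is 0x0303, TLS 1.2.
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

CFG_LINE = re.compile(r"added a new cfg line: '([^']*)'")
CIPHER_CFG = re.compile(r"set service dns proxy cipher \d+ algorithm (\S+)")
NEGOTIATED = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[[^\]]+\] TLS version: ([0-9a-fA-F]+)"
    r" - Protocol: \S+ - Cipher suite: (\d+)")


def suite_name(code):
    """Map a numeric cipher suite id to its IANA name."""
    return IANA_SUITES.get(code, "UNKNOWN(0x%04X)" % code)


def audit_journal(journal):
    """Compare the configured ciphers with what the proxy negotiated."""
    configured, negotiated, version, refused = [], None, None, False
    for line in journal.splitlines():
        cfg = CFG_LINE.search(line)
        if cfg:
            text = cfg.group(1)
            if text == "delete":
                configured = []  # configuration wiped: forget earlier ciphers
                continue
            cipher = CIPHER_CFG.fullmatch(text)
            if cipher and cipher.group(1) not in configured:
                configured.append(cipher.group(1))
            continue
        hit = NEGOTIATED.search(line)
        if hit:
            raw_version = int(hit.group(1), 16)
            version = TLS_VERSIONS.get(raw_version, "0x" + hit.group(1))
            negotiated = suite_name(int(hit.group(2)))
        elif "dnscrypt-proxy[" in line and "TLS handshake failure" in line:
            refused = True

    if negotiated is None:
        verdict = "refused" if refused else "no-handshake"
    elif not configured:
        verdict = "unrestricted"   # handshake done, no cipher policy set
    elif negotiated in configured:
        verdict = "ok"
    else:
        verdict = "mismatch"       # negotiated suite is outside the policy
    return {"configured": configured, "negotiated": negotiated,
            "tls_version": version, "verdict": verdict}


# Excerpt of the "Single Valid Cipher" journal shown on this page.
VALID_JOURNAL = """\
Jan 25 00:17:02.672050 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Jan 25 00:17:04.356872 osdx dnscrypt-proxy[16579]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Jan 25 00:17:04.356899 osdx dnscrypt-proxy[16579]: [RD] OK (DoH) - rtt: 313ms
"""

# Excerpt of the "Single Invalid Cipher" journal shown on this page.
REFUSED_JOURNAL = """\
Jan 25 00:18:05.860226 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Jan 25 00:18:07.161025 osdx dnscrypt-proxy[27290]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
"""

# Constructed journal (not from the page): a stale cipher line before a
# 'delete', then a negotiated suite that the new policy does not allow.
CONSTRUCTED_JOURNAL = """\
Jan 01 00:00:01.000000 osdx OSDxCLI[100]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Jan 01 00:00:02.000000 osdx OSDxCLI[100]: User 'admin' added a new cfg line: 'delete'.
Jan 01 00:00:03.000000 osdx OSDxCLI[100]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Jan 01 00:00:04.000000 osdx dnscrypt-proxy[200]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
"""

if __name__ == "__main__":
    for label, journal in (("valid", VALID_JOURNAL),
                           ("refused", REFUSED_JOURNAL),
                           ("constructed", CONSTRUCTED_JOURNAL)):
        print(label, audit_journal(journal))
```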

Multiple Invalid Cipher

Description

Configures either one or two invalid ciphers and tries to communicate with the server. A refusal of all proposed ciphers is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
-- Logs begin at Thu 2024-01-25 00:18:16 UTC, end at Thu 2024-01-25 00:18:20 UTC. --
Jan 25 00:18:16.000338 osdx systemd-timedated[26123]: Changed local time to Thu Jan 25 00:18:16 2024
Jan 25 00:18:16.003318 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'set date 2024-01-25 00:18:16'.
Jan 25 00:18:16.365816 osdx systemd-journald[1486]: Runtime journal (/run/log/journal/6c43fcb6d98c40f095ee4a4601056b4b) is 4.0M, max 16.0M, 12.0M free.
Jan 25 00:18:16.379229 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system journal clear'.
Jan 25 00:18:16.932304 osdx osdx-coredump[28904]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jan 25 00:18:16.940120 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system coredump delete all'.
Jan 25 00:18:17.799871 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:18:17.926450 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 25 00:18:18.030948 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 25 00:18:18.196300 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 25 00:18:18.302178 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:18:18.346948 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:18:18.395876 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:18:18.588169 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Jan 25 00:18:18.699336 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:18:18.846847 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:18:18.955139 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 25 00:18:19.073160 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 25 00:18:19.169544 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 25 00:18:19.259928 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 25 00:18:19.354581 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Jan 25 00:18:19.442609 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Jan 25 00:18:19.558477 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 25 00:18:19.659208 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 25 00:18:19.756610 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 25 00:18:19.924812 osdx ca-certificates[29043]: Updating certificates in /etc/ssl/certs...
Jan 25 00:18:20.603293 osdx ca-certificates[30027]: 1 added, 0 removed; done.
Jan 25 00:18:20.609992 osdx ca-certificates[30031]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:18:20.615747 osdx ca-certificates[30035]: done.
Jan 25 00:18:20.686024 osdx systemd[1]: Started DNSCrypt client proxy.
Jan 25 00:18:20.689055 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:18:20.694270 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:18:20.718322 osdx dnscrypt-proxy[30039]: dnscrypt-proxy 2.0.45
Jan 25 00:18:20.718731 osdx dnscrypt-proxy[30039]: Network connectivity detected
Jan 25 00:18:20.719270 osdx dnscrypt-proxy[30039]: Dropping privileges
Jan 25 00:18:20.721820 osdx dnscrypt-proxy[30039]: Network connectivity detected
Jan 25 00:18:20.722164 osdx dnscrypt-proxy[30039]: Now listening to 127.0.0.1:53 [UDP]
Jan 25 00:18:20.722262 osdx dnscrypt-proxy[30039]: Now listening to 127.0.0.1:53 [TCP]
Jan 25 00:18:20.722360 osdx dnscrypt-proxy[30039]: Firefox workaround initialized
Jan 25 00:18:20.722440 osdx dnscrypt-proxy[30039]: Loading the set of cloaking rules from [/tmp/tmph7AkCI]
Jan 25 00:18:20.723461 osdx dnscrypt-proxy[30039]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Jan 25 00:18:20.738385 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.

Example 2

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Show output
-- Logs begin at Thu 2024-01-25 00:18:21 UTC, end at Thu 2024-01-25 00:18:27 UTC. --
Jan 25 00:18:21.195358 osdx systemd-journald[1486]: Runtime journal (/run/log/journal/6c43fcb6d98c40f095ee4a4601056b4b) is 4.0M, max 16.0M, 12.0M free.
Jan 25 00:18:21.216613 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system journal clear'.
Jan 25 00:18:21.713668 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:18:21.827573 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'delete'.
Jan 25 00:18:21.986743 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jan 25 00:18:22.086379 osdx dnscrypt-proxy[30039]: Stopped.
Jan 25 00:18:22.087657 osdx systemd[1]: Stopping DNSCrypt client proxy...
Jan 25 00:18:22.088317 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Jan 25 00:18:22.088680 osdx systemd[1]: Stopped DNSCrypt client proxy.
Jan 25 00:18:22.217494 osdx ca-certificates[30106]: Clearing symlinks in /etc/ssl/certs...
Jan 25 00:18:22.575332 osdx ca-certificates[30664]: done.
Jan 25 00:18:22.583537 osdx ca-certificates[30668]: Updating certificates in /etc/ssl/certs...
Jan 25 00:18:23.190291 osdx ca-certificates[31507]: 137 added, 0 removed; done.
Jan 25 00:18:23.196023 osdx ca-certificates[31511]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:18:23.201304 osdx ca-certificates[31515]: done.
Jan 25 00:18:23.256207 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:18:23.259978 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:18:23.285279 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:18:24.986413 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:18:25.087003 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 25 00:18:25.190720 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 25 00:18:25.315488 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 25 00:18:25.422504 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 25 00:18:25.571376 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Jan 25 00:18:25.681196 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Jan 25 00:18:25.749665 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:18:25.795520 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 25 00:18:25.924633 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 25 00:18:26.015958 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 25 00:18:26.169534 osdx ca-certificates[31561]: Updating certificates in /etc/ssl/certs...
Jan 25 00:18:26.833851 osdx ca-certificates[32545]: 1 added, 0 removed; done.
Jan 25 00:18:26.839823 osdx ca-certificates[32549]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:18:26.845782 osdx ca-certificates[32553]: done.
Jan 25 00:18:26.892276 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 25 00:18:27.134815 osdx systemd[1]: Started DNSCrypt client proxy.
Jan 25 00:18:27.138922 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:18:27.185529 osdx dnscrypt-proxy[32612]: dnscrypt-proxy 2.0.45
Jan 25 00:18:27.185932 osdx dnscrypt-proxy[32612]: Network connectivity detected
Jan 25 00:18:27.188327 osdx dnscrypt-proxy[32612]: Dropping privileges
Jan 25 00:18:27.196745 osdx dnscrypt-proxy[32612]: Network connectivity detected
Jan 25 00:18:27.197102 osdx dnscrypt-proxy[32612]: Now listening to 127.0.0.1:53 [UDP]
Jan 25 00:18:27.197194 osdx dnscrypt-proxy[32612]: Now listening to 127.0.0.1:53 [TCP]
Jan 25 00:18:27.197292 osdx dnscrypt-proxy[32612]: Firefox workaround initialized
Jan 25 00:18:27.197374 osdx dnscrypt-proxy[32612]: Loading the set of cloaking rules from [/tmp/tmpgA2YkW]
Jan 25 00:18:27.198753 osdx dnscrypt-proxy[32612]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Jan 25 00:18:27.231573 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:18:27.265655 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.

Example 3

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Show output
-- Logs begin at Thu 2024-01-25 00:18:27 UTC, end at Thu 2024-01-25 00:18:33 UTC. --
Jan 25 00:18:27.583619 osdx systemd-journald[1486]: Runtime journal (/run/log/journal/6c43fcb6d98c40f095ee4a4601056b4b) is 2.0M, max 16.0M, 14.0M free.
Jan 25 00:18:27.594027 osdx dnscrypt-proxy[32612]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Jan 25 00:18:27.594045 osdx dnscrypt-proxy[32612]: [RD] OK (DoH) - rtt: 312ms
Jan 25 00:18:27.594056 osdx dnscrypt-proxy[32612]: Server with the lowest initial latency: RD (rtt: 312ms)
Jan 25 00:18:27.594062 osdx dnscrypt-proxy[32612]: dnscrypt-proxy is ready - live servers: 1
Jan 25 00:18:27.598976 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system journal clear'.
Jan 25 00:18:27.977968 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:18:28.070338 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'delete'.
Jan 25 00:18:28.212988 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jan 25 00:18:28.326373 osdx dnscrypt-proxy[32612]: Stopped.
Jan 25 00:18:28.328155 osdx systemd[1]: Stopping DNSCrypt client proxy...
Jan 25 00:18:28.329058 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Jan 25 00:18:28.329578 osdx systemd[1]: Stopped DNSCrypt client proxy.
Jan 25 00:18:28.448232 osdx ca-certificates[32693]: Clearing symlinks in /etc/ssl/certs...
Jan 25 00:18:28.775167 osdx ca-certificates[789]: done.
Jan 25 00:18:28.783381 osdx ca-certificates[793]: Updating certificates in /etc/ssl/certs...
Jan 25 00:18:29.321658 osdx ca-certificates[1667]: 137 added, 0 removed; done.
Jan 25 00:18:29.327564 osdx ca-certificates[1671]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:18:29.332923 osdx ca-certificates[1675]: done.
Jan 25 00:18:29.375241 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:18:29.379227 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:18:29.407160 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:18:30.760809 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:18:30.899683 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:18:30.992425 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 25 00:18:31.080415 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 25 00:18:31.209369 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 25 00:18:31.300849 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 25 00:18:31.416400 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Jan 25 00:18:31.536772 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Jan 25 00:18:31.627330 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Jan 25 00:18:31.745328 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 25 00:18:31.843298 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 25 00:18:31.958960 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 25 00:18:32.080394 osdx ca-certificates[1723]: Updating certificates in /etc/ssl/certs...
Jan 25 00:18:32.728371 osdx ca-certificates[2707]: 1 added, 0 removed; done.
Jan 25 00:18:32.734698 osdx ca-certificates[2711]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:18:32.740720 osdx ca-certificates[2715]: done.
Jan 25 00:18:32.772253 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 25 00:18:32.945735 osdx systemd[1]: Started DNSCrypt client proxy.
Jan 25 00:18:32.948993 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:18:32.995614 osdx dnscrypt-proxy[2774]: dnscrypt-proxy 2.0.45
Jan 25 00:18:32.996089 osdx dnscrypt-proxy[2774]: Network connectivity detected
Jan 25 00:18:32.998048 osdx dnscrypt-proxy[2774]: Dropping privileges
Jan 25 00:18:33.006747 osdx dnscrypt-proxy[2774]: Network connectivity detected
Jan 25 00:18:33.007123 osdx dnscrypt-proxy[2774]: Now listening to 127.0.0.1:53 [UDP]
Jan 25 00:18:33.008973 osdx dnscrypt-proxy[2774]: Now listening to 127.0.0.1:53 [TCP]
Jan 25 00:18:33.009151 osdx dnscrypt-proxy[2774]: Firefox workaround initialized
Jan 25 00:18:33.009239 osdx dnscrypt-proxy[2774]: Loading the set of cloaking rules from [/tmp/tmpdscu9g]
Jan 25 00:18:33.010514 osdx dnscrypt-proxy[2774]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Jan 25 00:18:33.036890 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:18:33.065246 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:18:33.257331 osdx dnscrypt-proxy[2774]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Jan 25 00:18:33.257357 osdx dnscrypt-proxy[2774]: [RD] OK (DoH) - rtt: 164ms
Jan 25 00:18:33.257369 osdx dnscrypt-proxy[2774]: Server with the lowest initial latency: RD (rtt: 164ms)
Jan 25 00:18:33.257380 osdx dnscrypt-proxy[2774]: dnscrypt-proxy is ready - live servers: 1
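In the Example 3 journal above, dnscrypt-proxy[2774] logs the handshake failure and then, about 250 ms later, reports a session with cipher suite 52392, although only the RC4 and 3DES suites were configured, so the failure token alone does not show that the connection stayed refused. The check below is an added example, not part of the original test suite: it compares each proxy run's negotiated suite with the ciphers configured before that run started. The function name `audit_journal` and its verdict strings are hypothetical, the suite numbers are IANA registry values, and the sample lines are excerpted from this page's journal output.

```python
import re

# IANA TLS cipher suite numbers for the suites named on this page.
IANA_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",        # 49199
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",        # 49200
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",  # 52392
}

CFG_RE = re.compile(r"added a new cfg line: '(.*)'\.$")
CIPHER_RE = re.compile(r"^set service dns proxy cipher \d+ algorithm (\S+)$")
PROXY_RE = re.compile(r"dnscrypt-proxy\[(\d+)\]: (.*)$")
BANNER_RE = re.compile(r"^dnscrypt-proxy \d")   # version banner = new process
SUITE_RE = re.compile(r"Cipher suite: (\d+)")


def _verdict(run):
    if run["allowed"] is None:
        return "config-unknown"   # process started before this journal window
    if run["suite"] is None:
        return "refused" if run["failed"] else "no-handshake-logged"
    name = IANA_SUITES.get(run["suite"], "unknown")
    if run["allowed"] and name not in run["allowed"]:
        return "outside-allowlist"   # session uses a suite nobody configured
    return "ok"


def audit_journal(text):
    """Return {pid: state} for every dnscrypt-proxy process seen in the journal."""
    configured = set()   # cipher names in the configuration being built
    runs = {}
    for line in text.splitlines():
        line = line.strip()
        cfg = CFG_RE.search(line)
        if cfg:
            cmd = cfg.group(1)
            if cmd == "delete":              # test harness wipes the config
                configured.clear()
            else:
                m = CIPHER_RE.match(cmd)
                if m:
                    configured.add(m.group(1))
            continue
        proxy = PROXY_RE.search(line)
        if not proxy:
            continue
        pid, msg = int(proxy.group(1)), proxy.group(2)
        run = runs.setdefault(pid, {"allowed": None, "failed": False, "suite": None})
        if BANNER_RE.match(msg):
            run["allowed"] = frozenset(configured)   # snapshot at process start
        elif msg.startswith("TLS handshake failure"):
            run["failed"] = True
        else:
            s = SUITE_RE.search(msg)
            if s:
                run["suite"] = int(s.group(1))
    return {pid: dict(run, verdict=_verdict(run),
                      suite_name=IANA_SUITES.get(run["suite"]))
            for pid, run in runs.items()}


# Excerpt of the "Multiple Invalid Cipher", Example 3 journal on this page.
SAMPLE_ALL_INVALID = """\
Jan 25 00:18:27.594027 osdx dnscrypt-proxy[32612]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Jan 25 00:18:28.070338 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'delete'.
Jan 25 00:18:31.536772 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Jan 25 00:18:31.627330 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Jan 25 00:18:32.995614 osdx dnscrypt-proxy[2774]: dnscrypt-proxy 2.0.45
Jan 25 00:18:33.010514 osdx dnscrypt-proxy[2774]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Jan 25 00:18:33.257331 osdx dnscrypt-proxy[2774]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
"""

# Excerpt of the "Invalid Cipher With Fallback", Example 1 journal on this page.
SAMPLE_FALLBACK = """\
Jan 25 00:18:45.534067 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Jan 25 00:18:45.666842 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Jan 25 00:18:47.041494 osdx dnscrypt-proxy[5540]: dnscrypt-proxy 2.0.45
Jan 25 00:18:47.244808 osdx dnscrypt-proxy[5540]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
"""

if __name__ == "__main__":
    for sample in (SAMPLE_ALL_INVALID, SAMPLE_FALLBACK):
        for pid, run in audit_journal(sample).items():
            print(pid, run["verdict"], run["suite"], run["suite_name"])
```

Stale lines from the previous example's process (PID 32612 here) are reported as `config-unknown` rather than judged against the wrong configuration.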

Invalid Cipher With Fallback

Description

Configures an invalid cipher and a valid fallback cipher, then tries to communicate with the server. No refusal is expected, as long as the valid proposed cipher is the one used.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Show output
-- Logs begin at Thu 2024-01-25 00:18:42 UTC, end at Thu 2024-01-25 00:18:47 UTC. --
Jan 25 00:18:42.389107 osdx systemd-journald[1486]: Runtime journal (/run/log/journal/6c43fcb6d98c40f095ee4a4601056b4b) is 2.0M, max 16.0M, 14.0M free.
Jan 25 00:18:42.407607 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system journal clear'.
Jan 25 00:18:43.014035 osdx osdx-coredump[4404]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jan 25 00:18:43.022132 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system coredump delete all'.
Jan 25 00:18:43.946873 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:18:44.067278 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 25 00:18:44.157733 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 25 00:18:44.287327 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 25 00:18:44.398209 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:18:44.442821 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:18:44.473902 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:18:44.648591 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Jan 25 00:18:44.840030 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:18:44.947974 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 25 00:18:45.049889 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 25 00:18:45.160159 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 25 00:18:45.280475 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 25 00:18:45.339854 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:18:45.418412 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Jan 25 00:18:45.534067 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Jan 25 00:18:45.666842 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Jan 25 00:18:45.794645 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 25 00:18:45.957791 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 25 00:18:46.103040 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 25 00:18:46.224886 osdx ca-certificates[4544]: Updating certificates in /etc/ssl/certs...
Jan 25 00:18:46.898645 osdx ca-certificates[5528]: 1 added, 0 removed; done.
Jan 25 00:18:46.907969 osdx ca-certificates[5532]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:18:46.914857 osdx ca-certificates[5536]: done.
Jan 25 00:18:47.006505 osdx systemd[1]: Started DNSCrypt client proxy.
Jan 25 00:18:47.010479 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:18:47.021300 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:18:47.041494 osdx dnscrypt-proxy[5540]: dnscrypt-proxy 2.0.45
Jan 25 00:18:47.041892 osdx dnscrypt-proxy[5540]: Network connectivity detected
Jan 25 00:18:47.042483 osdx dnscrypt-proxy[5540]: Dropping privileges
Jan 25 00:18:47.044893 osdx dnscrypt-proxy[5540]: Network connectivity detected
Jan 25 00:18:47.045203 osdx dnscrypt-proxy[5540]: Now listening to 127.0.0.1:53 [UDP]
Jan 25 00:18:47.045291 osdx dnscrypt-proxy[5540]: Now listening to 127.0.0.1:53 [TCP]
Jan 25 00:18:47.045388 osdx dnscrypt-proxy[5540]: Firefox workaround initialized
Jan 25 00:18:47.045468 osdx dnscrypt-proxy[5540]: Loading the set of cloaking rules from [/tmp/tmp0lsuMN]
Jan 25 00:18:47.056220 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:18:47.244808 osdx dnscrypt-proxy[5540]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Jan 25 00:18:47.244832 osdx dnscrypt-proxy[5540]: [RD] OK (DoH) - rtt: 162ms
Jan 25 00:18:47.244844 osdx dnscrypt-proxy[5540]: Server with the lowest initial latency: RD (rtt: 162ms)
Jan 25 00:18:47.244853 osdx dnscrypt-proxy[5540]: dnscrypt-proxy is ready - live servers: 1
Jan 25 00:18:47.264142 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 2

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49200
Show output
-- Logs begin at Thu 2024-01-25 00:18:47 UTC, end at Thu 2024-01-25 00:18:59 UTC. --
Jan 25 00:18:47.597485 osdx systemd-journald[1486]: Runtime journal (/run/log/journal/6c43fcb6d98c40f095ee4a4601056b4b) is 2.0M, max 16.0M, 14.0M free.
Jan 25 00:18:47.615767 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system journal clear'.
Jan 25 00:18:48.016633 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:18:48.109491 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'delete'.
Jan 25 00:18:48.248792 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jan 25 00:18:48.282525 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:18:48.352446 osdx dnscrypt-proxy[5540]: Stopped.
Jan 25 00:18:48.353770 osdx systemd[1]: Stopping DNSCrypt client proxy...
Jan 25 00:18:48.354418 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Jan 25 00:18:48.354793 osdx systemd[1]: Stopped DNSCrypt client proxy.
Jan 25 00:18:48.474753 osdx ca-certificates[5613]: Clearing symlinks in /etc/ssl/certs...
Jan 25 00:18:48.865927 osdx ca-certificates[6171]: done.
Jan 25 00:18:48.875601 osdx ca-certificates[6176]: Updating certificates in /etc/ssl/certs...
Jan 25 00:18:49.482976 osdx ca-certificates[7016]: 137 added, 0 removed; done.
Jan 25 00:18:49.488964 osdx ca-certificates[7020]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:18:49.494313 osdx ca-certificates[7024]: done.
Jan 25 00:18:49.538015 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:18:49.542120 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:18:49.585651 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:18:51.057426 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:18:51.154730 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 25 00:18:51.245361 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 25 00:18:51.339856 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 25 00:18:51.427980 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 25 00:18:51.522719 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Jan 25 00:18:51.604710 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Jan 25 00:18:51.725093 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Jan 25 00:18:51.812106 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 25 00:18:51.953354 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 25 00:18:52.044245 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 25 00:18:52.210222 osdx ca-certificates[7071]: Updating certificates in /etc/ssl/certs...
Jan 25 00:18:52.865561 osdx ca-certificates[8055]: 1 added, 0 removed; done.
Jan 25 00:18:52.871805 osdx ca-certificates[8059]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:18:52.877170 osdx ca-certificates[8063]: done.
Jan 25 00:18:52.919226 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 25 00:18:53.085372 osdx systemd[1]: Started DNSCrypt client proxy.
Jan 25 00:18:53.088335 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:18:53.136033 osdx dnscrypt-proxy[8122]: dnscrypt-proxy 2.0.45
Jan 25 00:18:53.136427 osdx dnscrypt-proxy[8122]: Network connectivity detected
Jan 25 00:18:53.137770 osdx dnscrypt-proxy[8122]: Dropping privileges
Jan 25 00:18:53.144479 osdx dnscrypt-proxy[8122]: Network connectivity detected
Jan 25 00:18:53.144808 osdx dnscrypt-proxy[8122]: Now listening to 127.0.0.1:53 [UDP]
Jan 25 00:18:53.144898 osdx dnscrypt-proxy[8122]: Now listening to 127.0.0.1:53 [TCP]
Jan 25 00:18:53.147488 osdx dnscrypt-proxy[8122]: Firefox workaround initialized
Jan 25 00:18:53.147497 osdx dnscrypt-proxy[8122]: Loading the set of cloaking rules from [/tmp/tmpD8I5gb]
Jan 25 00:18:53.164536 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:18:53.207837 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:18:53.407524 osdx dnscrypt-proxy[8122]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Jan 25 00:18:53.407551 osdx dnscrypt-proxy[8122]: [RD] OK (DoH) - rtt: 189ms
Jan 25 00:18:53.407565 osdx dnscrypt-proxy[8122]: Server with the lowest initial latency: RD (rtt: 189ms)
Jan 25 00:18:53.407573 osdx dnscrypt-proxy[8122]: dnscrypt-proxy is ready - live servers: 1
Jan 25 00:18:55.331337 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:18:59.388211 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 3

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 52392
Show output
-- Logs begin at Thu 2024-01-25 00:18:59 UTC, end at Thu 2024-01-25 00:19:06 UTC. --
Jan 25 00:18:59.721903 osdx systemd-journald[1486]: Runtime journal (/run/log/journal/6c43fcb6d98c40f095ee4a4601056b4b) is 2.0M, max 16.0M, 14.0M free.
Jan 25 00:18:59.735517 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system journal clear'.
Jan 25 00:19:00.181967 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:19:00.284186 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'delete'.
Jan 25 00:19:00.341870 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:19:00.419140 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jan 25 00:19:00.527375 osdx dnscrypt-proxy[8122]: Stopped.
Jan 25 00:19:00.528794 osdx systemd[1]: Stopping DNSCrypt client proxy...
Jan 25 00:19:00.529459 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Jan 25 00:19:00.529822 osdx systemd[1]: Stopped DNSCrypt client proxy.
Jan 25 00:19:00.634508 osdx ca-certificates[8210]: Clearing symlinks in /etc/ssl/certs...
Jan 25 00:19:01.023818 osdx ca-certificates[8768]: done.
Jan 25 00:19:01.036143 osdx ca-certificates[8775]: Updating certificates in /etc/ssl/certs...
Jan 25 00:19:01.659393 osdx ca-certificates[9616]: 137 added, 0 removed; done.
Jan 25 00:19:01.666761 osdx ca-certificates[9620]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:19:01.674873 osdx ca-certificates[9624]: done.
Jan 25 00:19:01.743956 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:19:01.749309 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:19:01.820863 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:19:03.280434 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:19:03.540379 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:19:03.648641 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 25 00:19:03.766372 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 25 00:19:03.876072 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 25 00:19:03.994847 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 25 00:19:04.122236 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Jan 25 00:19:04.236382 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Jan 25 00:19:04.354962 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Jan 25 00:19:04.439114 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 25 00:19:04.538330 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 25 00:19:04.642988 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 25 00:19:04.809251 osdx ca-certificates[9671]: Updating certificates in /etc/ssl/certs...
Jan 25 00:19:05.596791 osdx ca-certificates[10656]: 1 added, 0 removed; done.
Jan 25 00:19:05.603107 osdx ca-certificates[10660]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:19:05.608758 osdx ca-certificates[10664]: done.
Jan 25 00:19:05.643222 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 25 00:19:05.808065 osdx systemd[1]: Started DNSCrypt client proxy.
Jan 25 00:19:05.810842 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:19:05.854886 osdx dnscrypt-proxy[10723]: dnscrypt-proxy 2.0.45
Jan 25 00:19:05.855365 osdx dnscrypt-proxy[10723]: Network connectivity detected
Jan 25 00:19:05.855847 osdx dnscrypt-proxy[10723]: Dropping privileges
Jan 25 00:19:05.864495 osdx dnscrypt-proxy[10723]: Network connectivity detected
Jan 25 00:19:05.864839 osdx dnscrypt-proxy[10723]: Now listening to 127.0.0.1:53 [UDP]
Jan 25 00:19:05.864966 osdx dnscrypt-proxy[10723]: Now listening to 127.0.0.1:53 [TCP]
Jan 25 00:19:05.865065 osdx dnscrypt-proxy[10723]: Firefox workaround initialized
Jan 25 00:19:05.865147 osdx dnscrypt-proxy[10723]: Loading the set of cloaking rules from [/tmp/tmpRqqK2E]
Jan 25 00:19:05.894502 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:19:05.951120 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:19:06.131128 osdx dnscrypt-proxy[10723]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Jan 25 00:19:06.131153 osdx dnscrypt-proxy[10723]: [RD] OK (DoH) - rtt: 200ms
Jan 25 00:19:06.131166 osdx dnscrypt-proxy[10723]: Server with the lowest initial latency: RD (rtt: 200ms)
Jan 25 00:19:06.131190 osdx dnscrypt-proxy[10723]: dnscrypt-proxy is ready - live servers: 1
Jan 25 00:19:06.156357 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 4

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Show output
-- Logs begin at Thu 2024-01-25 00:19:06 UTC, end at Thu 2024-01-25 00:19:18 UTC. --
Jan 25 00:19:06.488894 osdx systemd-journald[1486]: Runtime journal (/run/log/journal/6c43fcb6d98c40f095ee4a4601056b4b) is 2.0M, max 16.0M, 14.0M free.
Jan 25 00:19:06.502900 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system journal clear'.
Jan 25 00:19:06.891756 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:19:06.992765 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'delete'.
Jan 25 00:19:07.132606 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jan 25 00:19:07.232466 osdx dnscrypt-proxy[10723]: Stopped.
Jan 25 00:19:07.233793 osdx systemd[1]: Stopping DNSCrypt client proxy...
Jan 25 00:19:07.234433 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Jan 25 00:19:07.234806 osdx systemd[1]: Stopped DNSCrypt client proxy.
Jan 25 00:19:07.354331 osdx ca-certificates[10811]: Clearing symlinks in /etc/ssl/certs...
Jan 25 00:19:07.731957 osdx ca-certificates[11369]: done.
Jan 25 00:19:07.741287 osdx ca-certificates[11374]: Updating certificates in /etc/ssl/certs...
Jan 25 00:19:08.366863 osdx ca-certificates[12212]: 137 added, 0 removed; done.
Jan 25 00:19:08.376247 osdx ca-certificates[12217]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:19:08.383496 osdx ca-certificates[12220]: done.
Jan 25 00:19:08.434334 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:19:08.439878 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:19:08.482826 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:19:09.975360 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:19:10.116055 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 25 00:19:10.204857 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 25 00:19:10.328790 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:19:10.337393 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 25 00:19:10.423454 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 25 00:19:10.545693 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Jan 25 00:19:10.645003 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Jan 25 00:19:10.748961 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Jan 25 00:19:10.845418 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 25 00:19:10.940052 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 25 00:19:11.034584 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 25 00:19:11.170828 osdx ca-certificates[12267]: Updating certificates in /etc/ssl/certs...
Jan 25 00:19:11.819883 osdx ca-certificates[13254]: 1 added, 0 removed; done.
Jan 25 00:19:11.825769 osdx ca-certificates[13258]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:19:11.831355 osdx ca-certificates[13262]: done.
Jan 25 00:19:11.863214 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 25 00:19:12.028834 osdx systemd[1]: systemd-timedated.service: Succeeded.
Jan 25 00:19:12.074880 osdx systemd[1]: Started DNSCrypt client proxy.
Jan 25 00:19:12.077800 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:19:12.120920 osdx dnscrypt-proxy[13323]: dnscrypt-proxy 2.0.45
Jan 25 00:19:12.121460 osdx dnscrypt-proxy[13323]: Network connectivity detected
Jan 25 00:19:12.122718 osdx dnscrypt-proxy[13323]: Dropping privileges
Jan 25 00:19:12.131897 osdx dnscrypt-proxy[13323]: Network connectivity detected
Jan 25 00:19:12.131938 osdx dnscrypt-proxy[13323]: Now listening to 127.0.0.1:53 [UDP]
Jan 25 00:19:12.131944 osdx dnscrypt-proxy[13323]: Now listening to 127.0.0.1:53 [TCP]
Jan 25 00:19:12.131967 osdx dnscrypt-proxy[13323]: Firefox workaround initialized
Jan 25 00:19:12.131974 osdx dnscrypt-proxy[13323]: Loading the set of cloaking rules from [/tmp/tmp9pFLNf]
Jan 25 00:19:12.167463 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:19:12.195164 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:19:12.379700 osdx dnscrypt-proxy[13323]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Jan 25 00:19:12.379719 osdx dnscrypt-proxy[13323]: [RD] OK (DoH) - rtt: 176ms
Jan 25 00:19:12.379728 osdx dnscrypt-proxy[13323]: Server with the lowest initial latency: RD (rtt: 176ms)
Jan 25 00:19:12.379735 osdx dnscrypt-proxy[13323]: dnscrypt-proxy is ready - live servers: 1
Jan 25 00:19:15.342502 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:19:18.285044 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:19:18.370615 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 5

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49200
Show output
-- Logs begin at Thu 2024-01-25 00:19:18 UTC, end at Thu 2024-01-25 00:19:30 UTC. --
Jan 25 00:19:18.734369 osdx systemd-journald[1486]: Runtime journal (/run/log/journal/6c43fcb6d98c40f095ee4a4601056b4b) is 2.0M, max 16.0M, 14.0M free.
Jan 25 00:19:18.748419 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system journal clear'.
Jan 25 00:19:19.170812 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:19:19.306384 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'delete'.
Jan 25 00:19:19.421688 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jan 25 00:19:19.502896 osdx dnscrypt-proxy[13323]: Stopped.
Jan 25 00:19:19.504321 osdx systemd[1]: Stopping DNSCrypt client proxy...
Jan 25 00:19:19.504968 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Jan 25 00:19:19.505328 osdx systemd[1]: Stopped DNSCrypt client proxy.
Jan 25 00:19:19.617737 osdx ca-certificates[13411]: Clearing symlinks in /etc/ssl/certs...
Jan 25 00:19:20.004991 osdx ca-certificates[13969]: done.
Jan 25 00:19:20.016768 osdx ca-certificates[13974]: Updating certificates in /etc/ssl/certs...
Jan 25 00:19:20.594621 osdx ca-certificates[14812]: 137 added, 0 removed; done.
Jan 25 00:19:20.600931 osdx ca-certificates[14816]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:19:20.606496 osdx ca-certificates[14820]: done.
Jan 25 00:19:20.650231 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:19:20.654395 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:19:20.687799 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:19:22.127831 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:19:22.236548 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 25 00:19:22.376735 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 25 00:19:22.506801 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 25 00:19:22.627766 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 25 00:19:22.744501 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Jan 25 00:19:22.829779 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Jan 25 00:19:22.920248 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Jan 25 00:19:23.009700 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 25 00:19:23.129267 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 25 00:19:23.224767 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 25 00:19:23.354753 osdx ca-certificates[14867]: Updating certificates in /etc/ssl/certs...
Jan 25 00:19:24.049846 osdx ca-certificates[15851]: 1 added, 0 removed; done.
Jan 25 00:19:24.055668 osdx ca-certificates[15855]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:19:24.060748 osdx ca-certificates[15859]: done.
Jan 25 00:19:24.091215 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 25 00:19:24.252264 osdx systemd[1]: Started DNSCrypt client proxy.
Jan 25 00:19:24.255088 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:19:24.298873 osdx dnscrypt-proxy[15918]: dnscrypt-proxy 2.0.45
Jan 25 00:19:24.299288 osdx dnscrypt-proxy[15918]: Network connectivity detected
Jan 25 00:19:24.299758 osdx dnscrypt-proxy[15918]: Dropping privileges
Jan 25 00:19:24.308365 osdx dnscrypt-proxy[15918]: Network connectivity detected
Jan 25 00:19:24.308683 osdx dnscrypt-proxy[15918]: Now listening to 127.0.0.1:53 [UDP]
Jan 25 00:19:24.308798 osdx dnscrypt-proxy[15918]: Now listening to 127.0.0.1:53 [TCP]
Jan 25 00:19:24.308905 osdx dnscrypt-proxy[15918]: Firefox workaround initialized
Jan 25 00:19:24.309001 osdx dnscrypt-proxy[15918]: Loading the set of cloaking rules from [/tmp/tmpHLmAQO]
Jan 25 00:19:24.334153 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:19:24.366341 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:19:24.615905 osdx dnscrypt-proxy[15918]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Jan 25 00:19:24.615923 osdx dnscrypt-proxy[15918]: [RD] OK (DoH) - rtt: 237ms
Jan 25 00:19:24.615932 osdx dnscrypt-proxy[15918]: Server with the lowest initial latency: RD (rtt: 237ms)
Jan 25 00:19:24.615938 osdx dnscrypt-proxy[15918]: dnscrypt-proxy is ready - live servers: 1
Jan 25 00:19:25.331331 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:19:30.342600 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:19:30.558219 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 6

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 52392
Show output
-- Logs begin at Thu 2024-01-25 00:19:30 UTC, end at Thu 2024-01-25 00:19:42 UTC. --
Jan 25 00:19:30.813125 osdx systemd-journald[1486]: Runtime journal (/run/log/journal/6c43fcb6d98c40f095ee4a4601056b4b) is 2.0M, max 16.0M, 14.0M free.
Jan 25 00:19:30.831886 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system journal clear'.
Jan 25 00:19:31.235998 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:19:31.325902 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'delete'.
Jan 25 00:19:31.476313 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jan 25 00:19:31.591528 osdx dnscrypt-proxy[15918]: Stopped.
Jan 25 00:19:31.592861 osdx systemd[1]: Stopping DNSCrypt client proxy...
Jan 25 00:19:31.593475 osdx systemd[1]: dnscrypt-proxy.service: Succeeded.
Jan 25 00:19:31.593846 osdx systemd[1]: Stopped DNSCrypt client proxy.
Jan 25 00:19:31.692784 osdx ca-certificates[16006]: Clearing symlinks in /etc/ssl/certs...
Jan 25 00:19:32.015665 osdx ca-certificates[16564]: done.
Jan 25 00:19:32.023119 osdx ca-certificates[16568]: Updating certificates in /etc/ssl/certs...
Jan 25 00:19:32.572603 osdx ca-certificates[17407]: 137 added, 0 removed; done.
Jan 25 00:19:32.578358 osdx ca-certificates[17411]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:19:32.583484 osdx ca-certificates[17415]: done.
Jan 25 00:19:32.625824 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:19:32.629621 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:19:32.662979 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:19:33.283240 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:19:34.129893 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:19:34.228677 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 25 00:19:34.318563 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 25 00:19:34.418166 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 25 00:19:34.511387 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 25 00:19:34.604573 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac'.
Jan 25 00:19:34.690291 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Jan 25 00:19:34.811308 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Jan 25 00:19:34.900823 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 25 00:19:34.990427 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 25 00:19:35.100543 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 25 00:19:35.244748 osdx ca-certificates[17463]: Updating certificates in /etc/ssl/certs...
Jan 25 00:19:35.865843 osdx ca-certificates[18447]: 1 added, 0 removed; done.
Jan 25 00:19:35.871717 osdx ca-certificates[18451]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:19:35.876926 osdx ca-certificates[18455]: done.
Jan 25 00:19:35.907435 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 25 00:19:36.097357 osdx systemd[1]: Started DNSCrypt client proxy.
Jan 25 00:19:36.100241 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:19:36.155585 osdx dnscrypt-proxy[18514]: dnscrypt-proxy 2.0.45
Jan 25 00:19:36.155658 osdx dnscrypt-proxy[18514]: Network connectivity detected
Jan 25 00:19:36.155990 osdx dnscrypt-proxy[18514]: Dropping privileges
Jan 25 00:19:36.164357 osdx dnscrypt-proxy[18514]: Network connectivity detected
Jan 25 00:19:36.164695 osdx dnscrypt-proxy[18514]: Now listening to 127.0.0.1:53 [UDP]
Jan 25 00:19:36.164786 osdx dnscrypt-proxy[18514]: Now listening to 127.0.0.1:53 [TCP]
Jan 25 00:19:36.164904 osdx dnscrypt-proxy[18514]: Firefox workaround initialized
Jan 25 00:19:36.164986 osdx dnscrypt-proxy[18514]: Loading the set of cloaking rules from [/tmp/tmpoC2cRJ]
Jan 25 00:19:36.189078 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:19:36.233483 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:19:36.408105 osdx dnscrypt-proxy[18514]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Jan 25 00:19:36.408122 osdx dnscrypt-proxy[18514]: [RD] OK (DoH) - rtt: 174ms
Jan 25 00:19:36.408132 osdx dnscrypt-proxy[18514]: Server with the lowest initial latency: RD (rtt: 174ms)
Jan 25 00:19:36.408139 osdx dnscrypt-proxy[18514]: dnscrypt-proxy is ready - live servers: 1
Jan 25 00:19:40.334327 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:19:42.384820 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
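
Added example (not part of the test suite or of the device software): the Step 3 token in Examples 3 to 6 is the decimal IANA code point of the negotiated suite, so 52392 is 0xCCA8, and the logged TLS version `303` is hexadecimal 0x0303 (TLS 1.2). The script parses the handshake line, maps the ID back to its name and checks it against the configured `cipher N algorithm` lines; the `LEGACY` set and the function names are assumptions of this example, and the sample lines are copied from Example 3.

```python
import re

# IANA TLS cipher suite code points for the algorithms this test suite configures.
IANA = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",        # 49199
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",        # 49200
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",  # 52392
}
# Assumption of this example: suites treated as legacy (RC4 and 3DES).
LEGACY = {0x0005, 0x000A}

CFG_RE = re.compile(r"set service dns proxy cipher (\d+) algorithm ([A-Z0-9_]+)")
HS_RE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[(?P<server>[^\]]+)\] TLS version: (?P<ver>[0-9a-fA-F]+)"
    r" - Protocol: (?P<proto>\S+) - Cipher suite: (?P<suite>\d+)"
)

# Step 1 cipher lines and Step 3 journal lines copied from Example 3 on this page.
CONFIG = """\
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
"""
JOURNAL = """\
Jan 25 00:19:05.854886 osdx dnscrypt-proxy[10723]: dnscrypt-proxy 2.0.45
Jan 25 00:19:06.131128 osdx dnscrypt-proxy[10723]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Jan 25 00:19:06.131153 osdx dnscrypt-proxy[10723]: [RD] OK (DoH) - rtt: 200ms
"""


def configured_ciphers(config_text):
    """Return the configured algorithm names ordered by cipher index."""
    pairs = sorted((int(idx), name) for idx, name in CFG_RE.findall(config_text))
    return [name for _, name in pairs]


def handshakes(journal_text):
    """Return one dict per dnscrypt-proxy handshake line found in the journal."""
    found = []
    for m in HS_RE.finditer(journal_text):
        suite = int(m.group("suite"))           # logged in decimal
        found.append({
            "server": m.group("server"),
            "tls_version": int(m.group("ver"), 16),  # logged in hex: 303 -> 0x0303
            "protocol": m.group("proto"),
            "suite_id": suite,
            "suite_name": IANA.get(suite, "unknown(0x%04X)" % suite),
        })
    return found


def audit(config_text, journal_text):
    """Return a list of findings; an empty list means the handshake is acceptable."""
    allowed = configured_ciphers(config_text)
    found = handshakes(journal_text)
    if not found:
        return ["no TLS handshake line in journal"]
    findings = []
    for hs in found:
        label = "[%s] %s (%d)" % (hs["server"], hs["suite_name"], hs["suite_id"])
        if hs["suite_name"] not in allowed:
            findings.append(label + ": suite not in configured list")
        if hs["suite_id"] in LEGACY:
            findings.append(label + ": legacy suite negotiated")
        if hs["tls_version"] < 0x0303:
            findings.append(label + ": TLS version below 1.2")
    return findings


if __name__ == "__main__":
    for hs in handshakes(JOURNAL):
        print(hs)
    print(audit(CONFIG, JOURNAL) or "OK: strong configured suite negotiated")
```

Because the check keys on the numeric ID rather than on DNS resolution succeeding, it also flags a run where the lookup works but the session fell back to the RC4 or 3DES entry.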