Cipher
Test suite that validates the use of one or more ciphers to protect the DoH connection.
Single Valid Cipher
Description
Configures a single, valid cipher and tries to communicate with the server. No refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
Jul 17 16:40:03.287040 osdx systemd-journald[93647]: Runtime Journal (/run/log/journal/7135572a45764d02b8df631348eed5fb) is 2.0M, max 15.3M, 13.2M free.
Jul 17 16:40:03.287918 osdx systemd-journald[93647]: Received client request to rotate journal, rotating.
Jul 17 16:40:03.287959 osdx systemd-journald[93647]: Vacuuming done, freed 0B of archived journals from /run/log/journal/7135572a45764d02b8df631348eed5fb.
Jul 17 16:40:03.296949 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'system journal clear'.
Jul 17 16:40:03.620094 osdx osdx-coredump[238896]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jul 17 16:40:03.627284 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'system coredump delete all'.
Jul 17 16:40:04.063232 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu.
Jul 17 16:40:04.151059 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 17 16:40:04.265127 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 17 16:40:04.376686 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:40:04.467923 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 17 16:40:04.544261 osdx cfgd[1240]: [170971]Completed change to active configuration
Jul 17 16:40:04.577580 osdx OSDxCLI[170971]: User 'admin' committed the configuration.
Jul 17 16:40:04.616929 osdx OSDxCLI[170971]: User 'admin' left the configuration menu.
Jul 17 16:40:04.758507 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jul 17 16:40:04.895947 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu.
Jul 17 16:40:04.967005 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 17 16:40:05.071610 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jul 17 16:40:05.138546 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jul 17 16:40:05.237540 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jul 17 16:40:05.341060 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'.
Jul 17 16:40:05.415894 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Jul 17 16:40:05.533266 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jul 17 16:40:05.646795 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 17 16:40:05.699738 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 17 16:40:05.816435 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:40:05.907060 osdx ca-certificates[239037]: Updating certificates in /etc/ssl/certs...
Jul 17 16:40:06.442419 osdx ca-certificates[240040]: 1 added, 0 removed; done.
Jul 17 16:40:06.445675 osdx ca-certificates[240047]: Running hooks in /etc/ca-certificates/update.d...
Jul 17 16:40:06.448633 osdx ca-certificates[240049]: done.
Jul 17 16:40:06.512283 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 17 16:40:06.513616 osdx cfgd[1240]: [170971]Completed change to active configuration
Jul 17 16:40:06.515795 osdx OSDxCLI[170971]: User 'admin' committed the configuration.
Jul 17 16:40:06.532161 osdx OSDxCLI[170971]: User 'admin' left the configuration menu.
Jul 17 16:40:06.545178 osdx dnscrypt-proxy[240053]: dnscrypt-proxy 2.0.45
Jul 17 16:40:06.545240 osdx dnscrypt-proxy[240053]: Network connectivity detected
Jul 17 16:40:06.545439 osdx dnscrypt-proxy[240053]: Dropping privileges
Jul 17 16:40:06.547694 osdx dnscrypt-proxy[240053]: Network connectivity detected
Jul 17 16:40:06.547725 osdx dnscrypt-proxy[240053]: Now listening to 127.0.0.1:53 [UDP]
Jul 17 16:40:06.547729 osdx dnscrypt-proxy[240053]: Now listening to 127.0.0.1:53 [TCP]
Jul 17 16:40:06.547750 osdx dnscrypt-proxy[240053]: Firefox workaround initialized
Jul 17 16:40:06.547754 osdx dnscrypt-proxy[240053]: Loading the set of cloaking rules from [/tmp/tmp2vi91z4h]
Jul 17 16:40:06.697562 osdx dnscrypt-proxy[240053]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Jul 17 16:40:06.697576 osdx dnscrypt-proxy[240053]: [RD] OK (DoH) - rtt: 122ms
Jul 17 16:40:06.697585 osdx dnscrypt-proxy[240053]: Server with the lowest initial latency: RD (rtt: 122ms)
Jul 17 16:40:06.697589 osdx dnscrypt-proxy[240053]: dnscrypt-proxy is ready - live servers: 1
Jul 17 16:40:11.685315 osdx OSDxCLI[170971]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Jul 17 16:40:11.865038 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Multiple Valid Cipher
Description
Configures a valid cipher each time, and tries to communicate with the server. No refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
Jul 17 16:40:18.282499 osdx systemd-journald[93647]: Runtime Journal (/run/log/journal/7135572a45764d02b8df631348eed5fb) is 2.0M, max 15.3M, 13.3M free.
Jul 17 16:40:18.282959 osdx systemd-journald[93647]: Received client request to rotate journal, rotating.
Jul 17 16:40:18.282992 osdx systemd-journald[93647]: Vacuuming done, freed 0B of archived journals from /run/log/journal/7135572a45764d02b8df631348eed5fb.
Jul 17 16:40:18.292724 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'system journal clear'.
Jul 17 16:40:18.586852 osdx osdx-coredump[241680]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jul 17 16:40:18.594045 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'system coredump delete all'.
Jul 17 16:40:19.072206 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu.
Jul 17 16:40:19.183489 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 17 16:40:19.247187 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 17 16:40:19.368317 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:40:19.451031 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 17 16:40:19.524855 osdx cfgd[1240]: [170971]Completed change to active configuration
Jul 17 16:40:19.549546 osdx OSDxCLI[170971]: User 'admin' committed the configuration.
Jul 17 16:40:19.564391 osdx OSDxCLI[170971]: User 'admin' left the configuration menu.
Jul 17 16:40:19.703248 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jul 17 16:40:19.870818 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu.
Jul 17 16:40:19.935304 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 17 16:40:20.041628 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jul 17 16:40:20.100914 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jul 17 16:40:20.190338 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jul 17 16:40:20.243767 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'.
Jul 17 16:40:20.334609 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Jul 17 16:40:20.389339 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jul 17 16:40:20.494479 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 17 16:40:20.546972 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 17 16:40:20.656380 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:40:20.740372 osdx ca-certificates[241821]: Updating certificates in /etc/ssl/certs...
Jul 17 16:40:21.294095 osdx ca-certificates[242825]: 1 added, 0 removed; done.
Jul 17 16:40:21.297207 osdx ca-certificates[242831]: Running hooks in /etc/ca-certificates/update.d...
Jul 17 16:40:21.300346 osdx ca-certificates[242833]: done.
Jul 17 16:40:21.367324 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 17 16:40:21.368498 osdx cfgd[1240]: [170971]Completed change to active configuration
Jul 17 16:40:21.370822 osdx OSDxCLI[170971]: User 'admin' committed the configuration.
Jul 17 16:40:21.387720 osdx OSDxCLI[170971]: User 'admin' left the configuration menu.
Jul 17 16:40:21.399106 osdx dnscrypt-proxy[242837]: dnscrypt-proxy 2.0.45
Jul 17 16:40:21.399185 osdx dnscrypt-proxy[242837]: Network connectivity detected
Jul 17 16:40:21.399434 osdx dnscrypt-proxy[242837]: Dropping privileges
Jul 17 16:40:21.401699 osdx dnscrypt-proxy[242837]: Network connectivity detected
Jul 17 16:40:21.401727 osdx dnscrypt-proxy[242837]: Now listening to 127.0.0.1:53 [UDP]
Jul 17 16:40:21.401731 osdx dnscrypt-proxy[242837]: Now listening to 127.0.0.1:53 [TCP]
Jul 17 16:40:21.401756 osdx dnscrypt-proxy[242837]: Firefox workaround initialized
Jul 17 16:40:21.401760 osdx dnscrypt-proxy[242837]: Loading the set of cloaking rules from [/tmp/tmpibolyr0i]
Jul 17 16:40:21.534691 osdx dnscrypt-proxy[242837]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Jul 17 16:40:21.534711 osdx dnscrypt-proxy[242837]: [RD] OK (DoH) - rtt: 111ms
Jul 17 16:40:21.534723 osdx dnscrypt-proxy[242837]: Server with the lowest initial latency: RD (rtt: 111ms)
Jul 17 16:40:21.534730 osdx dnscrypt-proxy[242837]: dnscrypt-proxy is ready - live servers: 1
Jul 17 16:40:26.551027 osdx OSDxCLI[170971]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Jul 17 16:40:26.760734 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 2
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
Output:
Jul 17 16:40:26.961378 osdx systemd-journald[93647]: Runtime Journal (/run/log/journal/7135572a45764d02b8df631348eed5fb) is 2.6M, max 15.3M, 12.6M free.
Jul 17 16:40:26.962938 osdx systemd-journald[93647]: Received client request to rotate journal, rotating.
Jul 17 16:40:26.962984 osdx systemd-journald[93647]: Vacuuming done, freed 0B of archived journals from /run/log/journal/7135572a45764d02b8df631348eed5fb.
Jul 17 16:40:26.973625 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'system journal clear'.
Jul 17 16:40:27.232198 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu.
Jul 17 16:40:27.286557 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'delete'.
Jul 17 16:40:27.396400 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jul 17 16:40:27.459711 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:40:27.550308 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Jul 17 16:40:27.550356 osdx dnscrypt-proxy[242837]: Stopped.
Jul 17 16:40:27.551360 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Jul 17 16:40:27.551481 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 17 16:40:27.626203 osdx ca-certificates[242928]: Clearing symlinks in /etc/ssl/certs...
Jul 17 16:40:27.918997 osdx ca-certificates[243497]: done.
Jul 17 16:40:27.923039 osdx ca-certificates[243506]: Updating certificates in /etc/ssl/certs...
Jul 17 16:40:28.406080 osdx ca-certificates[244358]: 140 added, 0 removed; done.
Jul 17 16:40:28.408982 osdx ca-certificates[244364]: Running hooks in /etc/ca-certificates/update.d...
Jul 17 16:40:28.411944 osdx ca-certificates[244366]: done.
Jul 17 16:40:28.447056 osdx cfgd[1240]: [170971]Completed change to active configuration
Jul 17 16:40:28.450137 osdx OSDxCLI[170971]: User 'admin' committed the configuration.
Jul 17 16:40:28.479979 osdx OSDxCLI[170971]: User 'admin' left the configuration menu.
Jul 17 16:40:29.741235 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu.
Jul 17 16:40:29.809931 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 17 16:40:29.905900 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jul 17 16:40:29.962573 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jul 17 16:40:30.054035 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jul 17 16:40:30.107356 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'.
Jul 17 16:40:30.199795 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Jul 17 16:40:30.248837 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jul 17 16:40:30.352921 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 17 16:40:30.403026 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 17 16:40:30.513629 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:40:30.596667 osdx ca-certificates[244420]: Updating certificates in /etc/ssl/certs...
Jul 17 16:40:31.118588 osdx ca-certificates[245424]: 1 added, 0 removed; done.
Jul 17 16:40:31.121845 osdx ca-certificates[245430]: Running hooks in /etc/ca-certificates/update.d...
Jul 17 16:40:31.124829 osdx ca-certificates[245432]: done.
Jul 17 16:40:31.138940 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 17 16:40:31.263477 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 17 16:40:31.264834 osdx cfgd[1240]: [170971]Completed change to active configuration
Jul 17 16:40:31.292051 osdx dnscrypt-proxy[245491]: dnscrypt-proxy 2.0.45
Jul 17 16:40:31.292125 osdx dnscrypt-proxy[245491]: Network connectivity detected
Jul 17 16:40:31.292324 osdx dnscrypt-proxy[245491]: Dropping privileges
Jul 17 16:40:31.294360 osdx dnscrypt-proxy[245491]: Network connectivity detected
Jul 17 16:40:31.294389 osdx dnscrypt-proxy[245491]: Now listening to 127.0.0.1:53 [UDP]
Jul 17 16:40:31.294393 osdx dnscrypt-proxy[245491]: Now listening to 127.0.0.1:53 [TCP]
Jul 17 16:40:31.294412 osdx dnscrypt-proxy[245491]: Firefox workaround initialized
Jul 17 16:40:31.294416 osdx dnscrypt-proxy[245491]: Loading the set of cloaking rules from [/tmp/tmp_k9mfz7w]
Jul 17 16:40:31.302018 osdx OSDxCLI[170971]: User 'admin' committed the configuration.
Jul 17 16:40:31.320219 osdx OSDxCLI[170971]: User 'admin' left the configuration menu.
Jul 17 16:40:31.859920 osdx dnscrypt-proxy[245491]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Jul 17 16:40:31.859940 osdx dnscrypt-proxy[245491]: [RD] OK (DoH) - rtt: 536ms
Jul 17 16:40:31.859949 osdx dnscrypt-proxy[245491]: Server with the lowest initial latency: RD (rtt: 536ms)
Jul 17 16:40:31.859954 osdx dnscrypt-proxy[245491]: dnscrypt-proxy is ready - live servers: 1
Jul 17 16:40:36.476571 osdx OSDxCLI[170971]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Jul 17 16:40:36.663381 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 3
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Output:
Jul 17 16:40:36.876030 osdx systemd-journald[93647]: Runtime Journal (/run/log/journal/7135572a45764d02b8df631348eed5fb) is 2.0M, max 15.3M, 13.3M free.
Jul 17 16:40:36.878962 osdx systemd-journald[93647]: Received client request to rotate journal, rotating.
Jul 17 16:40:36.879027 osdx systemd-journald[93647]: Vacuuming done, freed 0B of archived journals from /run/log/journal/7135572a45764d02b8df631348eed5fb.
Jul 17 16:40:36.888572 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'system journal clear'.
Jul 17 16:40:37.131098 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu.
Jul 17 16:40:37.190194 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'delete'.
Jul 17 16:40:37.296879 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jul 17 16:40:37.359999 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:40:37.450578 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Jul 17 16:40:37.450724 osdx dnscrypt-proxy[245491]: Stopped.
Jul 17 16:40:37.451888 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Jul 17 16:40:37.452015 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 17 16:40:37.526002 osdx ca-certificates[245595]: Clearing symlinks in /etc/ssl/certs...
Jul 17 16:40:37.810346 osdx ca-certificates[246164]: done.
Jul 17 16:40:37.814550 osdx ca-certificates[246176]: Updating certificates in /etc/ssl/certs...
Jul 17 16:40:38.274806 osdx ca-certificates[247025]: 140 added, 0 removed; done.
Jul 17 16:40:38.277913 osdx ca-certificates[247031]: Running hooks in /etc/ca-certificates/update.d...
Jul 17 16:40:38.280898 osdx ca-certificates[247033]: done.
Jul 17 16:40:38.325866 osdx cfgd[1240]: [170971]Completed change to active configuration
Jul 17 16:40:38.328238 osdx OSDxCLI[170971]: User 'admin' committed the configuration.
Jul 17 16:40:38.353062 osdx OSDxCLI[170971]: User 'admin' left the configuration menu.
Jul 17 16:40:39.611298 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu.
Jul 17 16:40:39.666804 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 17 16:40:39.763921 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jul 17 16:40:39.826074 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jul 17 16:40:39.910553 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jul 17 16:40:39.966282 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'.
Jul 17 16:40:40.058828 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Jul 17 16:40:40.113097 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jul 17 16:40:40.218872 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 17 16:40:40.270473 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 17 16:40:40.382117 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:40:40.470853 osdx ca-certificates[247087]: Updating certificates in /etc/ssl/certs...
Jul 17 16:40:41.041186 osdx ca-certificates[248094]: 1 added, 0 removed; done.
Jul 17 16:40:41.044523 osdx ca-certificates[248099]: Running hooks in /etc/ca-certificates/update.d...
Jul 17 16:40:41.047335 osdx ca-certificates[248101]: done.
Jul 17 16:40:41.062943 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 17 16:40:41.207277 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 17 16:40:41.209200 osdx cfgd[1240]: [170971]Completed change to active configuration
Jul 17 16:40:41.244065 osdx dnscrypt-proxy[248160]: dnscrypt-proxy 2.0.45
Jul 17 16:40:41.244136 osdx dnscrypt-proxy[248160]: Network connectivity detected
Jul 17 16:40:41.244355 osdx dnscrypt-proxy[248160]: Dropping privileges
Jul 17 16:40:41.246836 osdx dnscrypt-proxy[248160]: Network connectivity detected
Jul 17 16:40:41.246866 osdx dnscrypt-proxy[248160]: Now listening to 127.0.0.1:53 [UDP]
Jul 17 16:40:41.246871 osdx dnscrypt-proxy[248160]: Now listening to 127.0.0.1:53 [TCP]
Jul 17 16:40:41.246892 osdx dnscrypt-proxy[248160]: Firefox workaround initialized
Jul 17 16:40:41.246896 osdx dnscrypt-proxy[248160]: Loading the set of cloaking rules from [/tmp/tmpturgrbzz]
Jul 17 16:40:41.251360 osdx OSDxCLI[170971]: User 'admin' committed the configuration.
Jul 17 16:40:41.267327 osdx OSDxCLI[170971]: User 'admin' left the configuration menu.
Jul 17 16:40:41.399812 osdx dnscrypt-proxy[248160]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Jul 17 16:40:41.399835 osdx dnscrypt-proxy[248160]: [RD] OK (DoH) - rtt: 124ms
Jul 17 16:40:41.399847 osdx dnscrypt-proxy[248160]: Server with the lowest initial latency: RD (rtt: 124ms)
Jul 17 16:40:41.399856 osdx dnscrypt-proxy[248160]: dnscrypt-proxy is ready - live servers: 1
Jul 17 16:40:41.411083 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Single Invalid Cipher
Description
Configures a single, invalid cipher and tries to communicate with the server. A refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
Jul 17 16:40:48.281843 osdx systemd-journald[93647]: Runtime Journal (/run/log/journal/7135572a45764d02b8df631348eed5fb) is 2.0M, max 15.3M, 13.3M free.
Jul 17 16:40:48.283128 osdx systemd-journald[93647]: Received client request to rotate journal, rotating.
Jul 17 16:40:48.283169 osdx systemd-journald[93647]: Vacuuming done, freed 0B of archived journals from /run/log/journal/7135572a45764d02b8df631348eed5fb.
Jul 17 16:40:48.291285 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'system journal clear'.
Jul 17 16:40:48.588816 osdx osdx-coredump[249797]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jul 17 16:40:48.597367 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'system coredump delete all'.
Jul 17 16:40:49.022158 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu.
Jul 17 16:40:49.086366 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 17 16:40:49.177188 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 17 16:40:49.251295 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:40:49.355131 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 17 16:40:49.419369 osdx cfgd[1240]: [170971]Completed change to active configuration
Jul 17 16:40:49.444829 osdx OSDxCLI[170971]: User 'admin' committed the configuration.
Jul 17 16:40:49.466826 osdx OSDxCLI[170971]: User 'admin' left the configuration menu.
Jul 17 16:40:49.636234 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jul 17 16:40:49.756600 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu.
Jul 17 16:40:49.815515 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 17 16:40:49.911537 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jul 17 16:40:49.970624 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jul 17 16:40:50.057911 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jul 17 16:40:50.111394 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'.
Jul 17 16:40:50.202091 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Jul 17 16:40:50.252851 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jul 17 16:40:50.362574 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 17 16:40:50.413571 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 17 16:40:50.525107 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:40:50.609768 osdx ca-certificates[249938]: Updating certificates in /etc/ssl/certs...
Jul 17 16:40:51.135360 osdx ca-certificates[250941]: 1 added, 0 removed; done.
Jul 17 16:40:51.140089 osdx ca-certificates[250948]: Running hooks in /etc/ca-certificates/update.d...
Jul 17 16:40:51.144100 osdx ca-certificates[250950]: done.
Jul 17 16:40:51.219830 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 17 16:40:51.221632 osdx cfgd[1240]: [170971]Completed change to active configuration
Jul 17 16:40:51.224387 osdx OSDxCLI[170971]: User 'admin' committed the configuration.
Jul 17 16:40:51.241806 osdx OSDxCLI[170971]: User 'admin' left the configuration menu.
Jul 17 16:40:51.242463 osdx dnscrypt-proxy[250954]: dnscrypt-proxy 2.0.45
Jul 17 16:40:51.242524 osdx dnscrypt-proxy[250954]: Network connectivity detected
Jul 17 16:40:51.242725 osdx dnscrypt-proxy[250954]: Dropping privileges
Jul 17 16:40:51.245032 osdx dnscrypt-proxy[250954]: Network connectivity detected
Jul 17 16:40:51.245290 osdx dnscrypt-proxy[250954]: Now listening to 127.0.0.1:53 [UDP]
Jul 17 16:40:51.245348 osdx dnscrypt-proxy[250954]: Now listening to 127.0.0.1:53 [TCP]
Jul 17 16:40:51.245430 osdx dnscrypt-proxy[250954]: Firefox workaround initialized
Jul 17 16:40:51.245475 osdx dnscrypt-proxy[250954]: Loading the set of cloaking rules from [/tmp/tmp13eqw4c_]
Jul 17 16:40:51.246350 osdx dnscrypt-proxy[250954]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Multiple Invalid Cipher
Description
Configures either one or two invalid ciphers and tries to communicate with the server. A refusal of all proposed ciphers is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
Jul 17 16:40:57.282317 osdx systemd-journald[93647]: Runtime Journal (/run/log/journal/7135572a45764d02b8df631348eed5fb) is 2.0M, max 15.3M, 13.3M free. Jul 17 16:40:57.284547 osdx systemd-journald[93647]: Received client request to rotate journal, rotating. Jul 17 16:40:57.284617 osdx systemd-journald[93647]: Vacuuming done, freed 0B of archived journals from /run/log/journal/7135572a45764d02b8df631348eed5fb. Jul 17 16:40:57.294751 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'system journal clear'. Jul 17 16:40:57.626542 osdx osdx-coredump[252574]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... Jul 17 16:40:57.636023 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'system coredump delete all'. Jul 17 16:40:58.067337 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu. Jul 17 16:40:58.170663 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Jul 17 16:40:58.219619 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Jul 17 16:40:58.324317 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'. Jul 17 16:40:58.404554 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Jul 17 16:40:58.469522 osdx cfgd[1240]: [170971]Completed change to active configuration Jul 17 16:40:58.494437 osdx OSDxCLI[170971]: User 'admin' committed the configuration. Jul 17 16:40:58.518078 osdx OSDxCLI[170971]: User 'admin' left the configuration menu. Jul 17 16:40:58.655812 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. Jul 17 16:40:58.818353 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu. Jul 17 16:40:58.883137 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. 
Jul 17 16:40:58.979823 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Jul 17 16:40:59.073375 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Jul 17 16:40:59.129711 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. Jul 17 16:40:59.222074 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'. Jul 17 16:40:59.277860 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. Jul 17 16:40:59.373396 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Jul 17 16:40:59.441711 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Jul 17 16:40:59.533293 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Jul 17 16:40:59.610939 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'. Jul 17 16:40:59.715986 osdx ca-certificates[252715]: Updating certificates in /etc/ssl/certs... Jul 17 16:41:00.270208 osdx ca-certificates[253718]: 1 added, 0 removed; done. Jul 17 16:41:00.274852 osdx ca-certificates[253725]: Running hooks in /etc/ca-certificates/update.d... Jul 17 16:41:00.279229 osdx ca-certificates[253727]: done. Jul 17 16:41:00.357196 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. Jul 17 16:41:00.359029 osdx cfgd[1240]: [170971]Completed change to active configuration Jul 17 16:41:00.363091 osdx OSDxCLI[170971]: User 'admin' committed the configuration. 
Jul 17 16:41:00.383443 osdx dnscrypt-proxy[253731]: dnscrypt-proxy 2.0.45 Jul 17 16:41:00.383528 osdx dnscrypt-proxy[253731]: Network connectivity detected Jul 17 16:41:00.383781 osdx dnscrypt-proxy[253731]: Dropping privileges Jul 17 16:41:00.386662 osdx dnscrypt-proxy[253731]: Network connectivity detected Jul 17 16:41:00.386700 osdx dnscrypt-proxy[253731]: Now listening to 127.0.0.1:53 [UDP] Jul 17 16:41:00.386706 osdx dnscrypt-proxy[253731]: Now listening to 127.0.0.1:53 [TCP] Jul 17 16:41:00.386740 osdx dnscrypt-proxy[253731]: Firefox workaround initialized Jul 17 16:41:00.386746 osdx dnscrypt-proxy[253731]: Loading the set of cloaking rules from [/tmp/tmpmalb0xx4] Jul 17 16:41:00.387588 osdx OSDxCLI[170971]: User 'admin' left the configuration menu. Jul 17 16:41:00.387908 osdx dnscrypt-proxy[253731]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Example 2
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
Jul 17 16:41:00.617709 osdx systemd-journald[93647]: Runtime Journal (/run/log/journal/7135572a45764d02b8df631348eed5fb) is 2.0M, max 15.3M, 13.3M free. Jul 17 16:41:00.620546 osdx systemd-journald[93647]: Received client request to rotate journal, rotating. Jul 17 16:41:00.620600 osdx systemd-journald[93647]: Vacuuming done, freed 0B of archived journals from /run/log/journal/7135572a45764d02b8df631348eed5fb. Jul 17 16:41:00.628406 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'system journal clear'. Jul 17 16:41:00.898193 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu. Jul 17 16:41:00.981601 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'delete'. Jul 17 16:41:01.071050 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. Jul 17 16:41:01.146415 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'. Jul 17 16:41:01.229463 osdx dnscrypt-proxy[253731]: Stopped. Jul 17 16:41:01.229503 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy... Jul 17 16:41:01.230399 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully. Jul 17 16:41:01.230509 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy. Jul 17 16:41:01.314252 osdx ca-certificates[253818]: Clearing symlinks in /etc/ssl/certs... Jul 17 16:41:01.610640 osdx ca-certificates[254387]: done. Jul 17 16:41:01.615865 osdx ca-certificates[254396]: Updating certificates in /etc/ssl/certs... Jul 17 16:41:02.111235 osdx ca-certificates[255249]: 140 added, 0 removed; done. Jul 17 16:41:02.114450 osdx ca-certificates[255254]: Running hooks in /etc/ca-certificates/update.d... Jul 17 16:41:02.118466 osdx ca-certificates[255256]: done. 
Jul 17 16:41:02.163698 osdx cfgd[1240]: [170971]Completed change to active configuration Jul 17 16:41:02.166928 osdx OSDxCLI[170971]: User 'admin' committed the configuration. Jul 17 16:41:02.191982 osdx OSDxCLI[170971]: User 'admin' left the configuration menu. Jul 17 16:41:03.357709 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu. Jul 17 16:41:03.416194 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. Jul 17 16:41:03.512076 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Jul 17 16:41:03.573048 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Jul 17 16:41:03.689169 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. Jul 17 16:41:03.788129 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'. Jul 17 16:41:03.865095 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'. Jul 17 16:41:04.013847 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Jul 17 16:41:04.080987 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Jul 17 16:41:04.160755 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Jul 17 16:41:04.233439 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'. Jul 17 16:41:04.346493 osdx ca-certificates[255310]: Updating certificates in /etc/ssl/certs... Jul 17 16:41:04.953263 osdx ca-certificates[256314]: 1 added, 0 removed; done. 
Jul 17 16:41:04.956226 osdx ca-certificates[256320]: Running hooks in /etc/ca-certificates/update.d... Jul 17 16:41:04.959261 osdx ca-certificates[256322]: done. Jul 17 16:41:04.976560 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Jul 17 16:41:05.112940 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. Jul 17 16:41:05.114684 osdx cfgd[1240]: [170971]Completed change to active configuration Jul 17 16:41:05.132807 osdx dnscrypt-proxy[256381]: dnscrypt-proxy 2.0.45 Jul 17 16:41:05.132873 osdx dnscrypt-proxy[256381]: Network connectivity detected Jul 17 16:41:05.133064 osdx dnscrypt-proxy[256381]: Dropping privileges Jul 17 16:41:05.135571 osdx dnscrypt-proxy[256381]: Network connectivity detected Jul 17 16:41:05.135601 osdx dnscrypt-proxy[256381]: Now listening to 127.0.0.1:53 [UDP] Jul 17 16:41:05.135605 osdx dnscrypt-proxy[256381]: Now listening to 127.0.0.1:53 [TCP] Jul 17 16:41:05.135624 osdx dnscrypt-proxy[256381]: Firefox workaround initialized Jul 17 16:41:05.135628 osdx dnscrypt-proxy[256381]: Loading the set of cloaking rules from [/tmp/tmp869ct6mk] Jul 17 16:41:05.136480 osdx dnscrypt-proxy[256381]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file Jul 17 16:41:05.143048 osdx OSDxCLI[170971]: User 'admin' committed the configuration. Jul 17 16:41:05.159979 osdx OSDxCLI[170971]: User 'admin' left the configuration menu.
Example 3
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
Jul 17 16:41:05.436101 osdx systemd-journald[93647]: Runtime Journal (/run/log/journal/7135572a45764d02b8df631348eed5fb) is 2.0M, max 15.3M, 13.3M free. Jul 17 16:41:05.436791 osdx systemd-journald[93647]: Received client request to rotate journal, rotating. Jul 17 16:41:05.436830 osdx systemd-journald[93647]: Vacuuming done, freed 0B of archived journals from /run/log/journal/7135572a45764d02b8df631348eed5fb. Jul 17 16:41:05.446706 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'system journal clear'. Jul 17 16:41:05.691252 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu. Jul 17 16:41:05.745143 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'delete'. Jul 17 16:41:05.859846 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. Jul 17 16:41:05.921572 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'. Jul 17 16:41:06.021749 osdx dnscrypt-proxy[256381]: Stopped. Jul 17 16:41:06.021762 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy... Jul 17 16:41:06.023098 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully. Jul 17 16:41:06.023209 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy. Jul 17 16:41:06.089827 osdx ca-certificates[256479]: Clearing symlinks in /etc/ssl/certs... Jul 17 16:41:06.386329 osdx ca-certificates[257049]: done. Jul 17 16:41:06.389507 osdx ca-certificates[257057]: Updating certificates in /etc/ssl/certs... Jul 17 16:41:06.877350 osdx ca-certificates[257909]: 140 added, 0 removed; done. Jul 17 16:41:06.880401 osdx ca-certificates[257915]: Running hooks in /etc/ca-certificates/update.d... Jul 17 16:41:06.883473 osdx ca-certificates[257917]: done. 
Jul 17 16:41:06.913302 osdx cfgd[1240]: [170971]Completed change to active configuration Jul 17 16:41:06.915657 osdx OSDxCLI[170971]: User 'admin' committed the configuration. Jul 17 16:41:06.932252 osdx OSDxCLI[170971]: User 'admin' left the configuration menu. Jul 17 16:41:08.182917 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu. Jul 17 16:41:08.279316 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. Jul 17 16:41:08.333929 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Jul 17 16:41:08.439659 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Jul 17 16:41:08.497555 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. Jul 17 16:41:08.595211 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'. Jul 17 16:41:08.646780 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. Jul 17 16:41:08.740677 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'. Jul 17 16:41:08.792644 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Jul 17 16:41:08.907695 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Jul 17 16:41:08.962842 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Jul 17 16:41:09.072513 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'. 
Jul 17 16:41:09.168250 osdx ca-certificates[257973]: Updating certificates in /etc/ssl/certs... Jul 17 16:41:09.737921 osdx ca-certificates[258978]: 1 added, 0 removed; done. Jul 17 16:41:09.740690 osdx ca-certificates[258984]: Running hooks in /etc/ca-certificates/update.d... Jul 17 16:41:09.743759 osdx ca-certificates[258986]: done. Jul 17 16:41:09.760548 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Jul 17 16:41:09.913053 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. Jul 17 16:41:09.914667 osdx cfgd[1240]: [170971]Completed change to active configuration Jul 17 16:41:09.933309 osdx dnscrypt-proxy[259045]: dnscrypt-proxy 2.0.45 Jul 17 16:41:09.933390 osdx dnscrypt-proxy[259045]: Network connectivity detected Jul 17 16:41:09.933636 osdx dnscrypt-proxy[259045]: Dropping privileges Jul 17 16:41:09.936069 osdx dnscrypt-proxy[259045]: Network connectivity detected Jul 17 16:41:09.936108 osdx dnscrypt-proxy[259045]: Now listening to 127.0.0.1:53 [UDP] Jul 17 16:41:09.936113 osdx dnscrypt-proxy[259045]: Now listening to 127.0.0.1:53 [TCP] Jul 17 16:41:09.936143 osdx dnscrypt-proxy[259045]: Firefox workaround initialized Jul 17 16:41:09.936148 osdx dnscrypt-proxy[259045]: Loading the set of cloaking rules from [/tmp/tmp2fjmdwro] Jul 17 16:41:09.937207 osdx dnscrypt-proxy[259045]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file Jul 17 16:41:09.945913 osdx OSDxCLI[170971]: User 'admin' committed the configuration. Jul 17 16:41:09.962188 osdx OSDxCLI[170971]: User 'admin' left the configuration menu. 
Jul 17 16:41:10.086450 osdx dnscrypt-proxy[259045]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392 Jul 17 16:41:10.086471 osdx dnscrypt-proxy[259045]: [RD] OK (DoH) - rtt: 120ms Jul 17 16:41:10.086483 osdx dnscrypt-proxy[259045]: Server with the lowest initial latency: RD (rtt: 120ms) Jul 17 16:41:10.086490 osdx dnscrypt-proxy[259045]: dnscrypt-proxy is ready - live servers: 1
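An added example, not part of the original test suite: a Python check that goes beyond the token match used in the steps above by translating the decimal "Cipher suite:" value that dnscrypt-proxy logs into its IANA name and comparing it with the configured "cipher N algorithm" list. It flags the Example 3 output above, where a session with suite 52392 is logged after the handshake failure although only RC4 and 3DES were configured. The function names and verdict strings are assumptions of this example; the configuration and journal lines are excerpted from this page.

```python
import re

# IANA TLS cipher-suite code points for the suites that appear on this page.
# dnscrypt-proxy logs the negotiated suite as a decimal number.
IANA_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",        # 49199
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",        # 49200
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",  # 52392
}

CFG_RE = re.compile(r"set service dns proxy cipher (\d+) algorithm ([A-Z0-9_]+)")
NEG_RE = re.compile(
    r"dnscrypt-proxy\[(?P<pid>\d+)\]: \[(?P<server>[^\]]+)\] "
    r"TLS version: (?P<ver>[0-9a-f]+) - Protocol: (?P<proto>\S+) - "
    r"Cipher suite: (?P<suite>\d+)"
)
FAIL_RE = re.compile(r"dnscrypt-proxy\[(?P<pid>\d+)\]: TLS handshake failure")


def suite_name(code):
    """Map a numeric code point to its IANA name; unknown values stay visible."""
    return IANA_SUITES.get(code, "UNKNOWN_0x%04X" % code)


def configured_suites(config_text):
    """Return the configured algorithms ordered by their 'cipher N' index."""
    entries = {int(idx): name for idx, name in CFG_RE.findall(config_text)}
    return [entries[idx] for idx in sorted(entries)]


def audit(config_text, journal_text):
    """Compare what was negotiated in the journal with what was configured.

    finditer() is used instead of line splitting so the check also works when
    journal entries are run together on one line, as in the dumps above.
    """
    allowed = configured_suites(config_text)
    failed_pids = {m.group("pid") for m in FAIL_RE.finditer(journal_text)}
    sessions = [(m.group("pid"), suite_name(int(m.group("suite"))))
                for m in NEG_RE.finditer(journal_text)]
    negotiated = [name for _, name in sessions]
    out_of_policy = [name for name in negotiated if name not in allowed]
    if out_of_policy:
        verdict = "out-of-policy"      # a suite outside the configured list was used
    elif negotiated:
        verdict = "ok"                 # every session used a configured suite
    elif failed_pids:
        verdict = "refused"            # handshake failed and nothing was negotiated
    else:
        verdict = "no-handshake-seen"
    return {
        "configured": allowed,
        "negotiated": negotiated,
        "out_of_policy": out_of_policy,
        "handshake_failure": bool(failed_pids),
        # True when the same process logged a failure and then a session.
        "session_after_failure": any(pid in failed_pids for pid, _ in sessions),
        "verdict": verdict,
    }


# Inputs excerpted from this page (configuration lines and journal entries).
CFG_RC4_ONLY = "set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA"
CFG_INVALID_PAIR = (
    "set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA\n"
    "set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA\n"
)
CFG_FALLBACK = (
    "set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA\n"
    "set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n"
)
FAIL_MSG = ("TLS handshake failure - Try changing or deleting the "
            "tls_cipher_suite value in the configuration file")
LOG_REFUSED = "Jul 17 16:41:00.387908 osdx dnscrypt-proxy[253731]: " + FAIL_MSG
LOG_INVALID_PAIR = (
    "Jul 17 16:41:09.937207 osdx dnscrypt-proxy[259045]: " + FAIL_MSG + " "
    "Jul 17 16:41:10.086450 osdx dnscrypt-proxy[259045]: [RD] TLS version: 303 "
    "- Protocol: h2 - Cipher suite: 52392"
)
LOG_FALLBACK = (
    "Jul 17 16:41:20.540511 osdx dnscrypt-proxy[261837]: [RD] TLS version: 303 "
    "- Protocol: h2 - Cipher suite: 49199"
)

if __name__ == "__main__":
    for cfg, log in ((CFG_RC4_ONLY, LOG_REFUSED),
                     (CFG_INVALID_PAIR, LOG_INVALID_PAIR),
                     (CFG_FALLBACK, LOG_FALLBACK)):
        print(audit(cfg, log))
```

A token match on the handshake-failure message alone passes for the second input; the audit reports it as out-of-policy because the negotiated suite is not in the configured list.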
Invalid Cipher With Fallback
Description
Configures an invalid cipher followed by a valid fallback cipher, then tries to communicate with the server. No refusal is expected, as long as the valid cipher proposed is the one used.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
Jul 17 16:41:17.299226 osdx systemd-journald[93647]: Runtime Journal (/run/log/journal/7135572a45764d02b8df631348eed5fb) is 2.0M, max 15.3M, 13.3M free. Jul 17 16:41:17.301505 osdx systemd-journald[93647]: Received client request to rotate journal, rotating. Jul 17 16:41:17.301572 osdx systemd-journald[93647]: Vacuuming done, freed 0B of archived journals from /run/log/journal/7135572a45764d02b8df631348eed5fb. Jul 17 16:41:17.309903 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'system journal clear'. Jul 17 16:41:17.619534 osdx osdx-coredump[260679]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... Jul 17 16:41:17.627041 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'system coredump delete all'. Jul 17 16:41:18.044377 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu. Jul 17 16:41:18.109859 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Jul 17 16:41:18.192861 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Jul 17 16:41:18.261847 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'. Jul 17 16:41:18.369522 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Jul 17 16:41:18.439625 osdx cfgd[1240]: [170971]Completed change to active configuration Jul 17 16:41:18.465644 osdx OSDxCLI[170971]: User 'admin' committed the configuration. Jul 17 16:41:18.480348 osdx OSDxCLI[170971]: User 'admin' left the configuration menu. Jul 17 16:41:18.616717 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. Jul 17 16:41:18.734841 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu. Jul 17 16:41:18.792054 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. 
Jul 17 16:41:18.891865 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Jul 17 16:41:18.949211 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Jul 17 16:41:19.043501 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. Jul 17 16:41:19.103639 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'. Jul 17 16:41:19.193992 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. Jul 17 16:41:19.248435 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'. Jul 17 16:41:19.345367 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Jul 17 16:41:19.413386 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Jul 17 16:41:19.499220 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Jul 17 16:41:19.573634 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'. Jul 17 16:41:19.689074 osdx ca-certificates[260821]: Updating certificates in /etc/ssl/certs... Jul 17 16:41:20.300404 osdx ca-certificates[261824]: 1 added, 0 removed; done. Jul 17 16:41:20.304540 osdx ca-certificates[261831]: Running hooks in /etc/ca-certificates/update.d... Jul 17 16:41:20.307691 osdx ca-certificates[261833]: done. Jul 17 16:41:20.370043 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. 
Jul 17 16:41:20.371835 osdx cfgd[1240]: [170971]Completed change to active configuration Jul 17 16:41:20.374609 osdx OSDxCLI[170971]: User 'admin' committed the configuration. Jul 17 16:41:20.392972 osdx OSDxCLI[170971]: User 'admin' left the configuration menu. Jul 17 16:41:20.395649 osdx dnscrypt-proxy[261837]: dnscrypt-proxy 2.0.45 Jul 17 16:41:20.395922 osdx dnscrypt-proxy[261837]: Network connectivity detected Jul 17 16:41:20.396168 osdx dnscrypt-proxy[261837]: Dropping privileges Jul 17 16:41:20.398358 osdx dnscrypt-proxy[261837]: Network connectivity detected Jul 17 16:41:20.398552 osdx dnscrypt-proxy[261837]: Now listening to 127.0.0.1:53 [UDP] Jul 17 16:41:20.398598 osdx dnscrypt-proxy[261837]: Now listening to 127.0.0.1:53 [TCP] Jul 17 16:41:20.398655 osdx dnscrypt-proxy[261837]: Firefox workaround initialized Jul 17 16:41:20.398689 osdx dnscrypt-proxy[261837]: Loading the set of cloaking rules from [/tmp/tmpfxy3fwyh] Jul 17 16:41:20.540511 osdx dnscrypt-proxy[261837]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199 Jul 17 16:41:20.540526 osdx dnscrypt-proxy[261837]: [RD] OK (DoH) - rtt: 117ms Jul 17 16:41:20.540534 osdx dnscrypt-proxy[261837]: Server with the lowest initial latency: RD (rtt: 117ms) Jul 17 16:41:20.540539 osdx dnscrypt-proxy[261837]: dnscrypt-proxy is ready - live servers: 1 Jul 17 16:41:25.538292 osdx OSDxCLI[170971]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'. Jul 17 16:41:25.720197 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 2
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
Output:
Jul 17 16:41:25.929947 osdx systemd-journald[93647]: Runtime Journal (/run/log/journal/7135572a45764d02b8df631348eed5fb) is 2.0M, max 15.3M, 13.3M free.
Jul 17 16:41:25.933597 osdx systemd-journald[93647]: Received client request to rotate journal, rotating.
Jul 17 16:41:25.933664 osdx systemd-journald[93647]: Vacuuming done, freed 0B of archived journals from /run/log/journal/7135572a45764d02b8df631348eed5fb.
Jul 17 16:41:25.941173 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'system journal clear'.
Jul 17 16:41:26.198367 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu.
Jul 17 16:41:26.252624 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'delete'.
Jul 17 16:41:26.393269 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jul 17 16:41:26.456294 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:41:26.554576 osdx dnscrypt-proxy[261837]: Stopped.
Jul 17 16:41:26.554635 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Jul 17 16:41:26.555639 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Jul 17 16:41:26.555736 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 17 16:41:26.621732 osdx ca-certificates[261926]: Clearing symlinks in /etc/ssl/certs...
Jul 17 16:41:26.912314 osdx ca-certificates[262495]: done.
Jul 17 16:41:26.915845 osdx ca-certificates[262504]: Updating certificates in /etc/ssl/certs...
Jul 17 16:41:27.368093 osdx ca-certificates[263355]: 140 added, 0 removed; done.
Jul 17 16:41:27.372244 osdx ca-certificates[263362]: Running hooks in /etc/ca-certificates/update.d...
Jul 17 16:41:27.375492 osdx ca-certificates[263364]: done.
Jul 17 16:41:27.404625 osdx cfgd[1240]: [170971]Completed change to active configuration
Jul 17 16:41:27.407249 osdx OSDxCLI[170971]: User 'admin' committed the configuration.
Jul 17 16:41:27.431709 osdx OSDxCLI[170971]: User 'admin' left the configuration menu.
Jul 17 16:41:28.579737 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu.
Jul 17 16:41:28.635814 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 17 16:41:28.729336 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jul 17 16:41:28.789087 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jul 17 16:41:28.889294 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jul 17 16:41:29.016589 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'.
Jul 17 16:41:29.068959 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Jul 17 16:41:29.164767 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Jul 17 16:41:29.219526 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jul 17 16:41:29.328264 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 17 16:41:29.380663 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 17 16:41:29.492369 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:41:29.581194 osdx ca-certificates[263418]: Updating certificates in /etc/ssl/certs...
Jul 17 16:41:30.116317 osdx ca-certificates[264423]: 1 added, 0 removed; done.
Jul 17 16:41:30.119433 osdx ca-certificates[264429]: Running hooks in /etc/ca-certificates/update.d...
Jul 17 16:41:30.122431 osdx ca-certificates[264431]: done.
Jul 17 16:41:30.141530 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 17 16:41:30.289877 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 17 16:41:30.291243 osdx cfgd[1240]: [170971]Completed change to active configuration
Jul 17 16:41:30.315930 osdx dnscrypt-proxy[264490]: dnscrypt-proxy 2.0.45
Jul 17 16:41:30.316004 osdx dnscrypt-proxy[264490]: Network connectivity detected
Jul 17 16:41:30.316225 osdx dnscrypt-proxy[264490]: Dropping privileges
Jul 17 16:41:30.318531 osdx dnscrypt-proxy[264490]: Network connectivity detected
Jul 17 16:41:30.318562 osdx dnscrypt-proxy[264490]: Now listening to 127.0.0.1:53 [UDP]
Jul 17 16:41:30.318567 osdx dnscrypt-proxy[264490]: Now listening to 127.0.0.1:53 [TCP]
Jul 17 16:41:30.318591 osdx dnscrypt-proxy[264490]: Firefox workaround initialized
Jul 17 16:41:30.318595 osdx dnscrypt-proxy[264490]: Loading the set of cloaking rules from [/tmp/tmp_gul16me]
Jul 17 16:41:30.318685 osdx OSDxCLI[170971]: User 'admin' committed the configuration.
Jul 17 16:41:30.348131 osdx OSDxCLI[170971]: User 'admin' left the configuration menu.
Jul 17 16:41:30.471081 osdx dnscrypt-proxy[264490]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Jul 17 16:41:30.471094 osdx dnscrypt-proxy[264490]: [RD] OK (DoH) - rtt: 122ms
Jul 17 16:41:30.471104 osdx dnscrypt-proxy[264490]: Server with the lowest initial latency: RD (rtt: 122ms)
Jul 17 16:41:30.471110 osdx dnscrypt-proxy[264490]: dnscrypt-proxy is ready - live servers: 1
Jul 17 16:41:30.501103 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 3
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Output:
Jul 17 16:41:30.712006 osdx systemd-journald[93647]: Runtime Journal (/run/log/journal/7135572a45764d02b8df631348eed5fb) is 2.0M, max 15.3M, 13.3M free.
Jul 17 16:41:30.713492 osdx systemd-journald[93647]: Received client request to rotate journal, rotating.
Jul 17 16:41:30.713555 osdx systemd-journald[93647]: Vacuuming done, freed 0B of archived journals from /run/log/journal/7135572a45764d02b8df631348eed5fb.
Jul 17 16:41:30.724483 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'system journal clear'.
Jul 17 16:41:31.001939 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu.
Jul 17 16:41:31.060538 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'delete'.
Jul 17 16:41:31.170233 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jul 17 16:41:31.233412 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:41:31.325049 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Jul 17 16:41:31.325107 osdx dnscrypt-proxy[264490]: Stopped.
Jul 17 16:41:31.326036 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Jul 17 16:41:31.326167 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 17 16:41:31.396337 osdx ca-certificates[264591]: Clearing symlinks in /etc/ssl/certs...
Jul 17 16:41:31.671865 osdx ca-certificates[265160]: done.
Jul 17 16:41:31.676322 osdx ca-certificates[265169]: Updating certificates in /etc/ssl/certs...
Jul 17 16:41:32.121006 osdx ca-certificates[266021]: 140 added, 0 removed; done.
Jul 17 16:41:32.123732 osdx ca-certificates[266027]: Running hooks in /etc/ca-certificates/update.d...
Jul 17 16:41:32.126958 osdx ca-certificates[266029]: done.
Jul 17 16:41:32.161046 osdx cfgd[1240]: [170971]Completed change to active configuration
Jul 17 16:41:32.164083 osdx OSDxCLI[170971]: User 'admin' committed the configuration.
Jul 17 16:41:32.179800 osdx OSDxCLI[170971]: User 'admin' left the configuration menu.
Jul 17 16:41:33.424699 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu.
Jul 17 16:41:33.481597 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 17 16:41:33.579650 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jul 17 16:41:33.643960 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jul 17 16:41:33.738488 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jul 17 16:41:33.824852 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'.
Jul 17 16:41:33.873841 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Jul 17 16:41:33.965130 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Jul 17 16:41:34.014379 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jul 17 16:41:34.120236 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 17 16:41:34.173466 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 17 16:41:34.282774 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:41:34.376385 osdx ca-certificates[266084]: Updating certificates in /etc/ssl/certs...
Jul 17 16:41:34.941733 osdx ca-certificates[267088]: 1 added, 0 removed; done.
Jul 17 16:41:34.945019 osdx ca-certificates[267094]: Running hooks in /etc/ca-certificates/update.d...
Jul 17 16:41:34.949159 osdx ca-certificates[267096]: done.
Jul 17 16:41:34.965517 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 17 16:41:35.101785 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 17 16:41:35.102961 osdx cfgd[1240]: [170971]Completed change to active configuration
Jul 17 16:41:35.128437 osdx dnscrypt-proxy[267155]: dnscrypt-proxy 2.0.45
Jul 17 16:41:35.128504 osdx dnscrypt-proxy[267155]: Network connectivity detected
Jul 17 16:41:35.128704 osdx dnscrypt-proxy[267155]: Dropping privileges
Jul 17 16:41:35.131171 osdx dnscrypt-proxy[267155]: Network connectivity detected
Jul 17 16:41:35.131200 osdx dnscrypt-proxy[267155]: Now listening to 127.0.0.1:53 [UDP]
Jul 17 16:41:35.131205 osdx dnscrypt-proxy[267155]: Now listening to 127.0.0.1:53 [TCP]
Jul 17 16:41:35.131228 osdx dnscrypt-proxy[267155]: Firefox workaround initialized
Jul 17 16:41:35.131233 osdx dnscrypt-proxy[267155]: Loading the set of cloaking rules from [/tmp/tmpj2qv1b5f]
Jul 17 16:41:35.133275 osdx OSDxCLI[170971]: User 'admin' committed the configuration.
Jul 17 16:41:35.164578 osdx OSDxCLI[170971]: User 'admin' left the configuration menu.
Jul 17 16:41:35.292380 osdx dnscrypt-proxy[267155]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Jul 17 16:41:35.292394 osdx dnscrypt-proxy[267155]: [RD] OK (DoH) - rtt: 134ms
Jul 17 16:41:35.292403 osdx dnscrypt-proxy[267155]: Server with the lowest initial latency: RD (rtt: 134ms)
Jul 17 16:41:35.292409 osdx dnscrypt-proxy[267155]: dnscrypt-proxy is ready - live servers: 1
Jul 17 16:41:35.314632 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 4
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
Jul 17 16:41:35.517845 osdx systemd-journald[93647]: Runtime Journal (/run/log/journal/7135572a45764d02b8df631348eed5fb) is 2.0M, max 15.3M, 13.3M free.
Jul 17 16:41:35.521498 osdx systemd-journald[93647]: Received client request to rotate journal, rotating.
Jul 17 16:41:35.521547 osdx systemd-journald[93647]: Vacuuming done, freed 0B of archived journals from /run/log/journal/7135572a45764d02b8df631348eed5fb.
Jul 17 16:41:35.529140 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'system journal clear'.
Jul 17 16:41:35.794437 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu.
Jul 17 16:41:35.888397 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'delete'.
Jul 17 16:41:35.952944 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jul 17 16:41:36.047428 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:41:36.111756 osdx dnscrypt-proxy[267155]: Stopped.
Jul 17 16:41:36.111768 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Jul 17 16:41:36.112641 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Jul 17 16:41:36.112753 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 17 16:41:36.190177 osdx ca-certificates[267255]: Clearing symlinks in /etc/ssl/certs...
Jul 17 16:41:36.513311 osdx ca-certificates[267824]: done.
Jul 17 16:41:36.516408 osdx ca-certificates[267833]: Updating certificates in /etc/ssl/certs...
Jul 17 16:41:36.984898 osdx ca-certificates[268685]: 140 added, 0 removed; done.
Jul 17 16:41:36.987675 osdx ca-certificates[268691]: Running hooks in /etc/ca-certificates/update.d...
Jul 17 16:41:36.990749 osdx ca-certificates[268693]: done.
Jul 17 16:41:37.022002 osdx cfgd[1240]: [170971]Completed change to active configuration
Jul 17 16:41:37.024509 osdx OSDxCLI[170971]: User 'admin' committed the configuration.
Jul 17 16:41:37.039916 osdx OSDxCLI[170971]: User 'admin' left the configuration menu.
Jul 17 16:41:38.242586 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu.
Jul 17 16:41:38.296308 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 17 16:41:38.397951 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jul 17 16:41:38.461128 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jul 17 16:41:38.542620 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jul 17 16:41:38.596961 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'.
Jul 17 16:41:38.691839 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Jul 17 16:41:38.750559 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Jul 17 16:41:38.843714 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jul 17 16:41:38.905223 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 17 16:41:38.994371 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 17 16:41:39.061908 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:41:39.176740 osdx ca-certificates[268748]: Updating certificates in /etc/ssl/certs...
Jul 17 16:41:39.687854 osdx ca-certificates[269752]: 1 added, 0 removed; done.
Jul 17 16:41:39.690793 osdx ca-certificates[269758]: Running hooks in /etc/ca-certificates/update.d...
Jul 17 16:41:39.694562 osdx ca-certificates[269760]: done.
Jul 17 16:41:39.709494 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 17 16:41:39.865992 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 17 16:41:39.867772 osdx cfgd[1240]: [170971]Completed change to active configuration
Jul 17 16:41:39.887480 osdx dnscrypt-proxy[269819]: dnscrypt-proxy 2.0.45
Jul 17 16:41:39.887812 osdx dnscrypt-proxy[269819]: Network connectivity detected
Jul 17 16:41:39.888063 osdx dnscrypt-proxy[269819]: Dropping privileges
Jul 17 16:41:39.890185 osdx dnscrypt-proxy[269819]: Network connectivity detected
Jul 17 16:41:39.890215 osdx dnscrypt-proxy[269819]: Now listening to 127.0.0.1:53 [UDP]
Jul 17 16:41:39.890220 osdx dnscrypt-proxy[269819]: Now listening to 127.0.0.1:53 [TCP]
Jul 17 16:41:39.890242 osdx dnscrypt-proxy[269819]: Firefox workaround initialized
Jul 17 16:41:39.890246 osdx dnscrypt-proxy[269819]: Loading the set of cloaking rules from [/tmp/tmpe9xvfbnp]
Jul 17 16:41:39.909654 osdx OSDxCLI[170971]: User 'admin' committed the configuration.
Jul 17 16:41:39.926766 osdx OSDxCLI[170971]: User 'admin' left the configuration menu.
Jul 17 16:41:40.040234 osdx dnscrypt-proxy[269819]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Jul 17 16:41:40.040259 osdx dnscrypt-proxy[269819]: [RD] OK (DoH) - rtt: 122ms
Jul 17 16:41:40.040270 osdx dnscrypt-proxy[269819]: Server with the lowest initial latency: RD (rtt: 122ms)
Jul 17 16:41:40.040277 osdx dnscrypt-proxy[269819]: dnscrypt-proxy is ready - live servers: 1
Jul 17 16:41:40.086236 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 5
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
Output:
Jul 17 16:41:40.284468 osdx systemd-journald[93647]: Runtime Journal (/run/log/journal/7135572a45764d02b8df631348eed5fb) is 2.0M, max 15.3M, 13.3M free.
Jul 17 16:41:40.285498 osdx systemd-journald[93647]: Received client request to rotate journal, rotating.
Jul 17 16:41:40.285532 osdx systemd-journald[93647]: Vacuuming done, freed 0B of archived journals from /run/log/journal/7135572a45764d02b8df631348eed5fb.
Jul 17 16:41:40.296792 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'system journal clear'.
Jul 17 16:41:40.547526 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu.
Jul 17 16:41:40.604364 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'delete'.
Jul 17 16:41:40.709132 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jul 17 16:41:40.772678 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:41:40.870599 osdx dnscrypt-proxy[269819]: Stopped.
Jul 17 16:41:40.870654 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Jul 17 16:41:40.871802 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Jul 17 16:41:40.871940 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 17 16:41:40.939662 osdx ca-certificates[269921]: Clearing symlinks in /etc/ssl/certs...
Jul 17 16:41:41.239684 osdx ca-certificates[270491]: done.
Jul 17 16:41:41.243506 osdx ca-certificates[270500]: Updating certificates in /etc/ssl/certs...
Jul 17 16:41:41.690307 osdx ca-certificates[271350]: 140 added, 0 removed; done.
Jul 17 16:41:41.693320 osdx ca-certificates[271357]: Running hooks in /etc/ca-certificates/update.d...
Jul 17 16:41:41.696559 osdx ca-certificates[271359]: done.
Jul 17 16:41:41.725053 osdx cfgd[1240]: [170971]Completed change to active configuration
Jul 17 16:41:41.727313 osdx OSDxCLI[170971]: User 'admin' committed the configuration.
Jul 17 16:41:41.743097 osdx OSDxCLI[170971]: User 'admin' left the configuration menu.
Jul 17 16:41:42.873088 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu.
Jul 17 16:41:42.928757 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 17 16:41:43.034041 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jul 17 16:41:43.097041 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jul 17 16:41:43.183502 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jul 17 16:41:43.241146 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'.
Jul 17 16:41:43.331849 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Jul 17 16:41:43.386320 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Jul 17 16:41:43.488112 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jul 17 16:41:43.564952 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 17 16:41:43.649821 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 17 16:41:43.722773 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:41:43.840102 osdx ca-certificates[271414]: Updating certificates in /etc/ssl/certs...
Jul 17 16:41:44.376799 osdx ca-certificates[272418]: 1 added, 0 removed; done.
Jul 17 16:41:44.379707 osdx ca-certificates[272424]: Running hooks in /etc/ca-certificates/update.d...
Jul 17 16:41:44.382788 osdx ca-certificates[272426]: done.
Jul 17 16:41:44.397502 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 17 16:41:44.529958 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 17 16:41:44.531608 osdx cfgd[1240]: [170971]Completed change to active configuration
Jul 17 16:41:44.556699 osdx dnscrypt-proxy[272485]: dnscrypt-proxy 2.0.45
Jul 17 16:41:44.556777 osdx dnscrypt-proxy[272485]: Network connectivity detected
Jul 17 16:41:44.557029 osdx dnscrypt-proxy[272485]: Dropping privileges
Jul 17 16:41:44.559225 osdx dnscrypt-proxy[272485]: Network connectivity detected
Jul 17 16:41:44.559263 osdx dnscrypt-proxy[272485]: Now listening to 127.0.0.1:53 [UDP]
Jul 17 16:41:44.559267 osdx dnscrypt-proxy[272485]: Now listening to 127.0.0.1:53 [TCP]
Jul 17 16:41:44.559290 osdx dnscrypt-proxy[272485]: Firefox workaround initialized
Jul 17 16:41:44.559294 osdx dnscrypt-proxy[272485]: Loading the set of cloaking rules from [/tmp/tmpli9kq8ib]
Jul 17 16:41:44.568279 osdx OSDxCLI[170971]: User 'admin' committed the configuration.
Jul 17 16:41:44.590263 osdx OSDxCLI[170971]: User 'admin' left the configuration menu.
Jul 17 16:41:44.706548 osdx dnscrypt-proxy[272485]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Jul 17 16:41:44.706563 osdx dnscrypt-proxy[272485]: [RD] OK (DoH) - rtt: 122ms
Jul 17 16:41:44.706572 osdx dnscrypt-proxy[272485]: Server with the lowest initial latency: RD (rtt: 122ms)
Jul 17 16:41:44.706577 osdx dnscrypt-proxy[272485]: dnscrypt-proxy is ready - live servers: 1
Jul 17 16:41:44.732078 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 6
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Output:
Jul 17 16:41:44.925058 osdx systemd-journald[93647]: Runtime Journal (/run/log/journal/7135572a45764d02b8df631348eed5fb) is 2.0M, max 15.3M, 13.3M free.
Jul 17 16:41:44.925515 osdx systemd-journald[93647]: Received client request to rotate journal, rotating.
Jul 17 16:41:44.925544 osdx systemd-journald[93647]: Vacuuming done, freed 0B of archived journals from /run/log/journal/7135572a45764d02b8df631348eed5fb.
Jul 17 16:41:44.935200 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'system journal clear'.
Jul 17 16:41:45.161014 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu.
Jul 17 16:41:45.218174 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'delete'.
Jul 17 16:41:45.334767 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jul 17 16:41:45.397423 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:41:45.501525 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Jul 17 16:41:45.501548 osdx dnscrypt-proxy[272485]: Stopped.
Jul 17 16:41:45.502840 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Jul 17 16:41:45.502951 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 17 16:41:45.571972 osdx ca-certificates[272586]: Clearing symlinks in /etc/ssl/certs...
Jul 17 16:41:45.879882 osdx ca-certificates[273156]: done.
Jul 17 16:41:45.884123 osdx ca-certificates[273167]: Updating certificates in /etc/ssl/certs...
Jul 17 16:41:46.364516 osdx ca-certificates[274015]: 140 added, 0 removed; done.
Jul 17 16:41:46.368188 osdx ca-certificates[274022]: Running hooks in /etc/ca-certificates/update.d...
Jul 17 16:41:46.372652 osdx ca-certificates[274024]: done.
Jul 17 16:41:46.416166 osdx cfgd[1240]: [170971]Completed change to active configuration
Jul 17 16:41:46.418620 osdx OSDxCLI[170971]: User 'admin' committed the configuration.
Jul 17 16:41:46.438084 osdx OSDxCLI[170971]: User 'admin' left the configuration menu.
Jul 17 16:41:47.022660 osdx systemd[1]: systemd-timedated.service: Deactivated successfully.
Jul 17 16:41:47.651172 osdx OSDxCLI[170971]: User 'admin' entered the configuration menu.
Jul 17 16:41:47.715180 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 17 16:41:47.814361 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jul 17 16:41:47.882886 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jul 17 16:41:47.969134 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jul 17 16:41:48.041204 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'.
Jul 17 16:41:48.128457 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Jul 17 16:41:48.197076 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Jul 17 16:41:48.290309 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jul 17 16:41:48.367701 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 17 16:41:48.448074 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 17 16:41:48.521580 osdx OSDxCLI[170971]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:41:48.668823 osdx ca-certificates[274081]: Updating certificates in /etc/ssl/certs...
Jul 17 16:41:49.228629 osdx ca-certificates[275085]: 1 added, 0 removed; done.
Jul 17 16:41:49.231703 osdx ca-certificates[275091]: Running hooks in /etc/ca-certificates/update.d...
Jul 17 16:41:49.234603 osdx ca-certificates[275093]: done.
Jul 17 16:41:49.253540 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 17 16:41:49.385955 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 17 16:41:49.387466 osdx cfgd[1240]: [170971]Completed change to active configuration
Jul 17 16:41:49.416615 osdx dnscrypt-proxy[275152]: dnscrypt-proxy 2.0.45
Jul 17 16:41:49.416701 osdx dnscrypt-proxy[275152]: Network connectivity detected
Jul 17 16:41:49.416961 osdx dnscrypt-proxy[275152]: Dropping privileges
Jul 17 16:41:49.419452 osdx dnscrypt-proxy[275152]: Network connectivity detected
Jul 17 16:41:49.419481 osdx dnscrypt-proxy[275152]: Now listening to 127.0.0.1:53 [UDP]
Jul 17 16:41:49.419486 osdx dnscrypt-proxy[275152]: Now listening to 127.0.0.1:53 [TCP]
Jul 17 16:41:49.419506 osdx dnscrypt-proxy[275152]: Firefox workaround initialized
Jul 17 16:41:49.419510 osdx dnscrypt-proxy[275152]: Loading the set of cloaking rules from [/tmp/tmp1qm1lyn4]
Jul 17 16:41:49.423765 osdx OSDxCLI[170971]: User 'admin' committed the configuration.
Jul 17 16:41:49.469461 osdx OSDxCLI[170971]: User 'admin' left the configuration menu.
Jul 17 16:41:49.565453 osdx dnscrypt-proxy[275152]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Jul 17 16:41:49.565469 osdx dnscrypt-proxy[275152]: [RD] OK (DoH) - rtt: 121ms
Jul 17 16:41:49.565477 osdx dnscrypt-proxy[275152]: Server with the lowest initial latency: RD (rtt: 121ms)
Jul 17 16:41:49.565493 osdx dnscrypt-proxy[275152]: dnscrypt-proxy is ready - live servers: 1
Jul 17 16:41:49.613969 osdx OSDxCLI[170971]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
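The Step 3 checks in these examples match a decimal cipher-suite code in the dnscrypt-proxy journal line, while the configuration uses IANA suite names. The Python sketch below is an added example, not part of the test suite or of OSDx: it maps the codes to names, confirms the negotiated suite is one of the configured ones, and reports RC4/3DES entries. The function names, the legacy markers and the reading of the "TLS version" field as hexadecimal (303 as 0x0303, TLS 1.2) are assumptions; the config and first journal line are copied from Example 3, the second journal line is constructed.

```python
import re

# IANA code points for the five suites named on this page.
IANA_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",        # 49199
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",        # 49200
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",  # 52392
}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# Assumption for this example: RC4 and 3DES suites are reported as legacy.
LEGACY_MARKERS = ("_RC4_", "_3DES_")

CFG_RE = re.compile(r"set service dns proxy cipher (\d+) algorithm ([A-Z0-9_]+)")
LOG_RE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[([^\]]+)\] TLS version: ([0-9a-fA-F]+)"
    r" - Protocol: (\S+) - Cipher suite: (\d+)"
)


def is_legacy(name):
    return any(marker in name for marker in LEGACY_MARKERS)


def configured_suites(config_text):
    """Return the configured suite names, ordered by their cipher index."""
    entries = {int(idx): name for idx, name in CFG_RE.findall(config_text)}
    return [entries[idx] for idx in sorted(entries)]


def negotiated_suites(journal_text):
    """Extract every negotiated-session line dnscrypt-proxy wrote to the journal."""
    sessions = []
    for server, version, protocol, code in LOG_RE.findall(journal_text):
        code = int(code)
        sessions.append({
            "server": server,
            # Assumption: the version field is hexadecimal (303 -> 0x0303).
            "tls_version": TLS_VERSIONS.get(int(version, 16), "unknown"),
            "protocol": protocol,
            "code": code,
            "suite": IANA_SUITES.get(code, "unknown (0x%04X)" % code),
        })
    return sessions


def audit(config_text, journal_text):
    """Compare what was configured with what was actually negotiated."""
    configured = configured_suites(config_text)
    findings = ["legacy suite configured: " + n for n in configured if is_legacy(n)]
    sessions = negotiated_suites(journal_text)
    for s in sessions:
        if s["suite"] not in configured:
            findings.append("negotiated suite not in configured list: " + s["suite"])
        elif is_legacy(s["suite"]):
            findings.append("legacy suite negotiated with %s: %s"
                            % (s["server"], s["suite"]))
    return {"configured": configured, "sessions": sessions, "findings": findings}


# Cipher lines and journal line copied from Example 3 on this page.
EXAMPLE3_CONFIG = """\
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
"""
EXAMPLE3_JOURNAL = (
    "Jul 17 16:41:35.292380 osdx dnscrypt-proxy[267155]: "
    "[RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392\n"
)
# Constructed line (not from the page): the same session ending on suite code 5.
CONSTRUCTED_JOURNAL = (
    "Jul 17 16:41:35.292380 osdx dnscrypt-proxy[267155]: "
    "[RD] TLS version: 303 - Protocol: h2 - Cipher suite: 5\n"
)

if __name__ == "__main__":
    for label, journal in (("example 3", EXAMPLE3_JOURNAL),
                           ("constructed", CONSTRUCTED_JOURNAL)):
        report = audit(EXAMPLE3_CONFIG, journal)
        for s in report["sessions"]:
            print(label, s["server"], s["tls_version"], s["code"], s["suite"])
        for finding in report["findings"]:
            print(label, "finding:", finding)
```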