Cipher
Test suite to validate the use of one or multiple ciphers to protect a DoH connection.
Single Valid Cipher
Description
Configures a single, valid cipher and tries to communicate with the server. No refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
Jul 30 12:16:56.273347 osdx systemd-journald[60253]: Runtime Journal (/run/log/journal/22c37bf8be29452e87aca50c6265032f) is 2.0M, max 15.3M, 13.2M free.
Jul 30 12:16:56.275059 osdx systemd-journald[60253]: Received client request to rotate journal, rotating.
Jul 30 12:16:56.275106 osdx systemd-journald[60253]: Vacuuming done, freed 0B of archived journals from /run/log/journal/22c37bf8be29452e87aca50c6265032f.
Jul 30 12:16:56.282177 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'system journal clear'.
Jul 30 12:16:56.556956 osdx osdx-coredump[286637]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jul 30 12:16:56.563988 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'system coredump delete all'.
Jul 30 12:16:56.937489 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu.
Jul 30 12:16:56.998162 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 30 12:16:57.085498 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 30 12:16:57.148139 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'.
Jul 30 12:16:57.259091 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 30 12:16:57.320087 osdx cfgd[1242]: [210769]Completed change to active configuration
Jul 30 12:16:57.346795 osdx OSDxCLI[210769]: User 'admin' committed the configuration.
Jul 30 12:16:57.375477 osdx OSDxCLI[210769]: User 'admin' left the configuration menu.
Jul 30 12:16:57.506964 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jul 30 12:16:57.621363 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu.
Jul 30 12:16:57.678107 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 30 12:16:57.773019 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jul 30 12:16:57.834957 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jul 30 12:16:57.924653 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jul 30 12:16:57.979382 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'.
Jul 30 12:16:58.067614 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Jul 30 12:16:58.118075 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jul 30 12:16:58.210293 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 30 12:16:58.262628 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 30 12:16:58.372595 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'.
Jul 30 12:16:58.446630 osdx ca-certificates[286777]: Updating certificates in /etc/ssl/certs...
Jul 30 12:16:58.931123 osdx ca-certificates[287780]: 1 added, 0 removed; done.
Jul 30 12:16:58.934913 osdx ca-certificates[287787]: Running hooks in /etc/ca-certificates/update.d...
Jul 30 12:16:58.937537 osdx ca-certificates[287789]: done.
Jul 30 12:16:58.991404 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 30 12:16:58.992533 osdx cfgd[1242]: [210769]Completed change to active configuration
Jul 30 12:16:58.996675 osdx OSDxCLI[210769]: User 'admin' committed the configuration.
Jul 30 12:16:59.012153 osdx dnscrypt-proxy[287793]: dnscrypt-proxy 2.0.45
Jul 30 12:16:59.012213 osdx dnscrypt-proxy[287793]: Network connectivity detected
Jul 30 12:16:59.012396 osdx dnscrypt-proxy[287793]: Dropping privileges
Jul 30 12:16:59.012497 osdx OSDxCLI[210769]: User 'admin' left the configuration menu.
Jul 30 12:16:59.014666 osdx dnscrypt-proxy[287793]: Network connectivity detected
Jul 30 12:16:59.014701 osdx dnscrypt-proxy[287793]: Now listening to 127.0.0.1:53 [UDP]
Jul 30 12:16:59.014707 osdx dnscrypt-proxy[287793]: Now listening to 127.0.0.1:53 [TCP]
Jul 30 12:16:59.014736 osdx dnscrypt-proxy[287793]: Firefox workaround initialized
Jul 30 12:16:59.014741 osdx dnscrypt-proxy[287793]: Loading the set of cloaking rules from [/tmp/tmpl0k1l54r]
Jul 30 12:16:59.141603 osdx dnscrypt-proxy[287793]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Jul 30 12:16:59.141626 osdx dnscrypt-proxy[287793]: [RD] OK (DoH) - rtt: 106ms
Jul 30 12:16:59.141638 osdx dnscrypt-proxy[287793]: Server with the lowest initial latency: RD (rtt: 106ms)
Jul 30 12:16:59.141646 osdx dnscrypt-proxy[287793]: dnscrypt-proxy is ready - live servers: 1
Jul 30 12:16:59.156040 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Multiple Valid Cipher
Description
Configures a valid cipher each time, and tries to communicate with the server. No refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
Jul 30 12:17:05.279708 osdx systemd-journald[60253]: Runtime Journal (/run/log/journal/22c37bf8be29452e87aca50c6265032f) is 2.5M, max 15.3M, 12.7M free.
Jul 30 12:17:05.282838 osdx systemd-journald[60253]: Received client request to rotate journal, rotating.
Jul 30 12:17:05.282910 osdx systemd-journald[60253]: Vacuuming done, freed 0B of archived journals from /run/log/journal/22c37bf8be29452e87aca50c6265032f.
Jul 30 12:17:05.289629 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'system journal clear'.
Jul 30 12:17:05.581139 osdx osdx-coredump[289424]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jul 30 12:17:05.587434 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'system coredump delete all'.
Jul 30 12:17:05.983936 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu.
Jul 30 12:17:06.050691 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 30 12:17:06.135394 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 30 12:17:06.197468 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'.
Jul 30 12:17:06.306833 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 30 12:17:06.379312 osdx cfgd[1242]: [210769]Completed change to active configuration
Jul 30 12:17:06.402955 osdx OSDxCLI[210769]: User 'admin' committed the configuration.
Jul 30 12:17:06.422927 osdx OSDxCLI[210769]: User 'admin' left the configuration menu.
Jul 30 12:17:06.552512 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jul 30 12:17:06.704092 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu.
Jul 30 12:17:06.757695 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 30 12:17:06.848976 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jul 30 12:17:06.902600 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jul 30 12:17:06.979283 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jul 30 12:17:07.070354 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'.
Jul 30 12:17:07.119690 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Jul 30 12:17:07.210379 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jul 30 12:17:07.260352 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 30 12:17:07.352243 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 30 12:17:07.417103 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'.
Jul 30 12:17:07.518594 osdx ca-certificates[289564]: Updating certificates in /etc/ssl/certs...
Jul 30 12:17:07.973151 osdx ca-certificates[290569]: 1 added, 0 removed; done.
Jul 30 12:17:07.975834 osdx ca-certificates[290574]: Running hooks in /etc/ca-certificates/update.d...
Jul 30 12:17:07.978516 osdx ca-certificates[290576]: done.
Jul 30 12:17:08.035311 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 30 12:17:08.036781 osdx cfgd[1242]: [210769]Completed change to active configuration
Jul 30 12:17:08.039840 osdx OSDxCLI[210769]: User 'admin' committed the configuration.
Jul 30 12:17:08.065203 osdx dnscrypt-proxy[290580]: dnscrypt-proxy 2.0.45
Jul 30 12:17:08.065260 osdx dnscrypt-proxy[290580]: Network connectivity detected
Jul 30 12:17:08.065437 osdx dnscrypt-proxy[290580]: Dropping privileges
Jul 30 12:17:08.067787 osdx dnscrypt-proxy[290580]: Network connectivity detected
Jul 30 12:17:08.067830 osdx dnscrypt-proxy[290580]: Now listening to 127.0.0.1:53 [UDP]
Jul 30 12:17:08.067835 osdx dnscrypt-proxy[290580]: Now listening to 127.0.0.1:53 [TCP]
Jul 30 12:17:08.067861 osdx dnscrypt-proxy[290580]: Firefox workaround initialized
Jul 30 12:17:08.067866 osdx dnscrypt-proxy[290580]: Loading the set of cloaking rules from [/tmp/tmpks0l_uw5]
Jul 30 12:17:08.078130 osdx OSDxCLI[210769]: User 'admin' left the configuration menu.
Jul 30 12:17:08.210087 osdx dnscrypt-proxy[290580]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Jul 30 12:17:08.210104 osdx dnscrypt-proxy[290580]: [RD] OK (DoH) - rtt: 114ms
Jul 30 12:17:08.210112 osdx dnscrypt-proxy[290580]: Server with the lowest initial latency: RD (rtt: 114ms)
Jul 30 12:17:08.210116 osdx dnscrypt-proxy[290580]: dnscrypt-proxy is ready - live servers: 1
Jul 30 12:17:13.226127 osdx OSDxCLI[210769]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Jul 30 12:17:13.430881 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 2
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
Output:
Jul 30 12:17:13.665426 osdx systemd-journald[60253]: Runtime Journal (/run/log/journal/22c37bf8be29452e87aca50c6265032f) is 2.0M, max 15.3M, 13.3M free.
Jul 30 12:17:13.666826 osdx systemd-journald[60253]: Received client request to rotate journal, rotating.
Jul 30 12:17:13.666865 osdx systemd-journald[60253]: Vacuuming done, freed 0B of archived journals from /run/log/journal/22c37bf8be29452e87aca50c6265032f.
Jul 30 12:17:13.674480 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'system journal clear'.
Jul 30 12:17:13.888452 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu.
Jul 30 12:17:13.981785 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'delete'.
Jul 30 12:17:14.037009 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jul 30 12:17:14.128673 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'.
Jul 30 12:17:14.185061 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Jul 30 12:17:14.185197 osdx dnscrypt-proxy[290580]: Stopped.
Jul 30 12:17:14.186149 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Jul 30 12:17:14.186256 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 30 12:17:14.244861 osdx ca-certificates[290670]: Clearing symlinks in /etc/ssl/certs...
Jul 30 12:17:14.477210 osdx ca-certificates[291239]: done.
Jul 30 12:17:14.479942 osdx ca-certificates[291248]: Updating certificates in /etc/ssl/certs...
Jul 30 12:17:14.865019 osdx ca-certificates[292101]: 140 added, 0 removed; done.
Jul 30 12:17:14.867536 osdx ca-certificates[292106]: Running hooks in /etc/ca-certificates/update.d...
Jul 30 12:17:14.870415 osdx ca-certificates[292108]: done.
Jul 30 12:17:14.899833 osdx cfgd[1242]: [210769]Completed change to active configuration
Jul 30 12:17:14.902034 osdx OSDxCLI[210769]: User 'admin' committed the configuration.
Jul 30 12:17:14.922181 osdx OSDxCLI[210769]: User 'admin' left the configuration menu.
Jul 30 12:17:16.032871 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu.
Jul 30 12:17:16.125388 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 30 12:17:16.176320 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jul 30 12:17:16.276838 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jul 30 12:17:16.324841 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jul 30 12:17:16.420661 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'.
Jul 30 12:17:16.467527 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Jul 30 12:17:16.561478 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jul 30 12:17:16.621425 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 30 12:17:16.708647 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 30 12:17:16.773028 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'.
Jul 30 12:17:16.884348 osdx ca-certificates[292162]: Updating certificates in /etc/ssl/certs...
Jul 30 12:17:17.356904 osdx ca-certificates[293166]: 1 added, 0 removed; done.
Jul 30 12:17:17.359611 osdx ca-certificates[293172]: Running hooks in /etc/ca-certificates/update.d...
Jul 30 12:17:17.362248 osdx ca-certificates[293174]: done.
Jul 30 12:17:17.378843 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 30 12:17:17.499249 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 30 12:17:17.500467 osdx cfgd[1242]: [210769]Completed change to active configuration
Jul 30 12:17:17.517260 osdx dnscrypt-proxy[293233]: dnscrypt-proxy 2.0.45
Jul 30 12:17:17.517332 osdx dnscrypt-proxy[293233]: Network connectivity detected
Jul 30 12:17:17.517556 osdx dnscrypt-proxy[293233]: Dropping privileges
Jul 30 12:17:17.520056 osdx dnscrypt-proxy[293233]: Network connectivity detected
Jul 30 12:17:17.520091 osdx dnscrypt-proxy[293233]: Now listening to 127.0.0.1:53 [UDP]
Jul 30 12:17:17.520096 osdx dnscrypt-proxy[293233]: Now listening to 127.0.0.1:53 [TCP]
Jul 30 12:17:17.520120 osdx dnscrypt-proxy[293233]: Firefox workaround initialized
Jul 30 12:17:17.520125 osdx dnscrypt-proxy[293233]: Loading the set of cloaking rules from [/tmp/tmpbq333i0p]
Jul 30 12:17:17.528418 osdx OSDxCLI[210769]: User 'admin' committed the configuration.
Jul 30 12:17:17.552894 osdx OSDxCLI[210769]: User 'admin' left the configuration menu.
Jul 30 12:17:17.673912 osdx dnscrypt-proxy[293233]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Jul 30 12:17:17.673926 osdx dnscrypt-proxy[293233]: [RD] OK (DoH) - rtt: 129ms
Jul 30 12:17:17.673934 osdx dnscrypt-proxy[293233]: Server with the lowest initial latency: RD (rtt: 129ms)
Jul 30 12:17:17.673938 osdx dnscrypt-proxy[293233]: dnscrypt-proxy is ready - live servers: 1
Jul 30 12:17:22.689767 osdx OSDxCLI[210769]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Jul 30 12:17:22.865264 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 3
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Output:
Jul 30 12:17:23.076518 osdx systemd-journald[60253]: Runtime Journal (/run/log/journal/22c37bf8be29452e87aca50c6265032f) is 2.0M, max 15.3M, 13.3M free.
Jul 30 12:17:23.078840 osdx systemd-journald[60253]: Received client request to rotate journal, rotating.
Jul 30 12:17:23.078916 osdx systemd-journald[60253]: Vacuuming done, freed 0B of archived journals from /run/log/journal/22c37bf8be29452e87aca50c6265032f.
Jul 30 12:17:23.086752 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'system journal clear'.
Jul 30 12:17:23.351908 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu.
Jul 30 12:17:23.444393 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'delete'.
Jul 30 12:17:23.507594 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jul 30 12:17:23.601591 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'.
Jul 30 12:17:23.661348 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Jul 30 12:17:23.661357 osdx dnscrypt-proxy[293233]: Stopped.
Jul 30 12:17:23.662281 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Jul 30 12:17:23.662382 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 30 12:17:23.727356 osdx ca-certificates[293338]: Clearing symlinks in /etc/ssl/certs...
Jul 30 12:17:23.971954 osdx ca-certificates[293908]: done.
Jul 30 12:17:23.976682 osdx ca-certificates[293918]: Updating certificates in /etc/ssl/certs...
Jul 30 12:17:24.414700 osdx ca-certificates[294769]: 140 added, 0 removed; done.
Jul 30 12:17:24.417556 osdx ca-certificates[294774]: Running hooks in /etc/ca-certificates/update.d...
Jul 30 12:17:24.420424 osdx ca-certificates[294776]: done.
Jul 30 12:17:24.447370 osdx cfgd[1242]: [210769]Completed change to active configuration
Jul 30 12:17:24.450209 osdx OSDxCLI[210769]: User 'admin' committed the configuration.
Jul 30 12:17:24.466096 osdx OSDxCLI[210769]: User 'admin' left the configuration menu.
Jul 30 12:17:25.708726 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu.
Jul 30 12:17:25.763332 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 30 12:17:25.858526 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jul 30 12:17:25.919483 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jul 30 12:17:26.000753 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jul 30 12:17:26.056767 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'.
Jul 30 12:17:26.144826 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Jul 30 12:17:26.195111 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jul 30 12:17:26.295595 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 30 12:17:26.343156 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 30 12:17:26.453193 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'.
Jul 30 12:17:26.531305 osdx ca-certificates[294830]: Updating certificates in /etc/ssl/certs...
Jul 30 12:17:27.010160 osdx ca-certificates[295834]: 1 added, 0 removed; done.
Jul 30 12:17:27.012919 osdx ca-certificates[295840]: Running hooks in /etc/ca-certificates/update.d...
Jul 30 12:17:27.015887 osdx ca-certificates[295842]: done.
Jul 30 12:17:27.030850 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 30 12:17:27.155105 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 30 12:17:27.156461 osdx cfgd[1242]: [210769]Completed change to active configuration
Jul 30 12:17:27.175687 osdx dnscrypt-proxy[295901]: dnscrypt-proxy 2.0.45
Jul 30 12:17:27.175744 osdx dnscrypt-proxy[295901]: Network connectivity detected
Jul 30 12:17:27.175918 osdx dnscrypt-proxy[295901]: Dropping privileges
Jul 30 12:17:27.177750 osdx dnscrypt-proxy[295901]: Network connectivity detected
Jul 30 12:17:27.177775 osdx dnscrypt-proxy[295901]: Now listening to 127.0.0.1:53 [UDP]
Jul 30 12:17:27.177779 osdx dnscrypt-proxy[295901]: Now listening to 127.0.0.1:53 [TCP]
Jul 30 12:17:27.177795 osdx dnscrypt-proxy[295901]: Firefox workaround initialized
Jul 30 12:17:27.177798 osdx dnscrypt-proxy[295901]: Loading the set of cloaking rules from [/tmp/tmpcfp_8x3k]
Jul 30 12:17:27.190416 osdx OSDxCLI[210769]: User 'admin' committed the configuration.
Jul 30 12:17:27.208029 osdx OSDxCLI[210769]: User 'admin' left the configuration menu.
Jul 30 12:17:27.334942 osdx dnscrypt-proxy[295901]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Jul 30 12:17:27.334957 osdx dnscrypt-proxy[295901]: [RD] OK (DoH) - rtt: 133ms
Jul 30 12:17:27.334964 osdx dnscrypt-proxy[295901]: Server with the lowest initial latency: RD (rtt: 133ms)
Jul 30 12:17:27.334969 osdx dnscrypt-proxy[295901]: dnscrypt-proxy is ready - live servers: 1
Jul 30 12:17:27.352519 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Single Invalid Cipher
Description
Configures a single, invalid cipher and tries to communicate with the server. A refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
Jul 30 12:17:33.271884 osdx systemd-journald[60253]: Runtime Journal (/run/log/journal/22c37bf8be29452e87aca50c6265032f) is 2.0M, max 15.3M, 13.3M free.
Jul 30 12:17:33.275727 osdx systemd-journald[60253]: Received client request to rotate journal, rotating.
Jul 30 12:17:33.275778 osdx systemd-journald[60253]: Vacuuming done, freed 0B of archived journals from /run/log/journal/22c37bf8be29452e87aca50c6265032f.
Jul 30 12:17:33.281017 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'system journal clear'.
Jul 30 12:17:33.555922 osdx osdx-coredump[297539]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jul 30 12:17:33.562260 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'system coredump delete all'.
Jul 30 12:17:33.927623 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu.
Jul 30 12:17:34.032708 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 30 12:17:34.078819 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 30 12:17:34.182510 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'.
Jul 30 12:17:34.255648 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 30 12:17:34.313109 osdx cfgd[1242]: [210769]Completed change to active configuration
Jul 30 12:17:34.335654 osdx OSDxCLI[210769]: User 'admin' committed the configuration.
Jul 30 12:17:34.349872 osdx OSDxCLI[210769]: User 'admin' left the configuration menu.
Jul 30 12:17:34.486753 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jul 30 12:17:34.596770 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu.
Jul 30 12:17:34.694610 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 30 12:17:34.745703 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jul 30 12:17:34.846261 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jul 30 12:17:34.893883 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jul 30 12:17:34.990057 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'.
Jul 30 12:17:35.034761 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Jul 30 12:17:35.125862 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jul 30 12:17:35.174472 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 30 12:17:35.267785 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 30 12:17:35.331862 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'.
Jul 30 12:17:35.433097 osdx ca-certificates[297679]: Updating certificates in /etc/ssl/certs...
Jul 30 12:17:35.868223 osdx ca-certificates[298682]: 1 added, 0 removed; done.
Jul 30 12:17:35.870715 osdx ca-certificates[298689]: Running hooks in /etc/ca-certificates/update.d...
Jul 30 12:17:35.873369 osdx ca-certificates[298691]: done.
Jul 30 12:17:35.935968 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 30 12:17:35.938171 osdx cfgd[1242]: [210769]Completed change to active configuration
Jul 30 12:17:35.942776 osdx OSDxCLI[210769]: User 'admin' committed the configuration.
Jul 30 12:17:35.957969 osdx dnscrypt-proxy[298695]: dnscrypt-proxy 2.0.45
Jul 30 12:17:35.958025 osdx dnscrypt-proxy[298695]: Network connectivity detected
Jul 30 12:17:35.958035 osdx OSDxCLI[210769]: User 'admin' left the configuration menu.
Jul 30 12:17:35.958197 osdx dnscrypt-proxy[298695]: Dropping privileges
Jul 30 12:17:35.960216 osdx dnscrypt-proxy[298695]: Network connectivity detected
Jul 30 12:17:35.960245 osdx dnscrypt-proxy[298695]: Now listening to 127.0.0.1:53 [UDP]
Jul 30 12:17:35.960249 osdx dnscrypt-proxy[298695]: Now listening to 127.0.0.1:53 [TCP]
Jul 30 12:17:35.960270 osdx dnscrypt-proxy[298695]: Firefox workaround initialized
Jul 30 12:17:35.960274 osdx dnscrypt-proxy[298695]: Loading the set of cloaking rules from [/tmp/tmphcjio6wl]
Jul 30 12:17:35.960920 osdx dnscrypt-proxy[298695]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Multiple Invalid Cipher
Description
Configures either one or two invalid ciphers and tries to communicate with the server. A refusal of all proposed ciphers is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Jul 30 12:17:42.274245 osdx systemd-journald[60253]: Runtime Journal (/run/log/journal/22c37bf8be29452e87aca50c6265032f) is 2.0M, max 15.3M, 13.3M free. Jul 30 12:17:42.275573 osdx systemd-journald[60253]: Received client request to rotate journal, rotating. Jul 30 12:17:42.275611 osdx systemd-journald[60253]: Vacuuming done, freed 0B of archived journals from /run/log/journal/22c37bf8be29452e87aca50c6265032f. Jul 30 12:17:42.283074 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'system journal clear'. Jul 30 12:17:42.570035 osdx osdx-coredump[300314]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... Jul 30 12:17:42.576990 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'system coredump delete all'. Jul 30 12:17:42.951071 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu. Jul 30 12:17:43.055673 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Jul 30 12:17:43.102460 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Jul 30 12:17:43.208581 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'. Jul 30 12:17:43.283652 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Jul 30 12:17:43.342767 osdx cfgd[1242]: [210769]Completed change to active configuration Jul 30 12:17:43.366470 osdx OSDxCLI[210769]: User 'admin' committed the configuration. Jul 30 12:17:43.380465 osdx OSDxCLI[210769]: User 'admin' left the configuration menu. Jul 30 12:17:43.514537 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. Jul 30 12:17:43.627333 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu. Jul 30 12:17:43.680324 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. 
Jul 30 12:17:43.775495 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Jul 30 12:17:43.831973 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Jul 30 12:17:43.920719 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. Jul 30 12:17:43.974283 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'. Jul 30 12:17:44.064528 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. Jul 30 12:17:44.113007 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Jul 30 12:17:44.206421 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Jul 30 12:17:44.257006 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Jul 30 12:17:44.370888 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'. Jul 30 12:17:44.446762 osdx ca-certificates[300453]: Updating certificates in /etc/ssl/certs... Jul 30 12:17:44.943115 osdx ca-certificates[301457]: 1 added, 0 removed; done. Jul 30 12:17:44.945944 osdx ca-certificates[301464]: Running hooks in /etc/ca-certificates/update.d... Jul 30 12:17:44.949003 osdx ca-certificates[301466]: done. Jul 30 12:17:45.008124 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. Jul 30 12:17:45.010346 osdx cfgd[1242]: [210769]Completed change to active configuration Jul 30 12:17:45.016906 osdx OSDxCLI[210769]: User 'admin' committed the configuration. Jul 30 12:17:45.036278 osdx OSDxCLI[210769]: User 'admin' left the configuration menu. 
Jul 30 12:17:45.038001 osdx dnscrypt-proxy[301470]: dnscrypt-proxy 2.0.45 Jul 30 12:17:45.038066 osdx dnscrypt-proxy[301470]: Network connectivity detected Jul 30 12:17:45.038262 osdx dnscrypt-proxy[301470]: Dropping privileges Jul 30 12:17:45.040320 osdx dnscrypt-proxy[301470]: Network connectivity detected Jul 30 12:17:45.040348 osdx dnscrypt-proxy[301470]: Now listening to 127.0.0.1:53 [UDP] Jul 30 12:17:45.040352 osdx dnscrypt-proxy[301470]: Now listening to 127.0.0.1:53 [TCP] Jul 30 12:17:45.040372 osdx dnscrypt-proxy[301470]: Firefox workaround initialized Jul 30 12:17:45.040376 osdx dnscrypt-proxy[301470]: Loading the set of cloaking rules from [/tmp/tmpekw31z44] Jul 30 12:17:45.041035 osdx dnscrypt-proxy[301470]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Example 2
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Jul 30 12:17:45.247431 osdx systemd-journald[60253]: Runtime Journal (/run/log/journal/22c37bf8be29452e87aca50c6265032f) is 2.0M, max 15.3M, 13.3M free. Jul 30 12:17:45.247845 osdx systemd-journald[60253]: Received client request to rotate journal, rotating. Jul 30 12:17:45.247873 osdx systemd-journald[60253]: Vacuuming done, freed 0B of archived journals from /run/log/journal/22c37bf8be29452e87aca50c6265032f. Jul 30 12:17:45.256344 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'system journal clear'. Jul 30 12:17:45.483494 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu. Jul 30 12:17:45.573402 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'delete'. Jul 30 12:17:45.634040 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. Jul 30 12:17:45.729103 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'. Jul 30 12:17:45.788306 osdx dnscrypt-proxy[301470]: Stopped. Jul 30 12:17:45.788354 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy... Jul 30 12:17:45.789254 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully. Jul 30 12:17:45.789355 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy. Jul 30 12:17:45.852812 osdx ca-certificates[301551]: Clearing symlinks in /etc/ssl/certs... Jul 30 12:17:46.094641 osdx ca-certificates[302121]: done. Jul 30 12:17:46.097790 osdx ca-certificates[302129]: Updating certificates in /etc/ssl/certs... Jul 30 12:17:46.544828 osdx ca-certificates[302981]: 140 added, 0 removed; done. Jul 30 12:17:46.547469 osdx ca-certificates[302987]: Running hooks in /etc/ca-certificates/update.d... Jul 30 12:17:46.550252 osdx ca-certificates[302989]: done. 
Jul 30 12:17:46.577218 osdx cfgd[1242]: [210769]Completed change to active configuration Jul 30 12:17:46.579619 osdx OSDxCLI[210769]: User 'admin' committed the configuration. Jul 30 12:17:46.594767 osdx OSDxCLI[210769]: User 'admin' left the configuration menu. Jul 30 12:17:47.699553 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu. Jul 30 12:17:47.751178 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. Jul 30 12:17:47.844722 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Jul 30 12:17:47.900736 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Jul 30 12:17:47.989089 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. Jul 30 12:17:48.043876 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'. Jul 30 12:17:48.131271 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'. Jul 30 12:17:48.178719 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Jul 30 12:17:48.279034 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Jul 30 12:17:48.325236 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Jul 30 12:17:48.432166 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'. Jul 30 12:17:48.511328 osdx ca-certificates[303043]: Updating certificates in /etc/ssl/certs... Jul 30 12:17:48.960256 osdx ca-certificates[304047]: 1 added, 0 removed; done. 
Jul 30 12:17:48.962957 osdx ca-certificates[304053]: Running hooks in /etc/ca-certificates/update.d... Jul 30 12:17:48.965614 osdx ca-certificates[304055]: done. Jul 30 12:17:48.979617 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Jul 30 12:17:49.096190 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. Jul 30 12:17:49.097851 osdx cfgd[1242]: [210769]Completed change to active configuration Jul 30 12:17:49.124880 osdx dnscrypt-proxy[304114]: dnscrypt-proxy 2.0.45 Jul 30 12:17:49.124943 osdx dnscrypt-proxy[304114]: Network connectivity detected Jul 30 12:17:49.125134 osdx dnscrypt-proxy[304114]: Dropping privileges Jul 30 12:17:49.127157 osdx dnscrypt-proxy[304114]: Network connectivity detected Jul 30 12:17:49.127192 osdx dnscrypt-proxy[304114]: Now listening to 127.0.0.1:53 [UDP] Jul 30 12:17:49.127197 osdx dnscrypt-proxy[304114]: Now listening to 127.0.0.1:53 [TCP] Jul 30 12:17:49.127230 osdx dnscrypt-proxy[304114]: Firefox workaround initialized Jul 30 12:17:49.127235 osdx dnscrypt-proxy[304114]: Loading the set of cloaking rules from [/tmp/tmpdjkb137p] Jul 30 12:17:49.128179 osdx dnscrypt-proxy[304114]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file Jul 30 12:17:49.132607 osdx OSDxCLI[210769]: User 'admin' committed the configuration. Jul 30 12:17:49.148523 osdx OSDxCLI[210769]: User 'admin' left the configuration menu. Jul 30 12:17:49.272001 osdx dnscrypt-proxy[304114]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392 Jul 30 12:17:49.272012 osdx dnscrypt-proxy[304114]: [RD] OK (DoH) - rtt: 122ms Jul 30 12:17:49.272020 osdx dnscrypt-proxy[304114]: Server with the lowest initial latency: RD (rtt: 122ms) Jul 30 12:17:49.272025 osdx dnscrypt-proxy[304114]: dnscrypt-proxy is ready - live servers: 1
Example 3
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Jul 30 12:17:49.372161 osdx systemd-journald[60253]: Runtime Journal (/run/log/journal/22c37bf8be29452e87aca50c6265032f) is 2.0M, max 15.3M, 13.3M free. Jul 30 12:17:49.375622 osdx systemd-journald[60253]: Received client request to rotate journal, rotating. Jul 30 12:17:49.375663 osdx systemd-journald[60253]: Vacuuming done, freed 0B of archived journals from /run/log/journal/22c37bf8be29452e87aca50c6265032f. Jul 30 12:17:49.380608 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'system journal clear'. Jul 30 12:17:49.605143 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu. Jul 30 12:17:49.695153 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'delete'. Jul 30 12:17:49.757731 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. Jul 30 12:17:49.849663 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'. Jul 30 12:17:49.909407 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy... Jul 30 12:17:49.909423 osdx dnscrypt-proxy[304114]: Stopped. Jul 30 12:17:49.910651 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully. Jul 30 12:17:49.910756 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy. Jul 30 12:17:49.973528 osdx ca-certificates[304211]: Clearing symlinks in /etc/ssl/certs... Jul 30 12:17:50.216534 osdx ca-certificates[304780]: done. Jul 30 12:17:50.219961 osdx ca-certificates[304790]: Updating certificates in /etc/ssl/certs... Jul 30 12:17:50.653991 osdx ca-certificates[305640]: 140 added, 0 removed; done. Jul 30 12:17:50.656688 osdx ca-certificates[305647]: Running hooks in /etc/ca-certificates/update.d... Jul 30 12:17:50.659375 osdx ca-certificates[305649]: done. 
Jul 30 12:17:50.686154 osdx cfgd[1242]: [210769]Completed change to active configuration Jul 30 12:17:50.688466 osdx OSDxCLI[210769]: User 'admin' committed the configuration. Jul 30 12:17:50.705212 osdx OSDxCLI[210769]: User 'admin' left the configuration menu. Jul 30 12:17:51.792180 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu. Jul 30 12:17:51.844183 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. Jul 30 12:17:51.936165 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Jul 30 12:17:51.993282 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Jul 30 12:17:52.085581 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. Jul 30 12:17:52.135673 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'. Jul 30 12:17:52.228743 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. Jul 30 12:17:52.279662 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'. Jul 30 12:17:52.368613 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Jul 30 12:17:52.430440 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Jul 30 12:17:52.513218 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Jul 30 12:17:52.582627 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'. 
Jul 30 12:17:52.689672 osdx ca-certificates[305705]: Updating certificates in /etc/ssl/certs... Jul 30 12:17:53.182256 osdx ca-certificates[306708]: 1 added, 0 removed; done. Jul 30 12:17:53.186093 osdx ca-certificates[306715]: Running hooks in /etc/ca-certificates/update.d... Jul 30 12:17:53.189957 osdx ca-certificates[306717]: done. Jul 30 12:17:53.207580 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Jul 30 12:17:53.331952 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. Jul 30 12:17:53.333353 osdx cfgd[1242]: [210769]Completed change to active configuration Jul 30 12:17:53.351965 osdx dnscrypt-proxy[306776]: dnscrypt-proxy 2.0.45 Jul 30 12:17:53.352042 osdx dnscrypt-proxy[306776]: Network connectivity detected Jul 30 12:17:53.352294 osdx dnscrypt-proxy[306776]: Dropping privileges Jul 30 12:17:53.354741 osdx dnscrypt-proxy[306776]: Network connectivity detected Jul 30 12:17:53.354769 osdx dnscrypt-proxy[306776]: Now listening to 127.0.0.1:53 [UDP] Jul 30 12:17:53.354773 osdx dnscrypt-proxy[306776]: Now listening to 127.0.0.1:53 [TCP] Jul 30 12:17:53.354795 osdx dnscrypt-proxy[306776]: Firefox workaround initialized Jul 30 12:17:53.354798 osdx dnscrypt-proxy[306776]: Loading the set of cloaking rules from [/tmp/tmp3et9g2h2] Jul 30 12:17:53.355819 osdx dnscrypt-proxy[306776]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file Jul 30 12:17:53.361761 osdx OSDxCLI[210769]: User 'admin' committed the configuration. Jul 30 12:17:53.377968 osdx OSDxCLI[210769]: User 'admin' left the configuration menu.
Invalid Cipher With Fallback
Description
Configures an invalid cipher and a valid fallback cipher, then tries to communicate with the server. No refusal is expected, as long as the valid cipher proposed is the one used.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Jul 30 12:17:59.295475 osdx systemd-journald[60253]: Runtime Journal (/run/log/journal/22c37bf8be29452e87aca50c6265032f) is 2.0M, max 15.3M, 13.3M free. Jul 30 12:17:59.297416 osdx systemd-journald[60253]: Received client request to rotate journal, rotating. Jul 30 12:17:59.297465 osdx systemd-journald[60253]: Vacuuming done, freed 0B of archived journals from /run/log/journal/22c37bf8be29452e87aca50c6265032f. Jul 30 12:17:59.305408 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'system journal clear'. Jul 30 12:17:59.599698 osdx osdx-coredump[308411]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... Jul 30 12:17:59.606691 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'system coredump delete all'. Jul 30 12:18:00.009689 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu. Jul 30 12:18:00.072095 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Jul 30 12:18:00.155845 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Jul 30 12:18:00.217978 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'. Jul 30 12:18:00.321321 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Jul 30 12:18:00.385128 osdx cfgd[1242]: [210769]Completed change to active configuration Jul 30 12:18:00.409525 osdx OSDxCLI[210769]: User 'admin' committed the configuration. Jul 30 12:18:00.424273 osdx OSDxCLI[210769]: User 'admin' left the configuration menu. Jul 30 12:18:00.558396 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. Jul 30 12:18:00.674634 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu. Jul 30 12:18:00.734019 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. 
Jul 30 12:18:00.825523 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Jul 30 12:18:00.882920 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Jul 30 12:18:00.973980 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. Jul 30 12:18:01.024083 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'. Jul 30 12:18:01.114325 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. Jul 30 12:18:01.164887 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'. Jul 30 12:18:01.255675 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Jul 30 12:18:01.309100 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Jul 30 12:18:01.400596 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Jul 30 12:18:01.473650 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'. Jul 30 12:18:01.577960 osdx ca-certificates[308552]: Updating certificates in /etc/ssl/certs... Jul 30 12:18:02.058426 osdx ca-certificates[309561]: 1 added, 0 removed; done. Jul 30 12:18:02.060989 osdx ca-certificates[309567]: Running hooks in /etc/ca-certificates/update.d... Jul 30 12:18:02.063777 osdx ca-certificates[309569]: done. Jul 30 12:18:02.133697 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. 
Jul 30 12:18:02.135080 osdx cfgd[1242]: [210769]Completed change to active configuration Jul 30 12:18:02.137485 osdx OSDxCLI[210769]: User 'admin' committed the configuration. Jul 30 12:18:02.153462 osdx dnscrypt-proxy[309573]: dnscrypt-proxy 2.0.45 Jul 30 12:18:02.153528 osdx dnscrypt-proxy[309573]: Network connectivity detected Jul 30 12:18:02.153705 osdx dnscrypt-proxy[309573]: Dropping privileges Jul 30 12:18:02.155996 osdx OSDxCLI[210769]: User 'admin' left the configuration menu. Jul 30 12:18:02.156741 osdx dnscrypt-proxy[309573]: Network connectivity detected Jul 30 12:18:02.156782 osdx dnscrypt-proxy[309573]: Now listening to 127.0.0.1:53 [UDP] Jul 30 12:18:02.156788 osdx dnscrypt-proxy[309573]: Now listening to 127.0.0.1:53 [TCP] Jul 30 12:18:02.156816 osdx dnscrypt-proxy[309573]: Firefox workaround initialized Jul 30 12:18:02.156822 osdx dnscrypt-proxy[309573]: Loading the set of cloaking rules from [/tmp/tmp9h_zxsga] Jul 30 12:18:02.302124 osdx dnscrypt-proxy[309573]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199 Jul 30 12:18:02.302139 osdx dnscrypt-proxy[309573]: [RD] OK (DoH) - rtt: 122ms Jul 30 12:18:02.302147 osdx dnscrypt-proxy[309573]: Server with the lowest initial latency: RD (rtt: 122ms) Jul 30 12:18:02.302151 osdx dnscrypt-proxy[309573]: dnscrypt-proxy is ready - live servers: 1 Jul 30 12:18:07.300970 osdx OSDxCLI[210769]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'. Jul 30 12:18:07.478551 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 2
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
Jul 30 12:18:07.686103 osdx systemd-journald[60253]: Runtime Journal (/run/log/journal/22c37bf8be29452e87aca50c6265032f) is 2.0M, max 15.3M, 13.3M free.
Jul 30 12:18:07.689326 osdx systemd-journald[60253]: Received client request to rotate journal, rotating.
Jul 30 12:18:07.689394 osdx systemd-journald[60253]: Vacuuming done, freed 0B of archived journals from /run/log/journal/22c37bf8be29452e87aca50c6265032f.
Jul 30 12:18:07.697712 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'system journal clear'.
Jul 30 12:18:07.980438 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu.
Jul 30 12:18:08.036402 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'delete'.
Jul 30 12:18:08.142519 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jul 30 12:18:08.202259 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'.
Jul 30 12:18:08.299855 osdx dnscrypt-proxy[309573]: Stopped.
Jul 30 12:18:08.299894 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Jul 30 12:18:08.301101 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Jul 30 12:18:08.301207 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 30 12:18:08.370114 osdx ca-certificates[309662]: Clearing symlinks in /etc/ssl/certs...
Jul 30 12:18:08.622837 osdx ca-certificates[310232]: done.
Jul 30 12:18:08.626517 osdx ca-certificates[310241]: Updating certificates in /etc/ssl/certs...
Jul 30 12:18:09.033918 osdx ca-certificates[311092]: 140 added, 0 removed; done.
Jul 30 12:18:09.036531 osdx ca-certificates[311098]: Running hooks in /etc/ca-certificates/update.d...
Jul 30 12:18:09.039089 osdx ca-certificates[311100]: done.
Jul 30 12:18:09.068053 osdx cfgd[1242]: [210769]Completed change to active configuration
Jul 30 12:18:09.070382 osdx OSDxCLI[210769]: User 'admin' committed the configuration.
Jul 30 12:18:09.085119 osdx OSDxCLI[210769]: User 'admin' left the configuration menu.
Jul 30 12:18:10.297779 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu.
Jul 30 12:18:10.350600 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 30 12:18:10.444062 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jul 30 12:18:10.501573 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jul 30 12:18:10.585659 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jul 30 12:18:10.639085 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'.
Jul 30 12:18:10.725467 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Jul 30 12:18:10.778203 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Jul 30 12:18:10.868283 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jul 30 12:18:10.930112 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 30 12:18:11.012570 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 30 12:18:11.077594 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'.
Jul 30 12:18:11.242329 osdx ca-certificates[311155]: Updating certificates in /etc/ssl/certs...
Jul 30 12:18:11.698699 osdx ca-certificates[312159]: 1 added, 0 removed; done.
Jul 30 12:18:11.701588 osdx ca-certificates[312165]: Running hooks in /etc/ca-certificates/update.d...
Jul 30 12:18:11.704076 osdx ca-certificates[312167]: done.
Jul 30 12:18:11.717309 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 30 12:18:11.846030 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 30 12:18:11.848593 osdx cfgd[1242]: [210769]Completed change to active configuration
Jul 30 12:18:11.888758 osdx dnscrypt-proxy[312226]: dnscrypt-proxy 2.0.45
Jul 30 12:18:11.888815 osdx dnscrypt-proxy[312226]: Network connectivity detected
Jul 30 12:18:11.889002 osdx dnscrypt-proxy[312226]: Dropping privileges
Jul 30 12:18:11.891031 osdx dnscrypt-proxy[312226]: Network connectivity detected
Jul 30 12:18:11.891063 osdx dnscrypt-proxy[312226]: Now listening to 127.0.0.1:53 [UDP]
Jul 30 12:18:11.891066 osdx dnscrypt-proxy[312226]: Now listening to 127.0.0.1:53 [TCP]
Jul 30 12:18:11.891089 osdx dnscrypt-proxy[312226]: Firefox workaround initialized
Jul 30 12:18:11.891092 osdx dnscrypt-proxy[312226]: Loading the set of cloaking rules from [/tmp/tmpgaouplhn]
Jul 30 12:18:11.897833 osdx OSDxCLI[210769]: User 'admin' committed the configuration.
Jul 30 12:18:11.915980 osdx OSDxCLI[210769]: User 'admin' left the configuration menu.
Jul 30 12:18:12.054590 osdx dnscrypt-proxy[312226]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Jul 30 12:18:12.054612 osdx dnscrypt-proxy[312226]: [RD] OK (DoH) - rtt: 140ms
Jul 30 12:18:12.054622 osdx dnscrypt-proxy[312226]: Server with the lowest initial latency: RD (rtt: 140ms)
Jul 30 12:18:12.054627 osdx dnscrypt-proxy[312226]: dnscrypt-proxy is ready - live servers: 1
Jul 30 12:18:17.058509 osdx OSDxCLI[210769]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Jul 30 12:18:17.238788 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 3
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Output:
Jul 30 12:18:17.449040 osdx systemd-journald[60253]: Runtime Journal (/run/log/journal/22c37bf8be29452e87aca50c6265032f) is 2.0M, max 15.3M, 13.3M free.
Jul 30 12:18:17.449524 osdx systemd-journald[60253]: Received client request to rotate journal, rotating.
Jul 30 12:18:17.449554 osdx systemd-journald[60253]: Vacuuming done, freed 0B of archived journals from /run/log/journal/22c37bf8be29452e87aca50c6265032f.
Jul 30 12:18:17.458299 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'system journal clear'.
Jul 30 12:18:17.682976 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu.
Jul 30 12:18:17.777127 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'delete'.
Jul 30 12:18:17.842414 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jul 30 12:18:17.943181 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'.
Jul 30 12:18:18.003135 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Jul 30 12:18:18.003198 osdx dnscrypt-proxy[312226]: Stopped.
Jul 30 12:18:18.004262 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Jul 30 12:18:18.004387 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 30 12:18:18.063608 osdx ca-certificates[312332]: Clearing symlinks in /etc/ssl/certs...
Jul 30 12:18:18.318572 osdx ca-certificates[312902]: done.
Jul 30 12:18:18.322443 osdx ca-certificates[312914]: Updating certificates in /etc/ssl/certs...
Jul 30 12:18:18.728561 osdx ca-certificates[313762]: 140 added, 0 removed; done.
Jul 30 12:18:18.731083 osdx ca-certificates[313768]: Running hooks in /etc/ca-certificates/update.d...
Jul 30 12:18:18.733958 osdx ca-certificates[313770]: done.
Jul 30 12:18:18.762932 osdx cfgd[1242]: [210769]Completed change to active configuration
Jul 30 12:18:18.765219 osdx OSDxCLI[210769]: User 'admin' committed the configuration.
Jul 30 12:18:18.780423 osdx OSDxCLI[210769]: User 'admin' left the configuration menu.
Jul 30 12:18:19.893167 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu.
Jul 30 12:18:19.988148 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 30 12:18:20.038685 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jul 30 12:18:20.133680 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jul 30 12:18:20.182810 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jul 30 12:18:20.283711 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'.
Jul 30 12:18:20.336946 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Jul 30 12:18:20.429816 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Jul 30 12:18:20.482253 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jul 30 12:18:20.593865 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 30 12:18:20.650245 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 30 12:18:20.768314 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'.
Jul 30 12:18:20.854855 osdx ca-certificates[313825]: Updating certificates in /etc/ssl/certs...
Jul 30 12:18:21.396679 osdx ca-certificates[314829]: 1 added, 0 removed; done.
Jul 30 12:18:21.399955 osdx ca-certificates[314835]: Running hooks in /etc/ca-certificates/update.d...
Jul 30 12:18:21.403138 osdx ca-certificates[314837]: done.
Jul 30 12:18:21.421322 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 30 12:18:21.569682 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 30 12:18:21.571280 osdx cfgd[1242]: [210769]Completed change to active configuration
Jul 30 12:18:21.590983 osdx dnscrypt-proxy[314896]: dnscrypt-proxy 2.0.45
Jul 30 12:18:21.591059 osdx dnscrypt-proxy[314896]: Network connectivity detected
Jul 30 12:18:21.591272 osdx dnscrypt-proxy[314896]: Dropping privileges
Jul 30 12:18:21.593628 osdx dnscrypt-proxy[314896]: Network connectivity detected
Jul 30 12:18:21.593657 osdx dnscrypt-proxy[314896]: Now listening to 127.0.0.1:53 [UDP]
Jul 30 12:18:21.593661 osdx dnscrypt-proxy[314896]: Now listening to 127.0.0.1:53 [TCP]
Jul 30 12:18:21.593685 osdx dnscrypt-proxy[314896]: Firefox workaround initialized
Jul 30 12:18:21.593689 osdx dnscrypt-proxy[314896]: Loading the set of cloaking rules from [/tmp/tmpftz2brfs]
Jul 30 12:18:21.602594 osdx OSDxCLI[210769]: User 'admin' committed the configuration.
Jul 30 12:18:21.624334 osdx OSDxCLI[210769]: User 'admin' left the configuration menu.
Jul 30 12:18:21.810815 osdx dnscrypt-proxy[314896]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Jul 30 12:18:21.810837 osdx dnscrypt-proxy[314896]: [RD] OK (DoH) - rtt: 190ms
Jul 30 12:18:21.810848 osdx dnscrypt-proxy[314896]: Server with the lowest initial latency: RD (rtt: 190ms)
Jul 30 12:18:21.810854 osdx dnscrypt-proxy[314896]: dnscrypt-proxy is ready - live servers: 1
Jul 30 12:18:26.805121 osdx OSDxCLI[210769]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Jul 30 12:18:26.992497 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 4
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
Jul 30 12:18:27.213844 osdx systemd-journald[60253]: Runtime Journal (/run/log/journal/22c37bf8be29452e87aca50c6265032f) is 2.6M, max 15.3M, 12.7M free.
Jul 30 12:18:27.217312 osdx systemd-journald[60253]: Received client request to rotate journal, rotating.
Jul 30 12:18:27.217370 osdx systemd-journald[60253]: Vacuuming done, freed 0B of archived journals from /run/log/journal/22c37bf8be29452e87aca50c6265032f.
Jul 30 12:18:27.225311 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'system journal clear'.
Jul 30 12:18:27.486253 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu.
Jul 30 12:18:27.547824 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'delete'.
Jul 30 12:18:27.653597 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jul 30 12:18:27.719788 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'.
Jul 30 12:18:27.824740 osdx dnscrypt-proxy[314896]: Stopped.
Jul 30 12:18:27.824742 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Jul 30 12:18:27.825949 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Jul 30 12:18:27.826058 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 30 12:18:27.893047 osdx ca-certificates[315001]: Clearing symlinks in /etc/ssl/certs...
Jul 30 12:18:28.162874 osdx ca-certificates[315570]: done.
Jul 30 12:18:28.166902 osdx ca-certificates[315579]: Updating certificates in /etc/ssl/certs...
Jul 30 12:18:28.608057 osdx ca-certificates[316430]: 140 added, 0 removed; done.
Jul 30 12:18:28.612125 osdx ca-certificates[316437]: Running hooks in /etc/ca-certificates/update.d...
Jul 30 12:18:28.615418 osdx ca-certificates[316439]: done.
Jul 30 12:18:28.647382 osdx cfgd[1242]: [210769]Completed change to active configuration
Jul 30 12:18:28.650075 osdx OSDxCLI[210769]: User 'admin' committed the configuration.
Jul 30 12:18:28.684387 osdx OSDxCLI[210769]: User 'admin' left the configuration menu.
Jul 30 12:18:29.031750 osdx systemd[1]: systemd-timedated.service: Deactivated successfully.
Jul 30 12:18:29.919669 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu.
Jul 30 12:18:29.996357 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 30 12:18:30.105137 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jul 30 12:18:30.192434 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jul 30 12:18:30.309708 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jul 30 12:18:30.406587 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'.
Jul 30 12:18:30.464485 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Jul 30 12:18:30.573163 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Jul 30 12:18:30.631490 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jul 30 12:18:30.733779 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 30 12:18:30.783379 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 30 12:18:30.890738 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'.
Jul 30 12:18:30.979489 osdx ca-certificates[316496]: Updating certificates in /etc/ssl/certs...
Jul 30 12:18:31.473021 osdx ca-certificates[317500]: 1 added, 0 removed; done.
Jul 30 12:18:31.475979 osdx ca-certificates[317506]: Running hooks in /etc/ca-certificates/update.d...
Jul 30 12:18:31.478527 osdx ca-certificates[317508]: done.
Jul 30 12:18:31.493397 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 30 12:18:31.617886 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 30 12:18:31.619908 osdx cfgd[1242]: [210769]Completed change to active configuration
Jul 30 12:18:31.649584 osdx dnscrypt-proxy[317567]: dnscrypt-proxy 2.0.45
Jul 30 12:18:31.649661 osdx dnscrypt-proxy[317567]: Network connectivity detected
Jul 30 12:18:31.649895 osdx dnscrypt-proxy[317567]: Dropping privileges
Jul 30 12:18:31.652866 osdx dnscrypt-proxy[317567]: Network connectivity detected
Jul 30 12:18:31.652893 osdx dnscrypt-proxy[317567]: Now listening to 127.0.0.1:53 [UDP]
Jul 30 12:18:31.652897 osdx dnscrypt-proxy[317567]: Now listening to 127.0.0.1:53 [TCP]
Jul 30 12:18:31.652916 osdx dnscrypt-proxy[317567]: Firefox workaround initialized
Jul 30 12:18:31.652919 osdx dnscrypt-proxy[317567]: Loading the set of cloaking rules from [/tmp/tmpixo1_h9x]
Jul 30 12:18:31.654643 osdx OSDxCLI[210769]: User 'admin' committed the configuration.
Jul 30 12:18:31.669906 osdx OSDxCLI[210769]: User 'admin' left the configuration menu.
Jul 30 12:18:31.807181 osdx dnscrypt-proxy[317567]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Jul 30 12:18:31.807206 osdx dnscrypt-proxy[317567]: [RD] OK (DoH) - rtt: 132ms
Jul 30 12:18:31.807218 osdx dnscrypt-proxy[317567]: Server with the lowest initial latency: RD (rtt: 132ms)
Jul 30 12:18:31.807224 osdx dnscrypt-proxy[317567]: dnscrypt-proxy is ready - live servers: 1
Jul 30 12:18:31.859884 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 5
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
Output:
Jul 30 12:18:32.044535 osdx systemd-journald[60253]: Runtime Journal (/run/log/journal/22c37bf8be29452e87aca50c6265032f) is 2.0M, max 15.3M, 13.3M free.
Jul 30 12:18:32.045314 osdx systemd-journald[60253]: Received client request to rotate journal, rotating.
Jul 30 12:18:32.045347 osdx systemd-journald[60253]: Vacuuming done, freed 0B of archived journals from /run/log/journal/22c37bf8be29452e87aca50c6265032f.
Jul 30 12:18:32.054216 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'system journal clear'.
Jul 30 12:18:32.323411 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu.
Jul 30 12:18:32.417627 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'delete'.
Jul 30 12:18:32.481378 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jul 30 12:18:32.571377 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'.
Jul 30 12:18:32.631292 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Jul 30 12:18:32.631329 osdx dnscrypt-proxy[317567]: Stopped.
Jul 30 12:18:32.632468 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Jul 30 12:18:32.632566 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 30 12:18:32.695405 osdx ca-certificates[317669]: Clearing symlinks in /etc/ssl/certs...
Jul 30 12:18:32.948908 osdx ca-certificates[318239]: done.
Jul 30 12:18:32.953086 osdx ca-certificates[318251]: Updating certificates in /etc/ssl/certs...
Jul 30 12:18:33.399965 osdx ca-certificates[319099]: 140 added, 0 removed; done.
Jul 30 12:18:33.403019 osdx ca-certificates[319105]: Running hooks in /etc/ca-certificates/update.d...
Jul 30 12:18:33.406730 osdx ca-certificates[319107]: done.
Jul 30 12:18:33.436608 osdx cfgd[1242]: [210769]Completed change to active configuration
Jul 30 12:18:33.438932 osdx OSDxCLI[210769]: User 'admin' committed the configuration.
Jul 30 12:18:33.454782 osdx OSDxCLI[210769]: User 'admin' left the configuration menu.
Jul 30 12:18:34.601516 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu.
Jul 30 12:18:34.699538 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 30 12:18:34.752135 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jul 30 12:18:34.853030 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jul 30 12:18:34.903546 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jul 30 12:18:35.002540 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'.
Jul 30 12:18:35.050677 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Jul 30 12:18:35.145678 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Jul 30 12:18:35.194895 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jul 30 12:18:35.298997 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 30 12:18:35.347854 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 30 12:18:35.463706 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'.
Jul 30 12:18:35.550886 osdx ca-certificates[319162]: Updating certificates in /etc/ssl/certs...
Jul 30 12:18:36.047468 osdx ca-certificates[320166]: 1 added, 0 removed; done.
Jul 30 12:18:36.050199 osdx ca-certificates[320172]: Running hooks in /etc/ca-certificates/update.d...
Jul 30 12:18:36.052928 osdx ca-certificates[320174]: done.
Jul 30 12:18:36.069326 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 30 12:18:36.189579 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 30 12:18:36.190575 osdx cfgd[1242]: [210769]Completed change to active configuration
Jul 30 12:18:36.209589 osdx dnscrypt-proxy[320233]: dnscrypt-proxy 2.0.45
Jul 30 12:18:36.209663 osdx dnscrypt-proxy[320233]: Network connectivity detected
Jul 30 12:18:36.209897 osdx dnscrypt-proxy[320233]: Dropping privileges
Jul 30 12:18:36.212349 osdx dnscrypt-proxy[320233]: Network connectivity detected
Jul 30 12:18:36.212516 osdx dnscrypt-proxy[320233]: Now listening to 127.0.0.1:53 [UDP]
Jul 30 12:18:36.212548 osdx dnscrypt-proxy[320233]: Now listening to 127.0.0.1:53 [TCP]
Jul 30 12:18:36.212590 osdx dnscrypt-proxy[320233]: Firefox workaround initialized
Jul 30 12:18:36.212617 osdx dnscrypt-proxy[320233]: Loading the set of cloaking rules from [/tmp/tmpnjoj_maq]
Jul 30 12:18:36.216681 osdx OSDxCLI[210769]: User 'admin' committed the configuration.
Jul 30 12:18:36.232231 osdx OSDxCLI[210769]: User 'admin' left the configuration menu.
Jul 30 12:18:36.379749 osdx dnscrypt-proxy[320233]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Jul 30 12:18:36.379773 osdx dnscrypt-proxy[320233]: [RD] OK (DoH) - rtt: 133ms
Jul 30 12:18:36.379783 osdx dnscrypt-proxy[320233]: Server with the lowest initial latency: RD (rtt: 133ms)
Jul 30 12:18:36.379790 osdx dnscrypt-proxy[320233]: dnscrypt-proxy is ready - live servers: 1
Jul 30 12:18:41.385110 osdx OSDxCLI[210769]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Jul 30 12:18:41.558576 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 6
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Output:
Jul 30 12:18:41.744604 osdx systemd-journald[60253]: Runtime Journal (/run/log/journal/22c37bf8be29452e87aca50c6265032f) is 2.0M, max 15.3M, 13.3M free.
Jul 30 12:18:41.745315 osdx systemd-journald[60253]: Received client request to rotate journal, rotating.
Jul 30 12:18:41.745354 osdx systemd-journald[60253]: Vacuuming done, freed 0B of archived journals from /run/log/journal/22c37bf8be29452e87aca50c6265032f.
Jul 30 12:18:41.753792 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'system journal clear'.
Jul 30 12:18:41.989215 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu.
Jul 30 12:18:42.082510 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'delete'.
Jul 30 12:18:42.149459 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jul 30 12:18:42.242050 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'.
Jul 30 12:18:42.301882 osdx dnscrypt-proxy[320233]: Stopped.
Jul 30 12:18:42.301890 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Jul 30 12:18:42.303146 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Jul 30 12:18:42.303398 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 30 12:18:42.376697 osdx ca-certificates[320338]: Clearing symlinks in /etc/ssl/certs...
Jul 30 12:18:42.620391 osdx ca-certificates[320908]: done.
Jul 30 12:18:42.623390 osdx ca-certificates[320917]: Updating certificates in /etc/ssl/certs...
Jul 30 12:18:43.032294 osdx ca-certificates[321769]: 140 added, 0 removed; done.
Jul 30 12:18:43.035134 osdx ca-certificates[321774]: Running hooks in /etc/ca-certificates/update.d...
Jul 30 12:18:43.038248 osdx ca-certificates[321776]: done.
Jul 30 12:18:43.067658 osdx cfgd[1242]: [210769]Completed change to active configuration
Jul 30 12:18:43.070037 osdx OSDxCLI[210769]: User 'admin' committed the configuration.
Jul 30 12:18:43.087185 osdx OSDxCLI[210769]: User 'admin' left the configuration menu.
Jul 30 12:18:44.205001 osdx OSDxCLI[210769]: User 'admin' entered the configuration menu.
Jul 30 12:18:44.291772 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jul 30 12:18:44.353157 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jul 30 12:18:44.445006 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jul 30 12:18:44.497972 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jul 30 12:18:44.596263 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854'.
Jul 30 12:18:44.651056 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Jul 30 12:18:44.747738 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Jul 30 12:18:44.804995 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jul 30 12:18:44.919660 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 30 12:18:44.972246 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 30 12:18:45.084638 osdx OSDxCLI[210769]: User 'admin' added a new cfg line: 'show working'.
Jul 30 12:18:45.172193 osdx ca-certificates[321830]: Updating certificates in /etc/ssl/certs...
Jul 30 12:18:45.640244 osdx ca-certificates[322836]: 1 added, 0 removed; done.
Jul 30 12:18:45.643035 osdx ca-certificates[322841]: Running hooks in /etc/ca-certificates/update.d...
Jul 30 12:18:45.646042 osdx ca-certificates[322843]: done.
Jul 30 12:18:45.661339 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 30 12:18:45.777823 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 30 12:18:45.779558 osdx cfgd[1242]: [210769]Completed change to active configuration
Jul 30 12:18:45.799724 osdx dnscrypt-proxy[322902]: dnscrypt-proxy 2.0.45
Jul 30 12:18:45.799868 osdx dnscrypt-proxy[322902]: Network connectivity detected
Jul 30 12:18:45.800065 osdx dnscrypt-proxy[322902]: Dropping privileges
Jul 30 12:18:45.802497 osdx dnscrypt-proxy[322902]: Network connectivity detected
Jul 30 12:18:45.802525 osdx dnscrypt-proxy[322902]: Now listening to 127.0.0.1:53 [UDP]
Jul 30 12:18:45.802529 osdx dnscrypt-proxy[322902]: Now listening to 127.0.0.1:53 [TCP]
Jul 30 12:18:45.802550 osdx dnscrypt-proxy[322902]: Firefox workaround initialized
Jul 30 12:18:45.802554 osdx dnscrypt-proxy[322902]: Loading the set of cloaking rules from [/tmp/tmpe_dytkk8]
Jul 30 12:18:45.807582 osdx OSDxCLI[210769]: User 'admin' committed the configuration.
Jul 30 12:18:45.823709 osdx OSDxCLI[210769]: User 'admin' left the configuration menu.
Jul 30 12:18:45.969396 osdx dnscrypt-proxy[322902]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Jul 30 12:18:45.969410 osdx dnscrypt-proxy[322902]: [RD] OK (DoH) - rtt: 143ms
Jul 30 12:18:45.969417 osdx dnscrypt-proxy[322902]: Server with the lowest initial latency: RD (rtt: 143ms)
Jul 30 12:18:45.969421 osdx dnscrypt-proxy[322902]: dnscrypt-proxy is ready - live servers: 1
Jul 30 12:18:50.969419 osdx OSDxCLI[210769]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Jul 30 12:18:51.149814 osdx OSDxCLI[210769]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
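Step 3 in each example matches a decimal cipher suite ID in the dnscrypt-proxy handshake line. The script below is an added example, not part of the original test suite: it resolves that ID to its IANA name and checks it against the `cipher N algorithm` entries from Step 1. The function names and the pass criterion are assumptions of this example; the sample config and journal lines are copied from Example 3, and the two negative inputs are constructed.

```python
import re

# IANA TLS cipher suite IDs for the five suites named on this page.
IANA_IDS = {
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,        # 49199
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xC030,        # 49200
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": 0xCCA8,  # 52392
}
ID_TO_NAME = {v: k for k, v in IANA_IDS.items()}

# RC4 and 3DES suites are on the HTTP/2 cipher blocklist (RFC 7540, Appendix A).
LEGACY_MARKERS = ("_RC4_", "_3DES_")

CIPHER_CFG = re.compile(r"set service dns proxy cipher (\d+) algorithm ([A-Z0-9_]+)")
HANDSHAKE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[(?P<server>[^\]]+)\] "
    r"TLS version: (?P<ver>[0-9a-fA-F]+) - Protocol: (?P<proto>\S+) "
    r"- Cipher suite: (?P<suite>\d+)"
)


def configured_ciphers(config_text):
    """Return the configured cipher names ordered by their index."""
    found = {int(idx): name for idx, name in CIPHER_CFG.findall(config_text)}
    return [found[idx] for idx in sorted(found)]


def is_legacy(name):
    return any(marker in name for marker in LEGACY_MARKERS)


def handshakes(journal_text):
    """Extract every handshake summary line dnscrypt-proxy wrote to the journal."""
    result = []
    for m in HANDSHAKE.finditer(journal_text):
        suite_id = int(m["suite"])  # logged in decimal
        result.append({
            "server": m["server"],
            # "303" is read here as hex 0x0303, the TLS 1.2 version number.
            "tls_version": int(m["ver"], 16),
            "protocol": m["proto"],
            "suite_id": suite_id,
            "suite_name": ID_TO_NAME.get(suite_id, "UNKNOWN(0x%04X)" % suite_id),
        })
    return result


def audit(config_text, journal_text):
    allowed = configured_ciphers(config_text)
    allowed_ids = {IANA_IDS[n] for n in allowed if n in IANA_IDS}
    seen = handshakes(journal_text)
    for hs in seen:
        hs["in_configured_list"] = hs["suite_id"] in allowed_ids
        hs["legacy"] = is_legacy(hs["suite_name"])
    return {
        "configured": allowed,
        "legacy_configured": [n for n in allowed if is_legacy(n)],
        "handshakes": seen,
        # Assumed pass criterion: at least one handshake was logged and
        # every one used a suite from the configured list.
        "ok": bool(seen) and all(hs["in_configured_list"] for hs in seen),
    }


# Copied from Example 3 on this page.
EXAMPLE3_CONFIG = """\
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
"""
EXAMPLE3_JOURNAL = """\
Jul 30 12:18:21.810815 osdx dnscrypt-proxy[314896]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Jul 30 12:18:21.810837 osdx dnscrypt-proxy[314896]: [RD] OK (DoH) - rtt: 190ms
"""
# Constructed negative inputs: a suite outside the configured list, and a
# journal in which the proxy never logged a handshake.
MISMATCH_JOURNAL = (
    "Jul 30 12:00:00.000000 osdx dnscrypt-proxy[1]: "
    "[RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199\n"
)
NO_HANDSHAKE_JOURNAL = "Jul 30 12:00:00.000000 osdx dnscrypt-proxy[1]: Stopped.\n"

if __name__ == "__main__":
    for label, journal in (("example 3", EXAMPLE3_JOURNAL),
                           ("mismatch", MISMATCH_JOURNAL),
                           ("no handshake", NO_HANDSHAKE_JOURNAL)):
        report = audit(EXAMPLE3_CONFIG, journal)
        names = [hs["suite_name"] for hs in report["handshakes"]]
        print(label, "ok=%s" % report["ok"], names,
              "legacy configured:", report["legacy_configured"])
```
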