Cipher

Test suite that validates the use of one or multiple ciphers to protect the DoH connection.

Single Valid Cipher

Description

Configures a single, valid cipher and tries to communicate with the server. No refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Output:
Oct 09 09:32:36.445842 osdx systemd-journald[1768]: Runtime Journal (/run/log/journal/da0729972954483f829d339572dde7c1) is 2.0M, max 15.3M, 13.2M free.
Oct 09 09:32:36.446534 osdx systemd-journald[1768]: Received client request to rotate journal, rotating.
Oct 09 09:32:36.446582 osdx systemd-journald[1768]: Vacuuming done, freed 0B of archived journals from /run/log/journal/da0729972954483f829d339572dde7c1.
Oct 09 09:32:36.463535 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system journal clear'.
Oct 09 09:32:37.016367 osdx osdx-coredump[191053]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Oct 09 09:32:37.027219 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 09 09:32:37.770742 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:32:37.926572 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 09 09:32:38.049029 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 09 09:32:38.250762 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:32:38.437942 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 09 09:32:38.651612 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:32:38.687923 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:32:38.732226 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:32:38.965304 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Oct 09 09:32:39.275424 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:32:39.427105 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 09 09:32:39.554980 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Oct 09 09:32:39.700517 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Oct 09 09:32:39.821616 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Oct 09 09:32:39.964277 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9'.
Oct 09 09:32:40.125579 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Oct 09 09:32:40.287054 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Oct 09 09:32:40.516334 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 09 09:32:40.650871 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 09 09:32:40.841426 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:32:41.057656 osdx ca-certificates[191199]: Updating certificates in /etc/ssl/certs...
Oct 09 09:32:42.158097 osdx ca-certificates[192202]: 1 added, 0 removed; done.
Oct 09 09:32:42.164347 osdx ca-certificates[192208]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:32:42.170924 osdx ca-certificates[192210]: done.
Oct 09 09:32:42.278626 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:32:42.285405 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:32:42.301596 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:32:42.324371 osdx dnscrypt-proxy[192214]: dnscrypt-proxy 2.0.45
Oct 09 09:32:42.324462 osdx dnscrypt-proxy[192214]: Network connectivity detected
Oct 09 09:32:42.324782 osdx dnscrypt-proxy[192214]: Dropping privileges
Oct 09 09:32:42.328672 osdx dnscrypt-proxy[192214]: Network connectivity detected
Oct 09 09:32:42.328727 osdx dnscrypt-proxy[192214]: Now listening to 127.0.0.1:53 [UDP]
Oct 09 09:32:42.328735 osdx dnscrypt-proxy[192214]: Now listening to 127.0.0.1:53 [TCP]
Oct 09 09:32:42.328770 osdx dnscrypt-proxy[192214]: Firefox workaround initialized
Oct 09 09:32:42.328778 osdx dnscrypt-proxy[192214]: Loading the set of cloaking rules from [/tmp/tmpwrb6z8i0]
Oct 09 09:32:42.349613 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:32:42.547109 osdx dnscrypt-proxy[192214]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Oct 09 09:32:42.547139 osdx dnscrypt-proxy[192214]: [RD] OK (DoH) - rtt: 162ms
Oct 09 09:32:42.547153 osdx dnscrypt-proxy[192214]: Server with the lowest initial latency: RD (rtt: 162ms)
Oct 09 09:32:42.547162 osdx dnscrypt-proxy[192214]: dnscrypt-proxy is ready - live servers: 1
Oct 09 09:32:42.572432 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Multiple Valid Cipher

Description

Configures a valid cipher each time, and tries to communicate with the server. No refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Output:
Oct 09 09:32:53.375794 osdx systemd-journald[1768]: Runtime Journal (/run/log/journal/da0729972954483f829d339572dde7c1) is 2.2M, max 15.3M, 13.0M free.
Oct 09 09:32:53.378513 osdx systemd-journald[1768]: Received client request to rotate journal, rotating.
Oct 09 09:32:53.378600 osdx systemd-journald[1768]: Vacuuming done, freed 0B of archived journals from /run/log/journal/da0729972954483f829d339572dde7c1.
Oct 09 09:32:53.393201 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system journal clear'.
Oct 09 09:32:53.921157 osdx osdx-coredump[193840]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Oct 09 09:32:53.932449 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 09 09:32:54.693919 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:32:54.849665 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 09 09:32:54.933408 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 09 09:32:55.152301 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:32:55.286506 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 09 09:32:55.450358 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:32:55.494682 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:32:55.529915 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:32:55.715022 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Oct 09 09:32:55.941839 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:32:56.047140 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 09 09:32:56.189731 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Oct 09 09:32:56.304194 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Oct 09 09:32:56.392911 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Oct 09 09:32:56.495001 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9'.
Oct 09 09:32:56.579711 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Oct 09 09:32:56.697710 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Oct 09 09:32:56.830488 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 09 09:32:56.919061 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 09 09:32:57.050290 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:32:57.191449 osdx ca-certificates[193985]: Updating certificates in /etc/ssl/certs...
Oct 09 09:32:57.959546 osdx ca-certificates[194989]: 1 added, 0 removed; done.
Oct 09 09:32:57.963627 osdx ca-certificates[194995]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:32:57.969616 osdx ca-certificates[194997]: done.
Oct 09 09:32:58.059173 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:32:58.061373 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:32:58.065156 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:32:58.091024 osdx dnscrypt-proxy[195001]: dnscrypt-proxy 2.0.45
Oct 09 09:32:58.091126 osdx dnscrypt-proxy[195001]: Network connectivity detected
Oct 09 09:32:58.091478 osdx dnscrypt-proxy[195001]: Dropping privileges
Oct 09 09:32:58.095237 osdx dnscrypt-proxy[195001]: Network connectivity detected
Oct 09 09:32:58.095604 osdx dnscrypt-proxy[195001]: Now listening to 127.0.0.1:53 [UDP]
Oct 09 09:32:58.095688 osdx dnscrypt-proxy[195001]: Now listening to 127.0.0.1:53 [TCP]
Oct 09 09:32:58.095809 osdx dnscrypt-proxy[195001]: Firefox workaround initialized
Oct 09 09:32:58.095893 osdx dnscrypt-proxy[195001]: Loading the set of cloaking rules from [/tmp/tmpmwfu180d]
Oct 09 09:32:58.104992 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:32:58.255798 osdx dnscrypt-proxy[195001]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Oct 09 09:32:58.255832 osdx dnscrypt-proxy[195001]: [RD] OK (DoH) - rtt: 124ms
Oct 09 09:32:58.255849 osdx dnscrypt-proxy[195001]: Server with the lowest initial latency: RD (rtt: 124ms)
Oct 09 09:32:58.255858 osdx dnscrypt-proxy[195001]: dnscrypt-proxy is ready - live servers: 1
Oct 09 09:32:58.337996 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 2

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49200
Output:
Oct 09 09:32:58.604576 osdx systemd-journald[1768]: Runtime Journal (/run/log/journal/da0729972954483f829d339572dde7c1) is 2.0M, max 15.3M, 13.3M free.
Oct 09 09:32:58.606492 osdx systemd-journald[1768]: Received client request to rotate journal, rotating.
Oct 09 09:32:58.606572 osdx systemd-journald[1768]: Vacuuming done, freed 0B of archived journals from /run/log/journal/da0729972954483f829d339572dde7c1.
Oct 09 09:32:58.624093 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system journal clear'.
Oct 09 09:32:59.069753 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:32:59.162129 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'delete'.
Oct 09 09:32:59.286529 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Oct 09 09:32:59.420711 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:32:59.568692 osdx dnscrypt-proxy[195001]: Stopped.
Oct 09 09:32:59.568720 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Oct 09 09:32:59.569880 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Oct 09 09:32:59.570020 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:32:59.729452 osdx ca-certificates[195091]: Clearing symlinks in /etc/ssl/certs...
Oct 09 09:32:59.818770 osdx zebra[1399]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Oct 09 09:33:00.158310 osdx ca-certificates[195661]: done.
Oct 09 09:33:00.164396 osdx ca-certificates[195670]: Updating certificates in /etc/ssl/certs...
Oct 09 09:33:00.902310 osdx ca-certificates[196522]: 140 added, 0 removed; done.
Oct 09 09:33:00.906604 osdx ca-certificates[196527]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:33:00.912663 osdx ca-certificates[196529]: done.
Oct 09 09:33:00.957408 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:33:00.962394 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:33:01.001059 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:33:02.772860 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:33:02.882924 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 09 09:33:02.998988 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Oct 09 09:33:03.131381 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Oct 09 09:33:03.230851 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Oct 09 09:33:03.332725 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9'.
Oct 09 09:33:03.428719 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Oct 09 09:33:03.521519 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Oct 09 09:33:03.641589 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 09 09:33:03.753346 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 09 09:33:03.931005 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:33:04.081633 osdx ca-certificates[196588]: Updating certificates in /etc/ssl/certs...
Oct 09 09:33:04.943950 osdx ca-certificates[197592]: 1 added, 0 removed; done.
Oct 09 09:33:04.948764 osdx ca-certificates[197598]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:33:04.955403 osdx ca-certificates[197600]: done.
Oct 09 09:33:04.982508 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 09 09:33:05.278931 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:33:05.280659 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:33:05.308210 osdx dnscrypt-proxy[197664]: dnscrypt-proxy 2.0.45
Oct 09 09:33:05.308310 osdx dnscrypt-proxy[197664]: Network connectivity detected
Oct 09 09:33:05.308662 osdx dnscrypt-proxy[197664]: Dropping privileges
Oct 09 09:33:05.317333 osdx dnscrypt-proxy[197664]: Network connectivity detected
Oct 09 09:33:05.317385 osdx dnscrypt-proxy[197664]: Now listening to 127.0.0.1:53 [UDP]
Oct 09 09:33:05.317394 osdx dnscrypt-proxy[197664]: Now listening to 127.0.0.1:53 [TCP]
Oct 09 09:33:05.317440 osdx dnscrypt-proxy[197664]: Firefox workaround initialized
Oct 09 09:33:05.317448 osdx dnscrypt-proxy[197664]: Loading the set of cloaking rules from [/tmp/tmp16_ow907]
Oct 09 09:33:05.350220 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:33:05.398297 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:33:05.527135 osdx dnscrypt-proxy[197664]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Oct 09 09:33:05.527153 osdx dnscrypt-proxy[197664]: [RD] OK (DoH) - rtt: 121ms
Oct 09 09:33:05.527162 osdx dnscrypt-proxy[197664]: Server with the lowest initial latency: RD (rtt: 121ms)
Oct 09 09:33:05.527167 osdx dnscrypt-proxy[197664]: dnscrypt-proxy is ready - live servers: 1
Oct 09 09:33:05.602876 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 3

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 52392
Output:
Oct 09 09:33:05.899459 osdx systemd-journald[1768]: Runtime Journal (/run/log/journal/da0729972954483f829d339572dde7c1) is 2.0M, max 15.3M, 13.3M free.
Oct 09 09:33:05.902506 osdx systemd-journald[1768]: Received client request to rotate journal, rotating.
Oct 09 09:33:05.902597 osdx systemd-journald[1768]: Vacuuming done, freed 0B of archived journals from /run/log/journal/da0729972954483f829d339572dde7c1.
Oct 09 09:33:05.918645 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system journal clear'.
Oct 09 09:33:06.331237 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:33:06.428671 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'delete'.
Oct 09 09:33:06.619249 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Oct 09 09:33:06.726066 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:33:06.822785 osdx dnscrypt-proxy[197664]: Stopped.
Oct 09 09:33:06.822942 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Oct 09 09:33:06.824321 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Oct 09 09:33:06.824540 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:33:06.964521 osdx ca-certificates[197770]: Clearing symlinks in /etc/ssl/certs...
Oct 09 09:33:07.386555 osdx ca-certificates[198339]: done.
Oct 09 09:33:07.391724 osdx ca-certificates[198348]: Updating certificates in /etc/ssl/certs...
Oct 09 09:33:08.091094 osdx ca-certificates[199200]: 140 added, 0 removed; done.
Oct 09 09:33:08.095889 osdx ca-certificates[199206]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:33:08.100196 osdx ca-certificates[199208]: done.
Oct 09 09:33:08.158192 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:33:08.161682 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:33:08.189795 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:33:09.880549 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:33:09.978190 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 09 09:33:10.098615 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Oct 09 09:33:10.212883 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Oct 09 09:33:10.324626 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Oct 09 09:33:10.448602 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9'.
Oct 09 09:33:10.559100 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Oct 09 09:33:10.649234 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Oct 09 09:33:10.767379 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 09 09:33:10.850163 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 09 09:33:10.991856 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:33:11.130081 osdx ca-certificates[199262]: Updating certificates in /etc/ssl/certs...
Oct 09 09:33:11.913176 osdx ca-certificates[200265]: 1 added, 0 removed; done.
Oct 09 09:33:11.919010 osdx ca-certificates[200272]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:33:11.923620 osdx ca-certificates[200274]: done.
Oct 09 09:33:11.946511 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 09 09:33:12.199068 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:33:12.201403 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:33:12.238237 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:33:12.242027 osdx dnscrypt-proxy[200337]: dnscrypt-proxy 2.0.45
Oct 09 09:33:12.242458 osdx dnscrypt-proxy[200337]: Network connectivity detected
Oct 09 09:33:12.242973 osdx dnscrypt-proxy[200337]: Dropping privileges
Oct 09 09:33:12.248376 osdx dnscrypt-proxy[200337]: Network connectivity detected
Oct 09 09:33:12.248446 osdx dnscrypt-proxy[200337]: Now listening to 127.0.0.1:53 [UDP]
Oct 09 09:33:12.248455 osdx dnscrypt-proxy[200337]: Now listening to 127.0.0.1:53 [TCP]
Oct 09 09:33:12.248492 osdx dnscrypt-proxy[200337]: Firefox workaround initialized
Oct 09 09:33:12.248501 osdx dnscrypt-proxy[200337]: Loading the set of cloaking rules from [/tmp/tmphhjrkj0v]
Oct 09 09:33:12.271007 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:33:12.409876 osdx dnscrypt-proxy[200337]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Oct 09 09:33:12.409906 osdx dnscrypt-proxy[200337]: [RD] OK (DoH) - rtt: 122ms
Oct 09 09:33:12.409920 osdx dnscrypt-proxy[200337]: Server with the lowest initial latency: RD (rtt: 122ms)
Oct 09 09:33:12.409931 osdx dnscrypt-proxy[200337]: dnscrypt-proxy is ready - live servers: 1
Oct 09 09:33:12.465119 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Single Invalid Cipher

Description

Configures a single, invalid cipher and tries to communicate with the server. A refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
Oct 09 09:33:23.392243 osdx systemd-journald[1768]: Runtime Journal (/run/log/journal/da0729972954483f829d339572dde7c1) is 2.0M, max 15.3M, 13.3M free.
Oct 09 09:33:23.393310 osdx systemd-journald[1768]: Received client request to rotate journal, rotating.
Oct 09 09:33:23.393380 osdx systemd-journald[1768]: Vacuuming done, freed 0B of archived journals from /run/log/journal/da0729972954483f829d339572dde7c1.
Oct 09 09:33:23.412449 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system journal clear'.
Oct 09 09:33:24.017110 osdx osdx-coredump[201979]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Oct 09 09:33:24.027345 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 09 09:33:24.754817 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:33:24.894637 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 09 09:33:25.000076 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 09 09:33:25.125669 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:33:25.256337 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 09 09:33:25.428822 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:33:25.464691 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:33:25.493354 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:33:25.673975 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Oct 09 09:33:25.956689 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:33:26.066174 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 09 09:33:26.186021 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Oct 09 09:33:26.299003 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Oct 09 09:33:26.385641 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Oct 09 09:33:26.510255 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9'.
Oct 09 09:33:26.628625 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Oct 09 09:33:26.789255 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Oct 09 09:33:26.940449 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 09 09:33:27.065581 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 09 09:33:27.227110 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:33:27.422570 osdx ca-certificates[202124]: Updating certificates in /etc/ssl/certs...
Oct 09 09:33:28.307547 osdx ca-certificates[203127]: 1 added, 0 removed; done.
Oct 09 09:33:28.312879 osdx ca-certificates[203134]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:33:28.317296 osdx ca-certificates[203136]: done.
Oct 09 09:33:28.425097 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:33:28.429085 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:33:28.436894 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:33:28.468598 osdx dnscrypt-proxy[203140]: dnscrypt-proxy 2.0.45
Oct 09 09:33:28.468701 osdx dnscrypt-proxy[203140]: Network connectivity detected
Oct 09 09:33:28.469032 osdx dnscrypt-proxy[203140]: Dropping privileges
Oct 09 09:33:28.472492 osdx dnscrypt-proxy[203140]: Network connectivity detected
Oct 09 09:33:28.472825 osdx dnscrypt-proxy[203140]: Now listening to 127.0.0.1:53 [UDP]
Oct 09 09:33:28.472907 osdx dnscrypt-proxy[203140]: Now listening to 127.0.0.1:53 [TCP]
Oct 09 09:33:28.473008 osdx dnscrypt-proxy[203140]: Firefox workaround initialized
Oct 09 09:33:28.473072 osdx dnscrypt-proxy[203140]: Loading the set of cloaking rules from [/tmp/tmpxrgr32i1]
Oct 09 09:33:28.474261 osdx dnscrypt-proxy[203140]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Oct 09 09:33:28.494620 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:33:28.629418 osdx dnscrypt-proxy[203140]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Oct 09 09:33:28.629606 osdx dnscrypt-proxy[203140]: [RD] OK (DoH) - rtt: 111ms
Oct 09 09:33:28.629695 osdx dnscrypt-proxy[203140]: Server with the lowest initial latency: RD (rtt: 111ms)
Oct 09 09:33:28.629776 osdx dnscrypt-proxy[203140]: dnscrypt-proxy is ready - live servers: 1

Multiple Invalid Cipher

Description

Configures either one or two invalid ciphers and tries to communicate with the server. A refusal of all proposed ciphers is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Show output
Oct 09 09:33:39.396179 osdx systemd-journald[1768]: Runtime Journal (/run/log/journal/da0729972954483f829d339572dde7c1) is 2.0M, max 15.3M, 13.3M free.
Oct 09 09:33:39.398369 osdx systemd-journald[1768]: Received client request to rotate journal, rotating.
Oct 09 09:33:39.398467 osdx systemd-journald[1768]: Vacuuming done, freed 0B of archived journals from /run/log/journal/da0729972954483f829d339572dde7c1.
Oct 09 09:33:39.417219 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system journal clear'.
Oct 09 09:33:40.034573 osdx osdx-coredump[204763]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Oct 09 09:33:40.047932 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 09 09:33:40.833362 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:33:40.969757 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 09 09:33:41.077250 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 09 09:33:41.220022 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:33:41.354361 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 09 09:33:41.541548 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:33:41.581087 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:33:41.633621 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:33:41.821473 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Oct 09 09:33:42.010883 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:33:42.112883 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 09 09:33:42.230446 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Oct 09 09:33:42.335816 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Oct 09 09:33:42.420728 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Oct 09 09:33:42.546103 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9'.
Oct 09 09:33:42.640782 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Oct 09 09:33:42.738781 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Oct 09 09:33:42.871056 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 09 09:33:42.965650 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 09 09:33:43.100375 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:33:43.244661 osdx ca-certificates[204908]: Updating certificates in /etc/ssl/certs...
Oct 09 09:33:44.062582 osdx ca-certificates[205912]: 1 added, 0 removed; done.
Oct 09 09:33:44.068733 osdx ca-certificates[205918]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:33:44.074599 osdx ca-certificates[205920]: done.
Oct 09 09:33:44.170973 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:33:44.172947 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:33:44.177958 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:33:44.206172 osdx dnscrypt-proxy[205924]: dnscrypt-proxy 2.0.45
Oct 09 09:33:44.206562 osdx dnscrypt-proxy[205924]: Network connectivity detected
Oct 09 09:33:44.206862 osdx dnscrypt-proxy[205924]: Dropping privileges
Oct 09 09:33:44.209833 osdx dnscrypt-proxy[205924]: Network connectivity detected
Oct 09 09:33:44.209886 osdx dnscrypt-proxy[205924]: Now listening to 127.0.0.1:53 [UDP]
Oct 09 09:33:44.209894 osdx dnscrypt-proxy[205924]: Now listening to 127.0.0.1:53 [TCP]
Oct 09 09:33:44.209940 osdx dnscrypt-proxy[205924]: Firefox workaround initialized
Oct 09 09:33:44.209948 osdx dnscrypt-proxy[205924]: Loading the set of cloaking rules from [/tmp/tmpcbc3b7cb]
Oct 09 09:33:44.210937 osdx dnscrypt-proxy[205924]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Oct 09 09:33:44.225754 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.

Example 2

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Show output
Oct 09 09:33:44.597265 osdx systemd-journald[1768]: Runtime Journal (/run/log/journal/da0729972954483f829d339572dde7c1) is 2.0M, max 15.3M, 13.3M free.
Oct 09 09:33:44.598360 osdx systemd-journald[1768]: Received client request to rotate journal, rotating.
Oct 09 09:33:44.598431 osdx systemd-journald[1768]: Vacuuming done, freed 0B of archived journals from /run/log/journal/da0729972954483f829d339572dde7c1.
Oct 09 09:33:44.616575 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system journal clear'.
Oct 09 09:33:44.652238 osdx zebra[1399]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Oct 09 09:33:45.045065 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:33:45.140046 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'delete'.
Oct 09 09:33:45.272140 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Oct 09 09:33:45.380663 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:33:45.481934 osdx dnscrypt-proxy[205924]: Stopped.
Oct 09 09:33:45.482071 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Oct 09 09:33:45.483463 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Oct 09 09:33:45.483654 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:33:45.655445 osdx ca-certificates[206010]: Clearing symlinks in /etc/ssl/certs...
Oct 09 09:33:46.124029 osdx ca-certificates[206579]: done.
Oct 09 09:33:46.128630 osdx ca-certificates[206587]: Updating certificates in /etc/ssl/certs...
Oct 09 09:33:46.917691 osdx ca-certificates[207440]: 140 added, 0 removed; done.
Oct 09 09:33:46.923889 osdx ca-certificates[207446]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:33:46.930317 osdx ca-certificates[207448]: done.
Oct 09 09:33:46.981555 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:33:46.986867 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:33:47.021357 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:33:48.890753 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:33:48.997128 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 09 09:33:49.155634 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Oct 09 09:33:49.271399 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Oct 09 09:33:49.426413 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Oct 09 09:33:49.548585 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9'.
Oct 09 09:33:49.654965 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Oct 09 09:33:49.788344 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Oct 09 09:33:49.920480 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 09 09:33:50.076418 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 09 09:33:50.225594 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:33:50.376461 osdx ca-certificates[207502]: Updating certificates in /etc/ssl/certs...
Oct 09 09:33:51.258742 osdx ca-certificates[208505]: 1 added, 0 removed; done.
Oct 09 09:33:51.262851 osdx ca-certificates[208512]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:33:51.268649 osdx ca-certificates[208514]: done.
Oct 09 09:33:51.290396 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 09 09:33:51.515092 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:33:51.517211 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:33:51.545025 osdx dnscrypt-proxy[208577]: dnscrypt-proxy 2.0.45
Oct 09 09:33:51.545123 osdx dnscrypt-proxy[208577]: Network connectivity detected
Oct 09 09:33:51.545430 osdx dnscrypt-proxy[208577]: Dropping privileges
Oct 09 09:33:51.548800 osdx dnscrypt-proxy[208577]: Network connectivity detected
Oct 09 09:33:51.548846 osdx dnscrypt-proxy[208577]: Now listening to 127.0.0.1:53 [UDP]
Oct 09 09:33:51.548856 osdx dnscrypt-proxy[208577]: Now listening to 127.0.0.1:53 [TCP]
Oct 09 09:33:51.548889 osdx dnscrypt-proxy[208577]: Firefox workaround initialized
Oct 09 09:33:51.548896 osdx dnscrypt-proxy[208577]: Loading the set of cloaking rules from [/tmp/tmpyiaxcxpc]
Oct 09 09:33:51.550104 osdx dnscrypt-proxy[208577]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Oct 09 09:33:51.576392 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:33:51.626551 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:33:51.713826 osdx dnscrypt-proxy[208577]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Oct 09 09:33:51.713853 osdx dnscrypt-proxy[208577]: [RD] OK (DoH) - rtt: 120ms
Oct 09 09:33:51.713866 osdx dnscrypt-proxy[208577]: Server with the lowest initial latency: RD (rtt: 120ms)
Oct 09 09:33:51.713874 osdx dnscrypt-proxy[208577]: dnscrypt-proxy is ready - live servers: 1

Example 3

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Show output
Oct 09 09:33:52.096998 osdx systemd-journald[1768]: Runtime Journal (/run/log/journal/da0729972954483f829d339572dde7c1) is 2.0M, max 15.3M, 13.3M free.
Oct 09 09:33:52.098379 osdx systemd-journald[1768]: Received client request to rotate journal, rotating.
Oct 09 09:33:52.098456 osdx systemd-journald[1768]: Vacuuming done, freed 0B of archived journals from /run/log/journal/da0729972954483f829d339572dde7c1.
Oct 09 09:33:52.114645 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system journal clear'.
Oct 09 09:33:52.548538 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:33:52.665883 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'delete'.
Oct 09 09:33:52.771829 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Oct 09 09:33:52.924954 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:33:53.052099 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Oct 09 09:33:53.052157 osdx dnscrypt-proxy[208577]: Stopped.
Oct 09 09:33:53.053361 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Oct 09 09:33:53.053541 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:33:53.213580 osdx ca-certificates[208677]: Clearing symlinks in /etc/ssl/certs...
Oct 09 09:33:53.650311 osdx ca-certificates[209246]: done.
Oct 09 09:33:53.656779 osdx ca-certificates[209254]: Updating certificates in /etc/ssl/certs...
Oct 09 09:33:54.350311 osdx ca-certificates[210107]: 140 added, 0 removed; done.
Oct 09 09:33:54.354601 osdx ca-certificates[210113]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:33:54.358760 osdx ca-certificates[210115]: done.
Oct 09 09:33:54.398025 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:33:54.401385 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:33:54.433006 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:33:56.190181 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:33:56.302825 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 09 09:33:56.424998 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Oct 09 09:33:56.541115 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Oct 09 09:33:56.681666 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Oct 09 09:33:56.794163 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9'.
Oct 09 09:33:56.902568 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Oct 09 09:33:57.029871 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Oct 09 09:33:57.132595 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Oct 09 09:33:57.297612 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 09 09:33:57.406892 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 09 09:33:57.582527 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:33:57.717860 osdx ca-certificates[210172]: Updating certificates in /etc/ssl/certs...
Oct 09 09:33:58.747577 osdx ca-certificates[211176]: 1 added, 0 removed; done.
Oct 09 09:33:58.752327 osdx ca-certificates[211182]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:33:58.756932 osdx ca-certificates[211184]: done.
Oct 09 09:33:58.806764 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 09 09:33:59.167010 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:33:59.170632 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:33:59.207607 osdx dnscrypt-proxy[211247]: dnscrypt-proxy 2.0.45
Oct 09 09:33:59.207720 osdx dnscrypt-proxy[211247]: Network connectivity detected
Oct 09 09:33:59.208052 osdx dnscrypt-proxy[211247]: Dropping privileges
Oct 09 09:33:59.211913 osdx dnscrypt-proxy[211247]: Network connectivity detected
Oct 09 09:33:59.211952 osdx dnscrypt-proxy[211247]: Now listening to 127.0.0.1:53 [UDP]
Oct 09 09:33:59.211958 osdx dnscrypt-proxy[211247]: Now listening to 127.0.0.1:53 [TCP]
Oct 09 09:33:59.211988 osdx dnscrypt-proxy[211247]: Firefox workaround initialized
Oct 09 09:33:59.211993 osdx dnscrypt-proxy[211247]: Loading the set of cloaking rules from [/tmp/tmpz5yj9i8t]
Oct 09 09:33:59.213259 osdx dnscrypt-proxy[211247]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Oct 09 09:33:59.228007 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:33:59.274427 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:33:59.425381 osdx dnscrypt-proxy[211247]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Oct 09 09:33:59.425400 osdx dnscrypt-proxy[211247]: [RD] OK (DoH) - rtt: 158ms
Oct 09 09:33:59.425409 osdx dnscrypt-proxy[211247]: Server with the lowest initial latency: RD (rtt: 158ms)
Oct 09 09:33:59.425415 osdx dnscrypt-proxy[211247]: dnscrypt-proxy is ready - live servers: 1
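
The tokens checked in this suite can be audited together rather than one string at a time. The following Python sketch is an added example (not part of the test suite or of OSDx): it replays journal lines, tracks the configured `cipher N algorithm` entries, and classifies each dnscrypt-proxy process by whether the negotiated suite is in the configured list, which separates a pure refusal from a run where the `TLS handshake failure` token is followed by a successful handshake on suite 52392, as in the Example 2 and Example 3 journals above. The function names and verdict labels are assumptions, the numeric IDs come from the IANA TLS cipher suite registry (52392 is 0xCCA8, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, a name that does not appear on this page), and the sample lines are abridged from this page's journals.

```python
import re

# IANA TLS cipher suite registry values for the suites seen in this page's
# configurations and journals.
SUITE_IDS = {
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,        # 49199
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xC030,        # 49200
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": 0xCCA8,  # 52392
}
SUITE_NAMES = {value: name for name, value in SUITE_IDS.items()}

CFG_RE = re.compile(r"cfg line: 'set service dns proxy cipher (\d+) algorithm ([A-Z0-9_]+)'")
DELETE_RE = re.compile(r"cfg line: 'delete'")
FAIL_RE = re.compile(r"dnscrypt-proxy\[(\d+)\]: TLS handshake failure")
NEG_RE = re.compile(r"dnscrypt-proxy\[(\d+)\]: \[[^\]]+\] TLS version: .* Cipher suite: (\d+)")

# Sample input: lines abridged from the journals on this page.
SAMPLE_JOURNAL = """\
Oct 09 09:33:42.640782 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Oct 09 09:33:44.210937 osdx dnscrypt-proxy[205924]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Oct 09 09:33:52.665883 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'delete'.
Oct 09 09:33:56.902568 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Oct 09 09:33:57.029871 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Oct 09 09:33:59.213259 osdx dnscrypt-proxy[211247]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Oct 09 09:33:59.425381 osdx dnscrypt-proxy[211247]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Oct 09 09:34:14.129524 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Oct 09 09:34:14.327370 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Oct 09 09:34:16.339386 osdx dnscrypt-proxy[214056]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
"""


def _session(sessions, pid, configured):
    """Return the record for a proxy PID, snapshotting the cipher list on first sight."""
    if pid not in sessions:
        sessions[pid] = {
            "pid": int(pid),
            "configured": [configured[i] for i in sorted(configured)],
            "handshake_failure": False,
            "negotiated": None,
            "negotiated_name": None,
        }
    return sessions[pid]


def classify(record):
    """Compare the negotiated suite with the configured list (labels are this example's own)."""
    if record["negotiated"] is None:
        return "refused"            # failure logged, no handshake completed in these lines
    if not record["configured"]:
        return "unrestricted"       # no cipher list configured, nothing to enforce
    allowed = {SUITE_IDS.get(name) for name in record["configured"]}
    return "within-policy" if record["negotiated"] in allowed else "outside-policy"


def audit_journal(text):
    """Replay journal lines and return one verdict record per dnscrypt-proxy PID."""
    configured = {}   # cipher index -> suite name, as in 'cipher N algorithm X'
    sessions = {}     # pid -> record, in order of first appearance
    for line in text.splitlines():
        if DELETE_RE.search(line):
            configured = {}         # the CLI 'delete' wipes the working configuration
            continue
        match = CFG_RE.search(line)
        if match:
            configured[int(match.group(1))] = match.group(2)
            continue
        match = FAIL_RE.search(line)
        if match:
            _session(sessions, match.group(1), configured)["handshake_failure"] = True
            continue
        match = NEG_RE.search(line)
        if match:
            record = _session(sessions, match.group(1), configured)
            record["negotiated"] = int(match.group(2))
            record["negotiated_name"] = SUITE_NAMES.get(record["negotiated"], "unknown")
    results = list(sessions.values())
    for record in results:
        record["verdict"] = classify(record)
    return results


if __name__ == "__main__":
    for rec in audit_journal(SAMPLE_JOURNAL):
        print(rec["pid"], rec["configured"], rec["negotiated"], rec["verdict"])
```

An `outside-policy` verdict means the connection is up on a suite the operator did not list, which a check for the failure string alone does not reveal.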

Invalid Cipher With Fallback

Description

Configures an invalid cipher and a valid fallback cipher, then tries to communicate with the server. No refusal is expected, as long as the valid proposed cipher is the one used.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Show output
Oct 09 09:34:10.000774 osdx systemd-timedated[212877]: Changed local time to Wed 2024-10-09 09:34:10 UTC
Oct 09 09:34:10.002249 osdx systemd-journald[1768]: Time jumped backwards, rotating.
Oct 09 09:34:10.003104 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'set date 2024-10-09 09:34:10'.
Oct 09 09:34:10.601498 osdx systemd-journald[1768]: Runtime Journal (/run/log/journal/da0729972954483f829d339572dde7c1) is 2.0M, max 15.3M, 13.3M free.
Oct 09 09:34:10.602526 osdx systemd-journald[1768]: Received client request to rotate journal, rotating.
Oct 09 09:34:10.602597 osdx systemd-journald[1768]: Vacuuming done, freed 0B of archived journals from /run/log/journal/da0729972954483f829d339572dde7c1.
Oct 09 09:34:10.622062 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system journal clear'.
Oct 09 09:34:11.150187 osdx osdx-coredump[212894]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Oct 09 09:34:11.164437 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 09 09:34:11.986696 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:34:12.108277 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 09 09:34:12.244042 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 09 09:34:12.410954 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:34:12.638252 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 09 09:34:12.809188 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:34:12.854276 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:34:12.895778 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:34:13.104606 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Oct 09 09:34:13.378594 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:34:13.482592 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 09 09:34:13.605118 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Oct 09 09:34:13.715480 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Oct 09 09:34:13.829928 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Oct 09 09:34:14.007106 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9'.
Oct 09 09:34:14.129524 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Oct 09 09:34:14.327370 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Oct 09 09:34:14.489273 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Oct 09 09:34:14.550655 osdx zebra[1399]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Oct 09 09:34:14.704273 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 09 09:34:14.797349 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 09 09:34:14.946949 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:34:15.116605 osdx ca-certificates[213040]: Updating certificates in /etc/ssl/certs...
Oct 09 09:34:16.004896 osdx ca-certificates[214043]: 1 added, 0 removed; done.
Oct 09 09:34:16.011353 osdx ca-certificates[214050]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:34:16.017873 osdx ca-certificates[214052]: done.
Oct 09 09:34:16.130674 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:34:16.132350 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:34:16.137137 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:34:16.169905 osdx dnscrypt-proxy[214056]: dnscrypt-proxy 2.0.45
Oct 09 09:34:16.170011 osdx dnscrypt-proxy[214056]: Network connectivity detected
Oct 09 09:34:16.170396 osdx dnscrypt-proxy[214056]: Dropping privileges
Oct 09 09:34:16.174004 osdx dnscrypt-proxy[214056]: Network connectivity detected
Oct 09 09:34:16.174283 osdx dnscrypt-proxy[214056]: Now listening to 127.0.0.1:53 [UDP]
Oct 09 09:34:16.174342 osdx dnscrypt-proxy[214056]: Now listening to 127.0.0.1:53 [TCP]
Oct 09 09:34:16.174416 osdx dnscrypt-proxy[214056]: Firefox workaround initialized
Oct 09 09:34:16.174465 osdx dnscrypt-proxy[214056]: Loading the set of cloaking rules from [/tmp/tmpia9cnq9c]
Oct 09 09:34:16.183455 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:34:16.339386 osdx dnscrypt-proxy[214056]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Oct 09 09:34:16.339404 osdx dnscrypt-proxy[214056]: [RD] OK (DoH) - rtt: 120ms
Oct 09 09:34:16.339415 osdx dnscrypt-proxy[214056]: Server with the lowest initial latency: RD (rtt: 120ms)
Oct 09 09:34:16.339421 osdx dnscrypt-proxy[214056]: dnscrypt-proxy is ready - live servers: 1
Oct 09 09:34:16.371770 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 2

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49200
Show output
Oct 09 09:34:16.694129 osdx systemd-journald[1768]: Runtime Journal (/run/log/journal/da0729972954483f829d339572dde7c1) is 2.0M, max 15.3M, 13.2M free.
Oct 09 09:34:16.694821 osdx systemd-journald[1768]: Received client request to rotate journal, rotating.
Oct 09 09:34:16.694885 osdx systemd-journald[1768]: Vacuuming done, freed 0B of archived journals from /run/log/journal/da0729972954483f829d339572dde7c1.
Oct 09 09:34:16.711972 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system journal clear'.
Oct 09 09:34:17.191030 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:34:17.302373 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'delete'.
Oct 09 09:34:17.442602 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Oct 09 09:34:17.571509 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:34:17.720421 osdx dnscrypt-proxy[214056]: Stopped.
Oct 09 09:34:17.720554 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Oct 09 09:34:17.722422 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Oct 09 09:34:17.722628 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:34:17.889953 osdx ca-certificates[214145]: Clearing symlinks in /etc/ssl/certs...
Oct 09 09:34:18.310097 osdx ca-certificates[214714]: done.
Oct 09 09:34:18.315464 osdx ca-certificates[214722]: Updating certificates in /etc/ssl/certs...
Oct 09 09:34:19.079075 osdx ca-certificates[215574]: 140 added, 0 removed; done.
Oct 09 09:34:19.085475 osdx ca-certificates[215581]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:34:19.092303 osdx ca-certificates[215583]: done.
Oct 09 09:34:19.137950 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:34:19.142001 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:34:19.193037 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:34:21.260563 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:34:21.366647 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 09 09:34:21.497694 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Oct 09 09:34:21.617386 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Oct 09 09:34:21.723682 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Oct 09 09:34:21.848667 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9'.
Oct 09 09:34:21.968848 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Oct 09 09:34:22.082281 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Oct 09 09:34:22.208713 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Oct 09 09:34:22.376933 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 09 09:34:22.462579 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 09 09:34:22.649283 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:34:22.865333 osdx ca-certificates[215638]: Updating certificates in /etc/ssl/certs...
Oct 09 09:34:23.727236 osdx ca-certificates[216642]: 1 added, 0 removed; done.
Oct 09 09:34:23.731571 osdx ca-certificates[216648]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:34:23.735717 osdx ca-certificates[216650]: done.
Oct 09 09:34:23.758248 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 09 09:34:24.030898 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:34:24.034387 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:34:24.060753 osdx dnscrypt-proxy[216713]: dnscrypt-proxy 2.0.45
Oct 09 09:34:24.060830 osdx dnscrypt-proxy[216713]: Network connectivity detected
Oct 09 09:34:24.061067 osdx dnscrypt-proxy[216713]: Dropping privileges
Oct 09 09:34:24.063886 osdx dnscrypt-proxy[216713]: Network connectivity detected
Oct 09 09:34:24.063972 osdx dnscrypt-proxy[216713]: Now listening to 127.0.0.1:53 [UDP]
Oct 09 09:34:24.063982 osdx dnscrypt-proxy[216713]: Now listening to 127.0.0.1:53 [TCP]
Oct 09 09:34:24.064017 osdx dnscrypt-proxy[216713]: Firefox workaround initialized
Oct 09 09:34:24.064026 osdx dnscrypt-proxy[216713]: Loading the set of cloaking rules from [/tmp/tmpel80mzzp]
Oct 09 09:34:24.073636 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:34:24.129960 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:34:24.218886 osdx dnscrypt-proxy[216713]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Oct 09 09:34:24.218908 osdx dnscrypt-proxy[216713]: [RD] OK (DoH) - rtt: 117ms
Oct 09 09:34:24.218917 osdx dnscrypt-proxy[216713]: Server with the lowest initial latency: RD (rtt: 117ms)
Oct 09 09:34:24.218925 osdx dnscrypt-proxy[216713]: dnscrypt-proxy is ready - live servers: 1
Oct 09 09:34:24.303130 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 3

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 52392
Output:
Oct 09 09:34:24.602227 osdx systemd-journald[1768]: Runtime Journal (/run/log/journal/da0729972954483f829d339572dde7c1) is 2.2M, max 15.3M, 13.0M free.
Oct 09 09:34:24.606259 osdx systemd-journald[1768]: Received client request to rotate journal, rotating.
Oct 09 09:34:24.606348 osdx systemd-journald[1768]: Vacuuming done, freed 0B of archived journals from /run/log/journal/da0729972954483f829d339572dde7c1.
Oct 09 09:34:24.622623 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system journal clear'.
Oct 09 09:34:25.173113 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:34:25.316897 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'delete'.
Oct 09 09:34:25.472534 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Oct 09 09:34:25.577522 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:34:25.703510 osdx dnscrypt-proxy[216713]: Stopped.
Oct 09 09:34:25.703670 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Oct 09 09:34:25.704767 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Oct 09 09:34:25.704949 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:34:25.874893 osdx ca-certificates[216818]: Clearing symlinks in /etc/ssl/certs...
Oct 09 09:34:26.372199 osdx ca-certificates[217387]: done.
Oct 09 09:34:26.377098 osdx ca-certificates[217395]: Updating certificates in /etc/ssl/certs...
Oct 09 09:34:27.411275 osdx ca-certificates[218252]: 140 added, 0 removed; done.
Oct 09 09:34:27.419319 osdx ca-certificates[218254]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:34:27.425222 osdx ca-certificates[218256]: done.
Oct 09 09:34:27.480828 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:34:27.484637 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:34:27.536890 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:34:29.537248 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:34:29.552739 osdx zebra[1399]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Oct 09 09:34:29.687937 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 09 09:34:29.844401 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Oct 09 09:34:29.975465 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Oct 09 09:34:30.127815 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Oct 09 09:34:30.236870 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9'.
Oct 09 09:34:30.333592 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Oct 09 09:34:30.451552 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Oct 09 09:34:30.539617 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Oct 09 09:34:30.674620 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 09 09:34:30.777675 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 09 09:34:30.915455 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:34:31.046973 osdx ca-certificates[218311]: Updating certificates in /etc/ssl/certs...
Oct 09 09:34:31.917953 osdx ca-certificates[219314]: 1 added, 0 removed; done.
Oct 09 09:34:31.922101 osdx ca-certificates[219321]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:34:31.927849 osdx ca-certificates[219323]: done.
Oct 09 09:34:31.950248 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 09 09:34:32.203003 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:34:32.205510 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:34:32.234344 osdx dnscrypt-proxy[219386]: dnscrypt-proxy 2.0.45
Oct 09 09:34:32.234713 osdx dnscrypt-proxy[219386]: Network connectivity detected
Oct 09 09:34:32.235015 osdx dnscrypt-proxy[219386]: Dropping privileges
Oct 09 09:34:32.238190 osdx dnscrypt-proxy[219386]: Network connectivity detected
Oct 09 09:34:32.238247 osdx dnscrypt-proxy[219386]: Now listening to 127.0.0.1:53 [UDP]
Oct 09 09:34:32.238254 osdx dnscrypt-proxy[219386]: Now listening to 127.0.0.1:53 [TCP]
Oct 09 09:34:32.238281 osdx dnscrypt-proxy[219386]: Firefox workaround initialized
Oct 09 09:34:32.238287 osdx dnscrypt-proxy[219386]: Loading the set of cloaking rules from [/tmp/tmps38r4lm1]
Oct 09 09:34:32.245794 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:34:32.312257 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:34:32.448099 osdx dnscrypt-proxy[219386]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Oct 09 09:34:32.448125 osdx dnscrypt-proxy[219386]: [RD] OK (DoH) - rtt: 174ms
Oct 09 09:34:32.448139 osdx dnscrypt-proxy[219386]: Server with the lowest initial latency: RD (rtt: 174ms)
Oct 09 09:34:32.448150 osdx dnscrypt-proxy[219386]: dnscrypt-proxy is ready - live servers: 1
Oct 09 09:34:32.486591 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 4

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Output:
Oct 09 09:34:32.807639 osdx systemd-journald[1768]: Runtime Journal (/run/log/journal/da0729972954483f829d339572dde7c1) is 2.0M, max 15.3M, 13.3M free.
Oct 09 09:34:32.810289 osdx systemd-journald[1768]: Received client request to rotate journal, rotating.
Oct 09 09:34:32.810355 osdx systemd-journald[1768]: Vacuuming done, freed 0B of archived journals from /run/log/journal/da0729972954483f829d339572dde7c1.
Oct 09 09:34:32.822730 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system journal clear'.
Oct 09 09:34:33.304303 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:34:33.383505 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'delete'.
Oct 09 09:34:33.493466 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Oct 09 09:34:33.673321 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:34:33.792226 osdx dnscrypt-proxy[219386]: Stopped.
Oct 09 09:34:33.792349 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Oct 09 09:34:33.794322 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Oct 09 09:34:33.794524 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:34:33.954642 osdx ca-certificates[219491]: Clearing symlinks in /etc/ssl/certs...
Oct 09 09:34:34.428097 osdx ca-certificates[220060]: done.
Oct 09 09:34:34.434261 osdx ca-certificates[220070]: Updating certificates in /etc/ssl/certs...
Oct 09 09:34:35.219658 osdx ca-certificates[220920]: 140 added, 0 removed; done.
Oct 09 09:34:35.224576 osdx ca-certificates[220927]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:34:35.231293 osdx ca-certificates[220929]: done.
Oct 09 09:34:35.285827 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:34:35.290031 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:34:35.321248 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:34:37.184167 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:34:37.282283 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 09 09:34:37.396146 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Oct 09 09:34:37.502970 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Oct 09 09:34:37.608074 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Oct 09 09:34:37.786315 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9'.
Oct 09 09:34:37.876466 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Oct 09 09:34:37.992772 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Oct 09 09:34:38.075499 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Oct 09 09:34:38.205783 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 09 09:34:38.283136 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 09 09:34:38.418108 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:34:38.545764 osdx ca-certificates[220984]: Updating certificates in /etc/ssl/certs...
Oct 09 09:34:39.442657 osdx ca-certificates[221988]: 1 added, 0 removed; done.
Oct 09 09:34:39.447001 osdx ca-certificates[221994]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:34:39.451235 osdx ca-certificates[221996]: done.
Oct 09 09:34:39.474252 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 09 09:34:39.747005 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:34:39.749317 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:34:39.781496 osdx dnscrypt-proxy[222059]: dnscrypt-proxy 2.0.45
Oct 09 09:34:39.781625 osdx dnscrypt-proxy[222059]: Network connectivity detected
Oct 09 09:34:39.782059 osdx dnscrypt-proxy[222059]: Dropping privileges
Oct 09 09:34:39.786360 osdx dnscrypt-proxy[222059]: Network connectivity detected
Oct 09 09:34:39.786418 osdx dnscrypt-proxy[222059]: Now listening to 127.0.0.1:53 [UDP]
Oct 09 09:34:39.786426 osdx dnscrypt-proxy[222059]: Now listening to 127.0.0.1:53 [TCP]
Oct 09 09:34:39.786467 osdx dnscrypt-proxy[222059]: Firefox workaround initialized
Oct 09 09:34:39.786476 osdx dnscrypt-proxy[222059]: Loading the set of cloaking rules from [/tmp/tmp8yg16z7q]
Oct 09 09:34:39.799351 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:34:39.857595 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:34:39.958792 osdx dnscrypt-proxy[222059]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Oct 09 09:34:39.958820 osdx dnscrypt-proxy[222059]: [RD] OK (DoH) - rtt: 119ms
Oct 09 09:34:39.958836 osdx dnscrypt-proxy[222059]: Server with the lowest initial latency: RD (rtt: 119ms)
Oct 09 09:34:39.958844 osdx dnscrypt-proxy[222059]: dnscrypt-proxy is ready - live servers: 1
Oct 09 09:34:40.038714 osdx systemd[1]: systemd-timedated.service: Deactivated successfully.
Oct 09 09:34:40.075501 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 5

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49200
Output:
Oct 09 09:34:40.393429 osdx systemd-journald[1768]: Runtime Journal (/run/log/journal/da0729972954483f829d339572dde7c1) is 2.0M, max 15.3M, 13.3M free.
Oct 09 09:34:40.394234 osdx systemd-journald[1768]: Received client request to rotate journal, rotating.
Oct 09 09:34:40.394284 osdx systemd-journald[1768]: Vacuuming done, freed 0B of archived journals from /run/log/journal/da0729972954483f829d339572dde7c1.
Oct 09 09:34:40.407898 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system journal clear'.
Oct 09 09:34:40.798498 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:34:40.911768 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'delete'.
Oct 09 09:34:41.023897 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Oct 09 09:34:41.190020 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:34:41.315995 osdx dnscrypt-proxy[222059]: Stopped.
Oct 09 09:34:41.316113 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Oct 09 09:34:41.317943 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Oct 09 09:34:41.318152 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:34:41.484204 osdx ca-certificates[222165]: Clearing symlinks in /etc/ssl/certs...
Oct 09 09:34:41.940065 osdx ca-certificates[222734]: done.
Oct 09 09:34:41.946705 osdx ca-certificates[222744]: Updating certificates in /etc/ssl/certs...
Oct 09 09:34:42.706197 osdx ca-certificates[223596]: 140 added, 0 removed; done.
Oct 09 09:34:42.710744 osdx ca-certificates[223601]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:34:42.715941 osdx ca-certificates[223603]: done.
Oct 09 09:34:42.757163 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:34:42.760944 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:34:42.805649 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:34:44.528343 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:34:44.553787 osdx zebra[1399]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Oct 09 09:34:44.622093 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 09 09:34:44.738034 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Oct 09 09:34:44.869201 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Oct 09 09:34:44.981771 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Oct 09 09:34:45.098304 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9'.
Oct 09 09:34:45.187023 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Oct 09 09:34:45.308618 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Oct 09 09:34:45.393319 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Oct 09 09:34:45.519990 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 09 09:34:45.606156 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 09 09:34:45.760684 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:34:45.903427 osdx ca-certificates[223657]: Updating certificates in /etc/ssl/certs...
Oct 09 09:34:46.842465 osdx ca-certificates[224661]: 1 added, 0 removed; done.
Oct 09 09:34:46.848697 osdx ca-certificates[224668]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:34:46.855083 osdx ca-certificates[224670]: done.
Oct 09 09:34:46.878249 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 09 09:34:47.123028 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:34:47.125610 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:34:47.164495 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:34:47.174372 osdx dnscrypt-proxy[224733]: dnscrypt-proxy 2.0.45
Oct 09 09:34:47.174472 osdx dnscrypt-proxy[224733]: Network connectivity detected
Oct 09 09:34:47.174785 osdx dnscrypt-proxy[224733]: Dropping privileges
Oct 09 09:34:47.181686 osdx dnscrypt-proxy[224733]: Network connectivity detected
Oct 09 09:34:47.182135 osdx dnscrypt-proxy[224733]: Now listening to 127.0.0.1:53 [UDP]
Oct 09 09:34:47.182265 osdx dnscrypt-proxy[224733]: Now listening to 127.0.0.1:53 [TCP]
Oct 09 09:34:47.182399 osdx dnscrypt-proxy[224733]: Firefox workaround initialized
Oct 09 09:34:47.182503 osdx dnscrypt-proxy[224733]: Loading the set of cloaking rules from [/tmp/tmpjt2fzqhq]
Oct 09 09:34:47.219248 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:34:47.355926 osdx dnscrypt-proxy[224733]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Oct 09 09:34:47.355960 osdx dnscrypt-proxy[224733]: [RD] OK (DoH) - rtt: 121ms
Oct 09 09:34:47.355974 osdx dnscrypt-proxy[224733]: Server with the lowest initial latency: RD (rtt: 121ms)
Oct 09 09:34:47.355989 osdx dnscrypt-proxy[224733]: dnscrypt-proxy is ready - live servers: 1
Oct 09 09:34:47.433021 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 6

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 52392
Output:
Oct 09 09:34:47.745774 osdx systemd-journald[1768]: Runtime Journal (/run/log/journal/da0729972954483f829d339572dde7c1) is 2.0M, max 15.3M, 13.3M free.
Oct 09 09:34:47.746790 osdx systemd-journald[1768]: Received client request to rotate journal, rotating.
Oct 09 09:34:47.746859 osdx systemd-journald[1768]: Vacuuming done, freed 0B of archived journals from /run/log/journal/da0729972954483f829d339572dde7c1.
Oct 09 09:34:47.764072 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'system journal clear'.
Oct 09 09:34:48.211760 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:34:48.299387 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'delete'.
Oct 09 09:34:48.417385 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Oct 09 09:34:48.510212 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:34:48.669892 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Oct 09 09:34:48.670175 osdx dnscrypt-proxy[224733]: Stopped.
Oct 09 09:34:48.672096 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Oct 09 09:34:48.672395 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:34:48.835193 osdx ca-certificates[224836]: Clearing symlinks in /etc/ssl/certs...
Oct 09 09:34:49.298840 osdx ca-certificates[225405]: done.
Oct 09 09:34:49.303933 osdx ca-certificates[225416]: Updating certificates in /etc/ssl/certs...
Oct 09 09:34:50.031542 osdx ca-certificates[226265]: 140 added, 0 removed; done.
Oct 09 09:34:50.037592 osdx ca-certificates[226272]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:34:50.042319 osdx ca-certificates[226274]: done.
Oct 09 09:34:50.091729 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:34:50.095322 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:34:50.139527 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:34:51.913971 osdx OSDxCLI[101017]: User 'admin' entered the configuration menu.
Oct 09 09:34:52.018188 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 09 09:34:52.134384 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Oct 09 09:34:52.284466 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Oct 09 09:34:52.436441 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Oct 09 09:34:52.564100 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9'.
Oct 09 09:34:52.648413 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Oct 09 09:34:52.793932 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Oct 09 09:34:52.892679 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Oct 09 09:34:53.041552 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 09 09:34:53.154856 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 09 09:34:53.364048 osdx OSDxCLI[101017]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:34:53.564822 osdx ca-certificates[226329]: Updating certificates in /etc/ssl/certs...
Oct 09 09:34:54.466417 osdx ca-certificates[227333]: 1 added, 0 removed; done.
Oct 09 09:34:54.472300 osdx ca-certificates[227339]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:34:54.478484 osdx ca-certificates[227341]: done.
Oct 09 09:34:54.502281 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 09 09:34:54.815110 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:34:54.819171 osdx cfgd[1434]: [101017]Completed change to active configuration
Oct 09 09:34:54.859794 osdx dnscrypt-proxy[227404]: dnscrypt-proxy 2.0.45
Oct 09 09:34:54.859885 osdx dnscrypt-proxy[227404]: Network connectivity detected
Oct 09 09:34:54.860416 osdx dnscrypt-proxy[227404]: Dropping privileges
Oct 09 09:34:54.864552 osdx OSDxCLI[101017]: User 'admin' committed the configuration.
Oct 09 09:34:54.865507 osdx dnscrypt-proxy[227404]: Network connectivity detected
Oct 09 09:34:54.865563 osdx dnscrypt-proxy[227404]: Now listening to 127.0.0.1:53 [UDP]
Oct 09 09:34:54.865572 osdx dnscrypt-proxy[227404]: Now listening to 127.0.0.1:53 [TCP]
Oct 09 09:34:54.865612 osdx dnscrypt-proxy[227404]: Firefox workaround initialized
Oct 09 09:34:54.865619 osdx dnscrypt-proxy[227404]: Loading the set of cloaking rules from [/tmp/tmpbak7cw2z]
Oct 09 09:34:54.906202 osdx OSDxCLI[101017]: User 'admin' left the configuration menu.
Oct 09 09:34:55.031646 osdx dnscrypt-proxy[227404]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Oct 09 09:34:55.031674 osdx dnscrypt-proxy[227404]: [RD] OK (DoH) - rtt: 123ms
Oct 09 09:34:55.031688 osdx dnscrypt-proxy[227404]: Server with the lowest initial latency: RD (rtt: 123ms)
Oct 09 09:34:55.031697 osdx dnscrypt-proxy[227404]: dnscrypt-proxy is ready - live servers: 1
Oct 09 09:34:55.106055 osdx OSDxCLI[101017]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
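
Step 3 in each example matches a decimal cipher-suite ID (49199, 49200, 52392) in the dnscrypt-proxy journal line. The following is an added example, not part of the original test suite: it maps that ID to its IANA name, checks it against the configured `cipher N algorithm` lines, and flags legacy suites. The function names and lookup tables are assumptions of this example, as is reading the logged TLS version as hexadecimal (303 as 0x0303).

```python
import re

# IANA TLS cipher suite code points for the suites that appear on this page.
IANA_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",        # 49199
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",        # 49200
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",  # 52392
}

# RC4 is prohibited in TLS by RFC 7465; 3DES has a 64-bit block (Sweet32).
LEGACY_SUITES = {"TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

CFG_RE = re.compile(
    r"^set service dns proxy cipher (\d+) algorithm (\S+)\s*$", re.M)
LOG_RE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[(?P<server>[^\]]+)\] "
    r"TLS version: (?P<ver>[0-9a-fA-F]+) - Protocol: (?P<proto>\S+) "
    r"- Cipher suite: (?P<suite>\d+)")


def configured_ciphers(config_text):
    """Return the configured algorithm names ordered by their cipher index."""
    entries = sorted((int(i), name) for i, name in CFG_RE.findall(config_text))
    return [name for _, name in entries]


def negotiated_sessions(journal_text):
    """Extract every TLS negotiation line and decode its numeric fields."""
    sessions = []
    for m in LOG_RE.finditer(journal_text):
        suite_id = int(m["suite"])  # logged in decimal
        sessions.append({
            "server": m["server"],
            # Assumption: the version is logged in hex (303 -> 0x0303).
            "tls_version": TLS_VERSIONS.get(int(m["ver"], 16), "unknown"),
            "protocol": m["proto"],
            "suite_id": suite_id,
            "suite_name": IANA_SUITES.get(
                suite_id, f"UNKNOWN(0x{suite_id:04X})"),
        })
    return sessions


def audit(config_text, journal_text):
    """Compare the negotiated suites with the configured list."""
    allowed = configured_ciphers(config_text)
    sessions = negotiated_sessions(journal_text)
    findings = []
    if not sessions:
        findings.append("no TLS negotiation line found in journal")
    for s in sessions:
        if s["suite_name"] not in allowed:
            findings.append(f"{s['server']}: negotiated {s['suite_name']} "
                            "is not in the configured list")
        elif s["suite_name"] in LEGACY_SUITES:
            findings.append(
                f"{s['server']}: negotiated legacy suite {s['suite_name']}")
    for name in allowed:
        if name in LEGACY_SUITES:
            findings.append(f"configured legacy suite: {name}")
    return sessions, findings


# Cipher lines and journal line copied from Example 3 on this page.
SAMPLE_CONFIG = """\
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
"""
SAMPLE_JOURNAL = (
    "Oct 09 09:34:32.448099 osdx dnscrypt-proxy[219386]: "
    "[RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392\n"
    "Oct 09 09:34:32.448125 osdx dnscrypt-proxy[219386]: "
    "[RD] OK (DoH) - rtt: 174ms\n"
)

# Constructed journal lines (not from the page) showing the failure cases.
CONSTRUCTED_JOURNAL = (
    "Oct 09 00:00:00.000000 host dnscrypt-proxy[1]: "
    "[RD] TLS version: 303 - Protocol: h2 - Cipher suite: 5\n"
    "Oct 09 00:00:01.000000 host dnscrypt-proxy[1]: "
    "[RD] TLS version: 303 - Protocol: h2 - Cipher suite: 47\n"
)

if __name__ == "__main__":
    for label, journal in (("Example 3", SAMPLE_JOURNAL),
                           ("constructed", CONSTRUCTED_JOURNAL)):
        sessions, findings = audit(SAMPLE_CONFIG, journal)
        print(label)
        for s in sessions:
            print(f"  {s['server']}: {s['tls_version']} "
                  f"{s['suite_name']} ({s['suite_id']})")
        for f in findings:
            print(f"  finding: {f}")
```

Run against Example 3, the only finding is the legacy RC4 entry that is still present in the configured list; the negotiated suite itself is the ChaCha20-Poly1305 one over TLS 1.2.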