Cipher
Test suite that validates the use of one or multiple ciphers to protect the DoH connection.
Single Valid Cipher
Description
Configures a single, valid cipher and tries to communicate with the server. No refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
Dec 04 15:21:19.293524 osdx systemd-journald[1574]: Runtime Journal (/run/log/journal/2754912ae611401eb118833e63cf0c07) is 2.0M, max 15.3M, 13.2M free.
Dec 04 15:21:19.296975 osdx systemd-journald[1574]: Received client request to rotate journal, rotating.
Dec 04 15:21:19.297030 osdx systemd-journald[1574]: Vacuuming done, freed 0B of archived journals from /run/log/journal/2754912ae611401eb118833e63cf0c07.
Dec 04 15:21:19.303254 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system journal clear'.
Dec 04 15:21:19.627155 osdx osdx-coredump[133522]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Dec 04 15:21:19.634106 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 04 15:21:20.051034 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu.
Dec 04 15:21:20.114123 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 04 15:21:20.197050 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 04 15:21:20.262753 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'.
Dec 04 15:21:20.372969 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 04 15:21:20.482688 osdx cfgd[1239]: [44364]Completed change to active configuration
Dec 04 15:21:20.511404 osdx OSDxCLI[44364]: User 'admin' committed the configuration.
Dec 04 15:21:20.526803 osdx OSDxCLI[44364]: User 'admin' left the configuration menu.
Dec 04 15:21:20.666288 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Dec 04 15:21:20.843653 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu.
Dec 04 15:21:20.898279 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 04 15:21:20.995754 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 04 15:21:21.056115 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 04 15:21:21.150942 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 04 15:21:21.211992 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'.
Dec 04 15:21:21.316814 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Dec 04 15:21:21.369535 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 04 15:21:21.473401 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 04 15:21:21.522624 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 04 15:21:21.635336 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'.
Dec 04 15:21:21.718120 osdx ca-certificates[133667]: Updating certificates in /etc/ssl/certs...
Dec 04 15:21:22.241053 osdx ca-certificates[134671]: 1 added, 0 removed; done.
Dec 04 15:21:22.244167 osdx ca-certificates[134677]: Running hooks in /etc/ca-certificates/update.d...
Dec 04 15:21:22.246913 osdx ca-certificates[134679]: done.
Dec 04 15:21:22.321321 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 04 15:21:22.322941 osdx cfgd[1239]: [44364]Completed change to active configuration
Dec 04 15:21:22.325349 osdx OSDxCLI[44364]: User 'admin' committed the configuration.
Dec 04 15:21:22.341605 osdx dnscrypt-proxy[134683]: dnscrypt-proxy 2.0.45
Dec 04 15:21:22.341661 osdx dnscrypt-proxy[134683]: Network connectivity detected
Dec 04 15:21:22.341852 osdx dnscrypt-proxy[134683]: Dropping privileges
Dec 04 15:21:22.344139 osdx dnscrypt-proxy[134683]: Network connectivity detected
Dec 04 15:21:22.344374 osdx dnscrypt-proxy[134683]: Now listening to 127.0.0.1:53 [UDP]
Dec 04 15:21:22.344428 osdx dnscrypt-proxy[134683]: Now listening to 127.0.0.1:53 [TCP]
Dec 04 15:21:22.344498 osdx dnscrypt-proxy[134683]: Firefox workaround initialized
Dec 04 15:21:22.344533 osdx dnscrypt-proxy[134683]: Loading the set of cloaking rules from [/tmp/tmpvhpeejtc]
Dec 04 15:21:22.360374 osdx OSDxCLI[44364]: User 'admin' left the configuration menu.
Dec 04 15:21:22.483930 osdx dnscrypt-proxy[134683]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Dec 04 15:21:22.483944 osdx dnscrypt-proxy[134683]: [RD] OK (DoH) - rtt: 115ms
Dec 04 15:21:22.483953 osdx dnscrypt-proxy[134683]: Server with the lowest initial latency: RD (rtt: 115ms)
Dec 04 15:21:22.483958 osdx dnscrypt-proxy[134683]: dnscrypt-proxy is ready - live servers: 1
Dec 04 15:21:22.528523 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Multiple Valid Cipher
Description
Configures a valid cipher each time, and tries to communicate with the server. No refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
Dec 04 15:21:29.305134 osdx systemd-journald[1574]: Runtime Journal (/run/log/journal/2754912ae611401eb118833e63cf0c07) is 2.0M, max 15.3M, 13.3M free.
Dec 04 15:21:29.306223 osdx systemd-journald[1574]: Received client request to rotate journal, rotating.
Dec 04 15:21:29.306275 osdx systemd-journald[1574]: Vacuuming done, freed 0B of archived journals from /run/log/journal/2754912ae611401eb118833e63cf0c07.
Dec 04 15:21:29.318062 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system journal clear'.
Dec 04 15:21:29.633014 osdx osdx-coredump[136310]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Dec 04 15:21:29.639852 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 04 15:21:30.089696 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu.
Dec 04 15:21:30.157360 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 04 15:21:30.244127 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 04 15:21:30.323199 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'.
Dec 04 15:21:30.434234 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 04 15:21:30.552590 osdx cfgd[1239]: [44364]Completed change to active configuration
Dec 04 15:21:30.586157 osdx OSDxCLI[44364]: User 'admin' committed the configuration.
Dec 04 15:21:30.601379 osdx OSDxCLI[44364]: User 'admin' left the configuration menu.
Dec 04 15:21:30.748415 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Dec 04 15:21:30.872782 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu.
Dec 04 15:21:30.932124 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 04 15:21:31.028821 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 04 15:21:31.091264 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 04 15:21:31.171533 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 04 15:21:31.229711 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'.
Dec 04 15:21:31.324841 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Dec 04 15:21:31.382914 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 04 15:21:31.484735 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 04 15:21:31.538004 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 04 15:21:31.651729 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'.
Dec 04 15:21:31.753022 osdx ca-certificates[136455]: Updating certificates in /etc/ssl/certs...
Dec 04 15:21:32.270120 osdx ca-certificates[137458]: 1 added, 0 removed; done.
Dec 04 15:21:32.272956 osdx ca-certificates[137465]: Running hooks in /etc/ca-certificates/update.d...
Dec 04 15:21:32.275909 osdx ca-certificates[137467]: done.
Dec 04 15:21:32.342677 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 04 15:21:32.344260 osdx cfgd[1239]: [44364]Completed change to active configuration
Dec 04 15:21:32.346501 osdx OSDxCLI[44364]: User 'admin' committed the configuration.
Dec 04 15:21:32.365590 osdx OSDxCLI[44364]: User 'admin' left the configuration menu.
Dec 04 15:21:32.371484 osdx dnscrypt-proxy[137471]: dnscrypt-proxy 2.0.45
Dec 04 15:21:32.371542 osdx dnscrypt-proxy[137471]: Network connectivity detected
Dec 04 15:21:32.371726 osdx dnscrypt-proxy[137471]: Dropping privileges
Dec 04 15:21:32.373629 osdx dnscrypt-proxy[137471]: Network connectivity detected
Dec 04 15:21:32.373654 osdx dnscrypt-proxy[137471]: Now listening to 127.0.0.1:53 [UDP]
Dec 04 15:21:32.373658 osdx dnscrypt-proxy[137471]: Now listening to 127.0.0.1:53 [TCP]
Dec 04 15:21:32.373676 osdx dnscrypt-proxy[137471]: Firefox workaround initialized
Dec 04 15:21:32.373680 osdx dnscrypt-proxy[137471]: Loading the set of cloaking rules from [/tmp/tmp81r9c712]
Dec 04 15:21:32.516357 osdx dnscrypt-proxy[137471]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Dec 04 15:21:32.516373 osdx dnscrypt-proxy[137471]: [RD] OK (DoH) - rtt: 120ms
Dec 04 15:21:32.516381 osdx dnscrypt-proxy[137471]: Server with the lowest initial latency: RD (rtt: 120ms)
Dec 04 15:21:32.516386 osdx dnscrypt-proxy[137471]: dnscrypt-proxy is ready - live servers: 1
Dec 04 15:21:32.539671 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 2
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
Output:
Dec 04 15:21:32.721011 osdx systemd-journald[1574]: Runtime Journal (/run/log/journal/2754912ae611401eb118833e63cf0c07) is 2.0M, max 15.3M, 13.3M free.
Dec 04 15:21:32.722223 osdx systemd-journald[1574]: Received client request to rotate journal, rotating.
Dec 04 15:21:32.722284 osdx systemd-journald[1574]: Vacuuming done, freed 0B of archived journals from /run/log/journal/2754912ae611401eb118833e63cf0c07.
Dec 04 15:21:32.732480 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system journal clear'.
Dec 04 15:21:32.978984 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu.
Dec 04 15:21:33.072595 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'delete'.
Dec 04 15:21:33.139712 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Dec 04 15:21:33.237946 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'.
Dec 04 15:21:33.300289 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Dec 04 15:21:33.300309 osdx dnscrypt-proxy[137471]: Stopped.
Dec 04 15:21:33.301715 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Dec 04 15:21:33.301854 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 04 15:21:33.409318 osdx ca-certificates[137560]: Clearing symlinks in /etc/ssl/certs...
Dec 04 15:21:33.661447 osdx ca-certificates[138129]: done.
Dec 04 15:21:33.665552 osdx ca-certificates[138137]: Updating certificates in /etc/ssl/certs...
Dec 04 15:21:34.125307 osdx ca-certificates[138991]: 140 added, 0 removed; done.
Dec 04 15:21:34.129229 osdx ca-certificates[138996]: Running hooks in /etc/ca-certificates/update.d...
Dec 04 15:21:34.132160 osdx ca-certificates[138998]: done.
Dec 04 15:21:34.169672 osdx cfgd[1239]: [44364]Completed change to active configuration
Dec 04 15:21:34.173577 osdx OSDxCLI[44364]: User 'admin' committed the configuration.
Dec 04 15:21:34.190734 osdx OSDxCLI[44364]: User 'admin' left the configuration menu.
Dec 04 15:21:35.579024 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu.
Dec 04 15:21:35.639669 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 04 15:21:35.732888 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 04 15:21:35.795519 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 04 15:21:35.884118 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 04 15:21:35.941699 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'.
Dec 04 15:21:36.035455 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Dec 04 15:21:36.088867 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 04 15:21:36.193790 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 04 15:21:36.245640 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 04 15:21:36.356555 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'.
Dec 04 15:21:36.443983 osdx ca-certificates[139051]: Updating certificates in /etc/ssl/certs...
Dec 04 15:21:36.947167 osdx ca-certificates[140056]: 1 added, 0 removed; done.
Dec 04 15:21:36.950981 osdx ca-certificates[140062]: Running hooks in /etc/ca-certificates/update.d...
Dec 04 15:21:36.954025 osdx ca-certificates[140064]: done.
Dec 04 15:21:36.970312 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 04 15:21:37.134595 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 04 15:21:37.135816 osdx cfgd[1239]: [44364]Completed change to active configuration
Dec 04 15:21:37.153184 osdx dnscrypt-proxy[140127]: dnscrypt-proxy 2.0.45
Dec 04 15:21:37.153244 osdx dnscrypt-proxy[140127]: Network connectivity detected
Dec 04 15:21:37.153428 osdx dnscrypt-proxy[140127]: Dropping privileges
Dec 04 15:21:37.155453 osdx dnscrypt-proxy[140127]: Network connectivity detected
Dec 04 15:21:37.155478 osdx dnscrypt-proxy[140127]: Now listening to 127.0.0.1:53 [UDP]
Dec 04 15:21:37.155482 osdx dnscrypt-proxy[140127]: Now listening to 127.0.0.1:53 [TCP]
Dec 04 15:21:37.155501 osdx dnscrypt-proxy[140127]: Firefox workaround initialized
Dec 04 15:21:37.155505 osdx dnscrypt-proxy[140127]: Loading the set of cloaking rules from [/tmp/tmpqnz8la8w]
Dec 04 15:21:37.174313 osdx OSDxCLI[44364]: User 'admin' committed the configuration.
Dec 04 15:21:37.192735 osdx OSDxCLI[44364]: User 'admin' left the configuration menu.
Dec 04 15:21:37.290992 osdx dnscrypt-proxy[140127]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Dec 04 15:21:37.291012 osdx dnscrypt-proxy[140127]: [RD] OK (DoH) - rtt: 106ms
Dec 04 15:21:37.291022 osdx dnscrypt-proxy[140127]: Server with the lowest initial latency: RD (rtt: 106ms)
Dec 04 15:21:37.291028 osdx dnscrypt-proxy[140127]: dnscrypt-proxy is ready - live servers: 1
Dec 04 15:21:37.385800 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 3
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Output:
Dec 04 15:21:37.597958 osdx systemd-journald[1574]: Runtime Journal (/run/log/journal/2754912ae611401eb118833e63cf0c07) is 2.0M, max 15.3M, 13.3M free.
Dec 04 15:21:37.598710 osdx systemd-journald[1574]: Received client request to rotate journal, rotating.
Dec 04 15:21:37.598756 osdx systemd-journald[1574]: Vacuuming done, freed 0B of archived journals from /run/log/journal/2754912ae611401eb118833e63cf0c07.
Dec 04 15:21:37.610949 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system journal clear'.
Dec 04 15:21:37.882057 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu.
Dec 04 15:21:37.942412 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'delete'.
Dec 04 15:21:38.054299 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Dec 04 15:21:38.118812 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'.
Dec 04 15:21:38.217158 osdx dnscrypt-proxy[140127]: Stopped.
Dec 04 15:21:38.217197 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Dec 04 15:21:38.218115 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Dec 04 15:21:38.218229 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 04 15:21:38.317671 osdx ca-certificates[140232]: Clearing symlinks in /etc/ssl/certs...
Dec 04 15:21:38.591616 osdx ca-certificates[140802]: done.
Dec 04 15:21:38.595559 osdx ca-certificates[140814]: Updating certificates in /etc/ssl/certs...
Dec 04 15:21:39.017893 osdx ca-certificates[141662]: 140 added, 0 removed; done.
Dec 04 15:21:39.020603 osdx ca-certificates[141668]: Running hooks in /etc/ca-certificates/update.d...
Dec 04 15:21:39.023340 osdx ca-certificates[141670]: done.
Dec 04 15:21:39.053068 osdx cfgd[1239]: [44364]Completed change to active configuration
Dec 04 15:21:39.055479 osdx OSDxCLI[44364]: User 'admin' committed the configuration.
Dec 04 15:21:39.071279 osdx OSDxCLI[44364]: User 'admin' left the configuration menu.
Dec 04 15:21:40.280496 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu.
Dec 04 15:21:40.334935 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 04 15:21:40.425537 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 04 15:21:40.483486 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 04 15:21:40.591000 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 04 15:21:40.695795 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'.
Dec 04 15:21:40.753637 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Dec 04 15:21:40.861437 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 04 15:21:40.941545 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 04 15:21:41.026641 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 04 15:21:41.112958 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'.
Dec 04 15:21:41.230543 osdx ca-certificates[141724]: Updating certificates in /etc/ssl/certs...
Dec 04 15:21:41.790983 osdx ca-certificates[142727]: 1 added, 0 removed; done.
Dec 04 15:21:41.794920 osdx ca-certificates[142734]: Running hooks in /etc/ca-certificates/update.d...
Dec 04 15:21:41.798067 osdx ca-certificates[142736]: done.
Dec 04 15:21:41.818233 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 04 15:21:42.014696 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 04 15:21:42.016102 osdx cfgd[1239]: [44364]Completed change to active configuration
Dec 04 15:21:42.039298 osdx dnscrypt-proxy[142799]: dnscrypt-proxy 2.0.45
Dec 04 15:21:42.039374 osdx dnscrypt-proxy[142799]: Network connectivity detected
Dec 04 15:21:42.039625 osdx dnscrypt-proxy[142799]: Dropping privileges
Dec 04 15:21:42.042603 osdx dnscrypt-proxy[142799]: Network connectivity detected
Dec 04 15:21:42.042643 osdx dnscrypt-proxy[142799]: Now listening to 127.0.0.1:53 [UDP]
Dec 04 15:21:42.042649 osdx dnscrypt-proxy[142799]: Now listening to 127.0.0.1:53 [TCP]
Dec 04 15:21:42.042684 osdx dnscrypt-proxy[142799]: Firefox workaround initialized
Dec 04 15:21:42.042690 osdx dnscrypt-proxy[142799]: Loading the set of cloaking rules from [/tmp/tmp1o2nkvgr]
Dec 04 15:21:42.055501 osdx OSDxCLI[44364]: User 'admin' committed the configuration.
Dec 04 15:21:42.086956 osdx OSDxCLI[44364]: User 'admin' left the configuration menu.
Dec 04 15:21:42.189318 osdx dnscrypt-proxy[142799]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Dec 04 15:21:42.189336 osdx dnscrypt-proxy[142799]: [RD] OK (DoH) - rtt: 116ms
Dec 04 15:21:42.189346 osdx dnscrypt-proxy[142799]: Server with the lowest initial latency: RD (rtt: 116ms)
Dec 04 15:21:42.189351 osdx dnscrypt-proxy[142799]: dnscrypt-proxy is ready - live servers: 1
Dec 04 15:21:42.284529 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Single Invalid Cipher
Description
Configures a single, invalid cipher and tries to communicate with the server. A refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
Dec 04 15:21:48.305623 osdx systemd-journald[1574]: Runtime Journal (/run/log/journal/2754912ae611401eb118833e63cf0c07) is 2.7M, max 15.3M, 12.5M free.
Dec 04 15:21:48.308582 osdx systemd-journald[1574]: Received client request to rotate journal, rotating.
Dec 04 15:21:48.308650 osdx systemd-journald[1574]: Vacuuming done, freed 0B of archived journals from /run/log/journal/2754912ae611401eb118833e63cf0c07.
Dec 04 15:21:48.318257 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system journal clear'.
Dec 04 15:21:48.649639 osdx osdx-coredump[144440]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Dec 04 15:21:48.656910 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 04 15:21:49.136731 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu.
Dec 04 15:21:49.217185 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 04 15:21:49.311620 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 04 15:21:49.396386 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'.
Dec 04 15:21:49.528585 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 04 15:21:49.649388 osdx cfgd[1239]: [44364]Completed change to active configuration
Dec 04 15:21:49.680912 osdx OSDxCLI[44364]: User 'admin' committed the configuration.
Dec 04 15:21:49.696583 osdx OSDxCLI[44364]: User 'admin' left the configuration menu.
Dec 04 15:21:49.836006 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Dec 04 15:21:49.986938 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu.
Dec 04 15:21:50.065061 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 04 15:21:50.167755 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 04 15:21:50.252925 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 04 15:21:50.398419 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 04 15:21:50.476299 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'.
Dec 04 15:21:50.562415 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Dec 04 15:21:50.615421 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 04 15:21:50.721632 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 04 15:21:50.787948 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 04 15:21:50.899420 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'.
Dec 04 15:21:50.990142 osdx ca-certificates[144585]: Updating certificates in /etc/ssl/certs...
Dec 04 15:21:51.509312 osdx ca-certificates[145588]: 1 added, 0 removed; done.
Dec 04 15:21:51.513149 osdx ca-certificates[145595]: Running hooks in /etc/ca-certificates/update.d...
Dec 04 15:21:51.516862 osdx ca-certificates[145597]: done.
Dec 04 15:21:51.580939 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 04 15:21:51.582246 osdx cfgd[1239]: [44364]Completed change to active configuration
Dec 04 15:21:51.584625 osdx OSDxCLI[44364]: User 'admin' committed the configuration.
Dec 04 15:21:51.600937 osdx dnscrypt-proxy[145601]: dnscrypt-proxy 2.0.45
Dec 04 15:21:51.600994 osdx dnscrypt-proxy[145601]: Network connectivity detected
Dec 04 15:21:51.601173 osdx dnscrypt-proxy[145601]: Dropping privileges
Dec 04 15:21:51.602914 osdx OSDxCLI[44364]: User 'admin' left the configuration menu.
Dec 04 15:21:51.603751 osdx dnscrypt-proxy[145601]: Network connectivity detected
Dec 04 15:21:51.603779 osdx dnscrypt-proxy[145601]: Now listening to 127.0.0.1:53 [UDP]
Dec 04 15:21:51.603783 osdx dnscrypt-proxy[145601]: Now listening to 127.0.0.1:53 [TCP]
Dec 04 15:21:51.603801 osdx dnscrypt-proxy[145601]: Firefox workaround initialized
Dec 04 15:21:51.603805 osdx dnscrypt-proxy[145601]: Loading the set of cloaking rules from [/tmp/tmpk8ogdgl0]
Dec 04 15:21:51.604453 osdx dnscrypt-proxy[145601]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
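The journal checks in the valid and invalid cipher scenarios above can be automated. The following is an added example, not part of the OSDx test suite: it decodes the numeric "Cipher suite" value logged by dnscrypt-proxy into its IANA name, compares it with the configured algorithm, and reports a refused handshake. The function name audit_journal and the verdict strings are hypothetical; reading "TLS version: 303" as hexadecimal 0x0303 (TLS 1.2) is an assumption about the log format; the mismatch input is constructed.

```python
import re

# IANA code points for the cipher suites named on this page.
IANA_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",        # 49199
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",        # 49200
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",  # 52392
}
# TLS protocol version numbers (assumption: the log prints them in hex).
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

CONFIGURED = re.compile(
    r"set service dns proxy cipher \d+ algorithm (TLS_[A-Z0-9_]+)")
NEGOTIATED = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[[^\]]+\] TLS version: ([0-9a-fA-F]+)"
    r" - Protocol: \S+ - Cipher suite: (\d+)")
REFUSED = re.compile(r"dnscrypt-proxy\[\d+\]: TLS handshake failure")


def audit_journal(journal):
    """Compare configured ciphers with the suite negotiated in the journal.

    Works on one entry per line or on a flattened dump, because every
    pattern is searched over the whole text rather than line by line.
    """
    configured = []
    for match in CONFIGURED.finditer(journal):
        if match.group(1) not in configured:
            configured.append(match.group(1))

    handshakes = list(NEGOTIATED.finditer(journal))
    refusals = list(REFUSED.finditer(journal))
    last_ok = handshakes[-1] if handshakes else None
    last_refusal = refusals[-1].start() if refusals else -1

    result = {"configured": configured, "negotiated": None,
              "tls_version": None}
    if last_ok is not None and last_ok.start() > last_refusal:
        # The most recent event is a completed handshake: decode it.
        code = int(last_ok.group(2))
        result["negotiated"] = IANA_SUITES.get(code, "unknown(0x%04X)" % code)
        result["tls_version"] = TLS_VERSIONS.get(
            int(last_ok.group(1), 16), "unknown")
        # A suite outside the configured list means the restriction
        # was not enforced.
        result["verdict"] = ("ok" if result["negotiated"] in configured
                             else "mismatch")
    elif refusals:
        result["verdict"] = "refused"
    else:
        result["verdict"] = "no-handshake"
    return result


# Excerpts of the journal output shown on this page.
VALID_JOURNAL = """\
Dec 04 15:21:21.316814 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Dec 04 15:21:22.483930 osdx dnscrypt-proxy[134683]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Dec 04 15:21:22.483944 osdx dnscrypt-proxy[134683]: [RD] OK (DoH) - rtt: 115ms
"""
INVALID_JOURNAL = """\
Dec 04 15:21:50.562415 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Dec 04 15:21:51.604453 osdx dnscrypt-proxy[145601]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
"""
# Constructed input: same configuration, but a different suite negotiated.
MISMATCH_JOURNAL = VALID_JOURNAL.replace("Cipher suite: 49199",
                                         "Cipher suite: 49200")

if __name__ == "__main__":
    for name, text in (("valid", VALID_JOURNAL),
                       ("invalid", INVALID_JOURNAL),
                       ("mismatch", MISMATCH_JOURNAL)):
        print(name, audit_journal(text))
```

A "mismatch" verdict is the case a plain token search for "Cipher suite:" would miss: the handshake succeeds, but with a suite outside the configured list.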
Multiple Invalid Cipher
Description
Configures either one or two invalid ciphers and tries to communicate with the server. A refusal of all proposed ciphers is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Dec 04 15:21:58.322847 osdx systemd-journald[1574]: Runtime Journal (/run/log/journal/2754912ae611401eb118833e63cf0c07) is 2.0M, max 15.3M, 13.3M free. Dec 04 15:21:58.324244 osdx systemd-journald[1574]: Received client request to rotate journal, rotating. Dec 04 15:21:58.324287 osdx systemd-journald[1574]: Vacuuming done, freed 0B of archived journals from /run/log/journal/2754912ae611401eb118833e63cf0c07. Dec 04 15:21:58.333884 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system journal clear'. Dec 04 15:21:58.644718 osdx osdx-coredump[147224]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... Dec 04 15:21:58.652170 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system coredump delete all'. Dec 04 15:21:59.100273 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu. Dec 04 15:21:59.169867 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Dec 04 15:21:59.273842 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Dec 04 15:21:59.338023 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'. Dec 04 15:21:59.448244 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Dec 04 15:21:59.551607 osdx cfgd[1239]: [44364]Completed change to active configuration Dec 04 15:21:59.576158 osdx OSDxCLI[44364]: User 'admin' committed the configuration. Dec 04 15:21:59.590844 osdx OSDxCLI[44364]: User 'admin' left the configuration menu. Dec 04 15:21:59.729965 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. Dec 04 15:21:59.843686 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu. Dec 04 15:21:59.898297 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. 
Dec 04 15:21:59.994792 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Dec 04 15:22:00.053740 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Dec 04 15:22:00.142612 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. Dec 04 15:22:00.198438 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'. Dec 04 15:22:00.288865 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. Dec 04 15:22:00.338146 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Dec 04 15:22:00.435841 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Dec 04 15:22:00.491694 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Dec 04 15:22:00.608635 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'. Dec 04 15:22:00.695505 osdx ca-certificates[147368]: Updating certificates in /etc/ssl/certs... Dec 04 15:22:01.215230 osdx ca-certificates[148377]: 1 added, 0 removed; done. Dec 04 15:22:01.218131 osdx ca-certificates[148383]: Running hooks in /etc/ca-certificates/update.d... Dec 04 15:22:01.221266 osdx ca-certificates[148385]: done. Dec 04 15:22:01.292577 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. Dec 04 15:22:01.293929 osdx cfgd[1239]: [44364]Completed change to active configuration Dec 04 15:22:01.296106 osdx OSDxCLI[44364]: User 'admin' committed the configuration. 
Dec 04 15:22:01.311464 osdx dnscrypt-proxy[148389]: dnscrypt-proxy 2.0.45 Dec 04 15:22:01.311539 osdx dnscrypt-proxy[148389]: Network connectivity detected Dec 04 15:22:01.311773 osdx dnscrypt-proxy[148389]: Dropping privileges Dec 04 15:22:01.314064 osdx OSDxCLI[44364]: User 'admin' left the configuration menu. Dec 04 15:22:01.314390 osdx dnscrypt-proxy[148389]: Network connectivity detected Dec 04 15:22:01.314424 osdx dnscrypt-proxy[148389]: Now listening to 127.0.0.1:53 [UDP] Dec 04 15:22:01.314429 osdx dnscrypt-proxy[148389]: Now listening to 127.0.0.1:53 [TCP] Dec 04 15:22:01.314446 osdx dnscrypt-proxy[148389]: Firefox workaround initialized Dec 04 15:22:01.314450 osdx dnscrypt-proxy[148389]: Loading the set of cloaking rules from [/tmp/tmpmf6e609d] Dec 04 15:22:01.315094 osdx dnscrypt-proxy[148389]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Example 2
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Dec 04 15:22:01.546262 osdx systemd-journald[1574]: Runtime Journal (/run/log/journal/2754912ae611401eb118833e63cf0c07) is 2.0M, max 15.3M, 13.3M free. Dec 04 15:22:01.548293 osdx systemd-journald[1574]: Received client request to rotate journal, rotating. Dec 04 15:22:01.548344 osdx systemd-journald[1574]: Vacuuming done, freed 0B of archived journals from /run/log/journal/2754912ae611401eb118833e63cf0c07. Dec 04 15:22:01.558057 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system journal clear'. Dec 04 15:22:01.823021 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu. Dec 04 15:22:01.887906 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'delete'. Dec 04 15:22:02.009595 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. Dec 04 15:22:02.072261 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'. Dec 04 15:22:02.166279 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy... Dec 04 15:22:02.166340 osdx dnscrypt-proxy[148389]: Stopped. Dec 04 15:22:02.167233 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully. Dec 04 15:22:02.167356 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy. Dec 04 15:22:02.286558 osdx ca-certificates[148476]: Clearing symlinks in /etc/ssl/certs... Dec 04 15:22:02.556633 osdx ca-certificates[149046]: done. Dec 04 15:22:02.560720 osdx ca-certificates[149053]: Updating certificates in /etc/ssl/certs... Dec 04 15:22:03.031743 osdx ca-certificates[149906]: 140 added, 0 removed; done. Dec 04 15:22:03.034892 osdx ca-certificates[149910]: Running hooks in /etc/ca-certificates/update.d... Dec 04 15:22:03.037906 osdx ca-certificates[149914]: done. 
Dec 04 15:22:03.068461 osdx cfgd[1239]: [44364]Completed change to active configuration Dec 04 15:22:03.070482 osdx OSDxCLI[44364]: User 'admin' committed the configuration. Dec 04 15:22:03.101487 osdx OSDxCLI[44364]: User 'admin' left the configuration menu. Dec 04 15:22:04.521859 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu. Dec 04 15:22:04.604945 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. Dec 04 15:22:04.721829 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Dec 04 15:22:04.798261 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Dec 04 15:22:04.926053 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. Dec 04 15:22:04.985746 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'. Dec 04 15:22:05.078706 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'. Dec 04 15:22:05.159880 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Dec 04 15:22:05.272405 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Dec 04 15:22:05.325750 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Dec 04 15:22:05.442086 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'. Dec 04 15:22:05.532694 osdx ca-certificates[149968]: Updating certificates in /etc/ssl/certs... Dec 04 15:22:06.045332 osdx ca-certificates[150972]: 1 added, 0 removed; done. 
Dec 04 15:22:06.048320 osdx ca-certificates[150978]: Running hooks in /etc/ca-certificates/update.d... Dec 04 15:22:06.052066 osdx ca-certificates[150980]: done. Dec 04 15:22:06.068240 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Dec 04 15:22:06.252682 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. Dec 04 15:22:06.254179 osdx cfgd[1239]: [44364]Completed change to active configuration Dec 04 15:22:06.279207 osdx dnscrypt-proxy[151043]: dnscrypt-proxy 2.0.45 Dec 04 15:22:06.279267 osdx dnscrypt-proxy[151043]: Network connectivity detected Dec 04 15:22:06.279475 osdx dnscrypt-proxy[151043]: Dropping privileges Dec 04 15:22:06.281706 osdx dnscrypt-proxy[151043]: Network connectivity detected Dec 04 15:22:06.281939 osdx dnscrypt-proxy[151043]: Now listening to 127.0.0.1:53 [UDP] Dec 04 15:22:06.281983 osdx dnscrypt-proxy[151043]: Now listening to 127.0.0.1:53 [TCP] Dec 04 15:22:06.282051 osdx dnscrypt-proxy[151043]: Firefox workaround initialized Dec 04 15:22:06.282087 osdx dnscrypt-proxy[151043]: Loading the set of cloaking rules from [/tmp/tmp1w2gswgo] Dec 04 15:22:06.283039 osdx dnscrypt-proxy[151043]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file Dec 04 15:22:06.296597 osdx OSDxCLI[44364]: User 'admin' committed the configuration. Dec 04 15:22:06.313488 osdx OSDxCLI[44364]: User 'admin' left the configuration menu. Dec 04 15:22:06.438106 osdx dnscrypt-proxy[151043]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392 Dec 04 15:22:06.438137 osdx dnscrypt-proxy[151043]: [RD] OK (DoH) - rtt: 129ms Dec 04 15:22:06.438148 osdx dnscrypt-proxy[151043]: Server with the lowest initial latency: RD (rtt: 129ms) Dec 04 15:22:06.438163 osdx dnscrypt-proxy[151043]: dnscrypt-proxy is ready - live servers: 1
Example 3
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Dec 04 15:22:06.578271 osdx systemd-journald[1574]: Runtime Journal (/run/log/journal/2754912ae611401eb118833e63cf0c07) is 2.0M, max 15.3M, 13.3M free. Dec 04 15:22:06.580236 osdx systemd-journald[1574]: Received client request to rotate journal, rotating. Dec 04 15:22:06.580310 osdx systemd-journald[1574]: Vacuuming done, freed 0B of archived journals from /run/log/journal/2754912ae611401eb118833e63cf0c07. Dec 04 15:22:06.588367 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system journal clear'. Dec 04 15:22:06.946775 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu. Dec 04 15:22:07.054449 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'delete'. Dec 04 15:22:07.157477 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. Dec 04 15:22:07.292324 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'. Dec 04 15:22:07.355909 osdx dnscrypt-proxy[151043]: Stopped. Dec 04 15:22:07.355960 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy... Dec 04 15:22:07.357100 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully. Dec 04 15:22:07.357209 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy. Dec 04 15:22:07.485775 osdx ca-certificates[151144]: Clearing symlinks in /etc/ssl/certs... Dec 04 15:22:07.775537 osdx ca-certificates[151713]: done. Dec 04 15:22:07.778942 osdx ca-certificates[151722]: Updating certificates in /etc/ssl/certs... Dec 04 15:22:08.240998 osdx ca-certificates[152574]: 140 added, 0 removed; done. Dec 04 15:22:08.244730 osdx ca-certificates[152580]: Running hooks in /etc/ca-certificates/update.d... Dec 04 15:22:08.247831 osdx ca-certificates[152582]: done. 
Dec 04 15:22:08.296065 osdx cfgd[1239]: [44364]Completed change to active configuration Dec 04 15:22:08.298963 osdx OSDxCLI[44364]: User 'admin' committed the configuration. Dec 04 15:22:08.320443 osdx OSDxCLI[44364]: User 'admin' left the configuration menu. Dec 04 15:22:09.557999 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu. Dec 04 15:22:09.617640 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. Dec 04 15:22:09.710169 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Dec 04 15:22:09.768339 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Dec 04 15:22:09.857797 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. Dec 04 15:22:09.914045 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'. Dec 04 15:22:10.005547 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. Dec 04 15:22:10.060936 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'. Dec 04 15:22:10.157113 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Dec 04 15:22:10.278093 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Dec 04 15:22:10.389222 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Dec 04 15:22:10.561035 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'. 
Dec 04 15:22:10.663961 osdx ca-certificates[152637]: Updating certificates in /etc/ssl/certs... Dec 04 15:22:11.182627 osdx ca-certificates[153641]: 1 added, 0 removed; done. Dec 04 15:22:11.185514 osdx ca-certificates[153647]: Running hooks in /etc/ca-certificates/update.d... Dec 04 15:22:11.188514 osdx ca-certificates[153649]: done. Dec 04 15:22:11.204235 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Dec 04 15:22:11.368545 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. Dec 04 15:22:11.369719 osdx cfgd[1239]: [44364]Completed change to active configuration Dec 04 15:22:11.392847 osdx dnscrypt-proxy[153712]: dnscrypt-proxy 2.0.45 Dec 04 15:22:11.392913 osdx dnscrypt-proxy[153712]: Network connectivity detected Dec 04 15:22:11.393109 osdx dnscrypt-proxy[153712]: Dropping privileges Dec 04 15:22:11.395044 osdx dnscrypt-proxy[153712]: Network connectivity detected Dec 04 15:22:11.395070 osdx dnscrypt-proxy[153712]: Now listening to 127.0.0.1:53 [UDP] Dec 04 15:22:11.395074 osdx dnscrypt-proxy[153712]: Now listening to 127.0.0.1:53 [TCP] Dec 04 15:22:11.395095 osdx dnscrypt-proxy[153712]: Firefox workaround initialized Dec 04 15:22:11.395099 osdx dnscrypt-proxy[153712]: Loading the set of cloaking rules from [/tmp/tmptfao8g7s] Dec 04 15:22:11.396184 osdx dnscrypt-proxy[153712]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file Dec 04 15:22:11.399349 osdx OSDxCLI[44364]: User 'admin' committed the configuration. Dec 04 15:22:11.426268 osdx OSDxCLI[44364]: User 'admin' left the configuration menu. 
Dec 04 15:22:11.593201 osdx dnscrypt-proxy[153712]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392 Dec 04 15:22:11.593221 osdx dnscrypt-proxy[153712]: [RD] OK (DoH) - rtt: 122ms Dec 04 15:22:11.593231 osdx dnscrypt-proxy[153712]: Server with the lowest initial latency: RD (rtt: 122ms) Dec 04 15:22:11.593236 osdx dnscrypt-proxy[153712]: dnscrypt-proxy is ready - live servers: 1
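The journals for Examples 2 and 3 above contain the expected handshake-failure token, but the same dnscrypt-proxy process then logs a session with cipher suite 52392, which neither configuration lists. The following added example (not part of the original test suite) parses journal lines in this format and flags a negotiated suite that is not among the configured ones; the function name, verdict labels and abridged sample journals are assumptions of the example.

```python
import re

# IANA code points for the cipher suite names configured on this page.
IANA_SUITES = {
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,        # 49199
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xC030,        # 49200
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": 0xCCA8,  # 52392
}
CODE_TO_NAME = {code: name for name, code in IANA_SUITES.items()}

CFG_RE = re.compile(r"added a new cfg line: '(.*)'\.")
CIPHER_RE = re.compile(r"^set service dns proxy cipher \d+ algorithm (\S+)$")
PROXY_RE = re.compile(r"dnscrypt-proxy\[(\d+)\]: (.*)$")
SUITE_RE = re.compile(r"Cipher suite: (\d+)")
HANDSHAKE_FAILURE = "TLS handshake failure"


def audit_journal(text):
    """Return {pid: (verdict, negotiated_suite_name_or_None)} per dnscrypt-proxy run.

    Verdicts (labels are this example's own):
      refused            handshake failure logged, no session established
      ok                 session uses one of the configured suites
      unconfigured-suite session uses a suite that was not configured
      unrestricted       session established with no cipher configured
      no-session         neither a failure nor a session was logged
    """
    configured = set()
    runs = {}
    for line in text.splitlines():
        cfg = CFG_RE.search(line)
        if cfg:
            cmd = cfg.group(1)
            if cmd == "delete":            # the test harness wipes the config
                configured = set()
            suite = CIPHER_RE.match(cmd)
            if suite:
                configured.add(suite.group(1))
            continue
        proxy = PROXY_RE.search(line)
        if not proxy:
            continue
        pid, msg = proxy.groups()
        # Snapshot the cipher list in force when this process first logs.
        run = runs.setdefault(
            pid, {"allowed": frozenset(configured), "failed": False, "code": None}
        )
        if HANDSHAKE_FAILURE in msg:
            run["failed"] = True
        negotiated = SUITE_RE.search(msg)
        if negotiated:
            run["code"] = int(negotiated.group(1))
    return {pid: _verdict(run) for pid, run in runs.items()}


def _verdict(run):
    code = run["code"]
    if code is None:
        return ("refused" if run["failed"] else "no-session", None)
    name = CODE_TO_NAME.get(code, str(code))
    if not run["allowed"]:
        return ("unrestricted", name)
    # Names missing from IANA_SUITES cannot be matched and are ignored here.
    allowed = {IANA_SUITES[n] for n in run["allowed"] if n in IANA_SUITES}
    return ("ok" if code in allowed else "unconfigured-suite", name)


# Sample journals, abridged from the outputs on this page (one entry per line).
MULTI_INVALID_EX1 = """
Dec 04 15:22:00.288865 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Dec 04 15:22:01.315094 osdx dnscrypt-proxy[148389]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
"""

MULTI_INVALID_EX3 = """
Dec 04 15:22:10.005547 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Dec 04 15:22:10.060936 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Dec 04 15:22:11.396184 osdx dnscrypt-proxy[153712]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Dec 04 15:22:11.593201 osdx dnscrypt-proxy[153712]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
"""

# From the "Invalid Cipher With Fallback" Example 1 journal on this page.
FALLBACK_EX1 = """
Dec 04 15:22:20.432017 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Dec 04 15:22:20.482625 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Dec 04 15:22:21.752826 osdx dnscrypt-proxy[156512]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
"""

if __name__ == "__main__":
    for label, sample in [("multi-invalid ex1", MULTI_INVALID_EX1),
                          ("multi-invalid ex3", MULTI_INVALID_EX3),
                          ("fallback ex1", FALLBACK_EX1)]:
        print(label, audit_journal(sample))
```

A check that only looks for the handshake-failure token passes both the refused and the unconfigured-suite cases, so the two are worth telling apart when the cipher list is meant to be enforced.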
Invalid Cipher With Fallback
Description
Configures an invalid cipher and a valid fallback cipher, then tries to communicate with the server. No refusal of the cipher is expected, as long as the valid proposed cipher is the one used.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Dec 04 15:22:18.288492 osdx systemd-journald[1574]: Runtime Journal (/run/log/journal/2754912ae611401eb118833e63cf0c07) is 2.0M, max 15.3M, 13.3M free. Dec 04 15:22:18.289522 osdx systemd-journald[1574]: Received client request to rotate journal, rotating. Dec 04 15:22:18.289569 osdx systemd-journald[1574]: Vacuuming done, freed 0B of archived journals from /run/log/journal/2754912ae611401eb118833e63cf0c07. Dec 04 15:22:18.303121 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system journal clear'. Dec 04 15:22:18.680424 osdx osdx-coredump[155350]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... Dec 04 15:22:18.688518 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system coredump delete all'. Dec 04 15:22:19.203564 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu. Dec 04 15:22:19.275682 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Dec 04 15:22:19.374309 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Dec 04 15:22:19.449429 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'. Dec 04 15:22:19.557516 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Dec 04 15:22:19.667258 osdx cfgd[1239]: [44364]Completed change to active configuration Dec 04 15:22:19.705015 osdx OSDxCLI[44364]: User 'admin' committed the configuration. Dec 04 15:22:19.721124 osdx OSDxCLI[44364]: User 'admin' left the configuration menu. Dec 04 15:22:19.859780 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. Dec 04 15:22:19.976116 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu. Dec 04 15:22:20.037141 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. 
Dec 04 15:22:20.133738 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. Dec 04 15:22:20.194504 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. Dec 04 15:22:20.293292 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. Dec 04 15:22:20.354444 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'. Dec 04 15:22:20.432017 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. Dec 04 15:22:20.482625 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'. Dec 04 15:22:20.610492 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. Dec 04 15:22:20.676432 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. Dec 04 15:22:20.780710 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. Dec 04 15:22:20.864739 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'. Dec 04 15:22:20.968411 osdx ca-certificates[155496]: Updating certificates in /etc/ssl/certs... Dec 04 15:22:21.513897 osdx ca-certificates[156500]: 1 added, 0 removed; done. Dec 04 15:22:21.516864 osdx ca-certificates[156506]: Running hooks in /etc/ca-certificates/update.d... Dec 04 15:22:21.519608 osdx ca-certificates[156508]: done. Dec 04 15:22:21.577872 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. 
Dec 04 15:22:21.579078 osdx cfgd[1239]: [44364]Completed change to active configuration Dec 04 15:22:21.582582 osdx OSDxCLI[44364]: User 'admin' committed the configuration. Dec 04 15:22:21.597263 osdx dnscrypt-proxy[156512]: dnscrypt-proxy 2.0.45 Dec 04 15:22:21.597328 osdx dnscrypt-proxy[156512]: Network connectivity detected Dec 04 15:22:21.597540 osdx dnscrypt-proxy[156512]: Dropping privileges Dec 04 15:22:21.600062 osdx dnscrypt-proxy[156512]: Network connectivity detected Dec 04 15:22:21.600102 osdx dnscrypt-proxy[156512]: Now listening to 127.0.0.1:53 [UDP] Dec 04 15:22:21.600107 osdx dnscrypt-proxy[156512]: Now listening to 127.0.0.1:53 [TCP] Dec 04 15:22:21.600137 osdx dnscrypt-proxy[156512]: Firefox workaround initialized Dec 04 15:22:21.600142 osdx dnscrypt-proxy[156512]: Loading the set of cloaking rules from [/tmp/tmpr9gitlwp] Dec 04 15:22:21.602920 osdx OSDxCLI[44364]: User 'admin' left the configuration menu. Dec 04 15:22:21.752826 osdx dnscrypt-proxy[156512]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199 Dec 04 15:22:21.753031 osdx dnscrypt-proxy[156512]: [RD] OK (DoH) - rtt: 131ms Dec 04 15:22:21.753125 osdx dnscrypt-proxy[156512]: Server with the lowest initial latency: RD (rtt: 131ms) Dec 04 15:22:21.753208 osdx dnscrypt-proxy[156512]: dnscrypt-proxy is ready - live servers: 1 Dec 04 15:22:21.795488 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 2
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
Dec 04 15:22:22.005536 osdx systemd-journald[1574]: Runtime Journal (/run/log/journal/2754912ae611401eb118833e63cf0c07) is 2.0M, max 15.3M, 13.3M free. Dec 04 15:22:22.009520 osdx systemd-journald[1574]: Received client request to rotate journal, rotating. Dec 04 15:22:22.009573 osdx systemd-journald[1574]: Vacuuming done, freed 0B of archived journals from /run/log/journal/2754912ae611401eb118833e63cf0c07. Dec 04 15:22:22.015430 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system journal clear'. Dec 04 15:22:22.296181 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu. Dec 04 15:22:22.353943 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'delete'. Dec 04 15:22:22.466555 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. Dec 04 15:22:22.527283 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'. Dec 04 15:22:22.630440 osdx dnscrypt-proxy[156512]: Stopped. Dec 04 15:22:22.630481 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy... Dec 04 15:22:22.631240 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully. Dec 04 15:22:22.631352 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy. Dec 04 15:22:22.732181 osdx ca-certificates[156602]: Clearing symlinks in /etc/ssl/certs... Dec 04 15:22:22.990952 osdx ca-certificates[157172]: done. Dec 04 15:22:22.994144 osdx ca-certificates[157181]: Updating certificates in /etc/ssl/certs... Dec 04 15:22:23.425790 osdx ca-certificates[158032]: 140 added, 0 removed; done. Dec 04 15:22:23.428637 osdx ca-certificates[158038]: Running hooks in /etc/ca-certificates/update.d... Dec 04 15:22:23.431417 osdx ca-certificates[158040]: done. 
Dec 04 15:22:23.460946 osdx cfgd[1239]: [44364]Completed change to active configuration
Dec 04 15:22:23.463083 osdx OSDxCLI[44364]: User 'admin' committed the configuration.
Dec 04 15:22:23.485660 osdx OSDxCLI[44364]: User 'admin' left the configuration menu.
Dec 04 15:22:24.680562 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu.
Dec 04 15:22:24.742091 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 04 15:22:24.834698 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 04 15:22:24.894589 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 04 15:22:24.984378 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 04 15:22:25.038594 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'.
Dec 04 15:22:25.145863 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Dec 04 15:22:25.232709 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Dec 04 15:22:25.285229 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 04 15:22:25.388479 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 04 15:22:25.439722 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 04 15:22:25.546763 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'.
Dec 04 15:22:25.634727 osdx ca-certificates[158097]: Updating certificates in /etc/ssl/certs...
Dec 04 15:22:26.174097 osdx ca-certificates[159101]: 1 added, 0 removed; done.
Dec 04 15:22:26.176507 osdx ca-certificates[159107]: Running hooks in /etc/ca-certificates/update.d...
Dec 04 15:22:26.179666 osdx ca-certificates[159109]: done.
Dec 04 15:22:26.193525 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 04 15:22:26.365922 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 04 15:22:26.367261 osdx cfgd[1239]: [44364]Completed change to active configuration
Dec 04 15:22:26.388138 osdx dnscrypt-proxy[159172]: dnscrypt-proxy 2.0.45
Dec 04 15:22:26.388197 osdx dnscrypt-proxy[159172]: Network connectivity detected
Dec 04 15:22:26.388391 osdx dnscrypt-proxy[159172]: Dropping privileges
Dec 04 15:22:26.390508 osdx dnscrypt-proxy[159172]: Network connectivity detected
Dec 04 15:22:26.390544 osdx dnscrypt-proxy[159172]: Now listening to 127.0.0.1:53 [UDP]
Dec 04 15:22:26.390550 osdx dnscrypt-proxy[159172]: Now listening to 127.0.0.1:53 [TCP]
Dec 04 15:22:26.390578 osdx dnscrypt-proxy[159172]: Firefox workaround initialized
Dec 04 15:22:26.390584 osdx dnscrypt-proxy[159172]: Loading the set of cloaking rules from [/tmp/tmpauwi9ril]
Dec 04 15:22:26.395295 osdx OSDxCLI[44364]: User 'admin' committed the configuration.
Dec 04 15:22:26.417630 osdx OSDxCLI[44364]: User 'admin' left the configuration menu.
Dec 04 15:22:26.553124 osdx dnscrypt-proxy[159172]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Dec 04 15:22:26.553144 osdx dnscrypt-proxy[159172]: [RD] OK (DoH) - rtt: 133ms
Dec 04 15:22:26.553154 osdx dnscrypt-proxy[159172]: Server with the lowest initial latency: RD (rtt: 133ms)
Dec 04 15:22:26.553160 osdx dnscrypt-proxy[159172]: dnscrypt-proxy is ready - live servers: 1
Dec 04 15:22:31.561341 osdx OSDxCLI[44364]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Dec 04 15:22:31.754691 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 3
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Output:
Dec 04 15:22:31.945783 osdx systemd-journald[1574]: Runtime Journal (/run/log/journal/2754912ae611401eb118833e63cf0c07) is 2.0M, max 15.3M, 13.3M free.
Dec 04 15:22:31.949519 osdx systemd-journald[1574]: Received client request to rotate journal, rotating.
Dec 04 15:22:31.949569 osdx systemd-journald[1574]: Vacuuming done, freed 0B of archived journals from /run/log/journal/2754912ae611401eb118833e63cf0c07.
Dec 04 15:22:31.957168 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system journal clear'.
Dec 04 15:22:32.204071 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu.
Dec 04 15:22:32.257361 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'delete'.
Dec 04 15:22:32.364603 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Dec 04 15:22:32.427823 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'.
Dec 04 15:22:32.520649 osdx dnscrypt-proxy[159172]: Stopped.
Dec 04 15:22:32.520666 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Dec 04 15:22:32.521382 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Dec 04 15:22:32.521476 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 04 15:22:32.640659 osdx ca-certificates[159281]: Clearing symlinks in /etc/ssl/certs...
Dec 04 15:22:32.914096 osdx ca-certificates[159850]: done.
Dec 04 15:22:32.919092 osdx ca-certificates[159859]: Updating certificates in /etc/ssl/certs...
Dec 04 15:22:33.412516 osdx ca-certificates[160711]: 140 added, 0 removed; done.
Dec 04 15:22:33.415694 osdx ca-certificates[160717]: Running hooks in /etc/ca-certificates/update.d...
Dec 04 15:22:33.418874 osdx ca-certificates[160719]: done.
Dec 04 15:22:33.449341 osdx cfgd[1239]: [44364]Completed change to active configuration
Dec 04 15:22:33.451828 osdx OSDxCLI[44364]: User 'admin' committed the configuration.
Dec 04 15:22:33.469158 osdx OSDxCLI[44364]: User 'admin' left the configuration menu.
Dec 04 15:22:34.690883 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu.
Dec 04 15:22:34.759145 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 04 15:22:34.850527 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 04 15:22:34.938590 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 04 15:22:34.995022 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 04 15:22:35.093178 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'.
Dec 04 15:22:35.145664 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Dec 04 15:22:35.239076 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Dec 04 15:22:35.290986 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 04 15:22:35.401630 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 04 15:22:35.460613 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 04 15:22:35.577972 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'.
Dec 04 15:22:35.678878 osdx ca-certificates[160774]: Updating certificates in /etc/ssl/certs...
Dec 04 15:22:36.251398 osdx ca-certificates[161777]: 1 added, 0 removed; done.
Dec 04 15:22:36.254528 osdx ca-certificates[161784]: Running hooks in /etc/ca-certificates/update.d...
Dec 04 15:22:36.257615 osdx ca-certificates[161786]: done.
Dec 04 15:22:36.273527 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 04 15:22:36.449966 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 04 15:22:36.451723 osdx cfgd[1239]: [44364]Completed change to active configuration
Dec 04 15:22:36.474617 osdx dnscrypt-proxy[161849]: dnscrypt-proxy 2.0.45
Dec 04 15:22:36.474674 osdx dnscrypt-proxy[161849]: Network connectivity detected
Dec 04 15:22:36.474838 osdx dnscrypt-proxy[161849]: Dropping privileges
Dec 04 15:22:36.477063 osdx dnscrypt-proxy[161849]: Network connectivity detected
Dec 04 15:22:36.477089 osdx dnscrypt-proxy[161849]: Now listening to 127.0.0.1:53 [UDP]
Dec 04 15:22:36.477093 osdx dnscrypt-proxy[161849]: Now listening to 127.0.0.1:53 [TCP]
Dec 04 15:22:36.477110 osdx dnscrypt-proxy[161849]: Firefox workaround initialized
Dec 04 15:22:36.477114 osdx dnscrypt-proxy[161849]: Loading the set of cloaking rules from [/tmp/tmp_to5dra2]
Dec 04 15:22:36.480617 osdx OSDxCLI[44364]: User 'admin' committed the configuration.
Dec 04 15:22:36.497727 osdx OSDxCLI[44364]: User 'admin' left the configuration menu.
Dec 04 15:22:36.708534 osdx dnscrypt-proxy[161849]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Dec 04 15:22:36.708601 osdx dnscrypt-proxy[161849]: [RD] OK (DoH) - rtt: 206ms
Dec 04 15:22:36.708639 osdx dnscrypt-proxy[161849]: Server with the lowest initial latency: RD (rtt: 206ms)
Dec 04 15:22:36.708657 osdx dnscrypt-proxy[161849]: dnscrypt-proxy is ready - live servers: 1
Dec 04 15:22:41.652517 osdx OSDxCLI[44364]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Dec 04 15:22:41.843333 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 4
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
Dec 04 15:22:42.053404 osdx systemd-journald[1574]: Runtime Journal (/run/log/journal/2754912ae611401eb118833e63cf0c07) is 2.0M, max 15.3M, 13.3M free.
Dec 04 15:22:42.053943 osdx systemd-journald[1574]: Received client request to rotate journal, rotating.
Dec 04 15:22:42.053973 osdx systemd-journald[1574]: Vacuuming done, freed 0B of archived journals from /run/log/journal/2754912ae611401eb118833e63cf0c07.
Dec 04 15:22:42.065613 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system journal clear'.
Dec 04 15:22:42.352927 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu.
Dec 04 15:22:42.416745 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'delete'.
Dec 04 15:22:42.525519 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Dec 04 15:22:42.591216 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'.
Dec 04 15:22:42.695688 osdx dnscrypt-proxy[161849]: Stopped.
Dec 04 15:22:42.695767 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Dec 04 15:22:42.696758 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Dec 04 15:22:42.696891 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 04 15:22:42.805823 osdx ca-certificates[161958]: Clearing symlinks in /etc/ssl/certs...
Dec 04 15:22:43.075423 osdx ca-certificates[162528]: done.
Dec 04 15:22:43.079320 osdx ca-certificates[162536]: Updating certificates in /etc/ssl/certs...
Dec 04 15:22:43.533658 osdx ca-certificates[163388]: 140 added, 0 removed; done.
Dec 04 15:22:43.537608 osdx ca-certificates[163394]: Running hooks in /etc/ca-certificates/update.d...
Dec 04 15:22:43.540836 osdx ca-certificates[163396]: done.
Dec 04 15:22:43.571938 osdx cfgd[1239]: [44364]Completed change to active configuration
Dec 04 15:22:43.574388 osdx OSDxCLI[44364]: User 'admin' committed the configuration.
Dec 04 15:22:43.605185 osdx OSDxCLI[44364]: User 'admin' left the configuration menu.
Dec 04 15:22:44.952912 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu.
Dec 04 15:22:45.011681 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 04 15:22:45.108114 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 04 15:22:45.174501 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 04 15:22:45.278766 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 04 15:22:45.375933 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'.
Dec 04 15:22:45.429214 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Dec 04 15:22:45.522576 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Dec 04 15:22:45.577249 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 04 15:22:45.683344 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 04 15:22:45.736075 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 04 15:22:45.847703 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'.
Dec 04 15:22:45.940839 osdx ca-certificates[163451]: Updating certificates in /etc/ssl/certs...
Dec 04 15:22:46.495137 osdx ca-certificates[164454]: 1 added, 0 removed; done.
Dec 04 15:22:46.498073 osdx ca-certificates[164461]: Running hooks in /etc/ca-certificates/update.d...
Dec 04 15:22:46.501051 osdx ca-certificates[164463]: done.
Dec 04 15:22:46.517519 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 04 15:22:46.713800 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 04 15:22:46.715028 osdx cfgd[1239]: [44364]Completed change to active configuration
Dec 04 15:22:46.733376 osdx dnscrypt-proxy[164526]: dnscrypt-proxy 2.0.45
Dec 04 15:22:46.733451 osdx dnscrypt-proxy[164526]: Network connectivity detected
Dec 04 15:22:46.733701 osdx dnscrypt-proxy[164526]: Dropping privileges
Dec 04 15:22:46.736253 osdx dnscrypt-proxy[164526]: Network connectivity detected
Dec 04 15:22:46.736287 osdx dnscrypt-proxy[164526]: Now listening to 127.0.0.1:53 [UDP]
Dec 04 15:22:46.736292 osdx dnscrypt-proxy[164526]: Now listening to 127.0.0.1:53 [TCP]
Dec 04 15:22:46.736312 osdx dnscrypt-proxy[164526]: Firefox workaround initialized
Dec 04 15:22:46.736316 osdx dnscrypt-proxy[164526]: Loading the set of cloaking rules from [/tmp/tmpq27vcpin]
Dec 04 15:22:46.742293 osdx OSDxCLI[44364]: User 'admin' committed the configuration.
Dec 04 15:22:46.778351 osdx OSDxCLI[44364]: User 'admin' left the configuration menu.
Dec 04 15:22:46.926872 osdx dnscrypt-proxy[164526]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Dec 04 15:22:46.926886 osdx dnscrypt-proxy[164526]: [RD] OK (DoH) - rtt: 155ms
Dec 04 15:22:46.926893 osdx dnscrypt-proxy[164526]: Server with the lowest initial latency: RD (rtt: 155ms)
Dec 04 15:22:46.926898 osdx dnscrypt-proxy[164526]: dnscrypt-proxy is ready - live servers: 1
Dec 04 15:22:48.030538 osdx systemd[1]: systemd-timedated.service: Deactivated successfully.
Dec 04 15:22:51.926177 osdx OSDxCLI[44364]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Dec 04 15:22:52.109264 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 5
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
Output:
Dec 04 15:22:52.386282 osdx systemd-journald[1574]: Runtime Journal (/run/log/journal/2754912ae611401eb118833e63cf0c07) is 2.8M, max 15.3M, 12.5M free.
Dec 04 15:22:52.389617 osdx systemd-journald[1574]: Received client request to rotate journal, rotating.
Dec 04 15:22:52.389680 osdx systemd-journald[1574]: Vacuuming done, freed 0B of archived journals from /run/log/journal/2754912ae611401eb118833e63cf0c07.
Dec 04 15:22:52.397632 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system journal clear'.
Dec 04 15:22:52.671190 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu.
Dec 04 15:22:52.790530 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'delete'.
Dec 04 15:22:52.851234 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Dec 04 15:22:52.950662 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'.
Dec 04 15:22:53.014921 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Dec 04 15:22:53.015053 osdx dnscrypt-proxy[164526]: Stopped.
Dec 04 15:22:53.016167 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Dec 04 15:22:53.016268 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 04 15:22:53.114828 osdx ca-certificates[164636]: Clearing symlinks in /etc/ssl/certs...
Dec 04 15:22:53.376260 osdx ca-certificates[165205]: done.
Dec 04 15:22:53.380176 osdx ca-certificates[165214]: Updating certificates in /etc/ssl/certs...
Dec 04 15:22:53.842951 osdx ca-certificates[166067]: 140 added, 0 removed; done.
Dec 04 15:22:53.845713 osdx ca-certificates[166072]: Running hooks in /etc/ca-certificates/update.d...
Dec 04 15:22:53.848239 osdx ca-certificates[166074]: done.
Dec 04 15:22:53.875720 osdx cfgd[1239]: [44364]Completed change to active configuration
Dec 04 15:22:53.877869 osdx OSDxCLI[44364]: User 'admin' committed the configuration.
Dec 04 15:22:53.894289 osdx OSDxCLI[44364]: User 'admin' left the configuration menu.
Dec 04 15:22:55.152534 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu.
Dec 04 15:22:55.208422 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 04 15:22:55.297598 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 04 15:22:55.360407 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 04 15:22:55.447717 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 04 15:22:55.508051 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'.
Dec 04 15:22:55.595302 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Dec 04 15:22:55.648384 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Dec 04 15:22:55.744315 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 04 15:22:55.806849 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 04 15:22:55.896365 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 04 15:22:55.969671 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'.
Dec 04 15:22:56.084002 osdx ca-certificates[166129]: Updating certificates in /etc/ssl/certs...
Dec 04 15:22:56.611172 osdx ca-certificates[167132]: 1 added, 0 removed; done.
Dec 04 15:22:56.615193 osdx ca-certificates[167139]: Running hooks in /etc/ca-certificates/update.d...
Dec 04 15:22:56.619348 osdx ca-certificates[167141]: done.
Dec 04 15:22:56.641515 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 04 15:22:56.857991 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 04 15:22:56.859770 osdx cfgd[1239]: [44364]Completed change to active configuration
Dec 04 15:22:56.884791 osdx dnscrypt-proxy[167204]: dnscrypt-proxy 2.0.45
Dec 04 15:22:56.884865 osdx dnscrypt-proxy[167204]: Network connectivity detected
Dec 04 15:22:56.885095 osdx dnscrypt-proxy[167204]: Dropping privileges
Dec 04 15:22:56.887120 osdx OSDxCLI[44364]: User 'admin' committed the configuration.
Dec 04 15:22:56.888750 osdx dnscrypt-proxy[167204]: Network connectivity detected
Dec 04 15:22:56.888789 osdx dnscrypt-proxy[167204]: Now listening to 127.0.0.1:53 [UDP]
Dec 04 15:22:56.888794 osdx dnscrypt-proxy[167204]: Now listening to 127.0.0.1:53 [TCP]
Dec 04 15:22:56.888825 osdx dnscrypt-proxy[167204]: Firefox workaround initialized
Dec 04 15:22:56.888831 osdx dnscrypt-proxy[167204]: Loading the set of cloaking rules from [/tmp/tmpb6q559jf]
Dec 04 15:22:56.908093 osdx OSDxCLI[44364]: User 'admin' left the configuration menu.
Dec 04 15:22:57.043930 osdx dnscrypt-proxy[167204]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Dec 04 15:22:57.043942 osdx dnscrypt-proxy[167204]: [RD] OK (DoH) - rtt: 124ms
Dec 04 15:22:57.043949 osdx dnscrypt-proxy[167204]: Server with the lowest initial latency: RD (rtt: 124ms)
Dec 04 15:22:57.043954 osdx dnscrypt-proxy[167204]: dnscrypt-proxy is ready - live servers: 1
Dec 04 15:22:57.057172 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 6
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Output:
Dec 04 15:22:57.247853 osdx systemd-journald[1574]: Runtime Journal (/run/log/journal/2754912ae611401eb118833e63cf0c07) is 2.0M, max 15.3M, 13.3M free.
Dec 04 15:22:57.249509 osdx systemd-journald[1574]: Received client request to rotate journal, rotating.
Dec 04 15:22:57.249578 osdx systemd-journald[1574]: Vacuuming done, freed 0B of archived journals from /run/log/journal/2754912ae611401eb118833e63cf0c07.
Dec 04 15:22:57.261200 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'system journal clear'.
Dec 04 15:22:57.523269 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu.
Dec 04 15:22:57.584741 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'delete'.
Dec 04 15:22:57.704294 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Dec 04 15:22:57.781307 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'.
Dec 04 15:22:57.877763 osdx dnscrypt-proxy[167204]: Stopped.
Dec 04 15:22:57.877851 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Dec 04 15:22:57.878804 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Dec 04 15:22:57.878937 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 04 15:22:57.982004 osdx ca-certificates[167309]: Clearing symlinks in /etc/ssl/certs...
Dec 04 15:22:58.272258 osdx ca-certificates[167878]: done.
Dec 04 15:22:58.275100 osdx ca-certificates[167888]: Updating certificates in /etc/ssl/certs...
Dec 04 15:22:58.740398 osdx ca-certificates[168738]: 140 added, 0 removed; done.
Dec 04 15:22:58.743520 osdx ca-certificates[168745]: Running hooks in /etc/ca-certificates/update.d...
Dec 04 15:22:58.746210 osdx ca-certificates[168747]: done.
Dec 04 15:22:58.776134 osdx cfgd[1239]: [44364]Completed change to active configuration
Dec 04 15:22:58.779135 osdx OSDxCLI[44364]: User 'admin' committed the configuration.
Dec 04 15:22:58.808489 osdx OSDxCLI[44364]: User 'admin' left the configuration menu.
Dec 04 15:22:59.951741 osdx OSDxCLI[44364]: User 'admin' entered the configuration menu.
Dec 04 15:23:00.007050 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 04 15:23:00.101717 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 04 15:23:00.167114 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 04 15:23:00.259904 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 04 15:23:00.323854 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'.
Dec 04 15:23:00.447527 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Dec 04 15:23:00.534048 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Dec 04 15:23:00.632595 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 04 15:23:00.702404 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 04 15:23:00.988936 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 04 15:23:01.059753 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'show working'.
Dec 04 15:23:01.179470 osdx ca-certificates[168801]: Updating certificates in /etc/ssl/certs...
Dec 04 15:23:01.709176 osdx ca-certificates[169811]: 1 added, 0 removed; done.
Dec 04 15:23:01.712011 osdx ca-certificates[169817]: Running hooks in /etc/ca-certificates/update.d...
Dec 04 15:23:01.715906 osdx ca-certificates[169819]: done.
Dec 04 15:23:01.733505 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 04 15:23:01.905910 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 04 15:23:01.907375 osdx cfgd[1239]: [44364]Completed change to active configuration
Dec 04 15:23:01.925375 osdx dnscrypt-proxy[169882]: dnscrypt-proxy 2.0.45
Dec 04 15:23:01.925560 osdx dnscrypt-proxy[169882]: Network connectivity detected
Dec 04 15:23:01.925796 osdx dnscrypt-proxy[169882]: Dropping privileges
Dec 04 15:23:01.928465 osdx dnscrypt-proxy[169882]: Network connectivity detected
Dec 04 15:23:01.928498 osdx dnscrypt-proxy[169882]: Now listening to 127.0.0.1:53 [UDP]
Dec 04 15:23:01.928503 osdx dnscrypt-proxy[169882]: Now listening to 127.0.0.1:53 [TCP]
Dec 04 15:23:01.928522 osdx dnscrypt-proxy[169882]: Firefox workaround initialized
Dec 04 15:23:01.928526 osdx dnscrypt-proxy[169882]: Loading the set of cloaking rules from [/tmp/tmpfglezve8]
Dec 04 15:23:01.948817 osdx OSDxCLI[44364]: User 'admin' committed the configuration.
Dec 04 15:23:01.968786 osdx OSDxCLI[44364]: User 'admin' left the configuration menu.
Dec 04 15:23:02.068147 osdx dnscrypt-proxy[169882]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Dec 04 15:23:02.068173 osdx dnscrypt-proxy[169882]: [RD] OK (DoH) - rtt: 114ms
Dec 04 15:23:02.068184 osdx dnscrypt-proxy[169882]: Server with the lowest initial latency: RD (rtt: 114ms)
Dec 04 15:23:02.068191 osdx dnscrypt-proxy[169882]: dnscrypt-proxy is ready - live servers: 1
Dec 04 15:23:02.120777 osdx OSDxCLI[44364]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
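Step 3 of each example checks a decimal cipher-suite ID in the journal against the cipher list set in Step 1. The following added example (not part of the OSDx test suite or of dnscrypt-proxy) parses journal lines shaped like the ones above, resolves the ID to its IANA name with Go's crypto/tls, and reports whether the negotiated suite was one of the configured ones and which configured suites Go lists as insecure. It assumes the "TLS version" field is hexadecimal (303 read as 0x0303, TLS 1.2); the type and function names are illustrative.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"regexp"
	"strconv"
)

// sampleJournal holds three entries copied from the Example 3 journal above.
const sampleJournal = `Dec 04 15:22:35.145664 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Dec 04 15:22:35.239076 osdx OSDxCLI[44364]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Dec 04 15:22:36.708534 osdx dnscrypt-proxy[161849]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
`

var (
	// Cipher names as they appear in the committed configuration lines.
	cfgRe = regexp.MustCompile(`set service dns proxy cipher \d+ algorithm (\w+)`)
	// Handshake summary line written by dnscrypt-proxy for each resolver.
	hsRe = regexp.MustCompile(`\[(\w+)\] TLS version: ([0-9a-fA-F]+) - Protocol: (\S+) - Cipher suite: (\d+)`)
)

// Handshake is one parsed "TLS version ... Cipher suite" journal entry.
type Handshake struct {
	Server   string
	Version  uint16 // assumption: logged in hex, so "303" is 0x0303
	Protocol string
	SuiteID  uint16
	Suite    string // IANA name resolved from SuiteID
}

// Finding relates a negotiated suite to the configured cipher list.
type Finding struct {
	Handshake
	InConfig       bool     // negotiated suite is one of the configured ones
	Insecure       bool     // negotiated suite is on Go's insecure list
	WeakConfigured []string // configured suites on Go's insecure list
}

// ConfiguredCiphers returns the configured cipher names in journal order.
func ConfiguredCiphers(journal string) []string {
	var names []string
	for _, m := range cfgRe.FindAllStringSubmatch(journal, -1) {
		names = append(names, m[1])
	}
	return names
}

// ParseHandshakes extracts every handshake summary and names its suite.
func ParseHandshakes(journal string) ([]Handshake, error) {
	var out []Handshake
	for _, m := range hsRe.FindAllStringSubmatch(journal, -1) {
		ver, err := strconv.ParseUint(m[2], 16, 16)
		if err != nil {
			return nil, fmt.Errorf("bad TLS version %q: %w", m[2], err)
		}
		id, err := strconv.ParseUint(m[4], 10, 16)
		if err != nil {
			return nil, fmt.Errorf("bad cipher suite %q: %w", m[4], err)
		}
		out = append(out, Handshake{
			Server: m[1], Version: uint16(ver), Protocol: m[3],
			SuiteID: uint16(id), Suite: tls.CipherSuiteName(uint16(id)),
		})
	}
	return out, nil
}

// Audit checks each handshake in the journal against the configured list.
func Audit(journal string) ([]Finding, error) {
	handshakes, err := ParseHandshakes(journal)
	if err != nil {
		return nil, err
	}
	insecure := map[string]bool{}
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.Name] = true
	}
	allowed := map[string]bool{}
	var weak []string
	for _, name := range ConfiguredCiphers(journal) {
		allowed[name] = true
		if insecure[name] {
			weak = append(weak, name)
		}
	}
	var out []Finding
	for _, h := range handshakes {
		out = append(out, Finding{Handshake: h, InConfig: allowed[h.Suite],
			Insecure: insecure[h.Suite], WeakConfigured: weak})
	}
	return out, nil
}

func main() {
	findings, err := Audit(sampleJournal)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("[%s] TLS 0x%04x %s suite %d = %s configured=%t insecure=%t weak-in-config=%v\n",
			f.Server, f.Version, f.Protocol, f.SuiteID, f.Suite,
			f.InConfig, f.Insecure, f.WeakConfigured)
	}
}
```

A non-empty WeakConfigured list with InConfig true and Insecure false matches Examples 3 to 6: the legacy suite is listed first in the configuration but the connection ends up on the second, modern suite.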