Cipher

Test suite that validates the use of one or more ciphers to protect a DoH connection.

Single Valid Cipher

Description

Configures a single, valid cipher and tries to communicate with the server. No refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Output:
May 11 23:47:58.400616 osdx systemd-journald[118835]: Runtime Journal (/run/log/journal/f55f446d40464b198e70fbabb9c21674) is 2.0M, max 15.3M, 13.2M free.
May 11 23:47:58.401728 osdx systemd-journald[118835]: Received client request to rotate journal, rotating.
May 11 23:47:58.401823 osdx systemd-journald[118835]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f55f446d40464b198e70fbabb9c21674.
May 11 23:47:58.417758 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'system journal clear'.
May 11 23:47:58.956873 osdx osdx-coredump[318596]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 11 23:47:58.972766 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'system coredump delete all'.
May 11 23:47:59.752531 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:47:59.893978 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 11 23:48:00.026586 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 11 23:48:00.203099 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:48:00.405730 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 11 23:48:00.594948 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:48:00.653094 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:48:00.698029 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:48:00.913867 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
May 11 23:48:01.169541 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:48:01.297445 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 11 23:48:01.426078 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 11 23:48:01.538555 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 11 23:48:01.644055 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 11 23:48:01.775210 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e'.
May 11 23:48:01.872868 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
May 11 23:48:01.983618 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 11 23:48:02.101797 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 11 23:48:02.207946 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 11 23:48:02.351310 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:48:02.490703 osdx ca-certificates[318747]: Updating certificates in /etc/ssl/certs...
May 11 23:48:03.389086 osdx ca-certificates[319751]: 1 added, 0 removed; done.
May 11 23:48:03.393502 osdx ca-certificates[319757]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:48:03.397757 osdx ca-certificates[319759]: done.
May 11 23:48:03.498333 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:48:03.502056 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:48:03.512145 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:48:03.548652 osdx dnscrypt-proxy[319763]: dnscrypt-proxy 2.0.45
May 11 23:48:03.548747 osdx dnscrypt-proxy[319763]: Network connectivity detected
May 11 23:48:03.549064 osdx dnscrypt-proxy[319763]: Dropping privileges
May 11 23:48:03.553130 osdx dnscrypt-proxy[319763]: Network connectivity detected
May 11 23:48:03.553515 osdx dnscrypt-proxy[319763]: Now listening to 127.0.0.1:53 [UDP]
May 11 23:48:03.553602 osdx dnscrypt-proxy[319763]: Now listening to 127.0.0.1:53 [TCP]
May 11 23:48:03.553730 osdx dnscrypt-proxy[319763]: Firefox workaround initialized
May 11 23:48:03.553816 osdx dnscrypt-proxy[319763]: Loading the set of cloaking rules from [/tmp/tmpgxrt9r91]
May 11 23:48:03.557093 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:48:03.721304 osdx dnscrypt-proxy[319763]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
May 11 23:48:03.721522 osdx dnscrypt-proxy[319763]: [RD] OK (DoH) - rtt: 111ms
May 11 23:48:03.721631 osdx dnscrypt-proxy[319763]: Server with the lowest initial latency: RD (rtt: 111ms)
May 11 23:48:03.721732 osdx dnscrypt-proxy[319763]: dnscrypt-proxy is ready - live servers: 1
May 11 23:48:03.774835 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Multiple Valid Cipher

Description

Configures a valid cipher each time, and tries to communicate with the server. No refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Output:
May 11 23:48:14.465197 osdx systemd-journald[118835]: Runtime Journal (/run/log/journal/f55f446d40464b198e70fbabb9c21674) is 2.0M, max 15.3M, 13.3M free.
May 11 23:48:14.467214 osdx systemd-journald[118835]: Received client request to rotate journal, rotating.
May 11 23:48:14.467285 osdx systemd-journald[118835]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f55f446d40464b198e70fbabb9c21674.
May 11 23:48:14.483199 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'system journal clear'.
May 11 23:48:14.971833 osdx osdx-coredump[321390]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 11 23:48:14.983385 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'system coredump delete all'.
May 11 23:48:15.725728 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:48:15.841252 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 11 23:48:15.945065 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 11 23:48:16.091144 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:48:16.219242 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 11 23:48:16.380429 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:48:16.427361 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:48:16.453718 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:48:16.653036 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
May 11 23:48:16.873666 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:48:17.004165 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 11 23:48:17.141100 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 11 23:48:17.269096 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 11 23:48:17.380852 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 11 23:48:17.571038 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e'.
May 11 23:48:17.678049 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
May 11 23:48:17.781058 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 11 23:48:17.897288 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 11 23:48:17.995054 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 11 23:48:18.173900 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:48:18.313908 osdx ca-certificates[321535]: Updating certificates in /etc/ssl/certs...
May 11 23:48:19.164668 osdx ca-certificates[322539]: 1 added, 0 removed; done.
May 11 23:48:19.170822 osdx ca-certificates[322545]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:48:19.175052 osdx ca-certificates[322547]: done.
May 11 23:48:19.279775 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:48:19.282700 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:48:19.288653 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:48:19.313624 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:48:19.324958 osdx dnscrypt-proxy[322551]: dnscrypt-proxy 2.0.45
May 11 23:48:19.325048 osdx dnscrypt-proxy[322551]: Network connectivity detected
May 11 23:48:19.325362 osdx dnscrypt-proxy[322551]: Dropping privileges
May 11 23:48:19.328317 osdx dnscrypt-proxy[322551]: Network connectivity detected
May 11 23:48:19.328412 osdx dnscrypt-proxy[322551]: Now listening to 127.0.0.1:53 [UDP]
May 11 23:48:19.328422 osdx dnscrypt-proxy[322551]: Now listening to 127.0.0.1:53 [TCP]
May 11 23:48:19.328464 osdx dnscrypt-proxy[322551]: Firefox workaround initialized
May 11 23:48:19.328474 osdx dnscrypt-proxy[322551]: Loading the set of cloaking rules from [/tmp/tmpx5bxjpo7]
May 11 23:48:19.481401 osdx dnscrypt-proxy[322551]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
May 11 23:48:19.481423 osdx dnscrypt-proxy[322551]: [RD] OK (DoH) - rtt: 112ms
May 11 23:48:19.481434 osdx dnscrypt-proxy[322551]: Server with the lowest initial latency: RD (rtt: 112ms)
May 11 23:48:19.481440 osdx dnscrypt-proxy[322551]: dnscrypt-proxy is ready - live servers: 1
May 11 23:48:19.526599 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 2

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49200
Output:
May 11 23:48:19.805031 osdx systemd-journald[118835]: Runtime Journal (/run/log/journal/f55f446d40464b198e70fbabb9c21674) is 2.0M, max 15.3M, 13.3M free.
May 11 23:48:19.807220 osdx systemd-journald[118835]: Received client request to rotate journal, rotating.
May 11 23:48:19.807282 osdx systemd-journald[118835]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f55f446d40464b198e70fbabb9c21674.
May 11 23:48:19.822266 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'system journal clear'.
May 11 23:48:20.255096 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:48:20.344215 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'delete'.
May 11 23:48:20.453290 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
May 11 23:48:20.576912 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:48:20.697235 osdx dnscrypt-proxy[322551]: Stopped.
May 11 23:48:20.697370 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
May 11 23:48:20.698696 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
May 11 23:48:20.698986 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:48:20.876663 osdx ca-certificates[322641]: Clearing symlinks in /etc/ssl/certs...
May 11 23:48:21.322599 osdx ca-certificates[323211]: done.
May 11 23:48:21.327271 osdx ca-certificates[323220]: Updating certificates in /etc/ssl/certs...
May 11 23:48:22.029103 osdx ca-certificates[324070]: 140 added, 0 removed; done.
May 11 23:48:22.034954 osdx ca-certificates[324077]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:48:22.039515 osdx ca-certificates[324079]: done.
May 11 23:48:22.080537 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:48:22.085063 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:48:22.137275 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:48:23.989585 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:48:24.120571 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 11 23:48:24.248526 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 11 23:48:24.359953 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 11 23:48:24.473547 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 11 23:48:24.612602 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e'.
May 11 23:48:24.781563 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
May 11 23:48:24.963138 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 11 23:48:25.117411 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 11 23:48:25.247452 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 11 23:48:25.432886 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:48:25.599501 osdx ca-certificates[324133]: Updating certificates in /etc/ssl/certs...
May 11 23:48:26.547299 osdx ca-certificates[325137]: 1 added, 0 removed; done.
May 11 23:48:26.551823 osdx ca-certificates[325143]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:48:26.557879 osdx ca-certificates[325145]: done.
May 11 23:48:26.587212 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 11 23:48:26.872108 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:48:26.876614 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:48:26.905445 osdx dnscrypt-proxy[325208]: dnscrypt-proxy 2.0.45
May 11 23:48:26.905540 osdx dnscrypt-proxy[325208]: Network connectivity detected
May 11 23:48:26.905871 osdx dnscrypt-proxy[325208]: Dropping privileges
May 11 23:48:26.909828 osdx dnscrypt-proxy[325208]: Network connectivity detected
May 11 23:48:26.909884 osdx dnscrypt-proxy[325208]: Now listening to 127.0.0.1:53 [UDP]
May 11 23:48:26.909893 osdx dnscrypt-proxy[325208]: Now listening to 127.0.0.1:53 [TCP]
May 11 23:48:26.909933 osdx dnscrypt-proxy[325208]: Firefox workaround initialized
May 11 23:48:26.909941 osdx dnscrypt-proxy[325208]: Loading the set of cloaking rules from [/tmp/tmpxn9tuzgo]
May 11 23:48:26.927623 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:48:26.988965 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:48:27.094502 osdx dnscrypt-proxy[325208]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
May 11 23:48:27.094537 osdx dnscrypt-proxy[325208]: [RD] OK (DoH) - rtt: 119ms
May 11 23:48:27.094552 osdx dnscrypt-proxy[325208]: Server with the lowest initial latency: RD (rtt: 119ms)
May 11 23:48:27.094561 osdx dnscrypt-proxy[325208]: dnscrypt-proxy is ready - live servers: 1
May 11 23:48:27.213943 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 3

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 52392
Output:
May 11 23:48:27.588125 osdx systemd-journald[118835]: Runtime Journal (/run/log/journal/f55f446d40464b198e70fbabb9c21674) is 2.0M, max 15.3M, 13.3M free.
May 11 23:48:27.591228 osdx systemd-journald[118835]: Received client request to rotate journal, rotating.
May 11 23:48:27.591292 osdx systemd-journald[118835]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f55f446d40464b198e70fbabb9c21674.
May 11 23:48:27.604500 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'system journal clear'.
May 11 23:48:28.157323 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:48:28.278426 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'delete'.
May 11 23:48:28.428579 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
May 11 23:48:28.533122 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:48:28.664512 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
May 11 23:48:28.665073 osdx dnscrypt-proxy[325208]: Stopped.
May 11 23:48:28.668761 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
May 11 23:48:28.668960 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:48:28.843236 osdx ca-certificates[325313]: Clearing symlinks in /etc/ssl/certs...
May 11 23:48:29.312722 osdx ca-certificates[325882]: done.
May 11 23:48:29.318287 osdx ca-certificates[325891]: Updating certificates in /etc/ssl/certs...
May 11 23:48:30.134101 osdx ca-certificates[326747]: 140 added, 0 removed; done.
May 11 23:48:30.139311 osdx ca-certificates[326749]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:48:30.145790 osdx ca-certificates[326751]: done.
May 11 23:48:30.195328 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:48:30.198973 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:48:30.233531 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:48:32.187140 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:48:32.310724 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 11 23:48:32.438703 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 11 23:48:32.573029 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 11 23:48:32.676817 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 11 23:48:32.830200 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e'.
May 11 23:48:32.954692 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
May 11 23:48:33.084374 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 11 23:48:33.239348 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 11 23:48:33.350854 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 11 23:48:33.544492 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:48:33.723695 osdx ca-certificates[326806]: Updating certificates in /etc/ssl/certs...
May 11 23:48:34.606794 osdx ca-certificates[327810]: 1 added, 0 removed; done.
May 11 23:48:34.611135 osdx ca-certificates[327816]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:48:34.617155 osdx ca-certificates[327818]: done.
May 11 23:48:34.643222 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 11 23:48:34.928030 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:48:34.930472 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:48:34.956592 osdx dnscrypt-proxy[327881]: dnscrypt-proxy 2.0.45
May 11 23:48:34.956686 osdx dnscrypt-proxy[327881]: Network connectivity detected
May 11 23:48:34.957001 osdx dnscrypt-proxy[327881]: Dropping privileges
May 11 23:48:34.962079 osdx dnscrypt-proxy[327881]: Network connectivity detected
May 11 23:48:34.962131 osdx dnscrypt-proxy[327881]: Now listening to 127.0.0.1:53 [UDP]
May 11 23:48:34.962140 osdx dnscrypt-proxy[327881]: Now listening to 127.0.0.1:53 [TCP]
May 11 23:48:34.962181 osdx dnscrypt-proxy[327881]: Firefox workaround initialized
May 11 23:48:34.962189 osdx dnscrypt-proxy[327881]: Loading the set of cloaking rules from [/tmp/tmpol2yj7om]
May 11 23:48:34.986794 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:48:35.042188 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:48:35.139972 osdx dnscrypt-proxy[327881]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
May 11 23:48:35.139994 osdx dnscrypt-proxy[327881]: [RD] OK (DoH) - rtt: 107ms
May 11 23:48:35.140003 osdx dnscrypt-proxy[327881]: Server with the lowest initial latency: RD (rtt: 107ms)
May 11 23:48:35.140009 osdx dnscrypt-proxy[327881]: dnscrypt-proxy is ready - live servers: 1
May 11 23:48:35.282708 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Single Invalid Cipher

Description

Configures a single, invalid cipher and tries to communicate with the server. A refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
May 11 23:48:47.518818 osdx systemd-journald[118835]: Runtime Journal (/run/log/journal/f55f446d40464b198e70fbabb9c21674) is 3.8M, max 15.3M, 11.5M free.
May 11 23:48:47.519746 osdx systemd-journald[118835]: Received client request to rotate journal, rotating.
May 11 23:48:47.519799 osdx systemd-journald[118835]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f55f446d40464b198e70fbabb9c21674.
May 11 23:48:47.534524 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'system journal clear'.
May 11 23:48:48.042639 osdx osdx-coredump[329526]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 11 23:48:48.056495 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'system coredump delete all'.
May 11 23:48:48.910003 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:48:49.072570 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 11 23:48:49.184670 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 11 23:48:49.329428 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:48:49.519795 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 11 23:48:49.700200 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:48:49.743635 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:48:49.793268 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:48:49.977929 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
May 11 23:48:50.206801 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:48:50.328300 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 11 23:48:50.426495 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 11 23:48:50.554967 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 11 23:48:50.653714 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 11 23:48:50.785397 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e'.
May 11 23:48:50.914381 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
May 11 23:48:51.049740 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 11 23:48:51.182765 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 11 23:48:51.339098 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 11 23:48:51.522054 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:48:51.746711 osdx ca-certificates[329671]: Updating certificates in /etc/ssl/certs...
May 11 23:48:52.665706 osdx ca-certificates[330675]: 1 added, 0 removed; done.
May 11 23:48:52.670365 osdx ca-certificates[330681]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:48:52.676036 osdx ca-certificates[330683]: done.
May 11 23:48:52.768269 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:48:52.770451 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:48:52.773814 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:48:52.802134 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:48:52.809498 osdx dnscrypt-proxy[330687]: dnscrypt-proxy 2.0.45
May 11 23:48:52.809601 osdx dnscrypt-proxy[330687]: Network connectivity detected
May 11 23:48:52.809926 osdx dnscrypt-proxy[330687]: Dropping privileges
May 11 23:48:52.813142 osdx dnscrypt-proxy[330687]: Network connectivity detected
May 11 23:48:52.813184 osdx dnscrypt-proxy[330687]: Now listening to 127.0.0.1:53 [UDP]
May 11 23:48:52.813191 osdx dnscrypt-proxy[330687]: Now listening to 127.0.0.1:53 [TCP]
May 11 23:48:52.813219 osdx dnscrypt-proxy[330687]: Firefox workaround initialized
May 11 23:48:52.813225 osdx dnscrypt-proxy[330687]: Loading the set of cloaking rules from [/tmp/tmptgokrjnq]
May 11 23:48:52.814194 osdx dnscrypt-proxy[330687]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file

Multiple Invalid Cipher

Description

Configures either one or two invalid ciphers and tries to communicate with the server. A refusal of all proposed ciphers is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Show output
May 11 23:49:03.431954 osdx systemd-journald[118835]: Runtime Journal (/run/log/journal/f55f446d40464b198e70fbabb9c21674) is 2.0M, max 15.3M, 13.3M free.
May 11 23:49:03.435782 osdx systemd-journald[118835]: Received client request to rotate journal, rotating.
May 11 23:49:03.435889 osdx systemd-journald[118835]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f55f446d40464b198e70fbabb9c21674.
May 11 23:49:03.451039 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'system journal clear'.
May 11 23:49:04.326809 osdx osdx-coredump[332316]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 11 23:49:04.359127 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'system coredump delete all'.
May 11 23:49:05.251985 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:49:05.429139 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 11 23:49:05.567585 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 11 23:49:05.774078 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:49:05.919726 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 11 23:49:06.085591 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:49:06.131218 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:49:06.162774 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:49:06.393144 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
May 11 23:49:06.715563 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:49:06.833953 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 11 23:49:06.974832 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 11 23:49:07.124242 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 11 23:49:07.250831 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 11 23:49:07.378269 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e'.
May 11 23:49:07.497787 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
May 11 23:49:07.642616 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 11 23:49:07.780913 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 11 23:49:07.892541 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 11 23:49:08.054484 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:49:08.182049 osdx ca-certificates[332461]: Updating certificates in /etc/ssl/certs...
May 11 23:49:09.190868 osdx ca-certificates[333466]: 1 added, 0 removed; done.
May 11 23:49:09.199333 osdx ca-certificates[333471]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:49:09.207488 osdx ca-certificates[333473]: done.
May 11 23:49:09.328374 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:49:09.330535 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:49:09.341856 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:49:09.369876 osdx dnscrypt-proxy[333477]: dnscrypt-proxy 2.0.45
May 11 23:49:09.370263 osdx dnscrypt-proxy[333477]: Network connectivity detected
May 11 23:49:09.370563 osdx dnscrypt-proxy[333477]: Dropping privileges
May 11 23:49:09.373734 osdx dnscrypt-proxy[333477]: Network connectivity detected
May 11 23:49:09.373772 osdx dnscrypt-proxy[333477]: Now listening to 127.0.0.1:53 [UDP]
May 11 23:49:09.373778 osdx dnscrypt-proxy[333477]: Now listening to 127.0.0.1:53 [TCP]
May 11 23:49:09.373804 osdx dnscrypt-proxy[333477]: Firefox workaround initialized
May 11 23:49:09.373809 osdx dnscrypt-proxy[333477]: Loading the set of cloaking rules from [/tmp/tmpo2ip81ms]
May 11 23:49:09.375067 osdx dnscrypt-proxy[333477]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
May 11 23:49:09.414943 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:49:09.550933 osdx dnscrypt-proxy[333477]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
May 11 23:49:09.550963 osdx dnscrypt-proxy[333477]: [RD] OK (DoH) - rtt: 123ms
May 11 23:49:09.550980 osdx dnscrypt-proxy[333477]: Server with the lowest initial latency: RD (rtt: 123ms)
May 11 23:49:09.551017 osdx dnscrypt-proxy[333477]: dnscrypt-proxy is ready - live servers: 1

Example 2

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Show output
May 11 23:49:09.885996 osdx systemd-journald[118835]: Runtime Journal (/run/log/journal/f55f446d40464b198e70fbabb9c21674) is 2.0M, max 15.3M, 13.3M free.
May 11 23:49:09.887761 osdx systemd-journald[118835]: Received client request to rotate journal, rotating.
May 11 23:49:09.887823 osdx systemd-journald[118835]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f55f446d40464b198e70fbabb9c21674.
May 11 23:49:09.900934 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'system journal clear'.
May 11 23:49:10.523466 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:49:10.642449 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'delete'.
May 11 23:49:10.781236 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
May 11 23:49:10.899565 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:49:11.064251 osdx dnscrypt-proxy[333477]: Stopped.
May 11 23:49:11.064386 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
May 11 23:49:11.065851 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
May 11 23:49:11.066073 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:49:11.219958 osdx ca-certificates[333561]: Clearing symlinks in /etc/ssl/certs...
May 11 23:49:11.687702 osdx ca-certificates[334130]: done.
May 11 23:49:11.693465 osdx ca-certificates[334139]: Updating certificates in /etc/ssl/certs...
May 11 23:49:12.538532 osdx ca-certificates[334995]: 140 added, 0 removed; done.
May 11 23:49:12.545359 osdx ca-certificates[334997]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:49:12.551645 osdx ca-certificates[334999]: done.
May 11 23:49:12.613003 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:49:12.616337 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:49:12.662636 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:49:14.899490 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:49:15.015293 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 11 23:49:15.185149 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 11 23:49:15.325781 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 11 23:49:15.483846 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 11 23:49:15.641752 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e'.
May 11 23:49:15.757027 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
May 11 23:49:15.873896 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 11 23:49:15.986954 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 11 23:49:16.079212 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 11 23:49:16.224543 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:49:16.368852 osdx ca-certificates[335053]: Updating certificates in /etc/ssl/certs...
May 11 23:49:17.253485 osdx ca-certificates[336056]: 1 added, 0 removed; done.
May 11 23:49:17.258865 osdx ca-certificates[336060]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:49:17.263392 osdx ca-certificates[336065]: done.
May 11 23:49:17.287720 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 11 23:49:17.568812 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:49:17.573732 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:49:17.649940 osdx dnscrypt-proxy[336128]: dnscrypt-proxy 2.0.45
May 11 23:49:17.650041 osdx dnscrypt-proxy[336128]: Network connectivity detected
May 11 23:49:17.650387 osdx dnscrypt-proxy[336128]: Dropping privileges
May 11 23:49:17.654916 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:49:17.656117 osdx dnscrypt-proxy[336128]: Network connectivity detected
May 11 23:49:17.656173 osdx dnscrypt-proxy[336128]: Now listening to 127.0.0.1:53 [UDP]
May 11 23:49:17.656183 osdx dnscrypt-proxy[336128]: Now listening to 127.0.0.1:53 [TCP]
May 11 23:49:17.656224 osdx dnscrypt-proxy[336128]: Firefox workaround initialized
May 11 23:49:17.656234 osdx dnscrypt-proxy[336128]: Loading the set of cloaking rules from [/tmp/tmpsqpm7dc8]
May 11 23:49:17.659362 osdx dnscrypt-proxy[336128]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
May 11 23:49:17.721613 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:49:17.865501 osdx dnscrypt-proxy[336128]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
May 11 23:49:17.865527 osdx dnscrypt-proxy[336128]: [RD] OK (DoH) - rtt: 127ms
May 11 23:49:17.865542 osdx dnscrypt-proxy[336128]: Server with the lowest initial latency: RD (rtt: 127ms)
May 11 23:49:17.865551 osdx dnscrypt-proxy[336128]: dnscrypt-proxy is ready - live servers: 1

Example 3

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Show output
May 11 23:49:18.145439 osdx systemd-journald[118835]: Runtime Journal (/run/log/journal/f55f446d40464b198e70fbabb9c21674) is 2.0M, max 15.3M, 13.3M free.
May 11 23:49:18.147731 osdx systemd-journald[118835]: Received client request to rotate journal, rotating.
May 11 23:49:18.147823 osdx systemd-journald[118835]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f55f446d40464b198e70fbabb9c21674.
May 11 23:49:18.165639 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'system journal clear'.
May 11 23:49:18.621075 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:49:18.742421 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'delete'.
May 11 23:49:18.901907 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
May 11 23:49:19.006519 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:49:19.149578 osdx dnscrypt-proxy[336128]: Stopped.
May 11 23:49:19.149718 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
May 11 23:49:19.151531 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
May 11 23:49:19.151749 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:49:19.307946 osdx ca-certificates[336227]: Clearing symlinks in /etc/ssl/certs...
May 11 23:49:19.720399 osdx ca-certificates[336797]: done.
May 11 23:49:19.725500 osdx ca-certificates[336804]: Updating certificates in /etc/ssl/certs...
May 11 23:49:20.430048 osdx ca-certificates[337657]: 140 added, 0 removed; done.
May 11 23:49:20.434220 osdx ca-certificates[337663]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:49:20.438746 osdx ca-certificates[337665]: done.
May 11 23:49:20.490445 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:49:20.494946 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:49:20.521920 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:49:22.745682 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:49:22.881650 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 11 23:49:23.006323 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 11 23:49:23.148940 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 11 23:49:23.277651 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 11 23:49:23.416451 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e'.
May 11 23:49:23.537548 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
May 11 23:49:23.641008 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
May 11 23:49:23.747318 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 11 23:49:23.867417 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 11 23:49:23.976346 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 11 23:49:24.115117 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:49:24.272430 osdx ca-certificates[337720]: Updating certificates in /etc/ssl/certs...
May 11 23:49:25.309473 osdx ca-certificates[338724]: 1 added, 0 removed; done.
May 11 23:49:25.315885 osdx ca-certificates[338727]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:49:25.321875 osdx ca-certificates[338732]: done.
May 11 23:49:25.351808 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 11 23:49:25.644586 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:49:25.648384 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:49:25.685768 osdx dnscrypt-proxy[338795]: dnscrypt-proxy 2.0.45
May 11 23:49:25.685862 osdx dnscrypt-proxy[338795]: Network connectivity detected
May 11 23:49:25.686175 osdx dnscrypt-proxy[338795]: Dropping privileges
May 11 23:49:25.691871 osdx dnscrypt-proxy[338795]: Network connectivity detected
May 11 23:49:25.692271 osdx dnscrypt-proxy[338795]: Now listening to 127.0.0.1:53 [UDP]
May 11 23:49:25.692378 osdx dnscrypt-proxy[338795]: Now listening to 127.0.0.1:53 [TCP]
May 11 23:49:25.692502 osdx dnscrypt-proxy[338795]: Firefox workaround initialized
May 11 23:49:25.692611 osdx dnscrypt-proxy[338795]: Loading the set of cloaking rules from [/tmp/tmp651q59qe]
May 11 23:49:25.694162 osdx dnscrypt-proxy[338795]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
May 11 23:49:25.706794 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:49:25.752488 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:49:25.861987 osdx dnscrypt-proxy[338795]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
May 11 23:49:25.862015 osdx dnscrypt-proxy[338795]: [RD] OK (DoH) - rtt: 117ms
May 11 23:49:25.862028 osdx dnscrypt-proxy[338795]: Server with the lowest initial latency: RD (rtt: 117ms)
May 11 23:49:25.862037 osdx dnscrypt-proxy[338795]: dnscrypt-proxy is ready - live servers: 1
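
In the journal output of the three examples above, the handshake-failure token is followed by a session line reporting Cipher suite: 52392, which is none of the configured suites, so checking for the failure token alone does not show which suite ended up protecting the DoH connection. The following Python check is an added example, not part of the original test suite: it compares the configured suites with the suite reported in the journal. The function names and verdict strings are assumptions of this example, the numeric IDs are the IANA code points, and the sample lines are excerpts from this page.

```python
import re

# IANA TLS cipher suite code points for the suites that appear on this page.
SUITE_IDS = {
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,        # 49199
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xC030,        # 49200
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": 0xCCA8,  # 52392
}
SUITE_NAMES = {code: name for name, code in SUITE_IDS.items()}

CFG_RE = re.compile(r"set service dns proxy cipher (\d+) algorithm ([A-Z0-9_]+)")
SESSION_RE = re.compile(
    r"\[([^\]]+)\] TLS version: ([0-9a-fA-F]+) - Protocol: (\S+) - Cipher suite: (\d+)"
)
FAILURE_TOKEN = "TLS handshake failure"


def configured_suites(config_text):
    """Return the configured suite names ordered by their 'cipher N' index."""
    entries = sorted((int(i), name) for i, name in CFG_RE.findall(config_text))
    for _, name in entries:
        if name not in SUITE_IDS:
            raise ValueError("suite not in this example's table: " + name)
    return [name for _, name in entries]


def audit(config_text, journal_text):
    """Compare the suites in the configuration with what the journal reports."""
    configured = configured_suites(config_text)
    allowed = {SUITE_IDS[name] for name in configured}
    failure_seen = False
    sessions = []
    for line in journal_text.splitlines():
        if "dnscrypt-proxy[" not in line:
            continue  # only the proxy's own messages count as evidence
        if FAILURE_TOKEN in line:
            failure_seen = True
        match = SESSION_RE.search(line)
        if match:
            suite = int(match.group(4))
            sessions.append({
                "server": match.group(1),
                # Assumption: the version field is hexadecimal, so 303 is
                # read as 0x0303 (TLS 1.2).
                "tls_version": int(match.group(2), 16),
                "suite_id": suite,
                "suite_name": SUITE_NAMES.get(suite, "unknown (0x%04X)" % suite),
                "in_policy": suite in allowed,
            })
    if sessions and all(s["in_policy"] for s in sessions):
        verdict = "negotiated-configured-suite"
    elif sessions:
        verdict = "negotiated-outside-configured-list"
    elif failure_seen:
        verdict = "refused-no-session"
    else:
        verdict = "no-tls-evidence"
    return {"configured": configured, "handshake_failure": failure_seen,
            "sessions": sessions, "verdict": verdict}


# Configuration and journal lines excerpted from the examples on this page.
RC4_ONLY_CFG = "set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA"
RC4_THEN_AES_CFG = (
    RC4_ONLY_CFG + "\n"
    "set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
)
JOURNAL_INVALID = """\
May 11 23:49:09.375067 osdx dnscrypt-proxy[333477]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
May 11 23:49:09.550933 osdx dnscrypt-proxy[333477]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
May 11 23:49:09.550963 osdx dnscrypt-proxy[333477]: [RD] OK (DoH) - rtt: 123ms
"""
JOURNAL_FALLBACK = """\
May 11 23:49:43.340296 osdx dnscrypt-proxy[341596]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
May 11 23:49:43.340518 osdx dnscrypt-proxy[341596]: [RD] OK (DoH) - rtt: 111ms
"""
JOURNAL_FAILURE_ONLY = """\
May 11 23:48:52.814194 osdx dnscrypt-proxy[330687]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
"""

if __name__ == "__main__":
    for label, cfg, journal in (
        ("invalid only", RC4_ONLY_CFG, JOURNAL_INVALID),
        ("invalid + fallback", RC4_THEN_AES_CFG, JOURNAL_FALLBACK),
        ("failure line only", RC4_ONLY_CFG, JOURNAL_FAILURE_ONLY),
    ):
        result = audit(cfg, journal)
        suites = [s["suite_name"] for s in result["sessions"]]
        print(label, "->", result["verdict"], suites)
```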

Invalid Cipher With Fallback

Description

Configures an invalid cipher and a valid fallback cipher, then tries to communicate with the server. No refusal is expected, as long as the valid proposed cipher is the one used.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Show output
May 11 23:49:37.617990 osdx systemd-journald[118835]: Runtime Journal (/run/log/journal/f55f446d40464b198e70fbabb9c21674) is 2.0M, max 15.3M, 13.3M free.
May 11 23:49:37.620585 osdx systemd-journald[118835]: Received client request to rotate journal, rotating.
May 11 23:49:37.620730 osdx systemd-journald[118835]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f55f446d40464b198e70fbabb9c21674.
May 11 23:49:37.639039 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'system journal clear'.
May 11 23:49:38.230522 osdx osdx-coredump[340434]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 11 23:49:38.241128 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'system coredump delete all'.
May 11 23:49:38.909629 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:49:39.055705 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 11 23:49:39.153643 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 11 23:49:39.294089 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:49:39.452581 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 11 23:49:39.626822 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:49:39.668208 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:49:39.700015 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:49:39.977010 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
May 11 23:49:40.200950 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:49:40.325645 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 11 23:49:40.447351 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 11 23:49:40.561767 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 11 23:49:40.731478 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 11 23:49:40.879247 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e'.
May 11 23:49:41.048340 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
May 11 23:49:41.184514 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
May 11 23:49:41.381474 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 11 23:49:41.557432 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 11 23:49:41.726751 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 11 23:49:41.878093 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:49:42.039426 osdx ca-certificates[340580]: Updating certificates in /etc/ssl/certs...
May 11 23:49:42.970545 osdx ca-certificates[341584]: 1 added, 0 removed; done.
May 11 23:49:42.977608 osdx ca-certificates[341590]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:49:42.983754 osdx ca-certificates[341592]: done.
May 11 23:49:43.085292 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:49:43.089961 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:49:43.097403 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:49:43.124508 osdx dnscrypt-proxy[341596]: dnscrypt-proxy 2.0.45
May 11 23:49:43.124640 osdx dnscrypt-proxy[341596]: Network connectivity detected
May 11 23:49:43.124967 osdx dnscrypt-proxy[341596]: Dropping privileges
May 11 23:49:43.145969 osdx dnscrypt-proxy[341596]: Network connectivity detected
May 11 23:49:43.146025 osdx dnscrypt-proxy[341596]: Now listening to 127.0.0.1:53 [UDP]
May 11 23:49:43.146034 osdx dnscrypt-proxy[341596]: Now listening to 127.0.0.1:53 [TCP]
May 11 23:49:43.146074 osdx dnscrypt-proxy[341596]: Firefox workaround initialized
May 11 23:49:43.146081 osdx dnscrypt-proxy[341596]: Loading the set of cloaking rules from [/tmp/tmpx9hpeic9]
May 11 23:49:43.150904 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:49:43.340296 osdx dnscrypt-proxy[341596]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
May 11 23:49:43.340518 osdx dnscrypt-proxy[341596]: [RD] OK (DoH) - rtt: 111ms
May 11 23:49:43.340665 osdx dnscrypt-proxy[341596]: Server with the lowest initial latency: RD (rtt: 111ms)
May 11 23:49:43.340755 osdx dnscrypt-proxy[341596]: dnscrypt-proxy is ready - live servers: 1
May 11 23:49:43.375953 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 2

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49200
Show output
May 11 23:49:43.719065 osdx systemd-journald[118835]: Runtime Journal (/run/log/journal/f55f446d40464b198e70fbabb9c21674) is 2.0M, max 15.3M, 13.3M free.
May 11 23:49:43.720592 osdx systemd-journald[118835]: Received client request to rotate journal, rotating.
May 11 23:49:43.720670 osdx systemd-journald[118835]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f55f446d40464b198e70fbabb9c21674.
May 11 23:49:43.739216 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'system journal clear'.
May 11 23:49:44.241157 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:49:44.367872 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'delete'.
May 11 23:49:44.562777 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
May 11 23:49:44.700978 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:49:44.820689 osdx dnscrypt-proxy[341596]: Stopped.
May 11 23:49:44.820906 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
May 11 23:49:44.823209 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
May 11 23:49:44.823369 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:49:45.003908 osdx ca-certificates[341686]: Clearing symlinks in /etc/ssl/certs...
May 11 23:49:45.452820 osdx ca-certificates[342256]: done.
May 11 23:49:45.459557 osdx ca-certificates[342265]: Updating certificates in /etc/ssl/certs...
May 11 23:49:46.265041 osdx ca-certificates[343116]: 140 added, 0 removed; done.
May 11 23:49:46.271294 osdx ca-certificates[343122]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:49:46.277189 osdx ca-certificates[343124]: done.
May 11 23:49:46.339751 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:49:46.344198 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:49:46.372856 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:49:48.433538 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:49:48.624756 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 11 23:49:48.784395 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 11 23:49:48.934588 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 11 23:49:49.052306 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 11 23:49:49.204940 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e'.
May 11 23:49:49.296711 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
May 11 23:49:49.451985 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
May 11 23:49:49.562422 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 11 23:49:49.736817 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 11 23:49:49.828516 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 11 23:49:50.016683 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:49:50.154627 osdx ca-certificates[343179]: Updating certificates in /etc/ssl/certs...
May 11 23:49:51.026342 osdx ca-certificates[344183]: 1 added, 0 removed; done.
May 11 23:49:51.031531 osdx ca-certificates[344189]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:49:51.038285 osdx ca-certificates[344191]: done.
May 11 23:49:51.064570 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 11 23:49:51.341110 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:49:51.344743 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:49:51.386079 osdx dnscrypt-proxy[344254]: dnscrypt-proxy 2.0.45
May 11 23:49:51.386184 osdx dnscrypt-proxy[344254]: Network connectivity detected
May 11 23:49:51.386522 osdx dnscrypt-proxy[344254]: Dropping privileges
May 11 23:49:51.394752 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:49:51.397438 osdx dnscrypt-proxy[344254]: Network connectivity detected
May 11 23:49:51.397497 osdx dnscrypt-proxy[344254]: Now listening to 127.0.0.1:53 [UDP]
May 11 23:49:51.397505 osdx dnscrypt-proxy[344254]: Now listening to 127.0.0.1:53 [TCP]
May 11 23:49:51.397545 osdx dnscrypt-proxy[344254]: Firefox workaround initialized
May 11 23:49:51.397554 osdx dnscrypt-proxy[344254]: Loading the set of cloaking rules from [/tmp/tmp5kg54159]
May 11 23:49:51.432205 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:49:51.559333 osdx dnscrypt-proxy[344254]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
May 11 23:49:51.559355 osdx dnscrypt-proxy[344254]: [RD] OK (DoH) - rtt: 122ms
May 11 23:49:51.559367 osdx dnscrypt-proxy[344254]: Server with the lowest initial latency: RD (rtt: 122ms)
May 11 23:49:51.559373 osdx dnscrypt-proxy[344254]: dnscrypt-proxy is ready - live servers: 1
May 11 23:49:51.653995 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 3

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 52392
Output:
May 11 23:49:51.985076 osdx systemd-journald[118835]: Runtime Journal (/run/log/journal/f55f446d40464b198e70fbabb9c21674) is 2.0M, max 15.3M, 13.3M free.
May 11 23:49:51.988582 osdx systemd-journald[118835]: Received client request to rotate journal, rotating.
May 11 23:49:51.988661 osdx systemd-journald[118835]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f55f446d40464b198e70fbabb9c21674.
May 11 23:49:52.005760 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'system journal clear'.
May 11 23:49:52.530155 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:49:52.631570 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'delete'.
May 11 23:49:52.750497 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
May 11 23:49:52.881381 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:49:53.041269 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
May 11 23:49:53.042535 osdx dnscrypt-proxy[344254]: Stopped.
May 11 23:49:53.044814 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
May 11 23:49:53.045036 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:49:53.238796 osdx ca-certificates[344358]: Clearing symlinks in /etc/ssl/certs...
May 11 23:49:53.731502 osdx ca-certificates[344927]: done.
May 11 23:49:53.741708 osdx ca-certificates[344931]: Updating certificates in /etc/ssl/certs...
May 11 23:49:54.561718 osdx ca-certificates[345789]: 140 added, 0 removed; done.
May 11 23:49:54.566307 osdx ca-certificates[345794]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:49:54.572322 osdx ca-certificates[345796]: done.
May 11 23:49:54.629290 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:49:54.632743 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:49:54.686164 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:49:56.679274 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:49:56.781574 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 11 23:49:56.907537 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 11 23:49:57.081361 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 11 23:49:57.222708 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 11 23:49:57.384663 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e'.
May 11 23:49:57.522622 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
May 11 23:49:57.627864 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
May 11 23:49:57.769105 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 11 23:49:57.882215 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 11 23:49:57.995662 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 11 23:49:58.171096 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:49:58.339383 osdx ca-certificates[345851]: Updating certificates in /etc/ssl/certs...
May 11 23:49:59.322523 osdx ca-certificates[346853]: 1 added, 0 removed; done.
May 11 23:49:59.332256 osdx ca-certificates[346858]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:49:59.338961 osdx ca-certificates[346863]: done.
May 11 23:49:59.369321 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 11 23:49:59.725959 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:49:59.731303 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:49:59.782852 osdx dnscrypt-proxy[346926]: dnscrypt-proxy 2.0.45
May 11 23:49:59.782940 osdx dnscrypt-proxy[346926]: Network connectivity detected
May 11 23:49:59.783232 osdx dnscrypt-proxy[346926]: Dropping privileges
May 11 23:49:59.785704 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:49:59.787678 osdx dnscrypt-proxy[346926]: Network connectivity detected
May 11 23:49:59.787735 osdx dnscrypt-proxy[346926]: Now listening to 127.0.0.1:53 [UDP]
May 11 23:49:59.787744 osdx dnscrypt-proxy[346926]: Now listening to 127.0.0.1:53 [TCP]
May 11 23:49:59.787782 osdx dnscrypt-proxy[346926]: Firefox workaround initialized
May 11 23:49:59.787790 osdx dnscrypt-proxy[346926]: Loading the set of cloaking rules from [/tmp/tmp0lhu8nxi]
May 11 23:49:59.817400 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:49:59.968224 osdx dnscrypt-proxy[346926]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
May 11 23:49:59.968260 osdx dnscrypt-proxy[346926]: [RD] OK (DoH) - rtt: 123ms
May 11 23:49:59.968275 osdx dnscrypt-proxy[346926]: Server with the lowest initial latency: RD (rtt: 123ms)
May 11 23:49:59.968285 osdx dnscrypt-proxy[346926]: dnscrypt-proxy is ready - live servers: 1
May 11 23:50:00.046235 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 4

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Output:
May 11 23:50:00.367067 osdx systemd-journald[118835]: Runtime Journal (/run/log/journal/f55f446d40464b198e70fbabb9c21674) is 2.0M, max 15.3M, 13.3M free.
May 11 23:50:00.368567 osdx systemd-journald[118835]: Received client request to rotate journal, rotating.
May 11 23:50:00.368646 osdx systemd-journald[118835]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f55f446d40464b198e70fbabb9c21674.
May 11 23:50:00.387461 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'system journal clear'.
May 11 23:50:00.937106 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:50:01.081701 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'delete'.
May 11 23:50:01.267616 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
May 11 23:50:01.400069 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:50:01.523094 osdx dnscrypt-proxy[346926]: Stopped.
May 11 23:50:01.523221 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
May 11 23:50:01.525078 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
May 11 23:50:01.525311 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:50:01.702157 osdx ca-certificates[347032]: Clearing symlinks in /etc/ssl/certs...
May 11 23:50:02.153817 osdx ca-certificates[347606]: done.
May 11 23:50:02.159891 osdx ca-certificates[347615]: Updating certificates in /etc/ssl/certs...
May 11 23:50:02.931320 osdx ca-certificates[348466]: 140 added, 0 removed; done.
May 11 23:50:02.935778 osdx ca-certificates[348473]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:50:02.941616 osdx ca-certificates[348475]: done.
May 11 23:50:02.981969 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:50:02.984768 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:50:03.037179 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:50:05.221100 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:50:05.329960 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 11 23:50:05.470661 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 11 23:50:05.640400 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 11 23:50:05.730457 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 11 23:50:05.868852 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e'.
May 11 23:50:05.978683 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
May 11 23:50:06.100877 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
May 11 23:50:06.202899 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 11 23:50:06.349600 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 11 23:50:06.462402 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 11 23:50:06.628512 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:50:06.813113 osdx ca-certificates[348530]: Updating certificates in /etc/ssl/certs...
May 11 23:50:07.030020 osdx systemd[1]: systemd-timedated.service: Deactivated successfully.
May 11 23:50:07.676247 osdx ca-certificates[349536]: 1 added, 0 removed; done.
May 11 23:50:07.680764 osdx ca-certificates[349542]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:50:07.685529 osdx ca-certificates[349544]: done.
May 11 23:50:07.708569 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 11 23:50:08.037819 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:50:08.040014 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:50:08.079078 osdx dnscrypt-proxy[349607]: dnscrypt-proxy 2.0.45
May 11 23:50:08.079182 osdx dnscrypt-proxy[349607]: Network connectivity detected
May 11 23:50:08.079510 osdx dnscrypt-proxy[349607]: Dropping privileges
May 11 23:50:08.083207 osdx dnscrypt-proxy[349607]: Network connectivity detected
May 11 23:50:08.083263 osdx dnscrypt-proxy[349607]: Now listening to 127.0.0.1:53 [UDP]
May 11 23:50:08.083272 osdx dnscrypt-proxy[349607]: Now listening to 127.0.0.1:53 [TCP]
May 11 23:50:08.083312 osdx dnscrypt-proxy[349607]: Firefox workaround initialized
May 11 23:50:08.083320 osdx dnscrypt-proxy[349607]: Loading the set of cloaking rules from [/tmp/tmpr84fomxc]
May 11 23:50:08.098037 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:50:08.141377 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:50:08.259640 osdx dnscrypt-proxy[349607]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
May 11 23:50:08.259671 osdx dnscrypt-proxy[349607]: [RD] OK (DoH) - rtt: 120ms
May 11 23:50:08.259684 osdx dnscrypt-proxy[349607]: Server with the lowest initial latency: RD (rtt: 120ms)
May 11 23:50:08.259692 osdx dnscrypt-proxy[349607]: dnscrypt-proxy is ready - live servers: 1
May 11 23:50:08.346111 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 5

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49200
Output:
May 11 23:50:08.631671 osdx systemd-journald[118835]: Runtime Journal (/run/log/journal/f55f446d40464b198e70fbabb9c21674) is 2.0M, max 15.3M, 13.3M free.
May 11 23:50:08.632577 osdx systemd-journald[118835]: Received client request to rotate journal, rotating.
May 11 23:50:08.632647 osdx systemd-journald[118835]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f55f446d40464b198e70fbabb9c21674.
May 11 23:50:08.648624 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'system journal clear'.
May 11 23:50:09.080713 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:50:09.171302 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'delete'.
May 11 23:50:09.380257 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
May 11 23:50:09.532073 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:50:09.643464 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
May 11 23:50:09.643734 osdx dnscrypt-proxy[349607]: Stopped.
May 11 23:50:09.645165 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
May 11 23:50:09.645375 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:50:09.803437 osdx ca-certificates[349712]: Clearing symlinks in /etc/ssl/certs...
May 11 23:50:10.248611 osdx ca-certificates[350281]: done.
May 11 23:50:10.254714 osdx ca-certificates[350290]: Updating certificates in /etc/ssl/certs...
May 11 23:50:11.005779 osdx ca-certificates[351142]: 140 added, 0 removed; done.
May 11 23:50:11.011539 osdx ca-certificates[351148]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:50:11.015765 osdx ca-certificates[351150]: done.
May 11 23:50:11.068002 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:50:11.071207 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:50:11.109263 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:50:12.856791 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:50:13.023208 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 11 23:50:13.114701 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 11 23:50:13.220273 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 11 23:50:13.305446 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 11 23:50:13.427785 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e'.
May 11 23:50:13.515701 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
May 11 23:50:13.610773 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
May 11 23:50:13.698712 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 11 23:50:13.806131 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 11 23:50:13.888043 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 11 23:50:14.029249 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:50:14.172842 osdx ca-certificates[351205]: Updating certificates in /etc/ssl/certs...
May 11 23:50:14.994667 osdx ca-certificates[352208]: 1 added, 0 removed; done.
May 11 23:50:15.000884 osdx ca-certificates[352215]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:50:15.005554 osdx ca-certificates[352217]: done.
May 11 23:50:15.028580 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 11 23:50:15.269067 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:50:15.270868 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:50:15.313232 osdx dnscrypt-proxy[352280]: dnscrypt-proxy 2.0.45
May 11 23:50:15.313328 osdx dnscrypt-proxy[352280]: Network connectivity detected
May 11 23:50:15.313639 osdx dnscrypt-proxy[352280]: Dropping privileges
May 11 23:50:15.317627 osdx dnscrypt-proxy[352280]: Network connectivity detected
May 11 23:50:15.317670 osdx dnscrypt-proxy[352280]: Now listening to 127.0.0.1:53 [UDP]
May 11 23:50:15.317680 osdx dnscrypt-proxy[352280]: Now listening to 127.0.0.1:53 [TCP]
May 11 23:50:15.317716 osdx dnscrypt-proxy[352280]: Firefox workaround initialized
May 11 23:50:15.317724 osdx dnscrypt-proxy[352280]: Loading the set of cloaking rules from [/tmp/tmpf4qk9dvk]
May 11 23:50:15.320921 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:50:15.351832 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:50:15.480099 osdx dnscrypt-proxy[352280]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
May 11 23:50:15.480119 osdx dnscrypt-proxy[352280]: [RD] OK (DoH) - rtt: 116ms
May 11 23:50:15.480131 osdx dnscrypt-proxy[352280]: Server with the lowest initial latency: RD (rtt: 116ms)
May 11 23:50:15.480138 osdx dnscrypt-proxy[352280]: dnscrypt-proxy is ready - live servers: 1
May 11 23:50:15.567189 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 6

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 52392
Output:
May 11 23:50:15.897414 osdx systemd-journald[118835]: Runtime Journal (/run/log/journal/f55f446d40464b198e70fbabb9c21674) is 2.0M, max 15.3M, 13.3M free.
May 11 23:50:15.900566 osdx systemd-journald[118835]: Received client request to rotate journal, rotating.
May 11 23:50:15.900659 osdx systemd-journald[118835]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f55f446d40464b198e70fbabb9c21674.
May 11 23:50:15.915736 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'system journal clear'.
May 11 23:50:16.339804 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:50:16.434826 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'delete'.
May 11 23:50:16.583522 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
May 11 23:50:16.694669 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:50:16.812204 osdx dnscrypt-proxy[352280]: Stopped.
May 11 23:50:16.812330 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
May 11 23:50:16.814253 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
May 11 23:50:16.814478 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:50:16.962565 osdx ca-certificates[352386]: Clearing symlinks in /etc/ssl/certs...
May 11 23:50:17.418757 osdx ca-certificates[352955]: done.
May 11 23:50:17.425153 osdx ca-certificates[352965]: Updating certificates in /etc/ssl/certs...
May 11 23:50:18.160625 osdx ca-certificates[353816]: 140 added, 0 removed; done.
May 11 23:50:18.165115 osdx ca-certificates[353822]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:50:18.169953 osdx ca-certificates[353824]: done.
May 11 23:50:18.218799 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:50:18.221717 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:50:18.264900 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:50:20.066851 osdx OSDxCLI[242344]: User 'admin' entered the configuration menu.
May 11 23:50:20.198308 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 11 23:50:20.308006 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 11 23:50:20.441056 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 11 23:50:20.562328 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 11 23:50:20.665779 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e'.
May 11 23:50:20.760618 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
May 11 23:50:20.855734 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
May 11 23:50:20.944956 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 11 23:50:21.052380 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 11 23:50:21.179221 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 11 23:50:21.341205 osdx OSDxCLI[242344]: User 'admin' added a new cfg line: 'show working'.
May 11 23:50:21.522571 osdx ca-certificates[353879]: Updating certificates in /etc/ssl/certs...
May 11 23:50:22.417291 osdx ca-certificates[354882]: 1 added, 0 removed; done.
May 11 23:50:22.422709 osdx ca-certificates[354889]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:50:22.427386 osdx ca-certificates[354891]: done.
May 11 23:50:22.448580 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 11 23:50:22.745473 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:50:22.749504 osdx cfgd[1244]: [242344]Completed change to active configuration
May 11 23:50:22.791243 osdx dnscrypt-proxy[354954]: dnscrypt-proxy 2.0.45
May 11 23:50:22.792367 osdx dnscrypt-proxy[354954]: Network connectivity detected
May 11 23:50:22.793288 osdx dnscrypt-proxy[354954]: Dropping privileges
May 11 23:50:22.799615 osdx dnscrypt-proxy[354954]: Network connectivity detected
May 11 23:50:22.799675 osdx dnscrypt-proxy[354954]: Now listening to 127.0.0.1:53 [UDP]
May 11 23:50:22.799684 osdx dnscrypt-proxy[354954]: Now listening to 127.0.0.1:53 [TCP]
May 11 23:50:22.799722 osdx dnscrypt-proxy[354954]: Firefox workaround initialized
May 11 23:50:22.799730 osdx dnscrypt-proxy[354954]: Loading the set of cloaking rules from [/tmp/tmpkrdtbkc9]
May 11 23:50:22.817802 osdx OSDxCLI[242344]: User 'admin' committed the configuration.
May 11 23:50:22.867707 osdx OSDxCLI[242344]: User 'admin' left the configuration menu.
May 11 23:50:22.979244 osdx dnscrypt-proxy[354954]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
May 11 23:50:22.979271 osdx dnscrypt-proxy[354954]: [RD] OK (DoH) - rtt: 109ms
May 11 23:50:22.979284 osdx dnscrypt-proxy[354954]: Server with the lowest initial latency: RD (rtt: 109ms)
May 11 23:50:22.979292 osdx dnscrypt-proxy[354954]: dnscrypt-proxy is ready - live servers: 1
May 11 23:50:23.038043 osdx OSDxCLI[242344]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
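
The Step 3 check used in these examples can be automated. The following is an added example, not part of the original test suite: a Python script that extracts the negotiated cipher suite from dnscrypt-proxy journal lines, maps the decimal ID to its IANA name, and fails when a legacy suite (RC4, 3DES) was negotiated or when the suite is not in the configured list. The function names, the reading of `303` as hexadecimal 0x0303 (TLS 1.2), and the second journal sample are assumptions or constructed for illustration.

```python
import re

# IANA TLS cipher suite IDs for the suites that appear in these examples.
SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",        # 49199
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",        # 49200
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",  # 52392
}
# Legacy suites that should never be the negotiated result.
WEAK = {0x0005, 0x000A}
# Assumption: the "TLS version" field is logged in hexadecimal (303 -> 0x0303).
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

CFG_RE = re.compile(r"set service dns proxy cipher (\d+) algorithm (\w+)")
HS_RE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[(?P<server>[^\]]+)\] "
    r"TLS version: (?P<ver>[0-9a-fA-F]+) - Protocol: (?P<proto>\S+) - "
    r"Cipher suite: (?P<suite>\d+)"
)


def configured_suites(config_text):
    """Return the configured cipher names ordered by their cipher index."""
    entries = sorted((int(idx), name) for idx, name in CFG_RE.findall(config_text))
    return [name for _, name in entries]


def audit(config_text, journal_text):
    """Return one finding per TLS handshake line found in the journal."""
    allowed = configured_suites(config_text)
    findings = []
    for m in HS_RE.finditer(journal_text):
        suite_id = int(m["suite"])
        name = SUITES.get(suite_id, "unknown(0x%04X)" % suite_id)
        findings.append({
            "server": m["server"],
            "tls": TLS_VERSIONS.get(int(m["ver"], 16), "unknown"),
            "protocol": m["proto"],
            "suite": name,
            "in_config": name in allowed,
            "weak": suite_id in WEAK,
        })
    return findings


def verdict(finding):
    """PASS only if the negotiated suite is configured and not a legacy one."""
    if finding["weak"] or not finding["in_config"]:
        return "FAIL"
    return "PASS"


# Cipher lines from the Example 3 configuration on this page.
CONFIG = """\
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
"""

# Journal line taken from the Example 3 output on this page.
JOURNAL_FROM_PAGE = (
    "May 11 23:49:59.968224 osdx dnscrypt-proxy[346926]: "
    "[RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392\n"
)

# Constructed line (not from the page): what a negotiated RC4 suite would look like.
JOURNAL_CONSTRUCTED = (
    "May 11 23:49:59.968224 osdx dnscrypt-proxy[346926]: "
    "[RD] TLS version: 303 - Protocol: h2 - Cipher suite: 5\n"
)

if __name__ == "__main__":
    for label, journal in (("page", JOURNAL_FROM_PAGE),
                           ("constructed", JOURNAL_CONSTRUCTED)):
        for f in audit(CONFIG, journal):
            print(label, f["server"], f["tls"], f["suite"], verdict(f))
```
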