Cipher

Test suite that validates the use of one or more ciphers to protect the DoH connection.

Single Valid Cipher

Description

Configures a single, valid cipher and tries to communicate with the server. No refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Output:
Feb 03 12:04:00.442827 osdx systemd-journald[1936]: Runtime Journal (/run/log/journal/0b455e05fd8849079cae205af04c9e16) is 2.0M, max 15.3M, 13.2M free.
Feb 03 12:04:00.446263 osdx systemd-journald[1936]: Received client request to rotate journal, rotating.
Feb 03 12:04:00.446366 osdx systemd-journald[1936]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0b455e05fd8849079cae205af04c9e16.
Feb 03 12:04:00.457827 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'system journal clear'.
Feb 03 12:04:00.968663 osdx osdx-coredump[174369]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Feb 03 12:04:00.979890 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'system coredump delete all'.
Feb 03 12:04:01.797660 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:04:01.962633 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 03 12:04:02.054337 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 03 12:04:02.183143 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:04:02.316777 osdx INFO[174393]: FRR daemons did not change
Feb 03 12:04:02.338254 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 03 12:04:02.492204 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:04:02.529230 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:04:02.569531 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:04:02.753292 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Feb 03 12:04:02.993152 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:04:03.102657 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 03 12:04:03.225161 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Feb 03 12:04:03.339317 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Feb 03 12:04:03.432836 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Feb 03 12:04:03.561254 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840'.
Feb 03 12:04:03.658652 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Feb 03 12:04:03.777705 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Feb 03 12:04:03.910895 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 03 12:04:04.026000 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 03 12:04:04.197489 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:04:04.310164 osdx INFO[174510]: FRR daemons did not change
Feb 03 12:04:04.333267 osdx ca-certificates[174526]: Updating certificates in /etc/ssl/certs...
Feb 03 12:04:05.151037 osdx ca-certificates[175529]: 1 added, 0 removed; done.
Feb 03 12:04:05.157423 osdx ca-certificates[175536]: Running hooks in /etc/ca-certificates/update.d...
Feb 03 12:04:05.162186 osdx ca-certificates[175538]: done.
Feb 03 12:04:05.278805 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 03 12:04:05.282166 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:04:05.286570 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:04:05.313348 osdx dnscrypt-proxy[175542]: dnscrypt-proxy 2.0.45
Feb 03 12:04:05.313435 osdx dnscrypt-proxy[175542]: Network connectivity detected
Feb 03 12:04:05.313705 osdx dnscrypt-proxy[175542]: Dropping privileges
Feb 03 12:04:05.316550 osdx dnscrypt-proxy[175542]: Network connectivity detected
Feb 03 12:04:05.316869 osdx dnscrypt-proxy[175542]: Now listening to 127.0.0.1:53 [UDP]
Feb 03 12:04:05.316943 osdx dnscrypt-proxy[175542]: Now listening to 127.0.0.1:53 [TCP]
Feb 03 12:04:05.317041 osdx dnscrypt-proxy[175542]: Firefox workaround initialized
Feb 03 12:04:05.317108 osdx dnscrypt-proxy[175542]: Loading the set of cloaking rules from [/tmp/tmpsdvkxmks]
Feb 03 12:04:05.349046 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:04:05.719606 osdx dnscrypt-proxy[175542]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Feb 03 12:04:05.719625 osdx dnscrypt-proxy[175542]: [RD] OK (DoH) - rtt: 191ms
Feb 03 12:04:05.719637 osdx dnscrypt-proxy[175542]: Server with the lowest initial latency: RD (rtt: 191ms)
Feb 03 12:04:05.719647 osdx dnscrypt-proxy[175542]: dnscrypt-proxy is ready - live servers: 1
Feb 03 12:04:10.543259 osdx OSDxCLI[64814]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Feb 03 12:04:10.765853 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Multiple Valid Cipher

Description

Configures a different valid cipher in each example and tries to communicate with the server. No refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Output:
Feb 03 12:04:21.440269 osdx systemd-journald[1936]: Runtime Journal (/run/log/journal/0b455e05fd8849079cae205af04c9e16) is 2.0M, max 15.3M, 13.3M free.
Feb 03 12:04:21.442523 osdx systemd-journald[1936]: Received client request to rotate journal, rotating.
Feb 03 12:04:21.442593 osdx systemd-journald[1936]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0b455e05fd8849079cae205af04c9e16.
Feb 03 12:04:21.457710 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'system journal clear'.
Feb 03 12:04:22.010102 osdx osdx-coredump[177176]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Feb 03 12:04:22.023980 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'system coredump delete all'.
Feb 03 12:04:22.769309 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:04:22.894567 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 03 12:04:23.027341 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 03 12:04:23.183358 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:04:23.288927 osdx INFO[177197]: FRR daemons did not change
Feb 03 12:04:23.310582 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 03 12:04:23.474783 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:04:23.522979 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:04:23.550045 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:04:23.761908 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Feb 03 12:04:24.134657 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:04:24.269959 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 03 12:04:24.410747 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Feb 03 12:04:24.535759 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Feb 03 12:04:24.634488 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Feb 03 12:04:24.760246 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840'.
Feb 03 12:04:24.900813 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Feb 03 12:04:25.071249 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Feb 03 12:04:25.185612 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 03 12:04:25.300833 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 03 12:04:25.474397 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:04:25.595780 osdx INFO[177314]: FRR daemons did not change
Feb 03 12:04:25.614740 osdx ca-certificates[177330]: Updating certificates in /etc/ssl/certs...
Feb 03 12:04:26.451955 osdx ca-certificates[178333]: 1 added, 0 removed; done.
Feb 03 12:04:26.456274 osdx ca-certificates[178340]: Running hooks in /etc/ca-certificates/update.d...
Feb 03 12:04:26.460435 osdx ca-certificates[178342]: done.
Feb 03 12:04:26.551044 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 03 12:04:26.553943 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:04:26.556711 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:04:26.586773 osdx dnscrypt-proxy[178346]: dnscrypt-proxy 2.0.45
Feb 03 12:04:26.586873 osdx dnscrypt-proxy[178346]: Network connectivity detected
Feb 03 12:04:26.587167 osdx dnscrypt-proxy[178346]: Dropping privileges
Feb 03 12:04:26.592113 osdx dnscrypt-proxy[178346]: Network connectivity detected
Feb 03 12:04:26.592205 osdx dnscrypt-proxy[178346]: Now listening to 127.0.0.1:53 [UDP]
Feb 03 12:04:26.592214 osdx dnscrypt-proxy[178346]: Now listening to 127.0.0.1:53 [TCP]
Feb 03 12:04:26.592251 osdx dnscrypt-proxy[178346]: Firefox workaround initialized
Feb 03 12:04:26.592259 osdx dnscrypt-proxy[178346]: Loading the set of cloaking rules from [/tmp/tmpo_n9ajz8]
Feb 03 12:04:26.593379 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:04:26.814644 osdx dnscrypt-proxy[178346]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Feb 03 12:04:26.814667 osdx dnscrypt-proxy[178346]: [RD] OK (DoH) - rtt: 182ms
Feb 03 12:04:26.814683 osdx dnscrypt-proxy[178346]: Server with the lowest initial latency: RD (rtt: 182ms)
Feb 03 12:04:26.814693 osdx dnscrypt-proxy[178346]: dnscrypt-proxy is ready - live servers: 1
Feb 03 12:04:31.815820 osdx OSDxCLI[64814]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Feb 03 12:04:32.035354 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 2

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49200
Output:
Feb 03 12:04:32.336987 osdx systemd-journald[1936]: Runtime Journal (/run/log/journal/0b455e05fd8849079cae205af04c9e16) is 2.0M, max 15.3M, 13.3M free.
Feb 03 12:04:32.338531 osdx systemd-journald[1936]: Received client request to rotate journal, rotating.
Feb 03 12:04:32.338623 osdx systemd-journald[1936]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0b455e05fd8849079cae205af04c9e16.
Feb 03 12:04:32.350781 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'system journal clear'.
Feb 03 12:04:32.782158 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:04:32.900850 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'delete '.
Feb 03 12:04:33.041183 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Feb 03 12:04:33.154406 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:04:33.262490 osdx dnscrypt-proxy[178346]: Stopped.
Feb 03 12:04:33.262566 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Feb 03 12:04:33.263937 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Feb 03 12:04:33.264092 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 03 12:04:33.405517 osdx ca-certificates[178442]: Clearing symlinks in /etc/ssl/certs...
Feb 03 12:04:33.813943 osdx ca-certificates[179011]: done.
Feb 03 12:04:33.819284 osdx ca-certificates[179021]: Updating certificates in /etc/ssl/certs...
Feb 03 12:04:34.535449 osdx ca-certificates[179871]: 140 added, 0 removed; done.
Feb 03 12:04:34.539458 osdx ca-certificates[179878]: Running hooks in /etc/ca-certificates/update.d...
Feb 03 12:04:34.543920 osdx ca-certificates[179880]: done.
Feb 03 12:04:34.585055 osdx INFO[179883]: FRR daemons did not change
Feb 03 12:04:34.585433 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:04:34.588051 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:04:34.616798 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:04:36.327256 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:04:36.432455 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 03 12:04:36.555238 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Feb 03 12:04:36.705787 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Feb 03 12:04:36.837464 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Feb 03 12:04:36.954712 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840'.
Feb 03 12:04:37.101358 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Feb 03 12:04:37.199727 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Feb 03 12:04:37.318442 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 03 12:04:37.431849 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 03 12:04:37.582845 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:04:37.703532 osdx INFO[179922]: FRR daemons did not change
Feb 03 12:04:37.723184 osdx ca-certificates[179938]: Updating certificates in /etc/ssl/certs...
Feb 03 12:04:38.532700 osdx ca-certificates[180942]: 1 added, 0 removed; done.
Feb 03 12:04:38.538762 osdx ca-certificates[180948]: Running hooks in /etc/ca-certificates/update.d...
Feb 03 12:04:38.544191 osdx ca-certificates[180950]: done.
Feb 03 12:04:38.566548 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 03 12:04:38.819268 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 03 12:04:38.821680 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:04:38.861798 osdx dnscrypt-proxy[181013]: dnscrypt-proxy 2.0.45
Feb 03 12:04:38.861920 osdx dnscrypt-proxy[181013]: Network connectivity detected
Feb 03 12:04:38.862275 osdx dnscrypt-proxy[181013]: Dropping privileges
Feb 03 12:04:38.865938 osdx dnscrypt-proxy[181013]: Network connectivity detected
Feb 03 12:04:38.865998 osdx dnscrypt-proxy[181013]: Now listening to 127.0.0.1:53 [UDP]
Feb 03 12:04:38.866007 osdx dnscrypt-proxy[181013]: Now listening to 127.0.0.1:53 [TCP]
Feb 03 12:04:38.866049 osdx dnscrypt-proxy[181013]: Firefox workaround initialized
Feb 03 12:04:38.866058 osdx dnscrypt-proxy[181013]: Loading the set of cloaking rules from [/tmp/tmphpe2cz1j]
Feb 03 12:04:38.873747 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:04:38.923751 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:04:39.082312 osdx dnscrypt-proxy[181013]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Feb 03 12:04:39.082339 osdx dnscrypt-proxy[181013]: [RD] OK (DoH) - rtt: 174ms
Feb 03 12:04:39.082354 osdx dnscrypt-proxy[181013]: Server with the lowest initial latency: RD (rtt: 174ms)
Feb 03 12:04:39.082362 osdx dnscrypt-proxy[181013]: dnscrypt-proxy is ready - live servers: 1
Feb 03 12:04:39.118847 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 3

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 52392
Output:
Feb 03 12:04:39.396008 osdx systemd-journald[1936]: Runtime Journal (/run/log/journal/0b455e05fd8849079cae205af04c9e16) is 2.0M, max 15.3M, 13.3M free.
Feb 03 12:04:39.398532 osdx systemd-journald[1936]: Received client request to rotate journal, rotating.
Feb 03 12:04:39.398597 osdx systemd-journald[1936]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0b455e05fd8849079cae205af04c9e16.
Feb 03 12:04:39.412830 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'system journal clear'.
Feb 03 12:04:39.856479 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:04:39.965190 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'delete '.
Feb 03 12:04:40.107428 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Feb 03 12:04:40.221057 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:04:40.329438 osdx dnscrypt-proxy[181013]: Stopped.
Feb 03 12:04:40.329519 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Feb 03 12:04:40.331407 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Feb 03 12:04:40.331574 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 03 12:04:40.493433 osdx ca-certificates[181121]: Clearing symlinks in /etc/ssl/certs...
Feb 03 12:04:40.927380 osdx ca-certificates[181690]: done.
Feb 03 12:04:40.933569 osdx ca-certificates[181698]: Updating certificates in /etc/ssl/certs...
Feb 03 12:04:41.705661 osdx ca-certificates[182550]: 140 added, 0 removed; done.
Feb 03 12:04:41.710339 osdx ca-certificates[182557]: Running hooks in /etc/ca-certificates/update.d...
Feb 03 12:04:41.716122 osdx ca-certificates[182559]: done.
Feb 03 12:04:41.762290 osdx INFO[182562]: FRR daemons did not change
Feb 03 12:04:41.762997 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:04:41.765952 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:04:41.804985 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:04:43.577865 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:04:43.691667 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 03 12:04:43.838382 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Feb 03 12:04:43.957907 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Feb 03 12:04:44.065394 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Feb 03 12:04:44.184543 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840'.
Feb 03 12:04:44.286971 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Feb 03 12:04:44.387868 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Feb 03 12:04:44.515213 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 03 12:04:44.604918 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 03 12:04:44.731407 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:04:44.853497 osdx INFO[182601]: FRR daemons did not change
Feb 03 12:04:44.874102 osdx ca-certificates[182617]: Updating certificates in /etc/ssl/certs...
Feb 03 12:04:45.831173 osdx ca-certificates[183620]: 1 added, 0 removed; done.
Feb 03 12:04:45.835336 osdx ca-certificates[183627]: Running hooks in /etc/ca-certificates/update.d...
Feb 03 12:04:45.839667 osdx ca-certificates[183629]: done.
Feb 03 12:04:45.870530 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 03 12:04:46.147064 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 03 12:04:46.149691 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:04:46.191429 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:04:46.194192 osdx dnscrypt-proxy[183692]: dnscrypt-proxy 2.0.45
Feb 03 12:04:46.194270 osdx dnscrypt-proxy[183692]: Network connectivity detected
Feb 03 12:04:46.194596 osdx dnscrypt-proxy[183692]: Dropping privileges
Feb 03 12:04:46.198604 osdx dnscrypt-proxy[183692]: Network connectivity detected
Feb 03 12:04:46.198660 osdx dnscrypt-proxy[183692]: Now listening to 127.0.0.1:53 [UDP]
Feb 03 12:04:46.198667 osdx dnscrypt-proxy[183692]: Now listening to 127.0.0.1:53 [TCP]
Feb 03 12:04:46.198702 osdx dnscrypt-proxy[183692]: Firefox workaround initialized
Feb 03 12:04:46.198707 osdx dnscrypt-proxy[183692]: Loading the set of cloaking rules from [/tmp/tmprk97t0ng]
Feb 03 12:04:46.231829 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:04:46.384517 osdx dnscrypt-proxy[183692]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Feb 03 12:04:46.384535 osdx dnscrypt-proxy[183692]: [RD] OK (DoH) - rtt: 137ms
Feb 03 12:04:46.384544 osdx dnscrypt-proxy[183692]: Server with the lowest initial latency: RD (rtt: 137ms)
Feb 03 12:04:46.384550 osdx dnscrypt-proxy[183692]: dnscrypt-proxy is ready - live servers: 1
Feb 03 12:04:46.453424 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Single Invalid Cipher

Description

Configures a single, invalid cipher and tries to communicate with the server. A refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
Feb 03 12:04:57.503195 osdx systemd-journald[1936]: Runtime Journal (/run/log/journal/0b455e05fd8849079cae205af04c9e16) is 2.0M, max 15.3M, 13.3M free.
Feb 03 12:04:57.506364 osdx systemd-journald[1936]: Received client request to rotate journal, rotating.
Feb 03 12:04:57.506505 osdx systemd-journald[1936]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0b455e05fd8849079cae205af04c9e16.
Feb 03 12:04:57.522137 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'system journal clear'.
Feb 03 12:04:58.073504 osdx osdx-coredump[185345]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Feb 03 12:04:58.087758 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'system coredump delete all'.
Feb 03 12:04:58.878925 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:04:59.023788 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 03 12:04:59.137543 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 03 12:04:59.311235 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:04:59.438939 osdx INFO[185366]: FRR daemons did not change
Feb 03 12:04:59.462342 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 03 12:04:59.626550 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:04:59.666490 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:04:59.695755 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:04:59.916054 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Feb 03 12:05:00.326432 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:05:00.527726 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 03 12:05:00.644921 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Feb 03 12:05:00.770734 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Feb 03 12:05:00.878926 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Feb 03 12:05:01.001459 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840'.
Feb 03 12:05:01.105966 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Feb 03 12:05:01.227213 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Feb 03 12:05:01.401267 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 03 12:05:01.539043 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 03 12:05:01.774096 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:05:01.918192 osdx INFO[185486]: FRR daemons did not change
Feb 03 12:05:01.939990 osdx ca-certificates[185502]: Updating certificates in /etc/ssl/certs...
Feb 03 12:05:02.792810 osdx ca-certificates[186506]: 1 added, 0 removed; done.
Feb 03 12:05:02.798757 osdx ca-certificates[186512]: Running hooks in /etc/ca-certificates/update.d...
Feb 03 12:05:02.804691 osdx ca-certificates[186514]: done.
Feb 03 12:05:02.906749 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 03 12:05:02.908356 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:05:02.911743 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:05:02.941605 osdx dnscrypt-proxy[186518]: dnscrypt-proxy 2.0.45
Feb 03 12:05:02.941729 osdx dnscrypt-proxy[186518]: Network connectivity detected
Feb 03 12:05:02.942023 osdx dnscrypt-proxy[186518]: Dropping privileges
Feb 03 12:05:02.942046 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:05:02.946125 osdx dnscrypt-proxy[186518]: Network connectivity detected
Feb 03 12:05:02.946177 osdx dnscrypt-proxy[186518]: Now listening to 127.0.0.1:53 [UDP]
Feb 03 12:05:02.946185 osdx dnscrypt-proxy[186518]: Now listening to 127.0.0.1:53 [TCP]
Feb 03 12:05:02.946227 osdx dnscrypt-proxy[186518]: Firefox workaround initialized
Feb 03 12:05:02.946235 osdx dnscrypt-proxy[186518]: Loading the set of cloaking rules from [/tmp/tmpvm7_f6_u]
Feb 03 12:05:02.947492 osdx dnscrypt-proxy[186518]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Feb 03 12:05:03.140917 osdx dnscrypt-proxy[186518]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Feb 03 12:05:03.140934 osdx dnscrypt-proxy[186518]: [RD] OK (DoH) - rtt: 148ms
Feb 03 12:05:03.140943 osdx dnscrypt-proxy[186518]: Server with the lowest initial latency: RD (rtt: 148ms)
Feb 03 12:05:03.140948 osdx dnscrypt-proxy[186518]: dnscrypt-proxy is ready - live servers: 1

Multiple Invalid Cipher

Description

Configures either one or two invalid ciphers and tries to communicate with the server. A refusal of all proposed ciphers is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
Feb 03 12:05:14.429698 osdx systemd-journald[1936]: Runtime Journal (/run/log/journal/0b455e05fd8849079cae205af04c9e16) is 2.0M, max 15.3M, 13.3M free.
Feb 03 12:05:14.431874 osdx systemd-journald[1936]: Received client request to rotate journal, rotating.
Feb 03 12:05:14.431954 osdx systemd-journald[1936]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0b455e05fd8849079cae205af04c9e16.
Feb 03 12:05:14.447591 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'system journal clear'.
Feb 03 12:05:14.992859 osdx osdx-coredump[188145]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Feb 03 12:05:15.003900 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'system coredump delete all'.
Feb 03 12:05:15.719446 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:05:15.844246 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 03 12:05:15.999594 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 03 12:05:16.171422 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:05:16.305210 osdx INFO[188166]: FRR daemons did not change
Feb 03 12:05:16.335288 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 03 12:05:16.520074 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:05:16.575094 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:05:16.606905 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:05:16.833663 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Feb 03 12:05:17.118774 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:05:17.277106 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 03 12:05:17.433327 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Feb 03 12:05:17.565392 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Feb 03 12:05:17.696222 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Feb 03 12:05:17.828387 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840'.
Feb 03 12:05:18.003543 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Feb 03 12:05:18.171647 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Feb 03 12:05:18.335888 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 03 12:05:18.445943 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 03 12:05:18.644641 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:05:18.784962 osdx INFO[188283]: FRR daemons did not change
Feb 03 12:05:18.820887 osdx ca-certificates[188298]: Updating certificates in /etc/ssl/certs...
Feb 03 12:05:19.756377 osdx ca-certificates[189302]: 1 added, 0 removed; done.
Feb 03 12:05:19.762259 osdx ca-certificates[189309]: Running hooks in /etc/ca-certificates/update.d...
Feb 03 12:05:19.767018 osdx ca-certificates[189311]: done.
Feb 03 12:05:19.861165 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 03 12:05:19.873202 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:05:19.878774 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:05:19.900245 osdx dnscrypt-proxy[189315]: dnscrypt-proxy 2.0.45
Feb 03 12:05:19.900335 osdx dnscrypt-proxy[189315]: Network connectivity detected
Feb 03 12:05:19.900672 osdx dnscrypt-proxy[189315]: Dropping privileges
Feb 03 12:05:19.904207 osdx dnscrypt-proxy[189315]: Network connectivity detected
Feb 03 12:05:19.904549 osdx dnscrypt-proxy[189315]: Now listening to 127.0.0.1:53 [UDP]
Feb 03 12:05:19.904652 osdx dnscrypt-proxy[189315]: Now listening to 127.0.0.1:53 [TCP]
Feb 03 12:05:19.904740 osdx dnscrypt-proxy[189315]: Firefox workaround initialized
Feb 03 12:05:19.904798 osdx dnscrypt-proxy[189315]: Loading the set of cloaking rules from [/tmp/tmp_h8k13p4]
Feb 03 12:05:19.905939 osdx dnscrypt-proxy[189315]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Feb 03 12:05:19.918553 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.

Example 2

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
Feb 03 12:05:20.340369 osdx systemd-journald[1936]: Runtime Journal (/run/log/journal/0b455e05fd8849079cae205af04c9e16) is 2.0M, max 15.3M, 13.3M free.
Feb 03 12:05:20.343267 osdx systemd-journald[1936]: Received client request to rotate journal, rotating.
Feb 03 12:05:20.343350 osdx systemd-journald[1936]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0b455e05fd8849079cae205af04c9e16.
Feb 03 12:05:20.355952 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'system journal clear'.
Feb 03 12:05:20.783751 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:05:20.902920 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'delete '.
Feb 03 12:05:21.041279 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Feb 03 12:05:21.182521 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:05:21.328307 osdx dnscrypt-proxy[189315]: Stopped.
Feb 03 12:05:21.328412 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Feb 03 12:05:21.329937 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Feb 03 12:05:21.330126 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 03 12:05:21.533154 osdx ca-certificates[189400]: Clearing symlinks in /etc/ssl/certs...
Feb 03 12:05:22.066853 osdx ca-certificates[189969]: done.
Feb 03 12:05:22.073061 osdx ca-certificates[189978]: Updating certificates in /etc/ssl/certs...
Feb 03 12:05:22.902886 osdx ca-certificates[190829]: 140 added, 0 removed; done.
Feb 03 12:05:22.907571 osdx ca-certificates[190836]: Running hooks in /etc/ca-certificates/update.d...
Feb 03 12:05:22.913797 osdx ca-certificates[190838]: done.
Feb 03 12:05:22.962173 osdx INFO[190841]: FRR daemons did not change
Feb 03 12:05:22.962619 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:05:22.974924 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:05:23.018410 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:05:24.880031 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:05:25.006051 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 03 12:05:25.116756 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Feb 03 12:05:25.261967 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Feb 03 12:05:25.394162 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Feb 03 12:05:25.539202 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840'.
Feb 03 12:05:25.661803 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Feb 03 12:05:25.786330 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Feb 03 12:05:25.925338 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 03 12:05:26.048540 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 03 12:05:26.189096 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:05:26.328841 osdx INFO[190880]: FRR daemons did not change
Feb 03 12:05:26.349708 osdx ca-certificates[190896]: Updating certificates in /etc/ssl/certs...
Feb 03 12:05:27.365370 osdx ca-certificates[191900]: 1 added, 0 removed; done.
Feb 03 12:05:27.369922 osdx ca-certificates[191906]: Running hooks in /etc/ca-certificates/update.d...
Feb 03 12:05:27.374775 osdx ca-certificates[191908]: done.
Feb 03 12:05:27.399344 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 03 12:05:27.667836 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 03 12:05:27.670496 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:05:27.716399 osdx dnscrypt-proxy[191971]: dnscrypt-proxy 2.0.45
Feb 03 12:05:27.716497 osdx dnscrypt-proxy[191971]: Network connectivity detected
Feb 03 12:05:27.716988 osdx dnscrypt-proxy[191971]: Dropping privileges
Feb 03 12:05:27.719322 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:05:27.721704 osdx dnscrypt-proxy[191971]: Network connectivity detected
Feb 03 12:05:27.721764 osdx dnscrypt-proxy[191971]: Now listening to 127.0.0.1:53 [UDP]
Feb 03 12:05:27.721774 osdx dnscrypt-proxy[191971]: Now listening to 127.0.0.1:53 [TCP]
Feb 03 12:05:27.721815 osdx dnscrypt-proxy[191971]: Firefox workaround initialized
Feb 03 12:05:27.721824 osdx dnscrypt-proxy[191971]: Loading the set of cloaking rules from [/tmp/tmpq43ifjya]
Feb 03 12:05:27.725397 osdx dnscrypt-proxy[191971]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Feb 03 12:05:27.795142 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:05:27.920947 osdx dnscrypt-proxy[191971]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Feb 03 12:05:27.920980 osdx dnscrypt-proxy[191971]: [RD] OK (DoH) - rtt: 129ms
Feb 03 12:05:27.920993 osdx dnscrypt-proxy[191971]: Server with the lowest initial latency: RD (rtt: 129ms)
Feb 03 12:05:27.921001 osdx dnscrypt-proxy[191971]: dnscrypt-proxy is ready - live servers: 1

Example 3

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
Feb 03 12:05:28.221029 osdx systemd-journald[1936]: Runtime Journal (/run/log/journal/0b455e05fd8849079cae205af04c9e16) is 2.0M, max 15.3M, 13.3M free.
Feb 03 12:05:28.223312 osdx systemd-journald[1936]: Received client request to rotate journal, rotating.
Feb 03 12:05:28.223419 osdx systemd-journald[1936]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0b455e05fd8849079cae205af04c9e16.
Feb 03 12:05:28.239736 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'system journal clear'.
Feb 03 12:05:28.664710 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:05:28.767808 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'delete '.
Feb 03 12:05:28.913774 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Feb 03 12:05:29.052955 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:05:29.178075 osdx dnscrypt-proxy[191971]: Stopped.
Feb 03 12:05:29.178205 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Feb 03 12:05:29.179463 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Feb 03 12:05:29.179646 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 03 12:05:29.354425 osdx ca-certificates[192076]: Clearing symlinks in /etc/ssl/certs...
Feb 03 12:05:29.780900 osdx ca-certificates[192646]: done.
Feb 03 12:05:29.788111 osdx ca-certificates[192654]: Updating certificates in /etc/ssl/certs...
Feb 03 12:05:30.532189 osdx ca-certificates[193505]: 140 added, 0 removed; done.
Feb 03 12:05:30.538324 osdx ca-certificates[193512]: Running hooks in /etc/ca-certificates/update.d...
Feb 03 12:05:30.542899 osdx ca-certificates[193514]: done.
Feb 03 12:05:30.602790 osdx INFO[193517]: FRR daemons did not change
Feb 03 12:05:30.603415 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:05:30.608240 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:05:30.642026 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:05:32.442940 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:05:32.548195 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 03 12:05:32.654000 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Feb 03 12:05:32.787682 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Feb 03 12:05:32.886429 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Feb 03 12:05:33.014447 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840'.
Feb 03 12:05:33.114932 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Feb 03 12:05:33.224878 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Feb 03 12:05:33.325219 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Feb 03 12:05:33.459037 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 03 12:05:33.576827 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 03 12:05:33.733856 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:05:33.852757 osdx INFO[193559]: FRR daemons did not change
Feb 03 12:05:33.871121 osdx ca-certificates[193574]: Updating certificates in /etc/ssl/certs...
Feb 03 12:05:34.629495 osdx ca-certificates[194579]: 1 added, 0 removed; done.
Feb 03 12:05:34.635607 osdx ca-certificates[194585]: Running hooks in /etc/ca-certificates/update.d...
Feb 03 12:05:34.641669 osdx ca-certificates[194587]: done.
Feb 03 12:05:34.667293 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 03 12:05:34.919885 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 03 12:05:34.922084 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:05:34.951517 osdx dnscrypt-proxy[194650]: dnscrypt-proxy 2.0.45
Feb 03 12:05:34.951627 osdx dnscrypt-proxy[194650]: Network connectivity detected
Feb 03 12:05:34.951936 osdx dnscrypt-proxy[194650]: Dropping privileges
Feb 03 12:05:34.955508 osdx dnscrypt-proxy[194650]: Network connectivity detected
Feb 03 12:05:34.955866 osdx dnscrypt-proxy[194650]: Now listening to 127.0.0.1:53 [UDP]
Feb 03 12:05:34.955950 osdx dnscrypt-proxy[194650]: Now listening to 127.0.0.1:53 [TCP]
Feb 03 12:05:34.956065 osdx dnscrypt-proxy[194650]: Firefox workaround initialized
Feb 03 12:05:34.956138 osdx dnscrypt-proxy[194650]: Loading the set of cloaking rules from [/tmp/tmp9ciklxsz]
Feb 03 12:05:34.957355 osdx dnscrypt-proxy[194650]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Feb 03 12:05:34.963786 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:05:35.008120 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:05:35.142845 osdx dnscrypt-proxy[194650]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Feb 03 12:05:35.142870 osdx dnscrypt-proxy[194650]: [RD] OK (DoH) - rtt: 151ms
Feb 03 12:05:35.142883 osdx dnscrypt-proxy[194650]: Server with the lowest initial latency: RD (rtt: 151ms)
Feb 03 12:05:35.142892 osdx dnscrypt-proxy[194650]: dnscrypt-proxy is ready - live servers: 1
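
The "Cipher suite:" token in these journals is the decimal IANA code point of the negotiated TLS suite (49199 is 0xC02F, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256). The following is an added example, not part of the original test suite or of OSDx: it parses journal excerpts copied from this page and reports whether the suite finally negotiated is one of the configured ones. The function name audit_run and the verdict labels are assumptions of the example.

```python
import re

# IANA code points for the suites named on this page, plus 0xCCA8 (52392),
# which the journals above show being negotiated after a handshake failure.
IANA_SUITES = {
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xC030,
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": 0xCCA8,
}
NAME_BY_ID = {code: name for name, code in IANA_SUITES.items()}

CFG_RE = re.compile(r"'set service dns proxy cipher (\d+) algorithm ([A-Z0-9_]+)'")
NEGOTIATED_RE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[[^\]]+\] TLS version: \S+ - Protocol: \S+ - Cipher suite: (\d+)"
)
FAILURE_TOKEN = "TLS handshake failure"


def audit_run(journal_text):
    """Compare the configured cipher list with what the proxy finally negotiated."""
    configured = {}    # cipher index -> suite name, from the CLI audit lines
    failure = False    # handshake-failure token logged by dnscrypt-proxy
    negotiated = None  # last decimal code point logged after a handshake
    for line in journal_text.splitlines():
        m = CFG_RE.search(line)
        if m:
            configured[int(m.group(1))] = m.group(2)
            continue
        if "dnscrypt-proxy[" in line and FAILURE_TOKEN in line:
            failure = True
            continue
        m = NEGOTIATED_RE.search(line)
        if m:
            negotiated = int(m.group(1))

    names = [configured[i] for i in sorted(configured)]
    allowed = {IANA_SUITES[n] for n in names if n in IANA_SUITES}
    unknown = [n for n in names if n not in IANA_SUITES]

    if not names:
        verdict = "no-cipher-configured"
    elif negotiated is None:
        verdict = "refused" if failure else "no-handshake-seen"
    elif negotiated in allowed:
        verdict = "ok"
    else:
        # A session came up, but not with any suite from the configured list.
        verdict = "outside-configured-list"

    return {
        "configured": names,
        "unknown": unknown,
        "handshake_failure": failure,
        "negotiated": negotiated,
        "negotiated_name": NAME_BY_ID.get(negotiated),
        "verdict": verdict,
    }


# Excerpts copied from the journal output on this page (three lines or fewer per run).
INVALID_EX1 = """
Feb 03 12:05:18.003543 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Feb 03 12:05:19.905939 osdx dnscrypt-proxy[189315]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
"""
INVALID_EX2 = """
Feb 03 12:05:25.661803 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Feb 03 12:05:27.725397 osdx dnscrypt-proxy[191971]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Feb 03 12:05:27.920947 osdx dnscrypt-proxy[191971]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
"""
FALLBACK_EX1 = """
Feb 03 12:05:48.879988 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Feb 03 12:05:49.010745 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Feb 03 12:05:50.774819 osdx dnscrypt-proxy[197471]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
"""

if __name__ == "__main__":
    for label, text in (("invalid ex1", INVALID_EX1),
                        ("invalid ex2", INVALID_EX2),
                        ("fallback ex1", FALLBACK_EX1)):
        result = audit_run(text)
        print(label, result["verdict"], result["negotiated"], result["negotiated_name"])
```

A check for the handshake-failure token alone does not distinguish Example 1 from Examples 2 and 3, whose journals go on to log suite 52392, which is not in the configured list.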

Invalid Cipher With Fallback

Description

Configures an invalid cipher and a valid fallback cipher, then tries to communicate with the server. No refusal is expected, as long as the valid cipher proposed is the one used.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Output:
Feb 03 12:05:45.001932 osdx systemd-timedated[196280]: Changed local time to Mon 2025-02-03 12:05:45 UTC
Feb 03 12:05:45.004264 osdx systemd-journald[1936]: Time jumped backwards, rotating.
Feb 03 12:05:45.004368 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'set date 2025-02-03 12:05:45'.
Feb 03 12:05:45.507204 osdx systemd-journald[1936]: Runtime Journal (/run/log/journal/0b455e05fd8849079cae205af04c9e16) is 2.0M, max 15.3M, 13.3M free.
Feb 03 12:05:45.508254 osdx systemd-journald[1936]: Received client request to rotate journal, rotating.
Feb 03 12:05:45.508327 osdx systemd-journald[1936]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0b455e05fd8849079cae205af04c9e16.
Feb 03 12:05:45.533021 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'system journal clear'.
Feb 03 12:05:46.074842 osdx osdx-coredump[196298]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Feb 03 12:05:46.085799 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'system coredump delete all'.
Feb 03 12:05:46.818039 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:05:46.947963 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 03 12:05:47.063615 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 03 12:05:47.201616 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:05:47.340952 osdx INFO[196319]: FRR daemons did not change
Feb 03 12:05:47.372286 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 03 12:05:47.557035 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:05:47.617877 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:05:47.658259 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:05:47.882346 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Feb 03 12:05:48.171835 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:05:48.280399 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 03 12:05:48.434134 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Feb 03 12:05:48.551737 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Feb 03 12:05:48.654066 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Feb 03 12:05:48.772666 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840'.
Feb 03 12:05:48.879988 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Feb 03 12:05:49.010745 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Feb 03 12:05:49.134434 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Feb 03 12:05:49.252745 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 03 12:05:49.348128 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 03 12:05:49.483765 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:05:49.602964 osdx INFO[196439]: FRR daemons did not change
Feb 03 12:05:49.622313 osdx ca-certificates[196455]: Updating certificates in /etc/ssl/certs...
Feb 03 12:05:50.447762 osdx ca-certificates[197458]: 1 added, 0 removed; done.
Feb 03 12:05:50.452598 osdx ca-certificates[197465]: Running hooks in /etc/ca-certificates/update.d...
Feb 03 12:05:50.457583 osdx ca-certificates[197467]: done.
Feb 03 12:05:50.556750 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 03 12:05:50.558670 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:05:50.561941 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:05:50.592976 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:05:50.600210 osdx dnscrypt-proxy[197471]: dnscrypt-proxy 2.0.45
Feb 03 12:05:50.600316 osdx dnscrypt-proxy[197471]: Network connectivity detected
Feb 03 12:05:50.600634 osdx dnscrypt-proxy[197471]: Dropping privileges
Feb 03 12:05:50.609524 osdx dnscrypt-proxy[197471]: Network connectivity detected
Feb 03 12:05:50.609608 osdx dnscrypt-proxy[197471]: Now listening to 127.0.0.1:53 [UDP]
Feb 03 12:05:50.609616 osdx dnscrypt-proxy[197471]: Now listening to 127.0.0.1:53 [TCP]
Feb 03 12:05:50.609648 osdx dnscrypt-proxy[197471]: Firefox workaround initialized
Feb 03 12:05:50.609653 osdx dnscrypt-proxy[197471]: Loading the set of cloaking rules from [/tmp/tmp0v2hczsx]
Feb 03 12:05:50.774819 osdx dnscrypt-proxy[197471]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Feb 03 12:05:50.774843 osdx dnscrypt-proxy[197471]: [RD] OK (DoH) - rtt: 130ms
Feb 03 12:05:50.774853 osdx dnscrypt-proxy[197471]: Server with the lowest initial latency: RD (rtt: 130ms)
Feb 03 12:05:50.774860 osdx dnscrypt-proxy[197471]: dnscrypt-proxy is ready - live servers: 1
Feb 03 12:05:50.786739 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 2

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49200
Output:
Feb 03 12:05:51.086991 osdx systemd-journald[1936]: Runtime Journal (/run/log/journal/0b455e05fd8849079cae205af04c9e16) is 2.0M, max 15.3M, 13.2M free.
Feb 03 12:05:51.088245 osdx systemd-journald[1936]: Received client request to rotate journal, rotating.
Feb 03 12:05:51.088320 osdx systemd-journald[1936]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0b455e05fd8849079cae205af04c9e16.
Feb 03 12:05:51.105427 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'system journal clear'.
Feb 03 12:05:51.535573 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:05:51.640943 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'delete '.
Feb 03 12:05:51.761241 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Feb 03 12:05:51.891952 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:05:51.999945 osdx dnscrypt-proxy[197471]: Stopped.
Feb 03 12:05:52.000079 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Feb 03 12:05:52.001368 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Feb 03 12:05:52.001618 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 03 12:05:52.144559 osdx ca-certificates[197562]: Clearing symlinks in /etc/ssl/certs...
Feb 03 12:05:52.543263 osdx ca-certificates[198132]: done.
Feb 03 12:05:52.550300 osdx ca-certificates[198141]: Updating certificates in /etc/ssl/certs...
Feb 03 12:05:53.243754 osdx ca-certificates[198994]: 140 added, 0 removed; done.
Feb 03 12:05:53.249514 osdx ca-certificates[199000]: Running hooks in /etc/ca-certificates/update.d...
Feb 03 12:05:53.254169 osdx ca-certificates[199002]: done.
Feb 03 12:05:53.298723 osdx INFO[199005]: FRR daemons did not change
Feb 03 12:05:53.299136 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:05:53.302720 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:05:53.345460 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:05:55.110087 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:05:55.226552 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 03 12:05:55.355073 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Feb 03 12:05:55.484501 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Feb 03 12:05:55.611196 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Feb 03 12:05:55.746433 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840'.
Feb 03 12:05:55.849204 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Feb 03 12:05:55.951302 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Feb 03 12:05:56.078961 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Feb 03 12:05:56.248873 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 03 12:05:56.373614 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 03 12:05:56.531355 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:05:56.656186 osdx INFO[199047]: FRR daemons did not change
Feb 03 12:05:56.677113 osdx ca-certificates[199063]: Updating certificates in /etc/ssl/certs...
Feb 03 12:05:57.520673 osdx ca-certificates[200066]: 1 added, 0 removed; done.
Feb 03 12:05:57.525202 osdx ca-certificates[200073]: Running hooks in /etc/ca-certificates/update.d...
Feb 03 12:05:57.531251 osdx ca-certificates[200075]: done.
Feb 03 12:05:57.556310 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 03 12:05:57.856769 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 03 12:05:57.858650 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:05:57.889433 osdx dnscrypt-proxy[200138]: dnscrypt-proxy 2.0.45
Feb 03 12:05:57.889989 osdx dnscrypt-proxy[200138]: Network connectivity detected
Feb 03 12:05:57.890457 osdx dnscrypt-proxy[200138]: Dropping privileges
Feb 03 12:05:57.894295 osdx dnscrypt-proxy[200138]: Network connectivity detected
Feb 03 12:05:57.894356 osdx dnscrypt-proxy[200138]: Now listening to 127.0.0.1:53 [UDP]
Feb 03 12:05:57.894371 osdx dnscrypt-proxy[200138]: Now listening to 127.0.0.1:53 [TCP]
Feb 03 12:05:57.894406 osdx dnscrypt-proxy[200138]: Firefox workaround initialized
Feb 03 12:05:57.894414 osdx dnscrypt-proxy[200138]: Loading the set of cloaking rules from [/tmp/tmpemccey58]
Feb 03 12:05:57.901667 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:05:58.001689 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:05:58.123824 osdx dnscrypt-proxy[200138]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Feb 03 12:05:58.124003 osdx dnscrypt-proxy[200138]: [RD] OK (DoH) - rtt: 178ms
Feb 03 12:05:58.124130 osdx dnscrypt-proxy[200138]: Server with the lowest initial latency: RD (rtt: 178ms)
Feb 03 12:05:58.124197 osdx dnscrypt-proxy[200138]: dnscrypt-proxy is ready - live servers: 1
Feb 03 12:05:58.193421 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 3

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 52392
Show output
Feb 03 12:05:58.552665 osdx systemd-journald[1936]: Runtime Journal (/run/log/journal/0b455e05fd8849079cae205af04c9e16) is 2.1M, max 15.3M, 13.2M free.
Feb 03 12:05:58.556262 osdx systemd-journald[1936]: Received client request to rotate journal, rotating.
Feb 03 12:05:58.556348 osdx systemd-journald[1936]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0b455e05fd8849079cae205af04c9e16.
Feb 03 12:05:58.568309 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'system journal clear'.
Feb 03 12:05:58.993633 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:05:59.100334 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'delete '.
Feb 03 12:05:59.244239 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Feb 03 12:05:59.351719 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:05:59.467654 osdx dnscrypt-proxy[200138]: Stopped.
Feb 03 12:05:59.467748 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Feb 03 12:05:59.470606 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Feb 03 12:05:59.470822 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 03 12:05:59.630187 osdx ca-certificates[200248]: Clearing symlinks in /etc/ssl/certs...
Feb 03 12:06:00.078287 osdx ca-certificates[200818]: done.
Feb 03 12:06:00.085895 osdx ca-certificates[200832]: Updating certificates in /etc/ssl/certs...
Feb 03 12:06:00.838197 osdx ca-certificates[201677]: 140 added, 0 removed; done.
Feb 03 12:06:00.844964 osdx ca-certificates[201684]: Running hooks in /etc/ca-certificates/update.d...
Feb 03 12:06:00.851274 osdx ca-certificates[201686]: done.
Feb 03 12:06:00.917096 osdx INFO[201689]: FRR daemons did not change
Feb 03 12:06:00.918440 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:06:00.922255 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:06:00.959128 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:06:03.053329 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:06:03.167835 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 03 12:06:03.302506 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Feb 03 12:06:03.440501 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Feb 03 12:06:03.571684 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Feb 03 12:06:03.685241 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840'.
Feb 03 12:06:03.835847 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Feb 03 12:06:03.941623 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Feb 03 12:06:04.074890 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Feb 03 12:06:04.253860 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 03 12:06:04.390417 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 03 12:06:04.552615 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:06:04.686226 osdx INFO[201734]: FRR daemons did not change
Feb 03 12:06:04.705706 osdx ca-certificates[201749]: Updating certificates in /etc/ssl/certs...
Feb 03 12:06:05.542303 osdx ca-certificates[202753]: 1 added, 0 removed; done.
Feb 03 12:06:05.546773 osdx ca-certificates[202760]: Running hooks in /etc/ca-certificates/update.d...
Feb 03 12:06:05.551267 osdx ca-certificates[202762]: done.
Feb 03 12:06:05.576258 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 03 12:06:05.836974 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 03 12:06:05.839335 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:06:05.873422 osdx dnscrypt-proxy[202825]: dnscrypt-proxy 2.0.45
Feb 03 12:06:05.873892 osdx dnscrypt-proxy[202825]: Network connectivity detected
Feb 03 12:06:05.874325 osdx dnscrypt-proxy[202825]: Dropping privileges
Feb 03 12:06:05.877962 osdx dnscrypt-proxy[202825]: Network connectivity detected
Feb 03 12:06:05.878014 osdx dnscrypt-proxy[202825]: Now listening to 127.0.0.1:53 [UDP]
Feb 03 12:06:05.878020 osdx dnscrypt-proxy[202825]: Now listening to 127.0.0.1:53 [TCP]
Feb 03 12:06:05.878048 osdx dnscrypt-proxy[202825]: Firefox workaround initialized
Feb 03 12:06:05.878053 osdx dnscrypt-proxy[202825]: Loading the set of cloaking rules from [/tmp/tmp02703lkj]
Feb 03 12:06:05.882427 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:06:05.936118 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:06:06.173807 osdx dnscrypt-proxy[202825]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Feb 03 12:06:06.173834 osdx dnscrypt-proxy[202825]: [RD] OK (DoH) - rtt: 244ms
Feb 03 12:06:06.173846 osdx dnscrypt-proxy[202825]: Server with the lowest initial latency: RD (rtt: 244ms)
Feb 03 12:06:06.173854 osdx dnscrypt-proxy[202825]: dnscrypt-proxy is ready - live servers: 1
Feb 03 12:06:11.132177 osdx OSDxCLI[64814]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Feb 03 12:06:11.352883 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 4

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Show output
Feb 03 12:06:11.665354 osdx systemd-journald[1936]: Runtime Journal (/run/log/journal/0b455e05fd8849079cae205af04c9e16) is 2.0M, max 15.3M, 13.3M free.
Feb 03 12:06:11.668242 osdx systemd-journald[1936]: Received client request to rotate journal, rotating.
Feb 03 12:06:11.668327 osdx systemd-journald[1936]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0b455e05fd8849079cae205af04c9e16.
Feb 03 12:06:11.687371 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'system journal clear'.
Feb 03 12:06:12.168168 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:06:12.303518 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'delete '.
Feb 03 12:06:12.465324 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Feb 03 12:06:12.581194 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:06:12.682275 osdx dnscrypt-proxy[202825]: Stopped.
Feb 03 12:06:12.682420 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Feb 03 12:06:12.683752 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Feb 03 12:06:12.683949 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 03 12:06:12.864900 osdx ca-certificates[202940]: Clearing symlinks in /etc/ssl/certs...
Feb 03 12:06:13.303731 osdx ca-certificates[203509]: done.
Feb 03 12:06:13.309494 osdx ca-certificates[203519]: Updating certificates in /etc/ssl/certs...
Feb 03 12:06:14.024289 osdx ca-certificates[204371]: 140 added, 0 removed; done.
Feb 03 12:06:14.028881 osdx ca-certificates[204376]: Running hooks in /etc/ca-certificates/update.d...
Feb 03 12:06:14.033365 osdx ca-certificates[204378]: done.
Feb 03 12:06:14.078589 osdx INFO[204381]: FRR daemons did not change
Feb 03 12:06:14.079087 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:06:14.083891 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:06:14.119875 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:06:15.032852 osdx systemd[1]: systemd-timedated.service: Deactivated successfully.
Feb 03 12:06:15.864987 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:06:15.969801 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 03 12:06:16.076349 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Feb 03 12:06:16.190869 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Feb 03 12:06:16.295195 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Feb 03 12:06:16.408262 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840'.
Feb 03 12:06:16.519851 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Feb 03 12:06:16.645920 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Feb 03 12:06:16.745523 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Feb 03 12:06:16.883519 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 03 12:06:16.994177 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 03 12:06:17.131724 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:06:17.263965 osdx INFO[204425]: FRR daemons did not change
Feb 03 12:06:17.283578 osdx ca-certificates[204441]: Updating certificates in /etc/ssl/certs...
Feb 03 12:06:18.177179 osdx ca-certificates[205446]: 1 added, 0 removed; done.
Feb 03 12:06:18.182243 osdx ca-certificates[205451]: Running hooks in /etc/ca-certificates/update.d...
Feb 03 12:06:18.187147 osdx ca-certificates[205453]: done.
Feb 03 12:06:18.216289 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 03 12:06:18.556799 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 03 12:06:18.564161 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:06:18.602640 osdx dnscrypt-proxy[205516]: dnscrypt-proxy 2.0.45
Feb 03 12:06:18.602737 osdx dnscrypt-proxy[205516]: Network connectivity detected
Feb 03 12:06:18.603051 osdx dnscrypt-proxy[205516]: Dropping privileges
Feb 03 12:06:18.621530 osdx dnscrypt-proxy[205516]: Network connectivity detected
Feb 03 12:06:18.621584 osdx dnscrypt-proxy[205516]: Now listening to 127.0.0.1:53 [UDP]
Feb 03 12:06:18.621592 osdx dnscrypt-proxy[205516]: Now listening to 127.0.0.1:53 [TCP]
Feb 03 12:06:18.621639 osdx dnscrypt-proxy[205516]: Firefox workaround initialized
Feb 03 12:06:18.621647 osdx dnscrypt-proxy[205516]: Loading the set of cloaking rules from [/tmp/tmpmsz9hy5t]
Feb 03 12:06:18.627727 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:06:18.683784 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:06:18.861855 osdx dnscrypt-proxy[205516]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Feb 03 12:06:18.861887 osdx dnscrypt-proxy[205516]: [RD] OK (DoH) - rtt: 189ms
Feb 03 12:06:18.861903 osdx dnscrypt-proxy[205516]: Server with the lowest initial latency: RD (rtt: 189ms)
Feb 03 12:06:18.861910 osdx dnscrypt-proxy[205516]: dnscrypt-proxy is ready - live servers: 1
Feb 03 12:06:18.914668 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 5

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49200
Show output
Feb 03 12:06:19.323864 osdx systemd-journald[1936]: Runtime Journal (/run/log/journal/0b455e05fd8849079cae205af04c9e16) is 2.0M, max 15.3M, 13.3M free.
Feb 03 12:06:19.324764 osdx systemd-journald[1936]: Received client request to rotate journal, rotating.
Feb 03 12:06:19.324828 osdx systemd-journald[1936]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0b455e05fd8849079cae205af04c9e16.
Feb 03 12:06:19.346620 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'system journal clear'.
Feb 03 12:06:19.830866 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:06:19.939338 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'delete '.
Feb 03 12:06:20.108049 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Feb 03 12:06:20.228701 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:06:20.387976 osdx dnscrypt-proxy[205516]: Stopped.
Feb 03 12:06:20.388279 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Feb 03 12:06:20.390016 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Feb 03 12:06:20.390202 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 03 12:06:20.598287 osdx ca-certificates[205625]: Clearing symlinks in /etc/ssl/certs...
Feb 03 12:06:21.131944 osdx ca-certificates[206194]: done.
Feb 03 12:06:21.137850 osdx ca-certificates[206204]: Updating certificates in /etc/ssl/certs...
Feb 03 12:06:21.971158 osdx ca-certificates[207054]: 140 added, 0 removed; done.
Feb 03 12:06:21.975927 osdx ca-certificates[207061]: Running hooks in /etc/ca-certificates/update.d...
Feb 03 12:06:21.980671 osdx ca-certificates[207063]: done.
Feb 03 12:06:22.029089 osdx INFO[207066]: FRR daemons did not change
Feb 03 12:06:22.029549 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:06:22.032446 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:06:22.078249 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:06:24.120635 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:06:24.268144 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 03 12:06:24.390688 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Feb 03 12:06:24.551701 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Feb 03 12:06:24.653048 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Feb 03 12:06:24.774173 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840'.
Feb 03 12:06:24.884487 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Feb 03 12:06:25.001748 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Feb 03 12:06:25.109922 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Feb 03 12:06:25.256966 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 03 12:06:25.358300 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 03 12:06:25.503782 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:06:25.644456 osdx INFO[207108]: FRR daemons did not change
Feb 03 12:06:25.670529 osdx ca-certificates[207124]: Updating certificates in /etc/ssl/certs...
Feb 03 12:06:26.620864 osdx ca-certificates[208127]: 1 added, 0 removed; done.
Feb 03 12:06:26.628755 osdx ca-certificates[208134]: Running hooks in /etc/ca-certificates/update.d...
Feb 03 12:06:26.634081 osdx ca-certificates[208136]: done.
Feb 03 12:06:26.656273 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 03 12:06:26.941167 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 03 12:06:26.944017 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:06:26.976622 osdx dnscrypt-proxy[208199]: dnscrypt-proxy 2.0.45
Feb 03 12:06:26.976773 osdx dnscrypt-proxy[208199]: Network connectivity detected
Feb 03 12:06:26.977201 osdx dnscrypt-proxy[208199]: Dropping privileges
Feb 03 12:06:26.981140 osdx dnscrypt-proxy[208199]: Network connectivity detected
Feb 03 12:06:26.981192 osdx dnscrypt-proxy[208199]: Now listening to 127.0.0.1:53 [UDP]
Feb 03 12:06:26.981201 osdx dnscrypt-proxy[208199]: Now listening to 127.0.0.1:53 [TCP]
Feb 03 12:06:26.981280 osdx dnscrypt-proxy[208199]: Firefox workaround initialized
Feb 03 12:06:26.981289 osdx dnscrypt-proxy[208199]: Loading the set of cloaking rules from [/tmp/tmpuf2xn5_p]
Feb 03 12:06:26.995726 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:06:27.046220 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:06:27.269274 osdx dnscrypt-proxy[208199]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Feb 03 12:06:27.269291 osdx dnscrypt-proxy[208199]: [RD] OK (DoH) - rtt: 230ms
Feb 03 12:06:27.269300 osdx dnscrypt-proxy[208199]: Server with the lowest initial latency: RD (rtt: 230ms)
Feb 03 12:06:27.269305 osdx dnscrypt-proxy[208199]: dnscrypt-proxy is ready - live servers: 1
Feb 03 12:06:32.267223 osdx OSDxCLI[64814]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Feb 03 12:06:32.487222 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 6

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 52392
Show output
Feb 03 12:06:32.766229 osdx systemd-journald[1936]: Runtime Journal (/run/log/journal/0b455e05fd8849079cae205af04c9e16) is 2.0M, max 15.3M, 13.3M free.
Feb 03 12:06:32.768263 osdx systemd-journald[1936]: Received client request to rotate journal, rotating.
Feb 03 12:06:32.768331 osdx systemd-journald[1936]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0b455e05fd8849079cae205af04c9e16.
Feb 03 12:06:32.781570 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'system journal clear'.
Feb 03 12:06:33.179116 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:06:33.285278 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'delete '.
Feb 03 12:06:33.434103 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Feb 03 12:06:33.546382 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:06:33.694965 osdx dnscrypt-proxy[208199]: Stopped.
Feb 03 12:06:33.695088 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Feb 03 12:06:33.696495 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Feb 03 12:06:33.696688 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 03 12:06:33.858980 osdx ca-certificates[208312]: Clearing symlinks in /etc/ssl/certs...
Feb 03 12:06:34.264460 osdx ca-certificates[208881]: done.
Feb 03 12:06:34.269261 osdx ca-certificates[208891]: Updating certificates in /etc/ssl/certs...
Feb 03 12:06:34.974212 osdx ca-certificates[209741]: 140 added, 0 removed; done.
Feb 03 12:06:34.978603 osdx ca-certificates[209748]: Running hooks in /etc/ca-certificates/update.d...
Feb 03 12:06:34.983292 osdx ca-certificates[209750]: done.
Feb 03 12:06:35.027690 osdx INFO[209753]: FRR daemons did not change
Feb 03 12:06:35.028453 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:06:35.031505 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:06:35.061495 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:06:37.115213 osdx OSDxCLI[64814]: User 'admin' entered the configuration menu.
Feb 03 12:06:37.249000 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 03 12:06:37.384536 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Feb 03 12:06:37.525776 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Feb 03 12:06:37.647454 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Feb 03 12:06:37.764321 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 3c15e90bd022a1619161d18b235841fbb951fd9251cbf16baaf9244baed3a840'.
Feb 03 12:06:37.921799 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Feb 03 12:06:38.094643 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Feb 03 12:06:38.237814 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Feb 03 12:06:38.371667 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 03 12:06:38.469976 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 03 12:06:38.655313 osdx OSDxCLI[64814]: User 'admin' added a new cfg line: 'show working'.
Feb 03 12:06:38.793562 osdx INFO[209795]: FRR daemons did not change
Feb 03 12:06:38.818125 osdx ca-certificates[209810]: Updating certificates in /etc/ssl/certs...
Feb 03 12:06:39.802101 osdx ca-certificates[210814]: 1 added, 0 removed; done.
Feb 03 12:06:39.807517 osdx ca-certificates[210821]: Running hooks in /etc/ca-certificates/update.d...
Feb 03 12:06:39.815099 osdx ca-certificates[210823]: done.
Feb 03 12:06:39.846255 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 03 12:06:40.137090 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Feb 03 12:06:40.144117 osdx cfgd[1636]: [64814]Completed change to active configuration
Feb 03 12:06:40.173582 osdx dnscrypt-proxy[210886]: dnscrypt-proxy 2.0.45
Feb 03 12:06:40.173681 osdx dnscrypt-proxy[210886]: Network connectivity detected
Feb 03 12:06:40.174009 osdx dnscrypt-proxy[210886]: Dropping privileges
Feb 03 12:06:40.177539 osdx dnscrypt-proxy[210886]: Network connectivity detected
Feb 03 12:06:40.177630 osdx dnscrypt-proxy[210886]: Now listening to 127.0.0.1:53 [UDP]
Feb 03 12:06:40.177640 osdx dnscrypt-proxy[210886]: Now listening to 127.0.0.1:53 [TCP]
Feb 03 12:06:40.177677 osdx dnscrypt-proxy[210886]: Firefox workaround initialized
Feb 03 12:06:40.177685 osdx dnscrypt-proxy[210886]: Loading the set of cloaking rules from [/tmp/tmpa_p9wfml]
Feb 03 12:06:40.193671 osdx OSDxCLI[64814]: User 'admin' committed the configuration.
Feb 03 12:06:40.239448 osdx OSDxCLI[64814]: User 'admin' left the configuration menu.
Feb 03 12:06:40.480048 osdx dnscrypt-proxy[210886]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Feb 03 12:06:40.480078 osdx dnscrypt-proxy[210886]: [RD] OK (DoH) - rtt: 242ms
Feb 03 12:06:40.480094 osdx dnscrypt-proxy[210886]: Server with the lowest initial latency: RD (rtt: 242ms)
Feb 03 12:06:40.480101 osdx dnscrypt-proxy[210886]: dnscrypt-proxy is ready - live servers: 1
Feb 03 12:06:45.454113 osdx OSDxCLI[64814]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Feb 03 12:06:45.715695 osdx OSDxCLI[64814]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
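
The check that Step 3 performs by eye in the examples above, as an added example (not part of the documented test suite): it maps the decimal "Cipher suite:" value logged by dnscrypt-proxy to its IANA name and confirms that the negotiated suite is one of the configured "cipher N algorithm" entries. The function names and the second journal sample are constructed for illustration; reading "TLS version: 303" as hexadecimal 0x0303 (TLS 1.2) is an assumption about the log format.

```python
import re

# IANA TLS cipher suite code points for the suites named on this page.
IANA_SUITES = {
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xC030,
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": 0xCCA8,
}
ID_TO_NAME = {code: name for name, code in IANA_SUITES.items()}

# RC4 is prohibited in TLS by RFC 7465; 3DES has a 64-bit block (Sweet32).
LEGACY_MARKERS = ("_RC4_", "_3DES_")

CFG_RE = re.compile(
    r"^set service dns proxy cipher (\d+) algorithm (\S+)\s*$", re.MULTILINE)
LOG_RE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[(?P<server>[^\]]+)\] "
    r"TLS version: (?P<ver>[0-9a-fA-F]+) - Protocol: (?P<alpn>\S+) - "
    r"Cipher suite: (?P<suite>\d+)")


def is_legacy(name):
    """True for suite names built on RC4 or 3DES."""
    return any(marker in name for marker in LEGACY_MARKERS)


def configured_suites(config_text):
    """Return the configured suite names ordered by their 'cipher N' index."""
    entries = CFG_RE.findall(config_text)
    return [name for _, name in sorted(entries, key=lambda e: int(e[0]))]


def negotiated_handshakes(journal_text):
    """Extract every handshake summary line dnscrypt-proxy wrote to the journal."""
    return [
        {
            "server": m.group("server"),
            # Assumption: the version field is printed in hex (303 -> 0x0303).
            "tls_version": int(m.group("ver"), 16),
            "alpn": m.group("alpn"),
            "suite_id": int(m.group("suite")),  # printed in decimal
        }
        for m in LOG_RE.finditer(journal_text)
    ]


def audit(config_text, journal_text):
    """Compare what was negotiated against what the configuration allows."""
    allowed = configured_suites(config_text)
    allowed_ids = {IANA_SUITES[n] for n in allowed if n in IANA_SUITES}
    handshakes = []
    for hs in negotiated_handshakes(journal_text):
        name = ID_TO_NAME.get(hs["suite_id"], "unknown(0x%04X)" % hs["suite_id"])
        handshakes.append(dict(
            hs,
            suite_name=name,
            in_allow_list=hs["suite_id"] in allowed_ids,
            legacy=is_legacy(name),
        ))
    return {
        "configured": allowed,
        "legacy_configured": [n for n in allowed if is_legacy(n)],
        "unmapped": [n for n in allowed if n not in IANA_SUITES],
        "handshakes": handshakes,
    }


# Cipher lines and journal line copied from Example 3 on this page.
CONFIG_EXAMPLE_3 = """\
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
"""
JOURNAL_EXAMPLE_3 = (
    "Feb 03 12:06:06.173807 osdx dnscrypt-proxy[202825]: "
    "[RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392\n"
)

# Constructed journal lines (not from the page): a suite outside the
# configured list, then the legacy suite itself being negotiated.
JOURNAL_CONSTRUCTED = (
    "Feb 03 12:00:00.000000 osdx dnscrypt-proxy[1]: "
    "[RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199\n"
    "Feb 03 12:00:01.000000 osdx dnscrypt-proxy[1]: "
    "[RD] TLS version: 303 - Protocol: h2 - Cipher suite: 5\n"
)

if __name__ == "__main__":
    for label, journal in (("Example 3", JOURNAL_EXAMPLE_3),
                           ("constructed", JOURNAL_CONSTRUCTED)):
        report = audit(CONFIG_EXAMPLE_3, journal)
        for hs in report["handshakes"]:
            print(label, hs["suite_id"], hs["suite_name"],
                  "allowed" if hs["in_allow_list"] else "NOT IN CONFIG",
                  "legacy" if hs["legacy"] else "modern")
```

A run that reports a suite outside the configured list, or a legacy suite as the negotiated one, is the case worth failing the test on; a match on the "Cipher suite:" token alone does not distinguish either.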