Cipher

Test suite that validates the use of one or more ciphers to protect a DoH connection.

Single Valid Cipher

Description

Configures a single, valid cipher and tries to communicate with the server. No refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'show host lookup teldat.com type A' on DUT0 and check that the output contains the following tokens:

teldat.com has address 19.18.17.16

Output:

;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run the command 'system journal show | cat' on DUT0 and check that the output contains the following tokens:

Cipher suite: 49199

Output:

Jan 10 12:59:42.294007 osdx systemd-journald[1741]: Runtime Journal (/run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71) is 2.0M, max 15.3M, 13.2M free.
Jan 10 12:59:42.297068 osdx systemd-journald[1741]: Received client request to rotate journal, rotating.
Jan 10 12:59:42.297114 osdx systemd-journald[1741]: Vacuuming done, freed 0B of archived journals from /run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71.
Jan 10 12:59:42.302930 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'system journal clear'.
Jan 10 12:59:42.619920 osdx osdx-coredump[188562]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jan 10 12:59:42.627528 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'system coredump delete all'.
Jan 10 12:59:43.099415 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 12:59:43.226545 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 12:59:43.290549 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 12:59:43.405126 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 12:59:43.469269 osdx INFO[188586]: FRR daemons did not change
Jan 10 12:59:43.489082 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 10 12:59:43.591144 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 12:59:43.616988 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 12:59:43.632978 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 12:59:43.777625 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jan 10 12:59:43.895007 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 12:59:43.954483 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 10 12:59:44.080184 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 10 12:59:44.143198 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 10 12:59:44.238093 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 10 12:59:44.297089 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'.
Jan 10 12:59:44.406607 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Jan 10 12:59:44.460019 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 10 12:59:44.570718 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 12:59:44.624000 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 12:59:44.742414 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 12:59:44.813102 osdx INFO[188709]: FRR daemons did not change
Jan 10 12:59:44.824747 osdx ca-certificates[188725]: Updating certificates in /etc/ssl/certs...
Jan 10 12:59:45.276463 osdx ca-certificates[189730]: 1 added, 0 removed; done.
Jan 10 12:59:45.279342 osdx ca-certificates[189735]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 12:59:45.281972 osdx ca-certificates[189737]: done.
Jan 10 12:59:45.369361 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 12:59:45.370711 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 12:59:45.375502 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 12:59:45.395848 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 12:59:45.398389 osdx dnscrypt-proxy[189741]: dnscrypt-proxy 2.0.45
Jan 10 12:59:45.398447 osdx dnscrypt-proxy[189741]: Network connectivity detected
Jan 10 12:59:45.398622 osdx dnscrypt-proxy[189741]: Dropping privileges
Jan 10 12:59:45.400707 osdx dnscrypt-proxy[189741]: Network connectivity detected
Jan 10 12:59:45.400739 osdx dnscrypt-proxy[189741]: Now listening to 127.0.0.1:53 [UDP]
Jan 10 12:59:45.400744 osdx dnscrypt-proxy[189741]: Now listening to 127.0.0.1:53 [TCP]
Jan 10 12:59:45.400765 osdx dnscrypt-proxy[189741]: Firefox workaround initialized
Jan 10 12:59:45.400769 osdx dnscrypt-proxy[189741]: Loading the set of cloaking rules from [/tmp/tmpyg5tdcnw]
Jan 10 12:59:45.527666 osdx dnscrypt-proxy[189741]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Jan 10 12:59:45.527684 osdx dnscrypt-proxy[189741]: [RD] OK (DoH) - rtt: 104ms
Jan 10 12:59:45.527694 osdx dnscrypt-proxy[189741]: Server with the lowest initial latency: RD (rtt: 104ms)
Jan 10 12:59:45.527700 osdx dnscrypt-proxy[189741]: dnscrypt-proxy is ready - live servers: 1
Jan 10 12:59:45.546745 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Multiple Valid Cipher

Description

Configures a valid cipher each time, and tries to communicate with the server. No refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'show host lookup teldat.com type A' on DUT0 and check that the output contains the following tokens:

teldat.com has address 19.18.17.16

Output:

;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run the command 'system journal show | cat' on DUT0 and check that the output contains the following tokens:

Cipher suite: 49199

Output:

Jan 10 12:59:51.295043 osdx systemd-journald[1741]: Runtime Journal (/run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71) is 2.0M, max 15.3M, 13.3M free.
Jan 10 12:59:51.298644 osdx systemd-journald[1741]: Received client request to rotate journal, rotating.
Jan 10 12:59:51.298711 osdx systemd-journald[1741]: Vacuuming done, freed 0B of archived journals from /run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71.
Jan 10 12:59:51.304096 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'system journal clear'.
Jan 10 12:59:51.613908 osdx osdx-coredump[191371]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jan 10 12:59:51.621312 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'system coredump delete all'.
Jan 10 12:59:52.079122 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 12:59:52.151835 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 12:59:52.234181 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 12:59:52.299833 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 12:59:52.396491 osdx INFO[191395]: FRR daemons did not change
Jan 10 12:59:52.418636 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 10 12:59:52.516824 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 12:59:52.542049 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 12:59:52.557721 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 12:59:52.690073 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jan 10 12:59:52.808019 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 12:59:52.866905 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 10 12:59:52.967601 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 10 12:59:53.031692 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 10 12:59:53.122503 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 10 12:59:53.180288 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'.
Jan 10 12:59:53.274581 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Jan 10 12:59:53.326258 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 10 12:59:53.438532 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 12:59:53.490191 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 12:59:53.601699 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 12:59:53.676139 osdx INFO[191518]: FRR daemons did not change
Jan 10 12:59:53.687769 osdx ca-certificates[191534]: Updating certificates in /etc/ssl/certs...
Jan 10 12:59:54.149154 osdx ca-certificates[192537]: 1 added, 0 removed; done.
Jan 10 12:59:54.151986 osdx ca-certificates[192544]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 12:59:54.154608 osdx ca-certificates[192546]: done.
Jan 10 12:59:54.214882 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 12:59:54.215859 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 12:59:54.218278 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 12:59:54.237003 osdx dnscrypt-proxy[192550]: dnscrypt-proxy 2.0.45
Jan 10 12:59:54.237065 osdx dnscrypt-proxy[192550]: Network connectivity detected
Jan 10 12:59:54.237243 osdx dnscrypt-proxy[192550]: Dropping privileges
Jan 10 12:59:54.239329 osdx dnscrypt-proxy[192550]: Network connectivity detected
Jan 10 12:59:54.239356 osdx dnscrypt-proxy[192550]: Now listening to 127.0.0.1:53 [UDP]
Jan 10 12:59:54.239360 osdx dnscrypt-proxy[192550]: Now listening to 127.0.0.1:53 [TCP]
Jan 10 12:59:54.239387 osdx dnscrypt-proxy[192550]: Firefox workaround initialized
Jan 10 12:59:54.239391 osdx dnscrypt-proxy[192550]: Loading the set of cloaking rules from [/tmp/tmpyz40pcnr]
Jan 10 12:59:54.248464 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 12:59:54.370347 osdx dnscrypt-proxy[192550]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Jan 10 12:59:54.370361 osdx dnscrypt-proxy[192550]: [RD] OK (DoH) - rtt: 107ms
Jan 10 12:59:54.370368 osdx dnscrypt-proxy[192550]: Server with the lowest initial latency: RD (rtt: 107ms)
Jan 10 12:59:54.370372 osdx dnscrypt-proxy[192550]: dnscrypt-proxy is ready - live servers: 1
Jan 10 12:59:54.398706 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 2

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'show host lookup teldat.com type A' on DUT0 and check that the output contains the following tokens:

teldat.com has address 19.18.17.16

Output:

;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run the command 'system journal show | cat' on DUT0 and check that the output contains the following tokens:

Cipher suite: 49200

Output:

Jan 10 12:59:54.587107 osdx systemd-journald[1741]: Runtime Journal (/run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71) is 2.0M, max 15.3M, 13.3M free.
Jan 10 12:59:54.590634 osdx systemd-journald[1741]: Received client request to rotate journal, rotating.
Jan 10 12:59:54.590678 osdx systemd-journald[1741]: Vacuuming done, freed 0B of archived journals from /run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71.
Jan 10 12:59:54.596026 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'system journal clear'.
Jan 10 12:59:54.849811 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 12:59:54.905187 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'delete '.
Jan 10 12:59:55.019082 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jan 10 12:59:55.081370 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 12:59:55.179116 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Jan 10 12:59:55.179136 osdx dnscrypt-proxy[192550]: Stopped.
Jan 10 12:59:55.179996 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Jan 10 12:59:55.180100 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 12:59:55.270374 osdx ca-certificates[192641]: Clearing symlinks in /etc/ssl/certs...
Jan 10 12:59:55.505055 osdx ca-certificates[193210]: done.
Jan 10 12:59:55.507969 osdx ca-certificates[193220]: Updating certificates in /etc/ssl/certs...
Jan 10 12:59:55.948719 osdx ca-certificates[194072]: 140 added, 0 removed; done.
Jan 10 12:59:55.951479 osdx ca-certificates[194077]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 12:59:55.954222 osdx ca-certificates[194079]: done.
Jan 10 12:59:55.989619 osdx INFO[194082]: FRR daemons did not change
Jan 10 12:59:55.990098 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 12:59:55.992580 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 12:59:56.009230 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 12:59:57.195164 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 12:59:57.252280 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 10 12:59:57.348835 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 10 12:59:57.411012 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 10 12:59:57.505508 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 10 12:59:57.622252 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'.
Jan 10 12:59:57.675924 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Jan 10 12:59:57.779732 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 10 12:59:57.905399 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 12:59:57.969162 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 12:59:58.095776 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 12:59:58.178776 osdx INFO[194124]: FRR daemons did not change
Jan 10 12:59:58.190611 osdx ca-certificates[194140]: Updating certificates in /etc/ssl/certs...
Jan 10 12:59:58.629810 osdx ca-certificates[195144]: 1 added, 0 removed; done.
Jan 10 12:59:58.632546 osdx ca-certificates[195150]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 12:59:58.635264 osdx ca-certificates[195152]: done.
Jan 10 12:59:58.654651 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 10 12:59:58.826895 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 12:59:58.827975 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 12:59:58.867505 osdx dnscrypt-proxy[195218]: dnscrypt-proxy 2.0.45
Jan 10 12:59:58.867563 osdx dnscrypt-proxy[195218]: Network connectivity detected
Jan 10 12:59:58.867750 osdx dnscrypt-proxy[195218]: Dropping privileges
Jan 10 12:59:58.870642 osdx dnscrypt-proxy[195218]: Network connectivity detected
Jan 10 12:59:58.870670 osdx dnscrypt-proxy[195218]: Now listening to 127.0.0.1:53 [UDP]
Jan 10 12:59:58.870674 osdx dnscrypt-proxy[195218]: Now listening to 127.0.0.1:53 [TCP]
Jan 10 12:59:58.870692 osdx dnscrypt-proxy[195218]: Firefox workaround initialized
Jan 10 12:59:58.870696 osdx dnscrypt-proxy[195218]: Loading the set of cloaking rules from [/tmp/tmpgqk2ajv8]
Jan 10 12:59:58.875294 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 12:59:58.895166 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 12:59:59.014214 osdx dnscrypt-proxy[195218]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Jan 10 12:59:59.014228 osdx dnscrypt-proxy[195218]: [RD] OK (DoH) - rtt: 118ms
Jan 10 12:59:59.014236 osdx dnscrypt-proxy[195218]: Server with the lowest initial latency: RD (rtt: 118ms)
Jan 10 12:59:59.014240 osdx dnscrypt-proxy[195218]: dnscrypt-proxy is ready - live servers: 1
Jan 10 12:59:59.044273 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 3

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'show host lookup teldat.com type A' on DUT0 and check that the output contains the following tokens:

teldat.com has address 19.18.17.16

Output:

;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run the command 'system journal show | cat' on DUT0 and check that the output contains the following tokens:

Cipher suite: 52392

Output:

Jan 10 12:59:59.276678 osdx systemd-journald[1741]: Runtime Journal (/run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71) is 2.0M, max 15.3M, 13.3M free.
Jan 10 12:59:59.278632 osdx systemd-journald[1741]: Received client request to rotate journal, rotating.
Jan 10 12:59:59.278676 osdx systemd-journald[1741]: Vacuuming done, freed 0B of archived journals from /run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71.
Jan 10 12:59:59.286228 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'system journal clear'.
Jan 10 12:59:59.609847 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 12:59:59.676534 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'delete '.
Jan 10 12:59:59.791390 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jan 10 12:59:59.880002 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 12:59:59.980946 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Jan 10 12:59:59.980977 osdx dnscrypt-proxy[195218]: Stopped.
Jan 10 12:59:59.982213 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Jan 10 12:59:59.982316 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 13:00:00.077460 osdx ca-certificates[195327]: Clearing symlinks in /etc/ssl/certs...
Jan 10 13:00:00.310158 osdx ca-certificates[195896]: done.
Jan 10 13:00:00.313711 osdx ca-certificates[195904]: Updating certificates in /etc/ssl/certs...
Jan 10 13:00:00.756524 osdx ca-certificates[196757]: 140 added, 0 removed; done.
Jan 10 13:00:00.759417 osdx ca-certificates[196763]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 13:00:00.762211 osdx ca-certificates[196765]: done.
Jan 10 13:00:00.791065 osdx INFO[196768]: FRR daemons did not change
Jan 10 13:00:00.791723 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 13:00:00.794635 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 13:00:00.813682 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 13:00:02.049048 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 13:00:02.107343 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 10 13:00:02.207866 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 10 13:00:02.270140 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 10 13:00:02.363032 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 10 13:00:02.463019 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'.
Jan 10 13:00:02.518099 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Jan 10 13:00:02.609611 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 10 13:00:02.678544 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 13:00:02.761936 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 13:00:02.833920 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 13:00:02.931544 osdx INFO[196815]: FRR daemons did not change
Jan 10 13:00:02.945778 osdx ca-certificates[196831]: Updating certificates in /etc/ssl/certs...
Jan 10 13:00:03.403067 osdx ca-certificates[197835]: 1 added, 0 removed; done.
Jan 10 13:00:03.405819 osdx ca-certificates[197841]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 13:00:03.408410 osdx ca-certificates[197843]: done.
Jan 10 13:00:03.430641 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 10 13:00:03.607016 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 13:00:03.608915 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 13:00:03.631062 osdx dnscrypt-proxy[197909]: dnscrypt-proxy 2.0.45
Jan 10 13:00:03.631118 osdx dnscrypt-proxy[197909]: Network connectivity detected
Jan 10 13:00:03.631303 osdx dnscrypt-proxy[197909]: Dropping privileges
Jan 10 13:00:03.633381 osdx dnscrypt-proxy[197909]: Network connectivity detected
Jan 10 13:00:03.633405 osdx dnscrypt-proxy[197909]: Now listening to 127.0.0.1:53 [UDP]
Jan 10 13:00:03.633409 osdx dnscrypt-proxy[197909]: Now listening to 127.0.0.1:53 [TCP]
Jan 10 13:00:03.633427 osdx dnscrypt-proxy[197909]: Firefox workaround initialized
Jan 10 13:00:03.633431 osdx dnscrypt-proxy[197909]: Loading the set of cloaking rules from [/tmp/tmpb3nayy3l]
Jan 10 13:00:03.642947 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 13:00:03.660896 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 13:00:03.764737 osdx dnscrypt-proxy[197909]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Jan 10 13:00:03.764750 osdx dnscrypt-proxy[197909]: [RD] OK (DoH) - rtt: 107ms
Jan 10 13:00:03.764757 osdx dnscrypt-proxy[197909]: Server with the lowest initial latency: RD (rtt: 107ms)
Jan 10 13:00:03.764762 osdx dnscrypt-proxy[197909]: dnscrypt-proxy is ready - live servers: 1
Jan 10 13:00:03.809831 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Single Invalid Cipher

Description

Configures a single, invalid cipher and tries to communicate with the server. A refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file

Output:

Jan 10 13:00:10.340390 osdx systemd-journald[1741]: Runtime Journal (/run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71) is 2.0M, max 15.3M, 13.3M free.
Jan 10 13:00:10.340810 osdx systemd-journald[1741]: Received client request to rotate journal, rotating.
Jan 10 13:00:10.340841 osdx systemd-journald[1741]: Vacuuming done, freed 0B of archived journals from /run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71.
Jan 10 13:00:10.349432 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'system journal clear'.
Jan 10 13:00:10.656577 osdx osdx-coredump[199558]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jan 10 13:00:10.665467 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'system coredump delete all'.
Jan 10 13:00:11.133109 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 13:00:11.218429 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 13:00:11.314909 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 13:00:11.380538 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 13:00:11.478476 osdx INFO[199582]: FRR daemons did not change
Jan 10 13:00:11.496715 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 10 13:00:11.589294 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 13:00:11.614935 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 13:00:11.630833 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 13:00:11.774505 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jan 10 13:00:11.934209 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 13:00:11.992486 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 10 13:00:12.088992 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 10 13:00:12.151607 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 10 13:00:12.243625 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 10 13:00:12.301213 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'.
Jan 10 13:00:12.396921 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Jan 10 13:00:12.449519 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 10 13:00:12.559209 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 13:00:12.611360 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 13:00:12.724065 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 13:00:12.806262 osdx INFO[199705]: FRR daemons did not change
Jan 10 13:00:12.817834 osdx ca-certificates[199721]: Updating certificates in /etc/ssl/certs...
Jan 10 13:00:13.291023 osdx ca-certificates[200724]: 1 added, 0 removed; done.
Jan 10 13:00:13.293845 osdx ca-certificates[200731]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 13:00:13.296612 osdx ca-certificates[200733]: done.
Jan 10 13:00:13.361071 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 13:00:13.362222 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 13:00:13.364986 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 13:00:13.383127 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 13:00:13.388242 osdx dnscrypt-proxy[200737]: dnscrypt-proxy 2.0.45
Jan 10 13:00:13.388318 osdx dnscrypt-proxy[200737]: Network connectivity detected
Jan 10 13:00:13.388548 osdx dnscrypt-proxy[200737]: Dropping privileges
Jan 10 13:00:13.391390 osdx dnscrypt-proxy[200737]: Network connectivity detected
Jan 10 13:00:13.391427 osdx dnscrypt-proxy[200737]: Now listening to 127.0.0.1:53 [UDP]
Jan 10 13:00:13.391433 osdx dnscrypt-proxy[200737]: Now listening to 127.0.0.1:53 [TCP]
Jan 10 13:00:13.391460 osdx dnscrypt-proxy[200737]: Firefox workaround initialized
Jan 10 13:00:13.391466 osdx dnscrypt-proxy[200737]: Loading the set of cloaking rules from [/tmp/tmp3zxx6lsw]
Jan 10 13:00:13.392296 osdx dnscrypt-proxy[200737]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file

Multiple Invalid Cipher

Description

Configures either one or two invalid ciphers and tries to communicate with the server. A refusal of all proposed ciphers is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Show output
Jan 10 13:00:20.323024 osdx systemd-journald[1741]: Runtime Journal (/run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71) is 2.0M, max 15.3M, 13.3M free.
Jan 10 13:00:20.325934 osdx systemd-journald[1741]: Received client request to rotate journal, rotating.
Jan 10 13:00:20.325986 osdx systemd-journald[1741]: Vacuuming done, freed 0B of archived journals from /run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71.
Jan 10 13:00:20.334917 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'system journal clear'.
Jan 10 13:00:20.649057 osdx osdx-coredump[202362]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jan 10 13:00:20.656781 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'system coredump delete all'.
Jan 10 13:00:21.116514 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 13:00:21.257303 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 13:00:21.313196 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 13:00:21.442061 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 13:00:21.518135 osdx INFO[202386]: FRR daemons did not change
Jan 10 13:00:21.537920 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 10 13:00:21.627301 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 13:00:21.652042 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 13:00:21.675428 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 13:00:21.841726 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jan 10 13:00:22.019368 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 13:00:22.098230 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 10 13:00:22.207999 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 10 13:00:22.278613 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 10 13:00:22.368742 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 10 13:00:22.425614 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'.
Jan 10 13:00:22.519712 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Jan 10 13:00:22.572115 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 10 13:00:22.679938 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 13:00:22.741621 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 13:00:22.853964 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 13:00:22.926635 osdx INFO[202509]: FRR daemons did not change
Jan 10 13:00:22.939538 osdx ca-certificates[202525]: Updating certificates in /etc/ssl/certs...
Jan 10 13:00:23.413057 osdx ca-certificates[203529]: 1 added, 0 removed; done.
Jan 10 13:00:23.415784 osdx ca-certificates[203535]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 13:00:23.418396 osdx ca-certificates[203537]: done.
Jan 10 13:00:23.498198 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 13:00:23.499266 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 13:00:23.502015 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 13:00:23.519276 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 13:00:23.520817 osdx dnscrypt-proxy[203541]: dnscrypt-proxy 2.0.45
Jan 10 13:00:23.521061 osdx dnscrypt-proxy[203541]: Network connectivity detected
Jan 10 13:00:23.521311 osdx dnscrypt-proxy[203541]: Dropping privileges
Jan 10 13:00:23.523186 osdx dnscrypt-proxy[203541]: Network connectivity detected
Jan 10 13:00:23.523213 osdx dnscrypt-proxy[203541]: Now listening to 127.0.0.1:53 [UDP]
Jan 10 13:00:23.523217 osdx dnscrypt-proxy[203541]: Now listening to 127.0.0.1:53 [TCP]
Jan 10 13:00:23.523236 osdx dnscrypt-proxy[203541]: Firefox workaround initialized
Jan 10 13:00:23.523240 osdx dnscrypt-proxy[203541]: Loading the set of cloaking rules from [/tmp/tmpjbp7ebmy]
Jan 10 13:00:23.523897 osdx dnscrypt-proxy[203541]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file

Example 2

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Show output
Jan 10 13:00:23.758911 osdx systemd-journald[1741]: Runtime Journal (/run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71) is 2.0M, max 15.3M, 13.3M free.
Jan 10 13:00:23.761920 osdx systemd-journald[1741]: Received client request to rotate journal, rotating.
Jan 10 13:00:23.761986 osdx systemd-journald[1741]: Vacuuming done, freed 0B of archived journals from /run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71.
Jan 10 13:00:23.767971 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'system journal clear'.
Jan 10 13:00:24.014400 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 13:00:24.115238 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'delete '.
Jan 10 13:00:24.181763 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jan 10 13:00:24.279919 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 13:00:24.342692 osdx dnscrypt-proxy[203541]: Stopped.
Jan 10 13:00:24.342728 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Jan 10 13:00:24.343822 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Jan 10 13:00:24.343923 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 13:00:24.435371 osdx ca-certificates[203627]: Clearing symlinks in /etc/ssl/certs...
Jan 10 13:00:24.665727 osdx ca-certificates[204196]: done.
Jan 10 13:00:24.668706 osdx ca-certificates[204206]: Updating certificates in /etc/ssl/certs...
Jan 10 13:00:25.063238 osdx ca-certificates[205058]: 140 added, 0 removed; done.
Jan 10 13:00:25.065972 osdx ca-certificates[205063]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 13:00:25.068768 osdx ca-certificates[205065]: done.
Jan 10 13:00:25.101539 osdx INFO[205068]: FRR daemons did not change
Jan 10 13:00:25.102045 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 13:00:25.104352 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 13:00:25.121362 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 13:00:26.288673 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 13:00:26.347494 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 10 13:00:26.435679 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 10 13:00:26.498407 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 10 13:00:26.591595 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 10 13:00:26.649282 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'.
Jan 10 13:00:26.743196 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Jan 10 13:00:26.796335 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 10 13:00:26.929973 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 13:00:26.984204 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 13:00:27.125372 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 13:00:27.199155 osdx INFO[205110]: FRR daemons did not change
Jan 10 13:00:27.210914 osdx ca-certificates[205126]: Updating certificates in /etc/ssl/certs...
Jan 10 13:00:27.679280 osdx ca-certificates[206130]: 1 added, 0 removed; done.
Jan 10 13:00:27.682003 osdx ca-certificates[206136]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 13:00:27.684768 osdx ca-certificates[206138]: done.
Jan 10 13:00:27.705946 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 10 13:00:27.882172 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 13:00:27.883363 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 13:00:27.904375 osdx dnscrypt-proxy[206204]: dnscrypt-proxy 2.0.45
Jan 10 13:00:27.904432 osdx dnscrypt-proxy[206204]: Network connectivity detected
Jan 10 13:00:27.904610 osdx dnscrypt-proxy[206204]: Dropping privileges
Jan 10 13:00:27.906633 osdx dnscrypt-proxy[206204]: Network connectivity detected
Jan 10 13:00:27.906780 osdx dnscrypt-proxy[206204]: Now listening to 127.0.0.1:53 [UDP]
Jan 10 13:00:27.906785 osdx dnscrypt-proxy[206204]: Now listening to 127.0.0.1:53 [TCP]
Jan 10 13:00:27.906804 osdx dnscrypt-proxy[206204]: Firefox workaround initialized
Jan 10 13:00:27.906808 osdx dnscrypt-proxy[206204]: Loading the set of cloaking rules from [/tmp/tmpx9yxq0vh]
Jan 10 13:00:27.907766 osdx dnscrypt-proxy[206204]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Jan 10 13:00:27.910236 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 13:00:27.936374 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 13:00:28.040788 osdx dnscrypt-proxy[206204]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Jan 10 13:00:28.040801 osdx dnscrypt-proxy[206204]: [RD] OK (DoH) - rtt: 111ms
Jan 10 13:00:28.040809 osdx dnscrypt-proxy[206204]: Server with the lowest initial latency: RD (rtt: 111ms)
Jan 10 13:00:28.040814 osdx dnscrypt-proxy[206204]: dnscrypt-proxy is ready - live servers: 1

Example 3

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Show output
Jan 10 13:00:28.172351 osdx systemd-journald[1741]: Runtime Journal (/run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71) is 2.0M, max 15.3M, 13.3M free.
Jan 10 13:00:28.173918 osdx systemd-journald[1741]: Received client request to rotate journal, rotating.
Jan 10 13:00:28.173956 osdx systemd-journald[1741]: Vacuuming done, freed 0B of archived journals from /run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71.
Jan 10 13:00:28.183676 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'system journal clear'.
Jan 10 13:00:28.425716 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 13:00:28.480113 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'delete '.
Jan 10 13:00:28.592044 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jan 10 13:00:28.654479 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 13:00:28.751375 osdx dnscrypt-proxy[206204]: Stopped.
Jan 10 13:00:28.751408 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Jan 10 13:00:28.752429 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Jan 10 13:00:28.752526 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 13:00:28.854436 osdx ca-certificates[206310]: Clearing symlinks in /etc/ssl/certs...
Jan 10 13:00:29.091104 osdx ca-certificates[206879]: done.
Jan 10 13:00:29.093845 osdx ca-certificates[206888]: Updating certificates in /etc/ssl/certs...
Jan 10 13:00:29.486789 osdx ca-certificates[207739]: 140 added, 0 removed; done.
Jan 10 13:00:29.489518 osdx ca-certificates[207746]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 13:00:29.492073 osdx ca-certificates[207748]: done.
Jan 10 13:00:29.522392 osdx INFO[207751]: FRR daemons did not change
Jan 10 13:00:29.522876 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 13:00:29.525200 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 13:00:29.544597 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 13:00:30.721765 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 13:00:30.790470 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 10 13:00:30.894427 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 10 13:00:30.977040 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 10 13:00:31.070376 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 10 13:00:31.131067 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'.
Jan 10 13:00:31.225023 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Jan 10 13:00:31.290187 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Jan 10 13:00:31.385614 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 10 13:00:31.455141 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 13:00:31.542369 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 13:00:31.626018 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 13:00:31.717959 osdx INFO[207796]: FRR daemons did not change
Jan 10 13:00:31.731473 osdx ca-certificates[207812]: Updating certificates in /etc/ssl/certs...
Jan 10 13:00:32.192839 osdx ca-certificates[208816]: 1 added, 0 removed; done.
Jan 10 13:00:32.195560 osdx ca-certificates[208822]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 13:00:32.198397 osdx ca-certificates[208824]: done.
Jan 10 13:00:32.221925 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 10 13:00:32.414189 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 13:00:32.415478 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 13:00:32.446425 osdx dnscrypt-proxy[208890]: dnscrypt-proxy 2.0.45
Jan 10 13:00:32.446505 osdx dnscrypt-proxy[208890]: Network connectivity detected
Jan 10 13:00:32.446724 osdx dnscrypt-proxy[208890]: Dropping privileges
Jan 10 13:00:32.448779 osdx dnscrypt-proxy[208890]: Network connectivity detected
Jan 10 13:00:32.448812 osdx dnscrypt-proxy[208890]: Now listening to 127.0.0.1:53 [UDP]
Jan 10 13:00:32.448817 osdx dnscrypt-proxy[208890]: Now listening to 127.0.0.1:53 [TCP]
Jan 10 13:00:32.448847 osdx dnscrypt-proxy[208890]: Firefox workaround initialized
Jan 10 13:00:32.448852 osdx dnscrypt-proxy[208890]: Loading the set of cloaking rules from [/tmp/tmph75l3uvm]
Jan 10 13:00:32.449941 osdx dnscrypt-proxy[208890]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Jan 10 13:00:32.452545 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 13:00:32.474973 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 13:00:32.580826 osdx dnscrypt-proxy[208890]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Jan 10 13:00:32.580842 osdx dnscrypt-proxy[208890]: [RD] OK (DoH) - rtt: 106ms
Jan 10 13:00:32.580849 osdx dnscrypt-proxy[208890]: Server with the lowest initial latency: RD (rtt: 106ms)
Jan 10 13:00:32.580853 osdx dnscrypt-proxy[208890]: dnscrypt-proxy is ready - live servers: 1
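
In Examples 2 and 3 the expected failure token is present, yet the same dnscrypt-proxy process later logs a DoH session with cipher suite 52392, which is none of the configured algorithms. The added example below (not part of the original test suite) audits a journal capture for this: it collects the configured cipher names, decodes the negotiated suite ID, and classifies each proxy run. The function names and verdict labels are hypothetical, the suite IDs are the IANA TLS registry values, and the sample lines are abbreviated from the output on this page.

```python
import re

# IANA TLS cipher suite IDs for the suites named on this page, plus the
# suite whose decimal ID (52392) appears in the journal output.
IANA_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",        # 49199
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",        # 49200
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",  # 52392
}

CFG_RE = re.compile(r"added a new cfg line: '(.*)'\.$")
CIPHER_CFG_RE = re.compile(r"^set service dns proxy cipher \d+ algorithm (\S+)$")
PROXY_RE = re.compile(r"dnscrypt-proxy\[(\d+)\]: (.*)$")
SUITE_RE = re.compile(r"Cipher suite: (\d+)")


def classify(run):
    """Hypothetical verdict labels for one dnscrypt-proxy process."""
    if run["negotiated"] is None:
        return "refused" if run["handshake_failure"] else "no-session"
    if run["negotiated_name"] in run["configured"]:
        return "configured-suite"
    return "suite-outside-config"


def audit_journal(lines):
    """Return {pid: run} for every dnscrypt-proxy process seen in the capture."""
    configured = set()
    runs = {}
    for raw in lines:
        line = raw.strip()
        cfg = CFG_RE.search(line)
        if cfg:
            text = cfg.group(1).strip()
            if text == "delete":
                # The test harness wipes the configuration between examples.
                configured.clear()
            else:
                cipher = CIPHER_CFG_RE.match(text)
                if cipher:
                    configured.add(cipher.group(1))
            continue
        proxy = PROXY_RE.search(line)
        if not proxy:
            continue
        pid, msg = proxy.groups()
        # Snapshot the cipher list in effect when this process first logs.
        run = runs.setdefault(pid, {
            "configured": sorted(configured),
            "handshake_failure": False,
            "negotiated": None,
            "negotiated_name": None,
        })
        if "TLS handshake failure" in msg:
            run["handshake_failure"] = True
        suite = SUITE_RE.search(msg)
        if suite:
            run["negotiated"] = int(suite.group(1))
            run["negotiated_name"] = IANA_SUITES.get(run["negotiated"], "unknown")
    for run in runs.values():
        run["verdict"] = classify(run)
    return runs


# Sample input, abbreviated from the journal output on this page.
SAMPLE_INVALID = """
Jan 10 13:00:28.480113 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'delete '.
Jan 10 13:00:31.225023 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Jan 10 13:00:31.290187 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Jan 10 13:00:32.446425 osdx dnscrypt-proxy[208890]: dnscrypt-proxy 2.0.45
Jan 10 13:00:32.449941 osdx dnscrypt-proxy[208890]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Jan 10 13:00:32.580826 osdx dnscrypt-proxy[208890]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
"""

SAMPLE_FALLBACK = """
Jan 10 13:00:40.278792 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Jan 10 13:00:40.335700 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Jan 10 13:00:41.322405 osdx dnscrypt-proxy[211716]: dnscrypt-proxy 2.0.45
Jan 10 13:00:41.474864 osdx dnscrypt-proxy[211716]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
"""

if __name__ == "__main__":
    for sample in (SAMPLE_INVALID, SAMPLE_FALLBACK):
        for pid, run in audit_journal(sample.splitlines()).items():
            print(pid, run["configured"], run["negotiated_name"], run["verdict"])
```

A run classified `suite-outside-config` is the case to review: the journal contains the failure token the test looks for, but DNS traffic is then carried over a suite that was never configured.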

Invalid Cipher With Fallback

Description

Configures an invalid cipher and a valid fallback cipher, then tries to communicate with the server. No refusal is expected, as long as the valid proposed cipher is the one used.

Scenario

Example 1

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Show output
Jan 10 13:00:38.299244 osdx systemd-journald[1741]: Runtime Journal (/run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71) is 2.0M, max 15.3M, 13.3M free.
Jan 10 13:00:38.300080 osdx systemd-journald[1741]: Received client request to rotate journal, rotating.
Jan 10 13:00:38.300118 osdx systemd-journald[1741]: Vacuuming done, freed 0B of archived journals from /run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71.
Jan 10 13:00:38.308209 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'system journal clear'.
Jan 10 13:00:38.613452 osdx osdx-coredump[210534]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jan 10 13:00:38.620848 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'system coredump delete all'.
Jan 10 13:00:39.057780 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 13:00:39.130124 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 13:00:39.213301 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 13:00:39.283408 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 13:00:39.383512 osdx INFO[210558]: FRR daemons did not change
Jan 10 13:00:39.400082 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 10 13:00:39.495216 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 13:00:39.526285 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 13:00:39.544508 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 13:00:39.695342 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jan 10 13:00:39.814804 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 13:00:39.873010 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 10 13:00:39.970916 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 10 13:00:40.034564 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 10 13:00:40.126964 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 10 13:00:40.183083 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'.
Jan 10 13:00:40.278792 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Jan 10 13:00:40.335700 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Jan 10 13:00:40.432415 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 10 13:00:40.501225 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 13:00:40.589487 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 13:00:40.662084 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 13:00:40.759348 osdx INFO[210684]: FRR daemons did not change
Jan 10 13:00:40.770456 osdx ca-certificates[210700]: Updating certificates in /etc/ssl/certs...
Jan 10 13:00:41.224524 osdx ca-certificates[211704]: 1 added, 0 removed; done.
Jan 10 13:00:41.227257 osdx ca-certificates[211710]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 13:00:41.229851 osdx ca-certificates[211712]: done.
Jan 10 13:00:41.288391 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 13:00:41.289617 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 13:00:41.293964 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 13:00:41.322405 osdx dnscrypt-proxy[211716]: dnscrypt-proxy 2.0.45
Jan 10 13:00:41.322475 osdx dnscrypt-proxy[211716]: Network connectivity detected
Jan 10 13:00:41.322663 osdx dnscrypt-proxy[211716]: Dropping privileges
Jan 10 13:00:41.324817 osdx dnscrypt-proxy[211716]: Network connectivity detected
Jan 10 13:00:41.324818 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 13:00:41.324844 osdx dnscrypt-proxy[211716]: Now listening to 127.0.0.1:53 [UDP]
Jan 10 13:00:41.324848 osdx dnscrypt-proxy[211716]: Now listening to 127.0.0.1:53 [TCP]
Jan 10 13:00:41.324865 osdx dnscrypt-proxy[211716]: Firefox workaround initialized
Jan 10 13:00:41.324869 osdx dnscrypt-proxy[211716]: Loading the set of cloaking rules from [/tmp/tmp71jbk8sr]
Jan 10 13:00:41.474864 osdx dnscrypt-proxy[211716]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Jan 10 13:00:41.474878 osdx dnscrypt-proxy[211716]: [RD] OK (DoH) - rtt: 129ms
Jan 10 13:00:41.474885 osdx dnscrypt-proxy[211716]: Server with the lowest initial latency: RD (rtt: 129ms)
Jan 10 13:00:41.474889 osdx dnscrypt-proxy[211716]: dnscrypt-proxy is ready - live servers: 1
Jan 10 13:00:46.492035 osdx OSDxCLI[66002]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Jan 10 13:00:46.679870 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 2

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49200
Show output
Jan 10 13:00:46.896489 osdx systemd-journald[1741]: Runtime Journal (/run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71) is 2.0M, max 15.3M, 13.3M free.
Jan 10 13:00:46.900080 osdx systemd-journald[1741]: Received client request to rotate journal, rotating.
Jan 10 13:00:46.900128 osdx systemd-journald[1741]: Vacuuming done, freed 0B of archived journals from /run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71.
Jan 10 13:00:46.905165 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'system journal clear'.
Jan 10 13:00:47.148266 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 13:00:47.203502 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'delete '.
Jan 10 13:00:47.314992 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jan 10 13:00:47.375221 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 13:00:47.475936 osdx dnscrypt-proxy[211716]: Stopped.
Jan 10 13:00:47.476018 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Jan 10 13:00:47.477027 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Jan 10 13:00:47.477150 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 13:00:47.570041 osdx ca-certificates[211812]: Clearing symlinks in /etc/ssl/certs...
Jan 10 13:00:47.808007 osdx ca-certificates[212381]: done.
Jan 10 13:00:47.811429 osdx ca-certificates[212390]: Updating certificates in /etc/ssl/certs...
Jan 10 13:00:48.207035 osdx ca-certificates[213241]: 140 added, 0 removed; done.
Jan 10 13:00:48.210680 osdx ca-certificates[213248]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 13:00:48.213523 osdx ca-certificates[213250]: done.
Jan 10 13:00:48.241308 osdx INFO[213253]: FRR daemons did not change
Jan 10 13:00:48.241572 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 13:00:48.244241 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 13:00:48.261161 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 13:00:49.451277 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 13:00:49.509755 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 10 13:00:49.607793 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 10 13:00:49.672073 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 10 13:00:49.764235 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 10 13:00:49.823058 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'.
Jan 10 13:00:49.917964 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Jan 10 13:00:49.974147 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Jan 10 13:00:50.068519 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 10 13:00:50.138230 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 13:00:50.222582 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 13:00:50.300002 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 13:00:50.393224 osdx INFO[213298]: FRR daemons did not change
Jan 10 13:00:50.406260 osdx ca-certificates[213314]: Updating certificates in /etc/ssl/certs...
Jan 10 13:00:50.870210 osdx ca-certificates[214317]: 1 added, 0 removed; done.
Jan 10 13:00:50.872882 osdx ca-certificates[214324]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 13:00:50.875382 osdx ca-certificates[214326]: done.
Jan 10 13:00:50.896083 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 10 13:00:51.068401 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 13:00:51.069628 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 13:00:51.089094 osdx dnscrypt-proxy[214392]: dnscrypt-proxy 2.0.45
Jan 10 13:00:51.089318 osdx dnscrypt-proxy[214392]: Network connectivity detected
Jan 10 13:00:51.089514 osdx dnscrypt-proxy[214392]: Dropping privileges
Jan 10 13:00:51.091453 osdx dnscrypt-proxy[214392]: Network connectivity detected
Jan 10 13:00:51.091607 osdx dnscrypt-proxy[214392]: Now listening to 127.0.0.1:53 [UDP]
Jan 10 13:00:51.091638 osdx dnscrypt-proxy[214392]: Now listening to 127.0.0.1:53 [TCP]
Jan 10 13:00:51.091680 osdx dnscrypt-proxy[214392]: Firefox workaround initialized
Jan 10 13:00:51.091710 osdx dnscrypt-proxy[214392]: Loading the set of cloaking rules from [/tmp/tmpwjnqcsuq]
Jan 10 13:00:51.095339 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 13:00:51.111774 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 13:00:51.230328 osdx dnscrypt-proxy[214392]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Jan 10 13:00:51.230347 osdx dnscrypt-proxy[214392]: [RD] OK (DoH) - rtt: 115ms
Jan 10 13:00:51.230356 osdx dnscrypt-proxy[214392]: Server with the lowest initial latency: RD (rtt: 115ms)
Jan 10 13:00:51.230362 osdx dnscrypt-proxy[214392]: dnscrypt-proxy is ready - live servers: 1
Jan 10 13:00:51.258734 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 3

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 52392
Show output
Jan 10 13:00:51.457568 osdx systemd-journald[1741]: Runtime Journal (/run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71) is 2.0M, max 15.3M, 13.3M free.
Jan 10 13:00:51.460089 osdx systemd-journald[1741]: Received client request to rotate journal, rotating.
Jan 10 13:00:51.460135 osdx systemd-journald[1741]: Vacuuming done, freed 0B of archived journals from /run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71.
Jan 10 13:00:51.466771 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'system journal clear'.
Jan 10 13:00:51.743915 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 13:00:51.839918 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'delete '.
Jan 10 13:00:51.908860 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jan 10 13:00:52.011962 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 13:00:52.074198 osdx dnscrypt-proxy[214392]: Stopped.
Jan 10 13:00:52.074222 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Jan 10 13:00:52.074890 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Jan 10 13:00:52.074979 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 13:00:52.171553 osdx ca-certificates[214501]: Clearing symlinks in /etc/ssl/certs...
Jan 10 13:00:52.410764 osdx ca-certificates[215071]: done.
Jan 10 13:00:52.413620 osdx ca-certificates[215080]: Updating certificates in /etc/ssl/certs...
Jan 10 13:00:52.836945 osdx ca-certificates[215931]: 140 added, 0 removed; done.
Jan 10 13:00:52.839648 osdx ca-certificates[215937]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 13:00:52.842181 osdx ca-certificates[215939]: done.
Jan 10 13:00:52.871273 osdx INFO[215942]: FRR daemons did not change
Jan 10 13:00:52.871732 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 13:00:52.874051 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 13:00:52.891464 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 13:00:54.079643 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 13:00:54.138277 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 10 13:00:54.235457 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 10 13:00:54.298285 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 10 13:00:54.391931 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 10 13:00:54.448215 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'.
Jan 10 13:00:54.540607 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Jan 10 13:00:54.595840 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Jan 10 13:00:54.686939 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 10 13:00:54.755202 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 13:00:54.840199 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 13:00:54.915096 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 13:00:55.016247 osdx INFO[215987]: FRR daemons did not change
Jan 10 13:00:55.027672 osdx ca-certificates[216003]: Updating certificates in /etc/ssl/certs...
Jan 10 13:00:55.470493 osdx ca-certificates[217006]: 1 added, 0 removed; done.
Jan 10 13:00:55.473372 osdx ca-certificates[217013]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 13:00:55.476947 osdx ca-certificates[217015]: done.
Jan 10 13:00:55.496084 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 10 13:00:55.676581 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 13:00:55.678686 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 13:00:55.700545 osdx dnscrypt-proxy[217081]: dnscrypt-proxy 2.0.45
Jan 10 13:00:55.700601 osdx dnscrypt-proxy[217081]: Network connectivity detected
Jan 10 13:00:55.700774 osdx dnscrypt-proxy[217081]: Dropping privileges
Jan 10 13:00:55.702698 osdx dnscrypt-proxy[217081]: Network connectivity detected
Jan 10 13:00:55.702723 osdx dnscrypt-proxy[217081]: Now listening to 127.0.0.1:53 [UDP]
Jan 10 13:00:55.702727 osdx dnscrypt-proxy[217081]: Now listening to 127.0.0.1:53 [TCP]
Jan 10 13:00:55.702750 osdx dnscrypt-proxy[217081]: Firefox workaround initialized
Jan 10 13:00:55.702754 osdx dnscrypt-proxy[217081]: Loading the set of cloaking rules from [/tmp/tmporf06gf6]
Jan 10 13:00:55.715578 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 13:00:55.732393 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 13:00:55.838313 osdx dnscrypt-proxy[217081]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Jan 10 13:00:55.838328 osdx dnscrypt-proxy[217081]: [RD] OK (DoH) - rtt: 112ms
Jan 10 13:00:55.838337 osdx dnscrypt-proxy[217081]: Server with the lowest initial latency: RD (rtt: 112ms)
Jan 10 13:00:55.838342 osdx dnscrypt-proxy[217081]: dnscrypt-proxy is ready - live servers: 1
Jan 10 13:00:55.886796 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 4

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Show output
Jan 10 13:00:56.087458 osdx systemd-journald[1741]: Runtime Journal (/run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71) is 2.0M, max 15.3M, 13.3M free.
Jan 10 13:00:56.088081 osdx systemd-journald[1741]: Received client request to rotate journal, rotating.
Jan 10 13:00:56.088124 osdx systemd-journald[1741]: Vacuuming done, freed 0B of archived journals from /run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71.
Jan 10 13:00:56.096600 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'system journal clear'.
Jan 10 13:00:56.338868 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 13:00:56.393305 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'delete '.
Jan 10 13:00:56.501476 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jan 10 13:00:56.565302 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 13:00:56.664177 osdx dnscrypt-proxy[217081]: Stopped.
Jan 10 13:00:56.664209 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Jan 10 13:00:56.665014 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Jan 10 13:00:56.665130 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 13:00:56.760746 osdx ca-certificates[217190]: Clearing symlinks in /etc/ssl/certs...
Jan 10 13:00:56.991575 osdx ca-certificates[217760]: done.
Jan 10 13:00:56.995422 osdx ca-certificates[217772]: Updating certificates in /etc/ssl/certs...
Jan 10 13:00:57.378780 osdx ca-certificates[218619]: 140 added, 0 removed; done.
Jan 10 13:00:57.381507 osdx ca-certificates[218626]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 13:00:57.384163 osdx ca-certificates[218628]: done.
Jan 10 13:00:57.417052 osdx INFO[218631]: FRR daemons did not change
Jan 10 13:00:57.417558 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 13:00:57.419962 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 13:00:57.441685 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 13:00:58.619668 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 13:00:58.677185 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 10 13:00:58.777484 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 10 13:00:58.839740 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 10 13:00:58.934263 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 10 13:00:59.034321 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'.
Jan 10 13:00:59.087240 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Jan 10 13:00:59.187962 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Jan 10 13:00:59.238824 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 10 13:00:59.357706 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 13:00:59.410278 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 13:00:59.526397 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 13:00:59.599836 osdx INFO[218676]: FRR daemons did not change
Jan 10 13:00:59.618357 osdx ca-certificates[218692]: Updating certificates in /etc/ssl/certs...
Jan 10 13:01:00.070053 osdx ca-certificates[219696]: 1 added, 0 removed; done.
Jan 10 13:01:00.073923 osdx ca-certificates[219702]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 13:01:00.076615 osdx ca-certificates[219704]: done.
Jan 10 13:01:00.096088 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 10 13:01:00.244386 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 13:01:00.245649 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 13:01:00.264457 osdx dnscrypt-proxy[219770]: dnscrypt-proxy 2.0.45
Jan 10 13:01:00.264517 osdx dnscrypt-proxy[219770]: Network connectivity detected
Jan 10 13:01:00.264688 osdx dnscrypt-proxy[219770]: Dropping privileges
Jan 10 13:01:00.266801 osdx dnscrypt-proxy[219770]: Network connectivity detected
Jan 10 13:01:00.266833 osdx dnscrypt-proxy[219770]: Now listening to 127.0.0.1:53 [UDP]
Jan 10 13:01:00.266837 osdx dnscrypt-proxy[219770]: Now listening to 127.0.0.1:53 [TCP]
Jan 10 13:01:00.266855 osdx dnscrypt-proxy[219770]: Firefox workaround initialized
Jan 10 13:01:00.266859 osdx dnscrypt-proxy[219770]: Loading the set of cloaking rules from [/tmp/tmptidizzev]
Jan 10 13:01:00.271588 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 13:01:00.288348 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 13:01:00.429263 osdx dnscrypt-proxy[219770]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Jan 10 13:01:00.429281 osdx dnscrypt-proxy[219770]: [RD] OK (DoH) - rtt: 140ms
Jan 10 13:01:00.429291 osdx dnscrypt-proxy[219770]: Server with the lowest initial latency: RD (rtt: 140ms)
Jan 10 13:01:00.429296 osdx dnscrypt-proxy[219770]: dnscrypt-proxy is ready - live servers: 1
Jan 10 13:01:00.437107 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 5

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49200
Show output
Jan 10 13:01:00.646511 osdx systemd-journald[1741]: Runtime Journal (/run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71) is 2.0M, max 15.3M, 13.3M free.
Jan 10 13:01:00.648099 osdx systemd-journald[1741]: Received client request to rotate journal, rotating.
Jan 10 13:01:00.648148 osdx systemd-journald[1741]: Vacuuming done, freed 0B of archived journals from /run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71.
Jan 10 13:01:00.657827 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'system journal clear'.
Jan 10 13:01:00.940215 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 13:01:00.998153 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'delete '.
Jan 10 13:01:01.107187 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jan 10 13:01:01.167622 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 13:01:01.266346 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Jan 10 13:01:01.266350 osdx dnscrypt-proxy[219770]: Stopped.
Jan 10 13:01:01.267117 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Jan 10 13:01:01.267217 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 13:01:01.374094 osdx ca-certificates[219879]: Clearing symlinks in /etc/ssl/certs...
Jan 10 13:01:01.623179 osdx ca-certificates[220448]: done.
Jan 10 13:01:01.626065 osdx ca-certificates[220458]: Updating certificates in /etc/ssl/certs...
Jan 10 13:01:02.007035 osdx ca-certificates[221311]: 140 added, 0 removed; done.
Jan 10 13:01:02.009767 osdx ca-certificates[221318]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 13:01:02.012428 osdx ca-certificates[221320]: done.
Jan 10 13:01:02.040750 osdx INFO[221323]: FRR daemons did not change
Jan 10 13:01:02.041018 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 13:01:02.043116 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 13:01:02.059873 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 13:01:03.232977 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 13:01:03.290252 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 10 13:01:03.386456 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 10 13:01:03.448244 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 10 13:01:03.538794 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 10 13:01:03.596217 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'.
Jan 10 13:01:03.691136 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Jan 10 13:01:03.746771 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Jan 10 13:01:03.838847 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 10 13:01:03.907734 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 13:01:03.990790 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 13:01:04.061201 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 13:01:04.160380 osdx INFO[221368]: FRR daemons did not change
Jan 10 13:01:04.175911 osdx ca-certificates[221384]: Updating certificates in /etc/ssl/certs...
Jan 10 13:01:04.628325 osdx ca-certificates[222388]: 1 added, 0 removed; done.
Jan 10 13:01:04.631061 osdx ca-certificates[222394]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 13:01:04.634709 osdx ca-certificates[222396]: done.
Jan 10 13:01:04.652092 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 10 13:01:04.816563 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 13:01:04.818573 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 13:01:04.843956 osdx dnscrypt-proxy[222462]: dnscrypt-proxy 2.0.45
Jan 10 13:01:04.844341 osdx dnscrypt-proxy[222462]: Network connectivity detected
Jan 10 13:01:04.844665 osdx dnscrypt-proxy[222462]: Dropping privileges
Jan 10 13:01:04.847468 osdx dnscrypt-proxy[222462]: Network connectivity detected
Jan 10 13:01:04.847503 osdx dnscrypt-proxy[222462]: Now listening to 127.0.0.1:53 [UDP]
Jan 10 13:01:04.847508 osdx dnscrypt-proxy[222462]: Now listening to 127.0.0.1:53 [TCP]
Jan 10 13:01:04.847539 osdx dnscrypt-proxy[222462]: Firefox workaround initialized
Jan 10 13:01:04.847544 osdx dnscrypt-proxy[222462]: Loading the set of cloaking rules from [/tmp/tmpt5shg2sg]
Jan 10 13:01:04.852394 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 13:01:04.876937 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 13:01:05.002860 osdx dnscrypt-proxy[222462]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Jan 10 13:01:05.002872 osdx dnscrypt-proxy[222462]: [RD] OK (DoH) - rtt: 127ms
Jan 10 13:01:05.002879 osdx dnscrypt-proxy[222462]: Server with the lowest initial latency: RD (rtt: 127ms)
Jan 10 13:01:05.002883 osdx dnscrypt-proxy[222462]: dnscrypt-proxy is ready - live servers: 1
Jan 10 13:01:05.027834 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 6

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 52392
Show output
Jan 10 13:01:05.225432 osdx systemd-journald[1741]: Runtime Journal (/run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71) is 2.0M, max 15.3M, 13.3M free.
Jan 10 13:01:05.228085 osdx systemd-journald[1741]: Received client request to rotate journal, rotating.
Jan 10 13:01:05.228141 osdx systemd-journald[1741]: Vacuuming done, freed 0B of archived journals from /run/log/journal/fda2548b09bd4d8ba0d8cad09b8eab71.
Jan 10 13:01:05.234762 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'system journal clear'.
Jan 10 13:01:05.479838 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 13:01:05.574330 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'delete '.
Jan 10 13:01:05.642395 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Jan 10 13:01:05.740972 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 13:01:05.803943 osdx dnscrypt-proxy[222462]: Stopped.
Jan 10 13:01:05.803986 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Jan 10 13:01:05.804738 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Jan 10 13:01:05.804843 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 13:01:05.894081 osdx ca-certificates[222571]: Clearing symlinks in /etc/ssl/certs...
Jan 10 13:01:06.125024 osdx ca-certificates[223140]: done.
Jan 10 13:01:06.127860 osdx ca-certificates[223148]: Updating certificates in /etc/ssl/certs...
Jan 10 13:01:06.533017 osdx ca-certificates[224000]: 140 added, 0 removed; done.
Jan 10 13:01:06.536680 osdx ca-certificates[224007]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 13:01:06.539258 osdx ca-certificates[224009]: done.
Jan 10 13:01:06.577886 osdx INFO[224012]: FRR daemons did not change
Jan 10 13:01:06.578326 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 13:01:06.580814 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 13:01:06.597486 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 13:01:07.765040 osdx OSDxCLI[66002]: User 'admin' entered the configuration menu.
Jan 10 13:01:07.824251 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 10 13:01:07.923801 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Jan 10 13:01:07.988746 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Jan 10 13:01:08.030492 osdx systemd[1]: systemd-timedated.service: Deactivated successfully.
Jan 10 13:01:08.082342 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Jan 10 13:01:08.143173 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194'.
Jan 10 13:01:08.253081 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Jan 10 13:01:08.328015 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Jan 10 13:01:08.391166 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 10 13:01:08.513559 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 10 13:01:08.569510 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 13:01:08.693507 osdx OSDxCLI[66002]: User 'admin' added a new cfg line: 'show working'.
Jan 10 13:01:08.779593 osdx INFO[224059]: FRR daemons did not change
Jan 10 13:01:08.791000 osdx ca-certificates[224075]: Updating certificates in /etc/ssl/certs...
Jan 10 13:01:09.245090 osdx ca-certificates[225079]: 1 added, 0 removed; done.
Jan 10 13:01:09.247813 osdx ca-certificates[225085]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 13:01:09.250614 osdx ca-certificates[225087]: done.
Jan 10 13:01:09.268083 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 10 13:01:09.432332 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 13:01:09.433358 osdx cfgd[1445]: [66002]Completed change to active configuration
Jan 10 13:01:09.458652 osdx OSDxCLI[66002]: User 'admin' committed the configuration.
Jan 10 13:01:09.460147 osdx dnscrypt-proxy[225153]: dnscrypt-proxy 2.0.45
Jan 10 13:01:09.460201 osdx dnscrypt-proxy[225153]: Network connectivity detected
Jan 10 13:01:09.460378 osdx dnscrypt-proxy[225153]: Dropping privileges
Jan 10 13:01:09.462371 osdx dnscrypt-proxy[225153]: Network connectivity detected
Jan 10 13:01:09.462396 osdx dnscrypt-proxy[225153]: Now listening to 127.0.0.1:53 [UDP]
Jan 10 13:01:09.462400 osdx dnscrypt-proxy[225153]: Now listening to 127.0.0.1:53 [TCP]
Jan 10 13:01:09.462418 osdx dnscrypt-proxy[225153]: Firefox workaround initialized
Jan 10 13:01:09.462422 osdx dnscrypt-proxy[225153]: Loading the set of cloaking rules from [/tmp/tmpgyfzf_d8]
Jan 10 13:01:09.484338 osdx OSDxCLI[66002]: User 'admin' left the configuration menu.
Jan 10 13:01:09.600596 osdx dnscrypt-proxy[225153]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Jan 10 13:01:09.600611 osdx dnscrypt-proxy[225153]: [RD] OK (DoH) - rtt: 116ms
Jan 10 13:01:09.600620 osdx dnscrypt-proxy[225153]: Server with the lowest initial latency: RD (rtt: 116ms)
Jan 10 13:01:09.600625 osdx dnscrypt-proxy[225153]: dnscrypt-proxy is ready - live servers: 1
Jan 10 13:01:09.632564 osdx OSDxCLI[66002]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
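
The decimal value checked in Step 3 of these examples is the IANA code point of the negotiated TLS cipher suite (49199 = 0xC02F, 49200 = 0xC030, 52392 = 0xCCA8). The Python sketch below is an added example, not part of the OSDx test suite: it decodes that value from journal lines, checks it against the ciphers configured in the same run, and flags a run in which RC4 or 3DES was negotiated. The sample journal is constructed in the format shown above (its second run is a made-up failing case), and reading the logged TLS version as hexadecimal is an assumption.

```python
import re

# IANA code points for the five suites configured on this page.
SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}
WEAK = {0x0005, 0x000A}  # RC4 and 3DES must never be the negotiated suite

# Assumption: the "TLS version" field is printed in hex (303 -> 0x0303).
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

RESET_RE = re.compile(r"cfg line: 'delete '")
CFG_RE = re.compile(r"set service dns proxy cipher \d+ algorithm (\w+)")
NEG_RE = re.compile(
    r"\[(?P<server>[^\]]+)\] TLS version: (?P<ver>[0-9a-fA-F]+)"
    r" - Protocol: \S+ - Cipher suite: (?P<suite>\d+)"
)


def audit(journal):
    """Return one record per negotiated DoH session found in the journal."""
    configured = []  # cipher names set since the last 'delete'
    results = []
    for line in journal.splitlines():
        if RESET_RE.search(line):
            configured = []  # the test wipes the configuration between runs
            continue
        m = CFG_RE.search(line)
        if m:
            configured.append(m.group(1))
            continue
        m = NEG_RE.search(line)
        if not m:
            continue
        suite_id = int(m.group("suite"))
        name = SUITES.get(suite_id, f"UNKNOWN_0x{suite_id:04X}")
        version = int(m.group("ver"), 16)
        if suite_id in WEAK:
            verdict = "weak"         # a broken suite was actually negotiated
        elif name not in configured:
            verdict = "unexpected"   # the cipher restriction was not applied
        else:
            verdict = "ok"
        results.append({
            "server": m.group("server"),
            "tls_version": TLS_VERSIONS.get(version, hex(version)),
            "suite_id": suite_id,
            "suite_name": name,
            "configured": list(configured),
            "verdict": verdict,
        })
    return results


# Constructed sample: run 1 mirrors Example 3; run 2 is an invented failure.
SAMPLE_JOURNAL = """\
Jan 10 13:00:51.839918 osdx OSDxCLI[1]: User 'admin' added a new cfg line: 'delete '.
Jan 10 13:00:54.540607 osdx OSDxCLI[1]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Jan 10 13:00:54.595840 osdx OSDxCLI[1]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Jan 10 13:00:55.838313 osdx dnscrypt-proxy[2]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Jan 10 13:00:56.393305 osdx OSDxCLI[1]: User 'admin' added a new cfg line: 'delete '.
Jan 10 13:00:59.087240 osdx OSDxCLI[1]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Jan 10 13:00:59.187962 osdx OSDxCLI[1]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Jan 10 13:01:00.429263 osdx dnscrypt-proxy[3]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 10
"""

if __name__ == "__main__":
    for record in audit(SAMPLE_JOURNAL):
        print(f"{record['server']}: {record['tls_version']} "
              f"{record['suite_name']} ({record['suite_id']}) -> {record['verdict']}")
```

A verdict of "ok" means the negotiated suite is one of the configured ones and is not RC4 or 3DES, which is the outcome each example on this page expects.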