Cipher

Test suite that validates the use of one or more ciphers to protect the DoH connection.

Single Valid Cipher

Description

Configures a single, valid cipher and tries to communicate with the server. No refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Output:
Mar 10 12:52:45.327555 osdx systemd-journald[51744]: Runtime Journal (/run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6) is 2.0M, max 15.3M, 13.2M free.
Mar 10 12:52:45.328208 osdx systemd-journald[51744]: Received client request to rotate journal, rotating.
Mar 10 12:52:45.328252 osdx systemd-journald[51744]: Vacuuming done, freed 0B of archived journals from /run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6.
Mar 10 12:52:45.339938 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'system journal clear'.
Mar 10 12:52:45.692715 osdx osdx-coredump[281629]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Mar 10 12:52:45.700812 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'system coredump delete all'.
Mar 10 12:52:46.211532 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:52:46.285475 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 10 12:52:46.367976 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 10 12:52:46.434324 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:52:46.528142 osdx INFO[281653]: FRR daemons did not change
Mar 10 12:52:46.547898 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 10 12:52:46.664910 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:52:46.690875 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:52:46.710084 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:52:46.852615 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Mar 10 12:52:46.974090 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:52:47.032785 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 10 12:52:47.129339 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Mar 10 12:52:47.191783 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Mar 10 12:52:47.280530 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Mar 10 12:52:47.340047 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6'.
Mar 10 12:52:47.427554 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Mar 10 12:52:47.481687 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Mar 10 12:52:47.592420 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 10 12:52:47.645854 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 10 12:52:47.766203 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:52:47.836260 osdx INFO[281776]: FRR daemons did not change
Mar 10 12:52:47.849174 osdx ca-certificates[281792]: Updating certificates in /etc/ssl/certs...
Mar 10 12:52:48.355071 osdx ca-certificates[282796]: 1 added, 0 removed; done.
Mar 10 12:52:48.357949 osdx ca-certificates[282802]: Running hooks in /etc/ca-certificates/update.d...
Mar 10 12:52:48.360817 osdx ca-certificates[282804]: done.
Mar 10 12:52:48.416289 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:52:48.417694 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:52:48.421458 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:52:48.453846 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:52:48.456081 osdx dnscrypt-proxy[282808]: dnscrypt-proxy 2.0.45
Mar 10 12:52:48.456148 osdx dnscrypt-proxy[282808]: Network connectivity detected
Mar 10 12:52:48.456362 osdx dnscrypt-proxy[282808]: Dropping privileges
Mar 10 12:52:48.458394 osdx dnscrypt-proxy[282808]: Network connectivity detected
Mar 10 12:52:48.458427 osdx dnscrypt-proxy[282808]: Now listening to 127.0.0.1:53 [UDP]
Mar 10 12:52:48.458432 osdx dnscrypt-proxy[282808]: Now listening to 127.0.0.1:53 [TCP]
Mar 10 12:52:48.458457 osdx dnscrypt-proxy[282808]: Firefox workaround initialized
Mar 10 12:52:48.458462 osdx dnscrypt-proxy[282808]: Loading the set of cloaking rules from [/tmp/tmptzpiw38w]
Mar 10 12:52:48.562441 osdx dnscrypt-proxy[282808]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Mar 10 12:52:48.562459 osdx dnscrypt-proxy[282808]: [RD] OK (DoH) - rtt: 81ms
Mar 10 12:52:48.562468 osdx dnscrypt-proxy[282808]: Server with the lowest initial latency: RD (rtt: 81ms)
Mar 10 12:52:48.562474 osdx dnscrypt-proxy[282808]: dnscrypt-proxy is ready - live servers: 1
Mar 10 12:52:48.606859 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Multiple Valid Cipher

Description

Configures one valid cipher at a time and tries to communicate with the server. No refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Output:
Mar 10 12:52:55.301268 osdx systemd-journald[51744]: Runtime Journal (/run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6) is 2.0M, max 15.3M, 13.3M free.
Mar 10 12:52:55.301962 osdx systemd-journald[51744]: Received client request to rotate journal, rotating.
Mar 10 12:52:55.302008 osdx systemd-journald[51744]: Vacuuming done, freed 0B of archived journals from /run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6.
Mar 10 12:52:55.310923 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'system journal clear'.
Mar 10 12:52:55.624557 osdx osdx-coredump[284439]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Mar 10 12:52:55.632043 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'system coredump delete all'.
Mar 10 12:52:56.091927 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:52:56.168707 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 10 12:52:56.252904 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 10 12:52:56.326549 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:52:56.417464 osdx INFO[284463]: FRR daemons did not change
Mar 10 12:52:56.437953 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 10 12:52:56.539275 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:52:56.564324 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:52:56.582360 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:52:56.723440 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Mar 10 12:52:56.868887 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:52:56.928864 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 10 12:52:57.027203 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Mar 10 12:52:57.090329 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Mar 10 12:52:57.185985 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Mar 10 12:52:57.289835 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6'.
Mar 10 12:52:57.344685 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Mar 10 12:52:57.443205 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Mar 10 12:52:57.542765 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 10 12:52:57.627527 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 10 12:52:57.771786 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:52:57.849401 osdx INFO[284586]: FRR daemons did not change
Mar 10 12:52:57.862330 osdx ca-certificates[284602]: Updating certificates in /etc/ssl/certs...
Mar 10 12:52:58.378213 osdx ca-certificates[285606]: 1 added, 0 removed; done.
Mar 10 12:52:58.381073 osdx ca-certificates[285612]: Running hooks in /etc/ca-certificates/update.d...
Mar 10 12:52:58.383934 osdx ca-certificates[285614]: done.
Mar 10 12:52:58.458223 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:52:58.459439 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:52:58.462343 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:52:58.480203 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:52:58.482431 osdx dnscrypt-proxy[285618]: dnscrypt-proxy 2.0.45
Mar 10 12:52:58.482500 osdx dnscrypt-proxy[285618]: Network connectivity detected
Mar 10 12:52:58.482726 osdx dnscrypt-proxy[285618]: Dropping privileges
Mar 10 12:52:58.485114 osdx dnscrypt-proxy[285618]: Network connectivity detected
Mar 10 12:52:58.485141 osdx dnscrypt-proxy[285618]: Now listening to 127.0.0.1:53 [UDP]
Mar 10 12:52:58.485145 osdx dnscrypt-proxy[285618]: Now listening to 127.0.0.1:53 [TCP]
Mar 10 12:52:58.485165 osdx dnscrypt-proxy[285618]: Firefox workaround initialized
Mar 10 12:52:58.485170 osdx dnscrypt-proxy[285618]: Loading the set of cloaking rules from [/tmp/tmpzdtservm]
Mar 10 12:52:58.583539 osdx dnscrypt-proxy[285618]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Mar 10 12:52:58.583683 osdx dnscrypt-proxy[285618]: [RD] OK (DoH) - rtt: 76ms
Mar 10 12:52:58.583728 osdx dnscrypt-proxy[285618]: Server with the lowest initial latency: RD (rtt: 76ms)
Mar 10 12:52:58.583762 osdx dnscrypt-proxy[285618]: dnscrypt-proxy is ready - live servers: 1
Mar 10 12:52:58.637558 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 2

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49200
Output:
Mar 10 12:52:58.855380 osdx systemd-journald[51744]: Runtime Journal (/run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6) is 2.0M, max 15.3M, 13.3M free.
Mar 10 12:52:58.857938 osdx systemd-journald[51744]: Received client request to rotate journal, rotating.
Mar 10 12:52:58.857987 osdx systemd-journald[51744]: Vacuuming done, freed 0B of archived journals from /run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6.
Mar 10 12:52:58.865746 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'system journal clear'.
Mar 10 12:52:59.174982 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:52:59.284274 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'delete '.
Mar 10 12:52:59.367694 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Mar 10 12:52:59.482085 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:52:59.546051 osdx dnscrypt-proxy[285618]: Stopped.
Mar 10 12:52:59.546118 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Mar 10 12:52:59.547457 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Mar 10 12:52:59.547585 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:52:59.657745 osdx ca-certificates[285707]: Clearing symlinks in /etc/ssl/certs...
Mar 10 12:52:59.908814 osdx ca-certificates[286276]: done.
Mar 10 12:52:59.912320 osdx ca-certificates[286286]: Updating certificates in /etc/ssl/certs...
Mar 10 12:53:00.307591 osdx ca-certificates[287136]: 140 added, 0 removed; done.
Mar 10 12:53:00.310547 osdx ca-certificates[287143]: Running hooks in /etc/ca-certificates/update.d...
Mar 10 12:53:00.313555 osdx ca-certificates[287145]: done.
Mar 10 12:53:00.342031 osdx INFO[287148]: FRR daemons did not change
Mar 10 12:53:00.342417 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:53:00.344622 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:53:00.363498 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:53:01.679399 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:53:01.752033 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 10 12:53:01.863318 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Mar 10 12:53:01.944307 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Mar 10 12:53:02.071963 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Mar 10 12:53:02.139111 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6'.
Mar 10 12:53:02.236789 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Mar 10 12:53:02.293143 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Mar 10 12:53:02.405631 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 10 12:53:02.460544 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 10 12:53:02.576448 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:53:02.693958 osdx INFO[287193]: FRR daemons did not change
Mar 10 12:53:02.711747 osdx ca-certificates[287209]: Updating certificates in /etc/ssl/certs...
Mar 10 12:53:03.208370 osdx ca-certificates[288213]: 1 added, 0 removed; done.
Mar 10 12:53:03.211283 osdx ca-certificates[288219]: Running hooks in /etc/ca-certificates/update.d...
Mar 10 12:53:03.214168 osdx ca-certificates[288221]: done.
Mar 10 12:53:03.233944 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 10 12:53:03.410448 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:53:03.411927 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:53:03.431249 osdx dnscrypt-proxy[288287]: dnscrypt-proxy 2.0.45
Mar 10 12:53:03.431312 osdx dnscrypt-proxy[288287]: Network connectivity detected
Mar 10 12:53:03.431511 osdx dnscrypt-proxy[288287]: Dropping privileges
Mar 10 12:53:03.433597 osdx dnscrypt-proxy[288287]: Network connectivity detected
Mar 10 12:53:03.433625 osdx dnscrypt-proxy[288287]: Now listening to 127.0.0.1:53 [UDP]
Mar 10 12:53:03.433630 osdx dnscrypt-proxy[288287]: Now listening to 127.0.0.1:53 [TCP]
Mar 10 12:53:03.433649 osdx dnscrypt-proxy[288287]: Firefox workaround initialized
Mar 10 12:53:03.433653 osdx dnscrypt-proxy[288287]: Loading the set of cloaking rules from [/tmp/tmpm55hrur9]
Mar 10 12:53:03.451980 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:53:03.473319 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:53:03.533609 osdx dnscrypt-proxy[288287]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Mar 10 12:53:03.533623 osdx dnscrypt-proxy[288287]: [RD] OK (DoH) - rtt: 75ms
Mar 10 12:53:03.533630 osdx dnscrypt-proxy[288287]: Server with the lowest initial latency: RD (rtt: 75ms)
Mar 10 12:53:03.533635 osdx dnscrypt-proxy[288287]: dnscrypt-proxy is ready - live servers: 1
Mar 10 12:53:03.636031 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 3

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 52392
Output:
Mar 10 12:53:03.846437 osdx systemd-journald[51744]: Runtime Journal (/run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6) is 2.0M, max 15.3M, 13.3M free.
Mar 10 12:53:03.849942 osdx systemd-journald[51744]: Received client request to rotate journal, rotating.
Mar 10 12:53:03.850002 osdx systemd-journald[51744]: Vacuuming done, freed 0B of archived journals from /run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6.
Mar 10 12:53:03.855834 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'system journal clear'.
Mar 10 12:53:04.121849 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:53:04.196468 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'delete '.
Mar 10 12:53:04.306225 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Mar 10 12:53:04.393693 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:53:04.497196 osdx dnscrypt-proxy[288287]: Stopped.
Mar 10 12:53:04.497208 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Mar 10 12:53:04.498525 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Mar 10 12:53:04.498664 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:53:04.605942 osdx ca-certificates[288396]: Clearing symlinks in /etc/ssl/certs...
Mar 10 12:53:04.869111 osdx ca-certificates[288965]: done.
Mar 10 12:53:04.872215 osdx ca-certificates[288973]: Updating certificates in /etc/ssl/certs...
Mar 10 12:53:05.310974 osdx ca-certificates[289825]: 140 added, 0 removed; done.
Mar 10 12:53:05.313679 osdx ca-certificates[289832]: Running hooks in /etc/ca-certificates/update.d...
Mar 10 12:53:05.316380 osdx ca-certificates[289834]: done.
Mar 10 12:53:05.355622 osdx INFO[289837]: FRR daemons did not change
Mar 10 12:53:05.356101 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:53:05.358466 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:53:05.384067 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:53:06.655773 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:53:06.742949 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 10 12:53:06.813516 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Mar 10 12:53:06.932893 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Mar 10 12:53:07.055855 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Mar 10 12:53:07.147074 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6'.
Mar 10 12:53:07.215754 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Mar 10 12:53:07.324335 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Mar 10 12:53:07.402334 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 10 12:53:07.516650 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 10 12:53:07.602991 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:53:07.709846 osdx INFO[289879]: FRR daemons did not change
Mar 10 12:53:07.729423 osdx ca-certificates[289895]: Updating certificates in /etc/ssl/certs...
Mar 10 12:53:08.288881 osdx ca-certificates[290900]: 1 added, 0 removed; done.
Mar 10 12:53:08.291889 osdx ca-certificates[290905]: Running hooks in /etc/ca-certificates/update.d...
Mar 10 12:53:08.294876 osdx ca-certificates[290907]: done.
Mar 10 12:53:08.313943 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 10 12:53:08.494724 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:53:08.496614 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:53:08.525561 osdx dnscrypt-proxy[290973]: dnscrypt-proxy 2.0.45
Mar 10 12:53:08.525638 osdx dnscrypt-proxy[290973]: Network connectivity detected
Mar 10 12:53:08.525883 osdx dnscrypt-proxy[290973]: Dropping privileges
Mar 10 12:53:08.528536 osdx dnscrypt-proxy[290973]: Network connectivity detected
Mar 10 12:53:08.528574 osdx dnscrypt-proxy[290973]: Now listening to 127.0.0.1:53 [UDP]
Mar 10 12:53:08.528579 osdx dnscrypt-proxy[290973]: Now listening to 127.0.0.1:53 [TCP]
Mar 10 12:53:08.528606 osdx dnscrypt-proxy[290973]: Firefox workaround initialized
Mar 10 12:53:08.528611 osdx dnscrypt-proxy[290973]: Loading the set of cloaking rules from [/tmp/tmpw9exsrtz]
Mar 10 12:53:08.533642 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:53:08.577976 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:53:08.629955 osdx dnscrypt-proxy[290973]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Mar 10 12:53:08.629977 osdx dnscrypt-proxy[290973]: [RD] OK (DoH) - rtt: 76ms
Mar 10 12:53:08.629989 osdx dnscrypt-proxy[290973]: Server with the lowest initial latency: RD (rtt: 76ms)
Mar 10 12:53:08.629995 osdx dnscrypt-proxy[290973]: dnscrypt-proxy is ready - live servers: 1
Mar 10 12:53:08.743180 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Single Invalid Cipher

Description

Configures a single, invalid cipher and tries to communicate with the server. A refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
Mar 10 12:53:15.293674 osdx systemd-journald[51744]: Runtime Journal (/run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6) is 2.0M, max 15.3M, 13.3M free.
Mar 10 12:53:15.297704 osdx systemd-journald[51744]: Received client request to rotate journal, rotating.
Mar 10 12:53:15.297758 osdx systemd-journald[51744]: Vacuuming done, freed 0B of archived journals from /run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6.
Mar 10 12:53:15.303703 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'system journal clear'.
Mar 10 12:53:15.610874 osdx osdx-coredump[292622]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Mar 10 12:53:15.618459 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'system coredump delete all'.
Mar 10 12:53:16.075819 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:53:16.167945 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 10 12:53:16.264268 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 10 12:53:16.347245 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:53:16.455590 osdx INFO[292646]: FRR daemons did not change
Mar 10 12:53:16.473704 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 10 12:53:16.572181 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:53:16.597987 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:53:16.626267 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:53:16.784758 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Mar 10 12:53:16.990415 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:53:17.049663 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 10 12:53:17.144910 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Mar 10 12:53:17.207508 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Mar 10 12:53:17.298412 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Mar 10 12:53:17.354907 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6'.
Mar 10 12:53:17.449239 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Mar 10 12:53:17.502630 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Mar 10 12:53:17.610979 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 10 12:53:17.663179 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 10 12:53:17.779717 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:53:17.857648 osdx INFO[292769]: FRR daemons did not change
Mar 10 12:53:17.871204 osdx ca-certificates[292785]: Updating certificates in /etc/ssl/certs...
Mar 10 12:53:18.321896 osdx ca-certificates[293788]: 1 added, 0 removed; done.
Mar 10 12:53:18.324814 osdx ca-certificates[293795]: Running hooks in /etc/ca-certificates/update.d...
Mar 10 12:53:18.328547 osdx ca-certificates[293797]: done.
Mar 10 12:53:18.390084 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:53:18.391508 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:53:18.394402 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:53:18.411741 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:53:18.414396 osdx dnscrypt-proxy[293801]: dnscrypt-proxy 2.0.45
Mar 10 12:53:18.414456 osdx dnscrypt-proxy[293801]: Network connectivity detected
Mar 10 12:53:18.414640 osdx dnscrypt-proxy[293801]: Dropping privileges
Mar 10 12:53:18.416696 osdx dnscrypt-proxy[293801]: Network connectivity detected
Mar 10 12:53:18.416730 osdx dnscrypt-proxy[293801]: Now listening to 127.0.0.1:53 [UDP]
Mar 10 12:53:18.416736 osdx dnscrypt-proxy[293801]: Now listening to 127.0.0.1:53 [TCP]
Mar 10 12:53:18.416765 osdx dnscrypt-proxy[293801]: Firefox workaround initialized
Mar 10 12:53:18.416770 osdx dnscrypt-proxy[293801]: Loading the set of cloaking rules from [/tmp/tmpp1zjaupp]
Mar 10 12:53:18.417538 osdx dnscrypt-proxy[293801]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Mar 10 12:53:18.539399 osdx dnscrypt-proxy[293801]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Mar 10 12:53:18.539413 osdx dnscrypt-proxy[293801]: [RD] OK (DoH) - rtt: 75ms
Mar 10 12:53:18.539421 osdx dnscrypt-proxy[293801]: Server with the lowest initial latency: RD (rtt: 75ms)
Mar 10 12:53:18.539425 osdx dnscrypt-proxy[293801]: dnscrypt-proxy is ready - live servers: 1

Multiple Invalid Cipher

Description

Configures either one or two invalid ciphers and tries to communicate with the server. A refusal of all proposed ciphers is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Show output
Mar 10 12:53:25.307864 osdx systemd-journald[51744]: Runtime Journal (/run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6) is 2.0M, max 15.3M, 13.3M free.
Mar 10 12:53:25.309819 osdx systemd-journald[51744]: Received client request to rotate journal, rotating.
Mar 10 12:53:25.309860 osdx systemd-journald[51744]: Vacuuming done, freed 0B of archived journals from /run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6.
Mar 10 12:53:25.316935 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'system journal clear'.
Mar 10 12:53:25.676328 osdx osdx-coredump[295428]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Mar 10 12:53:25.684095 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'system coredump delete all'.
Mar 10 12:53:26.171961 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:53:26.254187 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 10 12:53:26.336879 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 10 12:53:26.419112 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:53:26.521812 osdx INFO[295452]: FRR daemons did not change
Mar 10 12:53:26.545822 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 10 12:53:26.653311 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:53:26.681680 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:53:26.707788 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:53:26.908941 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Mar 10 12:53:27.089111 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:53:27.164030 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 10 12:53:27.284432 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Mar 10 12:53:27.363081 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Mar 10 12:53:27.429558 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Mar 10 12:53:27.534177 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6'.
Mar 10 12:53:27.613232 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Mar 10 12:53:27.718559 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Mar 10 12:53:27.806374 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 10 12:53:27.897234 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 10 12:53:27.993365 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:53:28.104496 osdx INFO[295575]: FRR daemons did not change
Mar 10 12:53:28.119352 osdx ca-certificates[295591]: Updating certificates in /etc/ssl/certs...
Mar 10 12:53:28.605237 osdx ca-certificates[296594]: 1 added, 0 removed; done.
Mar 10 12:53:28.608140 osdx ca-certificates[296601]: Running hooks in /etc/ca-certificates/update.d...
Mar 10 12:53:28.610878 osdx ca-certificates[296603]: done.
Mar 10 12:53:28.682106 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:53:28.683509 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:53:28.686277 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:53:28.706814 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:53:28.713892 osdx dnscrypt-proxy[296607]: dnscrypt-proxy 2.0.45
Mar 10 12:53:28.713962 osdx dnscrypt-proxy[296607]: Network connectivity detected
Mar 10 12:53:28.714201 osdx dnscrypt-proxy[296607]: Dropping privileges
Mar 10 12:53:28.716499 osdx dnscrypt-proxy[296607]: Network connectivity detected
Mar 10 12:53:28.716526 osdx dnscrypt-proxy[296607]: Now listening to 127.0.0.1:53 [UDP]
Mar 10 12:53:28.716531 osdx dnscrypt-proxy[296607]: Now listening to 127.0.0.1:53 [TCP]
Mar 10 12:53:28.716555 osdx dnscrypt-proxy[296607]: Firefox workaround initialized
Mar 10 12:53:28.716559 osdx dnscrypt-proxy[296607]: Loading the set of cloaking rules from [/tmp/tmpfzbej07_]
Mar 10 12:53:28.717258 osdx dnscrypt-proxy[296607]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Mar 10 12:53:28.822785 osdx dnscrypt-proxy[296607]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Mar 10 12:53:28.822879 osdx dnscrypt-proxy[296607]: [RD] OK (DoH) - rtt: 82ms
Mar 10 12:53:28.822887 osdx dnscrypt-proxy[296607]: Server with the lowest initial latency: RD (rtt: 82ms)
Mar 10 12:53:28.822891 osdx dnscrypt-proxy[296607]: dnscrypt-proxy is ready - live servers: 1

Example 2

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Show output
Mar 10 12:53:28.936662 osdx systemd-journald[51744]: Runtime Journal (/run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6) is 2.0M, max 15.3M, 13.3M free.
Mar 10 12:53:28.937817 osdx systemd-journald[51744]: Received client request to rotate journal, rotating.
Mar 10 12:53:28.937876 osdx systemd-journald[51744]: Vacuuming done, freed 0B of archived journals from /run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6.
Mar 10 12:53:28.946344 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'system journal clear'.
Mar 10 12:53:29.223492 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:53:29.288201 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'delete '.
Mar 10 12:53:29.403098 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Mar 10 12:53:29.467811 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:53:29.556843 osdx dnscrypt-proxy[296607]: Stopped.
Mar 10 12:53:29.556899 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Mar 10 12:53:29.558107 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Mar 10 12:53:29.558223 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:53:29.673855 osdx ca-certificates[296693]: Clearing symlinks in /etc/ssl/certs...
Mar 10 12:53:29.940626 osdx ca-certificates[297262]: done.
Mar 10 12:53:29.943741 osdx ca-certificates[297271]: Updating certificates in /etc/ssl/certs...
Mar 10 12:53:30.362981 osdx ca-certificates[298123]: 140 added, 0 removed; done.
Mar 10 12:53:30.367123 osdx ca-certificates[298129]: Running hooks in /etc/ca-certificates/update.d...
Mar 10 12:53:30.370157 osdx ca-certificates[298131]: done.
Mar 10 12:53:30.401896 osdx INFO[298134]: FRR daemons did not change
Mar 10 12:53:30.402347 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:53:30.405196 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:53:30.423378 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:53:31.645699 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:53:31.709485 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 10 12:53:31.809002 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Mar 10 12:53:31.875248 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Mar 10 12:53:31.964781 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Mar 10 12:53:32.032138 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6'.
Mar 10 12:53:32.127164 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Mar 10 12:53:32.180497 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Mar 10 12:53:32.306027 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 10 12:53:32.371769 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 10 12:53:32.524767 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:53:32.607010 osdx INFO[298176]: FRR daemons did not change
Mar 10 12:53:32.618691 osdx ca-certificates[298192]: Updating certificates in /etc/ssl/certs...
Mar 10 12:53:33.118280 osdx ca-certificates[299195]: 1 added, 0 removed; done.
Mar 10 12:53:33.120996 osdx ca-certificates[299202]: Running hooks in /etc/ca-certificates/update.d...
Mar 10 12:53:33.123556 osdx ca-certificates[299204]: done.
Mar 10 12:53:33.145825 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 10 12:53:33.318252 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:53:33.320864 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:53:33.346975 osdx dnscrypt-proxy[299270]: dnscrypt-proxy 2.0.45
Mar 10 12:53:33.347057 osdx dnscrypt-proxy[299270]: Network connectivity detected
Mar 10 12:53:33.347282 osdx dnscrypt-proxy[299270]: Dropping privileges
Mar 10 12:53:33.349306 osdx dnscrypt-proxy[299270]: Network connectivity detected
Mar 10 12:53:33.349333 osdx dnscrypt-proxy[299270]: Now listening to 127.0.0.1:53 [UDP]
Mar 10 12:53:33.349337 osdx dnscrypt-proxy[299270]: Now listening to 127.0.0.1:53 [TCP]
Mar 10 12:53:33.349356 osdx dnscrypt-proxy[299270]: Firefox workaround initialized
Mar 10 12:53:33.349360 osdx dnscrypt-proxy[299270]: Loading the set of cloaking rules from [/tmp/tmpgiyl3mky]
Mar 10 12:53:33.350270 osdx dnscrypt-proxy[299270]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Mar 10 12:53:33.361285 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:53:33.384375 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.

Example 3

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Show output
Mar 10 12:53:33.651470 osdx systemd-journald[51744]: Runtime Journal (/run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6) is 2.0M, max 15.3M, 13.3M free.
Mar 10 12:53:33.653826 osdx systemd-journald[51744]: Received client request to rotate journal, rotating.
Mar 10 12:53:33.653900 osdx systemd-journald[51744]: Vacuuming done, freed 0B of archived journals from /run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6.
Mar 10 12:53:33.661192 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'system journal clear'.
Mar 10 12:53:33.924744 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:53:33.980688 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'delete '.
Mar 10 12:53:34.103918 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Mar 10 12:53:34.194774 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:53:34.261866 osdx dnscrypt-proxy[299270]: Stopped.
Mar 10 12:53:34.261941 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Mar 10 12:53:34.262852 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Mar 10 12:53:34.262957 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:53:34.363942 osdx ca-certificates[299375]: Clearing symlinks in /etc/ssl/certs...
Mar 10 12:53:34.628575 osdx ca-certificates[299944]: done.
Mar 10 12:53:34.632098 osdx ca-certificates[299954]: Updating certificates in /etc/ssl/certs...
Mar 10 12:53:35.075356 osdx ca-certificates[300804]: 140 added, 0 removed; done.
Mar 10 12:53:35.078384 osdx ca-certificates[300811]: Running hooks in /etc/ca-certificates/update.d...
Mar 10 12:53:35.081290 osdx ca-certificates[300813]: done.
Mar 10 12:53:35.121960 osdx INFO[300816]: FRR daemons did not change
Mar 10 12:53:35.122498 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:53:35.125858 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:53:35.152168 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:53:36.491853 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:53:36.584963 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 10 12:53:36.693816 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Mar 10 12:53:36.774617 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Mar 10 12:53:36.874576 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Mar 10 12:53:36.933533 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6'.
Mar 10 12:53:37.029512 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Mar 10 12:53:37.088334 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Mar 10 12:53:37.180466 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Mar 10 12:53:37.255432 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 10 12:53:37.368220 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 10 12:53:37.459702 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:53:37.552116 osdx INFO[300861]: FRR daemons did not change
Mar 10 12:53:37.568689 osdx ca-certificates[300877]: Updating certificates in /etc/ssl/certs...
Mar 10 12:53:38.083851 osdx ca-certificates[301881]: 1 added, 0 removed; done.
Mar 10 12:53:38.086745 osdx ca-certificates[301887]: Running hooks in /etc/ca-certificates/update.d...
Mar 10 12:53:38.089558 osdx ca-certificates[301889]: done.
Mar 10 12:53:38.113827 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 10 12:53:38.286126 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:53:38.287366 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:53:38.311788 osdx dnscrypt-proxy[301955]: dnscrypt-proxy 2.0.45
Mar 10 12:53:38.311878 osdx dnscrypt-proxy[301955]: Network connectivity detected
Mar 10 12:53:38.312142 osdx dnscrypt-proxy[301955]: Dropping privileges
Mar 10 12:53:38.315249 osdx dnscrypt-proxy[301955]: Network connectivity detected
Mar 10 12:53:38.315283 osdx dnscrypt-proxy[301955]: Now listening to 127.0.0.1:53 [UDP]
Mar 10 12:53:38.315288 osdx dnscrypt-proxy[301955]: Now listening to 127.0.0.1:53 [TCP]
Mar 10 12:53:38.315312 osdx dnscrypt-proxy[301955]: Firefox workaround initialized
Mar 10 12:53:38.315317 osdx dnscrypt-proxy[301955]: Loading the set of cloaking rules from [/tmp/tmpbz7cog62]
Mar 10 12:53:38.316501 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:53:38.317355 osdx dnscrypt-proxy[301955]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Mar 10 12:53:38.338214 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:53:38.458500 osdx dnscrypt-proxy[301955]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Mar 10 12:53:38.458648 osdx dnscrypt-proxy[301955]: [RD] OK (DoH) - rtt: 112ms
Mar 10 12:53:38.458689 osdx dnscrypt-proxy[301955]: Server with the lowest initial latency: RD (rtt: 112ms)
Mar 10 12:53:38.458724 osdx dnscrypt-proxy[301955]: dnscrypt-proxy is ready - live servers: 1
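
In the journal output of Example 1 and Example 3 above, the expected handshake-failure token is followed a moment later by a working DoH session on cipher suite 52392, which is not among the configured ciphers. The Python check below is an added example, not part of the OSDx test suite: it classifies each dnscrypt-proxy instance in a journal as refused, ok, or running outside the configured cipher list. The function names, verdict labels and suite-ID table are assumptions of this example; the sample lines are trimmed from the output on this page.

```python
import re

# IANA code points for the suites named on this page, plus 0xCCA8 (52392),
# which appears in the journal output above.
SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}
NAME_TO_ID = {name: code for code, name in SUITES.items()}

CFG_RE = re.compile(r"set service dns proxy cipher (\d+) algorithm ([A-Z0-9_]+)")
PROXY_RE = re.compile(r"dnscrypt-proxy\[(\d+)\]: (.*)$")
SESSION_RE = re.compile(r"\[([^\]]+)\] TLS version: [0-9a-fA-F]+ - Protocol: \S+ - Cipher suite: (\d+)$")
FAILURE = "TLS handshake failure"


def configured_suites(config_text):
    """Return the configured suite names, ordered by their cipher index."""
    found = []
    for line in config_text.splitlines():
        m = CFG_RE.search(line)
        if m:
            found.append((int(m.group(1)), m.group(2)))
    return [name for _, name in sorted(found)]


def audit(config_text, journal_text):
    """Classify every dnscrypt-proxy instance (keyed by PID) in the journal."""
    allowed = set()
    for name in configured_suites(config_text):
        if name not in NAME_TO_ID:
            # Refuse to guess: an unknown name would silently skew the verdict.
            raise ValueError(f"suite not in example table: {name}")
        allowed.add(NAME_TO_ID[name])

    per_pid = {}
    for line in journal_text.splitlines():
        m = PROXY_RE.search(line.strip())
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        state = per_pid.setdefault(pid, {"failure": False, "sessions": []})
        if msg.startswith(FAILURE):
            state["failure"] = True
        s = SESSION_RE.match(msg)
        if s:
            state["sessions"].append(int(s.group(2)))

    results = {}
    for pid, state in per_pid.items():
        if any(sid not in allowed for sid in state["sessions"]):
            verdict = "outside-policy"   # live session on a suite nobody configured
        elif state["sessions"]:
            verdict = "ok"               # negotiated suite is one of the configured ones
        elif state["failure"]:
            verdict = "refused"          # handshake failed and no session followed
        else:
            verdict = "no-session"
        results[pid] = {
            "verdict": verdict,
            "failure": state["failure"],
            "suites": [SUITES.get(sid, f"0x{sid:04X}") for sid in state["sessions"]],
        }
    return results


# Sample input: lines trimmed from the journal output shown on this page.
CONFIG_RC4 = "set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA"
CONFIG_FALLBACK = """
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
"""
JOURNAL_FAIL_THEN_SESSION = """
Mar 10 12:53:28.717258 osdx dnscrypt-proxy[296607]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Mar 10 12:53:28.822785 osdx dnscrypt-proxy[296607]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Mar 10 12:53:28.822879 osdx dnscrypt-proxy[296607]: [RD] OK (DoH) - rtt: 82ms
"""
JOURNAL_FAIL_ONLY = """
Mar 10 12:53:33.318252 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:53:33.346975 osdx dnscrypt-proxy[299270]: dnscrypt-proxy 2.0.45
Mar 10 12:53:33.350270 osdx dnscrypt-proxy[299270]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
"""
JOURNAL_FALLBACK_OK = """
Mar 10 12:53:48.903117 osdx dnscrypt-proxy[304783]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Mar 10 12:53:48.903132 osdx dnscrypt-proxy[304783]: [RD] OK (DoH) - rtt: 129ms
"""

if __name__ == "__main__":
    for cfg, journal in ((CONFIG_RC4, JOURNAL_FAIL_THEN_SESSION),
                         (CONFIG_RC4, JOURNAL_FAIL_ONLY),
                         (CONFIG_FALLBACK, JOURNAL_FALLBACK_OK)):
        print(audit(cfg, journal))
```

A journal check that only looks for the handshake-failure token passes on both the "refused" and the "outside-policy" cases, so the verdict has to come from the session lines as well.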

Invalid Cipher With Fallback

Description

Configures an invalid cipher followed by a valid fallback cipher, then tries to communicate with the server. No refusal is expected, as long as the valid proposed cipher is the one used.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Show output
Mar 10 12:53:45.320763 osdx systemd-journald[51744]: Runtime Journal (/run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6) is 2.0M, max 15.3M, 13.3M free.
Mar 10 12:53:45.322339 osdx systemd-journald[51744]: Received client request to rotate journal, rotating.
Mar 10 12:53:45.322396 osdx systemd-journald[51744]: Vacuuming done, freed 0B of archived journals from /run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6.
Mar 10 12:53:45.331629 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'system journal clear'.
Mar 10 12:53:45.658777 osdx osdx-coredump[303601]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Mar 10 12:53:45.666197 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'system coredump delete all'.
Mar 10 12:53:46.160620 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:53:46.243756 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 10 12:53:46.314378 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 10 12:53:46.422475 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:53:46.490456 osdx INFO[303625]: FRR daemons did not change
Mar 10 12:53:46.514333 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 10 12:53:46.627033 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:53:46.652134 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:53:46.677637 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:53:46.825973 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Mar 10 12:53:47.033240 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:53:47.093897 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 10 12:53:47.189772 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Mar 10 12:53:47.251517 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Mar 10 12:53:47.345423 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Mar 10 12:53:47.414693 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6'.
Mar 10 12:53:47.518796 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Mar 10 12:53:47.606409 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Mar 10 12:53:47.667409 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Mar 10 12:53:47.794895 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 10 12:53:47.869199 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 10 12:53:47.972172 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:53:48.134732 osdx INFO[303751]: FRR daemons did not change
Mar 10 12:53:48.147616 osdx ca-certificates[303766]: Updating certificates in /etc/ssl/certs...
Mar 10 12:53:48.653803 osdx ca-certificates[304771]: 1 added, 0 removed; done.
Mar 10 12:53:48.656879 osdx ca-certificates[304777]: Running hooks in /etc/ca-certificates/update.d...
Mar 10 12:53:48.659787 osdx ca-certificates[304779]: done.
Mar 10 12:53:48.726753 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:53:48.728228 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:53:48.731282 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:53:48.747754 osdx dnscrypt-proxy[304783]: dnscrypt-proxy 2.0.45
Mar 10 12:53:48.748071 osdx dnscrypt-proxy[304783]: Network connectivity detected
Mar 10 12:53:48.748322 osdx dnscrypt-proxy[304783]: Dropping privileges
Mar 10 12:53:48.750447 osdx dnscrypt-proxy[304783]: Network connectivity detected
Mar 10 12:53:48.750483 osdx dnscrypt-proxy[304783]: Now listening to 127.0.0.1:53 [UDP]
Mar 10 12:53:48.750489 osdx dnscrypt-proxy[304783]: Now listening to 127.0.0.1:53 [TCP]
Mar 10 12:53:48.750541 osdx dnscrypt-proxy[304783]: Firefox workaround initialized
Mar 10 12:53:48.750546 osdx dnscrypt-proxy[304783]: Loading the set of cloaking rules from [/tmp/tmpuwu68np0]
Mar 10 12:53:48.787054 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:53:48.903117 osdx dnscrypt-proxy[304783]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Mar 10 12:53:48.903132 osdx dnscrypt-proxy[304783]: [RD] OK (DoH) - rtt: 129ms
Mar 10 12:53:48.903144 osdx dnscrypt-proxy[304783]: Server with the lowest initial latency: RD (rtt: 129ms)
Mar 10 12:53:48.903151 osdx dnscrypt-proxy[304783]: dnscrypt-proxy is ready - live servers: 1
Mar 10 12:53:48.963140 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 2

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49200
Show output
Mar 10 12:53:49.177290 osdx systemd-journald[51744]: Runtime Journal (/run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6) is 2.0M, max 15.3M, 13.3M free.
Mar 10 12:53:49.178323 osdx systemd-journald[51744]: Received client request to rotate journal, rotating.
Mar 10 12:53:49.178371 osdx systemd-journald[51744]: Vacuuming done, freed 0B of archived journals from /run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6.
Mar 10 12:53:49.188340 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'system journal clear'.
Mar 10 12:53:49.463155 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:53:49.523191 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'delete '.
Mar 10 12:53:49.628115 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Mar 10 12:53:49.691203 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:53:49.790649 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Mar 10 12:53:49.790662 osdx dnscrypt-proxy[304783]: Stopped.
Mar 10 12:53:49.791624 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Mar 10 12:53:49.791731 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:53:49.894443 osdx ca-certificates[304872]: Clearing symlinks in /etc/ssl/certs...
Mar 10 12:53:50.177635 osdx ca-certificates[305442]: done.
Mar 10 12:53:50.181508 osdx ca-certificates[305451]: Updating certificates in /etc/ssl/certs...
Mar 10 12:53:50.640401 osdx ca-certificates[306302]: 140 added, 0 removed; done.
Mar 10 12:53:50.643220 osdx ca-certificates[306308]: Running hooks in /etc/ca-certificates/update.d...
Mar 10 12:53:50.646059 osdx ca-certificates[306310]: done.
Mar 10 12:53:50.689408 osdx INFO[306313]: FRR daemons did not change
Mar 10 12:53:50.689893 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:53:50.692225 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:53:50.724274 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:53:52.033014 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:53:52.099242 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 10 12:53:52.196671 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Mar 10 12:53:52.263252 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Mar 10 12:53:52.369706 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Mar 10 12:53:52.486193 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6'.
Mar 10 12:53:52.547294 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Mar 10 12:53:52.663199 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Mar 10 12:53:52.715847 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Mar 10 12:53:52.821297 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 10 12:53:52.878228 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 10 12:53:52.999374 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:53:53.077353 osdx INFO[306358]: FRR daemons did not change
Mar 10 12:53:53.092580 osdx ca-certificates[306374]: Updating certificates in /etc/ssl/certs...
Mar 10 12:53:53.613575 osdx ca-certificates[307377]: 1 added, 0 removed; done.
Mar 10 12:53:53.616769 osdx ca-certificates[307384]: Running hooks in /etc/ca-certificates/update.d...
Mar 10 12:53:53.620567 osdx ca-certificates[307386]: done.
Mar 10 12:53:53.642331 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 10 12:53:53.810634 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:53:53.811959 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:53:53.831781 osdx dnscrypt-proxy[307452]: dnscrypt-proxy 2.0.45
Mar 10 12:53:53.832072 osdx dnscrypt-proxy[307452]: Network connectivity detected
Mar 10 12:53:53.832304 osdx dnscrypt-proxy[307452]: Dropping privileges
Mar 10 12:53:53.834563 osdx dnscrypt-proxy[307452]: Network connectivity detected
Mar 10 12:53:53.834595 osdx dnscrypt-proxy[307452]: Now listening to 127.0.0.1:53 [UDP]
Mar 10 12:53:53.834599 osdx dnscrypt-proxy[307452]: Now listening to 127.0.0.1:53 [TCP]
Mar 10 12:53:53.834617 osdx dnscrypt-proxy[307452]: Firefox workaround initialized
Mar 10 12:53:53.834621 osdx dnscrypt-proxy[307452]: Loading the set of cloaking rules from [/tmp/tmp030vvbr_]
Mar 10 12:53:53.840826 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:53:53.861899 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:53:53.956059 osdx dnscrypt-proxy[307452]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Mar 10 12:53:53.956075 osdx dnscrypt-proxy[307452]: [RD] OK (DoH) - rtt: 96ms
Mar 10 12:53:53.956083 osdx dnscrypt-proxy[307452]: Server with the lowest initial latency: RD (rtt: 96ms)
Mar 10 12:53:53.956088 osdx dnscrypt-proxy[307452]: dnscrypt-proxy is ready - live servers: 1
Mar 10 12:53:54.030817 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 3

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 52392
Show output
Mar 10 12:53:54.238255 osdx systemd-journald[51744]: Runtime Journal (/run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6) is 2.0M, max 15.3M, 13.3M free.
Mar 10 12:53:54.238734 osdx systemd-journald[51744]: Received client request to rotate journal, rotating.
Mar 10 12:53:54.238764 osdx systemd-journald[51744]: Vacuuming done, freed 0B of archived journals from /run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6.
Mar 10 12:53:54.248677 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'system journal clear'.
Mar 10 12:53:54.535804 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:53:54.636251 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'delete '.
Mar 10 12:53:54.712010 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Mar 10 12:53:54.804816 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:53:54.870500 osdx dnscrypt-proxy[307452]: Stopped.
Mar 10 12:53:54.870574 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Mar 10 12:53:54.871240 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Mar 10 12:53:54.871354 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:53:54.975001 osdx ca-certificates[307560]: Clearing symlinks in /etc/ssl/certs...
Mar 10 12:53:55.223976 osdx ca-certificates[308129]: done.
Mar 10 12:53:55.227880 osdx ca-certificates[308139]: Updating certificates in /etc/ssl/certs...
Mar 10 12:53:55.680446 osdx ca-certificates[308989]: 140 added, 0 removed; done.
Mar 10 12:53:55.683224 osdx ca-certificates[308996]: Running hooks in /etc/ca-certificates/update.d...
Mar 10 12:53:55.685921 osdx ca-certificates[308998]: done.
Mar 10 12:53:55.725834 osdx INFO[309001]: FRR daemons did not change
Mar 10 12:53:55.726304 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:53:55.729521 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:53:55.747404 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:53:57.060376 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:53:57.121943 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 10 12:53:57.243681 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Mar 10 12:53:57.327188 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Mar 10 12:53:57.423912 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Mar 10 12:53:57.496708 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6'.
Mar 10 12:53:57.612997 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Mar 10 12:53:57.682155 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Mar 10 12:53:57.774740 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Mar 10 12:53:57.850401 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 10 12:53:57.935035 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 10 12:53:58.014942 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:53:58.146815 osdx INFO[309047]: FRR daemons did not change
Mar 10 12:53:58.161838 osdx ca-certificates[309062]: Updating certificates in /etc/ssl/certs...
Mar 10 12:53:58.713833 osdx ca-certificates[310067]: 1 added, 0 removed; done.
Mar 10 12:53:58.717724 osdx ca-certificates[310073]: Running hooks in /etc/ca-certificates/update.d...
Mar 10 12:53:58.720588 osdx ca-certificates[310075]: done.
Mar 10 12:53:58.742332 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 10 12:53:58.942821 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:53:58.944589 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:53:58.975762 osdx dnscrypt-proxy[310141]: dnscrypt-proxy 2.0.45
Mar 10 12:53:58.975822 osdx dnscrypt-proxy[310141]: Network connectivity detected
Mar 10 12:53:58.976006 osdx dnscrypt-proxy[310141]: Dropping privileges
Mar 10 12:53:58.977656 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:53:58.978630 osdx dnscrypt-proxy[310141]: Network connectivity detected
Mar 10 12:53:58.978661 osdx dnscrypt-proxy[310141]: Now listening to 127.0.0.1:53 [UDP]
Mar 10 12:53:58.978665 osdx dnscrypt-proxy[310141]: Now listening to 127.0.0.1:53 [TCP]
Mar 10 12:53:58.978684 osdx dnscrypt-proxy[310141]: Firefox workaround initialized
Mar 10 12:53:58.978687 osdx dnscrypt-proxy[310141]: Loading the set of cloaking rules from [/tmp/tmpygnpj1kf]
Mar 10 12:53:59.011701 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:53:59.126541 osdx dnscrypt-proxy[310141]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Mar 10 12:53:59.126556 osdx dnscrypt-proxy[310141]: [RD] OK (DoH) - rtt: 117ms
Mar 10 12:53:59.126564 osdx dnscrypt-proxy[310141]: Server with the lowest initial latency: RD (rtt: 117ms)
Mar 10 12:53:59.126569 osdx dnscrypt-proxy[310141]: dnscrypt-proxy is ready - live servers: 1
Mar 10 12:53:59.156655 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 4

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Show output
Mar 10 12:53:59.378488 osdx systemd-journald[51744]: Runtime Journal (/run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6) is 2.0M, max 15.3M, 13.3M free.
Mar 10 12:53:59.382329 osdx systemd-journald[51744]: Received client request to rotate journal, rotating.
Mar 10 12:53:59.382386 osdx systemd-journald[51744]: Vacuuming done, freed 0B of archived journals from /run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6.
Mar 10 12:53:59.388403 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'system journal clear'.
Mar 10 12:53:59.651121 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:53:59.709972 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'delete '.
Mar 10 12:53:59.819343 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Mar 10 12:53:59.883172 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:53:59.973994 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Mar 10 12:53:59.974009 osdx dnscrypt-proxy[310141]: Stopped.
Mar 10 12:53:59.975524 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Mar 10 12:53:59.975654 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:54:00.080067 osdx ca-certificates[310251]: Clearing symlinks in /etc/ssl/certs...
Mar 10 12:54:00.356246 osdx ca-certificates[310821]: done.
Mar 10 12:54:00.359341 osdx ca-certificates[310830]: Updating certificates in /etc/ssl/certs...
Mar 10 12:54:00.806691 osdx ca-certificates[311680]: 140 added, 0 removed; done.
Mar 10 12:54:00.809613 osdx ca-certificates[311687]: Running hooks in /etc/ca-certificates/update.d...
Mar 10 12:54:00.812461 osdx ca-certificates[311689]: done.
Mar 10 12:54:00.844128 osdx INFO[311692]: FRR daemons did not change
Mar 10 12:54:00.844562 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:54:00.847337 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:54:00.869334 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:54:02.225641 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:54:02.295818 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 10 12:54:02.394010 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Mar 10 12:54:02.459181 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Mar 10 12:54:02.548863 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Mar 10 12:54:02.610723 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6'.
Mar 10 12:54:02.721049 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Mar 10 12:54:02.779776 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Mar 10 12:54:02.873255 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Mar 10 12:54:02.945719 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 10 12:54:03.030523 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 10 12:54:03.105859 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:54:03.201846 osdx INFO[311740]: FRR daemons did not change
Mar 10 12:54:03.214374 osdx ca-certificates[311756]: Updating certificates in /etc/ssl/certs...
Mar 10 12:54:03.738321 osdx ca-certificates[312760]: 1 added, 0 removed; done.
Mar 10 12:54:03.742194 osdx ca-certificates[312766]: Running hooks in /etc/ca-certificates/update.d...
Mar 10 12:54:03.745193 osdx ca-certificates[312768]: done.
Mar 10 12:54:03.766341 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 10 12:54:03.950653 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:54:03.951874 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:54:04.003139 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:54:04.003963 osdx dnscrypt-proxy[312834]: dnscrypt-proxy 2.0.45
Mar 10 12:54:04.004029 osdx dnscrypt-proxy[312834]: Network connectivity detected
Mar 10 12:54:04.004245 osdx dnscrypt-proxy[312834]: Dropping privileges
Mar 10 12:54:04.007278 osdx dnscrypt-proxy[312834]: Network connectivity detected
Mar 10 12:54:04.007313 osdx dnscrypt-proxy[312834]: Now listening to 127.0.0.1:53 [UDP]
Mar 10 12:54:04.007318 osdx dnscrypt-proxy[312834]: Now listening to 127.0.0.1:53 [TCP]
Mar 10 12:54:04.007339 osdx dnscrypt-proxy[312834]: Firefox workaround initialized
Mar 10 12:54:04.007344 osdx dnscrypt-proxy[312834]: Loading the set of cloaking rules from [/tmp/tmpd2ezi76v]
Mar 10 12:54:04.021004 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:54:04.147953 osdx dnscrypt-proxy[312834]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Mar 10 12:54:04.147973 osdx dnscrypt-proxy[312834]: [RD] OK (DoH) - rtt: 116ms
Mar 10 12:54:04.147982 osdx dnscrypt-proxy[312834]: Server with the lowest initial latency: RD (rtt: 116ms)
Mar 10 12:54:04.147987 osdx dnscrypt-proxy[312834]: dnscrypt-proxy is ready - live servers: 1
Mar 10 12:54:04.175173 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 5

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49200
Show output
Mar 10 12:54:04.388161 osdx systemd-journald[51744]: Runtime Journal (/run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6) is 2.0M, max 15.3M, 13.3M free.
Mar 10 12:54:04.390325 osdx systemd-journald[51744]: Received client request to rotate journal, rotating.
Mar 10 12:54:04.390376 osdx systemd-journald[51744]: Vacuuming done, freed 0B of archived journals from /run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6.
Mar 10 12:54:04.398101 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'system journal clear'.
Mar 10 12:54:04.649831 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:54:04.705850 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'delete '.
Mar 10 12:54:04.812890 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Mar 10 12:54:04.875972 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:54:04.972568 osdx dnscrypt-proxy[312834]: Stopped.
Mar 10 12:54:04.972614 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Mar 10 12:54:04.973423 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Mar 10 12:54:04.973530 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:54:05.064587 osdx ca-certificates[312942]: Clearing symlinks in /etc/ssl/certs...
Mar 10 12:54:05.314516 osdx ca-certificates[313511]: done.
Mar 10 12:54:05.318043 osdx ca-certificates[313521]: Updating certificates in /etc/ssl/certs...
Mar 10 12:54:05.730300 osdx ca-certificates[314372]: 140 added, 0 removed; done.
Mar 10 12:54:05.733297 osdx ca-certificates[314378]: Running hooks in /etc/ca-certificates/update.d...
Mar 10 12:54:05.736010 osdx ca-certificates[314380]: done.
Mar 10 12:54:05.773436 osdx INFO[314383]: FRR daemons did not change
Mar 10 12:54:05.773926 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:54:05.776746 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:54:05.796933 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:54:07.074752 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:54:07.137732 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 10 12:54:07.236286 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Mar 10 12:54:07.307713 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Mar 10 12:54:07.392068 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Mar 10 12:54:07.459655 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6'.
Mar 10 12:54:07.580746 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Mar 10 12:54:07.645287 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Mar 10 12:54:07.745643 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Mar 10 12:54:07.860035 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 10 12:54:07.925601 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 10 12:54:08.068020 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:54:08.153709 osdx INFO[314428]: FRR daemons did not change
Mar 10 12:54:08.168127 osdx ca-certificates[314444]: Updating certificates in /etc/ssl/certs...
Mar 10 12:54:08.684073 osdx ca-certificates[315448]: 1 added, 0 removed; done.
Mar 10 12:54:08.687123 osdx ca-certificates[315454]: Running hooks in /etc/ca-certificates/update.d...
Mar 10 12:54:08.689867 osdx ca-certificates[315456]: done.
Mar 10 12:54:08.710350 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 10 12:54:08.875115 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:54:08.877970 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:54:08.920875 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:54:08.921468 osdx dnscrypt-proxy[315522]: dnscrypt-proxy 2.0.45
Mar 10 12:54:08.921540 osdx dnscrypt-proxy[315522]: Network connectivity detected
Mar 10 12:54:08.921763 osdx dnscrypt-proxy[315522]: Dropping privileges
Mar 10 12:54:08.925218 osdx dnscrypt-proxy[315522]: Network connectivity detected
Mar 10 12:54:08.925335 osdx dnscrypt-proxy[315522]: Now listening to 127.0.0.1:53 [UDP]
Mar 10 12:54:08.925340 osdx dnscrypt-proxy[315522]: Now listening to 127.0.0.1:53 [TCP]
Mar 10 12:54:08.925366 osdx dnscrypt-proxy[315522]: Firefox workaround initialized
Mar 10 12:54:08.925370 osdx dnscrypt-proxy[315522]: Loading the set of cloaking rules from [/tmp/tmpynm19pf1]
Mar 10 12:54:08.954191 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:54:09.048112 osdx dnscrypt-proxy[315522]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Mar 10 12:54:09.048133 osdx dnscrypt-proxy[315522]: [RD] OK (DoH) - rtt: 94ms
Mar 10 12:54:09.048143 osdx dnscrypt-proxy[315522]: Server with the lowest initial latency: RD (rtt: 94ms)
Mar 10 12:54:09.048158 osdx dnscrypt-proxy[315522]: dnscrypt-proxy is ready - live servers: 1
Mar 10 12:54:09.117017 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 6

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 52392
Show output
Mar 10 12:54:09.330681 osdx systemd-journald[51744]: Runtime Journal (/run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6) is 2.0M, max 15.3M, 13.3M free.
Mar 10 12:54:09.334332 osdx systemd-journald[51744]: Received client request to rotate journal, rotating.
Mar 10 12:54:09.334387 osdx systemd-journald[51744]: Vacuuming done, freed 0B of archived journals from /run/log/journal/3fdd2a0ddf0a4f0d80cd50f7e198c3e6.
Mar 10 12:54:09.341313 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'system journal clear'.
Mar 10 12:54:09.598797 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:54:09.654504 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'delete '.
Mar 10 12:54:09.774685 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Mar 10 12:54:09.856369 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:54:09.958819 osdx dnscrypt-proxy[315522]: Stopped.
Mar 10 12:54:09.958899 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Mar 10 12:54:09.959645 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Mar 10 12:54:09.959770 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:54:10.055416 osdx ca-certificates[315632]: Clearing symlinks in /etc/ssl/certs...
Mar 10 12:54:10.307238 osdx ca-certificates[316202]: done.
Mar 10 12:54:10.310196 osdx ca-certificates[316211]: Updating certificates in /etc/ssl/certs...
Mar 10 12:54:10.752679 osdx ca-certificates[317061]: 140 added, 0 removed; done.
Mar 10 12:54:10.756220 osdx ca-certificates[317068]: Running hooks in /etc/ca-certificates/update.d...
Mar 10 12:54:10.758970 osdx ca-certificates[317070]: done.
Mar 10 12:54:10.798585 osdx INFO[317073]: FRR daemons did not change
Mar 10 12:54:10.799054 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:54:10.802373 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:54:10.823737 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:54:12.152177 osdx OSDxCLI[132790]: User 'admin' entered the configuration menu.
Mar 10 12:54:12.213182 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Mar 10 12:54:12.326804 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Mar 10 12:54:12.413703 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Mar 10 12:54:12.500430 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Mar 10 12:54:12.562785 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56f84956a81b8326accde7f3159265ae8dee5f1377cc2cbee7baf4ff8b8c82c6'.
Mar 10 12:54:12.662732 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Mar 10 12:54:12.721966 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Mar 10 12:54:12.814621 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Mar 10 12:54:12.887969 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Mar 10 12:54:12.982561 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 10 12:54:13.062848 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'show working'.
Mar 10 12:54:13.172979 osdx INFO[317118]: FRR daemons did not change
Mar 10 12:54:13.185360 osdx ca-certificates[317134]: Updating certificates in /etc/ssl/certs...
Mar 10 12:54:13.708228 osdx ca-certificates[318138]: 1 added, 0 removed; done.
Mar 10 12:54:13.711557 osdx ca-certificates[318144]: Running hooks in /etc/ca-certificates/update.d...
Mar 10 12:54:13.714384 osdx ca-certificates[318146]: done.
Mar 10 12:54:13.734331 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 10 12:54:13.898572 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 10 12:54:13.899804 osdx cfgd[1455]: [132790]Completed change to active configuration
Mar 10 12:54:13.918721 osdx dnscrypt-proxy[318212]: dnscrypt-proxy 2.0.45
Mar 10 12:54:13.918793 osdx dnscrypt-proxy[318212]: Network connectivity detected
Mar 10 12:54:13.919009 osdx dnscrypt-proxy[318212]: Dropping privileges
Mar 10 12:54:13.921486 osdx dnscrypt-proxy[318212]: Network connectivity detected
Mar 10 12:54:13.921515 osdx dnscrypt-proxy[318212]: Now listening to 127.0.0.1:53 [UDP]
Mar 10 12:54:13.921519 osdx dnscrypt-proxy[318212]: Now listening to 127.0.0.1:53 [TCP]
Mar 10 12:54:13.921588 osdx dnscrypt-proxy[318212]: Firefox workaround initialized
Mar 10 12:54:13.921592 osdx dnscrypt-proxy[318212]: Loading the set of cloaking rules from [/tmp/tmp45ymnyn2]
Mar 10 12:54:13.927158 osdx OSDxCLI[132790]: User 'admin' committed the configuration.
Mar 10 12:54:13.965635 osdx OSDxCLI[132790]: User 'admin' left the configuration menu.
Mar 10 12:54:14.049977 osdx dnscrypt-proxy[318212]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Mar 10 12:54:14.049991 osdx dnscrypt-proxy[318212]: [RD] OK (DoH) - rtt: 103ms
Mar 10 12:54:14.049999 osdx dnscrypt-proxy[318212]: Server with the lowest initial latency: RD (rtt: 103ms)
Mar 10 12:54:14.050004 osdx dnscrypt-proxy[318212]: dnscrypt-proxy is ready - live servers: 1
Mar 10 12:54:14.134025 osdx OSDxCLI[132790]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
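
Step 3 in each example matches a decimal token such as 52392, which hides which algorithm was actually negotiated. The following is an added example, not part of the test suite or of OSDx: it decodes the dnscrypt-proxy handshake line to its IANA cipher suite name and checks that the name is one of the configured algorithms and is not the legacy one. The function and constant names are hypothetical, the journal lines are copied from Example 3 above, and reading "303" as hexadecimal 0x0303 (TLS 1.2) is an assumption about the log format.

```python
import re

# IANA TLS cipher suite code points for the algorithms configured in these examples.
IANA_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",     # 49199
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",     # 49200
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",  # 52392
}
# Suites that should never be the negotiated result on a hardened DoH link.
LEGACY = {"TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
# Assumption: the "TLS version" field is printed in hexadecimal.
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

CFG_RE = re.compile(
    r"cfg line: 'set service dns proxy cipher (\d+) algorithm (\w+)'")
NEG_RE = re.compile(
    r"\[([^\]]+)\] TLS version: ([0-9a-fA-F]+) - Protocol: (\S+)"
    r" - Cipher suite: (\d+)")

# Journal lines copied from the Example 3 output on this page.
SAMPLE_JOURNAL = """\
Mar 10 12:53:57.612997 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Mar 10 12:53:57.682155 osdx OSDxCLI[132790]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Mar 10 12:53:58.975762 osdx dnscrypt-proxy[310141]: dnscrypt-proxy 2.0.45
Mar 10 12:53:59.126541 osdx dnscrypt-proxy[310141]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Mar 10 12:53:59.126556 osdx dnscrypt-proxy[310141]: [RD] OK (DoH) - rtt: 117ms
"""


def audit_journal(text):
    """Return the configured cipher list and one decoded record per handshake."""
    configured = {}   # cipher index -> algorithm name, as committed via the CLI
    raw = []          # (server, tls_version_hex, protocol, suite_decimal)
    for line in text.splitlines():
        m = CFG_RE.search(line)
        if m:
            configured[int(m.group(1))] = m.group(2)
            continue
        m = NEG_RE.search(line)
        if m:
            raw.append(m.groups())

    offered = [configured[i] for i in sorted(configured)]
    handshakes = []
    for server, ver_hex, proto, suite_dec in raw:
        suite_id = int(suite_dec)
        # Unknown code points are reported, not silently accepted.
        name = IANA_SUITES.get(suite_id, f"UNKNOWN_0x{suite_id:04X}")
        ver = int(ver_hex, 16)
        handshakes.append({
            "server": server,
            "tls": TLS_VERSIONS.get(ver, f"unknown (0x{ver:04X})"),
            "protocol": proto,
            "suite_id": f"0x{suite_id:04X}",
            "suite": name,
            "in_offered": name in offered,   # False means config/log mismatch
            "legacy": name in LEGACY,        # True means a weak suite won
        })
    return {
        "offered": offered,
        "legacy_offered": [n for n in offered if n in LEGACY],
        "handshakes": handshakes,
    }


def passes(report):
    """True when every handshake used a configured, non-legacy suite."""
    hs = report["handshakes"]
    return bool(hs) and all(h["in_offered"] and not h["legacy"] for h in hs)


if __name__ == "__main__":
    report = audit_journal(SAMPLE_JOURNAL)
    print("offered:", report["offered"])
    print("legacy suites still configured:", report["legacy_offered"])
    for h in report["handshakes"]:
        print(h)
    print("PASS" if passes(report) else "FAIL")
```

A journal with no handshake line makes `passes` return False, so a proxy that never connected is not reported as compliant.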