Cipher
Test suite to validate the use of one or multiple ciphers to protect a DoH connection
Single Valid Cipher
Description
Configures a single, valid cipher and tries to communicate with the server. No refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
May 19 14:46:37.345787 osdx systemd-journald[1859]: Runtime Journal (/run/log/journal/dd53a6d251524eaf96fe5f49da605cd5) is 2.0M, max 15.3M, 13.2M free.
May 19 14:46:37.347157 osdx systemd-journald[1859]: Received client request to rotate journal, rotating.
May 19 14:46:37.347220 osdx systemd-journald[1859]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd53a6d251524eaf96fe5f49da605cd5.
May 19 14:46:37.358535 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'system journal clear'.
May 19 14:46:37.699863 osdx osdx-coredump[93193]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 19 14:46:37.709886 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'system coredump delete all'.
May 19 14:46:38.218733 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu.
May 19 14:46:38.321649 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 19 14:46:38.382378 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 19 14:46:38.519210 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'.
May 19 14:46:38.602395 osdx INFO[93213]: FRR daemons did not change
May 19 14:46:38.623158 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 19 14:46:38.728215 osdx cfgd[1649]: [2756]Completed change to active configuration
May 19 14:46:38.755423 osdx OSDxCLI[2756]: User 'admin' committed the configuration.
May 19 14:46:38.780847 osdx OSDxCLI[2756]: User 'admin' left the configuration menu.
May 19 14:46:38.938267 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 19 14:46:39.152012 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu.
May 19 14:46:39.240085 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 19 14:46:39.330415 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 19 14:46:39.396396 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 19 14:46:39.492556 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 19 14:46:39.553885 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'.
May 19 14:46:39.651881 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
May 19 14:46:39.707755 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 19 14:46:39.819319 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 19 14:46:39.872077 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 19 14:46:39.986331 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'.
May 19 14:46:40.060323 osdx INFO[93332]: FRR daemons did not change
May 19 14:46:40.072776 osdx ca-certificates[93347]: Updating certificates in /etc/ssl/certs...
May 19 14:46:40.570474 osdx ca-certificates[94351]: 1 added, 0 removed; done.
May 19 14:46:40.573244 osdx ca-certificates[94358]: Running hooks in /etc/ca-certificates/update.d...
May 19 14:46:40.575828 osdx ca-certificates[94360]: done.
May 19 14:46:40.643401 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 19 14:46:40.644846 osdx cfgd[1649]: [2756]Completed change to active configuration
May 19 14:46:40.646950 osdx OSDxCLI[2756]: User 'admin' committed the configuration.
May 19 14:46:40.664016 osdx OSDxCLI[2756]: User 'admin' left the configuration menu.
May 19 14:46:40.669924 osdx dnscrypt-proxy[94364]: dnscrypt-proxy 2.0.45
May 19 14:46:40.669981 osdx dnscrypt-proxy[94364]: Network connectivity detected
May 19 14:46:40.670175 osdx dnscrypt-proxy[94364]: Dropping privileges
May 19 14:46:40.672011 osdx dnscrypt-proxy[94364]: Network connectivity detected
May 19 14:46:40.672036 osdx dnscrypt-proxy[94364]: Now listening to 127.0.0.1:53 [UDP]
May 19 14:46:40.672040 osdx dnscrypt-proxy[94364]: Now listening to 127.0.0.1:53 [TCP]
May 19 14:46:40.672069 osdx dnscrypt-proxy[94364]: Firefox workaround initialized
May 19 14:46:40.672074 osdx dnscrypt-proxy[94364]: Loading the set of cloaking rules from [/tmp/tmpfbgz1_h9]
May 19 14:46:40.831635 osdx dnscrypt-proxy[94364]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
May 19 14:46:40.831650 osdx dnscrypt-proxy[94364]: [RD] OK (DoH) - rtt: 137ms
May 19 14:46:40.831659 osdx dnscrypt-proxy[94364]: Server with the lowest initial latency: RD (rtt: 137ms)
May 19 14:46:40.831664 osdx dnscrypt-proxy[94364]: dnscrypt-proxy is ready - live servers: 1
May 19 14:46:45.822459 osdx OSDxCLI[2756]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
May 19 14:46:47.905791 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Multiple Valid Cipher
Description
Configures a valid cipher each time, and tries to communicate with the server. No refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
May 19 14:46:55.288883 osdx systemd-journald[1859]: Runtime Journal (/run/log/journal/dd53a6d251524eaf96fe5f49da605cd5) is 2.0M, max 15.3M, 13.3M free.
May 19 14:46:55.289498 osdx systemd-journald[1859]: Received client request to rotate journal, rotating.
May 19 14:46:55.289545 osdx systemd-journald[1859]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd53a6d251524eaf96fe5f49da605cd5.
May 19 14:46:55.300985 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'system journal clear'.
May 19 14:46:55.642236 osdx osdx-coredump[95989]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 19 14:46:55.652527 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'system coredump delete all'.
May 19 14:46:56.168411 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu.
May 19 14:46:56.249713 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 19 14:46:56.330462 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 19 14:46:56.409603 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'.
May 19 14:46:56.516765 osdx INFO[96009]: FRR daemons did not change
May 19 14:46:56.537390 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 19 14:46:56.643072 osdx cfgd[1649]: [2756]Completed change to active configuration
May 19 14:46:56.671752 osdx OSDxCLI[2756]: User 'admin' committed the configuration.
May 19 14:46:56.700647 osdx OSDxCLI[2756]: User 'admin' left the configuration menu.
May 19 14:46:56.845999 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 19 14:46:57.096199 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu.
May 19 14:46:57.188933 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 19 14:46:57.301470 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 19 14:46:57.390181 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 19 14:46:57.495128 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 19 14:46:57.612255 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'.
May 19 14:46:57.685443 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
May 19 14:46:57.750931 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 19 14:46:57.867558 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 19 14:46:57.921996 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 19 14:46:58.026768 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'.
May 19 14:46:58.103044 osdx INFO[96128]: FRR daemons did not change
May 19 14:46:58.116551 osdx ca-certificates[96144]: Updating certificates in /etc/ssl/certs...
May 19 14:46:58.606481 osdx ca-certificates[97147]: 1 added, 0 removed; done.
May 19 14:46:58.609295 osdx ca-certificates[97154]: Running hooks in /etc/ca-certificates/update.d...
May 19 14:46:58.613044 osdx ca-certificates[97156]: done.
May 19 14:46:58.681694 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 19 14:46:58.683650 osdx cfgd[1649]: [2756]Completed change to active configuration
May 19 14:46:58.686562 osdx OSDxCLI[2756]: User 'admin' committed the configuration.
May 19 14:46:58.704253 osdx dnscrypt-proxy[97160]: dnscrypt-proxy 2.0.45
May 19 14:46:58.704312 osdx dnscrypt-proxy[97160]: Network connectivity detected
May 19 14:46:58.704489 osdx dnscrypt-proxy[97160]: Dropping privileges
May 19 14:46:58.706576 osdx dnscrypt-proxy[97160]: Network connectivity detected
May 19 14:46:58.706606 osdx dnscrypt-proxy[97160]: Now listening to 127.0.0.1:53 [UDP]
May 19 14:46:58.706610 osdx dnscrypt-proxy[97160]: Now listening to 127.0.0.1:53 [TCP]
May 19 14:46:58.706633 osdx dnscrypt-proxy[97160]: Firefox workaround initialized
May 19 14:46:58.706637 osdx dnscrypt-proxy[97160]: Loading the set of cloaking rules from [/tmp/tmpkpdtn3y4]
May 19 14:46:58.713012 osdx OSDxCLI[2756]: User 'admin' left the configuration menu.
May 19 14:46:58.850508 osdx dnscrypt-proxy[97160]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
May 19 14:46:58.850617 osdx dnscrypt-proxy[97160]: [RD] OK (DoH) - rtt: 120ms
May 19 14:46:58.850652 osdx dnscrypt-proxy[97160]: Server with the lowest initial latency: RD (rtt: 120ms)
May 19 14:46:58.850687 osdx dnscrypt-proxy[97160]: dnscrypt-proxy is ready - live servers: 1
May 19 14:46:58.879120 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 2
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
Output:
May 19 14:46:59.075458 osdx systemd-journald[1859]: Runtime Journal (/run/log/journal/dd53a6d251524eaf96fe5f49da605cd5) is 2.0M, max 15.3M, 13.3M free.
May 19 14:46:59.077380 osdx systemd-journald[1859]: Received client request to rotate journal, rotating.
May 19 14:46:59.077421 osdx systemd-journald[1859]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd53a6d251524eaf96fe5f49da605cd5.
May 19 14:46:59.084704 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'system journal clear'.
May 19 14:46:59.364369 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu.
May 19 14:46:59.434367 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'delete '.
May 19 14:46:59.558635 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
May 19 14:46:59.637561 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'.
May 19 14:46:59.750355 osdx dnscrypt-proxy[97160]: Stopped.
May 19 14:46:59.750434 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
May 19 14:46:59.751357 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
May 19 14:46:59.751468 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
May 19 14:46:59.856416 osdx ca-certificates[97246]: Clearing symlinks in /etc/ssl/certs...
May 19 14:47:00.127080 osdx ca-certificates[97815]: done.
May 19 14:47:00.129875 osdx ca-certificates[97825]: Updating certificates in /etc/ssl/certs...
May 19 14:47:00.552062 osdx ca-certificates[98675]: 140 added, 0 removed; done.
May 19 14:47:00.555575 osdx ca-certificates[98682]: Running hooks in /etc/ca-certificates/update.d...
May 19 14:47:00.558129 osdx ca-certificates[98684]: done.
May 19 14:47:00.586217 osdx INFO[98687]: FRR daemons did not change
May 19 14:47:00.586486 osdx cfgd[1649]: [2756]Completed change to active configuration
May 19 14:47:00.589494 osdx OSDxCLI[2756]: User 'admin' committed the configuration.
May 19 14:47:00.614088 osdx OSDxCLI[2756]: User 'admin' left the configuration menu.
May 19 14:47:01.835121 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu.
May 19 14:47:01.897122 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 19 14:47:01.988627 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 19 14:47:02.056130 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 19 14:47:02.170559 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 19 14:47:02.297338 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'.
May 19 14:47:02.366056 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
May 19 14:47:02.461447 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 19 14:47:02.539380 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 19 14:47:02.656859 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 19 14:47:02.746089 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'.
May 19 14:47:02.880183 osdx INFO[98728]: FRR daemons did not change
May 19 14:47:02.893465 osdx ca-certificates[98744]: Updating certificates in /etc/ssl/certs...
May 19 14:47:03.375667 osdx ca-certificates[99748]: 1 added, 0 removed; done.
May 19 14:47:03.379448 osdx ca-certificates[99754]: Running hooks in /etc/ca-certificates/update.d...
May 19 14:47:03.382474 osdx ca-certificates[99756]: done.
May 19 14:47:03.401390 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 19 14:47:03.565628 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 19 14:47:03.566775 osdx cfgd[1649]: [2756]Completed change to active configuration
May 19 14:47:03.593727 osdx OSDxCLI[2756]: User 'admin' committed the configuration.
May 19 14:47:03.597186 osdx dnscrypt-proxy[99822]: dnscrypt-proxy 2.0.45
May 19 14:47:03.597239 osdx dnscrypt-proxy[99822]: Network connectivity detected
May 19 14:47:03.597425 osdx dnscrypt-proxy[99822]: Dropping privileges
May 19 14:47:03.599571 osdx dnscrypt-proxy[99822]: Network connectivity detected
May 19 14:47:03.599605 osdx dnscrypt-proxy[99822]: Now listening to 127.0.0.1:53 [UDP]
May 19 14:47:03.599610 osdx dnscrypt-proxy[99822]: Now listening to 127.0.0.1:53 [TCP]
May 19 14:47:03.599638 osdx dnscrypt-proxy[99822]: Firefox workaround initialized
May 19 14:47:03.599644 osdx dnscrypt-proxy[99822]: Loading the set of cloaking rules from [/tmp/tmpf1b4r8_h]
May 19 14:47:03.611653 osdx OSDxCLI[2756]: User 'admin' left the configuration menu.
May 19 14:47:03.732820 osdx dnscrypt-proxy[99822]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
May 19 14:47:03.732839 osdx dnscrypt-proxy[99822]: [RD] OK (DoH) - rtt: 107ms
May 19 14:47:03.732846 osdx dnscrypt-proxy[99822]: Server with the lowest initial latency: RD (rtt: 107ms)
May 19 14:47:03.732850 osdx dnscrypt-proxy[99822]: dnscrypt-proxy is ready - live servers: 1
May 19 14:47:03.789502 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 3
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Output:
May 19 14:47:03.982207 osdx systemd-journald[1859]: Runtime Journal (/run/log/journal/dd53a6d251524eaf96fe5f49da605cd5) is 2.0M, max 15.3M, 13.3M free.
May 19 14:47:03.985392 osdx systemd-journald[1859]: Received client request to rotate journal, rotating.
May 19 14:47:03.985448 osdx systemd-journald[1859]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd53a6d251524eaf96fe5f49da605cd5.
May 19 14:47:03.991651 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'system journal clear'.
May 19 14:47:04.280186 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu.
May 19 14:47:04.370308 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'delete '.
May 19 14:47:04.447528 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
May 19 14:47:04.564242 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'.
May 19 14:47:04.664486 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
May 19 14:47:04.664491 osdx dnscrypt-proxy[99822]: Stopped.
May 19 14:47:04.665209 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
May 19 14:47:04.665310 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
May 19 14:47:04.760025 osdx ca-certificates[99928]: Clearing symlinks in /etc/ssl/certs...
May 19 14:47:05.002978 osdx ca-certificates[100497]: done.
May 19 14:47:05.006118 osdx ca-certificates[100506]: Updating certificates in /etc/ssl/certs...
May 19 14:47:05.446634 osdx ca-certificates[101358]: 140 added, 0 removed; done.
May 19 14:47:05.450407 osdx ca-certificates[101364]: Running hooks in /etc/ca-certificates/update.d...
May 19 14:47:05.453221 osdx ca-certificates[101366]: done.
May 19 14:47:05.487558 osdx INFO[101369]: FRR daemons did not change
May 19 14:47:05.488034 osdx cfgd[1649]: [2756]Completed change to active configuration
May 19 14:47:05.490014 osdx OSDxCLI[2756]: User 'admin' committed the configuration.
May 19 14:47:05.510085 osdx OSDxCLI[2756]: User 'admin' left the configuration menu.
May 19 14:47:06.700585 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu.
May 19 14:47:06.763135 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 19 14:47:06.863297 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 19 14:47:06.965805 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 19 14:47:07.022073 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 19 14:47:07.123254 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'.
May 19 14:47:07.183606 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
May 19 14:47:07.278924 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 19 14:47:07.379518 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 19 14:47:07.493709 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 19 14:47:07.577591 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'.
May 19 14:47:07.677959 osdx INFO[101407]: FRR daemons did not change
May 19 14:47:07.689718 osdx ca-certificates[101423]: Updating certificates in /etc/ssl/certs...
May 19 14:47:08.172837 osdx ca-certificates[102427]: 1 added, 0 removed; done.
May 19 14:47:08.176606 osdx ca-certificates[102433]: Running hooks in /etc/ca-certificates/update.d...
May 19 14:47:08.179647 osdx ca-certificates[102435]: done.
May 19 14:47:08.201383 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 19 14:47:08.361657 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 19 14:47:08.362611 osdx cfgd[1649]: [2756]Completed change to active configuration
May 19 14:47:08.382668 osdx dnscrypt-proxy[102501]: dnscrypt-proxy 2.0.45
May 19 14:47:08.382742 osdx dnscrypt-proxy[102501]: Network connectivity detected
May 19 14:47:08.382964 osdx dnscrypt-proxy[102501]: Dropping privileges
May 19 14:47:08.385985 osdx dnscrypt-proxy[102501]: Network connectivity detected
May 19 14:47:08.386023 osdx dnscrypt-proxy[102501]: Now listening to 127.0.0.1:53 [UDP]
May 19 14:47:08.386027 osdx dnscrypt-proxy[102501]: Now listening to 127.0.0.1:53 [TCP]
May 19 14:47:08.386046 osdx dnscrypt-proxy[102501]: Firefox workaround initialized
May 19 14:47:08.386051 osdx dnscrypt-proxy[102501]: Loading the set of cloaking rules from [/tmp/tmp2lfhh_84]
May 19 14:47:08.388154 osdx OSDxCLI[2756]: User 'admin' committed the configuration.
May 19 14:47:08.407490 osdx OSDxCLI[2756]: User 'admin' left the configuration menu.
May 19 14:47:08.519086 osdx dnscrypt-proxy[102501]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
May 19 14:47:08.519099 osdx dnscrypt-proxy[102501]: [RD] OK (DoH) - rtt: 104ms
May 19 14:47:08.519107 osdx dnscrypt-proxy[102501]: Server with the lowest initial latency: RD (rtt: 104ms)
May 19 14:47:08.519112 osdx dnscrypt-proxy[102501]: dnscrypt-proxy is ready - live servers: 1
May 19 14:47:08.561592 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Single Invalid Cipher
Description
Configures a single, invalid cipher and tries to communicate with the server. A refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
May 19 14:47:15.318007 osdx systemd-journald[1859]: Runtime Journal (/run/log/journal/dd53a6d251524eaf96fe5f49da605cd5) is 2.0M, max 15.3M, 13.3M free.
May 19 14:47:15.318881 osdx systemd-journald[1859]: Received client request to rotate journal, rotating.
May 19 14:47:15.318936 osdx systemd-journald[1859]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd53a6d251524eaf96fe5f49da605cd5.
May 19 14:47:15.327883 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'system journal clear'.
May 19 14:47:15.675346 osdx osdx-coredump[104141]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 19 14:47:15.683422 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'system coredump delete all'.
May 19 14:47:16.172115 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu.
May 19 14:47:16.296453 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 19 14:47:16.351123 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 19 14:47:16.463853 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'.
May 19 14:47:16.561593 osdx INFO[104161]: FRR daemons did not change
May 19 14:47:16.582879 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 19 14:47:16.683950 osdx cfgd[1649]: [2756]Completed change to active configuration
May 19 14:47:16.709939 osdx OSDxCLI[2756]: User 'admin' committed the configuration.
May 19 14:47:16.727704 osdx OSDxCLI[2756]: User 'admin' left the configuration menu.
May 19 14:47:16.879741 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 19 14:47:17.047590 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu.
May 19 14:47:17.109448 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 19 14:47:17.222399 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 19 14:47:17.298662 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 19 14:47:17.394927 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 19 14:47:17.459206 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'.
May 19 14:47:17.568637 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
May 19 14:47:17.636102 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 19 14:47:17.781575 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 19 14:47:17.845593 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 19 14:47:17.980248 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'.
May 19 14:47:18.055603 osdx INFO[104280]: FRR daemons did not change
May 19 14:47:18.067693 osdx ca-certificates[104296]: Updating certificates in /etc/ssl/certs...
May 19 14:47:18.559829 osdx ca-certificates[105299]: 1 added, 0 removed; done.
May 19 14:47:18.562864 osdx ca-certificates[105306]: Running hooks in /etc/ca-certificates/update.d...
May 19 14:47:18.565681 osdx ca-certificates[105308]: done.
May 19 14:47:18.655198 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 19 14:47:18.656692 osdx cfgd[1649]: [2756]Completed change to active configuration
May 19 14:47:18.658715 osdx OSDxCLI[2756]: User 'admin' committed the configuration.
May 19 14:47:18.686708 osdx dnscrypt-proxy[105312]: dnscrypt-proxy 2.0.45
May 19 14:47:18.686784 osdx dnscrypt-proxy[105312]: Network connectivity detected
May 19 14:47:18.687046 osdx dnscrypt-proxy[105312]: Dropping privileges
May 19 14:47:18.689369 osdx OSDxCLI[2756]: User 'admin' left the configuration menu.
May 19 14:47:18.690558 osdx dnscrypt-proxy[105312]: Network connectivity detected
May 19 14:47:18.690596 osdx dnscrypt-proxy[105312]: Now listening to 127.0.0.1:53 [UDP]
May 19 14:47:18.690601 osdx dnscrypt-proxy[105312]: Now listening to 127.0.0.1:53 [TCP]
May 19 14:47:18.690633 osdx dnscrypt-proxy[105312]: Firefox workaround initialized
May 19 14:47:18.690639 osdx dnscrypt-proxy[105312]: Loading the set of cloaking rules from [/tmp/tmpngriq8mt]
May 19 14:47:18.691371 osdx dnscrypt-proxy[105312]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Multiple Invalid Cipher
Description
Configures either one or two invalid ciphers and tries to communicate with the server. A refusal of all proposed ciphers is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command 'system journal show | cat' at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
May 19 14:47:25.329066 osdx systemd-journald[1859]: Runtime Journal (/run/log/journal/dd53a6d251524eaf96fe5f49da605cd5) is 2.0M, max 15.3M, 13.3M free. May 19 14:47:25.331080 osdx systemd-journald[1859]: Received client request to rotate journal, rotating. May 19 14:47:25.331136 osdx systemd-journald[1859]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd53a6d251524eaf96fe5f49da605cd5. May 19 14:47:25.340042 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'system journal clear'. May 19 14:47:25.747064 osdx osdx-coredump[106930]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... May 19 14:47:25.755729 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'system coredump delete all'. May 19 14:47:26.262985 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu. May 19 14:47:26.341945 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 19 14:47:26.428306 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 19 14:47:26.497780 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'. May 19 14:47:26.606951 osdx INFO[106950]: FRR daemons did not change May 19 14:47:26.627078 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 May 19 14:47:26.720334 osdx cfgd[1649]: [2756]Completed change to active configuration May 19 14:47:26.746058 osdx OSDxCLI[2756]: User 'admin' committed the configuration. May 19 14:47:26.762751 osdx OSDxCLI[2756]: User 'admin' left the configuration menu. May 19 14:47:26.918491 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. May 19 14:47:27.054570 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu. May 19 14:47:27.117471 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. 
May 19 14:47:27.207774 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. May 19 14:47:27.283619 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. May 19 14:47:27.375763 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. May 19 14:47:27.445706 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'. May 19 14:47:27.540357 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. May 19 14:47:27.594981 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. May 19 14:47:27.704603 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 19 14:47:27.759440 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 19 14:47:27.879373 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'. May 19 14:47:27.950765 osdx INFO[107069]: FRR daemons did not change May 19 14:47:27.964238 osdx ca-certificates[107085]: Updating certificates in /etc/ssl/certs... May 19 14:47:28.468279 osdx ca-certificates[108088]: 1 added, 0 removed; done. May 19 14:47:28.471115 osdx ca-certificates[108095]: Running hooks in /etc/ca-certificates/update.d... May 19 14:47:28.474097 osdx ca-certificates[108097]: done. May 19 14:47:28.539356 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. May 19 14:47:28.540582 osdx cfgd[1649]: [2756]Completed change to active configuration May 19 14:47:28.543905 osdx OSDxCLI[2756]: User 'admin' committed the configuration. 
May 19 14:47:28.561461 osdx dnscrypt-proxy[108101]: dnscrypt-proxy 2.0.45 May 19 14:47:28.561522 osdx dnscrypt-proxy[108101]: Network connectivity detected May 19 14:47:28.561708 osdx dnscrypt-proxy[108101]: Dropping privileges May 19 14:47:28.562098 osdx OSDxCLI[2756]: User 'admin' left the configuration menu. May 19 14:47:28.563731 osdx dnscrypt-proxy[108101]: Network connectivity detected May 19 14:47:28.563761 osdx dnscrypt-proxy[108101]: Now listening to 127.0.0.1:53 [UDP] May 19 14:47:28.563766 osdx dnscrypt-proxy[108101]: Now listening to 127.0.0.1:53 [TCP] May 19 14:47:28.563783 osdx dnscrypt-proxy[108101]: Firefox workaround initialized May 19 14:47:28.563787 osdx dnscrypt-proxy[108101]: Loading the set of cloaking rules from [/tmp/tmp8_j7qe2e] May 19 14:47:28.564744 osdx dnscrypt-proxy[108101]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Example 2
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command 'system journal show | cat' at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
May 19 14:47:28.824363 osdx systemd-journald[1859]: Runtime Journal (/run/log/journal/dd53a6d251524eaf96fe5f49da605cd5) is 2.0M, max 15.3M, 13.3M free. May 19 14:47:28.827071 osdx systemd-journald[1859]: Received client request to rotate journal, rotating. May 19 14:47:28.827126 osdx systemd-journald[1859]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd53a6d251524eaf96fe5f49da605cd5. May 19 14:47:28.833754 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'system journal clear'. May 19 14:47:29.101579 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu. May 19 14:47:29.160393 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'delete '. May 19 14:47:29.272565 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. May 19 14:47:29.334229 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'. May 19 14:47:29.454256 osdx dnscrypt-proxy[108101]: Stopped. May 19 14:47:29.454285 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy... May 19 14:47:29.455012 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully. May 19 14:47:29.455117 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy. May 19 14:47:29.546590 osdx ca-certificates[108183]: Clearing symlinks in /etc/ssl/certs... May 19 14:47:29.845625 osdx ca-certificates[108752]: done. May 19 14:47:29.849687 osdx ca-certificates[108762]: Updating certificates in /etc/ssl/certs... May 19 14:47:30.298145 osdx ca-certificates[109612]: 140 added, 0 removed; done. May 19 14:47:30.302006 osdx ca-certificates[109619]: Running hooks in /etc/ca-certificates/update.d... May 19 14:47:30.304971 osdx ca-certificates[109621]: done. 
May 19 14:47:30.348473 osdx INFO[109624]: FRR daemons did not change May 19 14:47:30.348980 osdx cfgd[1649]: [2756]Completed change to active configuration May 19 14:47:30.351690 osdx OSDxCLI[2756]: User 'admin' committed the configuration. May 19 14:47:30.400059 osdx OSDxCLI[2756]: User 'admin' left the configuration menu. May 19 14:47:31.618768 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu. May 19 14:47:31.683803 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. May 19 14:47:31.786055 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. May 19 14:47:31.854493 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. May 19 14:47:31.954855 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. May 19 14:47:32.087644 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'. May 19 14:47:32.175514 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'. May 19 14:47:32.231388 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. May 19 14:47:32.349830 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 19 14:47:32.405694 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 19 14:47:32.514360 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'. May 19 14:47:32.588047 osdx INFO[109663]: FRR daemons did not change May 19 14:47:32.606657 osdx ca-certificates[109679]: Updating certificates in /etc/ssl/certs... 
May 19 14:47:33.123538 osdx ca-certificates[110683]: 1 added, 0 removed; done. May 19 14:47:33.126524 osdx ca-certificates[110689]: Running hooks in /etc/ca-certificates/update.d... May 19 14:47:33.129249 osdx ca-certificates[110691]: done. May 19 14:47:33.147073 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 May 19 14:47:33.319638 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. May 19 14:47:33.321283 osdx cfgd[1649]: [2756]Completed change to active configuration May 19 14:47:33.346718 osdx dnscrypt-proxy[110757]: dnscrypt-proxy 2.0.45 May 19 14:47:33.346797 osdx dnscrypt-proxy[110757]: Network connectivity detected May 19 14:47:33.347070 osdx dnscrypt-proxy[110757]: Dropping privileges May 19 14:47:33.349961 osdx dnscrypt-proxy[110757]: Network connectivity detected May 19 14:47:33.350004 osdx dnscrypt-proxy[110757]: Now listening to 127.0.0.1:53 [UDP] May 19 14:47:33.350009 osdx dnscrypt-proxy[110757]: Now listening to 127.0.0.1:53 [TCP] May 19 14:47:33.350037 osdx dnscrypt-proxy[110757]: Firefox workaround initialized May 19 14:47:33.350042 osdx dnscrypt-proxy[110757]: Loading the set of cloaking rules from [/tmp/tmprk_n0quy] May 19 14:47:33.351205 osdx dnscrypt-proxy[110757]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file May 19 14:47:33.356089 osdx OSDxCLI[2756]: User 'admin' committed the configuration. May 19 14:47:33.385160 osdx OSDxCLI[2756]: User 'admin' left the configuration menu.
Example 3
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command 'system journal show | cat' at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
May 19 14:47:33.645600 osdx systemd-journald[1859]: Runtime Journal (/run/log/journal/dd53a6d251524eaf96fe5f49da605cd5) is 2.0M, max 15.3M, 13.3M free. May 19 14:47:33.647076 osdx systemd-journald[1859]: Received client request to rotate journal, rotating. May 19 14:47:33.647132 osdx systemd-journald[1859]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd53a6d251524eaf96fe5f49da605cd5. May 19 14:47:33.655276 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'system journal clear'. May 19 14:47:33.924023 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu. May 19 14:47:33.983095 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'delete '. May 19 14:47:34.089194 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. May 19 14:47:34.153914 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'. May 19 14:47:34.281524 osdx dnscrypt-proxy[110757]: Stopped. May 19 14:47:34.281542 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy... May 19 14:47:34.282715 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully. May 19 14:47:34.282811 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy. May 19 14:47:34.383505 osdx ca-certificates[110858]: Clearing symlinks in /etc/ssl/certs... May 19 14:47:34.636993 osdx ca-certificates[111428]: done. May 19 14:47:34.640730 osdx ca-certificates[111437]: Updating certificates in /etc/ssl/certs... May 19 14:47:35.073948 osdx ca-certificates[112288]: 140 added, 0 removed; done. May 19 14:47:35.077902 osdx ca-certificates[112294]: Running hooks in /etc/ca-certificates/update.d... May 19 14:47:35.081054 osdx ca-certificates[112296]: done. 
May 19 14:47:35.110338 osdx INFO[112299]: FRR daemons did not change May 19 14:47:35.110647 osdx cfgd[1649]: [2756]Completed change to active configuration May 19 14:47:35.113525 osdx OSDxCLI[2756]: User 'admin' committed the configuration. May 19 14:47:35.136814 osdx OSDxCLI[2756]: User 'admin' left the configuration menu. May 19 14:47:36.391449 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu. May 19 14:47:36.454970 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. May 19 14:47:36.558151 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. May 19 14:47:36.624111 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. May 19 14:47:36.723856 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. May 19 14:47:36.823177 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'. May 19 14:47:36.881562 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. May 19 14:47:36.985665 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'. May 19 14:47:37.042416 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. May 19 14:47:37.161432 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 19 14:47:37.219581 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 19 14:47:37.342565 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'. 
May 19 14:47:37.419435 osdx INFO[112340]: FRR daemons did not change May 19 14:47:37.432953 osdx ca-certificates[112355]: Updating certificates in /etc/ssl/certs... May 19 14:47:37.957367 osdx ca-certificates[113360]: 1 added, 0 removed; done. May 19 14:47:37.960428 osdx ca-certificates[113366]: Running hooks in /etc/ca-certificates/update.d... May 19 14:47:37.964014 osdx ca-certificates[113368]: done. May 19 14:47:37.983093 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 May 19 14:47:38.159395 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. May 19 14:47:38.160628 osdx cfgd[1649]: [2756]Completed change to active configuration May 19 14:47:38.194296 osdx dnscrypt-proxy[113434]: dnscrypt-proxy 2.0.45 May 19 14:47:38.194377 osdx dnscrypt-proxy[113434]: Network connectivity detected May 19 14:47:38.194661 osdx dnscrypt-proxy[113434]: Dropping privileges May 19 14:47:38.197624 osdx dnscrypt-proxy[113434]: Network connectivity detected May 19 14:47:38.197661 osdx dnscrypt-proxy[113434]: Now listening to 127.0.0.1:53 [UDP] May 19 14:47:38.197667 osdx dnscrypt-proxy[113434]: Now listening to 127.0.0.1:53 [TCP] May 19 14:47:38.197697 osdx dnscrypt-proxy[113434]: Firefox workaround initialized May 19 14:47:38.197702 osdx dnscrypt-proxy[113434]: Loading the set of cloaking rules from [/tmp/tmp9mpp38jp] May 19 14:47:38.198495 osdx dnscrypt-proxy[113434]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file May 19 14:47:38.202494 osdx OSDxCLI[2756]: User 'admin' committed the configuration. May 19 14:47:38.225618 osdx OSDxCLI[2756]: User 'admin' left the configuration menu. 
May 19 14:47:38.325872 osdx dnscrypt-proxy[113434]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392 May 19 14:47:38.325890 osdx dnscrypt-proxy[113434]: [RD] OK (DoH) - rtt: 105ms May 19 14:47:38.325899 osdx dnscrypt-proxy[113434]: Server with the lowest initial latency: RD (rtt: 105ms) May 19 14:47:38.325904 osdx dnscrypt-proxy[113434]: dnscrypt-proxy is ready - live servers: 1
Invalid Cipher With Fallback
Description
Configures an invalid cipher and a valid fallback cipher, then tries to communicate with the server. No refusal is expected, as long as the valid cipher proposed is the one used.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command 'show host lookup teldat.com type A' at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command 'system journal show | cat' at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
May 19 14:47:45.291628 osdx systemd-journald[1859]: Runtime Journal (/run/log/journal/dd53a6d251524eaf96fe5f49da605cd5) is 2.0M, max 15.3M, 13.3M free. May 19 14:47:45.292060 osdx systemd-journald[1859]: Received client request to rotate journal, rotating. May 19 14:47:45.292092 osdx systemd-journald[1859]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd53a6d251524eaf96fe5f49da605cd5. May 19 14:47:45.301997 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'system journal clear'. May 19 14:47:45.648431 osdx osdx-coredump[115072]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... May 19 14:47:45.656434 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'system coredump delete all'. May 19 14:47:46.144322 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu. May 19 14:47:46.233679 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 19 14:47:46.321521 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 19 14:47:46.389261 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'. May 19 14:47:46.481232 osdx INFO[115092]: FRR daemons did not change May 19 14:47:46.500072 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 May 19 14:47:46.609324 osdx cfgd[1649]: [2756]Completed change to active configuration May 19 14:47:46.636063 osdx OSDxCLI[2756]: User 'admin' committed the configuration. May 19 14:47:46.654298 osdx OSDxCLI[2756]: User 'admin' left the configuration menu. May 19 14:47:46.793871 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. May 19 14:47:46.956538 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu. May 19 14:47:47.058342 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. 
May 19 14:47:47.125139 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. May 19 14:47:47.222509 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. May 19 14:47:47.291496 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. May 19 14:47:47.395194 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'. May 19 14:47:47.451812 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. May 19 14:47:47.553709 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'. May 19 14:47:47.607577 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. May 19 14:47:47.732212 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 19 14:47:47.786188 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 19 14:47:47.907767 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'. May 19 14:47:47.981963 osdx INFO[115214]: FRR daemons did not change May 19 14:47:47.994422 osdx ca-certificates[115229]: Updating certificates in /etc/ssl/certs... May 19 14:47:48.472655 osdx ca-certificates[116234]: 1 added, 0 removed; done. May 19 14:47:48.476391 osdx ca-certificates[116240]: Running hooks in /etc/ca-certificates/update.d... May 19 14:47:48.479663 osdx ca-certificates[116242]: done. May 19 14:47:48.536332 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. 
May 19 14:47:48.537533 osdx cfgd[1649]: [2756]Completed change to active configuration May 19 14:47:48.541040 osdx OSDxCLI[2756]: User 'admin' committed the configuration. May 19 14:47:48.567704 osdx dnscrypt-proxy[116246]: dnscrypt-proxy 2.0.45 May 19 14:47:48.567766 osdx dnscrypt-proxy[116246]: Network connectivity detected May 19 14:47:48.567941 osdx dnscrypt-proxy[116246]: Dropping privileges May 19 14:47:48.570033 osdx dnscrypt-proxy[116246]: Network connectivity detected May 19 14:47:48.570061 osdx dnscrypt-proxy[116246]: Now listening to 127.0.0.1:53 [UDP] May 19 14:47:48.570065 osdx dnscrypt-proxy[116246]: Now listening to 127.0.0.1:53 [TCP] May 19 14:47:48.570088 osdx dnscrypt-proxy[116246]: Firefox workaround initialized May 19 14:47:48.570092 osdx dnscrypt-proxy[116246]: Loading the set of cloaking rules from [/tmp/tmpl701qe5l] May 19 14:47:48.570573 osdx OSDxCLI[2756]: User 'admin' left the configuration menu. May 19 14:47:48.716448 osdx dnscrypt-proxy[116246]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199 May 19 14:47:48.716462 osdx dnscrypt-proxy[116246]: [RD] OK (DoH) - rtt: 122ms May 19 14:47:48.716469 osdx dnscrypt-proxy[116246]: Server with the lowest initial latency: RD (rtt: 122ms) May 19 14:47:48.716474 osdx dnscrypt-proxy[116246]: dnscrypt-proxy is ready - live servers: 1 May 19 14:47:53.732186 osdx OSDxCLI[2756]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'. May 19 14:47:55.842567 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 2
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command 'show host lookup teldat.com type A' at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command 'system journal show | cat' at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
Output:
May 19 14:47:56.045224 osdx systemd-journald[1859]: Runtime Journal (/run/log/journal/dd53a6d251524eaf96fe5f49da605cd5) is 2.0M, max 15.3M, 13.3M free. May 19 14:47:56.048072 osdx systemd-journald[1859]: Received client request to rotate journal, rotating. May 19 14:47:56.048121 osdx systemd-journald[1859]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd53a6d251524eaf96fe5f49da605cd5. May 19 14:47:56.056811 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'system journal clear'. May 19 14:47:56.306794 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu. May 19 14:47:56.366534 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'delete '. May 19 14:47:56.514765 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. May 19 14:47:56.588897 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'. May 19 14:47:56.675823 osdx dnscrypt-proxy[116246]: Stopped. May 19 14:47:56.675854 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy... May 19 14:47:56.676955 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully. May 19 14:47:56.677052 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy. May 19 14:47:56.778629 osdx ca-certificates[116334]: Clearing symlinks in /etc/ssl/certs... May 19 14:47:57.041556 osdx ca-certificates[116904]: done. May 19 14:47:57.044478 osdx ca-certificates[116914]: Updating certificates in /etc/ssl/certs... May 19 14:47:57.466908 osdx ca-certificates[117764]: 140 added, 0 removed; done. May 19 14:47:57.469924 osdx ca-certificates[117771]: Running hooks in /etc/ca-certificates/update.d... May 19 14:47:57.472777 osdx ca-certificates[117773]: done. 
May 19 14:47:57.502042 osdx INFO[117776]: FRR daemons did not change May 19 14:47:57.502325 osdx cfgd[1649]: [2756]Completed change to active configuration May 19 14:47:57.505208 osdx OSDxCLI[2756]: User 'admin' committed the configuration. May 19 14:47:57.522629 osdx OSDxCLI[2756]: User 'admin' left the configuration menu. May 19 14:47:58.813414 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu. May 19 14:47:58.902928 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. May 19 14:47:59.003285 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. May 19 14:47:59.068356 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. May 19 14:47:59.153545 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. May 19 14:47:59.215786 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'. May 19 14:47:59.317135 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. May 19 14:47:59.382360 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'. May 19 14:47:59.491222 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. May 19 14:47:59.567132 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 19 14:47:59.660505 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 19 14:47:59.782562 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'. 
May 19 14:47:59.878892 osdx INFO[117817]: FRR daemons did not change May 19 14:47:59.891033 osdx ca-certificates[117832]: Updating certificates in /etc/ssl/certs... May 19 14:48:00.380709 osdx ca-certificates[118836]: 1 added, 0 removed; done. May 19 14:48:00.383450 osdx ca-certificates[118843]: Running hooks in /etc/ca-certificates/update.d... May 19 14:48:00.386127 osdx ca-certificates[118845]: done. May 19 14:48:00.408071 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 May 19 14:48:00.552361 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. May 19 14:48:00.553491 osdx cfgd[1649]: [2756]Completed change to active configuration May 19 14:48:00.573522 osdx dnscrypt-proxy[118911]: dnscrypt-proxy 2.0.45 May 19 14:48:00.573592 osdx dnscrypt-proxy[118911]: Network connectivity detected May 19 14:48:00.573810 osdx dnscrypt-proxy[118911]: Dropping privileges May 19 14:48:00.576322 osdx dnscrypt-proxy[118911]: Network connectivity detected May 19 14:48:00.576351 osdx dnscrypt-proxy[118911]: Now listening to 127.0.0.1:53 [UDP] May 19 14:48:00.576354 osdx dnscrypt-proxy[118911]: Now listening to 127.0.0.1:53 [TCP] May 19 14:48:00.576372 osdx dnscrypt-proxy[118911]: Firefox workaround initialized May 19 14:48:00.576376 osdx dnscrypt-proxy[118911]: Loading the set of cloaking rules from [/tmp/tmp6jupx1wu] May 19 14:48:00.581774 osdx OSDxCLI[2756]: User 'admin' committed the configuration. May 19 14:48:00.600710 osdx OSDxCLI[2756]: User 'admin' left the configuration menu. 
May 19 14:48:00.703578 osdx dnscrypt-proxy[118911]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
May 19 14:48:00.703597 osdx dnscrypt-proxy[118911]: [RD] OK (DoH) - rtt: 102ms
May 19 14:48:00.703608 osdx dnscrypt-proxy[118911]: Server with the lowest initial latency: RD (rtt: 102ms)
May 19 14:48:00.703614 osdx dnscrypt-proxy[118911]: dnscrypt-proxy is ready - live servers: 1
May 19 14:48:00.744203 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 3
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Output:
May 19 14:48:00.972245 osdx systemd-journald[1859]: Runtime Journal (/run/log/journal/dd53a6d251524eaf96fe5f49da605cd5) is 2.0M, max 15.3M, 13.3M free. May 19 14:48:00.976083 osdx systemd-journald[1859]: Received client request to rotate journal, rotating. May 19 14:48:00.976161 osdx systemd-journald[1859]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd53a6d251524eaf96fe5f49da605cd5. May 19 14:48:00.983030 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'system journal clear'. May 19 14:48:01.269769 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu. May 19 14:48:01.347010 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'delete '. May 19 14:48:01.459714 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. May 19 14:48:01.522140 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'. May 19 14:48:01.627394 osdx dnscrypt-proxy[118911]: Stopped. May 19 14:48:01.627495 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy... May 19 14:48:01.628834 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully. May 19 14:48:01.628956 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy. May 19 14:48:01.731006 osdx ca-certificates[119019]: Clearing symlinks in /etc/ssl/certs... May 19 14:48:01.977513 osdx ca-certificates[119588]: done. May 19 14:48:01.980610 osdx ca-certificates[119598]: Updating certificates in /etc/ssl/certs... May 19 14:48:02.406164 osdx ca-certificates[120450]: 140 added, 0 removed; done. May 19 14:48:02.409914 osdx ca-certificates[120455]: Running hooks in /etc/ca-certificates/update.d... May 19 14:48:02.413395 osdx ca-certificates[120457]: done. 
May 19 14:48:02.442062 osdx INFO[120460]: FRR daemons did not change May 19 14:48:02.442319 osdx cfgd[1649]: [2756]Completed change to active configuration May 19 14:48:02.446100 osdx OSDxCLI[2756]: User 'admin' committed the configuration. May 19 14:48:02.468270 osdx OSDxCLI[2756]: User 'admin' left the configuration menu. May 19 14:48:03.710521 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu. May 19 14:48:03.773798 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. May 19 14:48:03.872159 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. May 19 14:48:03.939442 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. May 19 14:48:04.035581 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. May 19 14:48:04.101626 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'. May 19 14:48:04.219659 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. May 19 14:48:04.280664 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'. May 19 14:48:04.373901 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. May 19 14:48:04.447337 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 19 14:48:04.532977 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 19 14:48:04.640692 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'. 
May 19 14:48:04.716615 osdx INFO[120501]: FRR daemons did not change May 19 14:48:04.730281 osdx ca-certificates[120516]: Updating certificates in /etc/ssl/certs... May 19 14:48:05.286057 osdx ca-certificates[121520]: 1 added, 0 removed; done. May 19 14:48:05.289750 osdx ca-certificates[121527]: Running hooks in /etc/ca-certificates/update.d... May 19 14:48:05.293436 osdx ca-certificates[121529]: done. May 19 14:48:05.320078 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 May 19 14:48:05.516407 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. May 19 14:48:05.517600 osdx cfgd[1649]: [2756]Completed change to active configuration May 19 14:48:05.541541 osdx dnscrypt-proxy[121595]: dnscrypt-proxy 2.0.45 May 19 14:48:05.541600 osdx dnscrypt-proxy[121595]: Network connectivity detected May 19 14:48:05.541811 osdx dnscrypt-proxy[121595]: Dropping privileges May 19 14:48:05.544298 osdx dnscrypt-proxy[121595]: Network connectivity detected May 19 14:48:05.544504 osdx dnscrypt-proxy[121595]: Now listening to 127.0.0.1:53 [UDP] May 19 14:48:05.544550 osdx dnscrypt-proxy[121595]: Now listening to 127.0.0.1:53 [TCP] May 19 14:48:05.544601 osdx dnscrypt-proxy[121595]: Firefox workaround initialized May 19 14:48:05.544637 osdx dnscrypt-proxy[121595]: Loading the set of cloaking rules from [/tmp/tmpqvhuxtb2] May 19 14:48:05.558728 osdx OSDxCLI[2756]: User 'admin' committed the configuration. May 19 14:48:05.577657 osdx OSDxCLI[2756]: User 'admin' left the configuration menu. 
May 19 14:48:05.683978 osdx dnscrypt-proxy[121595]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
May 19 14:48:05.683996 osdx dnscrypt-proxy[121595]: [RD] OK (DoH) - rtt: 114ms
May 19 14:48:05.684004 osdx dnscrypt-proxy[121595]: Server with the lowest initial latency: RD (rtt: 114ms)
May 19 14:48:05.684008 osdx dnscrypt-proxy[121595]: dnscrypt-proxy is ready - live servers: 1
May 19 14:48:05.762074 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 4
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
May 19 14:48:05.993581 osdx systemd-journald[1859]: Runtime Journal (/run/log/journal/dd53a6d251524eaf96fe5f49da605cd5) is 2.0M, max 15.3M, 13.3M free. May 19 14:48:05.996068 osdx systemd-journald[1859]: Received client request to rotate journal, rotating. May 19 14:48:05.996113 osdx systemd-journald[1859]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd53a6d251524eaf96fe5f49da605cd5. May 19 14:48:06.004259 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'system journal clear'. May 19 14:48:06.263517 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu. May 19 14:48:06.326369 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'delete '. May 19 14:48:06.443767 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. May 19 14:48:06.508910 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'. May 19 14:48:06.619311 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy... May 19 14:48:06.619315 osdx dnscrypt-proxy[121595]: Stopped. May 19 14:48:06.620379 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully. May 19 14:48:06.620495 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy. May 19 14:48:06.734351 osdx ca-certificates[121698]: Clearing symlinks in /etc/ssl/certs... May 19 14:48:06.997846 osdx ca-certificates[122269]: done. May 19 14:48:07.001978 osdx ca-certificates[122281]: Updating certificates in /etc/ssl/certs... May 19 14:48:07.427418 osdx ca-certificates[123129]: 140 added, 0 removed; done. May 19 14:48:07.430174 osdx ca-certificates[123135]: Running hooks in /etc/ca-certificates/update.d... May 19 14:48:07.433801 osdx ca-certificates[123137]: done. 
May 19 14:48:07.470544 osdx INFO[123140]: FRR daemons did not change May 19 14:48:07.471032 osdx cfgd[1649]: [2756]Completed change to active configuration May 19 14:48:07.473789 osdx OSDxCLI[2756]: User 'admin' committed the configuration. May 19 14:48:07.494979 osdx OSDxCLI[2756]: User 'admin' left the configuration menu. May 19 14:48:08.766902 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu. May 19 14:48:08.829161 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. May 19 14:48:08.932424 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. May 19 14:48:09.010331 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. May 19 14:48:09.097158 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. May 19 14:48:09.199279 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'. May 19 14:48:09.279227 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'. May 19 14:48:09.395469 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'. May 19 14:48:09.454148 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. May 19 14:48:09.576994 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 19 14:48:09.632290 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 19 14:48:09.751883 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'. 
May 19 14:48:09.845760 osdx INFO[123181]: FRR daemons did not change May 19 14:48:09.857597 osdx ca-certificates[123197]: Updating certificates in /etc/ssl/certs... May 19 14:48:10.340325 osdx ca-certificates[124200]: 1 added, 0 removed; done. May 19 14:48:10.343089 osdx ca-certificates[124207]: Running hooks in /etc/ca-certificates/update.d... May 19 14:48:10.345808 osdx ca-certificates[124209]: done. May 19 14:48:10.364093 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 May 19 14:48:10.528343 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. May 19 14:48:10.529358 osdx cfgd[1649]: [2756]Completed change to active configuration May 19 14:48:10.549841 osdx dnscrypt-proxy[124275]: dnscrypt-proxy 2.0.45 May 19 14:48:10.549915 osdx dnscrypt-proxy[124275]: Network connectivity detected May 19 14:48:10.550096 osdx dnscrypt-proxy[124275]: Dropping privileges May 19 14:48:10.552224 osdx dnscrypt-proxy[124275]: Network connectivity detected May 19 14:48:10.552250 osdx dnscrypt-proxy[124275]: Now listening to 127.0.0.1:53 [UDP] May 19 14:48:10.552255 osdx dnscrypt-proxy[124275]: Now listening to 127.0.0.1:53 [TCP] May 19 14:48:10.552273 osdx dnscrypt-proxy[124275]: Firefox workaround initialized May 19 14:48:10.552276 osdx dnscrypt-proxy[124275]: Loading the set of cloaking rules from [/tmp/tmpptyb9lq7] May 19 14:48:10.556707 osdx OSDxCLI[2756]: User 'admin' committed the configuration. May 19 14:48:10.574379 osdx OSDxCLI[2756]: User 'admin' left the configuration menu. 
May 19 14:48:10.677828 osdx dnscrypt-proxy[124275]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
May 19 14:48:10.677851 osdx dnscrypt-proxy[124275]: [RD] OK (DoH) - rtt: 102ms
May 19 14:48:10.677863 osdx dnscrypt-proxy[124275]: Server with the lowest initial latency: RD (rtt: 102ms)
May 19 14:48:10.677870 osdx dnscrypt-proxy[124275]: dnscrypt-proxy is ready - live servers: 1
May 19 14:48:10.758863 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 5
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
Output:
May 19 14:48:10.999804 osdx systemd-journald[1859]: Runtime Journal (/run/log/journal/dd53a6d251524eaf96fe5f49da605cd5) is 2.0M, max 15.3M, 13.3M free. May 19 14:48:11.000236 osdx systemd-journald[1859]: Received client request to rotate journal, rotating. May 19 14:48:11.000266 osdx systemd-journald[1859]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd53a6d251524eaf96fe5f49da605cd5. May 19 14:48:11.009068 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'system journal clear'. May 19 14:48:11.257249 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu. May 19 14:48:11.315373 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'delete '. May 19 14:48:11.430000 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. May 19 14:48:11.491785 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'. May 19 14:48:11.587049 osdx dnscrypt-proxy[124275]: Stopped. May 19 14:48:11.587116 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy... May 19 14:48:11.587873 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully. May 19 14:48:11.587987 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy. May 19 14:48:11.680813 osdx ca-certificates[124379]: Clearing symlinks in /etc/ssl/certs... May 19 14:48:11.926077 osdx ca-certificates[124948]: done. May 19 14:48:11.931144 osdx ca-certificates[124957]: Updating certificates in /etc/ssl/certs... May 19 14:48:12.402820 osdx ca-certificates[125808]: 140 added, 0 removed; done. May 19 14:48:12.405671 osdx ca-certificates[125815]: Running hooks in /etc/ca-certificates/update.d... May 19 14:48:12.408561 osdx ca-certificates[125817]: done. 
May 19 14:48:12.438227 osdx INFO[125820]: FRR daemons did not change May 19 14:48:12.438515 osdx cfgd[1649]: [2756]Completed change to active configuration May 19 14:48:12.440682 osdx OSDxCLI[2756]: User 'admin' committed the configuration. May 19 14:48:12.462370 osdx OSDxCLI[2756]: User 'admin' left the configuration menu. May 19 14:48:13.638787 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu. May 19 14:48:13.698710 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. May 19 14:48:13.796220 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. May 19 14:48:13.867757 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. May 19 14:48:13.974622 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. May 19 14:48:14.076211 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'. May 19 14:48:14.130472 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'. May 19 14:48:14.243280 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'. May 19 14:48:14.312100 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. May 19 14:48:14.432402 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 19 14:48:14.502248 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 19 14:48:14.629619 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'. 
May 19 14:48:14.716217 osdx INFO[125862]: FRR daemons did not change May 19 14:48:14.731189 osdx ca-certificates[125877]: Updating certificates in /etc/ssl/certs... May 19 14:48:15.030179 osdx systemd[1]: systemd-timedated.service: Deactivated successfully. May 19 14:48:15.247757 osdx ca-certificates[126883]: 1 added, 0 removed; done. May 19 14:48:15.251670 osdx ca-certificates[126890]: Running hooks in /etc/ca-certificates/update.d... May 19 14:48:15.254787 osdx ca-certificates[126892]: done. May 19 14:48:15.280074 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 May 19 14:48:15.480429 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. May 19 14:48:15.481661 osdx cfgd[1649]: [2756]Completed change to active configuration May 19 14:48:15.514760 osdx OSDxCLI[2756]: User 'admin' committed the configuration. May 19 14:48:15.518884 osdx dnscrypt-proxy[126958]: dnscrypt-proxy 2.0.45 May 19 14:48:15.518951 osdx dnscrypt-proxy[126958]: Network connectivity detected May 19 14:48:15.519203 osdx dnscrypt-proxy[126958]: Dropping privileges May 19 14:48:15.522025 osdx dnscrypt-proxy[126958]: Network connectivity detected May 19 14:48:15.522279 osdx dnscrypt-proxy[126958]: Now listening to 127.0.0.1:53 [UDP] May 19 14:48:15.522335 osdx dnscrypt-proxy[126958]: Now listening to 127.0.0.1:53 [TCP] May 19 14:48:15.522411 osdx dnscrypt-proxy[126958]: Firefox workaround initialized May 19 14:48:15.522452 osdx dnscrypt-proxy[126958]: Loading the set of cloaking rules from [/tmp/tmpemj4b1cv] May 19 14:48:15.542004 osdx OSDxCLI[2756]: User 'admin' left the configuration menu. 
May 19 14:48:15.677225 osdx dnscrypt-proxy[126958]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
May 19 14:48:15.677415 osdx dnscrypt-proxy[126958]: [RD] OK (DoH) - rtt: 116ms
May 19 14:48:15.677477 osdx dnscrypt-proxy[126958]: Server with the lowest initial latency: RD (rtt: 116ms)
May 19 14:48:15.677526 osdx dnscrypt-proxy[126958]: dnscrypt-proxy is ready - live servers: 1
May 19 14:48:15.693927 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 6
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Output:
May 19 14:48:15.925620 osdx systemd-journald[1859]: Runtime Journal (/run/log/journal/dd53a6d251524eaf96fe5f49da605cd5) is 2.3M, max 15.3M, 12.9M free. May 19 14:48:15.928068 osdx systemd-journald[1859]: Received client request to rotate journal, rotating. May 19 14:48:15.928135 osdx systemd-journald[1859]: Vacuuming done, freed 0B of archived journals from /run/log/journal/dd53a6d251524eaf96fe5f49da605cd5. May 19 14:48:15.936533 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'system journal clear'. May 19 14:48:16.227853 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu. May 19 14:48:16.287309 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'delete '. May 19 14:48:16.411005 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. May 19 14:48:16.491074 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'. May 19 14:48:16.614446 osdx dnscrypt-proxy[126958]: Stopped. May 19 14:48:16.614495 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy... May 19 14:48:16.615989 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully. May 19 14:48:16.616100 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy. May 19 14:48:16.714530 osdx ca-certificates[127062]: Clearing symlinks in /etc/ssl/certs... May 19 14:48:16.965158 osdx ca-certificates[127631]: done. May 19 14:48:16.968351 osdx ca-certificates[127640]: Updating certificates in /etc/ssl/certs... May 19 14:48:17.391133 osdx ca-certificates[128493]: 140 added, 0 removed; done. May 19 14:48:17.395160 osdx ca-certificates[128498]: Running hooks in /etc/ca-certificates/update.d... May 19 14:48:17.398826 osdx ca-certificates[128500]: done. 
May 19 14:48:17.428872 osdx INFO[128503]: FRR daemons did not change May 19 14:48:17.429477 osdx cfgd[1649]: [2756]Completed change to active configuration May 19 14:48:17.431763 osdx OSDxCLI[2756]: User 'admin' committed the configuration. May 19 14:48:17.455163 osdx OSDxCLI[2756]: User 'admin' left the configuration menu. May 19 14:48:18.697309 osdx OSDxCLI[2756]: User 'admin' entered the configuration menu. May 19 14:48:18.760459 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. May 19 14:48:18.862486 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. May 19 14:48:18.943252 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. May 19 14:48:19.044303 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. May 19 14:48:19.159021 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'. May 19 14:48:19.224649 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'. May 19 14:48:19.325474 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'. May 19 14:48:19.382933 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. May 19 14:48:19.557996 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 19 14:48:19.615856 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 19 14:48:19.730903 osdx OSDxCLI[2756]: User 'admin' added a new cfg line: 'show working'. 
May 19 14:48:19.808980 osdx INFO[128544]: FRR daemons did not change May 19 14:48:19.823814 osdx ca-certificates[128560]: Updating certificates in /etc/ssl/certs... May 19 14:48:20.344132 osdx ca-certificates[129564]: 1 added, 0 removed; done. May 19 14:48:20.347019 osdx ca-certificates[129570]: Running hooks in /etc/ca-certificates/update.d... May 19 14:48:20.349794 osdx ca-certificates[129572]: done. May 19 14:48:20.372069 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 May 19 14:48:20.532583 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. May 19 14:48:20.534101 osdx cfgd[1649]: [2756]Completed change to active configuration May 19 14:48:20.553713 osdx dnscrypt-proxy[129638]: dnscrypt-proxy 2.0.45 May 19 14:48:20.553770 osdx dnscrypt-proxy[129638]: Network connectivity detected May 19 14:48:20.553952 osdx dnscrypt-proxy[129638]: Dropping privileges May 19 14:48:20.555880 osdx dnscrypt-proxy[129638]: Network connectivity detected May 19 14:48:20.555917 osdx dnscrypt-proxy[129638]: Now listening to 127.0.0.1:53 [UDP] May 19 14:48:20.555921 osdx dnscrypt-proxy[129638]: Now listening to 127.0.0.1:53 [TCP] May 19 14:48:20.555941 osdx dnscrypt-proxy[129638]: Firefox workaround initialized May 19 14:48:20.555945 osdx dnscrypt-proxy[129638]: Loading the set of cloaking rules from [/tmp/tmpdv26c119] May 19 14:48:20.576424 osdx OSDxCLI[2756]: User 'admin' committed the configuration. May 19 14:48:20.596197 osdx OSDxCLI[2756]: User 'admin' left the configuration menu. 
May 19 14:48:21.595407 osdx dnscrypt-proxy[129638]: [RD] may be a lying resolver
May 19 14:48:21.595416 osdx dnscrypt-proxy[129638]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
May 19 14:48:21.595429 osdx dnscrypt-proxy[129638]: [RD] OK (DoH) - rtt: 1009ms
May 19 14:48:21.595436 osdx dnscrypt-proxy[129638]: Server with the lowest initial latency: RD (rtt: 1009ms)
May 19 14:48:21.595441 osdx dnscrypt-proxy[129638]: dnscrypt-proxy is ready - live servers: 1
May 19 14:48:25.763646 osdx OSDxCLI[2756]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
May 19 14:48:27.871075 osdx OSDxCLI[2756]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
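Step 3 in the examples above matches a decimal token such as Cipher suite: 52392. The Python below is an added example, not part of the OSDx test suite: it maps that decimal value to its IANA suite name and checks that the negotiated suite is one of the configured algorithms and is not RC4 or 3DES. The function names are hypothetical, and it assumes the TLS version field in the dnscrypt-proxy line is hexadecimal (303 = 0x0303, TLS 1.2).

```python
import re

# IANA TLS cipher suite code points for the algorithms named in the configurations above.
IANA_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",        # 49199
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",        # 49200
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",  # 52392
}
# RC4 and 3DES suites: deprecated, and on the HTTP/2 prohibited list (RFC 7540, Appendix A).
LEGACY = {0x0005, 0x000A}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

CFG_RE = re.compile(r"set service dns proxy cipher (\d+) algorithm (\w+)")
LOG_RE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[([^\]]+)\] TLS version: ([0-9a-fA-F]+)"
    r" - Protocol: (\S+) - Cipher suite: (\d+)"
)


def configured_suites(config_text):
    """Return the configured algorithm names ordered by their cipher index."""
    pairs = sorted((int(idx), name) for idx, name in CFG_RE.findall(config_text))
    return [name for _, name in pairs]


def negotiated(journal_text):
    """Decode every 'TLS version / Cipher suite' line found in the journal text."""
    results = []
    for server, version, protocol, suite in LOG_RE.findall(journal_text):
        code = int(suite)  # the suite is logged in decimal
        results.append({
            "server": server,
            # Assumption: the version field is hexadecimal (303 -> 0x0303).
            "tls": TLS_VERSIONS.get(int(version, 16), "unknown (0x%s)" % version),
            "protocol": protocol,
            "code": "0x%04X" % code,
            "suite": IANA_SUITES.get(code, "unknown"),
            "legacy": code in LEGACY,
        })
    return results


def audit(config_text, journal_text):
    """Pair each negotiated session with the list of problems found for it."""
    allowed = configured_suites(config_text)
    findings = []
    for session in negotiated(journal_text):
        problems = []
        if session["suite"] not in allowed:
            problems.append("negotiated suite is not in the configured list")
        if session["legacy"]:
            problems.append("legacy suite (RC4/3DES) negotiated")
        if session["tls"] not in ("TLS 1.2", "TLS 1.3"):
            problems.append("TLS version below 1.2 or unrecognised")
        findings.append((session, problems))
    return findings


# Cipher lines and journal line copied from Example 3 above.
EXAMPLE3_CONFIG = (
    "set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA "
    "set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
)
EXAMPLE3_JOURNAL = (
    "May 19 14:48:05.683978 osdx dnscrypt-proxy[121595]: [RD] TLS version: 303"
    " - Protocol: h2 - Cipher suite: 52392"
)
# Constructed line (not from the page): what a 3DES negotiation would look like.
CONSTRUCTED_BAD_JOURNAL = (
    "May 19 00:00:00.000000 osdx dnscrypt-proxy[1]: [RD] TLS version: 303"
    " - Protocol: h2 - Cipher suite: 10"
)

if __name__ == "__main__":
    for journal in (EXAMPLE3_JOURNAL, CONSTRUCTED_BAD_JOURNAL):
        for session, problems in audit(EXAMPLE3_CONFIG, journal):
            verdict = "PASS" if not problems else "FAIL: " + "; ".join(problems)
            print(session["server"], session["tls"], session["code"],
                  session["suite"], "->", verdict)
```

Both regular expressions also match when the configuration or journal is pasted as one flattened line, as it appears in the captured output.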