Cipher
Test suite that validates the use of one or multiple ciphers to protect the DoH connection.
Single Valid Cipher
Description
Configures a single, valid cipher and tries to communicate with the server. No refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
May 14 09:50:30.347429 osdx systemd-journald[1884]: Runtime Journal (/run/log/journal/0288f6065d6743618e90e784ba8b9df5) is 2.6M, max 15.3M, 12.7M free.
May 14 09:50:30.348833 osdx systemd-journald[1884]: Received client request to rotate journal, rotating.
May 14 09:50:30.348873 osdx systemd-journald[1884]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0288f6065d6743618e90e784ba8b9df5.
May 14 09:50:30.356963 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal clear'.
May 14 09:50:30.696301 osdx osdx-coredump[111195]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 14 09:50:30.704221 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system coredump delete all'.
May 14 09:50:31.275345 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu.
May 14 09:50:31.398626 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 14 09:50:31.540177 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 14 09:50:31.611951 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'.
May 14 09:50:31.704849 osdx ubnt-cfgd[111213]: inactive
May 14 09:50:31.725834 osdx INFO[111221]: FRR daemons did not change
May 14 09:50:31.821512 osdx cfgd[1681]: [2678]Completed change to active configuration
May 14 09:50:31.834127 osdx OSDxCLI[2678]: User 'admin' committed the configuration.
May 14 09:50:31.850759 osdx OSDxCLI[2678]: User 'admin' left the configuration menu.
May 14 09:50:32.050029 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 14 09:50:32.217034 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu.
May 14 09:50:32.280027 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 14 09:50:32.381124 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 14 09:50:32.450804 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 14 09:50:32.560884 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 14 09:50:32.706174 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'.
May 14 09:50:32.767638 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
May 14 09:50:32.861972 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 14 09:50:32.932459 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 14 09:50:33.045757 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 14 09:50:33.129730 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'.
May 14 09:50:33.224987 osdx ubnt-cfgd[111382]: inactive
May 14 09:50:33.252586 osdx INFO[111390]: FRR daemons did not change
May 14 09:50:33.265687 osdx ca-certificates[111406]: Updating certificates in /etc/ssl/certs...
May 14 09:50:33.767069 osdx ca-certificates[112409]: 1 added, 0 removed; done.
May 14 09:50:33.770055 osdx ca-certificates[112416]: Running hooks in /etc/ca-certificates/update.d...
May 14 09:50:33.772833 osdx ca-certificates[112418]: done.
May 14 09:50:33.837416 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 14 09:50:33.838955 osdx cfgd[1681]: [2678]Completed change to active configuration
May 14 09:50:33.841543 osdx OSDxCLI[2678]: User 'admin' committed the configuration.
May 14 09:50:33.859595 osdx dnscrypt-proxy[112422]: dnscrypt-proxy 2.0.45
May 14 09:50:33.859696 osdx dnscrypt-proxy[112422]: Network connectivity detected
May 14 09:50:33.859951 osdx dnscrypt-proxy[112422]: Dropping privileges
May 14 09:50:33.863087 osdx dnscrypt-proxy[112422]: Network connectivity detected
May 14 09:50:33.863124 osdx dnscrypt-proxy[112422]: Now listening to 127.0.0.1:53 [UDP]
May 14 09:50:33.863130 osdx dnscrypt-proxy[112422]: Now listening to 127.0.0.1:53 [TCP]
May 14 09:50:33.863157 osdx dnscrypt-proxy[112422]: Firefox workaround initialized
May 14 09:50:33.863162 osdx dnscrypt-proxy[112422]: Loading the set of cloaking rules from [/tmp/tmpnzaz7yzl]
May 14 09:50:33.867653 osdx OSDxCLI[2678]: User 'admin' left the configuration menu.
May 14 09:50:34.030106 osdx dnscrypt-proxy[112422]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
May 14 09:50:34.030120 osdx dnscrypt-proxy[112422]: [RD] OK (DoH) - rtt: 143ms
May 14 09:50:34.030128 osdx dnscrypt-proxy[112422]: Server with the lowest initial latency: RD (rtt: 143ms)
May 14 09:50:34.030132 osdx dnscrypt-proxy[112422]: dnscrypt-proxy is ready - live servers: 1
May 14 09:50:39.042285 osdx OSDxCLI[2678]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
May 14 09:50:41.140002 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Multiple Valid Cipher
Description
Configures a valid cipher each time, and tries to communicate with the server. No refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
May 14 09:50:48.280132 osdx systemd-journald[1884]: Runtime Journal (/run/log/journal/0288f6065d6743618e90e784ba8b9df5) is 2.0M, max 15.3M, 13.3M free.
May 14 09:50:48.282066 osdx systemd-journald[1884]: Received client request to rotate journal, rotating.
May 14 09:50:48.282117 osdx systemd-journald[1884]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0288f6065d6743618e90e784ba8b9df5.
May 14 09:50:48.290223 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal clear'.
May 14 09:50:48.602926 osdx osdx-coredump[114097]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 14 09:50:48.611207 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system coredump delete all'.
May 14 09:50:49.103270 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu.
May 14 09:50:49.178388 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 14 09:50:49.265223 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 14 09:50:49.343698 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'.
May 14 09:50:49.425134 osdx ubnt-cfgd[114115]: inactive
May 14 09:50:49.445891 osdx INFO[114123]: FRR daemons did not change
May 14 09:50:49.540246 osdx cfgd[1681]: [2678]Completed change to active configuration
May 14 09:50:49.554502 osdx OSDxCLI[2678]: User 'admin' committed the configuration.
May 14 09:50:49.572928 osdx OSDxCLI[2678]: User 'admin' left the configuration menu.
May 14 09:50:49.707577 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 14 09:50:49.895606 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu.
May 14 09:50:49.953786 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 14 09:50:50.061278 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 14 09:50:50.141560 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 14 09:50:50.269278 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 14 09:50:50.343330 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'.
May 14 09:50:50.453456 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
May 14 09:50:50.533734 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 14 09:50:50.665606 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 14 09:50:50.728487 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 14 09:50:50.863642 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'.
May 14 09:50:50.938718 osdx ubnt-cfgd[114284]: inactive
May 14 09:50:50.958610 osdx INFO[114292]: FRR daemons did not change
May 14 09:50:50.971906 osdx ca-certificates[114308]: Updating certificates in /etc/ssl/certs...
May 14 09:50:51.491704 osdx ca-certificates[115312]: 1 added, 0 removed; done.
May 14 09:50:51.494901 osdx ca-certificates[115318]: Running hooks in /etc/ca-certificates/update.d...
May 14 09:50:51.497593 osdx ca-certificates[115320]: done.
May 14 09:50:51.570332 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 14 09:50:51.571650 osdx cfgd[1681]: [2678]Completed change to active configuration
May 14 09:50:51.573934 osdx OSDxCLI[2678]: User 'admin' committed the configuration.
May 14 09:50:51.603504 osdx dnscrypt-proxy[115324]: dnscrypt-proxy 2.0.45
May 14 09:50:51.603563 osdx dnscrypt-proxy[115324]: Network connectivity detected
May 14 09:50:51.603766 osdx dnscrypt-proxy[115324]: Dropping privileges
May 14 09:50:51.606238 osdx dnscrypt-proxy[115324]: Network connectivity detected
May 14 09:50:51.606273 osdx dnscrypt-proxy[115324]: Now listening to 127.0.0.1:53 [UDP]
May 14 09:50:51.606278 osdx dnscrypt-proxy[115324]: Now listening to 127.0.0.1:53 [TCP]
May 14 09:50:51.606307 osdx dnscrypt-proxy[115324]: Firefox workaround initialized
May 14 09:50:51.606313 osdx dnscrypt-proxy[115324]: Loading the set of cloaking rules from [/tmp/tmpj04tg0l_]
May 14 09:50:51.610220 osdx OSDxCLI[2678]: User 'admin' left the configuration menu.
May 14 09:50:51.749352 osdx dnscrypt-proxy[115324]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
May 14 09:50:51.749365 osdx dnscrypt-proxy[115324]: [RD] OK (DoH) - rtt: 113ms
May 14 09:50:51.749374 osdx dnscrypt-proxy[115324]: Server with the lowest initial latency: RD (rtt: 113ms)
May 14 09:50:51.749378 osdx dnscrypt-proxy[115324]: dnscrypt-proxy is ready - live servers: 1
May 14 09:50:51.762936 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 2
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
Output:
May 14 09:50:51.964803 osdx systemd-journald[1884]: Runtime Journal (/run/log/journal/0288f6065d6743618e90e784ba8b9df5) is 2.0M, max 15.3M, 13.3M free.
May 14 09:50:51.966051 osdx systemd-journald[1884]: Received client request to rotate journal, rotating.
May 14 09:50:51.966111 osdx systemd-journald[1884]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0288f6065d6743618e90e784ba8b9df5.
May 14 09:50:51.977212 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal clear'.
May 14 09:50:52.274100 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu.
May 14 09:50:52.333815 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'delete '.
May 14 09:50:52.451450 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
May 14 09:50:52.538131 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'.
May 14 09:50:52.604264 osdx ubnt-cfgd[115374]: inactive
May 14 09:50:52.628673 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
May 14 09:50:52.628766 osdx dnscrypt-proxy[115324]: Stopped.
May 14 09:50:52.629914 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
May 14 09:50:52.630012 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
May 14 09:50:52.705950 osdx ca-certificates[115460]: Clearing symlinks in /etc/ssl/certs...
May 14 09:50:52.968805 osdx ca-certificates[116028]: done.
May 14 09:50:52.971595 osdx ca-certificates[116037]: Updating certificates in /etc/ssl/certs...
May 14 09:50:53.407878 osdx ca-certificates[116889]: 140 added, 0 removed; done.
May 14 09:50:53.411525 osdx ca-certificates[116896]: Running hooks in /etc/ca-certificates/update.d...
May 14 09:50:53.414247 osdx ca-certificates[116898]: done.
May 14 09:50:53.429181 osdx INFO[116901]: FRR daemons did not change
May 14 09:50:53.429728 osdx cfgd[1681]: [2678]Completed change to active configuration
May 14 09:50:53.432281 osdx OSDxCLI[2678]: User 'admin' committed the configuration.
May 14 09:50:53.449741 osdx OSDxCLI[2678]: User 'admin' left the configuration menu.
May 14 09:50:54.711912 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu.
May 14 09:50:54.779475 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 14 09:50:54.883147 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 14 09:50:54.956913 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 14 09:50:55.053370 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 14 09:50:55.120571 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'.
May 14 09:50:55.215519 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
May 14 09:50:55.270307 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 14 09:50:55.417984 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 14 09:50:55.474822 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 14 09:50:55.596531 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'.
May 14 09:50:55.663784 osdx ubnt-cfgd[116935]: inactive
May 14 09:50:55.686893 osdx INFO[116945]: FRR daemons did not change
May 14 09:50:55.703233 osdx ca-certificates[116961]: Updating certificates in /etc/ssl/certs...
May 14 09:50:56.228284 osdx ca-certificates[117964]: 1 added, 0 removed; done.
May 14 09:50:56.231180 osdx ca-certificates[117971]: Running hooks in /etc/ca-certificates/update.d...
May 14 09:50:56.234064 osdx ca-certificates[117973]: done.
May 14 09:50:56.414667 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 14 09:50:56.416591 osdx cfgd[1681]: [2678]Completed change to active configuration
May 14 09:50:56.430689 osdx OSDxCLI[2678]: User 'admin' committed the configuration.
May 14 09:50:56.446999 osdx dnscrypt-proxy[118083]: dnscrypt-proxy 2.0.45
May 14 09:50:56.447079 osdx dnscrypt-proxy[118083]: Network connectivity detected
May 14 09:50:56.447317 osdx dnscrypt-proxy[118083]: Dropping privileges
May 14 09:50:56.449644 osdx dnscrypt-proxy[118083]: Network connectivity detected
May 14 09:50:56.449670 osdx dnscrypt-proxy[118083]: Now listening to 127.0.0.1:53 [UDP]
May 14 09:50:56.449674 osdx dnscrypt-proxy[118083]: Now listening to 127.0.0.1:53 [TCP]
May 14 09:50:56.449702 osdx dnscrypt-proxy[118083]: Firefox workaround initialized
May 14 09:50:56.449706 osdx dnscrypt-proxy[118083]: Loading the set of cloaking rules from [/tmp/tmpicdrksmf]
May 14 09:50:56.455778 osdx OSDxCLI[2678]: User 'admin' left the configuration menu.
May 14 09:50:56.595892 osdx dnscrypt-proxy[118083]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
May 14 09:50:56.595906 osdx dnscrypt-proxy[118083]: [RD] OK (DoH) - rtt: 117ms
May 14 09:50:56.595914 osdx dnscrypt-proxy[118083]: Server with the lowest initial latency: RD (rtt: 117ms)
May 14 09:50:56.595917 osdx dnscrypt-proxy[118083]: dnscrypt-proxy is ready - live servers: 1
May 14 09:50:56.616985 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 3
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Output:
May 14 09:50:56.834667 osdx systemd-journald[1884]: Runtime Journal (/run/log/journal/0288f6065d6743618e90e784ba8b9df5) is 2.0M, max 15.3M, 13.3M free.
May 14 09:50:56.838053 osdx systemd-journald[1884]: Received client request to rotate journal, rotating.
May 14 09:50:56.838135 osdx systemd-journald[1884]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0288f6065d6743618e90e784ba8b9df5.
May 14 09:50:56.844710 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal clear'.
May 14 09:50:57.110271 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu.
May 14 09:50:57.168759 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'delete '.
May 14 09:50:57.284166 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
May 14 09:50:57.354702 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'.
May 14 09:50:57.448399 osdx ubnt-cfgd[118152]: inactive
May 14 09:50:57.466521 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
May 14 09:50:57.466594 osdx dnscrypt-proxy[118083]: Stopped.
May 14 09:50:57.467507 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
May 14 09:50:57.467609 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
May 14 09:50:57.538694 osdx ca-certificates[118239]: Clearing symlinks in /etc/ssl/certs...
May 14 09:50:57.796241 osdx ca-certificates[118808]: done.
May 14 09:50:57.799868 osdx ca-certificates[118817]: Updating certificates in /etc/ssl/certs...
May 14 09:50:58.225828 osdx ca-certificates[119669]: 140 added, 0 removed; done.
May 14 09:50:58.228604 osdx ca-certificates[119675]: Running hooks in /etc/ca-certificates/update.d...
May 14 09:50:58.231532 osdx ca-certificates[119677]: done.
May 14 09:50:58.247697 osdx INFO[119680]: FRR daemons did not change
May 14 09:50:58.248187 osdx cfgd[1681]: [2678]Completed change to active configuration
May 14 09:50:58.250693 osdx OSDxCLI[2678]: User 'admin' committed the configuration.
May 14 09:50:58.272821 osdx OSDxCLI[2678]: User 'admin' left the configuration menu.
May 14 09:50:59.548482 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu.
May 14 09:50:59.612424 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 14 09:50:59.747599 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 14 09:50:59.811142 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 14 09:50:59.909989 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 14 09:50:59.977532 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'.
May 14 09:51:00.090210 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
May 14 09:51:00.168345 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 14 09:51:00.294309 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 14 09:51:00.360212 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 14 09:51:00.487143 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'.
May 14 09:51:00.553575 osdx ubnt-cfgd[119714]: inactive
May 14 09:51:00.580736 osdx INFO[119724]: FRR daemons did not change
May 14 09:51:00.596733 osdx ca-certificates[119740]: Updating certificates in /etc/ssl/certs...
May 14 09:51:01.092519 osdx ca-certificates[120744]: 1 added, 0 removed; done.
May 14 09:51:01.095501 osdx ca-certificates[120750]: Running hooks in /etc/ca-certificates/update.d...
May 14 09:51:01.099372 osdx ca-certificates[120752]: done.
May 14 09:51:01.270392 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 14 09:51:01.271898 osdx cfgd[1681]: [2678]Completed change to active configuration
May 14 09:51:01.283885 osdx OSDxCLI[2678]: User 'admin' committed the configuration.
May 14 09:51:01.294970 osdx dnscrypt-proxy[120862]: dnscrypt-proxy 2.0.45
May 14 09:51:01.295339 osdx dnscrypt-proxy[120862]: Network connectivity detected
May 14 09:51:01.295645 osdx dnscrypt-proxy[120862]: Dropping privileges
May 14 09:51:01.298419 osdx dnscrypt-proxy[120862]: Network connectivity detected
May 14 09:51:01.298691 osdx dnscrypt-proxy[120862]: Now listening to 127.0.0.1:53 [UDP]
May 14 09:51:01.298751 osdx dnscrypt-proxy[120862]: Now listening to 127.0.0.1:53 [TCP]
May 14 09:51:01.298815 osdx dnscrypt-proxy[120862]: Firefox workaround initialized
May 14 09:51:01.298855 osdx dnscrypt-proxy[120862]: Loading the set of cloaking rules from [/tmp/tmp2gp69uhl]
May 14 09:51:01.323300 osdx OSDxCLI[2678]: User 'admin' left the configuration menu.
May 14 09:51:01.480225 osdx dnscrypt-proxy[120862]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
May 14 09:51:01.480253 osdx dnscrypt-proxy[120862]: [RD] OK (DoH) - rtt: 150ms
May 14 09:51:01.480268 osdx dnscrypt-proxy[120862]: Server with the lowest initial latency: RD (rtt: 150ms)
May 14 09:51:01.480275 osdx dnscrypt-proxy[120862]: dnscrypt-proxy is ready - live servers: 1
May 14 09:51:01.497456 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Single Invalid Cipher
Description
Configures a single, invalid cipher and tries to communicate with the server. A refusal of the proposed cipher is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
May 14 09:51:08.306071 osdx systemd-journald[1884]: Runtime Journal (/run/log/journal/0288f6065d6743618e90e784ba8b9df5) is 2.0M, max 15.3M, 13.3M free.
May 14 09:51:08.309940 osdx systemd-journald[1884]: Received client request to rotate journal, rotating.
May 14 09:51:08.309995 osdx systemd-journald[1884]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0288f6065d6743618e90e784ba8b9df5.
May 14 09:51:08.315383 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal clear'.
May 14 09:51:08.673850 osdx osdx-coredump[122555]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 14 09:51:08.681890 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system coredump delete all'.
May 14 09:51:09.164818 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu.
May 14 09:51:09.246143 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 14 09:51:09.345097 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 14 09:51:09.420044 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'.
May 14 09:51:09.518114 osdx ubnt-cfgd[122573]: inactive
May 14 09:51:09.538942 osdx INFO[122581]: FRR daemons did not change
May 14 09:51:09.635643 osdx cfgd[1681]: [2678]Completed change to active configuration
May 14 09:51:09.646695 osdx OSDxCLI[2678]: User 'admin' committed the configuration.
May 14 09:51:09.676157 osdx OSDxCLI[2678]: User 'admin' left the configuration menu.
May 14 09:51:09.820437 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
May 14 09:51:10.002167 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu.
May 14 09:51:10.126074 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 14 09:51:10.188111 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 14 09:51:10.296472 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 14 09:51:10.355463 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 14 09:51:10.459843 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'.
May 14 09:51:10.517994 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
May 14 09:51:10.620340 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 14 09:51:10.700574 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 14 09:51:10.781942 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 14 09:51:10.860745 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'.
May 14 09:51:10.958684 osdx ubnt-cfgd[122742]: inactive
May 14 09:51:10.986242 osdx INFO[122750]: FRR daemons did not change
May 14 09:51:11.001072 osdx ca-certificates[122766]: Updating certificates in /etc/ssl/certs...
May 14 09:51:11.560953 osdx ca-certificates[123769]: 1 added, 0 removed; done.
May 14 09:51:11.564130 osdx ca-certificates[123776]: Running hooks in /etc/ca-certificates/update.d...
May 14 09:51:11.568120 osdx ca-certificates[123778]: done.
May 14 09:51:11.638250 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 14 09:51:11.639738 osdx cfgd[1681]: [2678]Completed change to active configuration
May 14 09:51:11.642546 osdx OSDxCLI[2678]: User 'admin' committed the configuration.
May 14 09:51:11.663394 osdx dnscrypt-proxy[123782]: dnscrypt-proxy 2.0.45
May 14 09:51:11.663711 osdx dnscrypt-proxy[123782]: Network connectivity detected
May 14 09:51:11.663970 osdx dnscrypt-proxy[123782]: Dropping privileges
May 14 09:51:11.666648 osdx dnscrypt-proxy[123782]: Network connectivity detected
May 14 09:51:11.666683 osdx dnscrypt-proxy[123782]: Now listening to 127.0.0.1:53 [UDP]
May 14 09:51:11.666689 osdx dnscrypt-proxy[123782]: Now listening to 127.0.0.1:53 [TCP]
May 14 09:51:11.666715 osdx dnscrypt-proxy[123782]: Firefox workaround initialized
May 14 09:51:11.666720 osdx dnscrypt-proxy[123782]: Loading the set of cloaking rules from [/tmp/tmpdjj3pamv]
May 14 09:51:11.667582 osdx dnscrypt-proxy[123782]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
May 14 09:51:11.676931 osdx OSDxCLI[2678]: User 'admin' left the configuration menu.
May 14 09:51:11.820724 osdx dnscrypt-proxy[123782]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
May 14 09:51:11.820746 osdx dnscrypt-proxy[123782]: [RD] OK (DoH) - rtt: 127ms
May 14 09:51:11.820754 osdx dnscrypt-proxy[123782]: Server with the lowest initial latency: RD (rtt: 127ms)
May 14 09:51:11.820759 osdx dnscrypt-proxy[123782]: dnscrypt-proxy is ready - live servers: 1
Multiple Invalid Cipher
Description
Configures either one or two invalid ciphers and tries to communicate with the server. A refusal of all proposed ciphers is expected.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
May 14 09:51:19.315661 osdx systemd-journald[1884]: Runtime Journal (/run/log/journal/0288f6065d6743618e90e784ba8b9df5) is 2.0M, max 15.3M, 13.3M free. May 14 09:51:19.316294 osdx systemd-journald[1884]: Received client request to rotate journal, rotating. May 14 09:51:19.316335 osdx systemd-journald[1884]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0288f6065d6743618e90e784ba8b9df5. May 14 09:51:19.325430 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal clear'. May 14 09:51:19.645073 osdx osdx-coredump[125448]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... May 14 09:51:19.653051 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system coredump delete all'. May 14 09:51:20.146397 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu. May 14 09:51:20.311516 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 14 09:51:20.365503 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 14 09:51:20.473029 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'. May 14 09:51:20.535227 osdx ubnt-cfgd[125466]: inactive May 14 09:51:20.553940 osdx INFO[125474]: FRR daemons did not change May 14 09:51:20.645273 osdx cfgd[1681]: [2678]Completed change to active configuration May 14 09:51:20.656839 osdx OSDxCLI[2678]: User 'admin' committed the configuration. May 14 09:51:20.677060 osdx OSDxCLI[2678]: User 'admin' left the configuration menu. May 14 09:51:20.823925 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. May 14 09:51:21.011060 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu. May 14 09:51:21.110445 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. 
May 14 09:51:21.180190 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. May 14 09:51:21.302165 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. May 14 09:51:21.361290 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. May 14 09:51:21.463957 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'. May 14 09:51:21.518409 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. May 14 09:51:21.613721 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. May 14 09:51:21.687515 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 14 09:51:21.787731 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 14 09:51:21.859386 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'. May 14 09:51:21.958876 osdx ubnt-cfgd[125635]: inactive May 14 09:51:21.983661 osdx INFO[125643]: FRR daemons did not change May 14 09:51:21.997862 osdx ca-certificates[125659]: Updating certificates in /etc/ssl/certs... May 14 09:51:22.488042 osdx ca-certificates[126663]: 1 added, 0 removed; done. May 14 09:51:22.490940 osdx ca-certificates[126669]: Running hooks in /etc/ca-certificates/update.d... May 14 09:51:22.493650 osdx ca-certificates[126671]: done. May 14 09:51:22.560173 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. May 14 09:51:22.561446 osdx cfgd[1681]: [2678]Completed change to active configuration May 14 09:51:22.563670 osdx OSDxCLI[2678]: User 'admin' committed the configuration. 
May 14 09:51:22.581903 osdx dnscrypt-proxy[126675]: dnscrypt-proxy 2.0.45 May 14 09:51:22.581984 osdx dnscrypt-proxy[126675]: Network connectivity detected May 14 09:51:22.582207 osdx dnscrypt-proxy[126675]: Dropping privileges May 14 09:51:22.584757 osdx dnscrypt-proxy[126675]: Network connectivity detected May 14 09:51:22.584788 osdx dnscrypt-proxy[126675]: Now listening to 127.0.0.1:53 [UDP] May 14 09:51:22.584792 osdx dnscrypt-proxy[126675]: Now listening to 127.0.0.1:53 [TCP] May 14 09:51:22.584815 osdx dnscrypt-proxy[126675]: Firefox workaround initialized May 14 09:51:22.584819 osdx dnscrypt-proxy[126675]: Loading the set of cloaking rules from [/tmp/tmpv_sv1lo8] May 14 09:51:22.585813 osdx dnscrypt-proxy[126675]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file May 14 09:51:22.591306 osdx OSDxCLI[2678]: User 'admin' left the configuration menu.
Example 2
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
May 14 09:51:22.825523 osdx systemd-journald[1884]: Runtime Journal (/run/log/journal/0288f6065d6743618e90e784ba8b9df5) is 2.0M, max 15.3M, 13.3M free. May 14 09:51:22.827884 osdx systemd-journald[1884]: Received client request to rotate journal, rotating. May 14 09:51:22.827946 osdx systemd-journald[1884]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0288f6065d6743618e90e784ba8b9df5. May 14 09:51:22.836104 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal clear'. May 14 09:51:23.082196 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu. May 14 09:51:23.180341 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'delete '. May 14 09:51:23.249161 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. May 14 09:51:23.352544 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'. May 14 09:51:23.415758 osdx ubnt-cfgd[126722]: inactive May 14 09:51:23.435475 osdx dnscrypt-proxy[126675]: Stopped. May 14 09:51:23.435515 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy... May 14 09:51:23.436520 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully. May 14 09:51:23.436623 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy. May 14 09:51:23.506081 osdx ca-certificates[126808]: Clearing symlinks in /etc/ssl/certs... May 14 09:51:23.776748 osdx ca-certificates[127377]: done. May 14 09:51:23.780740 osdx ca-certificates[127385]: Updating certificates in /etc/ssl/certs... May 14 09:51:24.216210 osdx ca-certificates[128238]: 140 added, 0 removed; done. May 14 09:51:24.219088 osdx ca-certificates[128244]: Running hooks in /etc/ca-certificates/update.d... May 14 09:51:24.221833 osdx ca-certificates[128246]: done. 
May 14 09:51:24.239556 osdx INFO[128249]: FRR daemons did not change May 14 09:51:24.240095 osdx cfgd[1681]: [2678]Completed change to active configuration May 14 09:51:24.242765 osdx OSDxCLI[2678]: User 'admin' committed the configuration. May 14 09:51:24.259338 osdx OSDxCLI[2678]: User 'admin' left the configuration menu. May 14 09:51:25.556664 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu. May 14 09:51:25.628366 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. May 14 09:51:25.740902 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. May 14 09:51:25.816148 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. May 14 09:51:25.872011 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. May 14 09:51:25.975561 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'. May 14 09:51:26.032264 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'. May 14 09:51:26.125356 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. May 14 09:51:26.206071 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 14 09:51:26.287873 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 14 09:51:26.361693 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'. 
May 14 09:51:26.459604 osdx ubnt-cfgd[128283]: inactive May 14 09:51:26.488080 osdx INFO[128293]: FRR daemons did not change May 14 09:51:26.503737 osdx ca-certificates[128309]: Updating certificates in /etc/ssl/certs... May 14 09:51:27.023740 osdx ca-certificates[129313]: 1 added, 0 removed; done. May 14 09:51:27.027305 osdx ca-certificates[129319]: Running hooks in /etc/ca-certificates/update.d... May 14 09:51:27.031421 osdx ca-certificates[129321]: done. May 14 09:51:27.228444 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. May 14 09:51:27.230164 osdx cfgd[1681]: [2678]Completed change to active configuration May 14 09:51:27.242370 osdx OSDxCLI[2678]: User 'admin' committed the configuration. May 14 09:51:27.260616 osdx dnscrypt-proxy[129431]: dnscrypt-proxy 2.0.45 May 14 09:51:27.260688 osdx dnscrypt-proxy[129431]: Network connectivity detected May 14 09:51:27.260941 osdx dnscrypt-proxy[129431]: Dropping privileges May 14 09:51:27.263054 osdx dnscrypt-proxy[129431]: Network connectivity detected May 14 09:51:27.263080 osdx dnscrypt-proxy[129431]: Now listening to 127.0.0.1:53 [UDP] May 14 09:51:27.263084 osdx dnscrypt-proxy[129431]: Now listening to 127.0.0.1:53 [TCP] May 14 09:51:27.263105 osdx dnscrypt-proxy[129431]: Firefox workaround initialized May 14 09:51:27.263109 osdx dnscrypt-proxy[129431]: Loading the set of cloaking rules from [/tmp/tmp53ed9m2m] May 14 09:51:27.264028 osdx dnscrypt-proxy[129431]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file May 14 09:51:27.279958 osdx OSDxCLI[2678]: User 'admin' left the configuration menu. 
May 14 09:51:27.406012 osdx dnscrypt-proxy[129431]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392 May 14 09:51:27.406026 osdx dnscrypt-proxy[129431]: [RD] OK (DoH) - rtt: 116ms May 14 09:51:27.406034 osdx dnscrypt-proxy[129431]: Server with the lowest initial latency: RD (rtt: 116ms) May 14 09:51:27.406039 osdx dnscrypt-proxy[129431]: dnscrypt-proxy is ready - live servers: 1
Example 3
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
May 14 09:51:27.629476 osdx systemd-journald[1884]: Runtime Journal (/run/log/journal/0288f6065d6743618e90e784ba8b9df5) is 2.0M, max 15.3M, 13.3M free. May 14 09:51:27.631861 osdx systemd-journald[1884]: Received client request to rotate journal, rotating. May 14 09:51:27.631912 osdx systemd-journald[1884]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0288f6065d6743618e90e784ba8b9df5. May 14 09:51:27.640980 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal clear'. May 14 09:51:27.951629 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu. May 14 09:51:28.062608 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'delete '. May 14 09:51:28.159582 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'. May 14 09:51:28.231073 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'. May 14 09:51:28.333810 osdx ubnt-cfgd[129496]: inactive May 14 09:51:28.356208 osdx dnscrypt-proxy[129431]: Stopped. May 14 09:51:28.356352 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy... May 14 09:51:28.357379 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully. May 14 09:51:28.357506 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy. May 14 09:51:28.432540 osdx ca-certificates[129582]: Clearing symlinks in /etc/ssl/certs... May 14 09:51:28.716750 osdx ca-certificates[130152]: done. May 14 09:51:28.720602 osdx ca-certificates[130164]: Updating certificates in /etc/ssl/certs... May 14 09:51:29.141217 osdx ca-certificates[131011]: 140 added, 0 removed; done. May 14 09:51:29.144983 osdx ca-certificates[131018]: Running hooks in /etc/ca-certificates/update.d... May 14 09:51:29.147802 osdx ca-certificates[131020]: done. 
May 14 09:51:29.162619 osdx INFO[131023]: FRR daemons did not change May 14 09:51:29.162893 osdx cfgd[1681]: [2678]Completed change to active configuration May 14 09:51:29.165372 osdx OSDxCLI[2678]: User 'admin' committed the configuration. May 14 09:51:29.197160 osdx OSDxCLI[2678]: User 'admin' left the configuration menu. May 14 09:51:30.510059 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu. May 14 09:51:30.569881 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. May 14 09:51:30.670348 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. May 14 09:51:30.736744 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. May 14 09:51:30.847922 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. May 14 09:51:30.965510 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'. May 14 09:51:31.041270 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. May 14 09:51:31.151471 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'. May 14 09:51:31.251131 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. May 14 09:51:31.333014 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 14 09:51:31.414975 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 14 09:51:31.488658 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'. 
May 14 09:51:31.578502 osdx ubnt-cfgd[131060]: inactive May 14 09:51:31.602803 osdx INFO[131070]: FRR daemons did not change May 14 09:51:31.617240 osdx ca-certificates[131086]: Updating certificates in /etc/ssl/certs... May 14 09:51:32.129806 osdx ca-certificates[132089]: 1 added, 0 removed; done. May 14 09:51:32.132661 osdx ca-certificates[132096]: Running hooks in /etc/ca-certificates/update.d... May 14 09:51:32.135562 osdx ca-certificates[132098]: done. May 14 09:51:32.320141 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. May 14 09:51:32.321358 osdx cfgd[1681]: [2678]Completed change to active configuration May 14 09:51:32.334859 osdx OSDxCLI[2678]: User 'admin' committed the configuration. May 14 09:51:32.347472 osdx dnscrypt-proxy[132208]: dnscrypt-proxy 2.0.45 May 14 09:51:32.347539 osdx dnscrypt-proxy[132208]: Network connectivity detected May 14 09:51:32.347755 osdx dnscrypt-proxy[132208]: Dropping privileges May 14 09:51:32.350165 osdx dnscrypt-proxy[132208]: Network connectivity detected May 14 09:51:32.350202 osdx dnscrypt-proxy[132208]: Now listening to 127.0.0.1:53 [UDP] May 14 09:51:32.350208 osdx dnscrypt-proxy[132208]: Now listening to 127.0.0.1:53 [TCP] May 14 09:51:32.350239 osdx dnscrypt-proxy[132208]: Firefox workaround initialized May 14 09:51:32.350244 osdx dnscrypt-proxy[132208]: Loading the set of cloaking rules from [/tmp/tmp0stodph9] May 14 09:51:32.351186 osdx dnscrypt-proxy[132208]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file May 14 09:51:32.353452 osdx OSDxCLI[2678]: User 'admin' left the configuration menu. 
May 14 09:51:32.498950 osdx dnscrypt-proxy[132208]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392 May 14 09:51:32.498966 osdx dnscrypt-proxy[132208]: [RD] OK (DoH) - rtt: 124ms May 14 09:51:32.498973 osdx dnscrypt-proxy[132208]: Server with the lowest initial latency: RD (rtt: 124ms) May 14 09:51:32.498978 osdx dnscrypt-proxy[132208]: dnscrypt-proxy is ready - live servers: 1
Invalid Cipher With Fallback
Description
Configures an invalid cipher and a valid fallback one. It then tries to communicate with the server. No refusal of the cipher is expected, as long as the valid one proposed is used.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
May 14 09:51:39.358209 osdx systemd-journald[1884]: Runtime Journal (/run/log/journal/0288f6065d6743618e90e784ba8b9df5) is 2.0M, max 15.3M, 13.3M free. May 14 09:51:39.359914 osdx systemd-journald[1884]: Received client request to rotate journal, rotating. May 14 09:51:39.359961 osdx systemd-journald[1884]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0288f6065d6743618e90e784ba8b9df5. May 14 09:51:39.367861 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal clear'. May 14 09:51:39.691447 osdx osdx-coredump[133893]: Deleting all coredumps in /opt/vyatta/etc/config/coredump... May 14 09:51:39.700639 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system coredump delete all'. May 14 09:51:40.166587 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu. May 14 09:51:40.251577 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 14 09:51:40.341587 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 14 09:51:40.415070 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'. May 14 09:51:40.523137 osdx ubnt-cfgd[133911]: inactive May 14 09:51:40.544163 osdx INFO[133919]: FRR daemons did not change May 14 09:51:40.643511 osdx cfgd[1681]: [2678]Completed change to active configuration May 14 09:51:40.655368 osdx OSDxCLI[2678]: User 'admin' committed the configuration. May 14 09:51:40.673073 osdx OSDxCLI[2678]: User 'admin' left the configuration menu. May 14 09:51:40.821066 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. May 14 09:51:41.052893 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu. May 14 09:51:41.132745 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'. 
May 14 09:51:41.242844 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'. May 14 09:51:41.308622 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'. May 14 09:51:41.413500 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'. May 14 09:51:41.526081 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'. May 14 09:51:41.584137 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'. May 14 09:51:41.707035 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'. May 14 09:51:41.761549 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'. May 14 09:51:41.874548 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'. May 14 09:51:41.928528 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'. May 14 09:51:42.043050 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'. May 14 09:51:42.114932 osdx ubnt-cfgd[134083]: inactive May 14 09:51:42.141131 osdx INFO[134091]: FRR daemons did not change May 14 09:51:42.155883 osdx ca-certificates[134107]: Updating certificates in /etc/ssl/certs... May 14 09:51:42.683469 osdx ca-certificates[135111]: 1 added, 0 removed; done. May 14 09:51:42.686573 osdx ca-certificates[135117]: Running hooks in /etc/ca-certificates/update.d... May 14 09:51:42.689404 osdx ca-certificates[135119]: done. May 14 09:51:42.764365 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy. 
May 14 09:51:42.765984 osdx cfgd[1681]: [2678]Completed change to active configuration May 14 09:51:42.770033 osdx OSDxCLI[2678]: User 'admin' committed the configuration. May 14 09:51:42.793582 osdx OSDxCLI[2678]: User 'admin' left the configuration menu. May 14 09:51:42.793898 osdx dnscrypt-proxy[135123]: dnscrypt-proxy 2.0.45 May 14 09:51:42.793962 osdx dnscrypt-proxy[135123]: Network connectivity detected May 14 09:51:42.794171 osdx dnscrypt-proxy[135123]: Dropping privileges May 14 09:51:42.796730 osdx dnscrypt-proxy[135123]: Network connectivity detected May 14 09:51:42.796759 osdx dnscrypt-proxy[135123]: Now listening to 127.0.0.1:53 [UDP] May 14 09:51:42.796763 osdx dnscrypt-proxy[135123]: Now listening to 127.0.0.1:53 [TCP] May 14 09:51:42.796784 osdx dnscrypt-proxy[135123]: Firefox workaround initialized May 14 09:51:42.796788 osdx dnscrypt-proxy[135123]: Loading the set of cloaking rules from [/tmp/tmpfi9huwvc] May 14 09:51:42.952136 osdx dnscrypt-proxy[135123]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199 May 14 09:51:42.952158 osdx dnscrypt-proxy[135123]: [RD] OK (DoH) - rtt: 131ms May 14 09:51:42.952168 osdx dnscrypt-proxy[135123]: Server with the lowest initial latency: RD (rtt: 131ms) May 14 09:51:42.952173 osdx dnscrypt-proxy[135123]: dnscrypt-proxy is ready - live servers: 1 May 14 09:51:47.955208 osdx OSDxCLI[2678]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'. May 14 09:51:50.054775 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
Example 2
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16
Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
Output:
May 14 09:51:50.287553 osdx systemd-journald[1884]: Runtime Journal (/run/log/journal/0288f6065d6743618e90e784ba8b9df5) is 2.0M, max 15.3M, 13.3M free.
May 14 09:51:50.288004 osdx systemd-journald[1884]: Received client request to rotate journal, rotating.
May 14 09:51:50.288050 osdx systemd-journald[1884]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0288f6065d6743618e90e784ba8b9df5.
May 14 09:51:50.296953 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal clear'.
May 14 09:51:50.612748 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu.
May 14 09:51:50.669819 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'delete '.
May 14 09:51:50.787811 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
May 14 09:51:50.849629 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'.
May 14 09:51:50.956058 osdx ubnt-cfgd[135177]: inactive
May 14 09:51:50.978869 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
May 14 09:51:50.978898 osdx dnscrypt-proxy[135123]: Stopped.
May 14 09:51:50.979977 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
May 14 09:51:50.980084 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
May 14 09:51:51.056664 osdx ca-certificates[135262]: Clearing symlinks in /etc/ssl/certs...
May 14 09:51:51.319873 osdx ca-certificates[135833]: done.
May 14 09:51:51.323378 osdx ca-certificates[135842]: Updating certificates in /etc/ssl/certs...
May 14 09:51:51.749125 osdx ca-certificates[136693]: 140 added, 0 removed; done.
May 14 09:51:51.751961 osdx ca-certificates[136699]: Running hooks in /etc/ca-certificates/update.d...
May 14 09:51:51.754777 osdx ca-certificates[136701]: done.
May 14 09:51:51.768973 osdx INFO[136704]: FRR daemons did not change
May 14 09:51:51.769272 osdx cfgd[1681]: [2678]Completed change to active configuration
May 14 09:51:51.771842 osdx OSDxCLI[2678]: User 'admin' committed the configuration.
May 14 09:51:51.789619 osdx OSDxCLI[2678]: User 'admin' left the configuration menu.
May 14 09:51:53.127261 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu.
May 14 09:51:53.195556 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 14 09:51:53.296792 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 14 09:51:53.379953 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 14 09:51:53.478368 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 14 09:51:53.572381 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'.
May 14 09:51:53.690479 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
May 14 09:51:53.762319 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
May 14 09:51:53.857358 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 14 09:51:53.983241 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 14 09:51:54.038982 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 14 09:51:54.181774 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'.
May 14 09:51:54.252914 osdx ubnt-cfgd[136741]: inactive
May 14 09:51:54.277717 osdx INFO[136751]: FRR daemons did not change
May 14 09:51:54.293183 osdx ca-certificates[136767]: Updating certificates in /etc/ssl/certs...
May 14 09:51:54.848798 osdx ca-certificates[137770]: 1 added, 0 removed; done.
May 14 09:51:54.852787 osdx ca-certificates[137777]: Running hooks in /etc/ca-certificates/update.d...
May 14 09:51:54.855760 osdx ca-certificates[137779]: done.
May 14 09:51:55.024271 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 14 09:51:55.025362 osdx cfgd[1681]: [2678]Completed change to active configuration
May 14 09:51:55.039391 osdx OSDxCLI[2678]: User 'admin' committed the configuration.
May 14 09:51:55.048736 osdx dnscrypt-proxy[137889]: dnscrypt-proxy 2.0.45
May 14 09:51:55.048814 osdx dnscrypt-proxy[137889]: Network connectivity detected
May 14 09:51:55.049045 osdx dnscrypt-proxy[137889]: Dropping privileges
May 14 09:51:55.052160 osdx dnscrypt-proxy[137889]: Network connectivity detected
May 14 09:51:55.052436 osdx dnscrypt-proxy[137889]: Now listening to 127.0.0.1:53 [UDP]
May 14 09:51:55.052487 osdx dnscrypt-proxy[137889]: Now listening to 127.0.0.1:53 [TCP]
May 14 09:51:55.052562 osdx dnscrypt-proxy[137889]: Firefox workaround initialized
May 14 09:51:55.052611 osdx dnscrypt-proxy[137889]: Loading the set of cloaking rules from [/tmp/tmppjtjm920]
May 14 09:51:55.071108 osdx OSDxCLI[2678]: User 'admin' left the configuration menu.
May 14 09:51:55.486836 osdx dnscrypt-proxy[137889]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
May 14 09:51:55.486852 osdx dnscrypt-proxy[137889]: [RD] OK (DoH) - rtt: 400ms
May 14 09:51:55.486863 osdx dnscrypt-proxy[137889]: Server with the lowest initial latency: RD (rtt: 400ms)
May 14 09:51:55.486868 osdx dnscrypt-proxy[137889]: dnscrypt-proxy is ready - live servers: 1
May 14 09:52:00.222020 osdx OSDxCLI[2678]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
May 14 09:52:02.306196 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 3
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command 'show host lookup teldat.com type A' at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command 'system journal show | cat' at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Output:
May 14 09:52:02.546111 osdx systemd-journald[1884]: Runtime Journal (/run/log/journal/0288f6065d6743618e90e784ba8b9df5) is 2.0M, max 15.3M, 13.3M free.
May 14 09:52:02.547905 osdx systemd-journald[1884]: Received client request to rotate journal, rotating.
May 14 09:52:02.547970 osdx systemd-journald[1884]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0288f6065d6743618e90e784ba8b9df5.
May 14 09:52:02.556118 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal clear'.
May 14 09:52:02.827784 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu.
May 14 09:52:02.920550 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'delete '.
May 14 09:52:03.037519 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
May 14 09:52:03.098601 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'.
May 14 09:52:03.220244 osdx ubnt-cfgd[137964]: inactive
May 14 09:52:03.242506 osdx dnscrypt-proxy[137889]: Stopped.
May 14 09:52:03.242584 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
May 14 09:52:03.243636 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
May 14 09:52:03.243763 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
May 14 09:52:03.329170 osdx ca-certificates[138051]: Clearing symlinks in /etc/ssl/certs...
May 14 09:52:03.601310 osdx ca-certificates[138621]: done.
May 14 09:52:03.604467 osdx ca-certificates[138630]: Updating certificates in /etc/ssl/certs...
May 14 09:52:04.034828 osdx ca-certificates[139481]: 140 added, 0 removed; done.
May 14 09:52:04.037716 osdx ca-certificates[139487]: Running hooks in /etc/ca-certificates/update.d...
May 14 09:52:04.040543 osdx ca-certificates[139489]: done.
May 14 09:52:04.057167 osdx INFO[139492]: FRR daemons did not change
May 14 09:52:04.057679 osdx cfgd[1681]: [2678]Completed change to active configuration
May 14 09:52:04.073745 osdx OSDxCLI[2678]: User 'admin' committed the configuration.
May 14 09:52:04.091620 osdx OSDxCLI[2678]: User 'admin' left the configuration menu.
May 14 09:52:05.427023 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu.
May 14 09:52:05.486730 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 14 09:52:05.587102 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 14 09:52:05.650691 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 14 09:52:05.750858 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 14 09:52:05.853763 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'.
May 14 09:52:05.911510 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
May 14 09:52:06.013825 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
May 14 09:52:06.070018 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 14 09:52:06.182988 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 14 09:52:06.240112 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 14 09:52:06.361753 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'.
May 14 09:52:06.433421 osdx ubnt-cfgd[139529]: inactive
May 14 09:52:06.457968 osdx INFO[139539]: FRR daemons did not change
May 14 09:52:06.473903 osdx ca-certificates[139555]: Updating certificates in /etc/ssl/certs...
May 14 09:52:06.989630 osdx ca-certificates[140559]: 1 added, 0 removed; done.
May 14 09:52:06.993489 osdx ca-certificates[140565]: Running hooks in /etc/ca-certificates/update.d...
May 14 09:52:06.996351 osdx ca-certificates[140567]: done.
May 14 09:52:07.168194 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 14 09:52:07.169376 osdx cfgd[1681]: [2678]Completed change to active configuration
May 14 09:52:07.180442 osdx OSDxCLI[2678]: User 'admin' committed the configuration.
May 14 09:52:07.189811 osdx dnscrypt-proxy[140677]: dnscrypt-proxy 2.0.45
May 14 09:52:07.189884 osdx dnscrypt-proxy[140677]: Network connectivity detected
May 14 09:52:07.190107 osdx dnscrypt-proxy[140677]: Dropping privileges
May 14 09:52:07.192103 osdx dnscrypt-proxy[140677]: Network connectivity detected
May 14 09:52:07.192131 osdx dnscrypt-proxy[140677]: Now listening to 127.0.0.1:53 [UDP]
May 14 09:52:07.192135 osdx dnscrypt-proxy[140677]: Now listening to 127.0.0.1:53 [TCP]
May 14 09:52:07.192156 osdx dnscrypt-proxy[140677]: Firefox workaround initialized
May 14 09:52:07.192159 osdx dnscrypt-proxy[140677]: Loading the set of cloaking rules from [/tmp/tmpc6eshgby]
May 14 09:52:07.212788 osdx OSDxCLI[2678]: User 'admin' left the configuration menu.
May 14 09:52:07.348420 osdx dnscrypt-proxy[140677]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
May 14 09:52:07.348438 osdx dnscrypt-proxy[140677]: [RD] OK (DoH) - rtt: 132ms
May 14 09:52:07.348446 osdx dnscrypt-proxy[140677]: Server with the lowest initial latency: RD (rtt: 132ms)
May 14 09:52:07.348451 osdx dnscrypt-proxy[140677]: dnscrypt-proxy is ready - live servers: 1
May 14 09:52:07.367399 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 4
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command 'show host lookup teldat.com type A' at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command 'system journal show | cat' at DUT0 and check if output contains the following tokens:
Cipher suite: 49199
Output:
May 14 09:52:07.572309 osdx systemd-journald[1884]: Runtime Journal (/run/log/journal/0288f6065d6743618e90e784ba8b9df5) is 2.0M, max 15.3M, 13.3M free.
May 14 09:52:07.575902 osdx systemd-journald[1884]: Received client request to rotate journal, rotating.
May 14 09:52:07.575953 osdx systemd-journald[1884]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0288f6065d6743618e90e784ba8b9df5.
May 14 09:52:07.582834 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal clear'.
May 14 09:52:07.833263 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu.
May 14 09:52:07.891631 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'delete '.
May 14 09:52:07.990622 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
May 14 09:52:08.050804 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'.
May 14 09:52:08.151680 osdx ubnt-cfgd[140748]: inactive
May 14 09:52:08.173275 osdx dnscrypt-proxy[140677]: Stopped.
May 14 09:52:08.173292 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
May 14 09:52:08.174007 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
May 14 09:52:08.174102 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
May 14 09:52:08.245850 osdx ca-certificates[140834]: Clearing symlinks in /etc/ssl/certs...
May 14 09:52:08.511218 osdx ca-certificates[141404]: done.
May 14 09:52:08.515507 osdx ca-certificates[141412]: Updating certificates in /etc/ssl/certs...
May 14 09:52:08.931444 osdx ca-certificates[142263]: 140 added, 0 removed; done.
May 14 09:52:08.934315 osdx ca-certificates[142270]: Running hooks in /etc/ca-certificates/update.d...
May 14 09:52:08.937263 osdx ca-certificates[142272]: done.
May 14 09:52:08.953802 osdx INFO[142275]: FRR daemons did not change
May 14 09:52:08.954261 osdx cfgd[1681]: [2678]Completed change to active configuration
May 14 09:52:08.956660 osdx OSDxCLI[2678]: User 'admin' committed the configuration.
May 14 09:52:08.983669 osdx OSDxCLI[2678]: User 'admin' left the configuration menu.
May 14 09:52:09.030260 osdx systemd[1]: systemd-timedated.service: Deactivated successfully.
May 14 09:52:10.270561 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu.
May 14 09:52:10.332872 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 14 09:52:10.435819 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 14 09:52:10.512159 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 14 09:52:10.605078 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 14 09:52:10.680597 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'.
May 14 09:52:10.764729 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
May 14 09:52:10.864165 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
May 14 09:52:10.938348 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 14 09:52:11.059247 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 14 09:52:11.115186 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 14 09:52:11.262131 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'.
May 14 09:52:11.339854 osdx ubnt-cfgd[142314]: inactive
May 14 09:52:11.368200 osdx INFO[142324]: FRR daemons did not change
May 14 09:52:11.383342 osdx ca-certificates[142340]: Updating certificates in /etc/ssl/certs...
May 14 09:52:11.911022 osdx ca-certificates[143344]: 1 added, 0 removed; done.
May 14 09:52:11.914656 osdx ca-certificates[143350]: Running hooks in /etc/ca-certificates/update.d...
May 14 09:52:11.917490 osdx ca-certificates[143352]: done.
May 14 09:52:12.076251 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 14 09:52:12.077502 osdx cfgd[1681]: [2678]Completed change to active configuration
May 14 09:52:12.091863 osdx OSDxCLI[2678]: User 'admin' committed the configuration.
May 14 09:52:12.098206 osdx dnscrypt-proxy[143462]: dnscrypt-proxy 2.0.45
May 14 09:52:12.098261 osdx dnscrypt-proxy[143462]: Network connectivity detected
May 14 09:52:12.098454 osdx dnscrypt-proxy[143462]: Dropping privileges
May 14 09:52:12.100475 osdx dnscrypt-proxy[143462]: Network connectivity detected
May 14 09:52:12.100502 osdx dnscrypt-proxy[143462]: Now listening to 127.0.0.1:53 [UDP]
May 14 09:52:12.100507 osdx dnscrypt-proxy[143462]: Now listening to 127.0.0.1:53 [TCP]
May 14 09:52:12.100528 osdx dnscrypt-proxy[143462]: Firefox workaround initialized
May 14 09:52:12.100533 osdx dnscrypt-proxy[143462]: Loading the set of cloaking rules from [/tmp/tmp5y0i217b]
May 14 09:52:12.110222 osdx OSDxCLI[2678]: User 'admin' left the configuration menu.
May 14 09:52:12.240851 osdx dnscrypt-proxy[143462]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
May 14 09:52:12.240864 osdx dnscrypt-proxy[143462]: [RD] OK (DoH) - rtt: 114ms
May 14 09:52:12.240872 osdx dnscrypt-proxy[143462]: Server with the lowest initial latency: RD (rtt: 114ms)
May 14 09:52:12.240876 osdx dnscrypt-proxy[143462]: dnscrypt-proxy is ready - live servers: 1
May 14 09:52:12.285173 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 5
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command 'show host lookup teldat.com type A' at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command 'system journal show | cat' at DUT0 and check if output contains the following tokens:
Cipher suite: 49200
Output:
May 14 09:52:12.497859 osdx systemd-journald[1884]: Runtime Journal (/run/log/journal/0288f6065d6743618e90e784ba8b9df5) is 2.0M, max 15.3M, 13.3M free.
May 14 09:52:12.499911 osdx systemd-journald[1884]: Received client request to rotate journal, rotating.
May 14 09:52:12.499977 osdx systemd-journald[1884]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0288f6065d6743618e90e784ba8b9df5.
May 14 09:52:12.509532 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal clear'.
May 14 09:52:12.771337 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu.
May 14 09:52:12.876079 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'delete '.
May 14 09:52:12.964401 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
May 14 09:52:13.068916 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'.
May 14 09:52:13.136956 osdx ubnt-cfgd[143531]: inactive
May 14 09:52:13.157066 osdx dnscrypt-proxy[143462]: Stopped.
May 14 09:52:13.157095 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
May 14 09:52:13.158280 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
May 14 09:52:13.158403 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
May 14 09:52:13.239779 osdx ca-certificates[143617]: Clearing symlinks in /etc/ssl/certs...
May 14 09:52:13.530740 osdx ca-certificates[144186]: done.
May 14 09:52:13.534587 osdx ca-certificates[144195]: Updating certificates in /etc/ssl/certs...
May 14 09:52:13.991395 osdx ca-certificates[145047]: 140 added, 0 removed; done.
May 14 09:52:13.994261 osdx ca-certificates[145053]: Running hooks in /etc/ca-certificates/update.d...
May 14 09:52:13.997152 osdx ca-certificates[145055]: done.
May 14 09:52:14.012978 osdx INFO[145058]: FRR daemons did not change
May 14 09:52:14.013368 osdx cfgd[1681]: [2678]Completed change to active configuration
May 14 09:52:14.015973 osdx OSDxCLI[2678]: User 'admin' committed the configuration.
May 14 09:52:14.034009 osdx OSDxCLI[2678]: User 'admin' left the configuration menu.
May 14 09:52:15.359627 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu.
May 14 09:52:15.420236 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 14 09:52:15.522732 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 14 09:52:15.589545 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 14 09:52:15.694708 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 14 09:52:15.797939 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'.
May 14 09:52:15.854389 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
May 14 09:52:15.955885 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
May 14 09:52:16.013561 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 14 09:52:16.121533 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 14 09:52:16.175783 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 14 09:52:16.283246 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'.
May 14 09:52:16.351033 osdx ubnt-cfgd[145095]: inactive
May 14 09:52:16.373385 osdx INFO[145105]: FRR daemons did not change
May 14 09:52:16.389127 osdx ca-certificates[145121]: Updating certificates in /etc/ssl/certs...
May 14 09:52:16.926412 osdx ca-certificates[146125]: 1 added, 0 removed; done.
May 14 09:52:16.929191 osdx ca-certificates[146131]: Running hooks in /etc/ca-certificates/update.d...
May 14 09:52:16.932075 osdx ca-certificates[146133]: done.
May 14 09:52:17.104157 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 14 09:52:17.105401 osdx cfgd[1681]: [2678]Completed change to active configuration
May 14 09:52:17.127715 osdx OSDxCLI[2678]: User 'admin' committed the configuration.
May 14 09:52:17.142855 osdx dnscrypt-proxy[146243]: dnscrypt-proxy 2.0.45
May 14 09:52:17.142939 osdx dnscrypt-proxy[146243]: Network connectivity detected
May 14 09:52:17.143198 osdx dnscrypt-proxy[146243]: Dropping privileges
May 14 09:52:17.146063 osdx dnscrypt-proxy[146243]: Network connectivity detected
May 14 09:52:17.146088 osdx dnscrypt-proxy[146243]: Now listening to 127.0.0.1:53 [UDP]
May 14 09:52:17.146092 osdx dnscrypt-proxy[146243]: Now listening to 127.0.0.1:53 [TCP]
May 14 09:52:17.146114 osdx dnscrypt-proxy[146243]: Firefox workaround initialized
May 14 09:52:17.146118 osdx dnscrypt-proxy[146243]: Loading the set of cloaking rules from [/tmp/tmpdkrcla24]
May 14 09:52:17.152177 osdx OSDxCLI[2678]: User 'admin' left the configuration menu.
May 14 09:52:17.308788 osdx dnscrypt-proxy[146243]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
May 14 09:52:17.308807 osdx dnscrypt-proxy[146243]: [RD] OK (DoH) - rtt: 133ms
May 14 09:52:17.308815 osdx dnscrypt-proxy[146243]: Server with the lowest initial latency: RD (rtt: 133ms)
May 14 09:52:17.308820 osdx dnscrypt-proxy[146243]: dnscrypt-proxy is ready - live servers: 1
May 14 09:52:22.311402 osdx OSDxCLI[2678]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
May 14 09:52:24.447367 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 6
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command 'show host lookup teldat.com type A' at DUT0 and check if output contains the following tokens:
teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command 'system journal show | cat' at DUT0 and check if output contains the following tokens:
Cipher suite: 52392
Output:
May 14 09:52:24.665990 osdx systemd-journald[1884]: Runtime Journal (/run/log/journal/0288f6065d6743618e90e784ba8b9df5) is 2.0M, max 15.3M, 13.3M free.
May 14 09:52:24.667903 osdx systemd-journald[1884]: Received client request to rotate journal, rotating.
May 14 09:52:24.667962 osdx systemd-journald[1884]: Vacuuming done, freed 0B of archived journals from /run/log/journal/0288f6065d6743618e90e784ba8b9df5.
May 14 09:52:24.678102 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'system journal clear'.
May 14 09:52:24.971184 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu.
May 14 09:52:25.030657 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'delete '.
May 14 09:52:25.143117 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
May 14 09:52:25.204324 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'.
May 14 09:52:25.305379 osdx ubnt-cfgd[146317]: inactive
May 14 09:52:25.325029 osdx dnscrypt-proxy[146243]: Stopped.
May 14 09:52:25.325105 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
May 14 09:52:25.326320 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
May 14 09:52:25.326450 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
May 14 09:52:25.412622 osdx ca-certificates[146403]: Clearing symlinks in /etc/ssl/certs...
May 14 09:52:25.676109 osdx ca-certificates[146973]: done.
May 14 09:52:25.679591 osdx ca-certificates[146982]: Updating certificates in /etc/ssl/certs...
May 14 09:52:26.148443 osdx ca-certificates[147832]: 140 added, 0 removed; done.
May 14 09:52:26.151305 osdx ca-certificates[147839]: Running hooks in /etc/ca-certificates/update.d...
May 14 09:52:26.156237 osdx ca-certificates[147841]: done.
May 14 09:52:26.173981 osdx INFO[147844]: FRR daemons did not change
May 14 09:52:26.174511 osdx cfgd[1681]: [2678]Completed change to active configuration
May 14 09:52:26.177047 osdx OSDxCLI[2678]: User 'admin' committed the configuration.
May 14 09:52:26.198270 osdx OSDxCLI[2678]: User 'admin' left the configuration menu.
May 14 09:52:27.581324 osdx OSDxCLI[2678]: User 'admin' entered the configuration menu.
May 14 09:52:27.645270 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 14 09:52:27.741932 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
May 14 09:52:27.806419 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
May 14 09:52:27.901014 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
May 14 09:52:28.001010 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 2bf8e614357d7ffe91a319d2d25e8046a64f2d349a757e66b5e8c8ccea2231f5'.
May 14 09:52:28.056326 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
May 14 09:52:28.158339 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
May 14 09:52:28.211941 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 14 09:52:28.352406 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 14 09:52:28.419739 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 14 09:52:28.554129 osdx OSDxCLI[2678]: User 'admin' added a new cfg line: 'show working'.
May 14 09:52:28.656224 osdx ubnt-cfgd[147881]: inactive
May 14 09:52:28.682996 osdx INFO[147891]: FRR daemons did not change
May 14 09:52:28.697264 osdx ca-certificates[147907]: Updating certificates in /etc/ssl/certs...
May 14 09:52:29.215450 osdx ca-certificates[148911]: 1 added, 0 removed; done.
May 14 09:52:29.219027 osdx ca-certificates[148917]: Running hooks in /etc/ca-certificates/update.d...
May 14 09:52:29.221749 osdx ca-certificates[148919]: done.
May 14 09:52:29.392296 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 14 09:52:29.393612 osdx cfgd[1681]: [2678]Completed change to active configuration
May 14 09:52:29.408420 osdx OSDxCLI[2678]: User 'admin' committed the configuration.
May 14 09:52:29.414866 osdx dnscrypt-proxy[149029]: dnscrypt-proxy 2.0.45
May 14 09:52:29.414967 osdx dnscrypt-proxy[149029]: Network connectivity detected
May 14 09:52:29.415182 osdx dnscrypt-proxy[149029]: Dropping privileges
May 14 09:52:29.417771 osdx dnscrypt-proxy[149029]: Network connectivity detected
May 14 09:52:29.417968 osdx dnscrypt-proxy[149029]: Now listening to 127.0.0.1:53 [UDP]
May 14 09:52:29.418007 osdx dnscrypt-proxy[149029]: Now listening to 127.0.0.1:53 [TCP]
May 14 09:52:29.418053 osdx dnscrypt-proxy[149029]: Firefox workaround initialized
May 14 09:52:29.418080 osdx dnscrypt-proxy[149029]: Loading the set of cloaking rules from [/tmp/tmpql96fyc4]
May 14 09:52:29.432441 osdx OSDxCLI[2678]: User 'admin' left the configuration menu.
May 14 09:52:29.580123 osdx dnscrypt-proxy[149029]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
May 14 09:52:29.580136 osdx dnscrypt-proxy[149029]: [RD] OK (DoH) - rtt: 136ms
May 14 09:52:29.580144 osdx dnscrypt-proxy[149029]: Server with the lowest initial latency: RD (rtt: 136ms)
May 14 09:52:29.580148 osdx dnscrypt-proxy[149029]: dnscrypt-proxy is ready - live servers: 1
May 14 09:52:34.593842 osdx OSDxCLI[2678]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
May 14 09:52:36.711428 osdx OSDxCLI[2678]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
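
Step 3 of each example matches a decimal cipher-suite id in the dnscrypt-proxy journal line against the algorithm that was configured by name. The following added example (not part of the original test suite or the vendor's code) decodes that id to its IANA name and reports a negotiated suite that is outside the configured list or is a legacy RC4/3DES suite. The sample configuration and journal lines are constructed, and reading "TLS version: 303" as hexadecimal 0x0303 (TLS 1.2) is an assumption.

```python
"""Compare the TLS suite dnscrypt-proxy negotiated with the configured cipher list."""
import re

# IANA code points for the five algorithm names that appear on this page.
IANA_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",         # 49199
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",         # 49200
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",   # 52392
}
LEGACY_MARKERS = ("_RC4_", "_3DES_")  # the suites these tests configure as 'cipher 1'

CIPHER_CFG_RE = re.compile(r"set service dns proxy cipher (\d+) algorithm ([A-Z0-9_]+)")
HANDSHAKE_RE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[(?P<server>[^\]]+)\] TLS version: (?P<ver>[0-9a-fA-F]+)"
    r" - Protocol: (?P<proto>\S+) - Cipher suite: (?P<suite>\d+)"
)


def is_legacy(name):
    """True for RC4 and 3DES suite names."""
    return any(marker in name for marker in LEGACY_MARKERS)


def configured_ciphers(config_text):
    """Return the configured algorithm names ordered by their 'cipher N' index."""
    found = {int(idx): name for idx, name in CIPHER_CFG_RE.findall(config_text)}
    return [found[idx] for idx in sorted(found)]


def handshakes(journal_text):
    """Yield one record per dnscrypt-proxy handshake line found in the journal."""
    for m in HANDSHAKE_RE.finditer(journal_text):
        suite_id = int(m["suite"])  # logged in decimal, e.g. 52392
        yield {
            "server": m["server"],
            "tls_version": int(m["ver"], 16),  # assumption: hex, 303 -> 0x0303
            "protocol": m["proto"],
            "suite_id": suite_id,
            "suite": IANA_SUITES.get(suite_id, "unknown(0x%04X)" % suite_id),
        }


def audit(config_text, journal_text):
    """Check every logged handshake against the configured cipher list."""
    allowed = configured_ciphers(config_text)
    results = []
    for hs in handshakes(journal_text):
        issues = []
        if hs["suite"] not in allowed:
            issues.append("negotiated suite is not in the configured list")
        if is_legacy(hs["suite"]):
            issues.append("legacy suite negotiated")
        if hs["tls_version"] < 0x0303:
            issues.append("TLS version below 1.2")
        results.append({**hs, "issues": issues})
    return {
        "configured": allowed,
        "legacy_configured": [c for c in allowed if is_legacy(c)],
        "handshakes": results,
    }


# Constructed sample input in the shape of Example 6; the second handshake line
# is a constructed failure case in which the 3DES suite is the one negotiated.
SAMPLE_CONFIG = """\
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
"""
SAMPLE_JOURNAL = """\
Jan 01 00:00:01.000000 host dnscrypt-proxy[1000]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Jan 01 00:00:01.000010 host dnscrypt-proxy[1000]: [RD] OK (DoH) - rtt: 100ms
Jan 01 00:00:09.000000 host dnscrypt-proxy[1001]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 10
"""

if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG, SAMPLE_JOURNAL)
    print("configured:", report["configured"])
    print("legacy entries in config:", report["legacy_configured"])
    for hs in report["handshakes"]:
        print(hs["server"], hs["suite_id"], hs["suite"], hs["issues"] or "ok")
```
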