1 | -- == Generic Configuration == |
2 | ||
3 | -- only accept queries (Do53, DNSCrypt, DoT or DoH) from a few subnets | |
4 | -- see https://dnsdist.org/advanced/acl.html for more details | |
5 | -- please be careful when dnsdist is deployed in front of a server | |
6 | -- granting access based on the source IP, as all queries will | |
7 | -- seem to originate from dnsdist, which might be especially relevant for | |
8 | -- AXFR, IXFR, NOTIFY and UPDATE | |
9 | -- https://dnsdist.org/advanced/axfr.html | |
10 | -- setACL({'192.0.2.0/28', '2001:DB8:1::/56'}) | |
11 | ||
ff484825 | 12 | -- listen for console connection with the given secret key |
13 | -- https://dnsdist.org/guides/console.html |
14 | -- controlSocket("127.0.0.1:5900") | |
15 | -- setKey("please generate a fresh private key with makeKey()") | |
 | -- the console runs Lua with full control over dnsdist; the key above both | |
 | -- encrypts and authenticates console traffic, so replace the placeholder with | |
 | -- real makeKey() output, keep the socket on loopback or a trusted network, and | |
 | -- treat the key like a root credential | |
ff484825 | 16 | |
4b775242 | 17 | -- start the web server on port 8083, using password 'set a random password here' |
18 | -- https://dnsdist.org/guides/webserver.html |
19 | -- webserver("127.0.0.1:8083", "set a random password here") | |
 | -- the built-in web server speaks plain HTTP, so the password (and API key, if any) | |
 | -- travels in clear text: keep it bound to loopback as above, or put a | |
 | -- TLS-terminating reverse proxy in front of it before exposing it further | |
20 | ||
21 | -- send statistics to PowerDNS metronome server https://metronome1.powerdns.com/ | |
22 | -- https://dnsdist.org/guides/carbon.html | |
23 | -- carbonServer("37.252.122.50", 'unique-name') | |
 | -- note: this ships your statistics unencrypted to a third-party host; only enable | |
 | -- it if you intend to share them, and pick a name that does not reveal internals | |
24 | ||
25 | -- accept plain DNS (Do53) queries on UDP/5200 and TCP/5200 | |
26 | -- addLocal("127.0.0.1:5200") | |
27 | ||
28 | -- accept DNSCrypt queries on UDP/8443 and TCP/8443 | |
29 | -- https://dnsdist.org/guides/dnscrypt.html | |
30 | -- addDNSCryptBind("127.0.0.1:8443", "2.provider.name", "DNSCryptResolver.cert", "DNSCryptResolver.key") | |
31 | ||
32 | -- accept DNS over TLS (DoT) queries on TCP/9443 | |
33 | -- https://dnsdist.org/guides/dns-over-tls.html | |
34 | -- addTLSLocal("127.0.0.1:9443", {"server.crt"}, {"server.key"}, { provider="openssl" }) | |
35 | ||
36 | -- accept DNS over HTTPS (DoH) queries on TCP/443 | |
37 | -- https://dnsdist.org/guides/dns-over-https.html | |
38 | -- addDOHLocal("127.0.0.1:443", {"server.crt"}, {"server.key"}) | |
39 | ||
40 | -- define downstream servers, aka backends | |
41 | -- https://dnsdist.org/guides/downstreams.html | |
42 | -- https://dnsdist.org/guides/serverpools.html | |
43 | -- https://dnsdist.org/guides/serverselection.html | |
44 | -- newServer("192.0.2.1") | |
45 | -- newServer({address="192.0.2.1:5300", pool="abuse"}) | |
46 | ||
47 | -- == Tuning == | |
48 | ||
49 | -- Increase the in-memory rings size (the default, 10000, is only one second at 10k qps) used by | |
50 | -- live-traffic inspection features like grepq, and use 100 shards to improve performance | |
51 | -- setRingBuffersSize(1000000, 100) | |
52 | ||
53 | -- increase the number of TCP workers, each one being capable of handling a large number | |
54 | -- of TCP connections since 1.4.0 | |
55 | -- setMaxTCPClientThreads(20) | |
56 | ||
57 | -- == Sample Actions == | |
58 | ||
59 | -- https://dnsdist.org/rules-actions.html | |
60 | ||
61 | -- send the queries for selected domain suffixes to the servers | |
ff484825 | 62 | -- in the 'abuse' pool |
f8fe584a | 63 | -- addAction(SuffixMatchNodeRule({"abuse.example.org.", "xxx."}), PoolAction("abuse")) |
64 | |
65 | -- drop queries for this exact qname | |
bceed53e | 66 | -- addAction(QNameRule("drop-me.example.org."), DropAction()) |
67 | |
68 | -- send the queries from a selected subnet to the | |
69 | -- abuse pool | |
f8fe584a | 70 | -- addAction(NetmaskGroupRule("192.0.2.0/24"), PoolAction("abuse")) |
71 | |
72 | -- Refuse incoming AXFR, IXFR, NOTIFY and UPDATE | |
73 | -- Rules are evaluated in the order they were added, so add rules allowing | |
 | -- trusted sources (secondaries, primaries) explicitly in front of this one | |
74 | -- addAction(OrRule({OpcodeRule(DNSOpcode.Notify), OpcodeRule(DNSOpcode.Update), QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), RCodeAction(DNSRCode.REFUSED)) | |
75 | ||
76 | -- == Dynamic Blocks == | |
77 | ||
78 | -- define a dynamic block rules group object, set a few limits and apply it | |
79 | -- see https://dnsdist.org/guides/dynblocks.html for more details | |
80 | ||
81 | -- local dbr = dynBlockRulesGroup() | |
82 | -- dbr:setQueryRate(30, 10, "Exceeded query rate", 60) | |
83 | -- dbr:setRCodeRate(DNSRCode.NXDOMAIN, 20, 10, "Exceeded NXD rate", 60) | |
84 | -- dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 10, "Exceeded ServFail rate", 60) | |
85 | -- dbr:setQTypeRate(DNSQType.ANY, 5, 10, "Exceeded ANY rate", 60) | |
86 | -- dbr:setResponseByteRate(10000, 10, "Exceeded resp BW rate", 60) | |
87 | -- function maintenance() | |
88 | -- dbr:apply() | |
89 | -- end | |
 | -- note: maintenance() is a single global hook called periodically by dnsdist; | |
 | -- defining it here replaces any earlier definition, so merge other periodic | |
 | -- work into this one function rather than defining it twice | |
90 | ||
91 | -- == Logging == | |
92 | ||
93 | -- connect to a remote protobuf logger and export queries and responses | |
94 | -- https://dnsdist.org/reference/protobuf.html | |
95 | -- rl = newRemoteLogger('127.0.0.1:4242') | |
96 | -- addAction(AllRule(), RemoteLogAction(rl)) | |
97 | -- addResponseAction(AllRule(), RemoteLogResponseAction(rl)) | |
 | -- the exported messages carry client addresses and query names in clear text, | |
 | -- so keep the logger on the local host or a trusted network, and narrow the | |
 | -- AllRule() selectors if you only need a subset of the traffic | |
98 | ||
99 | -- DNSTAP is also supported | |
100 | -- https://dnsdist.org/reference/dnstap.html | |
101 | -- fstr = newFrameStreamUnixLogger('/path/to/unix/socket') | |
102 | -- or | |
103 | -- fstr = newFrameStreamTcpLogger('192.0.2.1:4242') | |
104 | -- addAction(AllRule(), DnstapLogAction(fstr)) | |
105 | -- addResponseAction(AllRule(), DnstapLogResponseAction(fstr)) | |
106 | ||
107 | -- == Caching == | |
108 | ||
109 | -- https://dnsdist.org/guides/cache.html | |
110 | -- create a packet cache of at most 100k entries, | |
111 | -- and apply it to the default pool | |
112 | -- pc = newPacketCache(100000) | |
113 | -- getPool(""):setCache(pc) |