[thirdparty/pdns.git] / pdns / dnsdistdist / dnsdistconf.lua

-- == Generic Configuration ==

-- only accept queries (Do53, DNSCrypt,  DoT or DoH) from a few subnets
-- see https://dnsdist.org/advanced/acl.html for more details
-- please be careful when dnsdist is deployed in front of a server
-- server granting access based on the source IP, as all queries will
-- seem to originate from dnsdist, which might be especially relevant for
-- AXFR, IXFR, NOTIFY and UPDATE
-- https://dnsdist.org/advanced/axfr.html
-- setACL({'192.0.2.0/28', '2001:DB8:1::/56'})

-- listen for console connection with the given secret key
-- https://dnsdist.org/guides/console.html
-- controlSocket("127.0.0.1:5900")
-- setKey("please generate a fresh private key with makeKey()")

-- start the web server on port 8083, using password 'set a random password here'
-- https://dnsdist.org/guides/webserver.html
-- webserver("127.0.0.1:8083", "set a random password here")

-- send statistics to PowerDNS metronome server https://metronome1.powerdns.com/
-- https://dnsdist.org/guides/carbon.html
-- carbonServer("37.252.122.50", 'unique-name')

-- accept plain DNS (Do53) queries on UDP/5200 and TCP/5200
-- addLocal("127.0.0.1:5200")

-- accept DNSCrypt queries on UDP/8443 and TCP/8443
-- https://dnsdist.org/guides/dnscrypt.html
-- addDNSCryptBind("127.0.0.1:8443", "2.provider.name", "DNSCryptResolver.cert", "DNSCryptResolver.key")

-- accept DNS over TLS (DoT) queries on TCP/9443
-- https://dnsdist.org/guides/dns-over-tls.html
-- addTLSLocal("127.0.0.1:9443", {"server.crt"}, {"server.key"}, { provider="openssl" })

-- accept DNS over HTTPS (DoH) queries on TCP/443
-- https://dnsdist.org/guides/dns-over-https.html
-- addDOHLocal("127.0.0.1:443", {"server.crt"}, {"server.key"})

-- define downstream servers, aka backends
-- https://dnsdist.org/guides/downstreams.html
-- https://dnsdist.org/guides/serverpools.html
-- https://dnsdist.org/guides/serverselection.html
-- newServer("192.0.2.1")
-- newServer({address="192.0.2.1:5300", pool="abuse"})

-- == Tuning ==

-- Increase the in-memory rings size (the default, 10000, is only one second at 10k qps) used by
-- live-traffic inspection features like grepq, and use 100 shards to improve performance
-- setRingBuffersSize(1000000, 100)

-- increase the number of TCP workers, each one being capable of handling a large number
-- of TCP connections since 1.4.0
-- setMaxTCPClientThreads(20)

-- == Sample Actions ==

-- https://dnsdist.org/rules-actions.html

-- send the queries for selected domain suffixes to the servers
-- in the 'abuse' pool
-- addAction(SuffixMatchNodeRule({"abuse.example.org.", "xxx."}), PoolAction("abuse"))

-- drop queries for this exact qname
-- addAction(QNameRule("drop-me.example.org."), DropAction())

-- send the queries from a selected subnet to the
-- abuse pool
-- addAction(NetmaskGroupRule("192.0.2.0/24"), PoolAction("abuse"))

-- Refuse incoming AXFR, IXFR, NOTIFY and UPDATE
-- Add trusted sources (slaves, masters) explicitely in front of this rule
-- addAction(OrRule({OpcodeRule(DNSOpcode.Notify), OpcodeRule(DNSOpcode.Update), QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), RCodeAction(DNSRCode.REFUSED))

-- == Dynamic Blocks ==

-- define a dynamic block rules group object, set a few limits and apply it
-- see https://dnsdist.org/guides/dynblocks.html for more details

-- local dbr = dynBlockRulesGroup()
-- dbr:setQueryRate(30, 10, "Exceeded query rate", 60)
-- dbr:setRCodeRate(dnsdist.NXDOMAIN, 20, 10, "Exceeded NXD rate", 60)
-- dbr:setRCodeRate(dnsdist.SERVFAIL, 20, 10, "Exceeded ServFail rate", 60)
-- dbr:setQTypeRate(dnsdist.ANY, 5, 10, "Exceeded ANY rate", 60)
-- dbr:setResponseByteRate(10000, 10, "Exceeded resp BW rate", 60)
-- function maintenance()
--  dbr:apply()
-- end

-- == Logging ==

-- connect to a remote protobuf logger and export queries and responses
-- https://dnsdist.org/reference/protobuf.html
-- rl = newRemoteLogger('127.0.0.1:4242')
-- addAction(AllRule(), RemoteLogAction(rl))
-- addResponseAction(AllRule(), RemoteLogResponseAction(rl))

-- DNSTAP is also supported
-- https://dnsdist.org/reference/dnstap.html
-- fstr = newFrameStreamUnixLogger(/path/to/unix/socket)
-- or
-- fstr = newFrameStreamTcpLogger('192.0.2.1:4242')
-- addAction(AllRule(), DnstapLogAction(fstr))
-- addResponseAction(AllRule(), DnstapLogResponseAction(fstr))

-- == Caching ==

-- https://dnsdist.org/guides/cache.html
-- create a packet cache of at most 100k entries,
-- and apply it to the default pool
-- pc = newPacketCache(100000)
-- getPool(""):setCache(pc)
Commit	Line	Data
b20ae08d RG	1	-- == Generic Configuration ==
	2
	3	-- only accept queries (Do53, DNSCrypt, DoT or DoH) from a few subnets
	4	-- see https://dnsdist.org/advanced/acl.html for more details
	5	-- please be careful when dnsdist is deployed in front of a server
	6	-- server granting access based on the source IP, as all queries will
	7	-- seem to originate from dnsdist, which might be especially relevant for
	8	-- AXFR, IXFR, NOTIFY and UPDATE
	9	-- https://dnsdist.org/advanced/axfr.html
	10	-- setACL({'192.0.2.0/28', '2001:DB8:1::/56'})
	11
ff484825	12	-- listen for console connection with the given secret key
b20ae08d RG	13	-- https://dnsdist.org/guides/console.html
	14	-- controlSocket("127.0.0.1:5900")
	15	-- setKey("please generate a fresh private key with makeKey()")
ff484825	16
4b775242	17	-- start the web server on port 8083, using password 'set a random password here'
b20ae08d RG	18	-- https://dnsdist.org/guides/webserver.html
	19	-- webserver("127.0.0.1:8083", "set a random password here")
	20
	21	-- send statistics to PowerDNS metronome server https://metronome1.powerdns.com/
	22	-- https://dnsdist.org/guides/carbon.html
	23	-- carbonServer("37.252.122.50", 'unique-name')
	24
	25	-- accept plain DNS (Do53) queries on UDP/5200 and TCP/5200
	26	-- addLocal("127.0.0.1:5200")
	27
	28	-- accept DNSCrypt queries on UDP/8443 and TCP/8443
	29	-- https://dnsdist.org/guides/dnscrypt.html
	30	-- addDNSCryptBind("127.0.0.1:8443", "2.provider.name", "DNSCryptResolver.cert", "DNSCryptResolver.key")
	31
	32	-- accept DNS over TLS (DoT) queries on TCP/9443
	33	-- https://dnsdist.org/guides/dns-over-tls.html
	34	-- addTLSLocal("127.0.0.1:9443", {"server.crt"}, {"server.key"}, { provider="openssl" })
	35
	36	-- accept DNS over HTTPS (DoH) queries on TCP/443
	37	-- https://dnsdist.org/guides/dns-over-https.html
	38	-- addDOHLocal("127.0.0.1:443", {"server.crt"}, {"server.key"})
	39
	40	-- define downstream servers, aka backends
	41	-- https://dnsdist.org/guides/downstreams.html
	42	-- https://dnsdist.org/guides/serverpools.html
	43	-- https://dnsdist.org/guides/serverselection.html
	44	-- newServer("192.0.2.1")
	45	-- newServer({address="192.0.2.1:5300", pool="abuse"})
	46
	47	-- == Tuning ==
	48
	49	-- Increase the in-memory rings size (the default, 10000, is only one second at 10k qps) used by
	50	-- live-traffic inspection features like grepq, and use 100 shards to improve performance
	51	-- setRingBuffersSize(1000000, 100)
	52
	53	-- increase the number of TCP workers, each one being capable of handling a large number
	54	-- of TCP connections since 1.4.0
	55	-- setMaxTCPClientThreads(20)
	56
	57	-- == Sample Actions ==
	58
	59	-- https://dnsdist.org/rules-actions.html
	60
	61	-- send the queries for selected domain suffixes to the servers
ff484825	62	-- in the 'abuse' pool
f8fe584a	63	-- addAction(SuffixMatchNodeRule({"abuse.example.org.", "xxx."}), PoolAction("abuse"))
b20ae08d RG	64
b20ae08d RG	65	-- drop queries for this exact qname
bceed53e	66	-- addAction(QNameRule("drop-me.example.org."), DropAction())
ff484825 RG	67
	68	-- send the queries from a selected subnet to the
	69	-- abuse pool
f8fe584a	70	-- addAction(NetmaskGroupRule("192.0.2.0/24"), PoolAction("abuse"))
b20ae08d RG	71
	72	-- Refuse incoming AXFR, IXFR, NOTIFY and UPDATE
	73	-- Add trusted sources (slaves, masters) explicitely in front of this rule
	74	-- addAction(OrRule({OpcodeRule(DNSOpcode.Notify), OpcodeRule(DNSOpcode.Update), QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), RCodeAction(DNSRCode.REFUSED))
	75
	76	-- == Dynamic Blocks ==
	77
	78	-- define a dynamic block rules group object, set a few limits and apply it
	79	-- see https://dnsdist.org/guides/dynblocks.html for more details
	80
	81	-- local dbr = dynBlockRulesGroup()
	82	-- dbr:setQueryRate(30, 10, "Exceeded query rate", 60)
	83	-- dbr:setRCodeRate(dnsdist.NXDOMAIN, 20, 10, "Exceeded NXD rate", 60)
	84	-- dbr:setRCodeRate(dnsdist.SERVFAIL, 20, 10, "Exceeded ServFail rate", 60)
	85	-- dbr:setQTypeRate(dnsdist.ANY, 5, 10, "Exceeded ANY rate", 60)
	86	-- dbr:setResponseByteRate(10000, 10, "Exceeded resp BW rate", 60)
	87	-- function maintenance()
	88	-- dbr:apply()
	89	-- end
	90
	91	-- == Logging ==
	92
	93	-- connect to a remote protobuf logger and export queries and responses
	94	-- https://dnsdist.org/reference/protobuf.html
	95	-- rl = newRemoteLogger('127.0.0.1:4242')
	96	-- addAction(AllRule(), RemoteLogAction(rl))
	97	-- addResponseAction(AllRule(), RemoteLogResponseAction(rl))
	98
	99	-- DNSTAP is also supported
	100	-- https://dnsdist.org/reference/dnstap.html
	101	-- fstr = newFrameStreamUnixLogger(/path/to/unix/socket)
	102	-- or
	103	-- fstr = newFrameStreamTcpLogger('192.0.2.1:4242')
	104	-- addAction(AllRule(), DnstapLogAction(fstr))
	105	-- addResponseAction(AllRule(), DnstapLogResponseAction(fstr))
	106
	107	-- == Caching ==
	108
	109	-- https://dnsdist.org/guides/cache.html
	110	-- create a packet cache of at most 100k entries,
	111	-- and apply it to the default pool
	112	-- pc = newPacketCache(100000)
	113	-- getPool(""):setCache(pc)