git.ipfire.org Git - thirdparty/pdns.git/blob - pdns/dnsdistdist/docs/advanced/acl.rst
dnsdist: Document that the ACL also filters DoT and DoH queries
.. _ACL:

Access Control
==============

dnsdist can be used to front traditional recursive nameservers; these usually come with a way to limit the network ranges that may query them, to avoid becoming an :term:`open resolver`.
To be a good internet citizen, dnsdist by default listens on the loopback address (``127.0.0.1:53``) and limits queries to the loopback, :rfc:`1918` and other local address ranges:

- ``127.0.0.0/8``
- ``10.0.0.0/8``
- ``100.64.0.0/10``
- ``169.254.0.0/16``
- ``192.168.0.0/16``
- ``172.16.0.0/12``
- ``::1/128``
- ``fc00::/7``
- ``fe80::/10``

The ACL applies to queries received over UDP, TCP, DNS over TLS and DNS over HTTPS.

Furthermore, dnsdist only listens for queries on the local loopback interface by default, so the ACL only becomes relevant once additional listen addresses are configured.

Listening on different addresses
--------------------------------

To listen on addresses other than the loopback address, use :func:`setLocal` and :func:`addLocal`.

:func:`setLocal` **resets** the list of current listen addresses to the specified address and :func:`addLocal` adds an additional listen address.
To listen on ``127.0.0.1:5300``, ``192.0.2.1:53`` and UDP-only on ``[2001:db8:15::47]:53``, configure the following:

.. code-block:: lua

   setLocal('127.0.0.1:5300')
   addLocal('192.0.2.1') -- Port 53 is the default if none is specified
   addLocal('2001:db8:15::47', false) -- second argument false: no TCP listener, UDP only

Listen addresses cannot be modified at runtime and must be specified in the configuration file.

dnsdist is IPv4 and IPv6 agnostic: internally it does not distinguish between the two address families.
So feel free to listen on the wildcard ``0.0.0.0`` or ``::`` addresses; dnsdist does the right thing and answers from the address a query was sent to. A wildcard listener is reachable from every interface, though, so make sure your :term:`ACL` is set properly.

Modifying the ACL
-----------------

ACLs can be modified at runtime from the :ref:`Console`.
To inspect the currently active :term:`ACL`, run :func:`showACL`.

To add a new network range to the existing ACL, use :func:`addACL`:

.. code-block:: lua

   addACL('192.0.2.0/25')
   addACL('2001:db8::1') -- No netmask specified, only allow this address

dnsdist also has the :func:`setACL` function that accepts a list of netmasks and resets the ACL to that list:

.. code-block:: lua

   setACL({'192.0.2.0/25', '2001:db8:15::bea/64'})

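The two sections above fit together into one configuration: a wildcard listener is only safe when the ACL is narrowed to the networks that are actually allowed to query. The following is an added example written for this page, not configuration taken from the dnsdist project or its documentation. The customer ranges, the backend address and the use of ``newServer`` (a dnsdist function not discussed on this page) are assumptions chosen to make the example complete.

```lua
-- Added example, not part of the dnsdist documentation: a full listener plus
-- ACL configuration for a dnsdist instance fronting a recursor for two
-- customer networks. All address ranges below are assumed placeholder values.

-- Listen on the wildcard addresses so every interface is covered. The ACL,
-- not the listen address, is what prevents this from being an open resolver.
setLocal('0.0.0.0:53')
addLocal('[::]:53')

-- WRONG (kept commented out on purpose): an all-zeros ACL on a wildcard
-- listener makes dnsdist answer anyone on the internet, i.e. an open resolver.
-- setACL({'0.0.0.0/0', '::/0'})

-- Correct: replace the default loopback/RFC 1918 ACL with exactly the ranges
-- that may query. setACL() resets the list, so the defaults are gone after
-- this call and the loopback address must be re-added if it is still needed.
setACL({
  '127.0.0.1/32',       -- local monitoring and the console host
  '198.51.100.0/24',    -- assumed: customer network A
  '203.0.113.0/24',     -- assumed: customer network B
  '2001:db8:100::/48'   -- assumed: customer IPv6 allocation
})

-- A single host can be added later, also at runtime from the console;
-- without a netmask only that one address is allowed.
addACL('192.0.2.7')

-- Backend recursor that receives the accepted queries (assumed address).
newServer('192.0.2.10')
```

After starting dnsdist with this configuration, ``showACL()`` on the console should list exactly the five entries above and none of the default ranges; if ``0.0.0.0/0`` or ``::/0`` ever shows up there on a wildcard listener, the instance is an open resolver.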