1 -- == Generic Configuration ==
2
3 -- only accept queries (Do53, DNSCrypt, DoT or DoH) from a few subnets
4 -- see https://dnsdist.org/advanced/acl.html for more details
5 -- please be careful when dnsdist is deployed in front of a server
6 -- granting access based on the source IP, as all queries will
7 -- seem to originate from dnsdist, which might be especially relevant for
8 -- AXFR, IXFR, NOTIFY and UPDATE
9 -- https://dnsdist.org/advanced/axfr.html
10 -- setACL({'192.0.2.0/28', '2001:DB8:1::/56'})
11
12 -- listen for console connections, authenticated with the given secret key
13 -- https://dnsdist.org/guides/console.html
14 -- controlSocket("127.0.0.1:5900")
15 -- setKey("please generate a fresh private key with makeKey()")
16
17 -- start the web server on port 8083, using password 'set a random password here'
18 -- https://dnsdist.org/guides/webserver.html
19 -- webserver("127.0.0.1:8083", "set a random password here")
20
21 -- send statistics to PowerDNS metronome server https://metronome1.powerdns.com/
22 -- https://dnsdist.org/guides/carbon.html
23 -- carbonServer("37.252.122.50", 'unique-name')
24
25 -- accept plain DNS (Do53) queries on UDP/5200 and TCP/5200
26 -- addLocal("127.0.0.1:5200")
27
28 -- accept DNSCrypt queries on UDP/8443 and TCP/8443
29 -- https://dnsdist.org/guides/dnscrypt.html
30 -- addDNSCryptBind("127.0.0.1:8443", "2.provider.name", "DNSCryptResolver.cert", "DNSCryptResolver.key")
31
32 -- accept DNS over TLS (DoT) queries on TCP/9443
33 -- https://dnsdist.org/guides/dns-over-tls.html
34 -- addTLSLocal("127.0.0.1:9443", {"server.crt"}, {"server.key"}, { provider="openssl" })
35
36 -- accept DNS over HTTPS (DoH) queries on TCP/443
37 -- https://dnsdist.org/guides/dns-over-https.html
38 -- addDOHLocal("127.0.0.1:443", {"server.crt"}, {"server.key"})
39
40 -- define downstream servers, aka backends
41 -- https://dnsdist.org/guides/downstreams.html
42 -- https://dnsdist.org/guides/serverpools.html
43 -- https://dnsdist.org/guides/serverselection.html
44 -- newServer("192.0.2.1")
45 -- newServer({address="192.0.2.1:5300", pool="abuse"})
46
47 -- == Tuning ==
48
49 -- Increase the in-memory rings size (the default, 10000, is only one second at 10k qps) used by
50 -- live-traffic inspection features like grepq, and use 100 shards to improve performance
51 -- setRingBuffersSize(1000000, 100)
52
53 -- increase the number of TCP workers, each one being capable of handling a large number
54 -- of TCP connections since 1.4.0
55 -- setMaxTCPClientThreads(20)
56
57 -- == Sample Actions ==
58
59 -- https://dnsdist.org/rules-actions.html
60
61 -- send the queries for selected domain suffixes to the servers
62 -- in the 'abuse' pool
63 -- addAction({"abuse.example.org.", "xxx."}, PoolAction("abuse"))
64
65 -- drop queries for this exact qname
66 -- addAction(QNameRule("drop-me.example.org."), DropAction())
67
68 -- send the queries from a selected subnet to the
69 -- abuse pool
70 -- addAction("192.0.2.0/24", PoolAction("abuse"))
71
72 -- Refuse incoming AXFR, IXFR, NOTIFY and UPDATE
73 -- Explicitly allow trusted sources (slaves, masters) with a rule placed in front of this one
74 -- addAction(OrRule({OpcodeRule(DNSOpcode.Notify), OpcodeRule(DNSOpcode.Update), QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), RCodeAction(DNSRCode.REFUSED))
75
76 -- == Dynamic Blocks ==
77
78 -- define a dynamic block rules group object, set a few limits and apply it
79 -- see https://dnsdist.org/guides/dynblocks.html for more details
80
81 -- local dbr = dynBlockRulesGroup()
82 -- dbr:setQueryRate(30, 10, "Exceeded query rate", 60)
83 -- dbr:setRCodeRate(dnsdist.NXDOMAIN, 20, 10, "Exceeded NXD rate", 60)
84 -- dbr:setRCodeRate(dnsdist.SERVFAIL, 20, 10, "Exceeded ServFail rate", 60)
85 -- dbr:setQTypeRate(dnsdist.ANY, 5, 10, "Exceeded ANY rate", 60)
86 -- dbr:setResponseByteRate(10000, 10, "Exceeded resp BW rate", 60)
87 -- function maintenance()
88 -- dbr:apply()
89 -- end
90
91 -- == Logging ==
92
93 -- connect to a remote protobuf logger and export queries and responses
94 -- https://dnsdist.org/reference/protobuf.html
95 -- rl = newRemoteLogger('127.0.0.1:4242')
96 -- addAction(AllRule(), RemoteLogAction(rl))
97 -- addResponseAction(AllRule(), RemoteLogResponseAction(rl))
98
99 -- DNSTAP is also supported
100 -- https://dnsdist.org/reference/dnstap.html
101 -- fstr = newFrameStreamUnixLogger('/path/to/unix/socket')
102 -- or
103 -- fstr = newFrameStreamTcpLogger('192.0.2.1:4242')
104 -- addAction(AllRule(), DnstapLogAction(fstr))
105 -- addResponseAction(AllRule(), DnstapLogResponseAction(fstr))
106
107 -- == Caching ==
108
109 -- https://dnsdist.org/guides/cache.html
110 -- create a packet cache of at most 100k entries,
111 -- and apply it to the default pool
112 -- pc = newPacketCache(100000)
113 -- getPool(""):setCache(pc)