From ca85097f20cab4912fda4f4b61cfde491448e001 Mon Sep 17 00:00:00 2001 From: Remi Gacogne Date: Thu, 4 Apr 2024 16:37:13 +0200 Subject: [PATCH] dnsdist: Document the `-C /dev/null` trick to generate a key as well As suggested by @phonedph1 (thanks!). --- pdns/dnsdistdist/docs/guides/console.rst | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/pdns/dnsdistdist/docs/guides/console.rst b/pdns/dnsdistdist/docs/guides/console.rst index 68164b8d5a..b039320f7d 100644 --- a/pdns/dnsdistdist/docs/guides/console.rst +++ b/pdns/dnsdistdist/docs/guides/console.rst @@ -15,15 +15,24 @@ Enabling the console without encryption enabled is not recommended. Note that en Once you have a console-enabled dnsdist, the first step to enable encryption is to generate a key with :func:`makeKey`:: - $ ./dnsdist -l 127.0.0.1:5300 + $ ./dnsdist -l 127.0.0.1:5300 -C /dev/null [..] > makeKey() setKey("ENCODED KEY") +The example above tells :program:`dnsdist` not to load the default configuration file (``-C /dev/null``) to prevent it +from trying to listen on privileged ports, connect to backends, etc. It also instructs :program:`dnsdist` not to listen +on the default (privileged) port 53 of all available addresses but on an unprivileged and hopefully available +port 5300 on the local interface instead (``-l 127.0.0.1:5300``). + The key does not have a specific format, so base-64 encoding 32 random bytes works as well:: $ dd if=/dev/random bs=1 count=32 status=none | base64 +or using ``openssl``:: + + $ openssl rand -base64 32 + Then add the generated :func:`setKey` line to your dnsdist configuration file, along with a :func:`controlSocket`: .. code-block:: lua -- 2.47.2
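Review bot: The context sentence "Once you have a console-enabled dnsdist, the first step to enable encryption is to generate a key" now sits awkwardly above an example that starts dnsdist with `-C /dev/null`, i.e. with no configuration and therefore no `controlSocket` at all; the `> makeKey()` prompt in the example is the interactive prompt of a foreground dnsdist, not the remote console, so consider rewording that lead sentence (for instance "the first step to enable encryption is to generate a key by running dnsdist in the foreground with an empty configuration") so readers do not think a console must already be configured before they can call `makeKey()`. Two smaller points in the new paragraph: "hopefully available" is informal for reference documentation and could become "an unprivileged port that is unlikely to be in use", and the paragraph is wrapped at a different width than the surrounding text in console.rst.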