]> git.ipfire.org Git - thirdparty/pdns.git/blame - pdns/dnsdistdist/docs/reference/config.rst
projects / thirdparty / pdns.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge pull request #6364 from rgacogne/dnsdist-macro-sonar
[thirdparty/pdns.git] / pdns / dnsdistdist / docs / reference / config.rst
CommitLineData
20d81666
PL		 1.. highlight:: lua
2
3Configuration Reference
4=======================
5
6This page lists all configuration options for dnsdist.
7
8.. note::
9
10 When an IPv6 IP:PORT combination is needed, the bracketed syntax from :rfc:`RFC 3986 <3986#section-3.2.2>` should be used.
11 e.g. "[2001:DB8:14::C0FF:FEE]:5300".
12
13Functions and Types
14-------------------
15
16Within dnsdist several core object types exist:
17
18* :class:`Server`: generated with :func:`newServer`, represents a downstream server
19* :class:`ComboAddress`: represents an IP address and port
20* :class:`DNSName`: represents a domain name
21* :class:`NetmaskGroup`: represents a group of netmasks
22* :class:`QPSLimiter`: implements a QPS-based filter
23* :class:`SuffixMatchNode`: represents a group of domain suffixes for rapid testing of membership
24* :class:`DNSHeader`: represents the header of a DNS packet
bd51e34c 25* :class:`ClientState`: sometimes also called Bind or Frontend, represents the addresses and ports dnsdist is listening on
20d81666
PL		 26
27The existence of most of these objects can mostly be ignored, unless you plan to write your own hooks and policies, but it helps to understand an expressions like:
28
29.. code-block:: lua
30
31 getServer(0).order=12 -- set order of server 0 to 12
32 getServer(0):addPool("abuse") -- add this server to the abuse pool
33
34The ``.`` means ``order`` is a data member, while the ``:`` means ``addPool`` is a member function.
35
36Global configuration
37--------------------
38
39.. function:: includeDirectory(path)
40
41 Include configuration files from ``path``.
42
43 :param str path: The directory to load the configuration from
44
45Listen Sockets
46~~~~~~~~~~~~~~
47
48.. function:: addLocal(address[, options])
49
50 .. versionadded:: 1.2.0
51
52 Add to the list of listen addresses.
53
54 :param str address: The IP Address with an optional port to listen on.
55 The default port is 53.
56 :param table options: A table with key: value pairs with listen options.
57
58 Options:
59
60 * ``doTCP=true``: bool - Also bind on TCP on ``address``.
61 * ``reusePort=false``: bool - Set the ``SO_REUSEPORT`` socket option.
4bc167b8
RG		 62 * ``tcpFastOpenSize=0``: int - Set the TCP Fast Open queue size, enabling TCP Fast Open when available and the value is larger than 0.
63 * ``interface=""``: str - Set the network interface to use.
64 * ``cpus={}``: table - Set the CPU affinity for this listener thread, asking the scheduler to run it on a single CPU id, or a set of CPU ids. This parameter is only available if the OS provides the pthread_setaffinity_np() function.
20d81666
PL		 65
66 .. code-block:: lua
67
68 addLocal('0.0.0.0:5300', { doTCP=true, reusePort=true })
69
70 This will bind to both UDP and TCP on port 5300 with SO_REUSEPORT enabled.
71
72.. function:: addLocal(address[[[,do_tcp], so_reuseport], tcp_fast_open_qsize])
73
74 .. deprecated:: 1.2.0
75
76 Add to the list of addresses listened on.
77
78 :param str address: The IP Address with an optional port to listen on.
79 The default port is 53.
80 :param bool do_tcp: Also bind a TCP port on ``address``, defaults to true.
81 :param bool so_reuseport: Use ``SO_REUSEPORT`` if it is available, defaults to false
5d31a326
RG		 82 :param int tcp_fast_open_qsize: The size of the TCP Fast Open queue. Set to a number
83 higher than 0 to enable TCP Fast Open when available.
84 Default is 0.
20d81666 85
a227f47d
RG		 86.. function:: addTLSLocal(address, certFile, keyFile[, options])
87
88 .. versionadded:: 1.3.0
89
90 Listen on the specified address and TCP port for incoming DNS over TLS connections, presenting the specified X.509 certificate.
91
92 :param str address: The IP Address with an optional port to listen on.
93 The default port is 853.
94 :param str certFile: The path to a X.509 certificate file in PEM format.
95 :param str keyFile: The path to the private key file corresponding to the certificate.
96 :param table options: A table with key: value pairs with listen options.
97
98 Options:
99
100 * ``doTCP=true``: bool - Also bind on TCP on ``address``.
101 * ``reusePort=false``: bool - Set the ``SO_REUSEPORT`` socket option.
102 * ``tcpFastOpenSize=0``: int - Set the TCP Fast Open queue size, enabling TCP Fast Open when available and the value is larger than 0.
103 * ``interface=""``: str - Set the network interface to use.
104 * ``cpus={}``: table - Set the CPU affinity for this listener thread, asking the scheduler to run it on a single CPU id, or a set of CPU ids. This parameter is only available if the OS provides the pthread_setaffinity_np() function.
105 * ``provider``: str - The TLS library to use between GnuTLS and OpenSSL, if they were available and enabled at compilation time.
106 * ``ciphers``: str - The TLS ciphers to use. The exact format depends on the provider used.
107 * ``numberOfTicketsKeys``: int - The maximum number of tickets keys to keep in memory at the same time, if the provider supports it (GnuTLS doesn't, OpenSSL does). Only one key is marked as active and used to encrypt new tickets while the remaining ones can still be used to decrypt existing tickets after a rotation. Default to 5.
108 * ``ticketKeyFile``: str - The path to a file from where TLS tickets keys should be loaded, to support RFC 5077. These keys should be rotated often and never written to persistent storage to preserve forward secrecy. The default is to generate a random key. The OpenSSL provider supports several tickets keys to be able to decrypt existing sessions after the rotation, while the GnuTLS provider only supports one key.
109 * ``ticketsKeysRotationDelay``: int - Set the delay before the TLS tickets key is rotated, in seconds. Default is 43200 (12h).
110
20d81666
PL		 111.. function:: setLocal(address[, options])
112
113 .. versionadded:: 1.2.0
114
115 Remove the list of listen addresses and add a new one.
116
117 :param str address: The IP Address with an optional port to listen on.
118 The default port is 53.
119 :param table options: A table with key: value pairs with listen options.
120
121 The options that can be set are the same as :func:`addLocal`.
122
123.. function:: setLocal(address[[[,do_tcp], so_reuseport], tcp_fast_open_qsize])
124
125 .. deprecated:: 1.2.0
126
127 Remove the list of listen addresses and add a new one.
128
129 :param str address: The IP Address with an optional port to listen on.
130 The default port is 53.
131 :param bool do_tcp: Also bind a TCP port on ``address``, defaults to true.
132 :param bool so_reuseport: Use ``SO_REUSEPORT`` if it is available, defaults to false
5d31a326
RG		 133 :param int tcp_fast_open_qsize: The size of the TCP Fast Open queue. Set to a number
134 higher than 0 to enable TCP Fast Open when available.
135 Default is 0.
20d81666
PL		 136
137Control Socket, Console and Webserver
138~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
139
140.. function:: controlSocket(address)
141
142 Bind to ``addr`` and listen for a connection for the console
143
144 :param str address: An IP address with optional port. By default, the port is 5199.
145
6f2a4580
PD		 146.. function:: inClientStartup()
147
148 Returns true while the console client is parsing the configuration.
149
20d81666
PL		 150.. function:: makeKey()
151
152 Generate and print an encryption key.
153
506bb661
RG		 154.. function:: setConsoleConnectionsLogging(enabled)
155
156 .. versionadded:: 1.2.0
157
158 Whether to log the opening and closing of console connections.
159
160 :param bool enabled: Default to true.
161
20d81666
PL		 162.. function:: setKey(key)
163
164 Use ``key`` as shared secret between the client and the server
165
166 :param str key: An encoded key, as generated by :func:`makeKey`
167
168.. function:: testCrypto()
169
170 Test the crypto code, will report errors when something is not ok.
171
172Webserver
173~~~~~~~~~
174
175.. function:: webServer(listen_address, password[, apikey[, custom_headers]])
176
177 Launch the :doc:`../guides/webserver` with statistics and the API.
178
179 :param str listen_address: The IP address and Port to listen on
180 :param str password: The password required to access the webserver
181 :param str apikey: The key required to access the API
182 :param {[str]=str,...} custom_headers: Allows setting custom headers and removing the defaults
183
184.. function:: setAPIWritable(allow [,dir])
185
186 Allow modifications via the API.
187 Optionally saving these changes to disk.
188 Modifications done via the API will not be written to the configuration by default and will not persist after a reload
189
190 :param bool allow: Set to true to allow modification through the API
191 :param str dir: A valid directory where the configuration files will be written by the API.
192
193Access Control Lists
194~~~~~~~~~~~~~~~~~~~~
195
196.. function:: addACL(netmask)
197
198 Add a netmask to the existing ACL
199
200 :param str netmask: A CIDR netmask, e.g. ``"192.0.2.0/24"``. Without a subnetmask, only the specific address is allowed.
201
202.. function:: setACL(netmasks)
203
204 Remove the existing ACL and add the netmasks from the table.
205
206 :param {str} netmasks: A table of CIDR netmask, e.g. ``{"192.0.2.0/24", "2001:DB8:14::/56"}``. Without a subnetmask, only the specific address is allowed.
207
208EDNS Client Subnet
209~~~~~~~~~~~~~~~~~~
210
211.. function:: setECSSourcePrefixV4(prefix)
212
213 When ``useClientSubnet`` in :func:`newServer` is set and dnsdist adds an EDNS Client Subnet Client option to the query, truncate the requestors IPv4 address to ``prefix`` bits
214
215 :param int prefix: The prefix length
216
217.. function:: setECSSourcePrefixV6(prefix)
218
219 When ``useClientSubnet`` in :func:`newServer` is set and dnsdist adds an EDNS Client Subnet Client option to the query, truncate the requestor's IPv6 address to bits
220
221 :param int prefix: The prefix length
222
223Ringbuffers
224~~~~~~~~~~~
225
226.. function:: setRingBuffersSize(num)
227
228 Set the capacity of the ringbuffers used for live traffic inspection to ``num``
229
230 :param int num: The maximum amount of queries to keep in the ringbuffer. Defaults to 10000
231
232Servers
233-------
234
235.. function:: newServer(server_string)
236 newServer(server_table)
237
238 Add a new backend server. Call this function with either a string::
239
240 newServer(
241 "IP:PORT" -- IP and PORT of the backend server
242 )
243
244 or a table::
245
246 newServer({
247 address="IP:PORT", -- IP and PORT of the backend server (mandatory)
c19aa18d
RG		 248 qps=NUM, -- Limit the number of queries per second to NUM, when using the `firstAvailable` policy
249 order=NUM, -- The order of this server, used by the `leastOustanding` and `firstAvailable` policies
250 weight=NUM, -- The weight of this server, used by the `wrandom` and `whashed` policies
5d31a326
RG		 251 pool=STRING|{STRING}, -- The pools this server belongs to (unset or empty string means default pool) as a string or table of strings
252 retries=NUM, -- The number of TCP connection attempts to the backend, for a given query
253 tcpConnectTimeout=NUM, -- The timeout (in seconds) of a TCP connection attempt
254 tcpSendTimeout=NUM, -- The timeout (in seconds) of a TCP write attempt
255 tcpRecvTimeout=NUM, -- The timeout (in seconds) of a TCP read attempt
256 tcpFastOpen=BOOL, -- Whether to enable TCP Fast Open
c0e7123d 257 ipBindAddrNoPort=BOOL, -- Whether to enable IP_BIND_ADDRESS_NO_PORT if available, default: true
5d31a326 258 name=STRING, -- The name associated to this backend, for display purpose
de9f7157 259 checkClass=NUM, -- Use NUM as QCLASS in the health-check query, default: DNSClass.IN
20d81666
PL		 260 checkName=STRING, -- Use STRING as QNAME in the health-check query, default: "a.root-servers.net."
261 checkType=STRING, -- Use STRING as QTYPE in the health-check query, default: "A"
262 setCD=BOOL, -- Set the CD (Checking Disabled) flag in the health-check query, default: false
fc1e69ee 263 maxCheckFailures=NUM, -- Allow NUM check failures before declaring the backend down, default: 1
20d81666
PL		 264 mustResolve=BOOL, -- Set to true when the health check MUST return a NOERROR RCODE and an answer
265 useClientSubnet=BOOL, -- Add the client's IP address in the EDNS Client Subnet option when forwarding the query to this backend
18f707fa 266 source=STRING, -- The source address or interface to use for queries to this backend, by default this is left to the kernel's address selection
20d81666
PL		 267 -- The following formats are supported:
268 -- "address", e.g. "192.0.2.2"
269 -- "interface name", e.g. "eth0"
270 -- "address@interface", e.g. "192.0.2.2@eth0"
18f707fa 271 addXPF=NUM -- Add the client's IP address and port to the query, along with the original destination address and port,
c85f69a8 272 -- using the experimental XPF record from `draft-bellis-dnsop-xpf <https://datatracker.ietf.org/doc/draft-bellis-dnsop-xpf/>`_ and the specified option code. Default is disabled (0)
20d81666
PL		 273 })
274
275 :param str server_string: A simple IP:PORT string.
276 :param table server_table: A table with at least a 'name' key
277
278.. function:: getServer(index) -> Server
279
280 Get a :class:`Server`
281
282 :param int index: The number of the server (as seen in :func:`showServers`).
283 :returns: The :class:`Server` object or nil
284
285.. function:: getServers()
286
287 Returns a table with all defined servers.
288
289.. function:: rmServer(index)
290 rmServer(server)
291
292 Remove a backend server.
293
294 :param int index: The number of the server (as seen in :func:`showServers`).
295 :param Server server: A :class:`Server` object as returned by e.g. :func:`getServer`.
296
297Server Functions
298~~~~~~~~~~~~~~~~
299A server object returned by :func:`getServer` can be manipulated with these functions.
300
301.. class:: Server
302
303 This object represents a backend server. It has several methods.
304
d9018741 305 .. method:: Server:addPool(pool)
20d81666 306
d9018741 307 Add this server to a pool.
20d81666 308
d9018741 309 :param str pool: The pool to add the server to
20d81666 310
d9018741 311 .. method:: Server:getName() -> string
20d81666 312
d9018741 313 Get the name of this server.
20d81666 314
d9018741 315 :returns: The name of the server, or an empty string if it does not have one
20d81666 316
d9018741 317 .. method:: Server:getNameWithAddr() -> string
20d81666 318
d9018741 319 Get the name plus IP address and port of the server
20d81666 320
d9018741 321 :returns: A string containing the server name if any plus the server address and port
20d81666 322
d9018741 323 .. method:: Server:getOutstanding() -> int
20d81666 324
d9018741 325 Get the number of outstanding queries for this server.
20d81666 326
d9018741 327 :returns: The number of outstanding queries
20d81666 328
d9018741 329 .. method:: Server:isUp() -> bool
20d81666 330
d9018741 331 Returns the up status of the server
20d81666 332
d9018741 333 :returns: true when the server is up, false otherwise
20d81666 334
d9018741 335 .. method:: Server:rmPool(pool)
20d81666 336
d9018741 337 Removes the server from the named pool
20d81666 338
d9018741 339 :param str pool: The pool to remove the server from
20d81666 340
d9018741 341 .. method:: Server:setAuto([status])
d92708ed 342
d9018741
PL		 343 .. versionchanged:: 1.3.0
344 ``status`` optional parameter added.
20d81666 345
d9018741
PL		 346 Set the server in the default auto state.
347 This will enable health check queries that will set the server ``up`` and ``down`` appropriately.
d92708ed 348
d9018741 349 :param bool status: Set the initial status of the server to ``up`` (true) or ``down`` (false) instead of using the last known status
20d81666 350
d9018741 351 .. method:: Server:setQPS(limit)
20d81666 352
d9018741 353 Limit the queries per second for this server.
20d81666 354
d9018741 355 :param int limit: The maximum number of queries per second
20d81666 356
d9018741 357 .. method:: Server:setDown()
20d81666 358
d9018741
PL		 359 Set the server in an ``DOWN`` state.
360 The server will not receive queries and the health checks are disabled
20d81666 361
d9018741 362 .. method:: Server:setUp()
20d81666 363
d9018741
PL		 364 Set the server in an ``UP`` state.
365 This server will still receive queries and health checks are disabled
20d81666 366
d9018741 367 Apart from the functions, a :class:`Server` object has these attributes:
20d81666 368
d9018741 369 .. attribute:: Server.name
20d81666 370
d9018741 371 The name of the server
20d81666 372
d9018741 373 .. attribute:: Server.upStatus
20d81666 374
d9018741 375 Whether or not this server is up or down
20d81666 376
d9018741 377 .. attribute:: Server.order
20d81666 378
d9018741 379 The order of the server
20d81666 380
d9018741 381 .. attribute:: Server.weight
20d81666 382
d9018741 383 The weight of the server
20d81666
PL		 384
385Pools
386-----
387
388:class:`Server`\ s can be part of any number of pools.
5d31a326
RG		 389Pools are automatically created when a server is added to a pool (with :func:`newServer`), or can be manually created with :func:`addPool`.
390
391.. function:: addPool(name) -> ServerPool
392
393 Returns a :class:`ServerPool`.
394
395 :param string name: The name of the pool to create
20d81666
PL		 396
397.. function:: getPool(name) -> ServerPool
398
399 Returns a :class:`ServerPool` or nil.
400
401 :param string name: The name of the pool
402
5d31a326
RG		 403.. function:: rmPool(name)
404
405 Remove the pool named `name`.
406
407 :param string name: The name of the pool to remove
408
20d81666
PL		 409.. function:: getPoolServers(name) -> [ Server ]
410
411 Returns a list of :class:`Server`\ s or nil.
412
413 :param string name: The name of the pool
414
415.. class:: ServerPool
416
417 This represents the pool where zero or more servers are part of.
418
d9018741 419 .. method:: ServerPool:getCache() -> PacketCache
20d81666 420
d9018741 421 Returns the :class:`PacketCache` for this pool or nil.
20d81666 422
d9018741 423 .. method:: ServerPool:setCache(cache)
20d81666 424
d9018741 425 Adds ``cache`` as the pool's cache.
20d81666 426
d9018741 427 :param PacketCache cache: The new cache to add to the pool
20d81666 428
d9018741 429 .. method:: ServerPool:unsetCache()
20d81666 430
d9018741 431 Removes the cache from this pool.
20d81666
PL		 432
433PacketCache
434~~~~~~~~~~~
435
436A Pool can have a packet cache to answer queries directly in stead of going to the backend.
437See :doc:`../guides/cache` for a how to.
438
4bc167b8
RG		 439.. function:: newPacketCache(maxEntries[, maxTTL=86400[, minTTL=0[, temporaryFailureTTL=60[, staleTTL=60[, dontAge=false[, numberOfShards=1[, deferrableInsertLock=true]]]]]]]) -> PacketCache
440
441 .. versionchanged:: 1.2.0
442 ``numberOfShard`` and ``deferrableInsertLock`` parameters added.
20d81666
PL		 443
444 Creates a new :class:`PacketCache` with the settings specified.
445
446 :param int maxEntries: The maximum number of entries in this cache
447 :param int maxTTL: Cap the TTL for records to his number
448 :param int minTTL: Don't cache entries with a TTL lower than this
449 :param int temporaryFailureTTL: On a SERVFAIL or REFUSED from the backend, cache for this amount of seconds
450 :param int staleTTL: When the backend servers are not reachable, send responses if the cache entry is expired at most this amount of seconds
4bc167b8
RG		 451 :param bool dontAge: Don't reduce TTLs when serving from the cache. Use this when :program:`dnsdist` fronts a cluster of authoritative servers
452 :param int numberOfShards: Number of shards to divide the cache into, to reduce lock contention
453 :param bool deferrableInsertLock: Whether the cache should give up insertion if the lock is held by another thread, or simply wait to get the lock
20d81666
PL		 454
455.. class:: PacketCache
456
457 Represents a cache that can be part of :class:`ServerPool`.
458
d9018741 459 .. method:: PacketCache:expunge(n)
20d81666 460
d9018741 461 Remove entries from the cache, leaving at most ``n`` entries
20d81666 462
d9018741 463 :param int n: Number of entries to keep
20d81666 464
d9018741 465 .. method:: PacketCache:expungeByName(name [, qtype=dnsdist.ANY[, suffixMatch=false]])
20d81666 466
d9018741
PL		 467 .. versionchanged:: 1.2.0
468 ``suffixMatch`` parameter added.
20d81666 469
d9018741 470 Remove entries matching ``name`` and type from the cache.
20d81666 471
d9018741
PL		 472 :param DNSName name: The name to expunge
473 :param int qtype: The type to expunge
474 :param bool suffixMatch: When set to true, remove al entries under ``name``
20d81666 475
d9018741 476 .. method:: PacketCache:isFull() -> bool
20d81666 477
d9018741 478 Return true if the cache has reached the maximum number of entries.
20d81666 479
d9018741 480 .. method:: PacketCache:printStats()
20d81666 481
d9018741 482 Print the cache stats (hits, misses, deferred lookups and deferred inserts).
20d81666 483
d9018741 484 .. method:: PacketCache:purgeExpired(n)
20d81666 485
d9018741 486 Remove expired entries from the cache until there is at most ``n`` entries remaining in the cache.
20d81666 487
d9018741 488 :param int n: Number of entries to keep
20d81666 489
d9018741 490 .. method:: PacketCache:toString() -> string
20d81666 491
d9018741 492 Return the number of entries in the Packet Cache, and the maximum number of entries
20d81666 493
bd51e34c
RG		 494Client State
495------------
496
497Also called frontend or bind, the Client State object returned by :func:`getBind` and listed with :func:`showBinds` represents an address and port dnsdist is listening on.
498
499.. function:: getBind(index) -> ClientState
500
d9018741 501 Return a :class:`ClientState` object.
bd51e34c
RG		 502
503 :param int index: The object index
504
505ClientState functions
506~~~~~~~~~~~~~~~~~~~~~
507
508.. class:: ClientState
509
510 This object represents an address and port dnsdist is listening on. When ``reuseport`` is in use, several ClientState objects can be present for the same address and port.
511
d9018741 512 .. method:: ClientState:attachFilter(filter)
bd51e34c 513
d9018741 514 Attach a BPF filter to this frontend.
bd51e34c 515
d9018741 516 :param BPFFilter filter: The filter to attach to this frontend
bd51e34c 517
d9018741 518 .. method:: ClientState:detachFilter()
bd51e34c 519
d9018741 520 Remove the BPF filter associated to this frontend, if any.
bd51e34c 521
d9018741 522 .. method:: ClientState:toString() -> string
bd51e34c 523
d9018741 524 Return the address and port this frontend is listening on.
bd51e34c 525
d9018741 526 :returns: The address and port this frontend is listening on
bd51e34c 527
d9018741 528 .. attribute:: ClientState.muted
bd51e34c 529
d9018741 530 If set to true, queries received on this frontend will be normally processed and sent to a backend if needed, but no response will be ever be sent to the client over UDP. TCP queries are processed normally and responses sent to the client.
bd51e34c 531
20d81666
PL		 532Status, Statistics and More
533---------------------------
534
535.. function:: dumpStats()
536
537 Print all statistics dnsdist gathers
538
a227f47d 539.. function:: getTLSContext(idx)
d9018741 540
a227f47d
RG		 541 .. versionadded:: 1.3.0
542
543 Return the TLSContext object for the context of index ``idx``.
544
20d81666
PL		 545.. function:: grepq(selector[, num])
546 grepq(selectors[, num])
547
548 Prints the last ``num`` queries matching ``selector`` or ``selectors``.
549
550 The selector can be:
551
552 * a netmask (e.g. '192.0.2.0/24')
553 * a DNS name (e.g. 'dnsdist.org')
554 * a response time (e.g. '100ms')
555
556 :param str selector: Select queries based on this property.
557 :param {str} selectors: A lua table of selectors. Only queries matching all selectors are shown
558 :param int num: Show a maximum of ``num`` recent queries, default is 10.
559
560.. function:: showACL()
561
562 Print a list of all allowed netmasks.
563
77d43b54
RG		 564.. function:: showBinds()
565
566 Print a list of all the current addresses and ports dnsdist is listening on, also called ``frontends``
567
20d81666
PL		 568.. function:: showResponseLatency()
569
77d43b54 570 Show a plot of the response time latency distribution
20d81666
PL		 571
572.. function:: showServers()
573
574 This function shows all backend servers currently configured and some statistics.
575 These statics have the following fields:
576
577 * ``#`` - The number of the server, can be used as the argument for :func:`getServer`
578 * ``Address`` - The IP address and port of the server
579 * ``State`` - The current state of the server
580 * ``Qps`` - Current number of queries per second
581 * ``Qlim`` - Configured maximum number of queries per second
582 * ``Ord`` - The order number of the server
583 * ``Wt`` - The weight of the server
584 * ``Queries`` - Total amount of queries sent to this server
585 * ``Drops`` - Number of queries that were dropped by this server
586 * ``Drate`` - Number of queries dropped per second by this server
587 * ``Lat`` - The latency of this server in milliseconds
588 * ``Pools`` - The pools this server belongs to
589
590.. function:: showTCPStats()
591
77d43b54 592 Show some statistics regarding TCP
20d81666 593
a227f47d 594.. function:: showTLSContexts()
d9018741 595
a227f47d
RG		 596 .. versionadded:: 1.3.0
597
598 Print the list of all availables DNS over TLS contexts.
599
20d81666
PL		 600.. function:: showVersion()
601
602 Print the version of dnsdist
603
604.. function:: topBandwidth([num])
605
606 Print the top ``num`` clients that consume the most bandwidth.
607
608 :param int num: Number to show, defaults to 10.
609
610.. function:: topClients([num])
611
612 Print the top ``num`` clients sending the most queries over length of ringbuffer
613
614 :param int num: Number to show, defaults to 10.
615
616.. function:: topQueries([num[, labels]])
617
618 Print the ``num`` most popular QNAMEs from queries.
619 Optionally grouped by the rightmost ``labels`` DNS labels.
620
621 :param int num: Number to show, defaults to 10
622 :param int label: Number of labels to cut down to
623
624.. function:: topResponses([num[, rcode[, labels]]])
625
967f6a7f 626 Print the ``num`` most seen responses with an RCODE of ``rcode``.
20d81666
PL		 627 Optionally grouped by the rightmost ``labels`` DNS labels.
628
629 :param int num: Number to show, defaults to 10
967f6a7f 630 :param int rcode: :ref:`Response code <DNSRCode>`, defaults to 0 (No Error)
20d81666
PL		 631 :param int label: Number of labels to cut down to
632
633.. function:: topSlow([num[, limit[, labels]]])
634
635 Print the ``num`` slowest queries that are slower than ``limit`` milliseconds.
636 Optionally grouped by the rightmost ``labels`` DNS labels.
637
638 :param int num: Number to show, defaults to 10
af4b7afb 639 :param int limit: Show queries slower than this amount of milliseconds, defaults to 2000
20d81666
PL		 640 :param int label: Number of labels to cut down to
641
642.. _dynblocksref:
643
644Dynamic Blocks
645--------------
646
647.. function:: addDynBlocks(addresses, message[, seconds=10[, action]])
648
649 .. versionchanged:: 1.2.0
650 ``action`` parameter added.
651
652 Block a set of addresses with ``message`` for (optionally) a number of seconds.
653 The default number of seconds to block for is 10.
654
655 :param addresses: set of Addresses as returned by an exceed function
656 :param string message: The message to show next to the blocks
657 :param int seconds: The number of seconds this block to expire
658 :param int action: The action to take when the dynamic block matches, see :ref:`here <DNSAction>`. (default to the one set with :func:`setDynBlocksAction`)
659
660.. function:: clearDynBlocks()
661
662 Remove all current dynamic blocks.
663
664.. function:: showDynBlocks()
665
666 List all dynamic blocks in effect.
667
668.. function:: setDynBlocksAction(action)
669
670 Set which action is performed when a query is blocked.
752d505b 671 Only DNSAction.Drop (the default), DNSAction.Refused and DNSAction.Truncate are supported.
20d81666 672
20d81666
PL		 673.. _exceedfuncs:
674
675Getting addresses that exceeded parameters
676~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
677
678.. function:: exceedServFails(rate, seconds)
679
680 Get set of addresses that exceed ``rate`` servfails/s over ``seconds`` seconds
681
682 :param int rate: Number of Servfails per second to exceed
683 :param int seconds: Number of seconds the rate has been exceeded
684
685.. function:: exceedNXDOMAINs(rate, seconds)
686
687 get set of addresses that exceed ``rate`` NXDOMAIN/s over ``seconds`` seconds
688
689 :param int rate: Number of NXDOMAIN per second to exceed
690 :param int seconds: Number of seconds the rate has been exceeded
691
692.. function:: exceedRespByterate(rate, seconds)
693
694 get set of addresses that exceeded ``rate`` bytes/s answers over ``seconds`` seconds
695
696 :param int rate: Number of bytes per second to exceed
697 :param int seconds: Number of seconds the rate has been exceeded
698
699.. function:: exceedQRate(rate, seconds)
700
701 Get set of address that exceed ``rate`` queries/s over ``seconds`` seconds
702
703 :param int rate: Number of queries per second to exceed
704 :param int seconds: Number of seconds the rate has been exceeded
705
706.. function:: exceedQTypeRate(type, rate, seconds)
707
708 Get set of address that exceed ``rate`` queries/s for queries of QType ``type`` over ``seconds`` seconds
709
710 :param int type: QType
711 :param int rate: Number of QType queries per second to exceed
712 :param int seconds: Number of seconds the rate has been exceeded
713
714Other functions
715---------------
716
717.. function:: maintenance()
718
719 If this function exists, it is called every second to so regular tasks.
720 This can be used for e.g. :doc:`Dynamic Blocks <../guides/dynblocks>`.
a227f47d
RG		 721
722TLSContext
723~~~~~~~~~~
724
725.. class:: TLSContext
d9018741 726
a227f47d
RG		 727 .. versionadded:: 1.3.0
728
729 This object represents an address and port dnsdist is listening on for DNS over TLS queries.
730
d9018741 731 .. method:: TLSContext:rotateTicketsKey()
a227f47d 732
d9018741 733 Replace the current TLS tickets key by a new random one.
a227f47d 734
d9018741 735 .. method:: TLSContext:loadTicketsKeys(ticketsKeysFile)
a227f47d 736
d9018741 737 Load new tickets keys from the selected file, replacing the existing ones. These keys should be rotated often and never written to persistent storage to preserve forward secrecy. The default is to generate a random key. The OpenSSL provider supports several tickets keys to be able to decrypt existing sessions after the rotation, while the GnuTLS provider only supports one key.
a227f47d 738
d9018741 739 :param str ticketsKeysFile: The path to a file from where TLS tickets keys should be loaded.
Unnamed repository; edit this file 'description' to name the repository.