addAction(AndRule({OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), NotRule(NetmaskGroupRule("192.168.1.0/24"))}), RCodeAction(DNSRCode.REFUSED))
-.. versionchanged:: 1.4.0
- Before 1.4.0, the QTypes were in the ``dnsdist`` namespace. Use ``dnsdist.AXFR`` and ``dnsdist.IXFR`` in these versions.
- Before 1.4.0, the RCodes were in the ``dnsdist`` namespace. Use ``dnsdist.REFUSED`` in these versions.
-
A different way would be to configure dnsdist to pass the source IP of the client to the backend. The different options
to do that are described in :doc:`Passing the source address to the backend <passing-source-address>`.
-- this rule will route SOA, AXFR and IXFR queries to a specific pool of servers
addAction(OrRule({QTypeRule(DNSQType.SOA), QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), PoolAction("primary"))
-.. versionchanged:: 1.8.0
- Since 1.8.0, dnsdist will no longer cache responses to AXFR and IXFR queries.
-
In front of secondaries
-----------------------
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(NetmaskGroupRule("192.168.1.0/24"))}), RCodeAction(DNSRCode.REFUSED))
-.. versionchanged:: 1.4.0
- Before 1.4.0, the RCodes were in the ``dnsdist`` namespace. Use ``dnsdist.REFUSED`` in these versions.
-
.. warning::
Be wary of dnsdist caching the responses to NOTIFY queries and sending these to the wrong clients.
When dispatching UDP queries to backend servers, dnsdist keeps track of at most **n** outstanding queries for each backend.
This number **n** can be tuned by the :func:`setMaxUDPOutstanding` directive, defaulting to 65535 which is the maximum value.
-.. versionchanged:: 1.4.0
- The default was 10240 before 1.4.0
-
-Large installations running dnsdist before 1.4.0 are advised to increase the default value at the cost of a slightly increased memory usage.
-
Looking at ``udp-in-errors`` in :func:`dumpStats` will reveal whether the system is dropping UDP datagrams because dnsdist does not pick them up fast enough. In that case it might be good to add more :func:`addLocal` directives.
In the same way, if the number of ``Drops`` in :func:`showServers` increase fast enough, it might mean that the backend is overloaded but also that the UDP received thread is. In that case adding more :func:`newServer`
.. function:: setServerPolicyLuaFFI(name, function)
- .. versionadded:: 1.5.0
-
.. versionchanged:: 1.9.2
Returning a value equal or greater than the number of servers will be interpreted as all servers being unavailable.
.. function:: setServerPolicyLuaFFIPerThread(name, code)
- .. versionadded:: 1.6.0
-
.. versionchanged:: 1.9.2
Returning a value equal or greater than the number of servers will be interpreted as all servers being unavailable.
.. function:: setRoundRobinFailOnNoServer(value)
- .. versionadded:: 1.4.0
-
By default the roundrobin load-balancing policy will still try to select a backend even if all backends are currently down. Setting this to true will make the policy fail and return that no server is available instead.
:param bool value: whether to fail when all servers are down
.. function:: setWeightedBalancingFactor(factor)
- .. versionadded: 1.5.0
-
Set the maximum imbalance between the number of outstanding queries intended for a given server, based on its weight,
and the actual number, when using the ``whashed``, ``wrandom`` or ``orderedWrandUntag`` load-balancing policy.
Default is 0, which disables the bounded-load algorithm.
:query string type: DNS type, optional. Defaults to all types when unset
:query string suffix: Set to any value to wipe treat ``name`` as a suffix
- .. versionadded:: 1.8.0
-
Allows removing entries from a cache. The pool to which the cache is associated should be specified in the ``pool`` parameter, and the name to remove in the ``name`` parameter.
By default only entries matching the exact name will be removed, but it is possible to remove all entries below that name by passing the ``suffix`` parameter set to any value.
By default entries for all types for the name are removed, but it is possible to only remove entries for a specific type by passing the ``type`` parameter set to the requested type. Supported values are DNS type names as a strings (``AAAA``), or numerical values (as either ``#64`` or ``TYPE64``).
.. http:get:: /api/v1/servers/localhost/pool
- .. versionadded:: 1.6.1
-
Get a quick overview of the pool named "pool-name".
:query string pool-name: Name of the pool, required
.. function:: ClearRecordTypesResponseAction(types)
- .. versionadded:: 1.8.0
-
Removes given type(s) records from the response. Beware you can accidentally turn the answer into a NODATA response
without a SOA record in the additional section in which case you may want to use :func:`NegativeAndSOAAction` to generate an answer,
see example below.
.. function:: ContinueAction(action)
- .. versionadded:: 1.4.0
-
Execute the specified action and override its return with None, making it possible to continue the processing.
Subsequent rules are processed after this action.
:param int milliseconds: The amount of milliseconds to delay the response
-.. function:: DisableECSAction()
-
- .. deprecated:: 1.6.0
-
- This function has been deprecated in 1.6.0 and removed in 1.7.0, please use :func:`SetDisableECSAction` instead.
-
- Disable the sending of ECS to the backend.
- Subsequent rules are processed after this action.
-
-.. function:: DisableValidationAction()
-
- .. deprecated:: 1.6.0
-
- This function has been deprecated in 1.6.0 and removed in 1.7.0, please use :func:`SetDisableValidationAction` instead.
-
- Set the CD bit in the query and let it go through.
- Subsequent rules are processed after this action.
-
.. function:: DnstapLogAction(identity, logger[, alterFunction])
Send the current query to a remote logger as a :doc:`dnstap <dnstap>` message.
Drop the packet.
-.. function:: ECSOverrideAction(override)
-
- .. deprecated:: 1.6.0
-
- This function has been deprecated in 1.6.0 and removed in 1.7.0, please use :func:`SetECSOverrideAction` instead.
-
- Whether an existing EDNS Client Subnet value should be overridden (true) or not (false).
- Subsequent rules are processed after this action.
-
- :param bool override: Whether or not to override ECS value
-
-.. function:: ECSPrefixLengthAction(v4, v6)
-
- .. deprecated:: 1.6.0
-
- This function has been deprecated in 1.6.0 and removed in 1.7.0, please use :func:`SetECSPrefixLengthAction` instead.
-
- Set the ECS prefix length.
- Subsequent rules are processed after this action.
-
- :param int v4: The IPv4 netmask length
- :param int v6: The IPv6 netmask length
-
.. function:: ERCodeAction(rcode [, options])
- .. versionadded:: 1.4.0
-
- .. versionchanged:: 1.5.0
- Added the optional parameter ``options``.
-
Reply immediately by turning the query into a response with the specified EDNS extended ``rcode``.
``rcode`` can be specified as an integer or as one of the built-in :ref:`DNSRCode`.
.. function:: HTTPStatusAction(status, body, contentType="" [, options])
- .. versionadded:: 1.4.0
-
- .. versionchanged:: 1.5.0
- Added the optional parameter ``options``.
-
.. versionchanged:: 2.0.0
The ``options`` parameter is now deprecated.
.. function:: KeyValueStoreLookupAction(kvs, lookupKey, destinationTag)
- .. versionadded:: 1.4.0
-
Does a lookup into the key value store referenced by 'kvs' using the key returned by 'lookupKey',
and storing the result if any into the tag named 'destinationTag'.
The store can be a CDB (:func:`newCDBKVStore`) or a LMDB database (:func:`newLMDBKVStore`).
.. function:: KeyValueStoreRangeLookupAction(kvs, lookupKey, destinationTag)
- .. versionadded:: 1.7.0
-
Does a range-based lookup into the key value store referenced by 'kvs' using the key returned by 'lookupKey',
and storing the result if any into the tag named 'destinationTag'.
This assumes that there is a key in network byte order for the last element of the range (for example 2001:0db8:ffff:ffff:ffff:ffff:ffff:ffff for 2001:db8::/32) which contains the first element of the range (2001:0db8:0000:0000:0000:0000:0000:0000) (optionally followed by any data) as value, also in network byte order, and that there is no overlapping ranges in the database.
.. function:: LimitTTLResponseAction(min[, max [, types]])
- .. versionadded:: 1.8.0
-
Cap the TTLs of the response to the given boundaries.
:param int min: The minimum allowed value
.. function:: LogAction([filename[, binary[, append[, buffered[, verboseOnly[, includeTimestamp]]]]]])
- .. versionchanged:: 1.4.0
- Added the optional parameters ``verboseOnly`` and ``includeTimestamp``, made ``filename`` optional.
-
- .. versionchanged:: 1.7.0
- Added the ``reload`` method.
-
Log a line for each query, to the specified ``file`` if any, to the console (require verbose) if the empty string is given as filename.
If an empty string is supplied in the file name, the logging is done to stdout, and only in verbose mode by default. This can be changed by setting ``verboseOnly`` to false.
.. function:: LogResponseAction([filename[, append[, buffered[, verboseOnly[, includeTimestamp]]]]]])
- .. versionadded:: 1.5.0
-
- .. versionchanged:: 1.7.0
- Added the ``reload`` method.
-
Log a line for each response, to the specified ``file`` if any, to the console (require verbose) if the empty string is given as filename.
If an empty string is supplied in the file name, the logging is done to stdout, and only in verbose mode by default. This can be changed by setting ``verboseOnly`` to false.
.. function:: LuaFFIAction(function)
- .. versionadded:: 1.5.0
-
Invoke a Lua FFI function that accepts a pointer to a ``dnsdist_ffi_dnsquestion_t`` object, whose bindings are defined in ``dnsdist-lua-ffi-interface.h``.
The ``function`` should return a :ref:`DNSAction`. If the Lua code fails, ServFail is returned.
.. function:: LuaFFIPerThreadAction(function)
- .. versionadded:: 1.7.0
-
Invoke a Lua FFI function that accepts a pointer to a ``dnsdist_ffi_dnsquestion_t`` object, whose bindings are defined in ``dnsdist-lua-ffi-interface.h``.
The ``function`` should return a :ref:`DNSAction`. If the Lua code fails, ServFail is returned.
.. function:: LuaFFIPerThreadResponseAction(function)
- .. versionadded:: 1.7.0
-
Invoke a Lua FFI function that accepts a pointer to a ``dnsdist_ffi_dnsquestion_t`` object, whose bindings are defined in ``dnsdist-lua-ffi-interface.h``.
The ``function`` should return a :ref:`DNSResponseAction`. If the Lua code fails, ServFail is returned.
.. function:: LuaFFIResponseAction(function)
- .. versionadded:: 1.5.0
-
Invoke a Lua FFI function that accepts a pointer to a ``dnsdist_ffi_dnsquestion_t`` object, whose bindings are defined in ``dnsdist-lua-ffi-interface.h``.
The ``function`` should return a :ref:`DNSResponseAction`. If the Lua code fails, ServFail is returned.
:param string function: the name of a Lua function
-.. function:: MacAddrAction(option)
-
- .. deprecated:: 1.6.0
-
- This function has been deprecated in 1.6.0 and removed in 1.7.0, please use :func:`SetMacAddrAction` instead.
-
- Add the source MAC address to the query as EDNS0 option ``option``.
- This action is currently only supported on Linux.
- Subsequent rules are processed after this action.
-
- :param int option: The EDNS0 option number
-
.. function:: NegativeAndSOAAction(nxd, zone, ttl, mname, rname, serial, refresh, retry, expire, minimum [, options])
- .. versionadded:: 1.6.0
-
- .. versionchanged:: 1.8.0
- Added the ``soaInAuthoritySection`` option.
-
Turn a question into a response, either a NXDOMAIN or a NODATA one based on ''nxd'', setting the QR bit to 1 and adding a SOA record in the additional section.
- Note that this function was called :func:`SetNegativeAndSOAAction` before 1.6.0.
:param bool nxd: Whether the answer is a NXDOMAIN (true) or a NODATA (false)
:param string zone: The owner name for the SOA record
Does nothing.
Subsequent rules are processed after this action.
-.. function:: NoRecurseAction()
-
- .. deprecated:: 1.6.0
-
- This function has been deprecated in 1.6.0 and removed in 1.7.0, please use :func:`SetNoRecurseAction` instead.
-
- Strip RD bit from the question, let it go through.
- Subsequent rules are processed after this action.
-
.. function:: PoolAction(poolname [, stop])
- .. versionchanged:: 1.8.0
- Added the ``stop`` optional parameter.
-
Send the packet into the specified pool. If ``stop`` is set to false, subsequent rules will be processed after this action.
:param string poolname: The name of the pool
.. function:: QPSPoolAction(maxqps, poolname [, stop])
- .. versionchanged:: 1.8.0
- Added the ``stop`` optional parameter.
-
Send the packet into the specified pool only if it does not exceed the ``maxqps`` queries per second limits. If ``stop`` is set to false, subsequent rules will be processed after this action.
Letting the subsequent rules apply otherwise.
.. function:: RCodeAction(rcode [, options])
- .. versionchanged:: 1.5.0
- Added the optional parameter ``options``.
-
Reply immediately by turning the query into a response with the specified ``rcode``.
``rcode`` can be specified as an integer or as one of the built-in :ref:`DNSRCode`.
.. function:: RemoteLogAction(remoteLogger[, alterFunction [, options [, metas]]])
- .. versionchanged:: 1.4.0
- ``ipEncryptKey`` optional key added to the options table.
-
- .. versionchanged:: 1.8.0
- ``metas`` optional parameter added.
- ``exportTags`` optional key added to the options table.
-
.. versionchanged:: 2.2.0
``exportTagsKeyOnly``, ``exportTagsPrefixes`` and ``exportTagsStripPrefixes`` optional keys added to the options table.
.. function:: RemoteLogResponseAction(remoteLogger[, alterFunction[, includeCNAME [, options [, metas [, delay]]]]])
- .. versionchanged:: 1.4.0
- ``ipEncryptKey`` optional key added to the options table.
-
- .. versionchanged:: 1.8.0
- ``metas`` optional parameter added.
- ``exportTags`` optional key added to the options table.
-
.. versionchanged:: 1.9.0
``exportExtendedErrorsToMeta`` optional key added to the options table.
.. function:: SetAdditionalProxyProtocolValueAction(type, value)
- .. versionadded:: 1.6.0
-
Add a Proxy-Protocol Type-Length value to be sent to the server along with this query. It does not replace any
existing value with the same type but adds a new value.
Be careful that Proxy Protocol values are sent once at the beginning of the TCP connection for TCP and DoT queries.
.. function:: SetDisableECSAction()
- .. versionadded:: 1.6.0
-
Disable the addition of EDNS Client Subnet information by :program:`dnsdist` before passing queries to the backend.
This does not remove any existing EDNS Client Subnet value sent by the client, please have a look at :func:`SetEDNSOptionAction` instead.
Subsequent rules are processed after this action.
.. function:: SetDisableValidationAction()
- .. versionadded:: 1.6.0
-
Set the CD bit in the query and let it go through.
Subsequent rules are processed after this action.
Note that this function was called :func:`DisableValidationAction` before 1.6.0.
.. function:: SetECSOverrideAction(override)
- .. versionadded:: 1.6.0
-
Whether an existing EDNS Client Subnet value should be overridden (true) or not (false).
Subsequent rules are processed after this action.
Note that this function was called :func:`ECSOverrideAction` before 1.6.0.
.. function:: SetECSPrefixLengthAction(v4, v6)
- .. versionadded:: 1.6.0
-
Set the ECS prefix length.
Subsequent rules are processed after this action.
Note that this function was called :func:`ECSPrefixLengthAction` before 1.6.0.
.. function:: SetEDNSOptionAction(option)
- .. versionadded:: 1.7.0
-
Add arbitrary EDNS option and data to the query. Any existing EDNS content with the same option code will be overwritten.
Subsequent rules are processed after this action.
.. function:: SetMacAddrAction(option)
- .. versionadded:: 1.6.0
-
Add the source MAC address to the query as EDNS0 option ``option``.
This action is currently only supported on Linux.
Subsequent rules are processed after this action.
.. function:: SetMaxReturnedTTLAction(max)
- .. versionadded:: 1.8.0
-
Cap the TTLs of the response to the given maximum, but only after inserting the response into the packet cache with the initial TTL values.
:param int max: The maximum allowed value
.. function:: SetMaxReturnedTTLResponseAction(max)
- .. versionadded:: 1.8.0
-
Cap the TTLs of the response to the given maximum, but only after inserting the response into the packet cache with the initial TTL values.
:param int max: The maximum allowed value
.. function:: SetMaxTTLResponseAction(max)
- .. versionadded:: 1.8.0
-
Cap the TTLs of the response to the given maximum.
:param int max: The maximum allowed value
.. function:: SetMinTTLResponseAction(min)
- .. versionadded:: 1.8.0
-
Cap the TTLs of the response to the given minimum.
:param int min: The minimum allowed value
.. function:: SetNoRecurseAction()
- .. versionadded:: 1.6.0
-
Strip RD bit from the question, let it go through.
Subsequent rules are processed after this action.
Note that this function was called :func:`NoRecurseAction` before 1.6.0.
-.. function:: SetNegativeAndSOAAction(nxd, zone, ttl, mname, rname, serial, refresh, retry, expire, minimum [, options])
-
- .. versionadded:: 1.5.0
-
- .. deprecated:: 1.6.0
-
- This function has been deprecated in 1.6.0 and removed in 1.7.0, please use :func:`NegativeAndSOAAction` instead.
-
- Turn a question into a response, either a NXDOMAIN or a NODATA one based on ''nxd'', setting the QR bit to 1 and adding a SOA record in the additional section.
-
- :param bool nxd: Whether the answer is a NXDOMAIN (true) or a NODATA (false)
- :param string zone: The owner name for the SOA record
- :param int ttl: The TTL of the SOA record
- :param string mname: The mname of the SOA record
- :param string rname: The rname of the SOA record
- :param int serial: The value of the serial field in the SOA record
- :param int refresh: The value of the refresh field in the SOA record
- :param int retry: The value of the retry field in the SOA record
- :param int expire: The value of the expire field in the SOA record
- :param int minimum: The value of the minimum field in the SOA record
- :param table options: A table with key: value pairs with options
-
- Options:
-
- * ``aa``: bool - Set the AA bit to this value (true means the bit is set, false means it's cleared). Default is to clear it.
- * ``ad``: bool - Set the AD bit to this value (true means the bit is set, false means it's cleared). Default is to clear it.
- * ``ra``: bool - Set the RA bit to this value (true means the bit is set, false means it's cleared). Default is to copy the value of the RD bit from the incoming query.
-
.. function:: SetProxyProtocolValuesAction(values)
- .. versionadded:: 1.5.0
-
Set the Proxy-Protocol Type-Length values to be sent to the server along with this query to ``values``.
Subsequent rules are processed after this action.
.. function:: SetReducedTTLResponseAction(percentage)
- .. versionadded:: 1.8.0
-
Reduce the TTL of records in a response to a percentage of the original TTL. For example,
passing 50 means that the original TTL will be cut in half.
Subsequent rules are processed after this action.
.. function:: SetSkipCacheAction()
- .. versionadded:: 1.6.0
-
Don't lookup the cache for this query, don't store the answer.
Subsequent rules are processed after this action.
Note that this function was called :func:`SkipCacheAction` before 1.6.0.
.. function:: SetSkipCacheResponseAction()
- .. versionadded:: 1.6.0
-
Don't store this answer into the cache.
Subsequent rules are processed after this action.
.. function:: SetTagAction(name, value)
- .. versionadded:: 1.6.0
-
- .. versionchanged:: 1.7.0
- Prior to 1.7.0 :func:`SetTagAction` would not overwrite an existing tag value if already set.
-
Associate a tag named ``name`` with a value of ``value`` to this query, that will be passed on to the response.
This function will overwrite any existing tag value.
Subsequent rules are processed after this action.
.. function:: SetTagResponseAction(name, value)
- .. versionadded:: 1.6.0
-
- .. versionchanged:: 1.7.0
- Prior to 1.7.0 :func:`SetTagResponseAction` would not overwrite an existing tag value if already set.
-
Associate a tag named ``name`` with a value of ``value`` to this response.
This function will overwrite any existing tag value.
Subsequent rules are processed after this action.
.. function:: SetTempFailureCacheTTLAction(ttl)
- .. versionadded:: 1.6.0
-
Set the cache TTL to use for ServFail and Refused replies. TTL is not applied for successful replies.
Subsequent rules are processed after this action.
Note that this function was called :func:`TempFailureCacheTTLAction` before 1.6.0.
* ``traceparentOptionCode``: integer, default 65500. The EDNS option code for TRACEPARENT EDNS option.
* ``sendDownstreamTraceparent``: boolean, default false. When true, a TRACEPARENT EDNS option is added to the downstream query with the active Trace ID and the last Span ID of the trace.
-.. function:: SkipCacheAction()
-
- .. deprecated:: 1.6.0
-
- This function has been deprecated in 1.6.0 and removed in 1.7.0, please use :func:`SetSkipAction` instead.
-
- Don't lookup the cache for this query, don't store the answer.
- Subsequent rules are processed after this action.
-
.. function:: SNMPTrapAction([message])
Send an SNMP trap, adding the optional ``message`` string as the query description.
.. function:: SpoofAction(ip [, options])
SpoofAction(ips [, options])
- .. versionchanged:: 1.5.0
- Added the optional parameter ``options``.
-
- .. versionchanged:: 1.6.0
- Up to 1.6.0, the syntax for this function was ``SpoofAction(ips[, ip[, options]])``.
-
Forge a response with the specified IPv4 (for an A query) or IPv6 (for an AAAA) addresses.
If you specify multiple addresses, all that match the query type (A, AAAA or ANY) will get spoofed in.
.. function:: SpoofCNAMEAction(cname [, options])
- .. versionchanged:: 1.5.0
- Added the optional parameter ``options``.
-
Forge a response with the specified CNAME value.
:param string cname: The name to respond with
.. function:: SpoofRawAction(rawAnswer [, options])
SpoofRawAction(rawAnswers [, options])
- .. versionadded:: 1.5.0
-
- .. versionchanged:: 1.6.0
- Up to 1.6.0, it was only possible to spoof one answer.
-
.. versionchanged:: 1.9.0
Added the optional parameter ``typeForAny``.
.. function:: SpoofSVCAction(svcParams [, options])
- .. versionadded:: 1.7.0
-
Forge a response with the specified SVC record data. If the list contains more than one :class:`SVCRecordParameters` (generated via :func:`newSVCRecordParameters`) object, they are all returned,
and should have different priorities.
The hints provided in the SVC parameters, if any, will also be added as A/AAAA records in the additional section, using the target name present in the parameters as owner name if it's not empty (root) and the qname instead.
.. function:: SpoofPacketAction(rawPacket, len)
- .. versionadded:: 1.8.0
-
Spoof a raw self-generated answer
:param string rawPacket: The raw wire-ready DNS answer
:param int len: The length of the packet
-.. function:: TagAction(name, value)
-
- .. deprecated:: 1.6.0
- This function has been deprecated in 1.6.0 and removed in 1.7.0, please use :func:`SetTagAction` instead.
-
- Associate a tag named ``name`` with a value of ``value`` to this query, that will be passed on to the response.
- Subsequent rules are processed after this action.
-
- :param string name: The name of the tag to set
- :param string value: The value of the tag
-
-.. function:: TagResponseAction(name, value)
-
- .. deprecated:: 1.6.0
- This function has been deprecated in 1.6.0 and removed in 1.7.0, please use :func:`SetTagResponseAction` instead.
-
- Associate a tag named ``name`` with a value of ``value`` to this response.
- Subsequent rules are processed after this action.
-
- :param string name: The name of the tag to set
- :param string value: The value of the tag
-
.. function:: TCAction()
- .. versionchanged:: 1.7.0
- This action is now only performed over UDP transports.
-
Create answer to query with the TC bit set, and the RA bit set to the value of RD in the query, to force the client to TCP.
Before 1.7.0 this action was performed even when the query had been received over TCP, which required the use of :func:`TCPRule` to
prevent the TC bit from being set over TCP transports.
.. function:: TeeAction(remote[, addECS[, local [, addProxyProtocol]]])
- .. versionchanged:: 1.8.0
- Added the optional parameter ``local``.
-
.. versionchanged:: 1.9.0
Added the optional parameter ``addProxyProtocol``.
:param str local: The local address to use to send queries. The default is to let the kernel pick one.
:param bool addProxyProtocol: Whether to prepend a proxy protocol v2 payload in front of the query. Default to false.
-.. function:: TempFailureCacheTTLAction(ttl)
-
- .. deprecated:: 1.6.0
-
- This function has been deprecated in 1.6.0 and removed in 1.7.0, please use :func:`SetTempFailureCacheTTLAction` instead.
-
- Set the cache TTL to use for ServFail and Refused replies. TTL is not applied for successful replies.
- Subsequent rules are processed after this action.
-
- :param int ttl: Cache TTL for temporary failure replies
-
.. function:: UnsetTagAction(name)
.. versionadded:: 2.1.0
.. function:: addCapabilitiesToRetain(capabilities)
- .. versionadded:: 1.7.0
-
Accept a Linux capability as a string, or a list of these, to retain after startup so that privileged operations can still be performed at runtime.
Keeping ``CAP_SYS_ADMIN`` on kernel 5.8+ for example allows loading eBPF programs and altering eBPF maps at runtime even if the ``kernel.unprivileged_bpf_disabled`` sysctl is set.
Note that this does not grant the capabilities to the process, doing so might be done by running it as root which we don't advise, or by adding capabilities via the systemd unit file, for example.
.. function:: reloadAllCertificates()
- .. versionadded:: 1.4.0
-
Reload all DNSCrypt and TLS certificates, along with their associated keys.
.. function:: setSyslogFacility(facility)
- .. versionadded:: 1.4.0
-
- .. versionchanged:: 1.6.0
- ``facility`` can now be a string.
-
Set the syslog logging facility to ``facility``.
:param int or str facility: The new facility as a numeric value (raw value as defined in syslog.h), or as a case-insensitive string ("LOCAL0", or "daemon", for example). Defaults to LOG_DAEMON.
.. function:: addLocal(address[, options])
- .. versionchanged:: 1.4.0
- Removed ``doTCP`` from the options. A listen socket on TCP is always created.
-
- .. versionchanged:: 1.5.0
- Added ``tcpListenQueueSize`` parameter.
-
- .. versionchanged:: 1.6.0
- Added ``maxInFlight`` and ``maxConcurrentTCPConnections`` parameters.
-
.. versionchanged:: 1.9.0
Added the ``enableProxyProtocol`` parameter, which was always ``true`` before 1.9.0, and the``xskSocket`` one.
.. function:: addDOHLocal(address, [certFile(s) [, keyFile(s) [, urls [, options]]]])
- .. versionadded:: 1.4.0
-
- .. versionchanged:: 1.5.0
- ``internalPipeBufferSize``, ``sendCacheControlHeaders``, ``sessionTimeout``, ``trustForwardedForHeader`` options added.
- ``url`` now defaults to ``/dns-query`` instead of ``/``, and does exact matching instead of accepting sub-paths. Added ``tcpListenQueueSize`` parameter.
-
- .. versionchanged:: 1.6.0
- ``enableRenegotiation``, ``exactPathMatching``, ``maxConcurrentTCPConnections`` and ``releaseBuffers`` options added.
- ``internalPipeBufferSize`` now defaults to 1048576 on Linux.
-
- .. versionchanged:: 1.8.0
- ``certFile`` now accepts a :class:`TLSCertificate` object or a list of such objects (see :func:`newTLSCertificate`)
- ``additionalAddresses``, ``ignoreTLSConfigurationErrors`` and ``keepIncomingHeaders`` options added.
-
.. versionchanged:: 1.9.0
``enableProxyProtocol``, ``ktls``, ``library``, ``proxyProtocolOutsideTLS``, ``readAhead``, ``tlsAsyncMode`` options added.
.. function:: addTLSLocal(address, certFile(s), keyFile(s) [, options])
- .. versionchanged:: 1.4.0
- ``ciphersTLS13``, ``minTLSVersion``, ``ocspResponses``, ``preferServerCiphers``, ``keyLogFile`` options added.
- .. versionchanged:: 1.5.0
- ``sessionTimeout`` and ``tcpListenQueueSize`` options added.
- .. versionchanged:: 1.6.0
- ``enableRenegotiation``, ``maxConcurrentTCPConnections``, ``maxInFlight`` and ``releaseBuffers`` options added.
- .. versionchanged:: 1.8.0
- ``tlsAsyncMode`` option added.
- .. versionchanged:: 1.8.0
- ``certFile`` now accepts a :class:`TLSCertificate` object or a list of such objects (see :func:`newTLSCertificate`).
- ``additionalAddresses``, ``ignoreTLSConfigurationErrors`` and ``ktls`` options added.
.. versionchanged:: 1.9.0
``enableProxyProtocol``, ``readAhead`` and ``proxyProtocolOutsideTLS`` options added.
.. versionchanged:: 2.2.0
.. function:: clearConsoleHistory()
- .. versionadded:: 1.6.0
-
Clear the internal (in-memory) buffers of console commands. These buffers are used to provide the :func:`delta` command and
console completion and history, and can end up being quite large when a lot of commands are issued via the console, consuming
a noticeable amount of memory.
.. function:: inConfigCheck()
- .. versionadded:: 1.5.0
-
Returns true while the configuration is being checked, ie when run with ``--check-config``.
.. function:: makeKey()
.. function:: setConsoleMaximumConcurrentConnections(max)
- .. versionadded:: 1.6.0
-
Set the maximum number of concurrent console connections.
:param int max: The maximum number of concurrent console connections, or 0 which means an unlimited number. Defaults to 100
.. function:: hashPassword(password [, workFactor])
- .. versionadded:: 1.7.0
-
Hash the supplied password using a random salt, and returns a string that can be used with :func:`setWebserverConfig`.
For example, to get a hashed version of the ``test`` password:
:param string password: The password to hash
:param int workFactor: The work factor to use for the hash function (currently scrypt), as a power of two. Default is 1024.
-.. function:: webserver(listen_address [, password[, apikey[, customHeaders[, acl]]]])
-
- .. versionchanged:: 1.5.0
- ``acl`` optional parameter added.
+.. function:: webserver(listen_address)
- .. versionchanged:: 1.6.0
- The ``password`` parameter is now optional.
- The use of optional parameters is now deprecated. Please use :func:`setWebserverConfig` instead.
-
- .. versionchanged:: 1.8.0
- The ``password``, ``apikey``, ``customHeaders`` and ``acl`` parameters is no longer supported.
- Please use :func:`setWebserverConfig` instead.
-
- Launch the :doc:`../guides/webserver` with statistics and the API. Note that the parameters are global, so the parameter from the last ``webserver`` will override any existing ones. For this reason :func:`setWebserverConfig` should be used instead of specifying optional parameters here.
+ Launch the :doc:`../guides/webserver` with statistics and the API. Use :func:`setWebserverConfig` to configure the webserver
:param str listen_address: The IP address and Port to listen on
:param str password: The password required to access the webserver
.. function:: setWebserverConfig(options)
- .. versionchanged:: 1.5.0
- ``acl`` optional parameter added.
-
- .. versionchanged:: 1.6.0
- ``statsRequireAuthentication``, ``maxConcurrentConnections`` optional parameters added.
-
- .. versionchanged:: 1.7.0
- The optional ``password`` and ``apiKey`` parameters now accept hashed passwords.
- The optional ``hashPlaintextCredentials`` parameter has been added.
-
- .. versionchanged:: 1.8.0
- ``apiRequiresAuthentication``, ``dashboardRequiresAuthentication`` optional parameters added.
-
.. versionchanged:: 2.1.0
``allowCrossOriginRequests`` and ``prometheusAddInstanceLabel`` optional parameters added.
.. function:: showWebserverConfig()
- .. versionadded:: 1.7.0
-
Show the current webserver configuration. See :func:`webserver`.
.. function:: setACLFromFile(fname)
- .. versionadded:: 1.6.0
-
Reset the ACL to the list of netmasks from the given file. See :ref:`ACL` for more information.
:param str fname: The path to a file containing a list of netmasks. Empty lines or lines starting with "#" are ignored.
.. function:: setProxyProtocolACL(netmasks)
- .. versionadded:: 1.6.0
-
Set the list of netmasks from which a Proxy Protocol header will be required, over UDP, TCP and DNS over TLS. The default is empty. Note that a proxy protocol payload will be required from these clients, regular DNS queries will no longer be accepted if they are not preceded by a proxy protocol payload. Be also aware that, if :func:`setProxyProtocolApplyACLToProxiedClients` is set (default is false), the general ACL will be applied to the source IP address as seen by dnsdist first, but also to the source IP address provided in the Proxy Protocol header.
:param {str} netmasks: A table of CIDR netmask, e.g. ``{"192.0.2.0/24", "2001:DB8:14::/56"}``. Without a subnetmask, only the specific address is allowed.
.. function:: setProxyProtocolApplyACLToProxiedClients(apply)
- .. versionadded:: 1.6.0
-
Whether the general ACL should be applied to the source IP address provided in the Proxy Protocol header, in addition to being applied to the source IP address as seen by dnsdist first.
:param bool apply: Whether it should be applied or not (default is false).
.. function:: setRingBuffersOptions(options)
- .. versionadded:: 1.8.0
-
.. versionchanged:: 2.1.0
``samplingRate`` option added.
.. function:: setRingBuffersSize(num [, numberOfShards])
- .. versionchanged:: 1.6.0
- ``numberOfShards`` defaults to 10.
-
Set the capacity of the ringbuffers used for live traffic inspection to ``num``, and the number of shards to ``numberOfShards`` if specified.
Increasing the number of entries comes at both a memory cost (around 250 MB for 1 million entries) and a CPU processing cost, so we strongly advise not going over 1 million entries.
.. function:: newServer(server_string)
newServer(server_table)
- .. versionchanged:: 1.4.0
- Added ``checkInterval``, ``checkTimeout`` and ``rise`` to server_table.
-
- .. versionchanged:: 1.5.0
- Added ``useProxyProtocol`` to server_table.
-
- .. versionchanged:: 1.6.0
- Added ``maxInFlight`` to server_table.
-
- .. versionchanged:: 1.7.0
- Added ``addXForwardedHeaders``, ``caStore``, ``checkTCP``, ``ciphers``, ``ciphers13``, ``dohPath``, ``enableRenegotiation``, ``releaseBuffers``, ``subjectName``, ``tcpOnly``, ``tls`` and ``validateCertificates`` to server_table.
-
- .. versionchanged:: 1.8.0
- Added ``autoUpgrade``, ``autoUpgradeDoHKey``, ``autoUpgradeInterval``, ``autoUpgradeKeep``, ``autoUpgradePool``, ``maxConcurrentTCPConnections``, ``subjectAddr``, ``lazyHealthCheckSampleSize``, ``lazyHealthCheckMinSampleCount``, ``lazyHealthCheckThreshold``, ``lazyHealthCheckFailedInterval``, ``lazyHealthCheckMode``, ``lazyHealthCheckUseExponentialBackOff``, ``lazyHealthCheckMaxBackOff``, ``lazyHealthCheckWhenUpgraded``, ``healthCheckMode`` and ``ktls`` to server_table.
-
.. versionchanged:: 1.9.0
Added ``MACAddr``, ``proxyProtocolAdvertiseTLS`` and ``xskSockets`` to server_table.
.. function:: getServer(index) -> Server
- .. versionchanged:: 1.5.0
- ``index`` might be an UUID.
-
Get a :class:`Server`
:param int or str index: The number of the server (as seen in :func:`showServers`) or its UUID as a string.
rmServer(uuid)
rmServer(server)
- .. versionchanged:: 1.5.0
- ``uuid`` selection added.
-
Remove a backend server.
:param int or str index: The number of the server (as seen in :func:`showServers`), its UUID as a string, or a server object.
.. method:: getLatency() -> double
- .. versionadded:: 1.6.0
-
Return the average latency of this server over the last 128 UDP queries, in microseconds.
:returns: The number of outstanding queries
.. method:: getDrops() -> int
- .. versionadded:: 1.6.0
-
Get the number of dropped queries for this server.
:returns: The number of dropped queries
.. method:: setLazyAuto([status])
- .. versionadded:: 1.8.0
-
Set the server in the ``lazy`` health-check mode.
This will only enable active health check queries after a configurable threshold of failing regular queries has been reached, and
only for a short time. See :ref:`Healthcheck` for a more detailed explanation.
.. function:: getPoolNames() -> [ table of names]
- .. versionadded:: 1.8.0
-
Returns a table of all pool names
.. function:: showPools()
A Pool can have a packet cache to answer queries directly instead of going to the backend.
See :doc:`../guides/cache` for a how to.
-.. function:: newPacketCache(maxEntries[, maxTTL=86400[, minTTL=0[, temporaryFailureTTL=60[, staleTTL=60[, dontAge=false[, numberOfShards=1[, deferrableInsertLock=true[, maxNegativeTTL=3600[, parseECS=false]]]]]]]) -> PacketCache
-
- .. deprecated:: 1.4.0
-
- Creates a new :class:`PacketCache` with the settings specified.
-
- :param int maxEntries: The maximum number of entries in this cache
- :param int maxTTL: Cap the TTL for records to his number
- :param int minTTL: Don't cache entries with a TTL lower than this
- :param int temporaryFailureTTL: On a SERVFAIL or REFUSED from the backend, cache for this amount of seconds
- :param int staleTTL: When the backend servers are not reachable, and global configuration ``setStaleCacheEntriesTTL`` is set appropriately, TTL that will be used when a stale cache entry is returned
- :param bool dontAge: Don't reduce TTLs when serving from the cache. Use this when :program:`dnsdist` fronts a cluster of authoritative servers
- :param int numberOfShards: Number of shards to divide the cache into, to reduce lock contention
- :param bool deferrableInsertLock: Whether the cache should give up insertion if the lock is held by another thread, or simply wait to get the lock
- :param int maxNegativeTTL: Cache a NXDomain or NoData answer from the backend for at most this amount of seconds, even if the TTL of the SOA record is higher
- :param bool parseECS: Whether any EDNS Client Subnet option present in the query should be extracted and stored to be able to detect hash collisions involving queries with the same qname, qtype and qclass but a different incoming ECS value. Enabling this option adds a parsing cost and only makes sense if at least one backend might send different responses based on the ECS value, so it's disabled by default
-
.. function:: newPacketCache(maxEntries, [options]) -> PacketCache
- .. versionadded:: 1.4.0
-
- .. versionchanged:: 1.6.0
- ``cookieHashing`` parameter added.
- ``numberOfShards`` now defaults to 20.
-
- .. versionchanged:: 1.7.0
- ``skipOptions`` parameter added.
-
.. versionchanged:: 1.9.0
``maximumEntrySize`` parameter added.
.. method:: expungeByName(name [, qtype=DNSQType.ANY[, suffixMatch=false]])
- .. versionchanged:: 1.6.0
- ``name`` can now also be a string
-
.. versionchanged:: 2.2.0
``name`` can now also be a list of strings or DNSNames
.. method:: getAddressListByDomain(domain)
- .. versionadded:: 1.8.0
-
This method looks up the answers present in the cache for the supplied domain, and returns the list of addresses present in the answer section of these answers (in A records for IPv4 addresses, and AAAA records for IPv6 ones). The addresses are returned as a list of :class:`ComboAddress` objects.
:param DNSName domain: The domain to look for
.. method:: getDomainListByAddress(addr)
- .. versionadded:: 1.8.0
-
Return a list of domains, as :class:`DNSName` objects, for which an answer is present in the cache and has a corresponding A record (for IPv4 addresses) or AAAA record (for IPv6 addresses) in the answer section.
:param ComboAddress addr: The address to look for
.. method:: getStats()
- .. versionadded:: 1.4.0
-
Return the cache stats (number of entries, hits, misses, deferred lookups, deferred inserts, lookup collisions, insert collisions and TTL too shorts) as a Lua table.
.. method:: isFull() -> bool
.. function:: getBindCount()
- .. versionadded:: 1.5.0
-
Return the number of binds (Do53, DNSCrypt, DoH and DoT).
ClientState functions
.. method:: getEffectiveTLSProvider() -> string
- .. versionadded:: 1.7.0
-
Return the name of the TLS provider actually used.
.. method:: getRequestedTLSProvider() -> string
- .. versionadded:: 1.7.0
-
Return the name of the TLS provider requested in the configuration.
.. method:: getType() -> string
- .. versionadded:: 1.7.0
-
Return the type of the frontend: UDP, UDP (DNSCrypt), TCP, TCP (DNSCrypt), TCP (DNS over TLS) or TCP (DNS over HTTPS).
.. method:: toString() -> string
.. function:: getDOHFrontend(idx)
- .. versionadded:: 1.4.0
-
Return the :class:`DOHFrontend` object for the DNS over HTTPS bind of index ``idx``.
.. function:: getDOHFrontendCount()
- .. versionadded:: 1.5.0
-
Return the number of :class:`DOHFrontend` binds.
.. function:: getDOH3Frontend(idx)
.. function:: getListOfAddressesOfNetworkInterface(itf)
- .. versionadded:: 1.8.0
-
Return the list of addresses configured on a given network interface, as strings.
This function requires support for ``getifaddrs``, which is known to be present on FreeBSD, Linux, and OpenBSD at least.
.. function:: getListOfNetworkInterfaces()
- .. versionadded:: 1.8.0
-
Return the list of network interfaces configured on the system, as strings.
This function requires support for ``getifaddrs``, which is known to be present on FreeBSD, Linux, and OpenBSD at least.
.. function:: getListOfRangesOfNetworkInterface(itf)
- .. versionadded:: 1.8.0
-
Return the list of network ranges configured on a given network interface, as strings.
This function requires support for ``getifaddrs``, which is known to be present on FreeBSD, Linux, and OpenBSD at least.
.. function:: getMACAddress(ip) -> str
- .. versionadded:: 1.8.0
-
Return the link-level address (MAC) corresponding to the supplied neighbour IP address, if known by the kernel.
The link-level address is returned as a raw binary string. An empty string is returned if no matching entry has been found.
This function is only implemented on Linux.
.. function:: getOutgoingTLSSessionCacheSize()
- .. versionadded:: 1.7.0
-
Return the number of TLS sessions (for outgoing connections) currently cached.
.. function:: getTLSContext(idx)
.. function:: getTLSFrontendCount()
- .. versionadded:: 1.5.0
-
Return the number of TLSFrontend binds.
.. function:: getTopCacheHitResponseRules([top])
- .. versionadded:: 1.6.0
-
Return the cache-hit response rules that matched the most.
:param int top: How many response rules to return. Default is 10.
.. function:: getTopCacheInsertedResponseRules([top])
- .. versionadded:: 1.8.0
-
Return the cache-inserted response rules that matched the most.
:param int top: How many response rules to return. Default is 10.
.. function:: getTopResponseRules([top])
- .. versionadded:: 1.6.0
-
Return the response rules that matched the most.
:param int top: How many response rules to return. Default is 10.
.. function:: getTopRules([top])
- .. versionadded:: 1.6.0
-
Return the rules that matched the most.
:param int top: How many rules to return. Default is 10.
.. function:: getTopSelfAnsweredRules([top])
- .. versionadded:: 1.6.0
-
Return the self-answered rules that matched the most.
:param int top: How many rules to return. Default is 10.
.. function:: setVerbose(verbose)
- .. versionadded:: 1.8.0
-
Set whether log messages issued at the verbose level should be logged. This is turned off by default.
:param bool verbose: Set to true if you want to enable verbose logging
.. function:: getVerbose()
- .. versionadded:: 1.8.0
-
Get whether log messages issued at the verbose level should be logged. This is turned off by default.
.. function:: setVerboseHealthChecks(verbose)
.. function:: setVerboseLogDestination(dest)
- .. versionadded:: 1.8.0
-
Set a destination file to write the 'verbose' log messages to, instead of sending them to syslog and/or the standard output which is the default.
Note that these messages will no longer be sent to syslog or the standard output once this option has been set.
There is no rotation or file size limit.
.. function:: showDOHFrontends()
- .. versionadded:: 1.4.0
-
Print the list of all available DNS over HTTPS frontends.
.. function:: showDOH3Frontends()
.. function:: showDOHResponseCodes()
- .. versionadded:: 1.4.0
-
Print the HTTP response codes statistics for all available DNS over HTTPS frontends.
.. function:: showDOQFrontends()
.. function:: showServers([options])
- .. versionchanged:: 1.4.0
- ``options`` optional parameter added
-
This function shows all backend servers currently configured and some statistics.
These statistics have the following fields:
.. function:: showTLSErrorCounters()
- .. versionadded:: 1.4.0
-
Display metrics about TLS handshake failures.
.. function:: showTLSContexts()
.. function:: topCacheHitResponseRules([top [, options]])
- .. versionadded:: 1.6.0
-
This function shows the cache-hit response rules that matched the most.
:param int top: How many rules to show.
.. function:: topCacheInsertedResponseRules([top [, options]])
- .. versionadded:: 1.8.0
-
This function shows the cache-inserted response rules that matched the most.
:param int top: How many rules to show.
.. function:: topResponseRules([top [, options]])
- .. versionadded:: 1.6.0
-
This function shows the response rules that matched the most.
:param int top: How many rules to show.
.. function:: topRules([top [, options]])
- .. versionadded:: 1.6.0
-
This function shows the rules that matched the most.
:param int top: How many rules to show.
.. function:: topSelfAnsweredResponseRules([top [, options]])
- .. versionadded:: 1.6.0
-
This function shows the self-answered response rules that matched the most.
:param int top: How many rules to show.
.. function:: setDynBlocksPurgeInterval(sec)
- .. versionadded:: 1.6.0
-
Set at which interval, in seconds, the expired dynamic blocks entries will be effectively removed from the tree. Entries are not applied anymore as
soon as they expire, but they remain in the tree for a while for performance reasons. Removing them makes the addition of new entries faster and
frees up the memory they use.
.. method:: setMasks(v4, v6, port)
- .. versionadded:: 1.7.0
-
.. versionchanged:: 2.1.0
Queries and corresponding responses coming from an excluded (see :meth:`DynBlockRulesGroup::excludeRange`) client no longer count towards the thresholds for the aggregated subnet the client belongs to.
.. method:: setRCodeRatio(rcode, ratio, seconds, reason, blockingTime, minimumNumberOfResponses [, action [, warningRate, [options]]])
- .. versionadded:: 1.5.0
-
.. versionchanged:: 2.0.0
``options`` optional parameter added
.. method:: setSuffixMatchRule(seconds, reason, blockingTime, action, visitor, [options])
- .. versionadded:: 1.4.0
-
- .. versionchanged:: 1.7.0
- This visitor function can now optionally return an additional string which will be set as the ``reason`` for the dynamic block.
-
.. versionchanged:: 1.9.0
This visitor function can now optionally return an additional integer which will be set as the ``action`` for the dynamic block.
.. method:: setSuffixMatchRuleFFI(seconds, reason, blockingTime, action , visitor, [options])
- .. versionadded:: 1.4.0
-
.. versionchanged:: 2.0.0
``options`` optional parameter added
.. method:: setQuiet(quiet)
- .. versionadded:: 1.4.0
-
Set whether newly blocked clients or domains should be logged.
:param bool quiet: True means that insertions will not be logged, false that they will. Default is false.
.. method:: excludeDomains(domains)
- .. versionadded:: 1.4.0
-
Exclude this domain, or list of domains, meaning that no dynamic block will ever be inserted for this domain via :meth:`DynBlockRulesGroup.setSuffixMatchRule` or :meth:`DynBlockRulesGroup.setSuffixMatchRuleFFI`. Default to empty, meaning rules are applied to all domains.
:param str domain: A domain, or list of domains, as strings, like for example "powerdns.com"
.. method:: excludeRange(netmasks)
- .. versionchanged:: 1.6.0
- This method now accepts a :class:`NetmaskGroup` object.
-
Exclude this range, or list of ranges, meaning that no dynamic block will ever be inserted for clients in that range. Default to empty, meaning rules are applied to all ranges. When used in combination with :meth:`DynBlockRulesGroup.includeRange`, the more specific entry wins.
:param list netmasks: A :class:`NetmaskGroup` object, or a netmask or list of netmasks as strings, like for example "192.0.2.1/24"
.. method:: includeRange(netmasks)
- .. versionchanged:: 1.6.0
- This method now accepts a :class:`NetmaskGroup` object.
-
Include this range, or list of ranges, meaning that rules will be applied to this range. When used in combination with :meth:`DynBlockRulesGroup.excludeRange`, the more specific entry wins.
:param list netmasks: A :class:`NetmaskGroup` object, or a netmask or list of netmasks as strings, like for example "192.0.2.1/24"
.. method:: removeRange(netmasks)
- .. versionadded:: 1.8.3
-
Remove a previously included or excluded range. The range should be an exact match of the existing entry to remove.
:param list netmasks: A :class:`NetmaskGroup` object, or a netmask or list of netmasks as strings, like for example "192.0.2.1/24"
.. attribute:: hits
- .. versionadded:: 1.8.0
-
The number of cache hits for that node.
.. attribute:: nxdomains
.. method:: add(name)
- .. versionchanged:: 1.4.0
- This method now accepts strings, lists of DNSNames and lists of strings.
-
Add a suffix to the current set.
:param DNSName name: The suffix to add to the set.
.. method:: getBestMatch(name) -> DNSName
- .. versionadded:: 1.8.0
-
Returns the best match for the supplied name, or nil if there was no match.
:param DNSName name: The name to look up.
.. method:: remove(name)
- .. versionadded:: 1.5.0
-
Remove a suffix from the current set.
:param DNSName name: The suffix to remove from the set.
.. function:: getCurrentTime() -> timespec
- .. versionadded:: 1.8.0
-
Return the current time, in whole seconds and nanoseconds since epoch.
:returns: A timespec object, see :ref:`timespec`
.. function:: getResolvers(path)
- .. versionadded:: 1.8.0
-
This function can be used to get a Lua table of name servers from a file in the resolv.conf format.
:param str path: The path to the file, usually /etc/resolv.conf
.. function:: threadmessage(cmd, dict)
- .. versionadded:: 1.8.0
-
This function, if it exists, is called when a separate thread (made with :func:`newThread`) calls :func:`submitToMainThread`.
.. function:: newThread(code)
- .. versionadded:: 1.8.0
-
Spawns a separate thread running the supplied code.
Code is supplied as a string, not as a function object.
Note that this function does nothing in 'client' or 'config-check' modes.
.. function:: submitToMainThread(cmd, dict)
- .. versionadded:: 1.8.0
-
Must be called from a separate thread (made with :func:`newThread`), submits data to the main thread by calling :func:`threadmessage` in it.
If no ``threadmessage`` receiver is present in the main thread, ``submitToMainThread`` logs an error but returns normally.
.. function:: setAllowEmptyResponse()
- .. versionadded:: 1.4.0
-
Set to true (defaults to false) to allow empty responses (qdcount=0) with a NoError or NXDomain rcode (default) from backends. dnsdist drops these responses by default because it can't match them against the initial query since they don't contain the qname, qtype and qclass, and therefore the risk of collision is much higher than with regular responses.
.. function:: setDropEmptyQueries(drop)
- .. versionadded:: 1.6.0
-
Set to true (defaults to false) to drop empty queries (qdcount=0) right away, instead of answering with a NotImp rcode. dnsdist used to drop these queries by default because most rules and existing Lua code expects a query to have a qname, qtype and qclass. However :rfc:`7873` uses these queries to request a server cookie, and :rfc:`8906` as a conformance test, so answering these queries with NotImp is much better than not answering at all.
:param bool drop: Whether to drop these queries (defaults to false)
.. function:: setProxyProtocolMaximumPayloadSize(size)
- .. versionadded:: 1.6.0
-
Set the maximum size of a Proxy Protocol payload that dnsdist is willing to accept, in bytes. The default is 512, which is more than enough except for very large TLV data. This setting can't be set to a value lower than 16 - the absolute minimum size of a Proxy Protocol header.
:param int size: The maximum size in bytes (default is 512)
.. function:: setTCPFastOpenKey(key)
- .. versionadded:: 1.8.0
-
Set the supplied ``TCP Fast Open`` key on all frontends. This can for example be used to allow all dnsdist instances in an anycast cluster to use the same ``TCP Fast Open`` key, reducing round-trips.
:param string key: The format of the key can be found in ``/proc/sys/net/ipv4/tcp_fastopen_key``
.. function:: makeIPCipherKey(password) -> string
- .. versionadded:: 1.4.0
-
Hashes the password to generate a 16-byte key that can be used to pseudonymize IP addresses with IP cipher.
.. function:: generateOCSPResponse(pathToServerCertificate, pathToCACertificate, pathToCAPrivateKey, outputFile, numberOfDaysOfValidity, numberOfMinutesOfValidity)
- .. versionadded:: 1.4.0
-
When a local PKI is used to issue the certificate, or for testing purposes, :func:`generateOCSPResponse` can be used to generate an OCSP response file for a certificate, using the certificate and private key of the certification authority that signed that certificate.
The resulting file can be directly used with the :func:`addDOHLocal` or the :func:`addTLSLocal` functions.
.. function:: getRingEntries()
- .. versionadded:: 1.8.0
-
Return a list of all the entries, queries and responses alike, that are present in the in-memory ring buffers, as :class:`LuaRingEntry` objects.
.. function:: loadTLSEngine(engineName [, defaultString])
- .. versionadded:: 1.8.0
-
Load the OpenSSL engine named ``engineName``, setting the engine default string to ``defaultString`` if supplied. Engines can be used to accelerate cryptographic operations, like for example Intel QAT.
At the moment up to a maximum of 32 loaded engines are supported, and that support is experimental.
Some engines might actually degrade performance unless the TLS asynchronous mode of OpenSSL is enabled. To enable it see the ``tlsAsyncMode`` parameter on :func:`addTLSLocal` and :func:`addDOHLocal`.
.. function:: loadTLSProvider(providerName)
- .. versionadded:: 1.8.0
-
Load the OpenSSL provider named ``providerName``. Providers can be used to accelerate cryptographic operations, like for example Intel QAT.
At the moment up to a maximum of 32 loaded providers are supported, and that support is experimental.
Note that :func:`loadTLSProvider` is only available when building against OpenSSL version >= 3.0 and with the `--enable-tls-provider` configure flag on. In other cases, :func:`loadTLSEngine` should be used instead.
.. function:: newTLSCertificate(pathToCert[, options])
- .. versionadded:: 1.8.0
-
Creates a :class:`TLSCertificate` object suited to be used with functions like :func:`addDOHLocal`, :func:`addDOH3Local`, :func:`addDOQLocal` and :func:`addTLSLocal` for TLS certificate configuration.
``PKCS12`` files are only supported by the ``openssl`` provider, password-protected or not.
.. class:: DOHFrontend
- .. versionadded:: 1.4.0
-
This object represents an address and port dnsdist is listening on for DNS over HTTPS queries.
.. method:: getAddressAndPort() -> string
- .. versionadded:: 1.7.1
-
Return the address and port this frontend is listening on.
.. method:: loadNewCertificatesAndKeys(certFile(s), keyFile(s))
- .. versionadded:: 1.6.1
-
- .. versionchanged:: 1.8.0
- ``certFile`` now accepts a TLSCertificate object or a list of such objects (see :func:`newTLSCertificate`)
-
- :param str certFile(s): The path to a X.509 certificate file in PEM format, a list of paths to such files, or a TLSCertificate object.
+ :param str certFile(s): The path to a X.509 certificate file in PEM format, a list of paths to such files, or a TLSCertificate object (see :func:`newTLSCertificate`).
:param str keyFile(s): The path to the private key file corresponding to the certificate, or a list of paths to such files, whose order should match the certFile(s) ones. Ignored if ``certFile`` contains TLSCertificate objects.
.. method:: loadTicketsKeys(ticketsKeysFile)
.. function:: newDOHResponseMapEntry(regex, status, content [, headers]) -> DOHResponseMapEntry
- .. versionadded:: 1.4.0
-
Return a DOHResponseMapEntry that can be used with :meth:`DOHFrontend.setResponsesMap`. Every query whose path is listed in the ``urls`` parameter to :func:`addDOHLocal` and matches the regular expression supplied in ``regex`` will be immediately answered with a HTTP response.
The status of the HTTP response will be the one supplied by ``status``, and the content set to the one supplied by ``content``, except if the status is a redirection (3xx) in which case the content is expected to be the URL to redirect to.
.. class:: LuaRingEntry
- .. versionadded:: 1.8.0
-
This object represents an entry from the in-memory ring buffers, query or response.
.. attribute:: backend
.. class:: timespec
- .. versionadded:: 1.8.0
-
This object represents a timestamp in the timespec format.
.. attribute:: tv_sec
.. method:: getAddressAndPort() -> string
- .. versionadded:: 1.7.1
-
Return the address and port this frontend is listening on.
.. method:: loadNewCertificatesAndKeys(certFile(s), keyFile(s))
.. method:: loadTicketsKeys(ticketsKeysFile)
- .. versionadded:: 1.6.0
-
Load new tickets keys from the selected file, replacing the existing ones. These keys should be rotated often and never written to persistent storage to preserve forward secrecy. The default is to generate a random key. The OpenSSL provider supports several tickets keys to be able to decrypt existing sessions after the rotation, while the GnuTLS provider only supports one key.
See :doc:`../advanced/tls-sessions-management` for more information.
.. method:: reloadCertificates()
- .. versionadded:: 1.6.0
-
Reload the current TLS certificate and key pairs.
.. method:: rotateTicketsKey()
- .. versionadded:: 1.6.0
-
Replace the current TLS tickets key by a new random one.
EDNS on Self-generated answers
.. function:: setPayloadSizeOnSelfGeneratedAnswers(payloadSize)
- .. versionchanged:: 1.6.0
- Default value changed from 1500 to 1232.
-
Set the UDP payload size advertised via EDNS on self-generated responses. In accordance with
:rfc:`RFC 6891 <6891#section-6.2.5>`, values lower than 512 will be treated as equal to 512.
These constants represent the different `RCODEs <https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6>`__ for DNS messages.
-.. versionchanged:: 1.4.0
- The prefix is changed from ``dnsdist`` to ``DNSRCode``.
-
-.. versionchanged:: 1.7.0
- The lookup fallback from ``dnsdist`` to ``DNSRCode`` was removed.
-
- ``DNSRCode.NOERROR``
- ``DNSRCode.FORMERR``
- ``DNSRCode.SERVFAIL``
DNSAction
---------
-.. versionchanged:: 1.5.0
- ``DNSAction.SpoofRaw`` has been added.
-
-.. versionchanged:: 1.8.0
- ``DNSAction.SpoofPacket`` has been added.
-
.. versionchanged:: 2.0.0
``DNSAction.SetTag`` has been added.
DNSQType
--------
-.. versionchanged:: 1.4.0
- The prefix is changed from ``dnsdist.`` to ``DNSQType``.
-
-.. versionchanged:: 1.7.0
- The lookup fallback from ``dnsdist`` to ``DNSQType`` was removed.
-
All named `QTypes <https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4>`__ are available as constants, prefixed with ``DNSQType.``, e.g.:
* ``DNSQType.AAAA``
.. function:: declareMetric(name, type, description [, prometheusName|options]) -> bool
- .. versionadded:: 1.8.0
-
- .. versionchanged:: 1.8.1
- This function can now be used at runtime, instead of only at configuration time.
-
.. versionchanged:: 2.0.0
This function now takes options, with ``withLabels`` option added. ``prometheusName`` can now be provided in options.
.. function:: incMetric(name [, step|options]) -> int
- .. versionadded:: 1.8.0
-
- .. versionchanged:: 1.8.1
- Optional ``step`` parameter added.
-
.. versionchanged:: 2.0.0
This function now takes options, with ``labels`` option added. ``step`` can now be provided in options.
.. function:: decMetric(name [, step|options]) -> int
- .. versionadded:: 1.8.0
-
- .. versionchanged:: 1.8.1
- Optional ``step`` parameter added.
-
.. versionchanged:: 2.0.0
This function now takes options, with ``labels`` option added. ``step`` can now be provided in options.
.. function:: getMetric(name [, options]) -> double
- .. versionadded:: 1.8.0
-
- .. versionchanged:: 2.0.0
- This function now takes options, with ``labels`` option added.
-
.. note::
Labels are only available for prometheus. Metrics with labels are otherwise ignored.
.. function:: setMetric(name, value [, options]) -> double
- .. versionadded:: 1.8.0
-
.. versionchanged:: 2.0.0
This function now takes options, with ``labels`` option added.
.. function:: addDNSCryptBind(address, provider, certFile(s), keyFile(s) [, options])
- .. versionchanged:: 1.4.0
- Removed ``doTCP`` from the options. A listen socket on TCP is always created.
- ``certFile(s)`` and ``keyFile(s)`` now accept a list of files.
-
- .. versionchanged:: 1.5.0
- Added ``tcpListenQueueSize`` parameter.
-
- .. versionchanged:: 1.6.0
- Added ``maxInFlight`` and ``maxConcurrentTCPConnections`` parameters.
-
Adds a DNSCrypt listen socket on ``address``.
:param string address: The address and port to listen on
.. function:: getDNSCryptBindCount()
- .. versionadded:: 1.5.0
-
Return the number of DNSCrypt binds.
Certificates
.. method:: reloadCertificates()
- .. versionadded:: 1.6.0
-
Reload the current TLS certificate and key pairs.
.. method:: removeInactiveCertificate(serial)
.. method:: makeRelative(name) -> DNSName
- .. versionadded:: 1.8.0
-
Provided that the current name is part of the supplied name, returns a new DNSName
composed only of the labels that are below the supplied name (ie making www.powerdns.com
relative to powerdns.com would return only wwww)
.. method:: toStringNoDot() -> string
- .. versionadded:: 1.8.0
-
Returns a human-readable form of the DNSName, without the trailing dot.
.. method:: wirelength() -> int
.. function:: newDNSPacketOverlay(packet) -> DNSPacketOverlay
- .. versionadded:: 1.8.0
-
Returns a DNSPacketOverlay
:param str packet: The DNS payload
.. class:: DNSPacketOverlay
- .. versionadded:: 1.8.0
-
The DNSPacketOverlay object has several attributes, all of them read-only:
.. attribute:: qname
.. class:: DNSRecord
- .. versionadded:: 1.8.0
-
This object represents an unparsed DNS record, as returned by the :ref:`DNSPacketOverlay` class. It has several attributes, all of them read-only:
.. attribute:: name
.. versionchanged:: 2.0.0
Added ``connectionCount`` option.
- .. versionchanged:: 1.5.0
- Added the optional parameter ``options``.
-
Create a Frame Stream Logger object, to use with :func:`DnstapLogAction` and :func:`DnstapLogResponseAction`.
This version will log to a local AF_UNIX socket.
.. versionchanged:: 2.0.0
Added ``connectionCount`` option.
- .. versionchanged:: 1.5.0
- Added the optional parameter ``options``.
-
Create a Frame Stream Logger object, to use with :func:`DnstapLogAction` and :func:`DnstapLogResponseAction`.
This version will log to a possibly remote TCP socket.
Needs tcp_writer support in libfstrm.
.. attribute:: deviceID
- .. versionadded:: 1.8.0
-
The identifier of the remote device, which will be exported via ProtoBuf if set.
.. attribute:: deviceName
- .. versionadded:: 1.8.0
-
The name of the remote device, which will be exported via ProtoBuf if set.
.. attribute:: dh
.. attribute:: pool
- .. versionadded:: 1.8.0
-
The pool of servers to which this query will be routed.
.. attribute:: qclass
.. attribute:: requestorID
- .. versionadded:: 1.8.0
-
The identifier of the requestor, which will be exported via ProtoBuf if set.
.. attribute:: rcode
.. method:: addProxyProtocolValue(type, value)
- .. versionadded:: 1.6.0
-
Add a proxy protocol TLV entry of type ``type`` and ``value`` to the current query.
:param int type: The type of the new value, ranging from 0 to 255 (both included)
.. method:: getContent() -> str
- .. versionadded:: 1.8.0
-
Get the content of the DNS packet as a string
.. method:: getDO() -> bool
.. method:: getHTTPHeaders() -> table
- .. versionadded:: 1.4.0
- .. versionchanged:: 1.8.0
- see ``keepIncomingHeaders`` on :func:`addDOHLocal`
-
Return the HTTP headers for a DoH query, as a table whose keys are the header names and values the header values.
Since 1.8.0 it is necessary to set the ``keepIncomingHeaders`` option to true on :func:`addDOHLocal` to be able to use this method.
.. method:: getHTTPHost() -> string
- .. versionadded:: 1.4.0
-
Return the HTTP Host for a DoH query, which may or may not contain the port.
:returns: The host of the DoH query
.. method:: getHTTPPath() -> string
- .. versionadded:: 1.4.0
-
Return the HTTP path for a DoH query.
:returns: The path part of the DoH query URI
.. method:: getHTTPQueryString() -> string
- .. versionadded:: 1.4.0
-
Return the HTTP query string for a DoH query.
:returns: The query string part of the DoH query URI
.. method:: getHTTPScheme() -> string
- .. versionadded:: 1.4.0
-
Return the HTTP scheme for a DoH query.
:returns: The scheme of the DoH query, for example ``http`` or ``https``
.. method:: getProtocol() -> string
- .. versionadded:: 1.7.0
-
Return the transport protocol this query was received over, as a string. The possible values are:
* "Do53 UDP"
.. method:: getProxyProtocolValues() -> table
- .. versionadded:: 1.6.0
-
Return a table of the Proxy Protocol values currently set for this query.
:returns: A table whose keys are types and values are binary-safe strings
.. method:: getQueryTime() -> timespec
- .. versionadded:: 1.8.0
-
Return the time at which the current query has been received, in whole seconds and nanoseconds since epoch, as a :ref:`timespec` object.
:returns: A :ref:`timespec` object
.. method:: getServerNameIndication() -> string
- .. versionadded:: 1.4.0
-
Return the TLS Server Name Indication (SNI) value sent by the client over DoT or DoH, if any. See :func:`SNIRule`
for more information, especially about the availability of SNI over DoH.
.. method:: getTrailingData() -> string
- .. versionadded:: 1.4.0
-
Get all data following the DNS message.
:returns: The trailing data as a null-safe string
.. method:: changeName(newName) -> bool
- .. versionadded:: 1.8.0
-
Change the qname of the current query in the DNS payload.
The reverse operation will have to be done on the response to set it back to the initial name, or the client will be confused and likely drop the response.
See :func:`DNSResponse:changeName`.
.. method:: setContent(data)
- .. versionadded:: 1.8.0
-
Replace the whole DNS payload of the query with the supplied data. The new DNS payload must include the DNS header, whose ID will be adjusted to match the one of the existing query.
For example, this replaces the whole DNS payload of queries for custom.async.tests.powerdns.com and type A, turning it them into ``FORMERR`` responses, including EDNS with the ``DNSSECOK`` bit set and a UDP payload size of 1232:
.. method:: setEDNSOption(code, data)
- .. versionadded:: 1.8.0
-
Add arbitrary EDNS option and data to the query. Any existing EDNS content with the same option code will be overwritten.
:param int code: The EDNS option code
.. method:: setHTTPResponse(status, body, contentType="")
- .. versionadded:: 1.4.0
-
Set the HTTP status code and content to immediately send back to the client.
For HTTP redirects (3xx), the string supplied in ``body`` should be the URL to redirect to.
For 200 responses, the value of the content type header can be specified via the ``contentType`` parameter.
.. method:: setNegativeAndAdditionalSOA(nxd, zone, ttl, mname, rname, serial, refresh, retry, expire, minimum)
- .. versionadded:: 1.5.0
-
Turn a question into a response, either a NXDOMAIN or a NODATA one based on ``nxd``, setting the QR bit to 1 and adding a SOA record in the additional section.
:param bool nxd: Whether the answer is a NXDOMAIN (true) or a NODATA (false)
.. method:: setProxyProtocolValues(values)
- .. versionadded:: 1.5.0
-
Set the Proxy-Protocol Type-Length values to send to the backend along with this query.
:param table values: A table of types and values to send, for example: ``{ [0x00] = "foo", [0x42] = "bar" }``. Note that the type must be an integer. Try to avoid these values: 0x01 - 0x05, 0x20 - 0x25, 0x30 as those are predefined in https://www.haproxy.org/download/2.3/doc/proxy-protocol.txt (search for `PP2_TYPE_ALPN`)
.. method:: setRestartable()
- .. versionadded:: 1.8.0
-
Make it possible to restart that query after receiving the response, for example to try a different pool of servers after receiving a SERVFAIL or a REFUSED response.
Under the hood, this tells dnsdist to keep a copy of the initial query around so that we can send it a second time if needed. Copying the initial DNS payload has a small memory and CPU cost and thus is not done by default.
See also :func:`DNSResponse:restart`.
.. method:: setTag(key, value)
- .. versionchanged:: 1.7.0
- Prior to 1.7.0 calling :func:`DNSQuestion:setTag` would not overwrite an existing tag value if already set.
-
Set a tag into the DNSQuestion object. Overwrites the value if any already exists.
:param string key: The tag's key
.. method:: setTagArray(tags)
- .. versionchanged:: 1.7.0
- Prior to 1.7.0 calling :func:`DNSQuestion:setTagArray` would not overwrite existing tag values if already set.
-
Set an array of tags into the DNSQuestion object. Overwrites the values if any already exist.
:param table tags: A table of tags, using strings as keys and values
.. method:: setTrailingData(tail) -> bool
- .. versionadded:: 1.4.0
-
Set the data following the DNS message, overwriting anything already present.
:param string tail: The new data
.. method:: spoof(ip|ips|raw|raws [, typeForAny])
- .. versionadded:: 1.6.0
-
.. versionchanged:: 1.9.0
Optional parameter ``typeForAny`` added.
.. method:: suspend(asyncID, queryID, timeoutMS) -> bool
- .. versionadded:: 1.8.0
-
Suspend the processing for the current query, making it asynchronous. The query is then placed into memory, in a map called the Asynchronous Holder, until it is either resumed or the supplied timeout kicks in. The object is stored under a key composed of the tuple (`asyncID`, `queryID`) which is needed to retrieve it later, which can be done via :func:`getAsynchronousObject`.
Note that the DNSQuestion object should NOT be accessed after successfully calling this method.
Returns true on success and false on failure, indicating that the query has not been suspended and the normal processing will continue.
.. method:: changeName(initialName) -> bool
- .. versionadded:: 1.8.0
-
Change, in the DNS payload of the current response, the qname and the owner name of records to the supplied new name, if they are matching exactly the initial qname.
This only makes if the reverse operation was performed on the query, or the client will be confused and likely drop the response.
Note that only records whose owner name matches the qname in the initial response will be rewritten, and that only the owner name itself will be altered,
.. method:: restart()
- .. versionadded:: 1.8.0
-
Discard the received response and restart the processing of the query. For this function to be usable, the query should have been made restartable first, via :func:`DNSQuestion:setRestartable`.
For example, to restart the processing after selecting a different pool of servers:
.. method:: getID() -> int
- .. versionadded:: 1.8.0
-
Get the ID.
.. method:: getRA() -> bool
.. method:: getTC() -> bool
- .. versionadded:: 1.8.1
-
Get the TC flag.
.. method:: setAA(aa)
.. class:: AsynchronousObject
- .. versionadded:: 1.8.0
-
This object holds a representation of a DNS query or response that has been suspended.
.. method:: drop() -> bool
.. function:: getAsynchronousObject(asyncID, queryID) -> AsynchronousObject
- .. versionadded:: 1.8.0
-
Retrieves an asynchronous object stored into the Asynchronous holder.
:param int asyncID: A numeric identifier used to identify the query when it was suspended
newBPFFilter(v4Parameters, v6Parameters, qnamesParameters) -> BPFFilter (1.7.x)
newBPFFilter(maxV4, maxV6, maxQNames) -> BPFFilter (before 1.7.0)
- .. versionchanged:: 1.7.0
- This function now supports a table for each parameters, and the ability to use pinned eBPF maps.
- .. versionchanged:: 1.8.0
- This function now gets its parameters via a table.
-
Return a new eBPF socket filter with a maximum of maxV4 IPv4, maxV6 IPv6 and maxQNames qname entries in the block tables.
Maps can be pinned to a filesystem path, which makes their content persistent across restarts and allows external programs to read their content and to add new entries. dnsdist will try to load maps that are pinned to a filesystem path on startups, inheriting any existing entries, and fall back to creating them if they do not exist yet. Note that the user dnsdist is running under must have the right privileges to read and write to the given file, and to go through all the directories in the path leading to that file. The pinned path must be on a filesystem of type ``BPF``, usually below ``/sys/fs/bpf/``.
.. method:: addRangeRule(Netmask , action [, force=false])
- .. versionadded:: 1.8.0
-
Block all IP addresses in this range.
DNSDist eBPF code first checks if an exact IP match is found, then if a range matches, and finally if a DNSName does.
.. method:: rmRangeRule(Netmask)
- .. versionadded:: 1.8.0
-
:param Netmask string: The rule you want to remove
.. method:: lsRangeRule()
- .. versionadded:: 1.8.0
-
List all range rule.
.. method:: unblockQName(name [, qtype=65535])
.. class:: KeyValueStore
- .. versionadded:: 1.4.0
-
Represents a Key Value Store
.. method:: lookup(key [, wireFormat])
.. function:: KeyValueLookupKeyQName([wireFormat]) -> KeyValueLookupKey
- .. versionadded:: 1.4.0
-
Return a new KeyValueLookupKey object that, when passed to :func:`KeyValueStoreLookupAction` or :func:`KeyValueStoreLookupRule`, will return the qname of the query in DNS wire format.
:param bool wireFormat: Whether to do the lookup in wire format (default) or in plain text
.. function:: KeyValueLookupKeySourceIP([v4mask [, v6mask]]) -> KeyValueLookupKey
- .. versionadded:: 1.4.0
-
- .. versionchanged:: 1.5.0
- Optional parameters ``v4mask`` and ``v6mask`` added.
-
- .. versionchanged:: 1.7.0
- Optional parameter ``includePort`` added.
-
Return a new KeyValueLookupKey object that, when passed to :func:`KeyValueStoreLookupAction` or :func:`KeyValueStoreLookupRule`, will return the source IP of the client in network byte-order.
:param int v4mask: Mask applied to IPv4 addresses. Default is 32 (the whole address)
.. function:: KeyValueLookupKeySuffix([minLabels [, wireFormat]]) -> KeyValueLookupKey
- .. versionadded:: 1.4.0
-
Return a new KeyValueLookupKey object that, when passed to :func:`KeyValueStoreLookupAction` or :func:`KeyValueStoreLookupRule`, will return a vector of keys based on the labels of the qname in DNS wire format or plain text.
For example if the qname is sub.domain.powerdns.com. the following keys will be returned:
.. function:: KeyValueLookupKeyTag(tagName) -> KeyValueLookupKey
- .. versionadded:: 1.4.0
-
Return a new KeyValueLookupKey object that, when passed to :func:`KeyValueStoreLookupAction`, will return the value of the corresponding tag for this query, if it exists.
:param str tagName: The name of the tag.
.. function:: newCDBKVStore(filename, refreshDelay) -> KeyValueStore
- .. versionadded:: 1.4.0
-
Return a new KeyValueStore object associated to the corresponding CDB database. The modification time
of the CDB file will be checked every 'refreshDelay' second and the database re-opened if needed.
.. function:: newLMDBKVStore(filename, dbName [, noLock]) -> KeyValueStore
- .. versionadded:: 1.4.0
-
- .. versionchanged:: 1.7.0
- Added the optional parameter ``noLock``.
-
Return a new KeyValueStore object associated to the corresponding LMDB database. The database must have been created
with the ``MDB_NOSUBDIR`` flag. Since 1.7.0, the database is opened with the ``MDB_READONLY`` flag, and optionally with ``MDB_NOLOCK`` if ``noLock`` is set to true.
\r
.. function:: vinfolog(line)\r
\r
- .. versionadded:: 1.8.0\r
-\r
Writes an info line if dnsdist is running in verbose (debug) mode.\r
\r
:param str line: The line to write.\r
.. function:: newNetmask(str) -> Netmask
newNetmask(ca, bits) -> Netmask
- .. versionadded:: 1.5.0
-
Returns a Netmask
:param string str: A netmask, like ``192.0.2.0/24``.
.. class:: Netmask
- .. versionadded:: 1.5.0
-
Represents a netmask.
.. method:: getBits() -> int
.. method:: setRequestor(address [, port])
- .. versionchanged:: 1.5.0
- ``port`` optional parameter added.
-
Set the requestor's address.
:param ComboAddress address: The address to set to
.. method:: setRequestorFromString(address [, port])
- .. versionchanged:: 1.5.0
- ``port`` optional parameter added.
-
Set the requestor's address from a string.
:param string address: The address to set to
.. method:: setResponder(address [, port])
- .. versionchanged:: 1.5.0
- ``port`` optional parameter added.
-
Set the responder's address.
:param ComboAddress address: The address to set to
.. method:: setResponderFromString(address [, port])
- .. versionchanged:: 1.5.0
- ``port`` optional parameter added.
-
Set the responder's address.
:param string address: The address to set to
.. function:: addAction(DNSrule, action [, options])
- .. versionchanged:: 1.6.0
- Added ``name`` to the ``options``.
-
.. versionchanged:: 1.9.0
Passing a string or list of strings instead of a :class:`DNSRule` is deprecated, use :func:`NetmaskGroupRule` or :func:`QNameSuffixRule` instead
.. function:: mvRuleToTop()
- .. versionadded:: 1.6.0
-
This function moves the last rule to the first position. Before 1.6.0 this was handled by :func:`topRule`.
.. function:: setRules(rules)
* ``showUUIDs=false``: bool - Whether to display the UUIDs, defaults to false.
* ``truncateRuleWidth=-1``: int - Truncate rules output to ``truncateRuleWidth`` size. Defaults to ``-1`` to display the full rule.
-.. function:: topRule()
-
- .. versionchanged:: 1.6.0
- Replaced by :func:`mvRuleToTop`
-
- Before 1.6.0 this function used to move the last rule to the first position, which is now handled by :func:`mvRuleToTop`.
-
.. function:: rmRule(id)
- .. versionchanged:: 1.6.0
- ``id`` can now be a string representing the name of the rule.
-
Remove rule ``id``.
:param int id: The position of the rule to remove if ``id`` is numerical, its UUID or name otherwise
.. function:: addResponseAction(DNSRule, action [, options])
- .. versionchanged:: 1.6.0
- Added ``name`` to the ``options``.
-
.. versionchanged:: 1.9.0
Passing a string or list of strings instead of a :class:`DNSRule` is deprecated, use :func:`NetmaskGroupRule` or :func:`QNameSuffixRule` instead
.. function:: mvResponseRuleToTop()
- .. versionadded:: 1.6.0
-
This function moves the last response rule to the first position. Before 1.6.0 this was handled by :func:`topResponseRule`.
.. function:: rmResponseRule(id)
- .. versionchanged:: 1.6.0
- ``id`` can now be a string representing the name of the rule.
-
Remove response rule ``id``.
:param int id: The position of the rule to remove if ``id`` is numerical, its UUID or name otherwise
.. function:: topResponseRule()
- .. versionchanged:: 1.6.0
- Replaced by :func:`mvResponseRuleToTop`
-
Before 1.6.0 this function used to move the last response rule to the first position, which is now handled by :func:`mvResponseRuleToTop`.
Cache hits
.. function:: addCacheHitResponseAction(DNSRule, action [, options])
- .. versionchanged:: 1.6.0
- Added ``name`` to the ``options``.
-
.. versionchanged:: 1.9.0
Passing a string or list of strings instead of a :class:`DNSRule` is deprecated, use :func:`NetmaskGroupRule` or :func:`QNameSuffixRule` instead
.. function:: mvCacheHitResponseRuleToTop()
- .. versionadded:: 1.6.0
-
This function moves the last cache hit response rule to the first position. Before 1.6.0 this was handled by :func:`topCacheHitResponseRule`.
.. function:: rmCacheHitResponseRule(id)
- .. versionchanged:: 1.6.0
- ``id`` can now be a string representing the name of the rule.
-
:param int id: The position of the rule to remove if ``id`` is numerical, its UUID or name otherwise
.. function:: showCacheHitResponseRules([options])
* ``showUUIDs=false``: bool - Whether to display the UUIDs, defaults to false.
* ``truncateRuleWidth=-1``: int - Truncate rules output to ``truncateRuleWidth`` size. Defaults to ``-1`` to display the full rule.
-.. function:: topCacheHitResponseRule()
-
- .. versionchanged:: 1.6.0
- Replaced by :func:`mvCacheHitResponseRuleToTop`
-
- Before 1.6.0 this function used to move the last cache hit response rule to the first position, which is now handled by :func:`mvCacheHitResponseRuleToTop`.
-
Cache inserted
--------------
.. function:: addCacheInsertedResponseAction(DNSRule, action [, options])
- .. versionadded:: 1.8.0
-
.. versionchanged:: 1.9.0
Passing a string or list of strings instead of a :class:`DNSRule` is deprecated, use :func:`NetmaskGroupRule` or :func:`QNameSuffixRule` instead
.. function:: mvCacheInsertedResponseRule(from, to)
- .. versionadded:: 1.8.0
-
Move cache inserted response rule ``from`` to a position where it is in front of ``to``.
``to`` can be one larger than the largest rule, in which case the rule will be moved to the last position.
.. function:: mvCacheInsertedResponseRuleToTop()
- .. versionadded:: 1.8.0
-
This function moves the last cache inserted response rule to the first position.
.. function:: rmCacheInsertedResponseRule(id)
- .. versionadded:: 1.8.0
-
:param int id: The position of the rule to remove if ``id`` is numerical, its UUID or name otherwise
.. function:: showCacheInsertedResponseRules([options])
- .. versionadded:: 1.8.0
-
Show all defined cache inserted response rules, optionally displaying their UUIDs.
:param table options: A table with key: value pairs with display options.
.. function:: addSelfAnsweredResponseAction(DNSRule, action [, options])
- .. versionchanged:: 1.6.0
- Added ``name`` to the ``options``.
-
.. versionchanged:: 1.9.0
Passing a string or list of strings instead of a :class:`DNSRule` is deprecated, use :func:`NetmaskGroupRule` or :func:`QNameSuffixRule` instead
.. function:: mvSelfAnsweredResponseRuleToTop()
- .. versionadded:: 1.6.0
-
This function moves the last self-answered response rule to the first position. Before 1.6.0 this was handled by :func:`topSelfAnsweredResponseRule`.
.. function:: rmSelfAnsweredResponseRule(id)
- .. versionchanged:: 1.6.0
- ``id`` can now be a string representing the name of the rule.
-
Remove self answered response rule ``id``.
:param int id: The position of the rule to remove if ``id`` is numerical, its UUID or name otherwise
* ``showUUIDs=false``: bool - Whether to display the UUIDs, defaults to false.
* ``truncateRuleWidth=-1``: int - Truncate rules output to ``truncateRuleWidth`` size. Defaults to ``-1`` to display the full rule.
-.. function:: topSelfAnsweredResponseRule()
-
- .. versionchanged:: 1.6.0
- Replaced by :func:`mvSelfAnsweredResponseRuleToTop`
-
- Before 1.6.0 this function used to move the last self-answered response rule to the first position, which is now handled by :func:`mvSelfAnsweredResponseRuleToTop`.
-
- Move the last self answered response rule to the first position.
-
Timeout
-------
.. function:: newRuleAction(rule, action[, options])
- .. versionchanged:: 1.6.0
- Added ``name`` to the ``options``.
-
Return a pair of DNS Rule and DNS Action, to be used with :func:`setRules`.
:param Rule rule: A Rule (see :doc:`selectors`)
.. function:: EDNSOptionRule(optcode)
- .. versionadded:: 1.4.0
-
Matches queries or responses with the specified EDNS option present.
``optcode`` is specified as an integer, or a constant such as `EDNSOptionCode.ECS`.
.. function:: EDNSVersionRule(version)
- .. versionadded:: 1.4.0
-
Matches queries or responses with an OPT record whose EDNS version is greater than the specified EDNS version.
:param int version: The EDNS version to match on
.. function:: HTTPHeaderRule(name, regex)
- .. versionadded:: 1.4.0
-
- .. versionchanged:: 1.8.0
- see ``keepIncomingHeaders`` on :func:`addDOHLocal`
-
Matches DNS over HTTPS queries with a HTTP header ``name`` whose content matches the regular expression ``regex`` in Posix Extended Regular Expressions format. The match is done in a case-insensitive way.
Since 1.8.0 it is necessary to set the ``keepIncomingHeaders`` option to true on :func:`addDOHLocal` to be able to use this rule.
.. function:: HTTPPathRegexRule(regex)
- .. versionadded:: 1.4.0
-
Matches DNS over HTTPS queries with a HTTP path matching the regular expression supplied in ``regex`` in Posix Extended Regular Expressions format. The match is done in a case-insensitive way. For example, if the query has been sent to the https://192.0.2.1:443/PowerDNS?dns=... URL, the path would be '/PowerDNS'.
Only valid DNS over HTTPS queries are matched. If you want to match all HTTP queries, see :meth:`DOHFrontend:setResponsesMap` instead.
.. function:: HTTPPathRule(path)
- .. versionadded:: 1.4.0
-
Matches DNS over HTTPS queries with a HTTP path of ``path``. For example, if the query has been sent to the https://192.0.2.1:443/PowerDNS?dns=... URL, the path would be '/PowerDNS'.
Only valid DNS over HTTPS queries are matched. If you want to match all HTTP queries, see :meth:`DOHFrontend:setResponsesMap` instead.
.. function:: KeyValueStoreLookupRule(kvs, lookupKey)
- .. versionadded:: 1.4.0
-
Return true if the key returned by 'lookupKey' exists in the key value store referenced by 'kvs'.
The store can be a CDB (:func:`newCDBKVStore`) or a LMDB database (:func:`newLMDBKVStore`).
The key can be based on the qname (:func:`KeyValueLookupKeyQName` and :func:`KeyValueLookupKeySuffix`),
.. function:: KeyValueStoreRangeLookupRule(kvs, lookupKey)
- .. versionadded:: 1.7.0
-
Does a range-based lookup into the key value store referenced by 'kvs' using the key returned by 'lookupKey' and returns true if there is a range covering that key.
This assumes that there is a key, in network byte order, for the last element of the range (for example 2001:0db8:ffff:ffff:ffff:ffff:ffff:ffff for 2001:db8::/32) which contains the first element of the range (2001:0db8:0000:0000:0000:0000:0000:0000) (optionally followed by any data) as value, still in network byte order, and that there is no overlapping ranges in the database.
.. function:: LuaFFIPerThreadRule(function)
- .. versionadded:: 1.7.0
-
Invoke a Lua FFI function that accepts a pointer to a ``dnsdist_ffi_dnsquestion_t`` object, whose bindings are defined in ``dnsdist-lua-ffi-interface.h``.
The ``function`` should return true if the query matches, or false otherwise. If the Lua code fails, false is returned.
.. function:: LuaFFIRule(function)
- .. versionadded:: 1.5.0
-
Invoke a Lua FFI function that accepts a pointer to a ``dnsdist_ffi_dnsquestion_t`` object, whose bindings are defined in ``dnsdist-lua-ffi-interface.h``.
The ``function`` should return true if the query matches, or false otherwise. If the Lua code fails, false is returned.
.. function:: LuaRule(function)
- .. versionadded:: 1.5.0
-
Invoke a Lua function that accepts a :class:`DNSQuestion` object.
The ``function`` should return true if the query matches, or false otherwise. If the Lua code fails, false is returned.
.. function:: MaxQPSIPRule(qps[, v4Mask[, v6Mask[, burst[, expiration[, cleanupDelay[, scanFraction [, shards]]]]]]])
- .. versionchanged:: 1.8.0
- ``shards`` parameter added
-
Matches traffic for a subnet specified by ``v4Mask`` or ``v6Mask`` exceeding ``qps`` queries per second up to ``burst`` allowed.
This rule keeps track of QPS by netmask or source IP. This state is cleaned up regularly if ``cleanupDelay`` is greater than zero,
removing existing netmasks or IP addresses that have not been seen in the last ``expiration`` seconds.
.. function:: NetmaskGroupRule(nmg[, src[, quiet]])
- .. versionchanged:: 1.4.0
- ``quiet`` parameter added
-
.. versionchanged:: 1.9.0
The ``nmg`` parameter now accepts a string or a list of strings in addition to a class:`NetmaskGroup` object.
.. function:: ProxyProtocolValueRule(type [, value])
- .. versionadded:: 1.6.0
-
- Matches queries that have a proxy protocol TLV value of the specified type. If ``value`` is set,
the content of the value should also match the content of ``value``.
:param int type: The type of the value, ranging from 0 to 255 (both included)
.. function:: QNameSetRule(set)
- .. versionadded:: 1.4.0
-
Matches if the set contains exact qname.
To match subdomain names, see :func:`QNameSuffixRule`.
.. function:: SNIRule(name)
- .. versionadded:: 1.4.0
-
Matches against the TLS Server Name Indication value sent by the client, if any. Only makes
sense for DoT or DoH, and for that last one matching on the HTTP Host header using :func:`HTTPHeaderRule`
might provide more consistent results.
.. function:: PoolOutstandingRule(poolname, limit)
- .. versionadded:: 1.7.0
-
Check whether a pool has total outstanding queries above limit
.. code-block:: Lua
.. function:: newSVCRecordParameters(priority, target[, SVCParams]) -> SVCRecordParameters
- .. versionadded:: 1.7.0
-
Returns a :class:`SVCRecordParameters` to use with :func:`SpoofSVCAction`.
.. code-block:: Lua
.. class:: SVCRecordParameters
- .. versionadded:: 1.7.0
-
Represents Service Binding (SVCB, HTTPS) record parameters, which can be used with :func:`SpoofSVCAction`.
.. function:: setDoHDownstreamCleanupInterval(interval)
- .. versionadded:: 1.7.0
-
Set how often, in seconds, the outgoing DoH connections to backends of a given worker thread are scanned to expunge the ones that are no longer usable. The default is 60 so once per minute and per worker thread.
:param int interval: The interval in seconds.
.. function:: setDoHDownstreamMaxIdleTime(max)
- .. versionadded:: 1.7.0
-
Set how long, in seconds, an outgoing DoH connection to a backend might stay idle before being closed. The default is 300 so 5 minutes.
:param int max: The maximum time in seconds.
.. function:: setMaxIdleDoHConnectionsPerDownstream(max)
- .. versionadded:: 1.7.0
-
Set the maximum number of inactive DoH connections to a backend cached by each DoH worker thread. These connections can be reused when a new query comes in, instead of having to establish a new connection. dnsdist regularly checks whether the other end has closed any cached connection, closing them in that case.
:param int max: The maximum number of inactive connections to keep. Default is 10, so 10 connections per backend and per DoH worker thread.
.. function:: setMaxCachedTCPConnectionsPerDownstream(max)
- .. versionadded:: 1.6.0
-
Set the maximum number of inactive TCP connections to a backend cached by each TCP worker thread. These connections can be reused when a new query comes in, instead of having to establish a new connection. dnsdist regularly checks whether the other end has closed any cached connection, closing them in that case.
:param int max: The maximum number of inactive connections to keep. Default is 10, so 10 connections per backend and per TCP worker thread.
.. function:: setMaxTCPClientThreads(num)
- .. versionchanged:: 1.6.0
- Before 1.6.0 the default value was 10.
- .. versionchanged:: 1.7.0
- The default value has been set back to 10.
-
.. warning::
Be wary of using a too large value for this setting. :program:`dnsdist` keeps a per-thread cache of TCP connections to its backends so using a large value could, in addition to creating a lot of threads,
lead to a very high number of TCP connections to the backends. PowerDNS Recursor, for example, has a low default limit (128) for the number of incoming TCP connections it is willing to accept.
- Set the maximum of TCP client threads, handling TCP connections. Before 1.4.0 a TCP thread could only handle a single incoming TCP connection at a time, while after 1.4.0 it can handle a larger number of them simultaneously.
-
- Note that before 1.6.0 the TCP worker threads were created at runtime, adding a new thread when the existing ones seemed to struggle with the load, until the maximum number of threads had been reached. Starting with 1.6.0 the configured number of worker threads are immediately created at startup.
+ Set the maximum of TCP client threads, handling TCP connections. A TCP client thread can handle a larger number of connections simultaneously.
- In 1.6.0 the default value was at least 10 TCP workers, but could be more if there is more than 10 TCP listeners (added via :func:`addDNSCryptBind`, :func:`addLocal`, or :func:`addTLSLocal`). In that last case there would have been as many TCP workers as TCP listeners. This led to issues in setups with a large number of TCP listeners and was therefore reverted back to 10 in 1.7.0.
+ The configured number of worker threads are immediately created at startup.
:param int num: The number of TCP worker threads.
.. function:: setMaxTCPQueuedConnections(num)
- .. versionchanged:: 1.6.0
- Before 1.6.0 the default value was 1000 on all systems.
-
Set the maximum number of TCP connections queued (waiting to be picked up by a client thread), defaults to 1000 (10000 on Linux since 1.6.0). 0 means unlimited.
:param int num:
.. function:: setMaxUDPOutstanding(num)
- .. versionchanged:: 1.4.0
- Before 1.4.0 the default value was 10240
-
Set the maximum number of outstanding UDP queries to a given backend server. This can only be set at configuration time and defaults to 65535 (10240 before 1.4.0).
:param int num:
.. function:: setOutgoingDoHWorkerThreads(num)
- .. versionadded:: 1.7.0
-
Set the number of worker threads to use for outgoing DoH. That number defaults to 0 but is automatically raised to 1 when DoH is enabled on at least one backend.
.. function:: setStaleCacheEntriesTTL(num)
.. function:: setTCPDownstreamCleanupInterval(interval)
- .. versionadded:: 1.6.0
-
Set how often, in seconds, the outgoing TCP connections to backends of a given worker thread are scanned to expunge the ones that are no longer usable. The default is 60 so once per minute and per worker thread.
:param int interval: The interval in seconds.
.. function:: setDoHDownstreamMaxIdleTime(max)
- .. versionadded:: 1.7.0
-
Set how long, in seconds, an outgoing DoH connection to a backend might stay idle before being closed. The default is 300 so 5 minutes.
:param int max: The maximum time in seconds.
.. function:: setRandomizedIdsOverUDP(val)
- .. versionadded:: 1.8.0
-
Setting this parameter to true (default is false) will randomize the IDs in outgoing UDP queries, at a small performance cost, ignoring the :func:`setMaxUDPOutstanding`
value. This is only useful if the path between dnsdist and the backend is not trusted and the 'TCP-only', DNS over TLS or DNS over HTTPS transports cannot be used.
See also :func:`setRandomizedOutgoingSockets`.
.. function:: setRandomizedOutgoingSockets(val)
- .. versionadded:: 1.8.0
-
Setting this parameter to true (default is false) will randomize the outgoing socket used when forwarding a query to a backend.
The default is to use a round-robin mechanism to select the outgoing socket.
This requires configuring the backend to use more than one outgoing socket via the ``sockets`` parameter of :func:`newServer`
.. function:: setTCPInternalPipeBufferSize(size)
- .. versionadded:: 1.6.0
-
Set the size in bytes of the internal buffer of the pipes used internally to distribute connections to TCP (and DoT) workers threads. Requires support for ``F_SETPIPE_SZ`` which is present in Linux since 2.6.35. The actual size might be rounded up to a multiple of a page size. 0 means that the OS default size is used. The default value is 0, except on Linux where it is 1048576 since 1.6.0.
:param int size: The size in bytes.
.. function:: setTCPUseSinglePipe(val)
- .. deprecated:: 1.6.0
-
Whether the incoming TCP connections should be put into a single queue instead of using per-thread queues. Defaults to false. That option was useful before 1.4.0 when a single TCP connection could block a TCP worker thread, but should not be used in recent versions where the per-thread queues model avoids waking up all idle workers when a new connection arrives. This option will be removed in 1.7.0.
:param bool val:
.. function:: setUDPSocketBufferSizes(recv, send)
- .. versionadded:: 1.7.0
-
Set the size of the receive (``SO_RCVBUF``) and send (``SO_SNDBUF``) buffers for incoming UDP sockets. On Linux the default
values correspond to ``net.core.rmem_default`` and ``net.core.wmem_default`` , and the maximum values are restricted
by ``net.core.rmem_max`` and ``net.core.wmem_max``.
cpu-iowait
----------
-.. versionadded:: 1.5.0
-
Time spent waiting for I/O to complete by the whole system, in units of USER_HZ.
cpu-steal
---------
-.. versionadded:: 1.5.0
-
Stolen time, which is the time spent by the whole system in other operating systems when running in a virtualized environment, in units of USER_HZ.
cpu-sys-msec
proxy-protocol-invalid
----------------------
-.. versionadded:: 1.6.0
-
Number of queries dropped because of an invalid Proxy Protocol header.
queries
rule-truncated
--------------
-.. versionadded:: 1.6.0
-
Number of truncated answers returned because of a rule.
security-status
tcp-listen-overflows
--------------------
-.. versionadded:: 1.6.0
-
From ``/proc/net/netstat`` ``ListenOverflows``.
tcp-query-pipe-full
udp-in-csum-errors
------------------
-.. versionadded:: 1.7.0
-
From ``/proc/net/snmp`` ``InErrors``.
udp-in-errors
-------------
-.. versionadded:: 1.5.0
-
From ``/proc/net/snmp`` ``InErrors``.
udp-noport-errors
-----------------
-.. versionadded:: 1.5.0
-
From ``/proc/net/snmp`` ``NoPorts``.
udp-recvbuf-errors
------------------
-.. versionadded:: 1.5.0
-
From ``/proc/net/snmp`` ``RcvbufErrors``.
udp-sndbuf-errors
-----------------
-.. versionadded:: 1.5.0
-
From ``/proc/net/snmp`` ``SndbufErrors``.
udp6-in-csum-errors
-------------------
-.. versionadded:: 1.7.0
-
From ``/proc/net/snmp6`` ``InErrors``.
udp6-in-errors
--------------
-.. versionadded:: 1.7.0
-
From ``/proc/net/snmp6`` ``InErrors``.
udp6-noport-errors
------------------
-.. versionadded:: 1.7.0
-
From ``/proc/net/snmp6`` ``NoPorts``.
udp6-recvbuf-errors
-------------------
-.. versionadded:: 1.7.0
-
From ``/proc/net/snmp6`` ``RcvbufErrors``.
udp6-sndbuf-errors
------------------
-.. versionadded:: 1.7.0
-
From ``/proc/net/snmp6`` ``SndbufErrors``.
uptime
projects / thirdparty / pdns.git / commitdiff
