summaryrefslogtreecommitdiffstats
path: root/dnsdist.conf-dist
blob: 93e061be5d9eae597992507cc4580fe6ca60d214 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
-- == Generic Configuration ==

-- only accept queries (Do53, DNSCrypt,  DoT or DoH) from a few subnets
-- see https://dnsdist.org/advanced/acl.html for more details
-- please be careful when dnsdist is deployed in front of a server
-- server granting access based on the source IP, as all queries will
-- seem to originate from dnsdist, which might be especially relevant for
-- AXFR, IXFR, NOTIFY and UPDATE
-- https://dnsdist.org/advanced/axfr.html
-- setACL({'192.0.2.0/28', '2001:DB8:1::/56'})

-- listen for console connection with the given secret key
-- https://dnsdist.org/guides/console.html
-- controlSocket("127.0.0.1:5900")
-- setKey("please generate a fresh private key with makeKey()")

-- start the web server on port 8083, using password 'set a random password here'
-- https://dnsdist.org/guides/webserver.html
-- webserver("127.0.0.1:8083", "set a random password here")

-- send statistics to PowerDNS metronome server https://metronome1.powerdns.com/
-- https://dnsdist.org/guides/carbon.html
-- carbonServer("37.252.122.50", 'unique-name')

-- accept plain DNS (Do53) queries on UDP/5200 and TCP/5200
-- addLocal("127.0.0.1:5200")

-- accept DNSCrypt queries on UDP/8443 and TCP/8443
-- https://dnsdist.org/guides/dnscrypt.html
-- addDNSCryptBind("127.0.0.1:8443", "2.provider.name", "DNSCryptResolver.cert", "DNSCryptResolver.key")

-- accept DNS over TLS (DoT) queries on TCP/9443
-- https://dnsdist.org/guides/dns-over-tls.html
-- addTLSLocal("127.0.0.1:9443", {"server.crt"}, {"server.key"}, { provider="openssl" })

-- accept DNS over HTTPS (DoH) queries on TCP/443
-- https://dnsdist.org/guides/dns-over-https.html
-- addDOHLocal("127.0.0.1:443", {"server.crt"}, {"server.key"})

-- define downstream servers, aka backends
-- https://dnsdist.org/guides/downstreams.html
-- https://dnsdist.org/guides/serverpools.html
-- https://dnsdist.org/guides/serverselection.html
-- newServer("192.0.2.1")
-- newServer({address="192.0.2.1:5300", pool="abuse"})

-- == Tuning ==

-- Increase the in-memory rings size (the default, 10000, is only one second at 10k qps) used by
-- live-traffic inspection features like grepq, and use 100 shards to improve performance
-- setRingBuffersSize(1000000, 100)

-- increase the number of TCP workers, each one being capable of handling a large number
-- of TCP connections since 1.4.0
-- setMaxTCPClientThreads(20)

-- == Sample Actions ==

-- https://dnsdist.org/rules-actions.html

-- send the queries for selected domain suffixes to the servers
-- in the 'abuse' pool
-- addAction(SuffixMatchNodeRule({"abuse.example.org.", "xxx."}), PoolAction("abuse"))

-- drop queries for this exact qname
-- addAction(QNameRule("drop-me.example.org."), DropAction())

-- send the queries from a selected subnet to the
-- abuse pool
-- addAction(NetmaskGroupRule("192.0.2.0/24"), PoolAction("abuse"))

-- Refuse incoming AXFR, IXFR, NOTIFY and UPDATE
-- Add trusted sources (slaves, masters) explicitely in front of this rule
-- addAction(OrRule({OpcodeRule(DNSOpcode.Notify), OpcodeRule(DNSOpcode.Update), QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), RCodeAction(DNSRCode.REFUSED))

-- == Dynamic Blocks ==

-- define a dynamic block rules group object, set a few limits and apply it
-- see https://dnsdist.org/guides/dynblocks.html for more details

-- local dbr = dynBlockRulesGroup()
-- dbr:setQueryRate(30, 10, "Exceeded query rate", 60)
-- dbr:setRCodeRate(dnsdist.NXDOMAIN, 20, 10, "Exceeded NXD rate", 60)
-- dbr:setRCodeRate(dnsdist.SERVFAIL, 20, 10, "Exceeded ServFail rate", 60)
-- dbr:setQTypeRate(dnsdist.ANY, 5, 10, "Exceeded ANY rate", 60)
-- dbr:setResponseByteRate(10000, 10, "Exceeded resp BW rate", 60)
-- function maintenance()
--  dbr:apply()
-- end

-- == Logging ==

-- connect to a remote protobuf logger and export queries and responses
-- https://dnsdist.org/reference/protobuf.html
-- rl = newRemoteLogger('127.0.0.1:4242')
-- addAction(AllRule(), RemoteLogAction(rl))
-- addResponseAction(AllRule(), RemoteLogResponseAction(rl))

-- DNSTAP is also supported
-- https://dnsdist.org/reference/dnstap.html
-- fstr = newFrameStreamUnixLogger(/path/to/unix/socket)
-- or
-- fstr = newFrameStreamTcpLogger('192.0.2.1:4242')
-- addAction(AllRule(), DnstapLogAction(fstr))
-- addResponseAction(AllRule(), DnstapLogResponseAction(fstr))

-- == Caching ==

-- https://dnsdist.org/guides/cache.html
-- create a packet cache of at most 100k entries,
-- and apply it to the default pool
-- pc = newPacketCache(100000)
-- getPool(""):setCache(pc)