lumathieu/cantal.luc-geo.fr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 1 Wiki Activity

dnsdist.conf update + enabling HSTS on DoH

Browse Source
This commit is contained in:
Lucas MATHIEU
2026-05-01 21:27:13 +02:00
parent 1f6d9f5086
commit 1978aa04d7
1 changed files with 22 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
etc/dnsdist/dnsdist.conf
+22 -16
View File
@@ -1,15 +1,15 @@
-- /etc/dnsdist/dnsdist.conf: dndist conf. file for cantal -- /etc/dnsdist.conf: dndist conf. file for cantal
-- --
-- Last edition : 2025-07-07 -- Last edition : 2026-05-01
-- Last editor : @Campanu -- Last editor : Lucas MATHIEU
-- --
-- ACL -- ACL
setACL("0.0.0.0/0") setACL("0.0.0.0/0")
addACL("[::]/0") addACL("[::]/0")
-- Request rate limite -- Request rate limit
addAction(MaxQPSIPRule(100), DropAction()) addAction(MaxQPSIPRule(100), DropAction())
-- Backend servers -- Backend servers
setServerPolicy(firstAvailable) setServerPolicy(firstAvailable)
@@ -26,9 +26,10 @@ setMaxTCPConnectionDuration(1800)
setMaxTCPQueriesPerConnection(300) setMaxTCPQueriesPerConnection(300)
setMaxTCPConnectionsPerClient(10) setMaxTCPConnectionsPerClient(10)
-- DoT -- Frontend services
-- DNS-over-TLS
addTLSLocal( addTLSLocal(
"[2a01:e0a:4d5:3c20::101a]:853", "[2a01:e0a:1026:9bd0::101a]:853",
"/path/to/fullchain.pem", "/path/to/fullchain.pem",
"/path/to/privkey.key", "/path/to/privkey.key",
{ {
@@ -41,9 +42,9 @@ addTLSLocal(
} }
) )
-- DoH -- DNS-over-HTTP/2 (TLS)
addDOHLocal( addDOHLocal(
"[2a01:e0a:4d5:3c20::101a]:443", "[2a01:e0a:1026:9bd0::101a]:443",
"/path/to/fullchain.pem", "/path/to/fullchain.pem",
"/path/to/privkey.key", "/path/to/privkey.key",
{ {
@@ -58,13 +59,16 @@ addDOHLocal(
minTLSVersion = "tls1.2", minTLSVersion = "tls1.2",
ciphers = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384", ciphers = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384",
ciphersTLS13 = "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384", ciphersTLS13 = "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384",
customResponseHeaders={["link"]="<https://cantal.luc-geo.fr/#dns> rel=\"service-meta\";type=\"text/html\""}, customResponseHeaders = {
["Strict-Transport-Security"]="max-age=31536000; includeSubDomains; preload",
["link"]="<https://cantal.luc-geo.fr/#dns> rel=\"service-meta\";type=\"text/html\"",
},
tcpFastOpenQueueSize = 256 tcpFastOpenQueueSize = 256
} }
) )
supportpagemap = { supportpagemap = {
newDOHResponseMapEntry("^/$", 200, "Welcome on cantal, a DoH / DoT resolver (and more) open-source and privacy friendly. For more informations, see <https://cantal.luc-geo.fr>."), newDOHResponseMapEntry("^/$", 200, "Welcome on cantal, a DoH / DoT resolver (and more) free and privacy friendly. For more informations, see <https://cantal.luc-geo.fr>."),
newDOHResponseMapEntry("^/help$", 200, "For the server policy, see <https://cantal.luc-geo.fr/#policy>."), newDOHResponseMapEntry("^/help$", 200, "For the server policy, see <https://cantal.luc-geo.fr/#policy>."),
newDOHResponseMapEntry("^/about$", 307, "https://cantal.luc-geo.fr/#dns"), newDOHResponseMapEntry("^/about$", 307, "https://cantal.luc-geo.fr/#dns"),
newDOHResponseMapEntry("^/policy$", 307, "https://cantal.luc-geo.fr/#policy"), newDOHResponseMapEntry("^/policy$", 307, "https://cantal.luc-geo.fr/#policy"),
@@ -74,13 +78,15 @@ supportpagemap = {
dohFE6 = getDOHFrontend(0) dohFE6 = getDOHFrontend(0)
dohFE6:setResponsesMap(supportpagemap) dohFE6:setResponsesMap(supportpagemap)
-- Webserver -- Webserver
webserver("192.168.X.X:X") webserver("192.168.X.X:8081")
setWebserverConfig( setWebserverConfig(
{ {
password = hashPassword("<password>"), password = hashPassword("<password>"),
apiKey = hashPassword("<api-key>"), apiKey = hashPassword("<api_key>"),
acl = "" acl = "192.168.X.0/24, fe80::/10, fc00::/7"
} }
) )