From e6882b041e044f0704b1d9548f22376b0e8ba923 Mon Sep 17 00:00:00 2001
From: Lucas MATHIEU
Date: Fri, 1 May 2026 20:50:18 +0200
Subject: [PATCH] dnsdist.conf update
---
etc/dnsdist/dnsdist.conf | 42 ++++++++++++++++++++++------------------
1 file changed, 23 insertions(+), 19 deletions(-)
diff --git a/etc/dnsdist/dnsdist.conf b/etc/dnsdist/dnsdist.conf
index 2313169..db65461 100644
--- a/etc/dnsdist/dnsdist.conf
+++ b/etc/dnsdist/dnsdist.conf
@@ -1,15 +1,15 @@ --- /etc/dnsdist/dnsdist.conf: dndist conf. file for cantal --- --- Last edition : 2025-07-07 +-- /etc/dnsdist.conf: dndist conf. file for cantal +-- +-- Last edition : 2026-05-01 -- Last editor : @Campanu --- +-- -- ACL setACL("0.0.0.0/0") addACL("[::]/0") --- Request rate limite -addAction(MaxQPSIPRule(100), DropAction()) +-- Request rate limit +addAction(MaxQPSIPRule(100), DropAction()) -- Backend servers setServerPolicy(firstAvailable)
@@ -26,11 +26,12 @@ setMaxTCPConnectionDuration(1800) setMaxTCPQueriesPerConnection(300) setMaxTCPConnectionsPerClient(10) --- DoT +-- Frontend services +-- DNS-over-TLS addTLSLocal( - "[2a01:e0a:4d5:3c20::101a]:853", - "/path/to/fullchain.pem", - "/path/to/privkey.key", + "[2a01:e0a:1026:9bd0::101a]:853", + "/etc/dnsdist/server-dns.pem", + "/etc/dnsdist/server-dns.key", { provider = "openssl", minTLSVersion = "tls1.2",
@@ -41,11 +42,11 @@ addTLSLocal( } ) --- DoH +-- DNS-over-HTTP/2 (TLS) addDOHLocal( - "[2a01:e0a:4d5:3c20::101a]:443", - "/path/to/fullchain.pem", - "/path/to/privkey.key", + "[2a01:e0a:1026:9bd0::101a]:443", + "/etc/dnsdist/server-dns.pem", + "/etc/dnsdist/server-dns.key", { "/dns-query", "/", 
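Review bot: The rewritten header comment now names the file `/etc/dnsdist.conf`, but the patch itself is against `etc/dnsdist/dnsdist.conf`, so the new first line should read `-- /etc/dnsdist/dnsdist.conf: dnsdist conf. file for cantal` (which also fixes the `dndist` typo carried over from the removed line). The `setACL("0.0.0.0/0")` / `addACL("[::]/0")` pair is unchanged context, but since the comments directly above it were reworked, a one-line note stating that this is deliberately an open resolver would help the next reader, e.g. `-- Open resolver: every source is accepted, the per-source QPS rule below is the admission control`. The `-- Request rate limit` wording fix is fine as is.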
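Review bot: The listen address `[2a01:e0a:1026:9bd0::101a]` and the pair `/etc/dnsdist/server-dns.pem` / `/etc/dnsdist/server-dns.key` are now duplicated as literals between this `addTLSLocal(` call and the `addDOHLocal(` call in the next hunk, and this very commit had to renumber the prefix in both places. Hoisting them once above the frontends, `local listen6 = "[2a01:e0a:1026:9bd0::101a]"`, `local certFile = "/etc/dnsdist/server-dns.pem"`, `local keyFile = "/etc/dnsdist/server-dns.key"`, and passing `listen6 .. ":853"` / `listen6 .. ":443"` keeps the two frontends from drifting apart. Now that the key path is real rather than a placeholder, a comment such as `-- server-dns.key must be readable by the dnsdist user only` next to it would document the expectation the diff cannot show. The TLS option table opened here continues past the end of the hunk.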
@@ -58,13 +59,16 @@ addDOHLocal( minTLSVersion = "tls1.2", ciphers = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384", ciphersTLS13 = "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384", - customResponseHeaders={["link"]=" rel=\"service-meta\";type=\"text/html\""}, + customResponseHeaders = { + ["Strict-Transport-Security"]="max-age=31536000; includeSubDomains; preload", + ["link"]=" rel=\"service-meta\";type=\"text/html\"", + }, tcpFastOpenQueueSize = 256 } ) supportpagemap = { - newDOHResponseMapEntry("^/$", 200, "Welcome on cantal, a DoH / DoT resolver (and more) open-source and privacy friendly. For more informations, see ."), + newDOHResponseMapEntry("^/$", 200, "Welcome on cantal, a DoH / DoT resolver (and more) free and privacy friendly. For more informations, see ."), newDOHResponseMapEntry("^/help$", 200, "For the server policy, see ."), newDOHResponseMapEntry("^/about$", 307, "https://cantal.luc-geo.fr/#dns"), newDOHResponseMapEntry("^/policy$", 307, "https://cantal.luc-geo.fr/#policy"),
@@ -75,12 +79,12 @@ dohFE6 = getDOHFrontend(0) dohFE6:setResponsesMap(supportpagemap) -- Webserver -webserver("192.168.X.X:X") +webserver("192.168.X.X:8081") setWebserverConfig( { password = hashPassword(""), - apiKey = hashPassword(""), - acl = "" + apiKey = hashPassword(""), + acl = "192.168.X.0/24, fe80::/10, fc00::/7" } )
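Review bot: The new `Strict-Transport-Security` value carries `preload`, which is a request to be hard-coded into browser preload lists and, combined with `includeSubDomains`, commits every subdomain of the served name to HTTPS for a year once submitted; if that submission is not planned, `["Strict-Transport-Security"]="max-age=31536000; includeSubDomains"` is the reversible choice and `preload` can be added deliberately later. The table also mixes `"Strict-Transport-Security"` with lowercase `"link"`; header names are case-insensitive, but one casing, e.g. `["Link"]`, reads more consistently. In the rewritten welcome string, `For more informations` should be `For more information`. The `addDOHLocal(` call these options belong to starts before the hunk.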
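Review bot: `password = hashPassword("")` and `apiKey = hashPassword("")` are re-hashed at every start from whatever plaintext sits between the quotes, so if the empty string is a redaction the real secret still has to live in this versioned file; dnsdist also accepts the hashed string that `hashPassword` prints, so `password = "<hash generated offline>"` (placeholder, not a value from the page) keeps the plaintext out of the repo. If the empty string is literal, the web API on port 8081 is reachable with an empty password and API key from every source the new `acl` admits. That ACL, `192.168.X.0/24, fe80::/10, fc00::/7`, now covers the entire link-local and ULA ranges rather than a management host; if the UI is only used from one or two machines, listing them as single-host entries is the tighter choice and worth a comment saying why the ranges were chosen otherwise.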