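-- /etc/dnsdist/dnsdist.conf: dnsdist configuration file for cantal
--
-- Last edition : 2025-07-06
-- Last editor  : @Campanu
--
-- Layout: a public DoT (853) and DoH (443) front end on one IPv6 address,
-- forwarding to a single resolver on loopback. Secrets and some addresses
-- are blanked in this copy ("", 192.168.X.X:X, /path/to/...); every such
-- placeholder must be filled in before the file is usable.

-- ACL
-- Queries are accepted from any IPv4 and IPv6 source (public resolver).
-- No setLocal()/addLocal() appears in this file, so plain DNS on port 53 is
-- left to dnsdist's default listener (loopback, as far as I know -- confirm
-- for the deployed version). Adding a public UDP/53 listener under this ACL
-- would make the host an open resolver usable for reflection/amplification.
setACL("0.0.0.0/0")
addACL("[::]/0")

-- Request rate limit
-- Drops queries from a source exceeding 100 qps. With no mask arguments the
-- rule groups clients by its default prefix lengths (/32 for IPv4, /64 for
-- IPv6), so hosts sharing an IPv6 /64 share one budget.
addAction(MaxQPSIPRule(100), DropAction())

-- Backend servers
-- Single backend on loopback; firstAvailable has nothing to fail over to.
-- useClientSubnet = false: no EDNS Client Subnet is added towards the backend.
setServerPolicy(firstAvailable)
newServer({
  address = "[::1]:53",
  useClientSubnet = false,
  name = "cantal-unbound"
})

-- Cache
-- Packet cache of at most 100000 entries, attached to the default pool ("").
pc = newPacketCache(100000)
getPool(""):setCache(pc)

-- Tweaks
-- The TCP limits bound how much a single client or a long-lived connection
-- can hold: 30 client threads, 1800 s per connection, 300 queries per
-- connection, 10 concurrent connections per client. They apply to the
-- TCP-based listeners, which here includes DoT.
setMaxUDPOutstanding(65535)
setMaxTCPClientThreads(30)
setMaxTCPConnectionDuration(1800)
setMaxTCPQueriesPerConnection(300)
setMaxTCPConnectionsPerClient(10)

-- DoT
-- TLS 1.2 minimum, AEAD suites only. Every TLS 1.2 suite listed is
-- ECDHE-ECDSA, so the certificate must carry an ECDSA key; with an RSA
-- certificate TLS 1.2 clients would find no usable suite.
-- The private key file should be readable by the dnsdist user only.
addTLSLocal(
  "[2a01:e0a:4d5:3c20::101a]:853",
  "/path/to/fullchain.pem",
  "/path/to/privkey.key",
  {
    provider = "openssl",
    minTLSVersion = "tls1.2",
    ciphers = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384",
    ciphersTLS13 = "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384",
    tcpFastOpenQueueSize = 256,
    maxInFlight = 300
  }
)

-- DoH
-- Same certificate, key and cipher policy as the DoT listener. The URL list
-- registers "/dns-query" for DNS queries; the other paths are answered by
-- the response map set further down.
-- NOTE(review): the "link" header value starts with a space and has no
-- <target-URI> part; the target looks lost or redacted in this copy and
-- should be restored, otherwise the header is not a well-formed Link value.
addDOHLocal(
  "[2a01:e0a:4d5:3c20::101a]:443",
  "/path/to/fullchain.pem",
  "/path/to/privkey.key",
  { "/dns-query", "/", "/help", "/about", "/policy", "/rfc" },
  {
    minTLSVersion = "tls1.2",
    ciphers = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384",
    ciphersTLS13 = "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384",
    customResponseHeaders={["link"]=" rel=\"service-meta\";type=\"text/html\""}
  }
)

-- Static answers for the non-DNS paths. Each entry is (path regex, HTTP
-- status, content); for the 307 entries the content is the redirect target.
-- The line break inside the welcome text is written as \n: a raw newline
-- inside a quoted Lua string does not parse.
-- NOTE(review): "see ." in the first two messages has no link target in
-- this copy; it appears to have been stripped and should be restored.
supportpagemap = {
  newDOHResponseMapEntry("^/$", 200, "Welcome on cantal, a DoH / DoT resolver (and more) open-source and privacy friendly. \nFor more informations, see ."),
  newDOHResponseMapEntry("^/help$", 200, "For the server policy, see ."),
  newDOHResponseMapEntry("^/about$", 307, "https://cantal.luc-geo.fr/#dns"),
  newDOHResponseMapEntry("^/policy$", 307, "https://cantal.luc-geo.fr/#policy"),
  newDOHResponseMapEntry("^/rfc$", 307, "https://datatracker.ietf.org/doc/html/rfc8484")
}
-- Index 0 is the first DoH frontend declared, i.e. the addDOHLocal() above.
dohFE6 = getDOHFrontend(0)
dohFE6:setResponsesMap(supportpagemap)

-- Webserver
-- Statistics/API listener on a private address (address and port blanked).
-- password, apiKey and acl are blanked here and must all be set:
--   * password / apiKey: strong, distinct secrets. hashPassword("...") with
--     the plaintext inline still leaves the plaintext in this file; running
--     hashPassword() once in the console and pasting the resulting hash
--     here avoids that.
--   * acl: the admin hosts or network only, not the client ACL above.
-- No TLS option is set for this listener in this file, so it should stay on
-- a trusted network segment.
webserver("192.168.X.X:X")
setWebserverConfig(
  {
    password = hashPassword(""),
    apiKey = hashPassword(""),
    acl = ""
  }
)

-- Console
-- Control socket bound to loopback. setKey() takes the shared key that
-- protects console traffic (generated with makeKey()); it is blanked here.
-- Since this file then holds that key, it should not be world-readable.
controlSocket('[::1]:5199')
setKey("")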