94 lines
2.7 KiB
Plaintext
94 lines
2.7 KiB
Plaintext
-- /etc/dnsdist.conf: dndist conf. file for cantal
|
|
--
|
|
-- Last edition : 2026-05-01
|
|
-- Last editor : @Campanu
|
|
--
|
|
|
|
-- ACL
|
|
setACL("0.0.0.0/0")
|
|
addACL("[::]/0")
|
|
|
|
-- Request rate limit
|
|
addAction(MaxQPSIPRule(100), DropAction())
|
|
|
|
-- Backend servers
|
|
setServerPolicy(firstAvailable)
|
|
newServer({address = "[::1]:53", useClientSubnet = false, name = "cantal-unbound"})
|
|
|
|
-- Cache
|
|
pc = newPacketCache(100000)
|
|
getPool(""):setCache(pc)
|
|
|
|
-- Tweaks
|
|
setMaxUDPOutstanding(65535)
|
|
setMaxTCPClientThreads(30)
|
|
setMaxTCPConnectionDuration(1800)
|
|
setMaxTCPQueriesPerConnection(300)
|
|
setMaxTCPConnectionsPerClient(10)
|
|
|
|
-- Frontend services
|
|
-- DNS-over-TLS
|
|
addTLSLocal(
|
|
"[2a01:e0a:1026:9bd0::101a]:853",
|
|
"/etc/dnsdist/server-dns.pem",
|
|
"/etc/dnsdist/server-dns.key",
|
|
{
|
|
provider = "openssl",
|
|
minTLSVersion = "tls1.2",
|
|
ciphers = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384",
|
|
ciphersTLS13 = "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384",
|
|
tcpFastOpenQueueSize = 256,
|
|
maxInFlight = 300
|
|
}
|
|
)
|
|
|
|
-- DNS-over-HTTP/2 (TLS)
|
|
addDOHLocal(
|
|
"[2a01:e0a:1026:9bd0::101a]:443",
|
|
"/etc/dnsdist/server-dns.pem",
|
|
"/etc/dnsdist/server-dns.key",
|
|
{
|
|
"/dns-query",
|
|
"/",
|
|
"/help",
|
|
"/about",
|
|
"/policy",
|
|
"/rfc"
|
|
},
|
|
{
|
|
minTLSVersion = "tls1.2",
|
|
ciphers = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384",
|
|
ciphersTLS13 = "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384",
|
|
customResponseHeaders = {
|
|
["Strict-Transport-Security"]="max-age=31536000; includeSubDomains; preload",
|
|
["link"]="<https://cantal.luc-geo.fr/#dns> rel=\"service-meta\";type=\"text/html\"",
|
|
},
|
|
tcpFastOpenQueueSize = 256
|
|
}
|
|
)
|
|
|
|
supportpagemap = {
|
|
newDOHResponseMapEntry("^/$", 200, "Welcome on cantal, a DoH / DoT resolver (and more) free and privacy friendly. For more informations, see <https://cantal.luc-geo.fr>."),
|
|
newDOHResponseMapEntry("^/help$", 200, "For the server policy, see <https://cantal.luc-geo.fr/#policy>."),
|
|
newDOHResponseMapEntry("^/about$", 307, "https://cantal.luc-geo.fr/#dns"),
|
|
newDOHResponseMapEntry("^/policy$", 307, "https://cantal.luc-geo.fr/#policy"),
|
|
newDOHResponseMapEntry("^/rfc$", 307, "https://datatracker.ietf.org/doc/html/rfc8484")
|
|
}
|
|
|
|
dohFE6 = getDOHFrontend(0)
|
|
dohFE6:setResponsesMap(supportpagemap)
|
|
|
|
-- Webserver
|
|
webserver("192.168.X.X:8081")
|
|
setWebserverConfig(
|
|
{
|
|
password = hashPassword("<password>"),
|
|
apiKey = hashPassword("<api_key>"),
|
|
acl = "192.168.X.0/24, fe80::/10, fc00::/7"
|
|
}
|
|
)
|
|
|
|
-- Console
|
|
controlSocket('[::1]:5199')
|
|
setKey("<key>")
|