dnsdist.yml

# Listeners
binds:
  - listen_address: "0.0.0.0:53"
    protocol: Do53
    reuseport: true
    threads: 6
    tcp:
      fast_open_queue_size: 256
  - listen_address: "0.0.0.0:443"
    protocol: DoH
    reuseport: true
    threads: 4
    tcp:
      fast_open_queue_size: 256
    tls:
      certificates:
        - certificate: "/etc/dnsdist/dnsdist-ecc.crt"
          key: "/etc/dnsdist/dnsdist-ecc.key"
        - certificate: "/etc/dnsdist/dnsdist-rsa.crt"
          key: "/etc/dnsdist/dnsdist-rsa.key"
      ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"
      ciphers_tls_13: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
    doh:
      paths:
        - "/dns-query"
  - listen_address: "0.0.0.0:443"
    protocol: DoH3
    reuseport: true
    threads: 4
    tls:
      certificates:
        - certificate: "/etc/dnsdist/dnsdist-ecc.crt"
          key: "/etc/dnsdist/dnsdist-ecc.key"
        - certificate: "/etc/dnsdist/dnsdist-rsa.crt"
          key: "/etc/dnsdist/dnsdist-rsa.key"
      ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"
      ciphers_tls_13: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
    doh:
      paths:
        - "/dns-query"
  - listen_address: "0.0.0.0:853"
    protocol: DoT
    reuseport: true
    threads: 4
    tcp:
      fast_open_queue_size: 256
    tls:
      certificates:
        - certificate: "/etc/dnsdist/dnsdist-ecc.crt"
          key: "/etc/dnsdist/dnsdist-ecc.key"
        - certificate: "/etc/dnsdist/dnsdist-rsa.crt"
          key: "/etc/dnsdist/dnsdist-rsa.key"
      ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"
      ciphers_tls_13: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
  - listen_address: "0.0.0.0:784"
    protocol: DoQ
    reuseport: true
    threads: 4
    tls:
      certificates:
        - certificate: "/etc/dnsdist/dnsdist-ecc.crt"
          key: "/etc/dnsdist/dnsdist-ecc.key"
        - certificate: "/etc/dnsdist/dnsdist-rsa.crt"
          key: "/etc/dnsdist/dnsdist-rsa.key"
      ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"
      ciphers_tls_13: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
  - listen_address: "0.0.0.0:853"
    protocol: DoQ
    reuseport: true
    threads: 4
    tls:
      certificates:
        - certificate: "/etc/dnsdist/dnsdist-ecc.crt"
          key: "/etc/dnsdist/dnsdist-ecc.key"
        - certificate: "/etc/dnsdist/dnsdist-rsa.crt"
          key: "/etc/dnsdist/dnsdist-rsa.key"
      ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"
      ciphers_tls_13: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"

acl:
  - 10.0.0.0/8
  - 100.64.0.0/10
  - 127.0.0.1/32
# Some entries removed

# Increase the in-memory rings size (the default, 10000, is only one second at 10k qps) used by
# live-traffic inspection features like grepq, and use 100 shards to improve performance
ring_buffers:
  size: 1000000
  shards: 100

netmask_groups:
  - name: "dc_networks"
    netmasks:
      - "10.20.0.0/24"
      - "10.20.1.0/24"
      - "10.20.16.0/24"
  - name: "partner_networks"
    netmasks:
      - "192.168.96.0/24"
      - "10.128.0.0/16"


query_rules:
  - selector:
      type: "QName"
      qname: "use-application-dns.net"
    action:
      type: "RCode"
      rcode: "NXDOMAIN"

# Define load balancing method
# Using 'first available' should steer most traffic locally while
# whashed uses weighted policy, but assigns questions with identical hash to identical servers,
# allowing for better cache concentration (‘sticky queries’).
load_balancing_policies:
  default_policy: "firstAvailable"
  consistent_hashing_balancing_factor: 1.1

backends:
  - address: "127.0.0.1:5300"
    name: "local"
    order: 1
    protocol: "Do53"
    weight: 100000
    queries_per_second: 15000
    use_proxy_protocol: true
    use_client_subnet: true
    sockets: 8
    health_checks:
      mode: "lazy"
      interval: 1
      max_failures: 3
      rise: 2
      lazy:
        mode: "TimeoutOnly"
        threshold: 30
        min_sample_count: 10
        sample_size: 100
  - address: "80.71.82.118:5300"
    name: "anycastdns10"
    order: 3
    protocol: "Do53"
    weight: 1000
    queries_per_second: 5000
    use_proxy_protocol: true
    use_client_subnet: true
    sockets: 8
    health_checks:
      mode: "lazy"
      interval: 1
      max_failures: 3
      rise: 2
      lazy:
        mode: "TimeoutOnly"
        threshold: 30
        min_sample_count: 10
        sample_size: 100
# Some entries removed

# eBPF map configuration
ebpf:
  ipv4:
    max_entries: 8192
  ipv6:
    max_entries: 1024
  cidr_ipv4:
    max_entries: 8192
  cidr_ipv6:
    max_entries: 1024
  qnames:
    max_entries: 8192
  external: false

dynamic_rules_settings:
  default_action: "Refused"

# Generate a warning if we detect a query rate above 100 qps for at least 10s.
# If the query rate raises above 300 qps for 10 seconds, we'll block the client for 60 seconds.
dynamic_rules:
  - name: "query-rate"
    mask_ipv4: 32
    mask_ipv6: 64
    rules:
      - type: "query-rate"
        rate: 300
        seconds: 10
        action_duration: 60
        warning_rate: 100
        comment: "query rate exceeded"
      - type: "qtype-rate"
        qtype: 255 # ANY
        rate: 5
        seconds: 10
        action_duration: 60
        comment: "ANY rate exceeded"
  - name: "rcode-rate"
    mask_ipv4: 32
    mask_ipv6: 64
    rules:
      - type: "rcode-rate"
        rcode: "NXDOMAIN"
        rate: 20
        seconds: 10
        action_duration: 60
        comment: "NXDOMAIN rate exceeded"
      - type: "rcode-rate"
        rcode: "SERVFAIL"
        rate: 20
        seconds: 10
        action_duration: 60
        comment: "SERVFAIL rate exceeded"

# Configure packet cache
packet_caches:
  - name: "default-cache"
    size: 5000000
    max_ttl: 600
    min_ttl: 0
    temporary_failure_ttl: 10
    stale_ttl: 60
    max_negative_ttl: 60
    shards: 20
    dont_age: false

pools:
  - name: ""
    packet_cache: "default-cache"
  - name: "internal"
    packet_cache: "internal-cache"

# Webserver for API
webserver:
  listen_addresses:
    - "127.0.0.1:8083"
  password: "$scrypt$ln=10,p=1,r=8$V42g5Qybm8qPFcABMIUz/w==$A8AnugHML7flTJuDBoFnTPaon9Q/aoo66KU+EZp8x9E="
  api_key: "$scrypt$ln=10,p=1,r=8$tYW5Y0qXUNHWeU8Reg+fwA==$xGPc/d7QvOyk6KBfX10mU+KLkjSEg5woT1Mc6Ur1rmc="
  stats_require_authentication: false
  acl:
    - "127.0.0.0/8"

console:
  listen_address: "127.0.0.1"
  key: "<REDACTED>"