dnsdist.conf

Sep 17th, 2025
38
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Lua 4.33 KB | None | 0 0
  1. -- Main listener
  2. setLocal("0.0.0.0:53", { reusePort=true, useClientSubnet=true, tcpFastOpenSize=5, doTCP=true, cpu={0}, numberOfShards=16 })
  3.  
  4. -- Additional listener threads
  5. addLocal("0.0.0.0:53", {reusePort=true, useClientSubnet=true, tcpFastOpenSize=5, doTCP=true, cpu={ 1 }, numberOfShards=16 })
  6. addLocal("0.0.0.0:53", {reusePort=true, useClientSubnet=true, tcpFastOpenSize=5, doTCP=true, cpu={ 2 }, numberOfShards=16 })
  7. addLocal("0.0.0.0:53", {reusePort=true, useClientSubnet=true, tcpFastOpenSize=5, doTCP=true, cpu={ 3 }, numberOfShards=16 })
  8.  
  9. -- Increase the in-memory rings size (the default, 10000, is only one second at 10k qps) used by
  10. -- live-traffic inspection features like grepq, and use 100 shards to improve performance
  11. setRingBuffersSize(1000000, 100)
  12.  
  13. -- ACL for customer networks
  14. addACL("10.0.0.0/8")
  15. addACL("100.64.0.0/10")
  16. addACL("127.0.0.1/32")
  17. -- some addACL lines removed
  18.  
  19. -- load balancing policy. Using 'first available' should steer most traffic locally
  20. -- https://dnsdist.org/guides/serverselection.html#firstavailable
  21. setServerPolicy(firstAvailable)
  22. newServer({address="80.71.82.2:5300",name="anycastdns21",qps=5000,order="1",useProxyProtocol=true})
  23. newServer({address="80.71.82.118:5300",name="anycastdns10",qps=5000,order="3",useProxyProtocol=true})
  24. -- Some newServer lines removed
  25.  
  26. -- Define rate limits
  27.  
  28. -- Dynamic rules
  29. local dbr = dynBlockRulesGroup()
  30.  
  31. -- Generate a warning if we detect a query rate above 100 qps for at least 10s.
  32. -- If the query rate raises above 300 qps for 10 seconds, we'll block the client for 60 seconds.
  33. dbr:setQueryRate(300, 10, "Exceeded query rate", 60, 100)
  34.  
  35. -- If more than 20 NXD responses per second measured over 10 seconds, block for 60 seconds
  36. dbr:setRCodeRate(DNSRCode.NXDOMAIN, 20, 10, "Exceeded NXD rate", 60)
  37.  
  38. -- If more than 20 SERVFAIL responses per second measured over 10 seconds, block for 60 seconds
  39. dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 10, "Exceeded ServFail rate", 60)
  40.  
  41. -- If more than 5 ANY qps measured over 10 seconds, block for 60 seconds
  42. dbr:setQTypeRate(DNSQType.ANY, 5, 10, "Exceeded ANY rate", 60)
  43.  
  44. -- If more than 10Kb/s responses measured over 10 seconds. Disabled for now.
  45. -- dbr:setResponseByteRate(10000, 10, "Exceeded resp BW rate", 60)
  46.  
  47.  
  48. function maintenance()
  49.   dbr:apply()
  50. end
  51.  
  52. -- Configure packet cache
  53. pc = newPacketCache(1000000, {maxTTL=600, minTTL=0, temporaryFailureTTL=10, staleTTL=60, maxNegativeTTL=60, numberOfShards=4, dontAge=false})
  54. getPool(""):setCache(pc)
  55.  
  56. -- Webserver for API
  57. webserver("127.0.0.1:8083")
  58. setWebserverConfig({statsRequireAuthentication=false, apiKey='$scrypt$ln=10,p=1,r=8$tYW5Y0qXUNHWeU8Reg+fwA==$xGPc/d7QvOyk6KBfX10mU+KLkjSEg5woT1Mc6Ur1rmc=', acl='192.168.1.0/24, 172.25.1.0/24, 127.0.0.0/8', password='$scrypt$ln=10,p=1,r=8$V42g5Qybm8qPFcABMIUz/w==$A8AnugHML7flTJuDBoFnTPaon9Q/aoo66KU+EZp8x9E='})
  59.  
  60. -- Control socket (for using the local console
  61. controlSocket("127.0.0.1")
  62. setKey("<REDACTED>")
  63.  
  64.  
  65. -- Define DNS-over-HTTPS interface
  66. addDOHLocal('0.0.0.0', { '/etc/dnsdist/dnsdist-ecc.crt', '/etc/dnsdist/dnsdist-rsa.crt'}, { '/etc/dnsdist/dnsdist-ecc.key', '/etc/dnsdist/dnsdist-rsa.key'}, { '/', '/dns-query' }, { reusePort=true, minTLSVersion='tls1.2', ciphers='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305', ciphersTLS13='TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256', tcpFastOpenQueueSize=256,  })
  67.  
  68. -- Define DNS-over-TLS interface
  69. addTLSLocal('0.0.0.0', { '/etc/dnsdist/dnsdist-ecc.crt', '/etc/dnsdist/dnsdist-rsa.crt'}, { '/etc/dnsdist/dnsdist-ecc.key', '/etc/dnsdist/dnsdist-rsa.key'}, { reusePort=true, minTLSVersion='tls1.2', ciphers='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305', ciphersTLS13='TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256', tcpFastOpenQueueSize=256 })
  70.  
  71. -- Block Firefox automatic DoH (https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet)
  72. addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))