<div dir="ltr"><div dir="ltr"><div>Hi there,</div><div><br></div><div>Here are my responses, and my config file:</div><div><br></div><div>addACL('0.0.0.0/0')<br>addDOHLocal("0.0.0.0:443", "/etc/ssl/certs/5c4e864be20f67a8.pem", "/etc/ssl/certs/ccccsan.key", { "/" }, { doTCP=true, reusePort=true, tcpFastOpenSize=0 } )<br>newServer({address="127.0.0.1:53", qps=100 })<br>webserver ("192.168.5.112:8083", "admin@123", "192.168.5.0/24")<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jan 27, 2021 at 6:38 PM Remi Gacogne via dnsdist <<a href="mailto:dnsdist@mailman.powerdns.com">dnsdist@mailman.powerdns.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Blason,<br>
<br>
On 1/27/21 10:49 AM, Blason R via dnsdist wrote:<br>
> I am implementing DOH with BIND as my backend. I do have certain queries <br>
> and would really appreciate it if the community can help me.<br>
> <br>
> 1. After implementing dnsdist and BIND as downstream servers; I<br>
> observed that a lot of queries are being sent to ROOT DNS servers.<br>
> Any clue why?<br></blockquote><div>So those are the queries which are sent for the load balancer? How do I at least stop those, or stop logging them? Since I am collecting the BIND queries.log, this is unnecessarily increasing my DB size.<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
By default, dnsdist sends a query for the "<a href="http://a.root-servers.net" rel="noreferrer" target="_blank">a.root-servers.net</a>." name <br>
every second to check the availability of the backend. It can be changed <br>
via the 'checkName', 'checkType' and 'checkClass' parameters of the <br>
'newServer' directive.<br>
<br>
> 2. How do I enable logging of dnsdist? Can someone share config<br>
<br>
You might want to be more specific here, what exactly would you like to <br>
have in these logs?<br></blockquote><ul><li>I need to have the query received</li><li>the original client IP over DOH?</li><li>How do I debug any issues? Or daemon syslogs?</li></ul><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
> 3. What effect it would cause on my BIND TTL value since dnsdist as a<br>
> frontend?<br>
<br>
Without seeing your configuration it's hard to answer. If you don't <br>
enable dnsdist's packet cache the answer from the backend will be passed <br>
to the client with the original TTL. If you do enable the packet cache <br>
then you can either let dnsdist decrement the TTL (default) or instruct <br>
it to keep the original TTL (the entry will still expire when the <br>
initial TTL gets to 0, but the answer is sent to the client with the <br>
original TTL) via the 'dontAge' parameter of the 'newPacketCache' directive.<br>
<br>
> 4. And since I am using DOH internally do I need to always go for<br>
> signed certificate or even self sign will do?<br>
<br>
That depends on what your clients are expecting; dnsdist itself doesn't <br>
care.<br></blockquote><div><b>So using DOH with all the latest browsers should not be an issue then.</b> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Best regards,<br>
-- <br>
Remi Gacogne<br>
PowerDNS.COM BV - <a href="https://www.powerdns.com/" rel="noreferrer" target="_blank">https://www.powerdns.com/</a><br>
_______________________________________________<br>
dnsdist mailing list<br>
<a href="mailto:dnsdist@mailman.powerdns.com" target="_blank">dnsdist@mailman.powerdns.com</a><br>
<a href="https://mailman.powerdns.com/mailman/listinfo/dnsdist" rel="noreferrer" target="_blank">https://mailman.powerdns.com/mailman/listinfo/dnsdist</a><br>
</blockquote></div></div>
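<div>An added example, not part of this thread and not code from the dnsdist project: a dnsdist configuration (Lua) that applies the three points in Remi's reply to a setup like the one posted above: moving the backend health check off the root servers, logging received queries with the client address, and keeping the original TTL in cached answers. Every name, path, address and password in it is an assumption (a placeholder to be replaced), and it assumes the dnsdist 1.4+ table syntax for newPacketCache and setWebserverConfig.</div>

```lua
-- Added example config (not from the thread or the dnsdist project).
-- All names, paths and addresses below are placeholders.

-- Only accept queries from the LAN and from the host itself.
setACL({ "192.168.5.0/24", "127.0.0.1/32" })

-- DoH listener, as in the posted config; certificate paths are placeholders.
addDOHLocal("0.0.0.0:443",
            "/etc/ssl/certs/doh-cert.pem",       -- placeholder
            "/etc/ssl/private/doh-key.pem",      -- placeholder
            { "/dns-query" },
            { reusePort = true })

-- 1. Health checks.
--    By default dnsdist asks each backend for 'a.root-servers.net.' once a
--    second to see whether it is alive. Pointing the check at a name that
--    BIND serves locally keeps the probe off the root servers and gives a
--    fixed QNAME you can filter out of BIND's queries.log.
newServer({
  address       = "127.0.0.1:53",
  qps           = 100,
  checkName     = "health.lan.example",   -- placeholder: a name BIND answers itself
  checkType     = "A",
  checkClass    = DNSClass.IN,
  checkInterval = 5,                      -- seconds between probes (default 1)
})
-- Log the outcome of every health check; useful while debugging backends.
setVerboseHealthChecks(true)

-- 2. Logging.
--    Text log of every query dnsdist receives, one line per query including
--    the client's source address and the QNAME/QTYPE.
--    Arguments: filename, binary=false, append=true, buffered=false.
addAction(AllRule(), LogAction("/var/log/dnsdist/queries.log", false, true, false))

-- 3. TTL handling.
--    Without a packet cache the backend's TTL passes through unchanged.
--    With a cache, dontAge=true sends the original TTL to clients instead of
--    a decremented one; the entry still expires once that TTL reaches zero.
local pc = newPacketCache(10000, { maxTTL = 86400, minTTL = 0, dontAge = true })
getPool(""):setCache(pc)

-- Web console bound to loopback only, with the credentials set separately
-- (newer API than the positional form in the posted config).
webserver("127.0.0.1:8083")
setWebserverConfig({ password = "REPLACE-ME", acl = "127.0.0.1/32" })   -- placeholder
```

<div>Check the file with <code>dnsdist --check-config -C /etc/dnsdist/dnsdist.conf</code> before restarting the daemon. With the health check aimed at a locally served name, the periodic probes no longer go out to the root servers and show up in BIND's queries.log under that one name, so they can be dropped from the collector by QNAME. For the "how do I debug" question, starting dnsdist with <code>--verbose</code> prints per-query detail to stdout (or syslog when supervised), which is usually enough to see whether a DoH query reached the backend and what came back.</div>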