[dnsdist] dnscrypt

Maciej Soltysiak maciej at soltysiak.com
Sun Apr 16 20:17:14 UTC 2017


Hi Remi,

On Sun, Apr 16, 2017 at 8:42 PM, Remi Gacogne <remi.gacogne at powerdns.com>
wrote:

> Hi,
>
> On 04/16/2017 07:03 PM, Maciej Soltysiak wrote:
> > dnsdist doesn't serve the dnscrypt cert for me.
> >
> > I set it up first with:
> > generateDNSCryptProviderKey("/opt/dnscrypt/etc/providerPublic.key",
> > "/opt/dnscrypt/etc/providerPrivate.key")
> > generateDNSCryptCertificate("/opt/dnscrypt/etc/providerPrivate.key",
> > "/opt/dnscrypt/etc/resolver.cert", "/run/dnscryptPrivate.key", 1,
> > 1492355593, 1492398793)
> >
> > Then I added the bind with:
> > addDNSCryptBind("0.0.0.0:443", "2.dnscrypt-cert.poz.dnscrypt.pl",
> > "/opt/dnscrypt/etc/resolver.cert", "/run/dnscryptPrivate.key")
> >
> > I made sure the permissions are set so that the _dnsdist user can read the files.
> >
> > When I connect using dnscrypt-proxy with 2.dnscrypt-cert.poz.dnscrypt.pl
> > as provider name, it sends the packet to fetch the cert but dnsdist
> > doesn't reply.
> >
> > I'd normally think this means provider name mismatch, but it's the same.
>
> Even if the provider name did not match, I believe dnsdist should send a
> certificate response. Could you look at the output of the "dumpStats()"
> command to see if any counter increases? Oh, did you configure the ACL
> properly, because by default queries from non-rfc1918 addresses are
> dropped?
>
You're right! It was the ACL...

Funny, I added addACL("0/0") to the config assuming it would work.
I was surprised to see that dnsdist wouldn't accept it, and it worked when I
used 0.0.0.0/0.

btw. dumpStats() is really cool, thanks!


> Regards,
>
> --
> Remi Gacogne
> PowerDNS.COM BV - https://www.powerdns.com

Best regards,
Maciej
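A complete dnsdist configuration that puts the pieces from this thread together (DNSCrypt frontend plus the ACL fix), as an added example that is not the original poster's or PowerDNS's configuration. Paths, provider name and listen address are taken from the thread; the backend address and the IPv6 ACL entry are assumptions, and the key-generation function names follow the dnsdist documentation (`generateDNSCryptProviderKeys`, plural).

```lua
-- dnsdist.conf (Lua). Added example for this thread, not the original
-- poster's or PowerDNS's own configuration. Paths and provider name come
-- from the thread; backend address and the IPv6 ACL entry are assumed.

-- Key and certificate generation is a one-off step: run these once from the
-- dnsdist console rather than in the startup config, otherwise the provider
-- keys are regenerated on every restart and clients pinning the public key
-- stop validating the certificate.
--   generateDNSCryptProviderKeys("/opt/dnscrypt/etc/providerPublic.key",
--                                "/opt/dnscrypt/etc/providerPrivate.key")
--   generateDNSCryptCertificate("/opt/dnscrypt/etc/providerPrivate.key",
--                               "/opt/dnscrypt/etc/resolver.cert",
--                               "/run/dnscryptPrivate.key",
--                               1, 1492355593, 1492398793)

-- DNSCrypt frontend: listen address, provider name, signed certificate and
-- the resolver's short-term private key produced by the step above.
addDNSCryptBind("0.0.0.0:443", "2.dnscrypt-cert.poz.dnscrypt.pl",
                "/opt/dnscrypt/etc/resolver.cert", "/run/dnscryptPrivate.key")

-- Backend that answers the decrypted queries (assumed address).
newServer("127.0.0.1:5300")

-- The default ACL only admits RFC 1918 and loopback sources, which is why the
-- certificate query from an Internet client was silently dropped. The ACL
-- applies to every frontend, DNSCrypt included, so a public resolver has to
-- widen it. Prefixes must be written out in full: "0/0" is rejected, while
-- "0.0.0.0/0" is accepted.
setACL({ "0.0.0.0/0", "::/0" })

-- Verify from the console with dumpStats(): "acl-drops" should stop growing
-- and "queries" should increase once a client fetches the certificate.
```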