maciej at soltysiak.com
Sun Apr 16 20:17:14 UTC 2017
On Sun, Apr 16, 2017 at 8:42 PM, Remi Gacogne <remi.gacogne at powerdns.com>
> On 04/16/2017 07:03 PM, Maciej Soltysiak wrote:
> > dnsdist doesn't serve the dnscrypt cert for me.
> > I set it up first with:
> > generateDNSCryptProviderKey("/opt/dnscrypt/etc/providerPublic.key",
> > "/opt/dnscrypt/etc/providerPrivate.key")
> > generateDNSCryptCertificate("/opt/dnscrypt/etc/providerPrivate.key",
> > "/opt/dnscrypt/etc/resolver.cert", "/run/dnscryptPrivate.key", 1,
> > 1492355593, 1492398793)
> > Then I added the bind with:
> > addDNSCryptBind("0.0.0.0:443",
> > "2.dnscrypt-cert.poz.dnscrypt.pl",
> > "/opt/dnscrypt/etc/resolver.cert", "/run/dnscryptPrivate.key")
> > I made sure the permissions are that _dnsdist user can read the files.
> > When I connect using dnscrypt-proxy with 2.dnscrypt-cert.poz.dnscrypt.pl
> > as provider name, it sends the
> > packet to fetch the cert but dnsdist doesn't reply.
> > I'd normally think this means provider name mismatch, but it's the same.
> Even if the provider name did not match, I believe dnsdist should send a
> certificate response. Could you look at the output of the "dumpStats()"
> command to see if any counter increases? Oh, did you configure the ACL
> properly, because by default queries from non-rfc1918 addresses are
You're right! It was the ACL...
Funny, I added addACL("0/0") to the config assuming it would work.
I was surprised to see that dnsdist wouldn't accept it and it worked when I
btw. dumpStats() is really cool, thanks!
> Remi Gacogne
> PowerDNS.COM BV - https://www.powerdns.com