[dnsdist] DNS over HTTPS

Remi Gacogne remi.gacogne at powerdns.com
Wed Jan 27 13:08:40 UTC 2021

Hi Blason,

On 1/27/21 10:49 AM, Blason R via dnsdist wrote:
> I am implementing DOH with BIND as my backend. I do have certain queries 
> and would really appreciate it if the community can help me?
>  1. After implementing dnsdist and BIND as downstream servers, I
>     observed that a lot of queries are being sent to ROOT DNS servers.
>     Any clue why?

By default, dnsdist sends a query for the "a.root-servers.net." name 
every second to check the availability of the backend. It can be changed 
via the 'checkName', 'checkType' and 'checkClass' parameters of the 
'newServer' directive.

>  2. How do I enable logging of dnsdist? Can someone share config

You might want to be more specific here, what exactly would you like to 
have in these logs?

>  3. What effect would it cause on my BIND TTL value since dnsdist is a
>     frontend?

Without seeing your configuration it's hard to answer. If you don't 
enable dnsdist's packet cache the answer from the backend will be passed 
to the client with the original TTL. If you do enable the packet cache 
then you can either let dnsdist decrement the TTL (default) or instruct 
it to keep the original TTL (the entry will still expire when the 
initial TTL gets to 0, but the answer is sent to the client with the 
original TTL) via the 'dontAge' parameter of the 'newPacketCache' directive.

>  4. And since I am using DOH internally, do I need to always go for a
>     signed certificate or will a self-signed one do?

That depends on what your clients are expecting, dnsdist itself doesn't 

Best regards,
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
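A dnsdist configuration fragment that puts the two parameters discussed above (the health-check name on 'newServer' and 'dontAge' on 'newPacketCache') next to a DoH frontend. This is an added example, not code from the thread or from the dnsdist project; the backend address, the health-check zone name, the certificate paths and the cache size are assumptions.

```lua
-- Added example dnsdist configuration (Lua); not from the original thread.
-- Backend address, zone name, certificate paths and cache size are assumptions.

-- Backend: BIND listening on the loopback interface.
-- By default dnsdist probes the backend every second with an A query for
-- "a.root-servers.net.", which a recursive BIND resolves by asking the root
-- servers. Probing a name BIND serves locally keeps those checks off the roots.
newServer({
  address       = "127.0.0.1:53",
  checkName     = "health.internal.",  -- hypothetical name in a zone BIND serves
  checkType     = "A",
  checkClass    = DNSClass.IN,
  checkInterval = 5                    -- seconds between probes (default is 1)
})

-- Packet cache: with dontAge = false (the default) dnsdist decrements the TTL
-- it hands to clients as the entry ages; with dontAge = true the client always
-- sees the original TTL, while the cached entry still expires when that TTL
-- reaches 0. Without any packet cache the backend's TTL is passed through as-is.
pc = newPacketCache(10000, {maxTTL = 86400, minTTL = 0, dontAge = true})
getPool(""):setCache(pc)

-- DoH frontend. Whether a self-signed certificate is acceptable is decided by
-- what the DoH clients are configured to trust, not by dnsdist.
addDOHLocal("0.0.0.0:443", "/etc/dnsdist/doh.pem", "/etc/dnsdist/doh.key",
            {"/dns-query"})
```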
