[dnsdist] DNS over HTTPS
Remi Gacogne
remi.gacogne at powerdns.com
Wed Jan 27 13:08:40 UTC 2021
Hi Blason,
On 1/27/21 10:49 AM, Blason R via dnsdist wrote:
> I am implementing DoH with BIND as my backend. I do have certain queries
> and would really appreciate it if the community can help me.
>
> 1. After implementing dnsdist with BIND as the downstream server, I
> observed that a lot of queries are being sent to the ROOT DNS servers.
> Any clue why?
By default, dnsdist sends a query for the "a.root-servers.net." name
every second to check the availability of the backend. It can be changed
via the 'checkName', 'checkType' and 'checkClass' parameters of the
'newServer' directive.
> 2. How do I enable logging of dnsdist? Can someone share a config?
You might want to be more specific here, what exactly would you like to
have in these logs?
> 3. What effect would it have on my BIND TTL values, since dnsdist is
> acting as a frontend?
Without seeing your configuration it's hard to answer. If you don't
enable dnsdist's packet cache the answer from the backend will be passed
to the client with the original TTL. If you do enable the packet cache
then you can either let dnsdist decrement the TTL (default) or instruct
it to keep the original TTL (the entry will still expire when the
initial TTL gets to 0, but the answer is sent to the client with the
original TTL) via the 'dontAge' parameter of the 'newPacketCache' directive.
> 4. And since I am using DOH internally do I need to always go for
> signed certificate or even self sign will do?
That depends on what your clients are expecting, dnsdist itself doesn't
care.
Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
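The points made in the reply above, collected into one dnsdist configuration as an added example (this is not a config from the original thread or from the dnsdist project): the backend health check is pointed at a name the local BIND is authoritative for instead of the default "a.root-servers.net.", so the checks stay on the LAN instead of being observed as root-server traffic; a packet cache is enabled with 'dontAge' so clients receive the backend's original TTL; and a DoH frontend is added on top. The addresses, the zone name "example.internal.", the certificate paths and the cache size are assumptions for illustration, not values from the thread.

```lua
-- dnsdist.conf (Lua), illustrative only; adjust addresses, zone and paths.
-- Assumption: BIND listens on 127.0.0.1:5300 and is authoritative for
-- "example.internal.", so the health-check query below never leaves the host.

-- 1. Backend with a local health check instead of the default root-server name.
--    By default dnsdist probes "a.root-servers.net." (A/IN) once a second;
--    overriding checkName/checkType/checkClass keeps that probe local.
newServer({
  address    = "127.0.0.1:5300",
  name       = "bind-local",
  checkName  = "ns1.example.internal.",   -- assumed name served by BIND
  checkType  = "A",
  checkClass = DNSClass.IN,
  checkInterval    = 5,    -- seconds between probes (default is 1)
  maxCheckFailures = 3,    -- consecutive failures before marking the backend down
  rise             = 2,    -- consecutive successes before marking it up again
})

-- Optional: log each health-check result while tuning the values above.
setVerboseHealthChecks(false)

-- 2. Packet cache. Without a cache dnsdist forwards the backend answer with
--    its original TTL. With a cache, dnsdist decrements the TTL by default;
--    dontAge=true returns the original TTL while the entry still expires when
--    the backend's TTL would have reached 0.
local pc = newPacketCache(10000, {    -- 10000 entries is an assumed size
  maxTTL              = 86400,
  minTTL              = 0,
  temporaryFailureTTL = 60,
  staleTTL            = 60,
  dontAge             = true,
})
getPool(""):setCache(pc)

-- 3. DoH frontend. dnsdist does not care whether the certificate is
--    self-signed or CA-issued; the clients decide what they will trust.
--    Paths are assumptions.
addDOHLocal("0.0.0.0:443",
  "/etc/dnsdist/doh.crt",
  "/etc/dnsdist/doh.key",
  { "/dns-query" },
  { reusePort = true })

-- Plain UDP/TCP listener for local clients that do not speak DoH.
addLocal("127.0.0.1:53")
```

For a self-signed certificate, the browsers or stub resolvers using the DoH endpoint must be told to trust that certificate (or the private CA that issued it); dnsdist itself will serve it without complaint either way.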