[dnsdist] DNS over HTTPS

Blason R blason16 at gmail.com
Wed Jan 27 17:39:01 UTC 2021

Hi there,

Here are my responses - and my config file

addDOHLocal("", "/etc/ssl/certs/5c4e864be20f67a8.pem",
"/etc/ssl/certs/ccccsan.key", { "/" }, { doTCP=true, reusePort=true,
tcpFastOpenSize=0 } )
newServer({address="", qps=100 })
webserver ("", "admin at 123", "")

On Wed, Jan 27, 2021 at 6:38 PM Remi Gacogne via dnsdist <
dnsdist at mailman.powerdns.com> wrote:

> Hi Blason,
> On 1/27/21 10:49 AM, Blason R via dnsdist wrote:
> > I am implementing DOH with BIND as my backend. I do have certain queries
> > and would really appreciate it if community can help me?
> >
> >  1. After implementing dnsdist and BIND as downstream servers; I
> >     observed that a lot of queries are being sent to ROOT DNS servers.
> >     Any clue why?
so those queries which are sent for loadbalancers? How do I at least stop
those or stop logging? Since I am collecting the BIND queries.log this is
unnecessarily increasing my DB size.

> By default, dnsdist sends a query for the "a.root-servers.net." name
> every second to check the availability of the backend. It can be changed
> via the 'checkName', 'checkType' and 'checkClass' parameters of the
> 'newServer' directive.
> >  2. How do I enable logging of dnsdist? Can someone share config
> You might want to be more specific here, what exactly would you like to
> have in these logs?

   - I need to have query received
   - original client IP over DOH?
   - How do I debug for any issues? or daemon syslogs?

> >  3. What effect it would cause on my BIND TTL value since dnsdist as a
> >     frontend?
> Without seeing your configuration it's hard to answer. If you don't
> enable dnsdist's packet cache the answer from the backend will be passed
> to the client with the original TTL. If you do enable the packet cache
> then you can either let dnsdist decrement the TTL (default) or instruct
> it to keep the original TTL (the entry will still expire when the
> initial TTL gets to 0, but the answer is sent to the client with the
> original TTL) via the 'dontAge' parameter of the 'newPacketCache'
> directive.
> >  4. And since I am using DOH internally do I need to always go for
> >     signed certificate or even self sign will do?
> That depends on what your clients are expecting, dnsdist itself doesn't
> care.
*So using DOH with all latest browser should not be a issue then.*

> Best regards,
> --
> Remi Gacogne
> PowerDNS.COM BV - https://www.powerdns.com/
> _______________________________________________
> dnsdist mailing list
> dnsdist at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/dnsdist
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20210127/13a2dd6d/attachment.htm>

More information about the dnsdist mailing list