[dnsdist] dnsdist: tls support webserver api ?

denis.machard at orange.com denis.machard at orange.com
Thu Sep 9 07:50:59 UTC 2021


Hi,

Many thanks for the responses. In my context, I prefer stunnel to the reverse proxy, but it's just my opinion. I wrote a tutorial and added the link in the wiki. https://gist.github.com/dmachard/9c252e91ea842fa8b730e30bcba080ae

I also applied this approach with stunnel for outgoing dnstap stream.

Configuration of dnsdist:

[dnsdist-dnstaptls]
client=yes
accept=/var/run/stunnel/dnstap.sock
connect=<your_dnstap_collector>:6000

denis

-----Original Message-----
From: Stephane Bortzmeyer <bortzmeyer at nic.fr>
Sent: Monday, 6 September 2021 09:20
To: MACHARD Denis DTSI/DIF <denis.machard at orange.com>
Cc: dnsdist at mailman.powerdns.com
Subject: Re: [dnsdist] dnsdist: tls support webserver api ?

On Fri, Sep 03, 2021 at 09:17:19AM +0000, dmachard via dnsdist <dnsdist at mailman.powerdns.com> wrote a message of 149 lines which said:

> I would like to know if it's planned to support tls on the webserver
> api and web interface ?

In the meantime, I use stunnel in front of dnsdist.

Configuration of dnsdist:

webserver("[::1]:8082")
setWebserverConfig(... whatever)

Configuration of stunnel:

; TLS front-end to a web server
[dnsdist]
; Accepts both IPv4 and IPv6
accept  = :::8083
connect = localhost-ipv6:8082
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.key

Certificates are obtained from CAcert but any CA you recognize will work.

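A check one might run over the stunnel sections in this thread, added here as an example and not part of either poster's message: stunnel in client mode does not verify the server certificate unless `verifyChain` or `verifyPeer` is set, and the cleartext leg behind a TLS front-end should stay on loopback. The function names and `LOOPBACK_NAMES` (including the assumption that `localhost-ipv6` resolves to `::1`) are assumptions of this example.

```python
import ipaddress

# Constructed input: the two stunnel service sections posted in this thread.
SAMPLE = """\
[dnsdist-dnstaptls]
client=yes
accept=/var/run/stunnel/dnstap.sock
connect=<your_dnstap_collector>:6000
[dnsdist]
accept  = :::8083
connect = localhost-ipv6:8082
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.key
"""
# Assumption: these names resolve to a loopback address on this host.
LOOPBACK_NAMES = {"localhost", "localhost-ipv6", "ip6-localhost"}

def parse_services(text):
    """Return {service: {option: value}} with option names lower-cased."""
    services, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and line[0] not in ";#":
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return services

def is_loopback(target):
    """True if a connect target stays local (bare PORT or socket path counts)."""
    host = target.rsplit(":", 1)[0].strip("[]").lower() if ":" in target else "localhost"
    try:
        return host in LOOPBACK_NAMES or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def audit(text):
    """Return (service, finding) pairs; legacy `verify = LEVEL` is not handled."""
    on = lambda opts, key: opts.get(key, "no").lower() == "yes"
    findings = []
    for name, opts in parse_services(text).items():
        if on(opts, "client"):
            if not (on(opts, "verifychain") or on(opts, "verifypeer")):
                findings.append((name, "server certificate is not verified"))
            elif not on(opts, "verifypeer") and not {"checkhost", "checkip"} & opts.keys():
                findings.append((name, "chain verified but no checkHost/checkIP"))
        elif not is_loopback(opts.get("connect", "")):
            findings.append((name, "cleartext leg to the backend leaves this host"))
    return findings
```

Running `audit(SAMPLE)` flags only the dnstap client section; adding `verifyChain = yes`, a `CAfile` and a `checkHost` for the collector clears it.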


