[Pdns-users] Recursor forwarder DoT configuration
Otto Moerbeek
otto at drijf.net
Fri Sep 8 15:02:40 UTC 2023
On Fri, Sep 08, 2023 at 04:50:18PM +0200, Christoph via Pdns-users wrote:
> Hello!
>
> I'm looking for documentation about configuring
> recursor to talk DoT to a recursive resolver.
>
> This minimal config works:
>
> dot-to-port-853=yes
> forward-zones-recurse=.=1.1.1.1:853;1.0.0.1:853
>
> but compared to DNSdist newServer() configuration options
> I'm not sure about:
>
> - does it validate the server certificate? how do I configure the name when
> performing certificate verification?
No validation is done, this is hinted at in
https://docs.powerdns.com/recursor/settings.html#dot-to-auth-names
> - does it support TCP fast open?
Yes, if tcp-fast-open-connect=yes, but please read
https://docs.powerdns.com/recursor/performance.html#tcp-fast-open-support
> - does it support out of order processing?
No, but it will keep outgoing connections open for a while and
re-use if the opportunity arises. Some rules as regular TCP outgoing
queries apply, see the tcp-out-* settings.
> - how are queries distributed across multiple servers?
The recursor will use the fastest, but probe the slower ones once in a
while tio get up-to-date round-trip times.
> Or is it generally better to have a
> recursor -> dnsdist -> upstreams resolver
> setup to be able to use dnsdist's configuration options there?
if you have reasons to need these features, then yes.
>
> best regards,
> Christoph
More information about the Pdns-users
mailing list