Configuration examples for DNSdist PowerDNS
Default configuration provided:
- Default configuration provided by PowerDNS LUA
Admin:
DoX services:
Routing DNS traffic:
- Match Qname with regular expression YAML / LUA
- Tag your traffic and apply specific rules to it YAML / LUA
- Match your traffic from ECS client subnet YAML / LUA
- Read the client source IP with ProxyProtocol and apply specific routing to it YAML / LUA
- Add the client source IP with ProxyProtocol YAML / LUA
Security:
- Ads/malware blocking with external CDB database YAML / LUA
- Blackhole/spoofing domains with external files YAML / LUA
- DNS tunneling blocking
- Blacklist IP addresses with DNS UPDATE control and dynamic blocking duration
- Blacklist IPs for XX seconds; the list of IPs is managed with DNS NOTIFY and the TTL sets the duration
- List of temporarily blocked domains; the list is managed with DNS NOTIFY
- Spoofing DNS responses like TXT, A, AAAA, MX and more...
Logging DNS traffic with DNS-collector:
- Remote DNS logging with DNSTAP protocol YAML / LUA
- Add extra information in DNSTAP field YAML / LUA
- Remote DNS logging with Protobuf protocol YAML / LUA
Misc:
- Full configuration with load balancing on public DNS resolvers
- Flush cache for domain with DNS NOTIFY
- Echo the IP address from the domain name, for development
- Resolve hostname from config
- Add unique ID between queries and replies and send it through EDNS
- Set RequestorID with FFI
sudo docker compose up -d
Reload configuration:
sudo docker compose restart
Display logs:
sudo docker compose logs -f
dnsdist 1.8.0 comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2
Added downstream server 1.1.1.1:53
Listening on 0.0.0.0:53
ACL allowing queries from: 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, ::1/128, fc00::/7, fe80::/10
Console ACL allowing connections from: 127.0.0.0/8, ::1/128
Marking downstream 1.1.1.1:53 as 'up'
Polled security status of version 1.8.0 at startup, no known issues reported: OK
Testing DNS resolution:
dig @127.0.0.1 -p 8053 +tcp google.com
Testing Web console access:
curl -u admin:open http://127.0.0.1:8083