Re: [Pdns-users] Recursor forwarder DoT configuration

2023-09-08 Thread Otto Moerbeek via Pdns-users
On Fri, Sep 08, 2023 at 11:56:07PM +0200, Christoph via Pdns-users wrote:

> Thanks a lot for the fast reply, very much appreciated!
> best regards,
> Christoph

I do wonder about the purpose of the recursor in the

recursor -> dnsdist -> upstream-recursive

case. You might as well use 

dnsdist -> upstream-recursive

With a caching dnsdist.
Unless you need recursor specific functionality, of course.

-Otto

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Recursor forwarder DoT configuration

2023-09-08 Thread Christoph via Pdns-users

Thanks a lot for the fast reply, very much appreciated!
best regards,
Christoph


Re: [Pdns-users] Recursor forwarder DoT configuration

2023-09-08 Thread Otto Moerbeek via Pdns-users
On Fri, Sep 08, 2023 at 04:50:18PM +0200, Christoph via Pdns-users wrote:

> Hello!
> 
> I'm looking for documentation about configuring
> recursor to talk DoT to a recursive resolver.
> 
> This minimal config works:
> 
> dot-to-port-853=yes
> forward-zones-recurse=.=1.1.1.1:853;1.0.0.1:853
> 
> but compared to DNSdist newServer() configuration options
> I'm not sure about:
> 
> - does it validate the server certificate? how do I configure the name when
> performing certificate verification?

No validation is done, this is hinted at in
https://docs.powerdns.com/recursor/settings.html#dot-to-auth-names

> - does it support TCP fast open?

Yes, if tcp-fast-open-connect=yes, but please read
https://docs.powerdns.com/recursor/performance.html#tcp-fast-open-support

> - does it support out of order processing?

No, but it will keep outgoing connections open for a while and
re-use if the opportunity arises. Some rules as regular TCP outgoing
queries apply, see the tcp-out-* settings.

> - how are queries distributed across multiple servers?

The recursor will use the fastest, but probe the slower ones once in a
while to get up-to-date round-trip times.

> Or is it generally better to have a
> recursor -> dnsdist -> upstreams resolver
> setup to be able to use dnsdist's configuration options there?

If you have reasons to need these features, then yes.

> 
> best regards,
> Christoph


Re: [Pdns-users] Recursor forwarder DoT configuration

2023-09-08 Thread Brian Candler via Pdns-users

On 08/09/2023 15:50, Christoph via Pdns-users wrote:
> - does it validate the server certificate? how do I configure the name
> when performing certificate verification?

Not answering your questions about PDNS recursor specifically, but I'll 
just point out that 1.1.1.1:853 and 1.0.0.1:853 both have valid signed 
certificates with IP SANs, so certificate validation can be performed 
with IP address only.


$ openssl s_client -connect 1.1.1.1:853
...
    Verify return code: 0 (ok)

Decoding the certificate with openssl x509 -noout -text:

    X509v3 Subject Alternative Name:
        DNS:cloudflare-dns.com, DNS:*.cloudflare-dns.com, DNS:one.one.one.one, IP Address:1.0.0.1, IP Address:1.1.1.1, IP Address:162.159.36.1, IP Address:162.159.46.1, IP Address:2606:4700:4700:0:0:0:0:1001, IP Address:2606:4700:4700:0:0:0:0:, IP Address:2606:4700:4700:0:0:0:0:64, IP Address:2606:4700:4700:0:0:0:0:6400

...

For the same reason, using https://1.1.1.1/ in your browser also works.


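To make the certificate-validation point concrete, here is an added example (not code from the thread, from PowerDNS Recursor or from dnsdist) of what a validating DoT client does: it frames a DNS query the way RFC 7858 requires (the two-byte length prefix borrowed from DNS over TCP), opens TLS with a context that demands a chain to the system CA store, and passes the IP literal as `server_hostname` so the name check is performed against the certificate's IP SANs, exactly the property Brian describes for 1.1.1.1:853. The helper names (`build_query`, `frame_for_tcp`, `make_dot_context`, `parse_response`, `dot_query`) are this example's own, it assumes Python 3.7 or later (IP literals in `server_hostname`) and a usable system trust store, and the one network call is confined to `dot_query` so the rest can be exercised offline.

```python
import secrets
import socket
import ssl
import struct
from typing import Optional, Tuple


def build_query(qname: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a minimal DNS query: random 16-bit ID, RD set, one question, no EDNS."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 octets")
        question += bytes([len(raw)]) + raw
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, QCLASS=IN
    return header + question


def frame_for_tcp(msg: bytes) -> bytes:
    """DoT (RFC 7858) reuses the DNS-over-TCP framing: 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def make_dot_context() -> ssl.SSLContext:
    """TLS context that requires a trusted chain and a matching SAN (the part the
    recursor's forward-zones-recurse DoT path does not do, per Otto's reply)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname + system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def parse_response(resp: bytes, expected_txid: int) -> Tuple[int, int]:
    """Return (RCODE, ANCOUNT) after checking the ID matches and QR is set."""
    if len(resp) < 12:
        raise ValueError("short DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    return flags & 0x000F, an


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    """TLS delivers a byte stream; loop until the full length is read."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection mid-message")
        buf += chunk
    return buf


def dot_query(server: str, qname: str, port: int = 853, timeout: float = 5.0) -> Tuple[int, int]:
    """Send one query over DoT, validating the server certificate against `server`.
    `server` may be an IP literal such as "1.1.1.1": Python 3.7+ then matches it
    against the certificate's IP Address SANs instead of DNS SANs."""
    ctx = make_dot_context()
    txid = secrets.randbelow(1 << 16)
    query = build_query(qname, txid=txid)
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame_for_tcp(query))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            resp = _recv_exact(tls, length)
    return parse_response(resp, txid)


if __name__ == "__main__":
    # Needs network access; 1.1.1.1 is the resolver named in the thread.
    rcode, answers = dot_query("1.1.1.1", "example.com")
    print(f"rcode={rcode} answers={answers}")
```

If the upstream presented a certificate without a matching IP SAN, or one not chaining to a trusted CA, `wrap_socket` raises `ssl.SSLCertVerificationError` before any DNS bytes are sent; that failure is the signal a forwarding configuration without validation never sees, and it is the behaviour to look for in dnsdist's `newServer()` TLS options if the recursor -> dnsdist -> upstream layout from the thread is chosen.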


[Pdns-users] Recursor forwarder DoT configuration

2023-09-08 Thread Christoph via Pdns-users

Hello!

I'm looking for documentation about configuring
recursor to talk DoT to a recursive resolver.

This minimal config works:

dot-to-port-853=yes
forward-zones-recurse=.=1.1.1.1:853;1.0.0.1:853

but compared to DNSdist newServer() configuration options
I'm not sure about:

- does it validate the server certificate? how do I configure the name 
when performing certificate verification?

- does it support TCP fast open?
- does it support out of order processing?
- how are queries distributed across multiple servers?

Or is it generally better to have a
recursor -> dnsdist -> upstreams resolver
setup to be able to use dnsdist's configuration options there?

best regards,
Christoph


[Pdns-users] PowerDNS DNSdist 1.8.1 released

2023-09-08 Thread Remi Gacogne via Pdns-users

Hello!

We are very happy to release DNSdist 1.8.1 today, a maintenance release 
fixing a few bugs reported since 1.8.0:


- Several bugs have been fixed in the health-check code, including one 
issue that could have resulted in some health-check responses to be lost
- A crash has been fixed when dealing with DNS over HTTPS queries for 
which a X-Forwarded-For header overrides the initial source IP, which is 
not enabled by default
- Re-connection failures are now more carefully handled for backend UDP 
sockets, avoiding high CPU usage in some network topology changes

- Self-answered UDP responses with recvmmsg are not properly accounted for
- A memory leak when processing TLS tickets with OpenSSL 3.x has been fixed
- Cache hit and miss metrics with DoH queries are now properly accounted for
- Christof Chen fixed an issue with SpoofAction, by copying the QClass 
from the request
- A race has been fixed when creating the first TLS connections to a 
backend, which could have led to sub-optimal TLS session reuse

- Short reads are now properly handled when doing backend upgrade discovery
- Winfried Angele fixed an accidental change of disableZeroScope to 
disableZeroScoping
- The group ownership of the dnsdist.conf file is now properly set when 
installed via RPM
- Houtworm fixed the webserver configuration template for our docker 
container

- phonedph1 fixed the console description of PoolAction and QPSPoolAction

In addition to these fixes, Jacob Bunk made the TSIG query type 
available from Lua, and we improved the accounting of eBPF dynamic blocks.


Finally it is now possible to declare custom metrics at runtime for use 
from Lua, and Lua FFI inspection functions are automatically loaded at 
runtime.


Please see the DNSdist website [1] for the more complete changelog [2] 
and the current documentation. The upgrade guide is also available there 
[3].


Please send us all feedback and issues you might have via the mailing 
list, or in case of a bug, via GitHub [4].


We are immensely grateful to the PowerDNS community for the reporting of 
bugs, issues, feature requests, and especially to the submitters of 
fixes and implementations of features.


The release tarball [5] and its signature [6] are available on the 
downloads website, and packages for several distributions are available 
from our repository [7].


[1]: https://dnsdist.org
[2]: https://dnsdist.org/changelog.html#change-1.8.1
[3]: https://dnsdist.org/upgrade_guide.html#x-to-1-8-0
[4]: https://github.com/PowerDNS/pdns/issues/new/choose
[5]: https://downloads.powerdns.com/releases/dnsdist-1.8.1.tar.bz2
[6]: https://downloads.powerdns.com/releases/dnsdist-1.8.1.tar.bz2.sig
[7]: https://repo.powerdns.com

--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

