Re: [dnsdist] DoH: 302 redirecting / to a help page

2019-09-16 Thread Stephane Bortzmeyer
On Mon, Sep 16, 2019 at 04:24:33PM +0200, Daniel Stirnimann wrote a message of 30 lines which said: > If your request went over IPv6 then this is expected because you added > the supportpagemap only on your IPv4 listener. Make sure you also add: It works, thanks. > Note also, the

Re: [dnsdist] DoH: 302 redirecting / to a help page

2019-09-16 Thread Stephane Bortzmeyer
On Mon, Sep 16, 2019 at 03:02:28PM +0200, Daniel Stirnimann wrote a message of 13 lines which said: > The feature is only available in 1.4.0-rc2. Is this version string correct? With 1.4.0-rc2, the configuration is accepted but seems ignored. I have: addDOHLocal("0.0.0.0:443",

Re: [dnsdist] dnsdist and Let's Encrypt (ACME)

2019-09-15 Thread Stephane Bortzmeyer
On Sun, Sep 15, 2019 at 12:20:46PM +0200, Andrew Nimmo wrote a message of 72 lines which said: > The acme.sh script has a standalone mode, if you have port 80 open: Thanks, I forgot about that (and, indeed, port 80 was available). So I did: certbot certonly --standalone --domain

[dnsdist] dnsdist and Let's Encrypt (ACME)

2019-09-15 Thread Stephane Bortzmeyer
[I believe I've checked the available documentation, and found nothing. Sorry, if I missed it.] My dnsdist setup (DoT and DoH) uses a CAcert certificate and it works fine. Now, I would like to move to Let's Encrypt but I do not see how to make it work from dnsdist. HTTP challenges? I don't think

Re: [dnsdist] Is dnsdist FIPS 140-2 Compliant?

2019-09-17 Thread Stephane Bortzmeyer
On Tue, Sep 17, 2019 at 09:14:54AM -0400, Brian Sullivan wrote a message of 57 lines which said: > I have a question from our compliance team, is dnsdist FIPS 140-2 compliant? I thought that FIPS-140 was about the security of hardware? With FIPS-140-2 requiring tamper evidence?

Re: [dnsdist] dnsdist and Let's Encrypt (ACME)

2019-09-16 Thread Stephane Bortzmeyer
On Sun, Sep 15, 2019 at 07:14:10PM +0200, ab...@t-ipnet.net wrote a message of 12 lines which said: > There is no need to restart dnsdist. > > /usr/sbin/dnsdist -e 'reloadAllCertificates()' If you have configured the console. Otherwise: The currently configured console key is not valid,

Re: [dnsdist] DoH: 302 redirecting / to a help page

2019-09-16 Thread Stephane Bortzmeyer
On Mon, Sep 16, 2019 at 11:13:03AM +0200, Remi Gacogne wrote a message of 94 lines which said: > supportpagemap = { newDOHResponseMapEntry("^/$", 302, > "https://support.mydoman.com") } It seems cool, but it fails for me: Fatal Lua error: [string "chunk"]:9: attempt to call global

Re: [dnsdist] LogAction() is ignored?

2019-09-24 Thread Stephane Bortzmeyer
On Mon, Sep 23, 2019 at 11:20:29AM +0200, Remi Gacogne wrote a message of 98 lines which said: > If you are using our systemd unit file, note that we do set > PrivateTmp=true for security reasons, meaning that you'll need to look > for the actual log file in >

[dnsdist] LogAction() is ignored?

2019-09-22 Thread Stephane Bortzmeyer
I tried to log every query with: addAction(AllRule(), LogAction("/tmp/dnsdist.log", false, true, false)) buffered=false is here to be sure I see the queries immediately. dnsdist knows about the action: > showRules() # Matches Rule Action

Re: [dnsdist] LogAction() is ignored?

2019-09-22 Thread Stephane Bortzmeyer
On Sun, Sep 22, 2019 at 12:31:47PM +0200, bert hubert wrote a message of 23 lines which said: > After some offlist additional checking, this looks like a bug, Or a feature, to protect the privacy of the users :-)

[dnsdist] topClients and topQueries expiration of data

2019-10-21 Thread Stephane Bortzmeyer
Apparently, the data used by topClients() and topQueries() expire after some time (which is good, both for privacy and for memory use), even if you don't reboot the server but I do not find a documentation of the expiration algorithm and how to configure it (and I'm too lazy to read the source

Re: [dnsdist] topClients and topQueries expiration of data

2019-10-21 Thread Stephane Bortzmeyer
On Mon, Oct 21, 2019 at 05:09:31PM +0200, Daniel Stirnimann wrote a message of 15 lines which said: > it's 10'000 queries in the ringbuffer: > > https://dnsdist.org/reference/config.html?highlight=setringbufferssize#setRingBuffersSize Thanks, it works.