dnsdist-filtering/dnsdist.conf at main · cbuijs/dnsdist-filtering · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
-- START --

local fullchain = "/etc/letsencrypt/live/domain.tld/fullchain.pem"
local privkey = "/etc/letsencrypt/live/domain.tld/privkey.pem"

-- Listening Ports
do53filteredport = 53
do53unfilteredport = 8053
dohfilteredport = 443
dohunfilteredport = 8443
dotfilteredport = 853
dotunfilteredport = 8853

-- DNS/Do53 Filtered (Port 53)
setLocal("0.0.0.0:" .. do53filteredport, {reusePort=true})
addLocal("[::0]:" .. do53filteredport, {reusePort=true})

-- DNS/Do53 UnFiltered (Port 8053)
addLocal("0.0.0.0:" .. do53unfilteredport, {reusePort=true})
addLocal("[::0]:" .. do53unfilteredport, {reusePort=true})

-- DOH Filtered (Port 443)
addDOHLocal("0.0.0.0:" .. dohfilteredport, fullchain, privkey, "/dns-query", {reusePort=true, minTLSVersion="tls1.3", provider="openssl", releaseBuffers=true})
addDOHLocal("[::0]:" .. dohfilteredport, fullchain, privkey, "/dns-query", {reusePort=true, minTLSVersion="tls1.3", provider="openssl", releaseBuffers=true})

-- DOH UnFiltered (Port 8443)
addDOHLocal("0.0.0.0:" .. dohunfilteredport, fullchain, privkey, "/dns-query", {reusePort=true, minTLSVersion="tls1.3", provider="openssl", releaseBuffers=true})
addDOHLocal("[::0]:" .. dohunfilteredport, fullchain, privkey, "/dns-query", {reusePort=true, minTLSVersion="tls1.3", provider="openssl", releaseBuffers=true})

-- DOT Filtered (Port 853)
addTLSLocal("0.0.0.0:853", fullchain, privkey, {reusePort=true, minTLSVersion="tls1.3", preferServerCiphers=true, provider="openssl", releaseBuffers=true})
addTLSLocal("[::0]:853", fullchain, privkey, {reusePort=true, minTLSVersion="tls1.3", preferServerCiphers=true, provider="openssl", releaseBuffers=true})

-- DOT UnFiltered (Port 8853)
addTLSLocal("0.0.0.0:" .. dotunfilteredport, fullchain, privkey, {reusePort=true, minTLSVersion="tls1.3", preferServerCiphers=true, provider="openssl", releaseBuffers=true})
addTLSLocal("[::0]:" .. dotunfilteredport, fullchain, privkey, {reusePort=true, minTLSVersion="tls1.3", preferServerCiphers=true, provider="openssl", releaseBuffers=true})

-- ACL
setACL('0.0.0.0/0')
addACL('::/0')

-- Healthcheck logs
setVerboseHealthChecks(true)

-- No Call Home
setSecurityPollSuffix("")

-- ECS
addAction(AllRule(), SetECSOverrideAction(true))
addAction(AllRule(), SetECSPrefixLengthAction(24, 56))

-- Set Pools
addAction(AndRule({OrRule({DSTPortRule(do53unfilteredport), DSTPortRule(dohunfilteredport), DSTPortRule(dotunfilteredport)})}), PoolAction("unfiltered"))
addAction(AndRule({OrRule({DSTPortRule(do53filteredport), DSTPortRule(dohfilteredport), DSTPortRule(dotfilteredport)})}), ContinueAction(PoolAction("filtered")))

-- Load Filtering Code/Lists
includeDirectory("conf.d")

-- Cache
unfilteredcache=newPacketCache(8192, {keepStaleData=false, dontAge=false, temporaryFailureTTL=60, parseECS=true})
getPool("unfiltered"):setCache(unfilteredcache)
filteredcache=newPacketCache(8192, {keepStaleData=false, dontAge=false, temporaryFailureTTL=60, parseECS=true})
getPool("filtered"):setCache(filteredcache)

-- Resolvers UnFiltered (DoH Google)
newServer({address="8.8.8.8:443", name="unfiltered41", pool="unfiltered", tcpOnly=false, checkName="www.google.com", checkType="A", mustResolve=true, checkInterval=5, useClientSubnet=true, disableZeroScope=false, tls=”openssl”, subjectName="dns.google", dohPath="/dns-query"})
newServer({address="8.8.4.4:443", name="unfiltered42", pool="unfiltered", tcpOnly=false, checkName="www.google.com", checkType="A", mustResolve=true, checkInterval=5, useClientSubnet=true, disableZeroScope=false, tls="openssl", subjectName="dns.google", dohPath="/dns-query"})
newServer({address="[2001:4860:4860::8888]:443", name="unfiltered61", pool="unfiltered", tcpOnly=false, checkName="www.google.com", checkType="A", mustResolve=true, checkInterval=5, useClientSubnet=true, disableZeroScope=false, tls="openssl", subjectName="dns.google", dohPath="/dns-query"})
newServer({address="[2001:4860:4860::8844]:443", name="unfiltered62", pool="unfiltered", tcpOnly=false, checkName="www.google.com", checkType="A", mustResolve=true, checkInterval=5, useClientSubnet=true, disableZeroScope=false, tls="openssl", subjectName="dns.google", dohPath="/dns-query"})

-- Resolvers Filtered (DoH Google)
newServer({address="8.8.8.8:443", name="filtered41", pool="filtered", tcpOnly=false, checkName="www.google.com", checkType="A", mustResolve=true, checkInterval=5, useClientSubnet=true, disableZeroScope=false, tls="openssl", subjectName="dns.google", dohPath="/dns-query"})
newServer({address="8.8.4.4:443", name="filtered42", pool="filtered", tcpOnly=false, checkName="www.google.com", checkType="A", mustResolve=true, checkInterval=5, useClientSubnet=true, disableZeroScope=false, tls="openssl", subjectName="dns.google", dohPath="/dns-query"})
newServer({address="[2001:4860:4860::8888]:443", name="filtered61", pool="filtered", tcpOnly=false, checkName="www.google.com", checkType="A", mustResolve=true, checkInterval=5, useClientSubnet=true, disableZeroScope=false, tls="openssl", subjectName="dns.google", dohPath="/dns-query"})
newServer({address="[2001:4860:4860::8844]:443", name="filtered62", pool="filtered", tcpOnly=false, checkName="www.google.com", checkType="A", mustResolve=true, checkInterval=5, useClientSubnet=true, disableZeroScope=false, tls="openssl", subjectName="dns.google", dohPath="/dns-query"})

-- Make All Servers UP to start with
for key,value in pairs(getServers()) do
    srv = key - 1
    infolog("SERVER-UP: " .. getServer(srv):getNameWithAddr())
    getServer(srv):setUp()
end

-- END --