From: Remi Gacogne Date: Wed, 6 Jun 2018 12:32:33 +0000 (+0200) Subject: dnsdist: Clarify that local connections to the console should be encrypted too X-Git-Tag: dnsdist-1.3.1~34^2~2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=350c690a90971e33209dc0eff1cf7a9c0e8fa445;p=pdns dnsdist: Clarify that local connections to the console should be encrypted too --- diff --git a/pdns/dnsdistdist/docs/guides/console.rst b/pdns/dnsdistdist/docs/guides/console.rst index 3238f9db7..c163a202b 100644 --- a/pdns/dnsdistdist/docs/guides/console.rst +++ b/pdns/dnsdistdist/docs/guides/console.rst @@ -11,7 +11,7 @@ The console can be enabled with :func:`controlSocket`: controlSocket('192.0.2.53:5199') -Exposing the console to the network without encryption enabled is not recommended. To enable encryption, first generate a key with :func:`makeKey`:: +Enabling the console without encryption enabled is not recommended. To enable encryption, first generate a key with :func:`makeKey`:: $ ./dnsdist -l 127.0.0.1:5300 [..] @@ -48,4 +48,6 @@ Since 1.3.0, dnsdist supports restricting which client can connect to the consol setConsoleACL('192.0.2.0/24') The default value is '127.0.0.1', restricting the use of the console to local users. Please make sure that encryption is enabled -before using :func:`addConsoleACL` or :func:`setConsoleACL` to allow connection from remote clients. +before using :func:`addConsoleACL` or :func:`setConsoleACL` to allow connection from remote clients. Even if the console is +restricted to local users, the use of encryption is still strongly advised to prevent unauthorized local users from connecting to +the console. diff --git a/pdns/dnsdistdist/docs/reference/config.rst b/pdns/dnsdistdist/docs/reference/config.rst index 55a816911..5d12abd5b 100644 --- a/pdns/dnsdistdist/docs/reference/config.rst +++ b/pdns/dnsdistdist/docs/reference/config.rst 
@@ -155,7 +155,8 @@ Control Socket, Console and Webserver Bind to ``addr`` and listen for a connection for the console. Since 1.3.0 only connections from local users are allowed by default, :func:`addConsoleACL` and :func:`setConsoleACL` can be used to enable remote connections. Please make sure - that encryption has been enabled with :func:`setKey` before doing so. + that encryption has been enabled with :func:`setKey` before doing so. Enabling encryption is also strongly advised for + local connections, since not enabling it allows any local user to connect to the console. :param str address: An IP address with optional port. By default, the port is 5199.
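Review bot: In the console.rst hunk at @@ -11,7 +11,7, the replacement sentence "Enabling the console without encryption enabled is not recommended" uses "enabl-" twice in a few words and gives no reason for the recommendation. Suggest "Running the console without encryption is not recommended, even when it only accepts local connections", which also ties this sentence to the rationale added at the end of the same file.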
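Review bot: In the console.rst hunk at @@ -48,4 +48,6, the added sentence says encryption prevents "unauthorized local users from connecting to the console" but never says what makes a local user authorized. The default ACL of '127.0.0.1' admits every account on the host, so the text should state that possession of the key generated with :func:`makeKey` is what separates the two groups. It follows that the configuration file holding that key should not be readable by other local accounts, and a short sentence to that effect would make the advice actionable.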
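Review bot: In the config.rst hunk at @@ -155,7 +155,8, "since not enabling it allows any local user to connect to the console" is a negated construction that reads awkwardly, and it words the risk differently from console.rst, which speaks of "unauthorized local users". Suggest "since without it any local user can connect to the console", and use the same phrasing in both files so the guide and the reference do not appear to describe two different risks.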