From 9b049bc3306a92bfa8e9465d3f8fd285d63d2adb Mon Sep 17 00:00:00 2001 From: Remi Gacogne Date: Tue, 16 Apr 2019 16:14:34 +0200 Subject: [PATCH] dnsdist: Add minimal documentation for DoH --- pdns/dnsdistdist/docs/reference/config.rst | 44 ++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/pdns/dnsdistdist/docs/reference/config.rst b/pdns/dnsdistdist/docs/reference/config.rst index 4252d890a..8f8cb47c6 100644 --- a/pdns/dnsdistdist/docs/reference/config.rst +++ b/pdns/dnsdistdist/docs/reference/config.rst @@ -100,6 +100,25 @@ Listen Sockets higher than 0 to enable TCP Fast Open when available. Default is 0. +.. function:: addDOHLocal(address, certFile(s), keyFile(s) [, url [, options]]) + + .. versionadded:: 1.4.0 + + Listen on the specified address and TCP port for incoming DNS over HTTPS connections, presenting the specified X.509 certificate. + + :param str address: The IP Address with an optional port to listen on. + The default port is 443. + :param str certFile(s): The path to a X.509 certificate file in PEM format. + :param str keyFile(s): The path to the private key file corresponding to the certificate. + :param list url: A list of URLs to accept queries on. The default is /. + :param table options: A table with key: value pairs with listen options. + + Options: + + * ``idleTimeout=30``: int - Set the idle timeout, in seconds. + * ``ciphers``: str - The TLS ciphers to use, in OpenSSL format. Ciphers for TLS 1.3 must be specified via ``ciphersTLS13``. + * ``ciphersTLS13``: str - The TLS ciphers to use for TLS 1.3, in OpenSSL format. + .. function:: addTLSLocal(address, certFile(s), keyFile(s) [, options]) .. versionadded:: 1.3.0 @@ -694,6 +713,12 @@ Status, Statistics and More Print all statistics dnsdist gathers +.. function:: getDOHFrontend(idx) + + .. versionadded:: 1.4.0 + + Return the DOHFrontend object for the DNS over HTTPS bind of index ``idx``. + .. function:: getTLSContext(idx) .. versionadded:: 1.3.0 
@@ -731,6 +756,12 @@ Status, Statistics and More Print a list of all the current addresses and ports dnsdist is listening on, also called ``frontends`` +.. function:: showDOHFrontends() + + .. versionadded:: 1.4.0 + + Print the list of all availables DNS over HTTPS frontends. + .. function:: showResponseLatency() Show a plot of the response time latency distribution @@ -1021,6 +1052,19 @@ Other functions Set to true (defaults to false) to allow empty responses (qdcount=0) with a NoError or NXDomain rcode (default) from backends. dnsdist drops these responses by default because it can't match them against the initial query since they don't contain the qname, qtype and qclass, and therefore the risk of collision is much higher than with regular responses. +DOHFrontend +~~~~~~~~~~~ + +.. class:: DOHFrontend + + .. versionadded:: 1.4.0 + + This object represents an address and port dnsdist is listening on for DNS over HTTPS queries. + + .. method:: TLSContext:reloadCertificate() + + Reload the current TLS certificate and key. + TLSContext ~~~~~~~~~~ -- 2.40.0
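Review bot: In the first hunk (``addDOHLocal``), the parameter names ``certFile(s)`` and ``keyFile(s)`` imply that more than one file can be passed, but both are typed ``:param str``; either state the accepted type as a string or a list of strings (matching however ``addTLSLocal`` documents the same parameters) or drop the ``(s)`` so the signature and the type line agree. The ``url`` description says which paths are accepted but not what happens to a request on a path outside that list, which is the operationally relevant detail for anyone exposing this on port 443; one sentence on that would close the gap. Minor: the option list writes ``idleTimeout=30`` with its default inline while ``ciphers`` and ``ciphersTLS13`` carry no default, so the three entries read inconsistently.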
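Review bot: In the second hunk (``getDOHFrontend``), ``idx`` has no ``:param`` line, so the reader cannot tell whether it is zero-based or in which order frontends are numbered, nor what is returned when the index is out of range. Adding ``:param int idx: The index of the DNS over HTTPS frontend, in the order ...`` in the style of the neighbouring ``getTLSContext`` entry would fix that.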
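Review bot: In the third hunk (``showDOHFrontends``), ``availables`` should be ``available``: ``Print the list of all available DNS over HTTPS frontends.``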
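Review bot: In the fourth hunk, the method documented under ``.. class:: DOHFrontend`` is declared as ``.. method:: TLSContext:reloadCertificate()``, which looks copied from the ``TLSContext`` section that follows; it should read ``.. method:: DOHFrontend:reloadCertificate()`` or Sphinx will attach the method to the wrong object and cross-references to it will resolve incorrectly.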