@WRMSRwasTaken
Created September 22, 2024 10:17
dnsdist automatically get domains from pdns authoritative
-- dnsdist console/control socket, reachable from loopback only.
controlSocket('127.0.0.1')

-- Accept queries from any source address. What actually gets answered, and
-- from which pool, is decided by the rule set built in adddomains() below.
setACL({"0.0.0.0/0", "::/0"})

-- Networks treated as "own" clients. UDP queries from any other source are
-- answered with the TC bit set (see the TCAction rule in adddomains()).
local mySubnets = {
  "127.0.0.0/8",
  "::1/128",
  "10.0.0.0/8",
  "2a0f:85c1:beef::/48",
  "2a0f:85c1:cafe::/48",
  "2a09:e1c1:efc0::/44",
  "2a02:24d8:7:21::/64",
}
--- Report whether a path can be opened for reading.
-- Opens the file with io.open(name, "r") and closes it again immediately.
-- @tparam string name filesystem path
-- @treturn boolean true when io.open succeeded, false otherwise
function file_exists(name)
  local handle = io.open(name, "r")
  if not handle then
    return false
  end
  handle:close()
  return true
end
-- State shared with maintenance(): whether the first zone list has been
-- loaded, a tick counter (dnsdist calls maintenance() periodically; the
-- refresh happens every 300 ticks), and the last zone list turned into rules.
local initialized, waittime, domainlist = false, 0, {}

-- Start with a catch-all drop so that no query is forwarded to a backend
-- before the real rule set exists; adddomains() replaces this rule set.
setRules({
  newRuleAction(AllRule(), DropAction()),
})
--addAction(AllRule(), DropAction())
--- Rebuild the complete dnsdist rule set for a list of authoritative zones.
-- Order of operations: replace all rules with a catch-all drop (so nothing is
-- forwarded while the set is incomplete), append the real rules, then remove
-- the drop rule again via rmRule(0) — this relies on the drop rule keeping
-- id 0 after the appends (TODO confirm against the dnsdist version in use).
-- @tparam table domains sequence of zone names to route to the "auth" pool
function adddomains(domains)
  setRules({
    newRuleAction(AllRule(), DropAction()),
  })

  -- One rule per zone, each sending the query to the authoritative backend.
  for idx = 1, #domains do
    local zone = domains[idx]
    infolog("Adding domain to be served from authoritative pdns: " .. zone)
    addAction(zone, PoolAction("auth"), { name = zone })
  end

  -- CHAOS/TXT identity queries are answered locally with pre-encoded rdata;
  -- presumably a length byte followed by the text (\003 ";-)", \016 + 16 chars).
  local function chaos_txt(qname, rdata)
    addAction(
      AndRule({ makeRule(qname), QTypeRule(DNSQType.TXT), QClassRule(DNSClass.CHAOS) }),
      SpoofRawAction(rdata, { aa = true, ttl = 1337 }),
      { name = qname }
    )
  end
  chaos_txt("version.bind", "\003\059\045\041")
  chaos_txt("hostname.bind", "\016mclp\049h\049s\049\046mcl\046gg")
  chaos_txt("id.server", "\016mclp\049h\049s\049\046mcl\046gg")

  --addAction(authdomains, PoolAction("auth"))
  --addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), PoolAction("auth"))

  -- Service-discovery and .onion names go to their own pools.
  addAction("consul.", PoolAction("consul"), { name = "consul" })
  addAction("onion.", PoolAction("tor"), { name = "onion" })

  -- Anything that reaches this point over UDP from outside mySubnets is told
  -- to retry over TCP (TC bit); the REFUSED variant is kept as a comment.
  addAction(AndRule({
    TCPRule(false),
    NotRule(makeRule(mySubnets)),
    --}), ERCodeAction(DNSRCode.REFUSED), { name = "- answer refused -" })
  }), TCAction(), { name = "- answer truncated -" })

  rmRule(0)
  infolog("Rule generation done.")
end
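--- Ask the local PowerDNS Authoritative server which zones it serves.
-- Runs a fixed command line (no caller-supplied input reaches the shell) and
-- splits its stdout into one zone name per line.
-- @treturn table sorted sequence of zone names; an empty table when the
--   process could not be started or the output does not contain the literal
--   "mcl.gg" sanity marker (callers treat {} as "pdnsutil unavailable")
function querypdns()
  -- io.popen yields nil, err when the process cannot be spawned; the
  -- original code would have raised on the nil handle, aborting maintenance().
  local pdnsutil = io.popen("/usr/bin/pdnsutil list-all-zones")
  if not pdnsutil then
    return {}
  end
  local output = pdnsutil:read("*a") or ""
  pdnsutil:close()

  -- Plain (non-pattern) search: "mcl.gg" contains a '.', which would
  -- otherwise match any character.
  if not string.find(output, "mcl.gg", 1, true) then
    return {}
  end

  local zones = {}
  for zone in output:gmatch("[^\r\n]+") do
    zones[#zones + 1] = zone
  end
  table.sort(zones)
  return zones
end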
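--- Fetch the zone list from pdns and rebuild the rules when it changed.
-- Updates the file-level `domainlist` on a rebuild.
-- @tparam string fail_msg warning logged when querypdns() returns nothing
-- @treturn boolean true when a non-empty zone list was obtained, false when
--   pdnsutil yielded nothing usable
local function sync_domains(fail_msg)
  local domainquery = querypdns()
  if next(domainquery) == nil then
    warnlog(fail_msg)
    return false
  end
  -- querypdns() sorts its result, so equal lists join to equal strings.
  -- The separator keeps e.g. {"a.b", "c"} distinct from {"a.bc"}.
  if table.concat(domainquery, "\n") == table.concat(domainlist, "\n") then
    infolog("Domainlist did not change, waiting till next cycle...")
    return true
  end
  domainlist = domainquery
  adddomains(domainquery)
  return true
end

--- dnsdist maintenance hook.
-- Until the first zone list has been loaded, every call retries the load.
-- Afterwards, every 300 calls the zone list is re-read and the rule set is
-- rebuilt only if it changed. Reads/writes the file-level `initialized`,
-- `waittime` and `domainlist`. (The original kept the query result in an
-- accidental global `domainquery`; it is now local to sync_domains().)
function maintenance()
  if not initialized then
    infolog("Loading authoritative domains from pdns...")
    if sync_domains("Could not get authoritative domains from pdnsutil, retrying...") then
      initialized = true
    end
    return
  end

  if waittime < 300 then
    waittime = waittime + 1
    return
  end
  waittime = 0
  infolog("Querying pdns if domain list has changed...")
  sync_domains("Could not get authoritative domains from pdnsutil, waiting till next query cycle...")
end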
infolog("Listener Setup...")
-- Plain Do53 listeners (loopback, the 10.10.3.x service addresses and the
-- public IPv6 addresses). maxInFlight bounds queued queries per connection.
addLocal("127.0.0.1", {maxInFlight=1000})
addLocal("::1", {maxInFlight=1000})
addLocal("10.10.3.99", {maxInFlight=1000})
addLocal("10.10.3.98", {maxInFlight=1000})
--addLocal("fd00:0:0:3::99", {maxInFlight=1000})
addLocal("2a09:e1c1:efc1:1337::53", {maxInFlight=1000})
addLocal("2a09:e1c1:efc1:1337::5353", {maxInFlight=1000})
-- DoT on all addresses; two cert/key pairs, TLS 1.2 as the floor.
addTLSLocal("0.0.0.0", { "/etc/ssl/private/certificates/mcl.gg.crt", "/etc/ssl/private/certificates/wrmsr.io.crt" }, { "/etc/ssl/private/certificates/mcl.gg.key", "/etc/ssl/private/certificates/wrmsr.io.key" }, { reusePort=true, tcpFastOpenQueueSize=500, minTLSVersion="tls1.2", maxInFlight=1000 })
addTLSLocal("::", { "/etc/ssl/private/certificates/mcl.gg.crt", "/etc/ssl/private/certificates/wrmsr.io.crt" }, { "/etc/ssl/private/certificates/mcl.gg.key", "/etc/ssl/private/certificates/wrmsr.io.key" }, { reusePort=true, tcpFastOpenQueueSize=500, minTLSVersion="tls1.2", maxInFlight=1000 })
-- DoH without TLS (nil cert/key) on :8080, presumably behind a TLS-terminating
-- proxy. NOTE(review): trustForwardedForHeader=true makes dnsdist take the
-- client address from X-Forwarded-For, and that address is what the
-- NotRule(makeRule(mySubnets)) rule in adddomains() checks — so :8080 must
-- only be reachable from the proxy, not directly; confirm with the firewall.
addDOHLocal("0.0.0.0:8080", nil, nil, "/dns-query", { reusePort=true, trustForwardedForHeader=true })
addDOHLocal("[::]:8080", nil, nil, "/dns-query", { reusePort=true, trustForwardedForHeader=true })
-- DNSCrypt setup is disabled; the `{{ additional_listener_config }}` token
-- looks like leftover template syntax from a config generator.
--addDNSCryptBind("0.0.0.0:8443", "zarkon.mcl.gg", "/run/dnsdist/resolver.cert", "/run/dnsdist/resolver.key", { reusePort=true{{ additional_listener_config }} })
--addDNSCryptBind("[::]:8443", "zarkon.mcl.gg", "/run/dnsdist/resolver.cert", "/run/dnsdist/resolver.key", { reusePort=true{{ additional_listener_config }} })
--if not file_exists("/var/lib/dnsdist/providerPrivate.key") then
-- infolog("Generate DNSCrypt provider keys.")
-- generateDNSCryptProviderKeys("/var/lib/dnsdist/providerPublic.cert", "/var/lib/dnsdist/providerPrivate.key")
--end
--if not file_exists("/run/dnsdist/resolver.cert") then
-- this should be recreated regularly => store in /run/dnsdist which gets cleaned at every restart
-- infolog("Generate new DNSCrypt keys.")
-- generateDNSCryptCertificate("/var/lib/dnsdist/providerPrivate.key", "/run/dnsdist/resolver.cert", "/run/dnsdist/resolver.key", os.date('%Y%m%d', os.time()), os.time(os.date("!*t")), os.time({year=2025, month=2, day=1, hour=00, minute=00}))
--end
-- Built-in web/API server on all addresses; the acl limits it to 10.0.0.0/8.
-- NOTE(review): the password and API key are stored in clear text in this
-- config (and the config is shared publicly) — prefer loading them from a
-- file with restricted permissions and rotating the values.
webserver("0.0.0.0:8083")
setWebserverConfig({
password="lel",
apiKey="85VnCejHUf8dEGjTrBL4",
acl="10.0.0.0/8"
})
infolog("Backend setup...")
-- Default pool is the recursor; "auth", "consul" and "tor" are selected by
-- the rules in adddomains(). useProxyProtocol presumably forwards the client
-- address to the backend, so the backend must be configured to expect it.
newServer({address="127.0.0.153", name="recursive", maxInFlight=1000, useProxyProtocol=true})
newServer({address="127.0.0.253", pool="auth", name="authoritative", maxInFlight=1000, useProxyProtocol=true})
newServer({address="10.10.3.2:8600", pool="consul", name="consul", checkInterval=5})
newServer({address="10.10.3.6:5353", pool="tor", name="tor", checkInterval=5, checkTimeout=5000})