DNS server
The DNS server answers DNS queries and forwards the ones it cannot answer itself.
By default, the DNS server listens on all interfaces. The interfaces on which it listens and replies to queries can be restricted with the bind command:
vsr running dns-server# bind eth0
The DNS server also forwards queries for hosts that are not configured locally to other servers, namely the ones configured in the DNS client configuration context.
This forwarding can be disabled with the use-system-servers configuration option:
vsr running dns-server# use-system-servers false
Here is an example of DNS server configuration:
vsr running config# vrf main
vsr running vrf main# dns-server
vsr running dns-server# bind eth0
vsr running dns-server# record example1.local 10.0.0.2 2010::2
vsr running dns-server# record example2 12.0.0.2
vsr running dns-server# use-system-servers false
vsr running dns-server# commit
To display the DNS server state:
vsr running config# show state vrf main dns-server
dns-server
enabled true
use-system-servers false
bind eth0
record example1.local 10.0.0.2 2010::2
record example2 12.0.0.2
..
The same configuration can be made using this NETCONF XML configuration:
vsr running config# show config xml absolute vrf main dns-server
<config xmlns="urn:6wind:vrouter">
<vrf>
<name>main</name>
<dns-server xmlns="urn:6wind:vrouter/dns-server">
<enabled>true</enabled>
<use-system-servers>false</use-system-servers>
<record>
<name>example1.local</name>
<ip>10.0.0.2</ip>
<ip>2010::2</ip>
</record>
<record>
<name>example2</name>
<ip>12.0.0.2</ip>
</record>
<bind>eth0</bind>
</dns-server>
</vrf>
</config>
See also
The DNS server command reference and the DNS system server command reference for details.
For debugging purposes, it is possible to log the queries received by the DNS server in the logging configuration context. Be careful: with this option enabled, the DNS server can be very verbose:
vsr running config# vrf main
vsr running vrf main# dns-server
vsr running dns-server# logging
vsr running logging# enabled true
Then you can use the show log command to see DNS server logs:
vsr> show log service dns-server
Jul 06 12:52:17 vsr systemd[1]: Starting DNS server service on netns vrf1...
Jul 06 12:52:17 vsr dnsmasq[5780]: started, version 2.79 cachesize 150
Jul 06 12:52:17 vsr dnsmasq[5780]: reading /etc/resolv.conf
Jul 06 12:52:17 vsr dnsmasq[5780]: using nameserver 125.0.0.1#53
Jul 06 12:52:17 vsr dnsmasq[5780]: read /etc/hosts - 4 addresses
Jul 06 12:52:17 vsr systemd[1]: Started DNS server service on netns vrf1.
Jul 06 12:52:24 vsr dnsmasq[5780]: query[A] example1 from 100.0.0.1
Jul 06 12:52:24 vsr dnsmasq[5780]: forwarded example1 to 125.0.0.1
Jul 06 12:52:24 vsr dnsmasq[5780]: reply example1 is 1.0.0.1
Jul 06 12:53:09 vsr dnsmasq[5780]: query[A] example2 from 100.0.0.1
Jul 06 12:53:09 vsr dnsmasq[5780]: forwarded example2 to 125.0.0.1
Jul 06 12:53:15 vsr dnsmasq[5780]: query[AAAA] example2 from 100.0.0.1
Jul 06 12:53:15 vsr dnsmasq[5780]: forwarded example2 to 125.0.0.1
Jul 06 12:53:15 vsr dnsmasq[5780]: reply example2 is 2002::1
See also
The show log command reference for details about log filtering.
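The query log above is the raw material for spotting abuse of the resolver: clients outside the networks the bind interface is meant to serve, unusual record types, or a high share of queries leaving for upstream servers. The following parser is an added example, not part of the 6WIND documentation or product; it reads dnsmasq lines in the format shown above (the sample log is constructed, with one extra query from 198.51.100.7 added to illustrate an unexpected client, and the allowed client network 100.0.0.0/24 is an assumption).

```python
"""Summarise dnsmasq query logs as shown by `show log service dns-server`."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log, modelled on the documentation's output; the last two
# lines (a TXT query from 198.51.100.7, answered locally) are added for the demo.
SAMPLE_LOG = """\
Jul 06 12:52:24 vsr dnsmasq[5780]: query[A] example1 from 100.0.0.1
Jul 06 12:52:24 vsr dnsmasq[5780]: forwarded example1 to 125.0.0.1
Jul 06 12:52:24 vsr dnsmasq[5780]: reply example1 is 1.0.0.1
Jul 06 12:53:09 vsr dnsmasq[5780]: query[A] example2 from 100.0.0.1
Jul 06 12:53:09 vsr dnsmasq[5780]: forwarded example2 to 125.0.0.1
Jul 06 12:53:15 vsr dnsmasq[5780]: query[AAAA] example2 from 100.0.0.1
Jul 06 12:53:15 vsr dnsmasq[5780]: forwarded example2 to 125.0.0.1
Jul 06 12:53:15 vsr dnsmasq[5780]: reply example2 is 2002::1
Jul 06 12:54:01 vsr dnsmasq[5780]: query[TXT] example1.local from 198.51.100.7
Jul 06 12:54:01 vsr dnsmasq[5780]: reply example1.local is 10.0.0.2
"""

# syslog prefix as printed by `show log`, then the dnsmasq message
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ dnsmasq\[\d+\]: (?P<msg>.*)$")
QUERY_RE = re.compile(r"^query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$")
FWD_RE = re.compile(r"^forwarded (?P<name>\S+) to (?P<server>\S+)$")
REPLY_RE = re.compile(r"^reply (?P<name>\S+) is (?P<answer>\S+)$")


def parse_dnsmasq_log(text):
    """Turn log text into (timestamp, kind, fields) tuples; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        for kind, rx in (("query", QUERY_RE), ("forwarded", FWD_RE), ("reply", REPLY_RE)):
            hit = rx.match(msg)
            if hit:
                events.append((m.group("ts"), kind, hit.groupdict()))
                break
    return events


def summarise(events, allowed_clients=("100.0.0.0/24",)):
    """Count queries per type, client and upstream; flag clients outside allowed_clients."""
    nets = [ip_network(n) for n in allowed_clients]
    summary = {
        "queries_total": 0, "forwarded": 0, "replies": 0,
        "by_type": Counter(), "by_client": Counter(), "upstreams": Counter(),
        "unexpected_clients": set(),
    }
    for _ts, kind, f in events:
        if kind == "query":
            summary["queries_total"] += 1
            summary["by_type"][f["qtype"]] += 1
            summary["by_client"][f["client"]] += 1
            # a query from outside the networks the resolver is meant to serve
            if not any(ip_address(f["client"]) in n for n in nets):
                summary["unexpected_clients"].add(f["client"])
        elif kind == "forwarded":
            summary["forwarded"] += 1
            summary["upstreams"][f["server"]] += 1
        elif kind == "reply":
            summary["replies"] += 1
    return summary


def report(text, allowed_clients=("100.0.0.0/24",)):
    """Convenience wrapper: parse and summarise in one call."""
    return summarise(parse_dnsmasq_log(text), allowed_clients)


if __name__ == "__main__":
    s = report(SAMPLE_LOG)
    print(f"{s['queries_total']} queries, {s['forwarded']} forwarded, {s['replies']} replies")
    print("by type:", dict(s["by_type"]))
    print("unexpected clients:", sorted(s["unexpected_clients"]))
```

Feed it the output of `show log service dns-server` to get the same totals as `show dns-server` broken down by client and record type; the `unexpected_clients` set is the one worth alerting on, since the bind command limits where the server listens but not who can reach that interface.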
It is also possible to display statistics about the dns-server cache and queries with the show dns-server command:
vsr> show dns-server vrf main
Cache: 66632, 2 records inserted
queries total 2
queries forwarded 2
queries answered locally 0
queries requested by tls 2
queries requested by https 2
queries unwanted 0
See also
The show dns-server command reference for details.
TLS
It’s possible to enable DoT to encrypt the DNS resolution. To do so, a certificate is needed and used in the configuration:
vsr running config# / vrf main dns-server tls certificate-name MYCERTIFICATE
See also
The Import certificate command reference for details.
That is all that is needed to enable DoT. DoH can then be enabled with a single additional option:
vsr running config# / vrf main dns-server tls dns-over-https true
It can be tested with the kdig tool:
kdig @127.0.0.1 +tls +short myhostname A
Forward TLS
In order to enable forward TLS, use the following config:
vsr running config# / vrf main dns-server forward-tls use-system-certificates true
vsr running config# / vrf main dns-server server 8.8.8.8 source 10.100.0.1 tls-authenticate-name dns.google
This configuration forwards all DNS requests over TCP to 8.8.8.8, using dns.google as the name to authenticate the server certificate against, and validates that certificate with the system certificate store.
To validate the server certificate against a custom bundle instead, configure it like this:
vsr running config# / vrf main dns-server forward-tls certificates INT_CA
vsr running config# / vrf main dns-server forward-tls certificates ROOT_CA
Certificates should be put from intermediate to root one to be validated properly.
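What both the DoT listener (tested above with kdig) and forward TLS rely on is the same exchange: a wire-format DNS query carried in a TLS session whose server certificate is checked against a CA bundle and an expected name. The client below is an added example written for this page, not code from 6WIND or from dnsmasq; it uses only the Python standard library. The server address, port 853, the authenticate name and the `cafile` argument are the caller's choice: point `server` at the VSR address and `authenticate_name` at the name in MYCERTIFICATE to exercise the DoT listener, or at 8.8.8.8 with dns.google and the INT_CA/ROOT_CA PEM bundle to reproduce what the forward-tls configuration does. The embedded reply used for the offline demonstration is constructed.

```python
"""Minimal DNS-over-TLS (RFC 7858) client: build a query, send it over a
verified TLS session, decode A/AAAA answers. Standard library only."""
import socket
import ssl
import struct
from ipaddress import ip_address

QTYPES = {"A": 1, "AAAA": 28}
DEMO_TXID = 0x1234  # fixed id so the constructed reply below matches


def build_query(name, qtype="A", txid=DEMO_TXID):
    """Encode an RFC 1035 query: header (RD=1, one question) + QNAME/QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: 2 bytes, terminates the name
            return off + 2
        off += n + 1


def parse_answers(msg, txid=DEMO_TXID):
    """Return the A/AAAA addresses in a response; reject id mismatch and error RCODEs."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):           # skip the echoed question section
        off = _skip_name(msg, off) + 4
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype in (1, 28):      # ip_address() accepts 4- or 16-byte packed form
            answers.append(str(ip_address(rdata)))
    return answers


def _recv_exact(sock, n):
    """Read exactly n bytes or raise; TCP/TLS may deliver the message in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def dot_query(name, server, authenticate_name, cafile=None, qtype="A", port=853, timeout=5.0):
    """Send one query over DNS-over-TLS. The certificate is validated against
    `cafile` (a PEM bundle, e.g. intermediate + root CA) or the system store,
    and against `authenticate_name` via SNI and hostname checking."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    txid = 0x1234
    query = build_query(name, qtype, txid)
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=authenticate_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)   # 2-byte length prefix
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_answers(_recv_exact(tls, length), txid)


# Constructed reply to build_query("example1", "A"): flags 0x8180 (response, RD, RA),
# the echoed question, then one A record via a pointer to offset 12, TTL 60, 1.0.0.1.
SAMPLE_REPLY = (struct.pack("!HHHHHH", DEMO_TXID, 0x8180, 1, 1, 0, 0)
                + build_query("example1", "A")[12:]
                + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([1, 0, 0, 1]))


def demo():
    """Offline round trip over the constructed reply; no network needed."""
    return parse_answers(SAMPLE_REPLY)


if __name__ == "__main__":
    print("decoded offline reply:", demo())
    # live use, e.g. against the DoT listener configured above:
    # print(dot_query("myhostname", "127.0.0.1", "MYCERTIFICATE-common-name"))
```

The two checks that matter for security are both inside `ssl.create_default_context`: it sets `verify_mode=CERT_REQUIRED` and `check_hostname=True`, so a server whose chain does not lead to a CA in `cafile` (or whose name does not match `authenticate_name`) fails the handshake before any DNS data is exchanged. That is the same guarantee the `tls-authenticate-name` and `forward-tls certificates` settings give the VSR forwarder.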