DNS server

The DNS server answers DNS queries for the hosts configured locally and forwards the other queries to upstream servers.

By default, the DNS server listens on all interfaces. The interfaces on which it listens and replies to queries can be restricted with the bind command:

vsr running dns-server# bind eth0

The DNS server also forwards queries for hosts that are not configured locally to other servers: the ones configured in the DNS client configuration context.

This forwarding can be disabled with the use-system-servers configuration option:

vsr running dns-server# use-system-servers false

Here is an example of DNS server configuration:

vsr running config# vrf main
vsr running vrf main# dns-server
vsr running dns-server# bind eth0
vsr running dns-server# record example1.local 10.0.0.2 2010::2
vsr running dns-server# record example2 12.0.0.2
vsr running dns-server# use-system-servers false
vsr running dns-server# commit

To display the DNS server state:

vsr running config# show state vrf main dns-server
dns-server
    enabled true
    use-system-servers false
    bind eth0
    record example1.local 10.0.0.2 2010::2
    record example2 12.0.0.2
    ..

The same configuration can be made using this NETCONF XML configuration:

vsr running config# show config xml absolute vrf main dns-server
<config xmlns="urn:6wind:vrouter">
  <vrf>
    <name>main</name>
    <dns-server xmlns="urn:6wind:vrouter/dns-server">
      <enabled>true</enabled>
      <use-system-servers>false</use-system-servers>
      <record>
        <name>example1.local</name>
        <ip>10.0.0.2</ip>
        <ip>2010::2</ip>
      </record>
      <record>
        <name>example2</name>
        <ip>12.0.0.2</ip>
      </record>
      <bind>eth0</bind>
    </dns-server>
  </vrf>
</config>

See also

The DNS server command reference and the DNS system server command reference for details.

For debugging purposes, the queries received by the DNS server can be logged by enabling the logging configuration context. Be careful: with this option enabled the DNS server can be very verbose, since every query, forward and reply is logged:

vsr running config# vrf main
vsr running vrf main# dns-server
vsr running dns-server# logging
vsr running logging# enabled true

Then you can use the show log command to see DNS server logs:

vsr> show log service dns-server
Jul 06 12:52:17 vsr systemd[1]: Starting DNS server service on netns vrf1...
Jul 06 12:52:17 vsr dnsmasq[5780]: started, version 2.79 cachesize 150
Jul 06 12:52:17 vsr dnsmasq[5780]: reading /etc/resolv.conf
Jul 06 12:52:17 vsr dnsmasq[5780]: using nameserver 125.0.0.1#53
Jul 06 12:52:17 vsr dnsmasq[5780]: read /etc/hosts - 4 addresses
Jul 06 12:52:17 vsr systemd[1]: Started DNS server service on netns vrf1.
Jul 06 12:52:24 vsr dnsmasq[5780]: query[A] example1 from 100.0.0.1
Jul 06 12:52:24 vsr dnsmasq[5780]: forwarded example1 to 125.0.0.1
Jul 06 12:52:24 vsr dnsmasq[5780]: reply example1 is 1.0.0.1
Jul 06 12:53:09 vsr dnsmasq[5780]: query[A] example2 from 100.0.0.1
Jul 06 12:53:09 vsr dnsmasq[5780]: forwarded example2 to 125.0.0.1
Jul 06 12:53:15 vsr dnsmasq[5780]: query[AAAA] example2 from 100.0.0.1
Jul 06 12:53:15 vsr dnsmasq[5780]: forwarded example2 to 125.0.0.1
Jul 06 12:53:15 vsr dnsmasq[5780]: reply example2 is 2002::1
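The log above comes from dnsmasq, the daemon behind the DNS server. As an added example (not part of the 6WIND documentation or product), the following Python script parses lines in that format, attaches each "forwarded" line to the query it belongs to, counts queries per client, and flags queries from clients outside the networks the server is meant to serve, which is the symptom to look for when checking whether the bind restriction really keeps the server from acting as an open resolver. The sample lines are constructed to match the format shown above; the 10.9.9.9 client, the evil.example.net name and the "/etc/hosts ... is ..." answer line are made up for the example, and the allowed network 100.0.0.0/8 is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of "show log service dns-server".
# The 10.9.9.9 client and its queries are made up to exercise the checks.
SAMPLE_LOG = """\
Jul 06 12:52:24 vsr dnsmasq[5780]: query[A] example1 from 100.0.0.1
Jul 06 12:52:24 vsr dnsmasq[5780]: forwarded example1 to 125.0.0.1
Jul 06 12:52:24 vsr dnsmasq[5780]: reply example1 is 1.0.0.1
Jul 06 12:53:09 vsr dnsmasq[5780]: query[A] example2 from 100.0.0.1
Jul 06 12:53:09 vsr dnsmasq[5780]: forwarded example2 to 125.0.0.1
Jul 06 12:53:15 vsr dnsmasq[5780]: query[AAAA] example2 from 100.0.0.1
Jul 06 12:53:15 vsr dnsmasq[5780]: forwarded example2 to 125.0.0.1
Jul 06 12:53:15 vsr dnsmasq[5780]: reply example2 is 2002::1
Jul 06 12:54:02 vsr dnsmasq[5780]: query[A] example1.local from 10.9.9.9
Jul 06 12:54:02 vsr dnsmasq[5780]: /etc/hosts example1.local is 10.0.0.2
Jul 06 12:54:03 vsr dnsmasq[5780]: query[TXT] evil.example.net from 10.9.9.9
Jul 06 12:54:03 vsr dnsmasq[5780]: forwarded evil.example.net to 125.0.0.1
"""

# dnsmasq logs "query[TYPE] name from client" for each request and
# "forwarded name to upstream" when it sends it to a system server.
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[^\]]+)\] (?P<qname>\S+) from (?P<client>\S+)"
)
FORWARD_RE = re.compile(r"dnsmasq\[\d+\]: forwarded (?P<qname>\S+) to (?P<upstream>\S+)")


def audit_queries(log_text, allowed_nets):
    """Summarise dnsmasq query logs and flag clients outside allowed_nets.

    allowed_nets is a list of CIDR strings (the networks the server is
    supposed to serve, i.e. what the bind restriction should enforce).
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    events = []  # one dict per query[...] line, in log order

    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            events.append({**m.groupdict(), "forwarded": False})
            continue
        m = FORWARD_RE.search(line)
        if m:
            # dnsmasq logs "forwarded" right after the query it belongs to,
            # so attach it to the most recent query for that name.
            for ev in reversed(events):
                if ev["qname"] == m.group("qname"):
                    ev["forwarded"] = True
                    break

    per_client = Counter(ev["client"] for ev in events)
    unexpected = [
        (ev["client"], ev["qtype"], ev["qname"])
        for ev in events
        if not any(ipaddress.ip_address(ev["client"]) in n for n in nets)
    ]
    return {
        "total": len(events),
        "forwarded": sum(ev["forwarded"] for ev in events),
        "local": sum(not ev["forwarded"] for ev in events),
        "per_client": per_client,
        "unexpected": unexpected,
    }


if __name__ == "__main__":
    report = audit_queries(SAMPLE_LOG, ["100.0.0.0/8"])
    print(f"{report['total']} queries, {report['forwarded']} forwarded, "
          f"{report['local']} answered locally")
    for client, count in report["per_client"].most_common():
        print(f"  {client}: {count}")
    for client, qtype, qname in report["unexpected"]:
        print(f"UNEXPECTED client {client} asked {qtype} {qname}")
```

The correlation of "forwarded" lines with queries is by name and order only, which is what the log offers; a retried forward for the same name is counted once, and a query with no "forwarded" line after it is taken as answered locally (hosts file, configured record or cache). Anything in the "unexpected" list is either a bind setting that does not cover all the interfaces the server is reachable on, or a client that should be filtered upstream.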

See also

The show log command reference for details about log filtering.

It’s also possible to display statistics about the dns-server cache and queries with the show dns-server command:

vsr> show dns-server vrf main
Cache: 66632, 2 records inserted
queries total 2
queries forwarded 2
queries answered locally 0

queries requested by tls 2
queries requested by https 2
queries unwanted 0

See also

The show dns-server command reference for details.

TLS

DNS over TLS (DoT) can be enabled to encrypt DNS resolution between the clients and the server. To do so, a certificate is needed and is referenced in the configuration:

vsr running config# / vrf main dns-server tls certificate-name MYCERTIFICATE

See also

The Import certificate command reference for details.

That is all that is needed to enable DoT. DNS over HTTPS (DoH) can then be enabled on top of it with a single setting:

vsr running config# / vrf main dns-server tls dns-over-https true

It can be tested with the kdig tool:

kdig @127.0.0.1 +tls +short myhostname A

Forward TLS

To encrypt the queries forwarded to the upstream servers as well (forward TLS), use the following configuration:

vsr running config# / vrf main dns-server forward-tls use-system-certificates true
vsr running config# / vrf main dns-server server 8.8.8.8 source 10.100.0.1 tls-authenticate-name dns.google

This configuration forwards all DNS requests over TLS (on TCP) to 8.8.8.8, validating the server certificate against the name dns.google and the system CA certificates. To validate the certificate against a custom bundle instead, configure the bundle like this:

vsr running config# / vrf main dns-server forward-tls certificates INT_CA
vsr running config# / vrf main dns-server forward-tls certificates ROOT_CA

Certificates must be listed from the intermediate CA to the root CA for the chain to be validated properly.
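As an added example serving both the TLS and Forward TLS sections (it is not part of the 6WIND documentation or product), the following Python script does by hand what the kdig line above does: it builds a DNS query in wire format, sends it over TLS with the two-byte length prefix that RFC 7858 requires, and parses the answer. On the client side it also mirrors the two forward TLS settings: server_name plays the role of tls-authenticate-name (the name the certificate must match) and cafile the role of the forward-tls certificates bundle (intermediate then root, as a single PEM file), while cafile=None means the system certificates. The server address, the name myhostname and the bundle path are assumptions for the example; only the command-line entry point contacts a server, the parsing helpers are pure and run offline.

```python
import socket
import ssl
import struct
import sys

TYPE_A, TYPE_AAAA = 1, 28


def build_query(qname, qtype=TYPE_A, txid=0x1234):
    """Build a minimal RFC 1035 query: one question, RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def _read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            hops += 1
            if hops > 16:  # refuse pointer loops in a hostile response
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_answers(data, expected_txid=None):
    """Return (rcode, [(name, type, ttl, value), ...]) from a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")  # reply is not for our query
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            value = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == TYPE_AAAA and rdlen == 16:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return flags & 0xF, answers


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_dot(server, qname, qtype=TYPE_A, port=853, server_name=None,
              cafile=None, timeout=5.0):
    """Resolve qname over DNS-over-TLS and return (rcode, answers).

    server_name: name the certificate must match (like tls-authenticate-name).
    cafile: PEM bundle, intermediate then root (like forward-tls certificates);
            None uses the system store (like use-system-certificates true).
    """
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    q = build_query(qname, qtype)
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name or server) as tls:
            tls.sendall(struct.pack("!H", len(q)) + q)  # RFC 7858 length prefix
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            resp = _recv_exact(tls, length)
    return parse_answers(resp, expected_txid=struct.unpack("!H", q[:2])[0])


if __name__ == "__main__":
    # Assumed usage: python dot_check.py 127.0.0.1 myhostname [server_name] [bundle.pem]
    server, name = sys.argv[1], sys.argv[2]
    sname = sys.argv[3] if len(sys.argv) > 3 else None
    bundle = sys.argv[4] if len(sys.argv) > 4 else None
    rcode, answers = query_dot(server, name, server_name=sname, cafile=bundle)
    print("rcode", rcode)
    for rname, rtype, ttl, value in answers:
        print(rname, rtype, ttl, value)
```

If the certificate configured with certificate-name does not carry the name passed as server_name (or the server's address, when none is passed), the TLS handshake fails before any DNS data is sent, which is the behaviour to expect from a client that checks tls-authenticate-name correctly. The transaction-id check and the bound on compression-pointer hops are there because the response parser runs on attacker-influenced input even when the transport is encrypted.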