dns --- .. osdx:cfgcmd:: service dns .. raw:: html SDE M10-Smart M2 RS420 AresC640 Domain Name Server (DNS) parameters .. osdx:cfgcmd:: service dns dynamic .. raw:: html SDE M10-Smart M2 RS420 AresC640 Dynamic DNS :ref Required: .. osdx:cfgcmd:: service dns dynamic interface .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg ifc: Interface to send DDNS updates for :instances: Multiple :ref Required: .. osdx:cfgcmd:: service dns dynamic interface advisor .. raw:: html SDE M10-Smart M2 RS420 AresC640 Advisor to enable or disable DDNS on the interface :ref Reference: system advisor * .. osdx:cfgcmd:: service dns dynamic interface service .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg id: Service name used for DDNS :instances: Multiple :ref Required: :ref Required: :ref Required: :ref Required: .. osdx:cfgcmd:: service dns dynamic interface service domain .. raw:: html SDE M10-Smart M2 RS420 AresC640 Domain registered with DDNS service :arg hostname: Hostname registered with DDNS service :arg record: Record to be updated for RFC2136 :instances: Multiple .. osdx:cfgcmd:: service dns dynamic interface service encrypted-password .. raw:: html SDE M10-Smart M2 RS420 AresC640 Encripted password or shared secret for DDNS service :arg secret: Secret for RFC2136 .. osdx:cfgcmd:: service dns dynamic interface service login .. raw:: html SDE M10-Smart M2 RS420 AresC640 Login for DDNS service :arg login: Login for DDNS service :arg keyname: Keyname for RFC2136 .. osdx:cfgcmd:: service dns dynamic interface service password .. raw:: html SDE M10-Smart M2 RS420 AresC640 Password for DDNS service :arg password: Password for DDNS service :arg secret: Secret for RFC2136 .. osdx:cfgcmd:: service dns dynamic interface service server .. raw:: html SDE M10-Smart M2 RS420 AresC640 Server to send DDNS update to :arg ipv4: IP address of DDNS server :arg hostname: Hostname of DDNS server .. osdx:cfgcmd:: service dns dynamic interface service ttl .. 
raw:: html SDE M10-Smart M2 RS420 AresC640 :arg u32: Time To Live .. osdx:cfgcmd:: service dns dynamic interface service type .. raw:: html SDE M10-Smart M2 RS420 AresC640 Protocol used for DDNS service :arg id: Custom or predefined protocol .. osdx:cfgcmd:: service dns dynamic interface service zone .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg id: Zone to be updated .. osdx:cfgcmd:: service dns dynamic interface update-frecuency .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg u32: Time (in minutes) after which the domain is updated .. osdx:cfgcmd:: service dns dynamic interface use-web .. raw:: html SDE M10-Smart M2 RS420 AresC640 Web check used for obtaining the external IP address .. osdx:cfgcmd:: service dns dynamic interface use-web skip .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg id: Skip everything before this on the given URL .. osdx:cfgcmd:: service dns dynamic interface use-web url .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg txt: URL to obtain the current external IP address .. osdx:cfgcmd:: service dns forwarding .. raw:: html SDE M10-Smart M2 RS420 AresC640 DNS Forwarding .. osdx:cfgcmd:: service dns forwarding cache-size .. raw:: html SDE M10-Smart M2 RS420 AresC640 DNS forwarding cache size :arg u32: DNS forwarding cache size (0-10000) .. osdx:cfgcmd:: service dns forwarding dhcp .. raw:: html SDE M10-Smart M2 RS420 AresC640 Enable DNS servers received from DHCP .. osdx:cfgcmd:: service dns forwarding dhcp interface .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg ifc: Enable DNS servers received from DHCP for specified interface :instances: Multiple .. osdx:cfgcmd:: service dns forwarding dhcp interface priority .. raw:: html SDE M10-Smart M2 RS420 AresC640 DHCP DNS servers priority for specified interface :arg u32: Level of priorities allowed (0-9) .. osdx:cfgcmd:: service dns forwarding dhcp priority .. raw:: html SDE M10-Smart M2 RS420 AresC640 DHCP DNS servers priority :arg u32: Level of priorities allowed (0-9) .. 
osdx:cfgcmd:: service dns forwarding dhcpv6 .. raw:: html SDE M10-Smart M2 RS420 AresC640 Enable DNS servers received from DHCPv6 .. osdx:cfgcmd:: service dns forwarding dhcpv6 interface .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg ifc: Enable DNS servers received from DHCPv6 for specified interface :instances: Multiple .. osdx:cfgcmd:: service dns forwarding dhcpv6 interface priority .. raw:: html SDE M10-Smart M2 RS420 AresC640 DHCPv6 DNS servers priority :arg u32: Level of priorities allowed (0-9) .. osdx:cfgcmd:: service dns forwarding dhcpv6 priority .. raw:: html SDE M10-Smart M2 RS420 AresC640 DHCPv6 DNS servers priority :arg u32: Level of priorities allowed (0-9) .. osdx:cfgcmd:: service dns forwarding disable-local-service .. raw:: html SDE M10-Smart M2 RS420 AresC640 Disable local-service option to accept DNS queries from any host on any subnet .. osdx:cfgcmd:: service dns forwarding dnssec .. raw:: html SDE M10-Smart M2 RS420 AresC640 Enable DNSSEC validation and caching .. osdx:cfgcmd:: service dns forwarding dnssec check-unsigned .. raw:: html SDE M10-Smart M2 RS420 AresC640 Check if unsigned replies are legitimate This entails possible extra queries even for the majority of DNS zones which are not, at the moment, signed. If disabled, then those replies are assumed to be valid and passed on (without the "authentic data" bit set). This does not protect against an attacker forging unsigned replies for signed DNS zones, but it is fast. .. osdx:cfgcmd:: service dns forwarding dnssec proxy .. raw:: html SDE M10-Smart M2 RS420 AresC640 Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients This is an alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network between dnsmasq and the upstream servers, and the trustworthiness of the upstream servers. Note that caching the Authenticated Data bit correctly in all cases is not technically possible. .. osdx:cfgcmd:: service dns forwarding domain .. 
raw:: html SDE M10-Smart M2 RS420 AresC640 DNS domain configuration :arg id: DNS domain name :instances: Multiple .. osdx:cfgcmd:: service dns forwarding domain dhcp .. raw:: html SDE M10-Smart M2 RS420 AresC640 Enable DNS servers received from DHCP .. osdx:cfgcmd:: service dns forwarding domain dhcp interface .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg ifc: Enable DNS servers received from DHCP for specified interface :instances: Multiple .. osdx:cfgcmd:: service dns forwarding domain dhcpv6 .. raw:: html SDE M10-Smart M2 RS420 AresC640 Enable DNS servers received from DHCPv6 .. osdx:cfgcmd:: service dns forwarding domain dhcpv6 interface .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg ifc: Enable DNS servers received from DHCPv6 for specified interface :instances: Multiple .. osdx:cfgcmd:: service dns forwarding domain name-server .. raw:: html SDE M10-Smart M2 RS420 AresC640 DNS servers :arg ipv4: DNS address IPv4 :arg ipv6: DNS address IPv6 :instances: Multiple .. osdx:cfgcmd:: service dns forwarding domain name-server local-address .. raw:: html SDE M10-Smart M2 RS420 AresC640 Local IP address to use as source for requests to this nameserver :arg ipv4: Local IPv4 address for this nameserver :arg ipv6: Local IPv6 address for this nameserver :Local IP address: .. osdx:cfgcmd:: service dns forwarding domain name-server local-interface .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg ifc: Interface to use as source for requests to this nameserver .. osdx:cfgcmd:: service dns forwarding domain name-server local-vrf .. raw:: html SDE M10-Smart M2 RS420 AresC640 VRF to use as source for requests to this nameserver :ref Reference: system vrf * .. osdx:cfgcmd:: service dns forwarding domain name-server port .. raw:: html SDE M10-Smart M2 RS420 AresC640 Port in which the DNS server is listening at. Defaults to port 53 :arg u32: DNS server listening port (1-65535) .. osdx:cfgcmd:: service dns forwarding domain ppp .. 
raw:: html SDE M10-Smart M2 RS420 AresC640 Enable DNS servers received from PPP .. osdx:cfgcmd:: service dns forwarding listen .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg ifc: Interfaces to listen for DNS queries :instances: Multiple .. osdx:cfgcmd:: service dns forwarding local-ttl .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg u32: TTL for static entries or DHCP leases .. osdx:cfgcmd:: service dns forwarding logs .. raw:: html SDE M10-Smart M2 RS420 AresC640 Enables DNS forwarding logs The DNS forwarding logs can be later on retreived by using either the operational commands or by looking at the system journal. .. osdx:cfgcmd:: service dns forwarding max-cache-ttl .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg u32: Maximum TTL for Cache Entries .. osdx:cfgcmd:: service dns forwarding min-cache-ttl .. raw:: html SDE M10-Smart M2 RS420 AresC640 Minimum TTL for Cache Entries :arg u32: Minimum time for cache entries in seconds (1-3600) .. osdx:cfgcmd:: service dns forwarding name-server .. raw:: html SDE M10-Smart M2 RS420 AresC640 DNS servers :arg ipv4: DNS address IPv4 :arg ipv6: DNS address IPv6 :instances: Multiple .. osdx:cfgcmd:: service dns forwarding name-server local-address .. raw:: html SDE M10-Smart M2 RS420 AresC640 Local IP address to use as source for requests to this nameserver :arg ipv4: Local IPv4 address for this nameserver :arg ipv6: Local IPv6 address for this nameserver :Local IP address: .. osdx:cfgcmd:: service dns forwarding name-server local-interface .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg ifc: Interface to use as source for requests to this nameserver .. osdx:cfgcmd:: service dns forwarding name-server local-vrf .. raw:: html SDE M10-Smart M2 RS420 AresC640 VRF to use as source for requests to this nameserver :ref Reference: system vrf * .. osdx:cfgcmd:: service dns forwarding name-server port .. raw:: html SDE M10-Smart M2 RS420 AresC640 Port in which the DNS server is listening at. 
Defaults to port 53 :arg u32: DNS server listening port (1-65535) .. osdx:cfgcmd:: service dns forwarding name-server priority .. raw:: html SDE M10-Smart M2 RS420 AresC640 Local DNS servers priority (the lower the value is, the higher the priority gets) :arg u32: Level of priorities allowed (0-9) .. osdx:cfgcmd:: service dns forwarding ppp .. raw:: html SDE M10-Smart M2 RS420 AresC640 Enable DNS servers received from PPP .. osdx:cfgcmd:: service dns forwarding ppp priority .. raw:: html SDE M10-Smart M2 RS420 AresC640 PPP DNS servers priority :arg u32: Level of priorities allowed (0-9) .. osdx:cfgcmd:: service dns forwarding record .. raw:: html SDE M10-Smart M2 RS420 AresC640 DNS static records used when resolving a request .. osdx:cfgcmd:: service dns forwarding record cname .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg fqdn: CNAME record pointing to an existing host record :instances: Multiple :ref Required: service dns forwarding record host * .. osdx:cfgcmd:: service dns forwarding record cname target .. raw:: html SDE M10-Smart M2 RS420 AresC640 Host this record points to :ref Reference: service dns forwarding record host * .. osdx:cfgcmd:: service dns forwarding record cname ttl .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg u32: TTL for this host entry. By default, uses global configured value .. osdx:cfgcmd:: service dns forwarding record host .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg fqdn: Host records reference either an A, AAAA or PTR records to the DNS :instances: Multiple .. osdx:cfgcmd:: service dns forwarding record host ipv4-address .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg ipv4: IP address the host record points to :instances: Multiple .. osdx:cfgcmd:: service dns forwarding record host ipv6-address .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg ipv6: IP address the host record points to :instances: Multiple .. osdx:cfgcmd:: service dns forwarding record host ttl .. 
raw:: html SDE M10-Smart M2 RS420 AresC640 :arg u32: TTL for this host entry. By default, uses global configured value .. osdx:cfgcmd:: service dns forwarding record mx .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg fqdn: MX record for directing mail on a LAN to a server :instances: Multiple .. osdx:cfgcmd:: service dns forwarding record mx hostname .. raw:: html SDE M10-Smart M2 RS420 AresC640 Hostname the MX record is pointing to. Defaults to system's hostname :arg ipv4: IPv4 address the record points to :arg ipv6: IPv6 address the record points to :arg fqdn: Fully qualified domain name the record points to :arg id: Hostname the record points to .. osdx:cfgcmd:: service dns forwarding record mx preference .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg u32: Preference of the MX record when querying the hostname .. osdx:cfgcmd:: service dns forwarding record srv .. raw:: html SDE M10-Smart M2 RS420 AresC640 SRV DNS records as specified at RFC2782 :arg id: Service name for this SRV record :instances: Multiple :ref Required: .. osdx:cfgcmd:: service dns forwarding record srv protocol .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg id: Service protocol for this SRV record :instances: Multiple :ref Required: .. osdx:cfgcmd:: service dns forwarding record srv protocol domain .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg fqdn: Service domain this SRV record uses For example, if the SRV record refers to an IMAP mail server running at teldat.com domain, then domain will be "teldat.com". "domain" should not be confused with "target", which can have the same value but refer to different things. .. osdx:cfgcmd:: service dns forwarding record srv protocol port .. raw:: html SDE M10-Smart M2 RS420 AresC640 Service port this SRV points to :arg u32: Port in which the service is listening to connections (1-65535) .. osdx:cfgcmd:: service dns forwarding record srv protocol priority .. 
raw:: html SDE M10-Smart M2 RS420 AresC640 Priority of this SRV record :arg u32: Priority of this SRV record. The lower the value is, the higher the priority gets .. osdx:cfgcmd:: service dns forwarding record srv protocol target .. raw:: html SDE M10-Smart M2 RS420 AresC640 Service domain this SRV points to The target refers to the destination the SRV record is pointing to. In a mail server example, the target would be the FQDN in which the mail server lives. :ref Reference: service dns forwarding record host * .. osdx:cfgcmd:: service dns forwarding record srv protocol weight .. raw:: html SDE M10-Smart M2 RS420 AresC640 Weight of this SRV record :arg u32: Weight of this SRV record. The lower the value is, the higher the weight gets .. osdx:cfgcmd:: service dns proxy .. raw:: html SDE M10-Smart M2 RS420 AresC640 DNS proxy service configuration options :ref Required: .. osdx:cfgcmd:: service dns proxy balancing .. raw:: html SDE M10-Smart M2 RS420 AresC640 Load balancing algorithms for chosen servers The DNS proxy queries all the servers given by the source lists. Once populated, servers are sorted from quickest to lowest, and that order will be used for performing the load balancing. Each time a query is made to a server, the time it takes is used to adjust how fast the proxy thinks the server is, using an exponentially weighted average. If the new calculated time happens to be slower than a randomly chosen candidate from the list of servers, then the entries are swapped. When this operation is applied over time, every server will get compared to all the others and the list is progressively kept sorted. Notice that when source lists are used, the servers are placed around the world. If "ph" strategy is chosen, very probably some queries will end-up using slower servers - that is why "p2" is probably the best strategy to use (and therefore the best). Have a look at server response times before choosing the strategy. 
:arg first: Always pick the fastest server in the list :arg p2: Randomly choose between the top 2 fastest servers :arg ph: Randomly choose between the top fastest half of all servers :arg random: Just pick any random server from the list .. osdx:cfgcmd:: service dns proxy blocklist .. raw:: html SDE M10-Smart M2 RS420 AresC640 Configures sources to block .. osdx:cfgcmd:: service dns proxy blocklist ip .. raw:: html SDE M10-Smart M2 RS420 AresC640 Block IPs. RegEx is also supported .. osdx:cfgcmd:: service dns proxy blocklist ip address .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg txt: Block IPs based on a pattern Blocklist are made of patterns. Thus, the following patterns are valid: 127.* :instances: Multiple .. osdx:cfgcmd:: service dns proxy blocklist ip file .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg file: Loads a file containing the IPs to block :instances: Multiple .. osdx:cfgcmd:: service dns proxy blocklist name .. raw:: html SDE M10-Smart M2 RS420 AresC640 Block domains by name. RegEx is also supported .. osdx:cfgcmd:: service dns proxy blocklist name domain .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg txt: Block domain based on a pattern Blocklist are made of patterns. Thus, the following patterns are valid: example.com =example.com *sex* ads.* ads*.example.* Usually, these blocklist are handled directly with files. However, it is also possible to specify them manually. More information can be found at: :instances: Multiple .. osdx:cfgcmd:: service dns proxy blocklist name file .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg file: Loads a file containing the domains to block :instances: Multiple .. osdx:cfgcmd:: service dns proxy cache .. raw:: html SDE M10-Smart M2 RS420 AresC640 DNS proxy caching options .. osdx:cfgcmd:: service dns proxy cache max-negated-ttl .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg u32: How long, at most in seconds, a not found entry will be kept in cache .. 
osdx:cfgcmd:: service dns proxy cache max-ttl .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg u32: How long, at most in seconds, an entry will be kept in cache .. osdx:cfgcmd:: service dns proxy cache min-negated-ttl .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg u32: How long, at minimum in seconds, a not found entry will be kept in cache .. osdx:cfgcmd:: service dns proxy cache min-ttl .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg u32: How long, at minimum in seconds, an entry will be kept in cache .. osdx:cfgcmd:: service dns proxy cache size .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg u32: Maximum number of entries in the cache .. osdx:cfgcmd:: service dns proxy cipher .. raw:: html SDE M10-Smart M2 RS420 AresC640 Cipher algorithms ordered by preference When this field is not set, the best algorithm will be used based on hardware characteristics that do not compromise the exchanged data. Notice that these algorithms conform a "preference": If the server and the client agree on one, they will use it. However, if the server has no acceptable algorithm from the one the client asks for, it will just show a warning and choose the proper one. Notice that this feature will do nothing when the communication is encrypted using TLS v1.3: The best algorithm is automatically chosen based on hardware characteristics and connection speed. :arg u32: Preference of the encryption algorithm (1-18) :instances: Multiple :ref Required: .. osdx:cfgcmd:: service dns proxy cipher algorithm .. 
raw:: html SDE M10-Smart M2 RS420 AresC640 Cipher algorithm to communicate with the server :arg TLS_RSA_WITH_AES_128_CBC_SHA: [Secure] RSA with AES-128-CBC-SHA (up-to TLS v1.2) :arg TLS_RSA_WITH_AES_256_CBC_SHA: [Secure] RSA with AES-256-CBC-SHA (up-to TLS v1.2) :arg TLS_RSA_WITH_AES_128_GCM_SHA256: [Secure] RSA with AES-128-GCM-SHA256 (only in TLS v1.2) :arg TLS_RSA_WITH_AES_256_GCM_SHA384: [Secure] RSA with AES-256-GCM-SHA384 (only in TLS v1.2) :arg TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: [Secure] ECDHE RSA with AES-128-CBC-SHA (up-to in TLS v1.2) :arg TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: [Secure] ECDHE RSA with AES-256-CBC-SHA (up-to in TLS v1.2) :arg TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: [Secure] ECDHE RSA with AES-128-GCM-SHA256 (up-to in TLS v1.2) :arg TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: [Secure] ECDHE RSA with AES-256-GCM-SHA384 (up-to in TLS v1.2) :arg TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: [Secure] ECDHE RSA with ChaCha 20 and Poly 1305 (up-to in TLS v1.2) :arg TLS_RSA_WITH_RC4_128_SHA: [Insecure] RSA with RC4 and SHA1 (up-to in TLS v1.2) :arg TLS_RSA_WITH_3DES_EDE_CBC_SHA: [Insecure] RSA with 3DES-EDE-CBC and SHA1 (up-to in TLS v1.2) :arg TLS_RSA_WITH_AES_128_CBC_SHA256: [Insecure] RSA with AES-128-CBC and SHA256 (only in TLS v1.2) :arg TLS_ECDHE_RSA_WITH_RC4_128_SHA: [Insecure] ECDHE RSA with RC4 and SHA1 (up-to in TLS v1.2) :arg TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: [Insecure] ECDHE RSA with 3DES-EDE-CBC and SHA1 (up-to in TLS v1.2) :arg TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: [Insecure] ECDHE RSA with AES-128-CBC and SHA256 (only in TLS v1.2) .. osdx:cfgcmd:: service dns proxy cloaking .. raw:: html SDE M10-Smart M2 RS420 AresC640 Configures a set of host entries to point to one or multiple addresses .. osdx:cfgcmd:: service dns proxy cloaking ignore-hosts .. raw:: html SDE M10-Smart M2 RS420 AresC640 Do not use system configured host entries .. osdx:cfgcmd:: service dns proxy cloaking name .. 
raw:: html SDE M10-Smart M2 RS420 AresC640 FQDN, IP, name or RegEx to match when cloaking An example is worth a thousand words: 1. example.com 2. *.example.com 3. *.example.* 4. example[0-9]* The examples above will match a FQDN (1), all subdomains of "example.com" (2), all subdomains and all top-level domains (3) and all domains containing either no or "N" numbers at the end, including all top-level domains too (4). Furthermore, as the input value can be anything, here IP addresses may fit too. :arg name: FQDN, IP, name or regular expression used to match incoming requests :instances: Multiple :ref Required: .. osdx:cfgcmd:: service dns proxy cloaking name destination .. raw:: html SDE M10-Smart M2 RS420 AresC640 Destination to point incoming petitions to The incoming traffic may be pointed to another domain, IP or IPv6 address. Moreover, that traffic may be load balanced when setting more than one destination address. :arg fqdn: Domain name to point to :arg ipv4: Address to point to :arg ipv6: IPv6 Address to point to :instances: Multiple .. osdx:cfgcmd:: service dns proxy cloaking ttl .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg u32: Cloaking TTL used when serving defined entries .. osdx:cfgcmd:: service dns proxy disable-protocol .. raw:: html SDE M10-Smart M2 RS420 AresC640 Choose the protocols that will not be used when securing DNS queries .. osdx:cfgcmd:: service dns proxy disable-protocol dnscrypt .. raw:: html SDE M10-Smart M2 RS420 AresC640 Skip the DNSCrypt protocol if the server implements it .. osdx:cfgcmd:: service dns proxy disable-protocol doh .. raw:: html SDE M10-Smart M2 RS420 AresC640 Skip the DNS-over-HTTPS protocol if the server implements it .. osdx:cfgcmd:: service dns proxy fallback .. 
raw:: html SDE M10-Smart M2 RS420 AresC640 Fallback DNS resolvers when no other connection is available These are normal, non-encrypted DNS resolvers, that will be only used for one-shot queries when retrieving the initial resolvers list and if the system DNS configuration doesn't work. :arg ipv4: IPv4 address where the resolver is listening at :arg ipv6: IPv6 address where the resolver is listening at :instances: Multiple .. osdx:cfgcmd:: service dns proxy fallback port .. raw:: html SDE M10-Smart M2 RS420 AresC640 Port in which the resolver is listening at :arg u32: Port where resolver is listening at (1-65535) .. osdx:cfgcmd:: service dns proxy force-tcp .. raw:: html SDE M10-Smart M2 RS420 AresC640 Always use TCP to connect to upstream servers This can be useful if you need to route everything through a proxy (like Tor). Otherwise, enabling this option does not improve security and will only increase the latency. .. osdx:cfgcmd:: service dns proxy ipv6 .. raw:: html SDE M10-Smart M2 RS420 AresC640 IPv6 options for configuring the service .. osdx:cfgcmd:: service dns proxy ipv6 block .. raw:: html SDE M10-Smart M2 RS420 AresC640 Block any IPv6 requests (useful when IPv6 is not available) .. osdx:cfgcmd:: service dns proxy ipv6 do-not-query .. raw:: html SDE M10-Smart M2 RS420 AresC640 Ignore DNS servers that are only accessible through IPv6 .. osdx:cfgcmd:: service dns proxy keepalive .. raw:: html SDE M10-Smart M2 RS420 AresC640 Keepalive for HTTP queries, in seconds :arg u32: Keepalive in seconds .. osdx:cfgcmd:: service dns proxy listen-address .. raw:: html SDE M10-Smart M2 RS420 AresC640 Address to listen to incoming connections :arg ipv4: IPv4 address to listen at :arg ipv6: IPv6 address to listen at :Local IP address: :instances: Multiple .. osdx:cfgcmd:: service dns proxy listen-address port .. raw:: html SDE M10-Smart M2 RS420 AresC640 Port to listen at :arg u32: Port to listen at (1-65535) .. osdx:cfgcmd:: service dns proxy log .. 
raw:: html SDE M10-Smart M2 RS420 AresC640 Enable logging and configure related options .. osdx:cfgcmd:: service dns proxy log level .. raw:: html SDE M10-Smart M2 RS420 AresC640 Log level to use. Defaults to "2" :arg u32: Verbosity level. 0 is very verbose; 6 only contains fatal errors (0-6) .. osdx:cfgcmd:: service dns proxy require .. raw:: html SDE M10-Smart M2 RS420 AresC640 Restrictions and limitations to apply to configured servers .. osdx:cfgcmd:: service dns proxy require dnssec .. raw:: html SDE M10-Smart M2 RS420 AresC640 Servers must support DNS security extensions (DNSSEC) .. osdx:cfgcmd:: service dns proxy require no-filter .. raw:: html SDE M10-Smart M2 RS420 AresC640 Servers must not enforce its own blocklist (for parental control, ad blocking, ...) .. osdx:cfgcmd:: service dns proxy require no-logs .. raw:: html SDE M10-Smart M2 RS420 AresC640 Servers must not log user queries (declarative) .. osdx:cfgcmd:: service dns proxy server .. raw:: html SDE M10-Smart M2 RS420 AresC640 Configure the DNS proxy as a DoH server too :ref Required: .. osdx:cfgcmd:: service dns proxy server cert .. raw:: html SDE M10-Smart M2 RS420 AresC640 Certificate to use for securing communications :ref Required: :ref Required: .. osdx:cfgcmd:: service dns proxy server cert file .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg file: Certificate file for the local DoH server This certificate file can be generated locally or with an external tool such as Let's Encrypt. With the first approach, the CA certificate has to be trusted by all clients. With the second approach, the CA certificate is usually trusted by all clients. .. osdx:cfgcmd:: service dns proxy server cert key .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg file: Key for the DoH server certificate .. osdx:cfgcmd:: service dns proxy server listen-address .. 
raw:: html SDE M10-Smart M2 RS420 AresC640 Address the local DoH server should listen to :arg ipv4: IPv4 address the local DoH server should listen to :arg ipv6: IPv6 address the local DoH server should listen to :Local IP address: :instances: Multiple .. osdx:cfgcmd:: service dns proxy server listen-address port .. raw:: html SDE M10-Smart M2 RS420 AresC640 Port to listen at :arg u32: Port to listen at (1-65535) .. osdx:cfgcmd:: service dns proxy server path .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg id: Path of the DoH URL This is not a file, but the part after the hostname in the URL. By convention, "/dns-query" is frequently chosen. For each listen address, the complete URL will have the form: .. osdx:cfgcmd:: service dns proxy server-name .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg id: Server to use when querying DNS records :instances: Multiple .. osdx:cfgcmd:: service dns proxy source .. raw:: html SDE M10-Smart M2 RS420 AresC640 Remote lists of available servers Remote lists are a set of servers that are available for querying DNS records. The lists themselves contain all the required information for a client to connect to a server by simply using a known name. For example, to use Cloudflare as the DNS provider by using a list, it would be as simple as defining "service dns proxy server-name cloudflare". That setting will automatically populate the DNS list for looking for the "cloudflare" provider data. Some companies publish their own lists with their servers. On the other hand, some projects decide to publish lists with generally available servers. An example is DNSCrypt: :arg source: Source identifier :instances: Multiple :ref Required: :ref Required: .. osdx:cfgcmd:: service dns proxy source minisign-key .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg id: Public key used to verify the content is legitimate Lists can be served from any location, even from an untrusted ISP. 
When this occurs, the DNS proxy will immediately detect and reject the source it has been tampered with. .. osdx:cfgcmd:: service dns proxy source prefix .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg id: To avoid collisions with other sources, prefix for the declared servers .. osdx:cfgcmd:: service dns proxy source refresh-delay .. raw:: html SDE M10-Smart M2 RS420 AresC640 Refresh delay for the cached source list :arg u32: Delay for cached source list in hours (24-720) .. osdx:cfgcmd:: service dns proxy source url .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg txt: URL to get the source from :instances: Multiple .. osdx:cfgcmd:: service dns proxy static .. raw:: html SDE M10-Smart M2 RS420 AresC640 Static configuration for server definitions :arg name: Static definition name :instances: Unique .. osdx:cfgcmd:: service dns proxy static protocol .. raw:: html SDE M10-Smart M2 RS420 AresC640 Protocol identifier for this node :instances: Unique .. osdx:cfgcmd:: service dns proxy static protocol dns-crypt .. raw:: html SDE M10-Smart M2 RS420 AresC640 The server uses DNSCrypt protocol :ref Required: :ref Required: .. osdx:cfgcmd:: service dns proxy static protocol dns-crypt dnssec .. raw:: html SDE M10-Smart M2 RS420 AresC640 The server supports DNSSEC .. osdx:cfgcmd:: service dns proxy static protocol dns-crypt ip .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg ipv4: IP address of the server :arg ipv6: IP address of the server .. osdx:cfgcmd:: service dns proxy static protocol dns-crypt no-filter .. raw:: html SDE M10-Smart M2 RS420 AresC640 The server does not intentionally block domains .. osdx:cfgcmd:: service dns proxy static protocol dns-crypt no-logs .. raw:: html SDE M10-Smart M2 RS420 AresC640 The server does not store any logs .. osdx:cfgcmd:: service dns proxy static protocol dns-crypt port .. raw:: html SDE M10-Smart M2 RS420 AresC640 Port where the server is listening at :arg u32: Port where the server is listening at (1-65535) .. 
osdx:cfgcmd:: service dns proxy static protocol dns-crypt provider .. raw:: html SDE M10-Smart M2 RS420 AresC640 DNS provider related data :ref Required: :ref Required: .. osdx:cfgcmd:: service dns proxy static protocol dns-crypt provider name .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg id: DNS provider name .. osdx:cfgcmd:: service dns proxy static protocol dns-crypt provider public-key .. raw:: html SDE M10-Smart M2 RS420 AresC640 Provider's Ed25519 public key, as 32 raw bytes :arg key: Ed25519 public key .. osdx:cfgcmd:: service dns proxy static protocol dns-over-https .. raw:: html SDE M10-Smart M2 RS420 AresC640 The server uses DNS over HTTPS (DoH) protocol :ref Required: .. osdx:cfgcmd:: service dns proxy static protocol dns-over-https dnssec .. raw:: html SDE M10-Smart M2 RS420 AresC640 The server supports DNSSEC .. osdx:cfgcmd:: service dns proxy static protocol dns-over-https hash .. raw:: html SDE M10-Smart M2 RS420 AresC640 The SHA256 digest of one of the TBS certificate The SHA256 digest of one of the TBS certificate found in the validation chain, typically the certificate used to sign the resolver's certificate. Multiple hashes can be provided for seamless rotations. :arg sha256: SHA256 digest of one of the TBS certificate :instances: Multiple .. osdx:cfgcmd:: service dns proxy static protocol dns-over-https host .. raw:: html SDE M10-Smart M2 RS420 AresC640 Server host related information :ref Required: .. osdx:cfgcmd:: service dns proxy static protocol dns-over-https host name .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg fqdn: Server hostname that will be used also as SNI name .. osdx:cfgcmd:: service dns proxy static protocol dns-over-https host path .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg txt: Absolute URI path. By default, "/dns-query" is used .. osdx:cfgcmd:: service dns proxy static protocol dns-over-https host port .. raw:: html SDE M10-Smart M2 RS420 AresC640 Server port number. 
If missing, port 443 is assumed :arg u32: Server port number (1-65535) .. osdx:cfgcmd:: service dns proxy static protocol dns-over-https ip .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg ipv4: IP address of the server The address can be left empty (unset). In that case, the host name will be resolved to an IP address using another resolver. :arg ipv6: IP address of the server The address can be left empty (unset). In that case, the host name will be resolved to an IP address using another resolver. .. osdx:cfgcmd:: service dns proxy static protocol dns-over-https no-filter .. raw:: html SDE M10-Smart M2 RS420 AresC640 The server does not intentionally block domains .. osdx:cfgcmd:: service dns proxy static protocol dns-over-https no-logs .. raw:: html SDE M10-Smart M2 RS420 AresC640 The server does not store any logs .. osdx:cfgcmd:: service dns proxy static stamp .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg id: String that encodes all the required parameters to connect to a server The stamp is a string that looks like: .. osdx:cfgcmd:: service dns proxy timeout .. raw:: html SDE M10-Smart M2 RS420 AresC640 Time to wait for a DNS query response, in milliseconds If the network has high latency, it may be worth increasing this value. Startup may be slower when the value is raised, so do not increase it too much. :arg u32: Timeout in milliseconds .. osdx:cfgcmd:: service dns proxy whitelist .. raw:: html SDE M10-Smart M2 RS420 AresC640 Configures sources to allow .. osdx:cfgcmd:: service dns proxy whitelist ip .. raw:: html SDE M10-Smart M2 RS420 AresC640 Allow IPs. RegEx is also supported .. osdx:cfgcmd:: service dns proxy whitelist ip address .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg txt: Allow IPs based on a pattern Whitelists are made of patterns. For example, the following pattern is valid: 127.* :instances: Multiple .. osdx:cfgcmd:: service dns proxy whitelist ip file ..
raw:: html SDE M10-Smart M2 RS420 AresC640 :arg file: Loads a file containing the IPs to allow :instances: Multiple .. osdx:cfgcmd:: service dns proxy whitelist name .. raw:: html SDE M10-Smart M2 RS420 AresC640 Allow domains by name. RegEx is also supported .. osdx:cfgcmd:: service dns proxy whitelist name domain .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg txt: Allow domain based on a pattern Whitelists are made of patterns. For example, the following patterns are valid: example.com =example.com *sex* ads.* ads*.example.* Usually, these whitelists are handled directly with files. However, it is also possible to specify them manually. More information can be found at: :instances: Multiple .. osdx:cfgcmd:: service dns proxy whitelist name file .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg file: Loads a file containing the domains to allow :instances: Multiple .. osdx:cfgcmd:: service dns resolver .. raw:: html SDE M10-Smart M2 RS420 AresC640 DNS Resolver .. osdx:cfgcmd:: service dns resolver dhcp .. raw:: html SDE M10-Smart M2 RS420 AresC640 Enable DNS servers received from DHCP .. osdx:cfgcmd:: service dns resolver dhcpv6 .. raw:: html SDE M10-Smart M2 RS420 AresC640 Enable DNS servers received from DHCPv6 .. osdx:cfgcmd:: service dns resolver local .. raw:: html SDE M10-Smart M2 RS420 AresC640 Resolves DNS queries by using a local service Enabling this option will forward all DNS queries to a local service, previously configured under "service dns forwarding" .. osdx:cfgcmd:: service dns resolver name-server .. raw:: html SDE M10-Smart M2 RS420 AresC640 DNS servers :arg ipv4: DNS address IPv4 :arg ipv6: DNS address IPv6 :instances: Multiple .. osdx:cfgcmd:: service dns resolver ppp .. raw:: html SDE M10-Smart M2 RS420 AresC640 Enable DNS servers received from PPP .. osdx:cfgcmd:: service dns static .. raw:: html SDE M10-Smart M2 RS420 AresC640 Static host entries .. osdx:cfgcmd:: service dns static host-name ..
raw:: html SDE M10-Smart M2 RS420 AresC640 :arg txt: Host name for static address mapping :instances: Multiple :ref Required: .. osdx:cfgcmd:: service dns static host-name alias .. raw:: html SDE M10-Smart M2 RS420 AresC640 :arg id: Alias for this address :instances: Multiple .. osdx:cfgcmd:: service dns static host-name inet .. raw:: html SDE M10-Smart M2 RS420 AresC640 Address :arg ipv4: IPv4 address :arg ipv6: IPv6 address