dns

service dns
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Domain Name Server (DNS) parameters

service dns dynamic
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Dynamic DNS

Required:

service dns dynamic interface <ifc>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • ifc – Interface to send DDNS updates for

Instances:

Multiple

Required:

service dns dynamic interface <ifc> advisor <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Advisor to enable or disable DDNS on the interface

Reference:

system advisor <txt>

service dns dynamic interface <ifc> service <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • id – Service name used for DDNS

Instances:

Multiple

Required:

Required:

Required:

Required:

service dns dynamic interface <ifc> service <id> domain <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Domain registered with DDNS service

Values:
  • hostname – Hostname registered with DDNS service

  • record – Record to be updated for RFC2136

Instances:

Multiple

service dns dynamic interface <ifc> service <id> encrypted-password <password>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Encrypted password or shared secret for DDNS service

Values:
  • secret – Secret for RFC2136

service dns dynamic interface <ifc> service <id> login <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Login for DDNS service

Values:
  • login – Login for DDNS service

  • keyname – Keyname for RFC2136

service dns dynamic interface <ifc> service <id> password <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Password for DDNS service

Values:
  • password – Password for DDNS service

  • secret – Secret for RFC2136

service dns dynamic interface <ifc> service <id> server <ipv4|id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Server to send DDNS update to

Values:
  • ipv4 – IP address of DDNS server

  • hostname – Hostname of DDNS server

service dns dynamic interface <ifc> service <id> ttl <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • u32 – Time To Live

service dns dynamic interface <ifc> service <id> type <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Protocol used for DDNS service

Values:
  • id – Custom or predefined protocol

service dns dynamic interface <ifc> service <id> zone <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • id – Zone to be updated

service dns dynamic interface <ifc> update-frecuency <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • u32 – Time (in minutes) after which the domain is updated

service dns dynamic interface <ifc> use-web
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Web check used for obtaining the external IP address

service dns dynamic interface <ifc> use-web skip <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • id – Skip everything before this on the given URL

service dns dynamic interface <ifc> use-web url <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • txt – URL to obtain the current external IP address

service dns forwarding
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

DNS Forwarding

service dns forwarding cache-size <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

DNS forwarding cache size

Values:
  • u32 – DNS forwarding cache size (0-10000)

service dns forwarding dhcp
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Enable DNS servers received from DHCP

service dns forwarding dhcp interface <ifc>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • ifc – Enable DNS servers received from DHCP for specified interface

Instances:

Multiple

service dns forwarding dhcp interface <ifc> priority <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

DHCP DNS servers priority for specified interface

Values:
  • u32 – Level of priorities allowed (0-9)

service dns forwarding dhcp priority <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

DHCP DNS servers priority

Values:
  • u32 – Level of priorities allowed (0-9)

service dns forwarding dhcpv6
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Enable DNS servers received from DHCPv6

service dns forwarding dhcpv6 interface <ifc>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • ifc – Enable DNS servers received from DHCPv6 for specified interface

Instances:

Multiple

service dns forwarding dhcpv6 interface <ifc> priority <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

DHCPv6 DNS servers priority

Values:
  • u32 – Level of priorities allowed (0-9)

service dns forwarding dhcpv6 priority <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

DHCPv6 DNS servers priority

Values:
  • u32 – Level of priorities allowed (0-9)

service dns forwarding disable-local-service
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Disable local-service option to accept DNS queries from any host on any subnet

service dns forwarding dnssec
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Enable DNSSEC validation and caching

service dns forwarding dnssec check-unsigned
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Check if unsigned replies are legitimate

This entails possible extra queries even for the majority of DNS zones which are not, at the moment, signed. If disabled, then those replies are assumed to be valid and passed on (without the “authentic data” bit set). This does not protect against an attacker forging unsigned replies for signed DNS zones, but it is fast.

service dns forwarding dnssec proxy
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients

This is an alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network between dnsmasq and the upstream servers, and the trustworthiness of the upstream servers. Note that caching the Authenticated Data bit correctly in all cases is not technically possible.

service dns forwarding domain <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

DNS domain configuration

Values:
  • id – DNS domain name

Instances:

Multiple

service dns forwarding domain <id> dhcp
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Enable DNS servers received from DHCP

service dns forwarding domain <id> dhcp interface <ifc>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • ifc – Enable DNS servers received from DHCP for specified interface

Instances:

Multiple

service dns forwarding domain <id> dhcpv6
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Enable DNS servers received from DHCPv6

service dns forwarding domain <id> dhcpv6 interface <ifc>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • ifc – Enable DNS servers received from DHCPv6 for specified interface

Instances:

Multiple

service dns forwarding domain <id> name-server <ipv4>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

DNS servers

Values:
  • ipv4 – DNS address IPv4

  • ipv6 – DNS address IPv6

Instances:

Multiple

service dns forwarding domain <id> name-server <ipv4> local-address <ipv4|ipv6>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Local IP address to use as source for requests to this nameserver

Values:
  • ipv4 – Local IPv4 address for this nameserver

  • ipv6 – Local IPv6 address for this nameserver

Local IP address:

service dns forwarding domain <id> name-server <ipv4> local-interface <ifc>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • ifc – Interface to use as source for requests to this nameserver

service dns forwarding domain <id> name-server <ipv4> local-vrf <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

VRF to use as source for requests to this nameserver

Reference:

system vrf <id>

service dns forwarding domain <id> name-server <ipv4> port <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Port on which the DNS server is listening. Defaults to port 53

Values:
  • u32 – DNS server listening port (1-65535)

service dns forwarding domain <id> ppp
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Enable DNS servers received from PPP

service dns forwarding listen <ifc>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • ifc – Interfaces to listen for DNS queries

Instances:

Multiple

service dns forwarding local-ttl <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • u32 – TTL for static entries or DHCP leases

service dns forwarding logs
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Enables DNS forwarding logs

The DNS forwarding logs can later be retrieved from the system journal.

service dns forwarding max-cache-ttl <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • u32 – Maximum TTL for Cache Entries

service dns forwarding min-cache-ttl <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Minimum TTL for Cache Entries

Values:
  • u32 – Minimum time for cache entries in seconds (1-3600)

service dns forwarding name-server <ipv4|ipv6>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

DNS servers

Values:
  • ipv4 – DNS address IPv4

  • ipv6 – DNS address IPv6

Instances:

Multiple

service dns forwarding name-server <ipv4|ipv6> local-address <ipv4|ipv6>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Local IP address to use as source for requests to this nameserver

Values:
  • ipv4 – Local IPv4 address for this nameserver

  • ipv6 – Local IPv6 address for this nameserver

Local IP address:

service dns forwarding name-server <ipv4|ipv6> local-interface <ifc>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • ifc – Interface to use as source for requests to this nameserver

service dns forwarding name-server <ipv4|ipv6> local-vrf <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

VRF to use as source for requests to this nameserver

Reference:

system vrf <id>

service dns forwarding name-server <ipv4|ipv6> port <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Port on which the DNS server is listening. Defaults to port 53

Values:
  • u32 – DNS server listening port (1-65535)

service dns forwarding name-server <ipv4|ipv6> priority <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Local DNS servers priority (the lower the value is, the higher the priority gets)

Values:
  • u32 – Level of priorities allowed (0-9)

service dns forwarding ppp
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Enable DNS servers received from PPP

service dns forwarding ppp priority <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

PPP DNS servers priority

Values:
  • u32 – Level of priorities allowed (0-9)

service dns forwarding record
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

DNS static records used when resolving a request

service dns forwarding record cname <fqdn>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • fqdn – CNAME record pointing to an existing host record

Instances:

Multiple

Required:

service dns forwarding record host <fqdn>

service dns forwarding record cname <fqdn> target <fqdn>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Host this record points to

Reference:

service dns forwarding record host <fqdn>

service dns forwarding record cname <fqdn> ttl <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • u32 – TTL for this host entry. By default, uses global configured value

service dns forwarding record host <fqdn>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • fqdn – Host records reference either A, AAAA or PTR records in the DNS

Instances:

Multiple

service dns forwarding record host <fqdn> ipv4-address <ipv4>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • ipv4 – IP address the host record points to

Instances:

Multiple

service dns forwarding record host <fqdn> ipv6-address <ipv6>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • ipv6 – IP address the host record points to

Instances:

Multiple

service dns forwarding record host <fqdn> ttl <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • u32 – TTL for this host entry. By default, uses global configured value

service dns forwarding record mx <fqdn>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • fqdn – MX record for directing mail on a LAN to a server

Instances:

Multiple

service dns forwarding record mx <fqdn> hostname <ipv4|ipv6|fqdn|id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Hostname the MX record is pointing to. Defaults to system’s hostname

Values:
  • ipv4 – IPv4 address the record points to

  • ipv6 – IPv6 address the record points to

  • fqdn – Fully qualified domain name the record points to

  • id – Hostname the record points to

service dns forwarding record mx <fqdn> preference <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • u32 – Preference of the MX record when querying the hostname

service dns forwarding record srv <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

SRV DNS records as specified in RFC 2782

Values:
  • id – Service name for this SRV record

Instances:

Multiple

Required:

service dns forwarding record srv <id> protocol <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • id – Service protocol for this SRV record

Instances:

Multiple

Required:

service dns forwarding record srv <id> protocol <id> domain <fqdn>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • fqdn

    Service domain this SRV record uses

    For example, if the SRV record refers to an IMAP mail server running at the teldat.com domain, then domain will be “teldat.com”. “domain” should not be confused with “target”, which can have the same value but refers to a different thing.

service dns forwarding record srv <id> protocol <id> port <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Service port this SRV points to

Values:
  • u32 – Port on which the service listens for connections (1-65535)

service dns forwarding record srv <id> protocol <id> priority <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Priority of this SRV record

Values:
  • u32 – Priority of this SRV record. The lower the value is, the higher the priority gets

service dns forwarding record srv <id> protocol <id> target <fqdn>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Service domain this SRV points to

The target refers to the destination the SRV record is pointing to. In a mail server example, the target would be the FQDN at which the mail server lives.

Reference:

service dns forwarding record host <fqdn>

service dns forwarding record srv <id> protocol <id> weight <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Weight of this SRV record

Values:
  • u32 – Weight of this SRV record. The lower the value is, the higher the weight gets

service dns proxy
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

DNS proxy service configuration options

Required:

service dns proxy balancing <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Load balancing algorithms for chosen servers

The DNS proxy queries all the servers given by the source lists. Once populated, the servers are sorted from fastest to slowest, and that order is used for load balancing. Each time a query is made to a server, the time it takes is used to adjust how fast the proxy thinks the server is, using an exponentially weighted average. If the newly calculated time is slower than that of a randomly chosen candidate from the list of servers, the two entries are swapped. Applied over time, this compares every server against all the others and keeps the list progressively sorted.

Notice that when source lists are used, the servers are located around the world. If the “ph” strategy is chosen, some queries will very probably end up using slower servers, which is why “p2” is probably the best strategy to use. Have a look at server response times before choosing the strategy.

Values:
  • first – Always pick the fastest server in the list

  • p2 – Randomly choose between the top 2 fastest servers

  • ph – Randomly choose between the top fastest half of all servers

  • random – Just pick any random server from the list
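
The balancing behaviour described above can be simulated as follows. This is an added example, not the device's or vendor's code: the smoothing factor, the rounding used for “ph”, the symmetric form of the swap rule, all function names and the sample servers are assumptions made for illustration.

```python
import random
from dataclasses import dataclass

EWMA_ALPHA = 0.3  # assumed smoothing factor; the page does not state one


@dataclass
class Server:
    name: str
    rtt_ms: float  # the proxy's current estimate of this server's speed


def pool_size(strategy: str, n: int) -> int:
    """How many entries at the head of the sorted list a strategy draws from."""
    if n < 1:
        raise ValueError("no servers available")
    if strategy == "first":
        return 1
    if strategy == "p2":
        return min(2, n)
    if strategy == "ph":
        return max(1, n // 2)  # assumed rounding for "fastest half"
    if strategy == "random":
        return n
    raise ValueError(f"unknown strategy: {strategy}")


class Balancer:
    def __init__(self, servers, strategy, rng):
        # Once populated, the list is sorted from fastest to slowest.
        self.servers = sorted(servers, key=lambda s: s.rtt_ms)
        self.strategy = strategy
        self.rng = rng

    def pick(self) -> int:
        """Index of the server to use for the next query."""
        return self.rng.randrange(pool_size(self.strategy, len(self.servers)))

    def record(self, idx: int, elapsed_ms: float) -> None:
        """Fold a measured response time into the estimate, then re-order."""
        server = self.servers[idx]
        server.rtt_ms += EWMA_ALPHA * (elapsed_ms - server.rtt_ms)
        cand = self.rng.randrange(len(self.servers))
        if cand == idx:
            return
        # Compare with one random candidate and swap if the pair is out of
        # order. Assumption: the comparison is applied symmetrically, so a
        # swap always moves the faster entry towards the head of the list.
        lo, hi = sorted((idx, cand))
        if self.servers[lo].rtt_ms > self.servers[hi].rtt_ms:
            self.servers[lo], self.servers[hi] = self.servers[hi], self.servers[lo]


def simulate(strategy: str, queries: int, seed: int):
    """Constructed scenario: server A was the fastest when the list was
    built (10 ms) but now answers in 200 ms. Returns the final order of
    the list and the mean latency paid per query."""
    true_latency = {"A": 200.0, "B": 20.0, "C": 30.0, "D": 40.0}
    servers = [Server("A", 10.0), Server("B", 20.0),
               Server("C", 30.0), Server("D", 40.0)]
    balancer = Balancer(servers, strategy, random.Random(seed))
    paid = 0.0
    for _ in range(queries):
        idx = balancer.pick()
        elapsed = true_latency[balancer.servers[idx].name]
        paid += elapsed
        balancer.record(idx, elapsed)
    return [s.name for s in balancer.servers], paid / queries


if __name__ == "__main__":
    for strategy in ("first", "p2", "ph", "random"):
        order, mean_ms = simulate(strategy, 2000, seed=1)
        print(f"{strategy:6s} final order={order} mean latency={mean_ms:.1f} ms")
```

Entries outside the pool a strategy draws from are never compared with each other, so with “first” or “p2” only the head of the list is guaranteed to end up sorted.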

service dns proxy blocklist
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Configures sources to block

service dns proxy blocklist ip
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Block IPs. RegEx is also supported

service dns proxy blocklist ip address <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • txt

    Block IPs based on a pattern

    Blocklists are made of patterns. For example, the following pattern is valid: “127.*”

Instances:

Multiple

service dns proxy blocklist ip file <file>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • file – Loads a file containing the IPs to block

Instances:

Multiple

service dns proxy blocklist name
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Block domains by name. RegEx is also supported

service dns proxy blocklist name domain <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • txt

    Block domain based on a pattern

    Blocklists are made of patterns. Thus, the following patterns are valid: “example.com”, “=example.com”, “sex”, “ads.*”, “ads*.example.*”. Usually, these blocklists are handled directly with files. However, it is also possible to specify them manually. More information can be found at:

Instances:

Multiple

service dns proxy blocklist name file <file>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • file – Loads a file containing the domains to block

Instances:

Multiple

service dns proxy cache
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

DNS proxy caching options

service dns proxy cache max-negated-ttl <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • u32 – Maximum time, in seconds, that a not-found entry will be kept in cache

service dns proxy cache max-ttl <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • u32 – Maximum time, in seconds, that an entry will be kept in cache

service dns proxy cache min-negated-ttl <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • u32 – Minimum time, in seconds, that a not-found entry will be kept in cache

service dns proxy cache min-ttl <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • u32 – Minimum time, in seconds, that an entry will be kept in cache

service dns proxy cache size <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • u32 – Maximum number of entries in the cache

service dns proxy cipher <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Cipher algorithms ordered by preference

When this field is not set, the best algorithm will be used based on hardware characteristics that do not compromise the exchanged data. Notice that these algorithms form a “preference” list: if the server and the client agree on one, they will use it. However, if the server accepts none of the algorithms the client asks for, it will just show a warning and choose the proper one. Notice that this feature does nothing when the communication is encrypted using TLS v1.3: the best algorithm is automatically chosen based on hardware characteristics and connection speed.

Values:
  • u32 – Preference of the encryption algorithm (1-18)

Instances:

Multiple

Required:

service dns proxy cipher <u32> algorithm <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • id – Cipher algorithm to communicate with the server

service dns proxy cloaking
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Configures a set of host entries to point to one or multiple addresses

service dns proxy cloaking ignore-hosts
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Do not use system configured host entries

service dns proxy cloaking name <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

FQDN, IP, name or RegEx to match when cloaking

An example is worth a thousand words:

  1. example.com
  2. .example.com
  3. *.example.
  4. example[0-9]*

The examples above will match an FQDN (1), all subdomains of “example.com” (2), all subdomains and all top-level domains (3) and all domains containing either no or “N” numbers at the end, including all top-level domains too (4). Furthermore, as the input value can be anything, IP addresses may be used here too.

Values:
  • name – FQDN, IP, name or regular expression used to match incoming requests

Instances:

Multiple

Required:

service dns proxy cloaking name <txt> destination <fqdn|ipv4|ipv6>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Destination to point incoming requests to

The incoming traffic may be pointed to another domain, IP or IPv6 address. Moreover, that traffic may be load balanced when setting more than one destination address.

Values:
  • fqdn – Domain name to point to

  • ipv4 – Address to point to

  • ipv6 – IPv6 Address to point to

Instances:

Multiple

service dns proxy cloaking ttl <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • u32 – Cloaking TTL used when serving defined entries

service dns proxy disable-protocol
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Choose the protocols that will not be used when securing DNS queries

service dns proxy disable-protocol dnscrypt
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Skip the DNSCrypt protocol if the server implements it

service dns proxy disable-protocol doh
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Skip the DNS-over-HTTPS protocol if the server implements it

service dns proxy fallback <ipv4|ipv6>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Fallback DNS resolvers when no other connection is available

These are normal, non-encrypted DNS resolvers, that will be only used for one-shot queries when retrieving the initial resolvers list and if the system DNS configuration doesn’t work.

Values:
  • ipv4 – IPv4 address on which the resolver is listening

  • ipv6 – IPv6 address on which the resolver is listening

Instances:

Multiple

service dns proxy fallback <ipv4|ipv6> port <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Port on which the resolver is listening

Values:
  • u32 – Port on which the resolver is listening (1-65535)

service dns proxy force-tcp
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Always use TCP to connect to upstream servers

This can be useful if you need to route everything through a proxy (like Tor). Otherwise, enabling this option does not improve security and will only increase the latency.

service dns proxy ipv6
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

IPv6 options for configuring the service

service dns proxy ipv6 block
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Block any IPv6 requests (useful when IPv6 is not available)

service dns proxy ipv6 do-not-query
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Ignore DNS servers that are only accessible through IPv6

service dns proxy keepalive <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Keepalive for HTTP queries, in seconds

Values:
  • u32 – Keepalive in seconds

service dns proxy listen-address <ipv4|ipv6>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Address to listen on for incoming connections

Values:
  • ipv4 – IPv4 address to listen at

  • ipv6 – IPv6 address to listen at

Local IP address:

Instances:

Multiple

service dns proxy listen-address <ipv4|ipv6> port <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Port to listen at

Values:
  • u32 – Port to listen at (1-65535)

service dns proxy log
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Enable logging and configure related options

service dns proxy log level <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Log level to use. Defaults to “2”

Values:
  • u32 – Verbosity level. 0 is very verbose; 6 only contains fatal errors (0-6)

service dns proxy require
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Restrictions and limitations to apply to configured servers

service dns proxy require dnssec
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Servers must support DNS security extensions (DNSSEC)

service dns proxy require no-filter
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Servers must not enforce their own blocklist (for parental control, ad blocking, …)

service dns proxy require no-logs
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Servers must not log user queries (declarative)

service dns proxy server
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Configure the DNS proxy as a DoH server too

Required:

service dns proxy server cert
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Certificate to use for securing communications

Required:

Required:

service dns proxy server cert file <file>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • file

    Certificate file for the local DoH server

    This certificate file can be generated locally or with an external tool such as Let’s Encrypt. With the first approach, the CA certificate has to be trusted by all clients. With the second approach, the CA certificate is usually trusted by all clients.

service dns proxy server cert key <file>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • file – Key for the DoH server certificate

service dns proxy server listen-address <ipv4|ipv6>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Address the local DoH server should listen on

Values:
  • ipv4 – IPv4 address the local DoH server should listen on

  • ipv6 – IPv6 address the local DoH server should listen on

Local IP address:

Instances:

Multiple

service dns proxy server listen-address <ipv4|ipv6> port <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Port to listen at

Values:
  • u32 – Port to listen at (1-65535)

service dns proxy server path <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • id

    Path of the DoH URL

    This is not a file, but the part after the hostname in the URL. By convention, “/dns-query” is frequently chosen. For each listen address, the complete URL will have the form:

service dns proxy server-name <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • id – Server to use when querying DNS records

Instances:

Multiple

service dns proxy source <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Remote lists of available servers

Remote lists are a set of servers that are available for querying DNS records. The lists themselves contain all the required information for a client to connect to a server by simply using a known name. For example, to use Cloudflare as the DNS provider by using a list, it would be as simple as defining “service dns proxy server-name cloudflare”. That setting will automatically populate the DNS list for looking for the “cloudflare” provider data. Some companies publish their own lists with their servers. On the other hand, some projects decide to publish lists with generally available servers. An example is DNSCrypt:

Values:
  • source – Source identifier

Instances:

Multiple

Required:

Required:

service dns proxy source <id> minisign-key <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • id

    Public key used to verify the content is legitimate

    Lists can be served from any location, even from an untrusted ISP. When this occurs, the DNS proxy will immediately detect and reject the source if it has been tampered with.

service dns proxy source <id> prefix <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • id – Prefix for the declared servers, used to avoid collisions with other sources

service dns proxy source <id> refresh-delay <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Refresh delay for the cached source list

Values:
  • u32 – Delay for cached source list in hours (24-720)

service dns proxy source <id> url <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • txt – URL to get the source from

Instances:

Multiple

service dns proxy static <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Static configuration for server definitions

Values:
  • name – Static definition name

Instances:

Unique

service dns proxy static <id> protocol
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Protocol identifier for this node

Instances:

Unique

service dns proxy static <id> protocol dns-crypt
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

The server uses DNSCrypt protocol

Required:

Required:

service dns proxy static <id> protocol dns-crypt dnssec
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

The server supports DNSSEC

service dns proxy static <id> protocol dns-crypt ip <ipv4|ipv6>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • ipv4 – IP address of the server

  • ipv6 – IP address of the server

service dns proxy static <id> protocol dns-crypt no-filter
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

The server does not intentionally block domains

service dns proxy static <id> protocol dns-crypt no-logs
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

The server does not store any logs

service dns proxy static <id> protocol dns-crypt port <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Port on which the server is listening

Values:
  • u32 – Port on which the server is listening (1-65535)

service dns proxy static <id> protocol dns-crypt provider
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

DNS provider related data

Required:

Required:

service dns proxy static <id> protocol dns-crypt provider name <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • id – DNS provider name

service dns proxy static <id> protocol dns-crypt provider public-key <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Provider’s Ed25519 public key, as 32 raw bytes

Values:
  • key – Ed25519 public key

service dns proxy static <id> protocol dns-over-https
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

The server uses DNS over HTTPS (DoH) protocol

Required:

service dns proxy static <id> protocol dns-over-https dnssec
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

The server supports DNSSEC

service dns proxy static <id> protocol dns-over-https hash <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

The SHA256 digest of one of the TBS certificates

The SHA256 digest of one of the TBS certificates found in the validation chain, typically the certificate used to sign the resolver’s certificate. Multiple hashes can be provided for seamless rotations.

Values:
  • sha256 – SHA256 digest of one of the TBS certificates

Instances:

Multiple
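
The pin check described above, sketched as an added example (not the device's or vendor's code). It assumes the digest is taken over the DER-encoded TBSCertificate, tag and length included; the function names are hypothetical, and the sample “certificates” are constructed DER structures, not real X.509 certificates.

```python
import hashlib


def read_tlv(buf: bytes, offset: int):
    """Parse one DER tag-length-value header at offset.

    Returns (tag, value_start, value_end) and raises ValueError on
    truncated input or a length form this sketch does not accept."""
    if offset + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag = buf[offset]
    first = buf[offset + 1]
    pos = offset + 2
    if first < 0x80:                      # short form: length fits in 7 bits
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        if pos + n > len(buf):
            raise ValueError("truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, end


def tbs_sha256(cert_der: bytes) -> str:
    """SHA-256 (hex) of the TBSCertificate, the first element of the outer
    Certificate SEQUENCE. The signature is not part of the hashed bytes."""
    tag, start, end = read_tlv(cert_der, 0)
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("not a single DER SEQUENCE")
    tbs_tag, _, tbs_end = read_tlv(cert_der, start)
    if tbs_tag != 0x30:
        raise ValueError("TBSCertificate is not a SEQUENCE")
    return hashlib.sha256(cert_der[start:tbs_end]).hexdigest()


def chain_matches_pins(chain_der, pins) -> bool:
    """True if any certificate in the validation chain matches any
    configured hash. Several pins may be configured at once, which is
    what allows rotating the issuing certificate without an outage."""
    wanted = {p.strip().lower() for p in pins}
    return any(tbs_sha256(cert) in wanted for cert in chain_der)


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed samples)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + content


def sample_cert(tbs_payload: bytes, signature: bytes) -> bytes:
    """Constructed stand-in with the outer shape of a certificate:
    SEQUENCE { tbs SEQUENCE, algorithm SEQUENCE, signature BIT STRING }."""
    tbs = der(0x30, tbs_payload)
    algorithm = der(0x30, der(0x06, b"\x2a\x03\x04"))   # placeholder OID
    sig = der(0x03, b"\x00" + signature)
    return der(0x30, tbs + algorithm + sig)


if __name__ == "__main__":
    old_ca = sample_cert(b"constructed intermediate CA " * 10, b"sig-1")
    new_ca = sample_cert(b"constructed replacement CA " * 10, b"sig-2")
    leaf = sample_cert(b"constructed resolver leaf", b"sig-3")
    pins = [tbs_sha256(old_ca)]
    print("old chain accepted:", chain_matches_pins([leaf, old_ca], pins))
    print("new chain accepted:", chain_matches_pins([leaf, new_ca], pins))
    pins.append(tbs_sha256(new_ca))       # second pin added ahead of rotation
    print("new chain accepted:", chain_matches_pins([leaf, new_ca], pins))
```

Pinning the issuing certificate rather than the leaf means routine renewal of the resolver's own certificate does not require a configuration change.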

service dns proxy static <id> protocol dns-over-https host
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Server host related information

Required:

service dns proxy static <id> protocol dns-over-https host name <fqdn>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • fqdn – Server hostname that will also be used as the SNI name

service dns proxy static <id> protocol dns-over-https host path <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • txt – Absolute URI path. By default, “/dns-query” is used

service dns proxy static <id> protocol dns-over-https host port <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Server port number. If missing, port 443 is assumed

Values:
  • u32 – Server port number (1-65535)

service dns proxy static <id> protocol dns-over-https ip <ipv4|ipv6>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • ipv4

    IP address of the server

    The address can be left empty (unset). In that case, the host name will be resolved to an IP address using another resolver.

  • ipv6

    IP address of the server

    The address can be left empty (unset). In that case, the host name will be resolved to an IP address using another resolver.

service dns proxy static <id> protocol dns-over-https no-filter
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

The server does not intentionally block domains

service dns proxy static <id> protocol dns-over-https no-logs
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

The server does not store any logs

service dns proxy static <id> stamp <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • id

    String that encodes all the required parameters to connect to a server

    The stamp is a string that looks like:

service dns proxy timeout <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Time to wait for a DNS query response, in milliseconds

If the available network has a lot of latency, it may be worth increasing this value. Startup may be slower if it is changed, so do not increase it too much.

Values:
  • u32 – Timeout in milliseconds

service dns proxy whitelist
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Configures sources to allow

service dns proxy whitelist ip
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Allow IPs. RegEx is also supported

service dns proxy whitelist ip address <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • txt

    Allow IPs based on a pattern

    Whitelists are made of patterns. For example, the following pattern is valid: “127.*”

Instances:

Multiple

service dns proxy whitelist ip file <file>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • file – Loads a file containing the IPs to allow

Instances:

Multiple

service dns proxy whitelist name
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Allow domains by name. RegEx is also supported

service dns proxy whitelist name domain <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • txt

    Allow domain based on a pattern

    Whitelists are made of patterns. Thus, the following patterns are valid: “example.com”, “=example.com”, “sex”, “ads.*”, “ads*.example.*”. Usually, these whitelists are handled directly with files. However, it is also possible to specify them manually. More information can be found at:

Instances:

Multiple

service dns proxy whitelist name file <file>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • file – Loads a file containing the domains to allow

Instances:

Multiple

service dns resolver
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

DNS Resolver

service dns resolver dhcp
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Enable DNS servers received from DHCP

service dns resolver dhcpv6
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Enable DNS servers received from DHCPv6

service dns resolver local
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Resolves DNS queries by using a local service

Enabling this option will forward all DNS queries to a local service, previously configured at “service dns forwarding”

service dns resolver name-server <ipv4|ipv6>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

DNS servers

Values:
  • ipv4 – DNS address IPv4

  • ipv6 – DNS address IPv6

Instances:

Multiple

service dns resolver ppp
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Enable DNS servers received from PPP

service dns static
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Static host entries

service dns static host-name <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • txt – Host name for static address mapping

Instances:

Multiple

Required:

service dns static host-name <txt> alias <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • id – Alias for this address

Instances:

Multiple

service dns static host-name <txt> inet <ipv4|ipv6>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Address

Values:
  • ipv4 – IPv4 address

  • ipv6 – IPv6 address