dns
---

.. osdx:cfgcmd:: service dns

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Domain Name Server (DNS) parameters

.. osdx:cfgcmd:: service dns dynamic

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Dynamic DNS

   :ref Required:

.. osdx:cfgcmd:: service dns dynamic interface

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg ifc: Interface to send DDNS updates for
   :instances: Multiple
   :ref Required:

.. osdx:cfgcmd:: service dns dynamic interface advisor

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Advisor to enable or disable DDNS on the interface

   :ref Reference: system advisor *

.. osdx:cfgcmd:: service dns dynamic interface service

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg id: Service name used for DDNS
   :instances: Multiple
   :ref Required:
   :ref Required:
   :ref Required:
   :ref Required:

.. osdx:cfgcmd:: service dns dynamic interface service domain

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Domain registered with DDNS service

   :arg hostname: Hostname registered with DDNS service
   :arg record: Record to be updated for RFC2136
   :instances: Multiple

.. osdx:cfgcmd:: service dns dynamic interface service encrypted-password

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Encrypted password or shared secret for DDNS service

   :arg secret: Secret for RFC2136

.. osdx:cfgcmd:: service dns dynamic interface service login

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Login for DDNS service

   :arg login: Login for DDNS service
   :arg keyname: Keyname for RFC2136

.. osdx:cfgcmd:: service dns dynamic interface service password

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Password for DDNS service

   :arg password: Password for DDNS service
   :arg secret: Secret for RFC2136

.. osdx:cfgcmd:: service dns dynamic interface service server

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Server to send DDNS update to

   :arg ipv4: IP address of DDNS server
   :arg hostname: Hostname of DDNS server

.. osdx:cfgcmd:: service dns dynamic interface service ttl

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg u32: Time To Live

.. osdx:cfgcmd:: service dns dynamic interface service type

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Protocol used for DDNS service

   :arg id: Custom or predefined protocol

.. osdx:cfgcmd:: service dns dynamic interface service zone

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg id: Zone to be updated

.. osdx:cfgcmd:: service dns dynamic interface update-frecuency

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg u32: Time (in minutes) after which the domain is updated

.. osdx:cfgcmd:: service dns dynamic interface use-web

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Web check used for obtaining the external IP address

.. osdx:cfgcmd:: service dns dynamic interface use-web skip

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg id: Skip everything before this on the given URL

.. osdx:cfgcmd:: service dns dynamic interface use-web url

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg txt: URL to obtain the current external IP address

.. osdx:cfgcmd:: service dns forwarding

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   DNS Forwarding

.. osdx:cfgcmd:: service dns forwarding cache-size

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   DNS forwarding cache size

   :arg u32: DNS forwarding cache size (0-10000)

.. osdx:cfgcmd:: service dns forwarding dhcp

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Enable DNS servers received from DHCP

.. osdx:cfgcmd:: service dns forwarding dhcp interface

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg ifc: Enable DNS servers received from DHCP for specified interface
   :instances: Multiple

.. osdx:cfgcmd:: service dns forwarding dhcp interface priority

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   DHCP DNS servers priority for specified interface

   :arg u32: Level of priorities allowed (0-9)

.. osdx:cfgcmd:: service dns forwarding dhcp priority

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   DHCP DNS servers priority

   :arg u32: Level of priorities allowed (0-9)

.. osdx:cfgcmd:: service dns forwarding dhcpv6

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Enable DNS servers received from DHCPv6

.. osdx:cfgcmd:: service dns forwarding dhcpv6 interface

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg ifc: Enable DNS servers received from DHCPv6 for specified interface
   :instances: Multiple

.. osdx:cfgcmd:: service dns forwarding dhcpv6 interface priority

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   DHCPv6 DNS servers priority

   :arg u32: Level of priorities allowed (0-9)

.. osdx:cfgcmd:: service dns forwarding dhcpv6 priority

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   DHCPv6 DNS servers priority

   :arg u32: Level of priorities allowed (0-9)

.. osdx:cfgcmd:: service dns forwarding disable-local-service

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Disable local-service option to accept DNS queries from any host on any subnet

.. osdx:cfgcmd:: service dns forwarding dnssec

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Enable DNSSEC validation and caching

.. osdx:cfgcmd:: service dns forwarding dnssec check-unsigned

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Check if unsigned replies are legitimate

   This entails possible extra queries even for the majority of DNS zones
   which are not, at the moment, signed. If disabled, then those replies are
   assumed to be valid and passed on (without the "authentic data" bit set).
   With the check disabled there is no protection against an attacker forging
   unsigned replies for signed DNS zones, but resolution is fast.

.. osdx:cfgcmd:: service dns forwarding dnssec proxy

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients

   This is an alternative to having dnsmasq validate DNSSEC, but it depends on
   the security of the network between dnsmasq and the upstream servers, and
   the trustworthiness of the upstream servers. Note that caching the
   Authenticated Data bit correctly in all cases is not technically possible.

.. osdx:cfgcmd:: service dns forwarding domain

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   DNS domain configuration

   :arg id: DNS domain name
   :instances: Multiple

.. osdx:cfgcmd:: service dns forwarding domain dhcp

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Enable DNS servers received from DHCP

.. osdx:cfgcmd:: service dns forwarding domain dhcp interface

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg ifc: Enable DNS servers received from DHCP for specified interface
   :instances: Multiple

.. osdx:cfgcmd:: service dns forwarding domain dhcpv6

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Enable DNS servers received from DHCPv6

.. osdx:cfgcmd:: service dns forwarding domain dhcpv6 interface

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg ifc: Enable DNS servers received from DHCPv6 for specified interface
   :instances: Multiple

.. osdx:cfgcmd:: service dns forwarding domain name-server

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   DNS servers

   :arg ipv4: DNS address IPv4
   :arg ipv6: DNS address IPv6
   :instances: Multiple

.. osdx:cfgcmd:: service dns forwarding domain name-server local-address

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Local IP address to use as source for requests to this nameserver

   :arg ipv4: Local IPv4 address for this nameserver
   :arg ipv6: Local IPv6 address for this nameserver
   :Local IP address:

.. osdx:cfgcmd:: service dns forwarding domain name-server local-interface

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg ifc: Interface to use as source for requests to this nameserver

.. osdx:cfgcmd:: service dns forwarding domain name-server local-vrf

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   VRF to use as source for requests to this nameserver

   :ref Reference: system vrf *

.. osdx:cfgcmd:: service dns forwarding domain name-server port

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Port on which the DNS server is listening. Defaults to port 53

   :arg u32: DNS server listening port (1-65535)

.. osdx:cfgcmd:: service dns forwarding domain ppp

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Enable DNS servers received from PPP

.. osdx:cfgcmd:: service dns forwarding domain ppp interface

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Enable DNS servers received from PPP for specified interface

   :ref Reference: interfaces pppoe *
   :instances: Multiple

.. osdx:cfgcmd:: service dns forwarding listen

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg ifc: Interfaces to listen on for DNS queries
   :instances: Multiple

.. osdx:cfgcmd:: service dns forwarding local-ttl

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg u32: TTL for static entries or DHCP leases

.. osdx:cfgcmd:: service dns forwarding logs

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Enables DNS forwarding logs

   The DNS forwarding logs can later be retrieved by looking at the system
   journal.

.. osdx:cfgcmd:: service dns forwarding max-cache-ttl

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg u32: Maximum TTL for Cache Entries

.. osdx:cfgcmd:: service dns forwarding min-cache-ttl

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Minimum TTL for Cache Entries

   :arg u32: Minimum time for cache entries in seconds (1-3600)

.. osdx:cfgcmd:: service dns forwarding name-server

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   DNS servers

   :arg ipv4: DNS address IPv4
   :arg ipv6: DNS address IPv6
   :instances: Multiple

.. osdx:cfgcmd:: service dns forwarding name-server local-address

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Local IP address to use as source for requests to this nameserver

   :arg ipv4: Local IPv4 address for this nameserver
   :arg ipv6: Local IPv6 address for this nameserver
   :Local IP address:

.. osdx:cfgcmd:: service dns forwarding name-server local-interface

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg ifc: Interface to use as source for requests to this nameserver

.. osdx:cfgcmd:: service dns forwarding name-server local-vrf

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   VRF to use as source for requests to this nameserver

   :ref Reference: system vrf *

.. osdx:cfgcmd:: service dns forwarding name-server port

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Port on which the DNS server is listening. Defaults to port 53

   :arg u32: DNS server listening port (1-65535)

.. osdx:cfgcmd:: service dns forwarding name-server priority

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Local DNS servers priority (the lower the value is, the higher the priority gets)

   :arg u32: Level of priorities allowed (0-9)

.. osdx:cfgcmd:: service dns forwarding ppp

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Enable DNS servers received from PPP

.. osdx:cfgcmd:: service dns forwarding ppp interface

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Enable DNS servers received from PPP for specified interface

   :ref Reference: interfaces pppoe *
   :instances: Multiple

.. osdx:cfgcmd:: service dns forwarding ppp interface priority

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   PPP DNS servers priority

   :arg u32: Level of priorities allowed (0-9)

.. osdx:cfgcmd:: service dns forwarding ppp priority

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   PPP DNS servers priority

   :arg u32: Level of priorities allowed (0-9)

.. osdx:cfgcmd:: service dns forwarding record

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   DNS static records used when resolving a request

.. osdx:cfgcmd:: service dns forwarding record cname

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg fqdn: CNAME record pointing to an existing host record
   :instances: Multiple
   :ref Required: service dns forwarding record host *

.. osdx:cfgcmd:: service dns forwarding record cname target

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Host this record points to

   :ref Reference: service dns forwarding record host *

.. osdx:cfgcmd:: service dns forwarding record cname ttl

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg u32: TTL for this host entry. By default, uses the globally configured value

.. osdx:cfgcmd:: service dns forwarding record host

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg fqdn: Host records reference either A, AAAA or PTR records in the DNS
   :instances: Multiple

.. osdx:cfgcmd:: service dns forwarding record host ipv4-address

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg ipv4: IP address the host record points to
   :instances: Multiple

.. osdx:cfgcmd:: service dns forwarding record host ipv6-address

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg ipv6: IP address the host record points to
   :instances: Multiple

.. osdx:cfgcmd:: service dns forwarding record host ttl

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg u32: TTL for this host entry. By default, uses the globally configured value

.. osdx:cfgcmd:: service dns forwarding record mx

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg fqdn: MX record for directing mail on a LAN to a server
   :instances: Multiple

.. osdx:cfgcmd:: service dns forwarding record mx hostname

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Hostname the MX record is pointing to. Defaults to the system's hostname

   :arg ipv4: IPv4 address the record points to
   :arg ipv6: IPv6 address the record points to
   :arg fqdn: Fully qualified domain name the record points to
   :arg id: Hostname the record points to

.. osdx:cfgcmd:: service dns forwarding record mx preference

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg u32: Preference of the MX record when querying the hostname

.. osdx:cfgcmd:: service dns forwarding record srv

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   SRV DNS records as specified in RFC2782

   :arg id: Service name for this SRV record
   :instances: Multiple
   :ref Required:

.. osdx:cfgcmd:: service dns forwarding record srv protocol

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg id: Service protocol for this SRV record
   :instances: Multiple
   :ref Required:

.. osdx:cfgcmd:: service dns forwarding record srv protocol domain

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg fqdn: Service domain this SRV record uses

   For example, if the SRV record refers to an IMAP mail server running at
   the teldat.com domain, then domain will be "teldat.com". "domain" should
   not be confused with "target": the two can have the same value but refer
   to different things.

.. osdx:cfgcmd:: service dns forwarding record srv protocol port

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Service port this SRV points to

   :arg u32: Port on which the service is listening for connections (1-65535)

.. osdx:cfgcmd:: service dns forwarding record srv protocol priority

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Priority of this SRV record

   :arg u32: Priority of this SRV record. The lower the value is, the higher the priority gets

.. osdx:cfgcmd:: service dns forwarding record srv protocol target

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Service domain this SRV points to

   The target refers to the destination the SRV record is pointing to. In a
   mail server example, the target would be the FQDN in which the mail server
   lives.

   :ref Reference: service dns forwarding record host *

.. osdx:cfgcmd:: service dns forwarding record srv protocol weight

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Weight of this SRV record

   :arg u32: Weight of this SRV record. The lower the value is, the higher the weight gets

.. osdx:cfgcmd:: service dns proxy

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   DNS proxy service configuration options

   :ref Required:

.. osdx:cfgcmd:: service dns proxy balancing

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Load balancing algorithms for chosen servers

   The DNS proxy queries all the servers given by the source lists. Once
   populated, servers are sorted from quickest to slowest, and that order is
   used for performing the load balancing.

   Each time a query is made to a server, the time it takes is used to adjust
   how fast the proxy thinks the server is, using an exponentially weighted
   average. If the newly calculated time happens to be slower than that of a
   randomly chosen candidate from the list of servers, then the entries are
   swapped. When this operation is applied over time, every server gets
   compared to all the others and the list is progressively kept sorted.

   Notice that when source lists are used, the servers are placed around the
   world. If the "ph" strategy is chosen, very probably some queries will end
   up using slower servers, which is why "p2" is probably the best strategy
   to use. Have a look at server response times before choosing the strategy.

   :arg first: Always pick the fastest server in the list
   :arg p2: Randomly choose between the top 2 fastest servers
   :arg ph: Randomly choose between the top fastest half of all servers
   :arg random: Just pick any random server from the list

.. osdx:cfgcmd:: service dns proxy blocklist

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Configures sources to block

.. osdx:cfgcmd:: service dns proxy blocklist ip

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Block IPs. RegEx is also supported

.. osdx:cfgcmd:: service dns proxy blocklist ip address

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg txt: Block IPs based on a pattern

   Blocklists are made of patterns. Thus, the following patterns are valid::

      127.*

   :instances: Multiple

.. osdx:cfgcmd:: service dns proxy blocklist ip file

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg file: Loads a file containing the IPs to block
   :instances: Multiple

.. osdx:cfgcmd:: service dns proxy blocklist name

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Block domains by name. RegEx is also supported

.. osdx:cfgcmd:: service dns proxy blocklist name domain

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg txt: Block domain based on a pattern

   Blocklists are made of patterns. Thus, the following patterns are valid::

      example.com
      =example.com
      *sex*
      ads.*
      ads*.example.*

   Usually, these blocklists are handled directly with files. However, it is
   also possible to specify them manually. More information can be found at:

   :instances: Multiple

.. osdx:cfgcmd:: service dns proxy blocklist name file

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg file: Loads a file containing the domains to block
   :instances: Multiple

.. osdx:cfgcmd:: service dns proxy cache

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   DNS proxy caching options

.. osdx:cfgcmd:: service dns proxy cache max-negated-ttl

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg u32: How long, at most in seconds, a not found entry will be kept in cache

.. osdx:cfgcmd:: service dns proxy cache max-ttl

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg u32: How long, at most in seconds, an entry will be kept in cache

.. osdx:cfgcmd:: service dns proxy cache min-negated-ttl

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg u32: How long, at minimum in seconds, a not found entry will be kept in cache

.. osdx:cfgcmd:: service dns proxy cache min-ttl

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg u32: How long, at minimum in seconds, an entry will be kept in cache

.. osdx:cfgcmd:: service dns proxy cache size

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg u32: Maximum number of entries in the cache

.. osdx:cfgcmd:: service dns proxy cipher

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Cipher algorithms ordered by preference

   When this field is not set, the best algorithm will be used based on
   hardware characteristics that do not compromise the exchanged data.

   Notice that these algorithms form a "preference": if the server and the
   client agree on one, they will use it. However, if the server has no
   acceptable algorithm among the ones the client asks for, it will just show
   a warning and choose the proper one.

   Notice that this feature will do nothing when the communication is
   encrypted using TLS v1.3: the best algorithm is automatically chosen based
   on hardware characteristics and connection speed.

   :arg u32: Preference of the encryption algorithm (1-18)
   :instances: Multiple
   :ref Required:

.. osdx:cfgcmd:: service dns proxy cipher algorithm

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg id: Cipher algorithm to communicate with the server

.. osdx:cfgcmd:: service dns proxy cloaking

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Configures a set of host entries to point to one or multiple addresses

.. osdx:cfgcmd:: service dns proxy cloaking ignore-hosts

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Do not use system configured host entries

.. osdx:cfgcmd:: service dns proxy cloaking name

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   FQDN, IP, name or RegEx to match when cloaking

   An example is worth a thousand words::

      1. example.com
      2. *.example.com
      3. *.example.*
      4. example[0-9]*

   The examples above will match a FQDN (1), all subdomains of "example.com"
   (2), all subdomains and all top-level domains (3) and all domains
   containing either no or "N" numbers at the end, including all top-level
   domains too (4). Furthermore, as the input value can be anything, IP
   addresses may fit here too.

   :arg name: FQDN, IP, name or regular expression used to match incoming requests
   :instances: Multiple
   :ref Required:

.. osdx:cfgcmd:: service dns proxy cloaking name destination

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Destination to point incoming requests to

   The incoming traffic may be pointed to another domain, IP or IPv6 address.
   Moreover, that traffic may be load balanced when setting more than one
   destination address.

   :arg fqdn: Domain name to point to
   :arg ipv4: Address to point to
   :arg ipv6: IPv6 Address to point to
   :instances: Multiple

.. osdx:cfgcmd:: service dns proxy cloaking ttl

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg u32: Cloaking TTL used when serving defined entries

.. osdx:cfgcmd:: service dns proxy disable-protocol

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Choose the protocols that will not be used when securing DNS queries

.. osdx:cfgcmd:: service dns proxy disable-protocol dnscrypt

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Skip the DNSCrypt protocol if the server implements it

.. osdx:cfgcmd:: service dns proxy disable-protocol doh

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Skip the DNS-over-HTTPS protocol if the server implements it

.. osdx:cfgcmd:: service dns proxy fallback

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Fallback DNS resolvers when no other connection is available

   These are normal, non-encrypted DNS resolvers that will only be used for
   one-shot queries when retrieving the initial resolvers list and if the
   system DNS configuration doesn't work.

   :arg ipv4: IPv4 address where the resolver is listening
   :arg ipv6: IPv6 address where the resolver is listening
   :instances: Multiple

.. osdx:cfgcmd:: service dns proxy fallback port

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Port on which the resolver is listening

   :arg u32: Port where the resolver is listening (1-65535)

.. osdx:cfgcmd:: service dns proxy force-tcp

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Always use TCP to connect to upstream servers

   This can be useful if you need to route everything through a proxy (like
   Tor). Otherwise, enabling this option does not improve security and will
   only increase the latency.

.. osdx:cfgcmd:: service dns proxy ipv6

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   IPv6 options for configuring the service

.. osdx:cfgcmd:: service dns proxy ipv6 block

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Block any IPv6 requests (useful when IPv6 is not available)

.. osdx:cfgcmd:: service dns proxy ipv6 do-not-query

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Ignore DNS servers that are only accessible through IPv6

.. osdx:cfgcmd:: service dns proxy keepalive

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Keepalive for HTTP queries, in seconds

   :arg u32: Keepalive in seconds

.. osdx:cfgcmd:: service dns proxy listen-address

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Address to listen on for incoming connections

   :arg ipv4: IPv4 address to listen at
   :arg ipv6: IPv6 address to listen at
   :Local IP address:
   :instances: Multiple

.. osdx:cfgcmd:: service dns proxy listen-address port

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Port to listen at

   :arg u32: Port to listen at (1-65535)

.. osdx:cfgcmd:: service dns proxy log

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Enable logging and configure related options

.. osdx:cfgcmd:: service dns proxy log level

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Log level to use. Defaults to "2"

   :arg u32: Verbosity level. 0 is very verbose; 6 only contains fatal errors (0-6)

.. osdx:cfgcmd:: service dns proxy require

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Restrictions and limitations to apply to configured servers

.. osdx:cfgcmd:: service dns proxy require dnssec

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Servers must support DNS security extensions (DNSSEC)

.. osdx:cfgcmd:: service dns proxy require no-filter

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Servers must not enforce their own blocklist (for parental control, ad blocking, ...)

.. osdx:cfgcmd:: service dns proxy require no-logs

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Servers must not log user queries (declarative)

.. osdx:cfgcmd:: service dns proxy server

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Configure the DNS proxy as a DoH server too

   :ref Required:

.. osdx:cfgcmd:: service dns proxy server cert

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Certificate to use for securing communications

   :ref Required:
   :ref Required:

.. osdx:cfgcmd:: service dns proxy server cert file

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg file: Certificate file for the local DoH server

   This certificate file can be generated locally or with an external tool
   such as Let's Encrypt. With the first approach, the CA certificate has to
   be trusted by all clients. With the second approach, the CA certificate is
   usually trusted by all clients.

.. osdx:cfgcmd:: service dns proxy server cert key

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg file: Key for the DoH server certificate

.. osdx:cfgcmd:: service dns proxy server listen-address

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Address the local DoH server should listen on

   :arg ipv4: IPv4 address the local DoH server should listen on
   :arg ipv6: IPv6 address the local DoH server should listen on
   :Local IP address:
   :instances: Multiple

.. osdx:cfgcmd:: service dns proxy server listen-address port

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Port to listen at

   :arg u32: Port to listen at (1-65535)

.. osdx:cfgcmd:: service dns proxy server path

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg id: Path of the DoH URL

   This is not a file, but the part after the hostname in the URL. By
   convention, "/dns-query" is frequently chosen. For each listen address,
   the complete URL will have the form:

.. osdx:cfgcmd:: service dns proxy server-name

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg id: Server to use when querying DNS records
   :instances: Multiple

.. osdx:cfgcmd:: service dns proxy source

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Remote lists of available servers

   Remote lists are a set of servers that are available for querying DNS
   records. The lists themselves contain all the required information for a
   client to connect to a server by simply using a known name.

   For example, to use Cloudflare as the DNS provider by using a list, it
   would be as simple as defining "service dns proxy server-name cloudflare".
   That setting will automatically populate the DNS list by looking for the
   "cloudflare" provider data.

   Some companies publish their own lists with their servers. On the other
   hand, some projects decide to publish lists with generally available
   servers. An example is DNSCrypt:

   :arg source: Source identifier
   :instances: Multiple
   :ref Required:
   :ref Required:

.. osdx:cfgcmd:: service dns proxy source minisign-key

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg id: Public key used to verify the content is legitimate

   Lists can be served from any location, even from an untrusted ISP. When
   this occurs, the DNS proxy will immediately detect and reject the source
   if it has been tampered with.

.. osdx:cfgcmd:: service dns proxy source prefix

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg id: To avoid collisions with other sources, prefix for the declared servers

.. osdx:cfgcmd:: service dns proxy source refresh-delay

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Refresh delay for the cached source list

   :arg u32: Delay for cached source list in hours (24-720)

.. osdx:cfgcmd:: service dns proxy source url

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg txt: URL to get the source from
   :instances: Multiple

.. osdx:cfgcmd:: service dns proxy ssl-allow-insecure

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Disable validation of CA certificate

.. osdx:cfgcmd:: service dns proxy static

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Static configuration for server definitions

   :arg name: Static definition name
   :instances: Unique

.. osdx:cfgcmd:: service dns proxy static protocol

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Protocol identifier for this node

   :instances: Unique

.. osdx:cfgcmd:: service dns proxy static protocol dns-crypt

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   The server uses DNSCrypt protocol

   :ref Required:
   :ref Required:

.. osdx:cfgcmd:: service dns proxy static protocol dns-crypt dnssec

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   The server supports DNSSEC

.. osdx:cfgcmd:: service dns proxy static protocol dns-crypt ip

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg ipv4: IP address of the server
   :arg ipv6: IP address of the server

.. osdx:cfgcmd:: service dns proxy static protocol dns-crypt no-filter

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   The server does not intentionally block domains

.. osdx:cfgcmd:: service dns proxy static protocol dns-crypt no-logs

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   The server does not store any logs

.. osdx:cfgcmd:: service dns proxy static protocol dns-crypt port

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Port where the server is listening

   :arg u32: Port where the server is listening (1-65535)

.. osdx:cfgcmd:: service dns proxy static protocol dns-crypt provider

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   DNS provider related data

   :ref Required:
   :ref Required:

.. osdx:cfgcmd:: service dns proxy static protocol dns-crypt provider name

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   :arg id: DNS provider name

.. osdx:cfgcmd:: service dns proxy static protocol dns-crypt provider public-key

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Provider's Ed25519 public key, as 32 raw bytes

   :arg key: Ed25519 public key

.. osdx:cfgcmd:: service dns proxy static protocol dns-over-https

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   The server uses DNS over HTTPS (DoH) protocol

   :ref Required:

.. osdx:cfgcmd:: service dns proxy static protocol dns-over-https dnssec

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   The server supports DNSSEC

.. osdx:cfgcmd:: service dns proxy static protocol dns-over-https hash

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   The SHA256 digest of one of the TBS certificates

   The SHA256 digest of one of the TBS certificates found in the validation
   chain, typically the certificate used to sign the resolver's certificate.
   Multiple hashes can be provided for seamless rotations.

   :arg sha256: SHA256 digest of one of the TBS certificates
   :instances: Multiple

.. osdx:cfgcmd:: service dns proxy static protocol dns-over-https host

   .. raw:: html

      AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

   Server host related information

   :ref Required:

..
osdx:cfgcmd:: service dns proxy static protocol dns-over-https host name .. raw:: html AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k :arg fqdn: Server hostname that will be used also as SNI name .. osdx:cfgcmd:: service dns proxy static protocol dns-over-https host path .. raw:: html AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k :arg txt: Absolute URI path. By default, "/dns-query" is used .. osdx:cfgcmd:: service dns proxy static protocol dns-over-https host port .. raw:: html AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k Server port number. If missing, port 443 is assumed :arg u32: Server port number (1-65535) .. osdx:cfgcmd:: service dns proxy static protocol dns-over-https ip .. raw:: html AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k :arg ipv4: IP address of the server The address can be left empty (unset). In that case, the host name will be resolved to an IP address using another resolver. :arg ipv6: IP address of the server The address can be left empty (unset). In that case, the host name will be resolved to an IP address using another resolver. .. osdx:cfgcmd:: service dns proxy static protocol dns-over-https no-filter .. raw:: html AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k The server does not intentionally block domains .. osdx:cfgcmd:: service dns proxy static protocol dns-over-https no-logs .. raw:: html AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k The server does not store any logs .. osdx:cfgcmd:: service dns proxy static stamp .. raw:: html AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k :arg id: String that encodes all the required parameters to connect to a server The stamp is a string that looks like: .. osdx:cfgcmd:: service dns proxy timeout .. 
raw:: html AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k Time to wait for a DNS query response, in milliseconds If the available network has a lot of latency, it could be interesting to increase this value. The startup may be slower if changed so do not increase it too much. :arg u32: Timeout in milliseconds .. osdx:cfgcmd:: service dns proxy whitelist .. raw:: html AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k Configures sources to allow .. osdx:cfgcmd:: service dns proxy whitelist ip .. raw:: html AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k Allow IPs. RegEx is also supported .. osdx:cfgcmd:: service dns proxy whitelist ip address .. raw:: html AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k :arg txt: Allow IPs based on a pattern Whitelist are made of patterns. Thus, the following patterns are valid: 127.* :instances: Multiple .. osdx:cfgcmd:: service dns proxy whitelist ip file .. raw:: html AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k :arg file: Loads a file containing the IPs to allow :instances: Multiple .. osdx:cfgcmd:: service dns proxy whitelist name .. raw:: html AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k Allow domains by name. RegEx is also supported .. osdx:cfgcmd:: service dns proxy whitelist name domain .. raw:: html AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k :arg txt: Allow domain based on a pattern Whitelist are made of patterns. Thus, the following patterns are valid: example.com =example.com *sex* ads.* ads*.example.* Usually, these whitelist are handled directly with files. However, it is also possible to specify them manually. More information can be found at: :instances: Multiple .. osdx:cfgcmd:: service dns proxy whitelist name file .. 
raw:: html AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k :arg file: Loads a file containing the domains to allow :instances: Multiple .. osdx:cfgcmd:: service dns resolver .. raw:: html AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k DNS Resolver .. osdx:cfgcmd:: service dns resolver dhcp .. raw:: html AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k Enable DNS servers received from DHCP .. osdx:cfgcmd:: service dns resolver dhcpv6 .. raw:: html AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k Enable DNS servers received from DHCPv6 .. osdx:cfgcmd:: service dns resolver local .. raw:: html AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k Resolves DNS queries by using a local service Enabling this option will forward all DNS queries to a local service, previously configured at "service dns forwarding" .. osdx:cfgcmd:: service dns resolver name-server .. raw:: html AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k DNS servers :arg ipv4: DNS address IPv4 :arg ipv6: DNS address IPv6 :instances: Multiple .. osdx:cfgcmd:: service dns resolver ppp .. raw:: html AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k Enable DNS servers received from PPP .. osdx:cfgcmd:: service dns static .. raw:: html AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k Static host entries .. osdx:cfgcmd:: service dns static host-name .. raw:: html AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k :arg txt: Host name for static address mapping :instances: Multiple :ref Required: .. osdx:cfgcmd:: service dns static host-name alias .. raw:: html AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k :arg id: Alias for this address :instances: Multiple .. osdx:cfgcmd:: service dns static host-name inet .. 
raw:: html AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k Address :arg ipv4: IPv4 address :arg ipv6: IPv6 address
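One way to compute the value expected by ``service dns proxy static protocol dns-over-https hash``, as an added example that is not vendor code. It assumes the digest is taken over the full DER encoding of ``tbsCertificate`` (tag and length included); ``der`` and ``sample_cert`` are hypothetical helpers that build a constructed, certificate-shaped sample rather than a real certificate.

```python
import base64
import hashlib

def read_tlv(der, pos):
    """Return (tag, content_start, end) of the DER element starting at pos."""
    if pos + 2 > len(der):
        raise ValueError("truncated DER")
    tag, first, start = der[pos], der[pos + 1], pos + 2
    length = first
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        if not 1 <= n <= 4 or start + n > len(der):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(der[start:start + n], "big")
        start += n
    if start + length > len(der):
        raise ValueError("truncated DER")
    return tag, start, start + length

def tbs_sha256(cert):
    """Hex SHA256 of the whole tbsCertificate element, header included."""
    if cert.lstrip().startswith(b"-----BEGIN"):  # PEM: keep the base64 body
        body = [l for l in cert.splitlines() if l and not l.startswith(b"-----")]
        cert = base64.b64decode(b"".join(body))
    tag, start, _ = read_tlv(cert, 0)            # outer Certificate SEQUENCE
    tbs_tag, _, tbs_end = read_tlv(cert, start)  # first member: tbsCertificate
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not an X.509 certificate")
    return hashlib.sha256(cert[start:tbs_end]).hexdigest()

def der(tag, content):
    """Encode one DER element; used only to build the constructed sample."""
    n = len(content)
    width = 0 if n < 0x80 else (1 if n < 0x100 else 2)
    size = bytes([n]) if not width else bytes([0x80 | width]) + n.to_bytes(width, "big")
    return bytes([tag]) + size + content

def sample_cert(subject, signature):
    """Constructed certificate-shaped skeleton, not a real certificate."""
    tbs = der(0x30, der(0x02, b"\x01") + der(0x0C, subject) + der(0x04, bytes(200)))
    return der(0x30, tbs + der(0x30, b"\x05\x00") + der(0x03, b"\x00" + signature))
```

Because the signature is outside the hashed bytes, two samples that differ only in their signature give the same digest, while any change inside ``tbsCertificate`` gives a different one.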
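``service dns proxy static stamp`` above describes a string that encodes every parameter needed to reach a server. As an added illustration (not vendor code), this decoder assumes the public DNS Stamps layout (``sdns://`` followed by unpadded base64url) and maps a DNSCrypt or DoH stamp onto the ``static protocol`` settings documented above; the sample stamp, its address and its host name are constructed.

```python
import base64
import struct

PROTOCOLS = {0x01: "dns-crypt", 0x02: "dns-over-https"}
FLAGS = {1: "dnssec", 2: "no-logs", 4: "no-filter"}  # bits of the props field

def read_field(buf, pos, vlen=False):  # vlen: bit 0x80 means "more follow"
    if pos >= len(buf):
        raise ValueError("truncated stamp")
    more = vlen and bool(buf[pos] & 0x80)
    end = pos + 1 + (buf[pos] & 0x7F if vlen else buf[pos])
    if end > len(buf):
        raise ValueError("truncated stamp")
    return buf[pos + 1:end], more, end

def decode_stamp(stamp):
    """Map a stamp onto the 'static protocol' settings (assumed sdns:// layout)."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    body = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    if len(raw) < 9 or raw[0] not in PROTOCOLS:
        raise ValueError("unsupported or truncated stamp")
    props = struct.unpack_from("<Q", raw, 1)[0]  # 64-bit little-endian flags
    addr, _, pos = read_field(raw, 9)  # may be empty: the host name is resolved
    out = {"protocol": PROTOCOLS[raw[0]], "ip": addr.decode(),
           "flags": [name for bit, name in FLAGS.items() if props & bit]}
    if raw[0] == 0x01:
        key, _, pos = read_field(raw, pos)
        name, _, pos = read_field(raw, pos)
        if len(key) != 32:
            raise ValueError("provider public key must be 32 raw bytes")
        out.update(public_key=key.hex(), provider_name=name.decode())
    else:
        pins, more = [], True
        while more:  # one or more pinned TBS-certificate digests
            digest, more, pos = read_field(raw, pos, vlen=True)
            pins.append(digest.hex())
        host, _, pos = read_field(raw, pos)
        path, _, pos = read_field(raw, pos)
        out.update(hash=[p for p in pins if p], host=host.decode(), path=path.decode())
    return out

def sample_doh_stamp():
    """Constructed sample, not a real resolver: two pins, dnssec + no-logs."""
    lp = lambda b: bytes([len(b)]) + b
    raw = (b"\x02" + struct.pack("<Q", 1 | 2) + lp(b"192.0.2.53")
           + bytes([0x80 | 32]) + b"\x11" * 32 + lp(b"\x22" * 32)
           + lp(b"doh.example.net") + lp(b"/dns-query"))
    return "sdns://" + base64.urlsafe_b64encode(raw).decode().rstrip("=")
```

In this layout a non-default DoH port travels inside the host field as ``host:port``, so it would need to be split before being compared with the separate ``host port`` setting.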