dnsdist – Web Server/API TLS

The dnsdist web server and API, at the time of writing, cannot use TLS to secure their traffic. This was recently brought up on the dnsdist mailing list in the thread here.

The solution mentioned on the mailing list by Stephane Bortzmeyer was to use stunnel; personally I like this option because it needs only a very minimal amount of configuration rather than a full-on reverse proxy like nginx or Apache.

dnsdist Configuration

The dnsdist configuration doesn't require any specific changes, although you may want to change the listen port if you want stunnel to listen on the port dnsdist originally used.

The configuration is as usual:

-- Bind webserver to port 8080
-- stunnel will connect to this
webserver("[::]:8080")

-- Configuration for the web server
setWebserverConfig({
  password="my-super-long-password",
  apiKey="my-super-long-api-key",
  acl="0.0.0.0/0,::0/0",
})

stunnel Configuration

First stunnel will need to be installed. In my case this is a Debian based distribution:

apt -y install stunnel4

A drop-in configuration file can then be created in /etc/stunnel (I used /etc/stunnel/dnsdist.conf). The configuration file name must end in ".conf".

[dnsdist]

; Accept connections on both IPv4 and IPv6 via port 8081
accept  = :::8081

; Connect to dnsdist web server listening on port 8080
connect = localhost-ipv6:8080

; Use this certificate and key file
cert = /etc/letsencrypt/live/my-dns.example.com/fullchain.pem
key = /etc/letsencrypt/live/my-dns.example.com/privkey.pem

The stunnel service can then be restarted, and you should then be able to access your dnsdist web interface/API over TLS:

systemctl restart stunnel4
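As an added example, not from the original post or the dnsdist project: a small Python check that parses the two fragments above the way stunnel and dnsdist read them and flags the caveat a reviewer would raise with this setup, namely that webserver("[::]:8080") binds every interface, so the unencrypted API stays reachable beside the TLS port unless it is moved to loopback (for example "[::1]:8080"). The sample configs are constructed copies of the ones above, and the loopback alias list is an assumption about what /etc/hosts resolves.

```python
import configparser
import re
from ipaddress import ip_address

# Constructed copies of the two config fragments above (hypothetical values).
DNSDIST_CONF = '''webserver("[::]:8080")
setWebserverConfig({ password="my-super-long-password", apiKey="my-super-long-api-key", acl="0.0.0.0/0,::0/0" })
'''
STUNNEL_CONF = '''[dnsdist]
; Accept connections on both IPv4 and IPv6 via port 8081
accept  = :::8081
connect = localhost-ipv6:8080
'''
LOOPBACK_NAMES = {"localhost", "localhost-ipv6", "ip6-localhost", "ip6-loopback"}  # assumed /etc/hosts aliases for loopback

def split_hostport(addr):
    """'host:port', '[v6]:port' or ':::port' (stunnel's IPv6 any-address form) -> (host, port)."""
    host, _, port = addr.strip().rpartition(":")
    return host.strip("[]"), int(port)

def is_loopback(host):
    """True for loopback names/addresses; '::', '0.0.0.0' and routable addresses are not."""
    try:
        return host in LOOPBACK_NAMES or ip_address(host).is_loopback
    except ValueError:  # a hostname that is not a known loopback alias
        return False

def dnsdist_listener(lua):
    """Listen address from the webserver("...") call in a dnsdist Lua config."""
    m = re.search(r'webserver\(\s*"([^"]+)"', lua)
    return split_hostport(m.group(1)) if m else None

def stunnel_service(ini, name="dnsdist"):
    """((accept_host, accept_port), (connect_host, connect_port)) for one stunnel service section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))  # INI sections, ';' comments
    cp.read_string(ini)
    return split_hostport(cp[name]["accept"]), split_hostport(cp[name]["connect"])

def audit(lua, ini):
    """Findings as strings; an empty list means stunnel is the only path to the dnsdist API."""
    findings = []
    host, port = dnsdist_listener(lua)
    if not is_loopback(host):
        findings.append(f"dnsdist webserver binds {host}:{port}: plaintext API reachable without stunnel")
    _, (c_host, c_port) = stunnel_service(ini)
    if not is_loopback(c_host):
        findings.append(f"stunnel connects to {c_host}: the backend hop leaves the host unencrypted")
    if c_port != port:
        findings.append(f"stunnel connect port {c_port} does not match the dnsdist webserver port {port}")
    return findings
```

Run against the configs as posted, audit() returns one finding for the [::] bind; changing the dnsdist line to webserver("[::1]:8080") clears it, after which the acl can also be narrowed to the loopback addresses stunnel connects from.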
