a simple DoH/DoT using only dnsdist

In this blog post I will describe the easiest installation of a DoH/DoT VM for personal use, using dnsdist.

Next I will present a full installation example (from start) with dnsdist and PowerDNS.

Server Notes: Ubuntu 18.04
Client Notes: Archlinux

Every {{ }} is a variable you need to change.
Do NOT copy/paste without making the changes.


Login to VM

and became root

$ ssh {{ VM }}
$ sudo -i

from now on, we are running commands as root.


dnsdist DoH/DoT

If you just need your own DoH and DoT instance, then dnsdist will forward your cleartext queries to another public DNS server with the below configuration.

cat > /etc/dnsdist/dnsdist.conf <<EOF

-- resets the list to this array

addDOHLocal('', '/etc/dnsdist/fullchain.pem', '/etc/dnsdist/privkey.pem')
addTLSLocal('', '/etc/dnsdist/fullchain.pem', '/etc/dnsdist/privkey.pem')


You will need -of course- to have your certificates before hand.
That’s It !

a DoH/DoT using dnsdist and powerdns

For people that need a more in-depth article, here are my notes on how to setup from scratch an entire VM with powerdns recursor and dnsdist.

Let’s Begin:

Enable PowerDNS Repos

Add key

curl -sL | apt-key add -

Create PowerDNS source list

cat > /etc/apt/sources.list.d/powerdns.list <<EOF
deb [arch=amd64] bionic-dnsdist-14 main
deb [arch=amd64] bionic-rec-42 main

cat > /etc/apt/preferences.d/pdns <<EOF
Package: pdns-* dnsdist*
Pin: origin
Pin-Priority: 600

Update System and Install packages

apt-get update
apt-get -qy install dnsdist pdns-recursor certbot

You may see errors from powerdns, like

  failed: E: Sub-process /usr/bin/dpkg returned an error code (1)

ignore them for the time being.

PowerDNS Recursor

We are going to setup our recursor first and let’s make it a little interesting.

PowerDNS Configuration

cat > /etc/powerdns/recursor.conf <<EOF

chmod 0644 /etc/powerdns/recursor.conf
chown pdns:pdns /etc/powerdns/recursor.conf

Create a custom response

This will be handy for testing our dns from cli.

cat > /etc/powerdns/pdns.lua <<EOF
domainame = "test.{{ DOMAIN }}"
response  = "{{ VM_ipv4.address }}"

function nxdomain(dq)
    if dq.qname:equal(domainame) then
        dq.rcode=0 -- make it a normal answer
        dq:addAnswer(pdns.A, response)
        dq.variable = true -- disable packet cache
        return true
    return false

chmod 0644 /etc/powerdns/pdns.lua
chown pdns:pdns /etc/powerdns/pdns.lua


Let’s make it more interesting, block trackers and ads.

cat > /usr/local/bin/ <<EOF

# Get StevenBlack hosts
curl -sLo /tmp/hosts.txt

touch /etc/powerdns/hosts.txt

# Get diff
diff -q <(sort -V /etc/powerdns/hosts.txt | column -t) <(sort -V /tmp/hosts.txt | column -t)

# Get Lines
LINES=`grep -c ^ /tmp/hosts.txt`

# Check & restart if needed
if [ "${LINES}" -gt "200" -a "${DIFF_STATUS}" != "0" ]; then
    mv -f /tmp/hosts.txt /etc/powerdns/hosts.txt
    chmod 0644 /etc/powerdns/hosts.txt
    chown pdns:pdns /etc/powerdns/hosts.txt
    systemctl restart pdns-recursor

# vim: sts=2 sw=2 ts=2 et

chmod +x /usr/local/bin/

Be Careful with Copy/Paste. Check the $ dollar sign.

OpenNic Project

Is it possible to make it more interesting ?
Yes! by using OpenNIC Project, instead of the default root NS

cat > /usr/local/bin/ <<EOF

# Get root hints
dig . NS @ | egrep -v '^;|^$' > /tmp/root.hints

touch /etc/powerdns/root.hints

# Get diff
diff -q <(sort -V /etc/powerdns/root.hints | column -t) <(sort -V /tmp/root.hints | column -t)

# Get Lines
LINES=`grep -c ^ /tmp/root.hints`

# Check & restart if needed
if [ "${LINES}" -gt "20" -a "${DIFF_STATUS}" != "0" ]; then
    mv -f /tmp/root.hints /etc/powerdns/root.hints
    chmod 0644 /etc/powerdns/root.hints
    chown pdns:pdns /etc/powerdns/root.hints
    systemctl restart pdns-recursor

# vim: sts=2 sw=2 ts=2 et

chmod +x /usr/local/bin/


dnsdist is a DNS load balancer with enhanced features.

dnsdist configuration

cat > /etc/dnsdist/dnsdist.conf <<EOF
-- resets the list to this array

addDOHLocal('', '/etc/dnsdist/fullchain.pem', '/etc/dnsdist/privkey.pem')
addTLSLocal('', '/etc/dnsdist/fullchain.pem', '/etc/dnsdist/privkey.pem')



Now it is time to get a new certificate with the help of letsencrypt.

Replace {{ DOMAIN }} with your domain

We need to create the post hook first and this is why we need to copy the certificates under dnsdist folder.

cat > /usr/local/bin/ <<EOF

cp -f /etc/letsencrypt/live/{{ DOMAIN }}/*pem /etc/dnsdist/
systemctl restart dnsdist.service

# vim: sts=2 sw=2 ts=2 et

chmod +x /usr/local/bin/

and of course create a certbot script.

Caveat: I have the dry-run option in the below script. When you are ready, remove it.

cat > /usr/local/bin/ <<EOF

certbot --dry-run --agree-tos --standalone certonly --register-unsafely-without-email
    --pre-hook 'systemctl stop dnsdist'
    --post-hook /usr/local/bin/
    -d {{ DOMAIN }} -d doh.{{ DOMAIN }} -d dot.{{ DOMAIN }}

# vim: sts=2 sw=2 ts=2 et

chmod +x /usr/local/bin/


Now open your firewall to the below TCP Ports:

ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 853/tcp
  • TCP 80 for certbot
  • TCP 443 for dnsdist (DoT) and certbot !
  • TCP 853 for dnsdist (DoH)

Let’s Encrypt

When you are ready, run the script


That’s it !


For this blog post, my test settings are:


DoT - Client

From systemd 243+ there is an option to validate certificates on DoT but

systemd-resolved only validates the DNS server certificate if it is issued for the server’s IP address (a rare occurrence).

so it is best to use: opportunistic


systemctl restart systemd-resolved


resolvectl query                    -- link: eth0

-- Information acquired via protocol DNS in 1.9ms.
-- Data is authenticated: no

DoH - Client

Firefox Settings


Firefox TRR



Click on DNS leak test site to verify


Tag(s): DoH, DoT, PowerDNS, dnsdist
DNS RPZ with PowerDNS

Domain Name Service Response Policy Zones

from PowerDNS Recursor documentation :

Response Policy Zone is an open standard developed by Paul Vixie (ISC and Farsight) and Vernon Schryver (Rhyolite), to modify DNS responses based on a policy loaded via a zonefile.

Sometimes it is called: DNS Firewall

Reading Material

aka useful links:


An example scheme to get a a better understanding on the concept behind RPZ.



The main purposes of implentanting DNS RPZ in your DNS Infrastructure are to dynamicaly DNS sinkhole:

  • Malicious domains,
  • Implement goverment regulations,
  • Prevent users to visit domains that are blocked via legal reasons.

by maintaining a single RPZ zone (or many) or even getting a subscription from another cloud provider.

Althouth for SOHO enviroments I suggest reading this blog post: Removing Ads with your PowerDNS Resolver and customize it to your needs.

RPZ Policies

These are the RPZ Policies we can use with PowerDNS.

  • Policy.Custom (default policy)
  • Policy.Drop
  • Policy.NXDOMAIN
  • Policy.NODATA
  • Policy.Truncate
  • Policy.NoAction


Will return a NoError, CNAME answer with the value specified with
defcontent, when looking up the result of this CNAME, RPZ is not taken into account

Use Case

Modify the DNS responces with a list of domains to a specific sinkhole dns record.

eg. --->
* --->                --->
*                --->                --->
*                --->

DNS sinkhole record

Create an explicit record outside of the DNS RPZ scheme.

A type A Resource Record to a domain zone that points to is okay, or use an explicit host file that the resolver can read. In the PowerDNS Recursor the configuration for this, are these two lines:



$ echo "" >> /etc/pdns-recursor/hosts.blocked

and reload the service.

RPZ functionality is set by reading a bind dns zone file, so create a simple file:


; Time To Live
$TTL 86400

; Start Of Authorite
@       IN  SOA authns.localhost. hostmaster. 2018042901 14400 7200 1209600 86400

; Declare Name Server
@                    IN  NS      authns.localhost.


RPZ support configuration is done via our Lua configuration mechanism

In the pdns-recursor configuration file: /etc/pdns-recursor/recursor.conf we need to declare a lua configuration file:


Lua-RPZ Configuration file

that points to the file. In this example, we will use Policy.Custom to send every DNS query to our default content:


rpzFile("/etc/pdns-recursor/", {defpol=Policy.Custom, defcontent=""})

Restart PowerDNS Recursor

At this moment, restart the powerdns recusor

# systemctl restart pdns-recursor


# service pdns-recursor restart

and watch for any error log.

Domains to sinkhole

Append to the all the domains you need to sinkhole. The defcontent="" will ignore the content of the zone, but records must be valid, or else pdns-recursor will not read the rpz bind zone file.

; Time To Live
$TTL 86400

; Start Of Authorite
@   IN  SOA authns.localhost. hostmaster. 2018042901 14400 7200 1209600 86400

; Declare Name Server
@                    IN  NS      authns.localhost.

; Domains to sinkhole  IN  CNAME  IN  CNAME            IN  CNAME
*          IN  CNAME            IN  CNAME
*          IN  CNAME

When finished, you can reload the lua configuration file that read the file, without restarting the powerdns recursor.

# rec_control reload-lua-config

Verify with dig

testing the dns results with dig:

$ dig

;           IN  A

;; ANSWER SECTION:        86400   IN  CNAME   86261   IN  A

$ dig

;     IN  A

;; ANSWER SECTION:  86400   IN  CNAME   86229   IN  A


test the wildcard record in

$ dig

;       IN  A

;; ANSWER SECTION:    86400   IN  CNAME   86400   IN  A

Tag(s): dns, rpz, PowerDNS
PowerDNS Remote Backend

One of the great features that PowerDNS has, is the concepts of ‘backends’.

Backends give you the ability to choose the datastore you would like to save (or not) your dns data. If you are looking to migrate from another dns server (lets say bind ics) with bind zone files support, then you can choose the bind backend, copy the files and voila !

PowerDNS can also support multiple backends. So you can build/test your “new” infrastructure without compromise any existing data structure or as the consultants love to say: “With no-downtime!” Another approach is that you can add support for provisioning automate mechanism or whatever else you can think of !

A very good example of Pipe Backend is the PowerDNS Dynamic Reverse script that @kargig has modified to support reverse ipv6 responses (amazing, right ?).

I have a few (half–baked) ideas that I would like to implement with PowerDNS and I was looking on Remote Backend. It took me some time to understand the logic behind this (as I am not a developer, nor I will ever be!) and create a proof of concept script.

So this is my initial script, that I would like to share:
pdns remote - pipe

It doesnt do anything (yet), just sends everything to your syslog (/var/log/messages) for debugging.

The key to success is this quote:

You must always reply with JSON hash with at least one key, ‘result’

Tag(s): PowerDNS
Removing Ads with your PowerDNS Resolver

In my previous post , I documented my notes on setting up a new PowerDNS Recursor for our own clients.

In this post, I will present a simple way to reduce unnecessary traffic by blocking every FQDN you dont want.



Download a well known custom HOSTS file:

# curl -s -L -o /etc/pdns-recursor/hosts.blocked

Add your FQDNs you want to block,

# echo "" >> /etc/pdns-recursor/hosts.blocked

be very careful not to block something you need.
Reminder: No support for wildcards, only FQDNs


Edit your /etc/pdns-recursor/recursor.conf to support the new hosts file:


restart your pdns and test it

# dig @localhost

;; ANSWER SECTION:   86400   IN  A

Once you have done that, you can edit your hosts.blocked when ever you want!
But dont forget to reload:

# rec_control reload-zones

Tag(s): PowerDNS
Build your own DNS Recursor with PowerDNS in five minutes

First rule of DNS: Always keep in separted machines your authoritative and recursor DNS server.

Disclaimer: The below notes are made on a fresh centos7 server. This is not an openresolver, is just for personal use. You need to adjust your settings.



PowerDNS is an amazing product. Has two flavors, one for Authoritative NS and one for Recursor. I always use @KeesMonshouwer RPMs for two reasons:

a. Works perfectly
b. I trust his work


  • Installation

    Let’s start, by installing the pdns-recursor:

    # rpm -ivh
  • User/Group

    Verify that you have the pdns User/Group, if not create them:

    # grep pdns /etc/group
    # grep pdns /etc/passwd
    pdns-recursor:x:996:996:PowerDNS Recursor:/dev/null:/sbin/nologin
  • root hint

    Create the hint (root NS) zone:

    # dig NS . | grep -vE '^;|^$'  | sort -V > /etc/pdns-recursor/root.hint

    I prefer to use and work with the opennicproject cause it’s an amazing community open DNS project. They also provide their own gTLDs and the majority of them dont have any logs at all or they anonymize the dns logs. In the times we are living, I prefer my DNS queries NOT to be obtained and recorded by companies.

    I strongly suggest to participate to this amazing community project.

    So my root.hint file is the result of this:

    # dig . NS @ | grep -v '^;' | sort -u -V  > /etc/pdns-recursor/root.hint

    Dont forget to edit your /etc/pdns-recursor/recursor.conf so that you tell pdns where is your root hint file:

  • ACL

    As i mentioned above, I dont want (at the current moment) to create an openresolver. So I need to create an ACL.

    That can be done by two ways (combined or separated).

  • iptables

    The first one is via iptables. My iptables default policy is DROP, so I need to ACCEPT tcp/udp traffic from the networks I want to provide dns recursion. The below example are for a specific IP and a class C (/24) network

    # TCP
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -s XXX.XXX.XXX.XXX -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -s YYY.YYY.YYY.0/24 -j ACCEPT
    # UDP
    -A INPUT -p udp -m state --state NEW -m udp --dport 53 -s XXX.XXX.XXX.XXX -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 53 -s YYY.YYY.YYY.0/24 -j ACCEPT

    Dont forget to restart your iptable service.

  • ACL in pdns

    The second way is by configure the allow-from pdns setting accordingly:

    # vim /etc/pdns-recursor/recursor.conf
    allow-from=, XXX.XXX.XXX.XXX, YYY.YYY.YYY.0/24
  • Listen IP address

    PowerDNS Recursor will start on your local IP address. To change it to your public IP, you need to edit the below entry:

    # vim /etc/pdns-recursor/recursor.conf
    local-address=, XXX.XXX.XXX.XXX

    At this point you are ready to start and use your own DNS recursor.

    # systemctl status pdns-recursor.service
    # systemctl enable pdns-recursor.service
  • Testing

    Before you exit your machine, you need to test your DNS server.

    # dig soa @

    and from a machine inside your ACL:

    # dig soa @XXX.XXX.XXX.XXX

    Everything must work just fine.