|
| 1 | +# https |
| 2 | + |
| 3 | +**https** is a [CoreDNS](https://github.com/coredns/coredns) plugin that proxies DNS messages to upstream resolvers using DNS-over-HTTPS protocol. See [RFC 8484](https://tools.ietf.org/html/rfc8484). |
| 4 | + |
| 5 | +## Installation |
| 6 | + |
| 7 | +External CoreDNS plugins can be enabled in one of two ways: |
| 8 | + 1. [Build with compile-time configuration file](https://coredns.io/2017/07/25/compile-time-enabling-or-disabling-plugins/#build-with-compile-time-configuration-file) |
| 9 | + 2. [Build with external golang source code](https://coredns.io/2017/07/25/compile-time-enabling-or-disabling-plugins/#build-with-external-golang-source-code) |
| 10 | + |
| 11 | +## Syntax |
| 12 | + |
| 13 | +In its most basic form: |
| 14 | + |
| 15 | +~~~ |
| 16 | +https FROM TO... |
| 17 | +~~~ |
| 18 | + |
| 19 | +* **FROM** is the base domain to match for the request to be proxied. |
| 20 | +* **TO...** are the destination endpoints to proxy to. The number of upstreams is |
| 21 | + limited to 15. |
| 22 | + |
| 23 | +Multiple upstreams are randomized (see `policy`) on first use. When a proxy returns an error |
| 24 | +the next upstream in the list is tried. |
| 25 | + |
| 26 | +Extra knobs are available with an expanded syntax: |
| 27 | + |
| 28 | +~~~ |
| 29 | +https FROM TO... { |
| 30 | + except IGNORED_NAMES... |
| 31 | + tls CERT KEY CA |
| 32 | + tls_servername NAME |
| 33 | + policy random|round_robin|sequential |
| 34 | +} |
| 35 | +~~~ |
| 36 | + |
| 37 | +* **FROM** and **TO...** as above. |
| 38 | +* **IGNORED_NAMES** in `except` is a space-separated list of domains to exclude from proxying. |
| 39 | + Requests that match none of these names will be passed through. |
| 40 | +* `tls` **CERT** **KEY** **CA** define the TLS properties for TLS connection. From 0 to 3 arguments can be |
| 41 | + provided with the meaning as described below |
| 42 | + |
| 43 | + * `tls` - no client authentication is used, and the system CAs are used to verify the server certificate (by default) |
| 44 | + * `tls` **CA** - no client authentication is used, and the file CA is used to verify the server certificate |
| 45 | + * `tls` **CERT** **KEY** - client authentication is used with the specified cert/key pair. |
| 46 | + The server certificate is verified with the system CAs |
| 47 | + * `tls` **CERT** **KEY** **CA** - client authentication is used with the specified cert/key pair. |
| 48 | + The server certificate is verified using the specified CA file |
| 49 | + |
| 50 | +* `policy` specifies the policy to use for selecting upstream servers. The default is `random`. |
| 51 | + |
| 52 | + |
| 53 | +## Metrics |
| 54 | + |
| 55 | +If monitoring is enabled (via the *prometheus* plugin) then the following metric are exported: |
| 56 | + |
| 57 | +* `coredns_https_request_duration_seconds{to}` - duration per upstream interaction. |
| 58 | +* `coredns_https_requests_total{to}` - query count per upstream. |
| 59 | +* `coredns_https_responses_total{to, rcode}` - count of RCODEs per upstream. |
| 60 | + and we are randomly (this always uses the `random` policy) spraying to an upstream. |
| 61 | + |
| 62 | +## Examples |
| 63 | + |
| 64 | +Proxy all requests within `example.org.` to a DoH nameserver: |
| 65 | + |
| 66 | +~~~ corefile |
| 67 | +example.org { |
| 68 | + https . cloudflare-dns.com/dns-query |
| 69 | +} |
| 70 | +~~~ |
| 71 | + |
| 72 | +Forward everything except requests to `example.org` |
| 73 | + |
| 74 | +~~~ corefile |
| 75 | +. { |
| 76 | + https . dns.quad9.net/dns-query { |
| 77 | + except example.org |
| 78 | + } |
| 79 | +} |
| 80 | +~~~ |
| 81 | + |
| 82 | +Load balance all requests between multiple upstreams |
| 83 | + |
| 84 | +~~~ corefile |
| 85 | +. { |
| 86 | + https . dns.quad9.net/dns-query cloudflare-dns.com:443/dns-query dns.google/dns-query |
| 87 | +} |
| 88 | +~~~ |
| 89 | + |
| 90 | +Internal DoH server: |
| 91 | + |
| 92 | +~~~ corefile |
| 93 | +. { |
| 94 | + https . 10.0.0.10:853/dns-query { |
| 95 | + tls ca.crt |
| 96 | + tls_servername internal.domain |
| 97 | + } |
| 98 | +} |
| 99 | +~~~ |
0 commit comments