ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

Document the new PROXY-related options for dig

Browse Source 
This commit adds new documentation for +[no]proxy and +[no]proxy-plain
dig options.
This commit is contained in:
Artem Boldariev
2023-10-18 16:51:06 +03:00
parent e0afd614c3
commit e87f980d42
1 changed files with 38 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
bin/dig/dig.rst
View File

@@ -507,6 +507,44 @@ abbreviation is unambiguous; for example, :option:`+cd` is equivalent to
mandatory. Responses to padded queries may also be padded, but only
if the query uses TCP or DNS COOKIE.
.. option:: +proxy[=src_addr[#src_port]-dst_addr[#dst_port]], +noproxy
When this option is set, :program:`dig` adds PROXYv2 headers to the
queries. When source and destination addresses are specified, the
headers contain them and use the ``PROXY`` command. It means for
the remote peer that the queries were sent on behalf of another
node and that the PROXYv2 header reflects the original connection
endpoints. The default source port is ``0`` and destination port is
`53`.
For encrypted DNS transports, to prevent accidental information
leakage, encryption is applied to the PROXYv2 headers: the headers
are sent right after the handshake process has been completed.
For plain DNS transports, no encryption is applied to the PROXYv2
headers.
If the addressees are omitted, PROXYv2 headers, that use the
``LOCAL`` command set, are added instead. For the remote peer, that
means that the queries were sent on purpose without being relayed,
so the real connection endpoint addresses must be used.
.. option:: +proxy-plain[=src_addr[#src_port]-dst_addr[#dst_port], +noproxy-plain
The same as ``+[no]proxy``, but instructs ``dig`` to send PROXYv2
headers ahead of any encryption, before any handshake messages are
sent. That makes :program:`dig` behave exactly how it is described
in the PROXY protocol specification, but not all software expects
such behaviour.
Please consult the software documentation to find out if you need
this option. (for example, ``dnsdist`` expects encrypted PROXYv2
headers sent over TLS when encryption is used, while ``HAProxy``
and many other software packages expect plain ones).
For plain DNS transports the option is effectively an alias for the
``+[no]proxy`` described above.
.. option:: +qid=value
This option specifies the query ID to use when sending queries.