From a2debc645a201db6c3bba4568bad1f2d47761d7c Mon Sep 17 00:00:00 2001 From: Shreyas Zare Date: Sat, 19 Oct 2024 17:12:53 +0530 Subject: [PATCH] webapp: updated html to support new custom real ip headers feature for admin web service and DoH. Added support for blocking answer ttl option. Added support for secondary root zone option. Added support for new notify option for catalog zones. Other minor changes done. --- DnsServerCore/www/index.html | 76 +++++++++++++++++++++++++++++------- 1 file changed, 61 insertions(+), 15 deletions(-) diff --git a/DnsServerCore/www/index.html b/DnsServerCore/www/index.html index b0e5c991..32a9dc5f 100644 --- a/DnsServerCore/www/index.html +++ b/DnsServerCore/www/index.html @@ -948,7 +948,7 @@
- +
The primary fully qualified domain name used by this DNS Server to identify itself.
@@ -993,7 +993,7 @@
- +
The default SOA Responsible Person email address to use when adding a Primary Zone.
@@ -1215,7 +1215,7 @@ milliseconds (valid range 1000-90000; default 10000) -
The amount of time a TCP socket must wait for an ACK before closing the connection. This option will apply for DNS requests being received by the DNS Server over TCP, TLS, or HTTPS transports.
+
The maximum amount of time the DNS Server will wait for the response to be sent. This option will apply for DNS requests being received by the DNS Server over TCP, TLS, TcpProxy, or HTTPS transports.
@@ -1224,7 +1224,7 @@ milliseconds (valid range 1000-90000; default 10000)
-
The amount of time a TCP socket must wait for data before closing the connection. This option will apply for DNS requests being received by the DNS Server over TCP, TLS, or HTTPS transports.
+
The maximum amount of time the DNS Server will wait for receiving data. This option will apply for DNS requests being received by the DNS Server over TCP, TLS, TcpProxy, or HTTPS transports.
@@ -1251,7 +1251,7 @@ (default 100)
-
The maximum number of pending inbound connections. This option applies to TCP, TLS, and QUIC transport protocols.
+
The maximum number of pending inbound connections. This option applies to TCP, TLS, TcpProxy, and QUIC transport protocols.
@@ -1316,7 +1316,7 @@
- +
Specify a PKCS #12 certificate (.pfx or .p12) file path on the server. The path can be relative to the DNS server's config folder. The certificate must contain private key.
@@ -1324,14 +1324,22 @@
- +
Enter the certificate (.pfx) password, if any.
+
+ +
+ +
+
The HTTP header that must be used to read client's actual IP address when the request comes from a reverse proxy with a private IP address.
+
+

Note! The web service port changes will be automatically applied and so you do not need to manually restart the main service. The TLS certificate too will be automatically reloaded when the certificate file's date modified property on disk changes. This web page will be automatically redirected to the new web console URL after saving settings. The HTTPS protocol will be enabled only when a TLS certificate is configured.

-

When using a reverse proxy with the Web Service, you need to add X-Real-IP header to the proxy request with the IP address of the client to allow the Web server to know the real IP address of the client originating the request. For example, if you are using nginx as the reverse proxy, you can add proxy_set_header X-Real-IP $remote_addr; to make it work.

+

When using a reverse proxy with the Web Service, you need to add X-Real-IP header to the proxy request with the IP address of the client to allow the Web server to know the real IP address of the client originating the request. For example, if you are using nginx as the reverse proxy, you can add proxy_set_header X-Real-IP $remote_addr; to make it work.

The web service uses Kestral web server which supports both HTTP/2 and HTTP/3 protocols when TLS certificate is configured. HTTP/3 protocol support is not available on all platforms. On Windows, it is available only on Windows 11 (build 22000 or later) and Windows Server 2022. On Linux, it requires libmsquic to be installed.

Note! The web service will always bind to [::] local address for HTTP/3 protocol since this is how the libmsquic library is designed to work.

Use the following openssl command to convert your TLS certificate that is in PEM format to PKCS #12 certificate (.pfx) format:

@@ -1455,7 +1463,7 @@
- +
Specify a PKCS #12 certificate (.pfx or .p12) file path on the server. The path can be relative to the DNS server's config folder. The certificate must contain private key.
@@ -1463,16 +1471,24 @@
- +
Enter the certificate (.pfx) password, if any.
+
+ +
+ +
+
The HTTP header that must be used to read client's actual IP address when the request comes from a reverse proxy with a private IP address.
+
+

Note! These optional DNS server protocol changes will be automatically applied and so you do not need to manually restart the main service. The TLS certificate too will be automatically reloaded when the certificate file's date modified property on disk changes. The DNS-over-TLS, DNS-over-QUIC, and DNS-over-HTTPS protocols will be enabled only when a TLS certificate is configured.

These optional DNS server protocols are used to host these as a service. You do not need to enable these optional protocols to use them with Forwarders or Conditional Forwarder Zones.

For DNS-over-HTTP, use http://localhost:8053/dns-query with a TLS terminating reverse proxy like nginx. For DNS-over-TLS, use tls-certificate-domain:853, for DNS-over-QUIC, use tls-certificate-domain:853, and for DNS-over-HTTPS use https://tls-certificate-domain/dns-query to configure supported DNS clients.

-

When using a reverse proxy with the DNS-over-HTTP service, you need to add X-Real-IP header to the proxy request with the IP address of the client to allow the DNS server to know the real IP address of the client originating the request. For example, if you are using nginx as the reverse proxy, you can add proxy_set_header X-Real-IP $remote_addr; to make it work.

+

When using a reverse proxy with the DNS-over-HTTP service, you need to add X-Real-IP header to the proxy request with the IP address of the client to allow the DNS server to know the real IP address of the client originating the request. For example, if you are using nginx as the reverse proxy, you can add proxy_set_header X-Real-IP $remote_addr; to make it work.

DNS-over-QUIC protocol support is not available on all platforms. On Windows, it is available only on Windows 11 (build 22000 or later) and Windows Server 2022. On Linux, it requires libmsquic to be installed.

Note! The DNS-over-HTTP/3 protocol will always bind to [::] local address since this is how the libmsquic library is designed to work.

Use the following openssl command to convert your TLS certificate that is in PEM format to PKCS #12 certificate (.pfx) format:

@@ -1849,6 +1865,15 @@
+
+ +
+ + seconds (default 30) +
+
The TTL value in seconds that must be used for the records in a blocking response. This is the TTL value that the client will use to cache the blocking response.
+
+
@@ -1949,7 +1974,7 @@
- +
@@ -1963,14 +1988,14 @@
- +
- +
@@ -2198,7 +2223,7 @@
- +
The folder path on the server where the log files should be saved. The path can be relative to the DNS server's config folder.
@@ -3420,6 +3445,12 @@ Secondary Catalog Zone
+
+ +
@@ -4743,6 +4774,13 @@ ns1.example.com ([2001:db8::])
Notifies both the zone's name servers and the specified name servers when the zone is updated.
+
+ +
Notifies specified name servers for member zone updates and secondary catalog name servers for catalog zone updates.
+
@@ -4754,6 +4792,14 @@ ns1.example.com ([2001:db8::]) +
+ +
+ +
Enter only the IP addresses of the Secondary Catalog name servers above.
+
+
+