diff --git a/DnsServerCore/www/index.html b/DnsServerCore/www/index.html index a07c57fd..ac5eca57 100644 --- a/DnsServerCore/www/index.html +++ b/DnsServerCore/www/index.html @@ -460,9 +460,10 @@

example.com

Primary - DNSSEC - Enabled - Expiry: 01 Jan 2020 00:00:00 + DNSSEC + Enabled + catalog +
Expiry: 01 Jan 2020 00:00:00
@@ -832,6 +833,7 @@ + @@ -1012,7 +1014,7 @@
-
Enter IP addresses or network addresses one below another that are allowed to perform zone transfer for all zones without any TSIG authentication.
+
Enter IP addresses or network addresses one below another that are allowed to perform zone transfer for all zones without any TSIG authentication.
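Review bot: the visible help text on the `+` line is identical to the removed line, so the functional change in this hunk lives in the attribute markup that extraction stripped; since this field grants zone transfers for all zones with no TSIG authentication, the help text should also say that entries are matched on the source IP address of the transfer request and recommend listing individual host addresses rather than broad network ranges, with TSIG preferred wherever the secondary supports it.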
@@ -1020,7 +1022,7 @@
-
Enter IP addresses or network addresses one below another that are allowed to Notify all Secondary Zones.
+
Enter IP addresses or network addresses one below another that are allowed to Notify all Secondary Zones.
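Review bot: as with the zone-transfer field, the visible text is unchanged, but the help text for the NOTIFY allow list should note that NOTIFY is normally received over UDP, so a source-address match alone does not authenticate the sender; consider adding that these addresses apply to every secondary zone and that a matching NOTIFY should only trigger a refresh check rather than be trusted on its own.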
@@ -1190,11 +1192,11 @@
-
Enter IP addresses or network addresses one below another that are allowed to bypass the QPM limit.
+
Enter IP addresses or network addresses one below another that are allowed to bypass the QPM limit.
-
Note! Queries Per Minute (QPM) feature will limit requests from a client subnet based on its IP address and the specified subnet prefix lengths. The QPM limit configured will be compared with the average count from the sample size which means a client may exceed the QPM limit for a given minute but won't exceed for the given sample size in minutes. Rate limited clients will be listed in orange color on the dashboard top clients table.
+
Note! Queries Per Minute (QPM) feature will limit requests from a client subnet based on its IP address and the specified subnet prefix lengths except for loopback IP addresses. The QPM limit configured will be compared with the average count from the sample size which means a client may exceed the QPM limit for a given minute but won't exceed for the given sample size in minutes. Rate limited clients will be listed in orange color on the dashboard top clients table.
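Review bot: the new loopback exemption is appended as a trailing clause, "and the specified subnet prefix lengths except for loopback IP addresses", which reads as if it qualifies the prefix lengths rather than the limit; suggest a separate sentence such as "Queries from loopback addresses are never rate limited." It is also worth stating the consequence: when a local stub resolver or proxy on the same host is the only client, every query arrives from loopback and the QPM limit no longer applies to any of them.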
@@ -1331,6 +1333,7 @@

Note! The web service port changes will be automatically applied and so you do not need to manually restart the main service. The TLS certificate too will be automatically reloaded when the certificate file's date modified property on disk changes. This web page will be automatically redirected to the new web console URL after saving settings. The HTTPS protocol will be enabled only when a TLS certificate is configured.

When using a reverse proxy with the Web Service, you need to add X-Real-IP header to the proxy request with the IP address of the client to allow the Web server to know the real IP address of the client originating the request. For example, if you are using nginx as the reverse proxy, you can add proxy_set_header X-Real-IP $remote_addr; to make it work.

The web service uses Kestral web server which supports both HTTP/2 and HTTP/3 protocols when TLS certificate is configured. HTTP/3 protocol support is not available on all platforms. On Windows, it is available only on Windows 11 (build 22000 or later) and Windows Server 2022. On Linux, it requires libmsquic to be installed.

+

Note! The web service will always bind to [::] local address for HTTP/3 protocol since this is how the libmsquic library is designed to work.

Use the following openssl command to convert your TLS certificate that is in PEM format to PKCS #12 certificate (.pfx) format:

openssl pkcs12 -export -out "example.com.pfx" -inkey "privkey.pem" -in "cert.pem" -certfile "chain.pem"
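Review bot: the added note that the web service "will always bind to [::] local address for HTTP/3 protocol" describes behaviour that silently overrides the operator's configured local addresses for that listener, so the help text should spell out the security consequence: an administrator who restricted the web console to a loopback or LAN address still gets an HTTP/3 (UDP) listener on every interface, and should either leave HTTP/3 disabled or firewall the UDP port. While here, the context line spells the server "Kestral"; the product name is Kestrel.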
@@ -1379,6 +1382,13 @@
Enable this option to accept DNS-over-HTTPS requests.
+
+ +
+
Enable this option to accept DNS-over-HTTP/3 requests.
+
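Review bot: "Enable this option to accept DNS-over-HTTP/3 requests" gives none of the prerequisites the patch states elsewhere for HTTP/3 (a configured TLS certificate, Windows 11 build 22000 or later or Windows Server 2022, libmsquic on Linux); repeat or link them here, and say whether the bind-to-[::] behaviour noted for the web service also applies to this DNS listener, since that determines which interfaces the QUIC port ends up on.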
@@ -1525,18 +1536,16 @@
-
Select this option to specify which networks (in CIDR form) must be allowed or denied. Denied networks are always matched first.
+
Select this option to specify networks that must be allowed or denied recursion.
- - - - - + + +
Enter IP addresses or network addresses one below another to allow access. Add ! character at the start to deny access, e.g. !0.0.0.0/0 will deny all. The ACL is processed in the same order its listed. If no networks match, the default policy is to deny all except loopback.
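Review bot: the replaced sentence changes ACL semantics, from "Denied networks are always matched first" to first match in listed order, so an existing configuration that lists an allow entry before a deny entry now allows what it previously denied; this needs a release-note entry and ideally a one-time warning when such settings are loaded. Minor: "in the same order its listed" should be "in the order in which it is listed", and "deny all except loopback" should be stated as the behaviour both when nothing matches and when the list is empty.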
@@ -1590,6 +1599,15 @@
The amount of time the recursive resolver must wait between retries.
+
+ +
+ + (valid range 1-4; default 2) +
+
The number of concurrent requests that should be sent by the recursive resolver to the name servers.
+
+
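Review bot: the "(valid range 1-4; default 2)" text is UI-only guidance; the API that consumes this setting should enforce the same bounds, since the web console is not the only client and an out-of-range value changes how many parallel upstream queries each recursion fans out. Also align the wording with the forwarder setting added in this patch, which says the requests "must be sent" while this one says "should be sent".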
@@ -1795,7 +1813,7 @@
-
Enter IP addresses or network addresses one below another that are allowed to bypass blocking.
+
Enter IP addresses or network addresses one below another that are allowed to bypass blocking.
@@ -2052,7 +2070,7 @@ -
Enter forwarder DNS Server IP addresses or URLs one below another in above text field or use the Quick Select list to select desired forwarder.
+
Enter forwarder DNS Server IP addresses or URLs one below another in above text field or use the Quick Select list to select desired forwarder.
@@ -2090,12 +2108,33 @@ -
Select a protocol that this DNS server must use to query the forwarders specified above.
+
Select a protocol that this DNS server must use to query the forwarders specified above.
-
Forwarders are upstream DNS servers which this DNS Server should use to resolve recursive queries. When more than one forwarders are configured, the DNS server will randomly select one or more forwarders (as per forwarder concurrency) to query and use the fastest response it receives from anyone of them. If none of the randomly selected forwarders respond in time then the ones left are tried before giving up. If no forwarders are configured then the DNS server will use preconfigured ROOT SERVERS to perform recursive resolution.
-
Note! To force DNS-over-HTTPS/3, use h3 URL scheme instead of https.
+
+ +
+
+ +
+
Enable this option to allow querying two or more forwarders concurrently instead of sequentially querying them in their given order. The DNS server will automatically select forwarders (based on their average latency) to query and use the fastest response it receives from any of them. If none of the selected forwarders respond in time, the DNS server will similarly select forwarders from the remaining ones and queries them till all are tried before giving up.
+
+
+ +
+ +
+ + (valid range 1-10; default 2) +
+
The number of concurrent requests that must be sent when Concurrent Forwarding is enabled for resolving a domain name.
+
+ +
Note! Forwarders are upstream DNS servers which this DNS Server must use to resolve domain names. If no forwarders are configured then the DNS server will use preconfigured ROOT HINTS to perform recursive resolution to resolve domain names.
+
Note! The https URL scheme will attempt to make DNS-over-HTTPS/3 request and will fallback to DNS-over-HTTPS/2 (and later to DNS-over-HTTPS/1.1) if it fails to connect. To force DNS-over-HTTPS/3, use h3 URL scheme instead of https but note that there wont be any protocol fallback if the connection attempt fails.
Help: Configuring DNS Server For Privacy & Security
Help: Configuring DNS-over-QUIC and HTTPS/3 For Technitium DNS Server
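Review bot: the new note on URL schemes says "https" tries HTTP/3 first and falls back to HTTP/2 and then HTTP/1.1 "if it fails to connect"; it should state exactly what triggers the fallback (a connection failure only, not a TLS or certificate failure) and whether the result is cached per forwarder or retried on every query, because a single blocked UDP port would otherwise move all traffic to HTTP/2 silently and should at least be visible in the logs. Minor text fixes: "wont" should be "won't", "queries them till all are tried" should be "queries them until all have been tried", and the switch from "ROOT SERVERS" in the removed text to "ROOT HINTS" is the better term.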
@@ -2118,15 +2157,6 @@
The amount of time the forwarder or conditional forwarder resolver must wait between retries.
- -
- -
- - (valid range 1-10; default 2) -
-
The number of concurrent requests that the forwarder or conditional forwarder resolver must send when resolving a domain name.
-
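Review bot: this hunk removes the "(valid range 1-10; default 2)" concurrency setting whose help text covered "the forwarder or conditional forwarder resolver", while the replacement added earlier in the patch is scoped to "when Concurrent Forwarding is enabled" under the Forwarders section; confirm that conditional forwarder zones still have a defined concurrency after this removal and that a previously saved value for the removed setting is migrated rather than dropped.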
@@ -3280,7 +3310,7 @@

If you are an administrator, follow these steps to reset the 'admin' user's password:

  1. Stop the DNS server.
  2. -
  3. Find the DNS Server config folder and locate the auth.config file. The config folder will be found where the DNS Server is installed.
  4. +
  5. Find the DNS Server config folder and locate the auth.config file. The config folder will be found where the DNS Server is installed on Windows or /etc/dns/ folder on Linux.
  6. Rename the auth.config file as resetadmin.config
  7. Start the DNS Server to complete the password reset process.
  8. Just refresh this web page in the web browser to auto login with default credentials and quickly change the password.
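Review bot: the added Linux path "/etc/dns/" makes the reset procedure concrete, so the help text should also state the trust assumption it rests on: anyone who can write to that folder can rename auth.config and obtain the default admin credentials, which is a reason to keep the folder owned by the service account with no group or world write access. Step 8's "auto login with default credentials" window should also be called out, with a suggestion to restrict web console access at the network level before starting the service in reset mode.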
  9. @@ -3356,22 +3386,49 @@
    +
    + +
    +
    + +
    +
    + +
    + + + + +
    + +
    + +
    Select a Catalog zone to register as its member zone.
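Review bot: "Select a Catalog zone to register as its member zone" says what the control does but not what registration implies; add a sentence saying which settings the member zone takes from the catalog (for example zone transfer or NOTIFY options) or, if none, that the catalog only publishes the zone's membership, so operators know whether adding a zone to a catalog changes who can transfer it.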
    @@ -3389,13 +3446,14 @@
    - +
    +
    Enter the primary name server addresses to sync the zone from. When unspecified, the SOA Primary Name Server will be resolved and used.
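Review bot: the fallback "the SOA Primary Name Server will be resolved and used" means the secondary picks its transfer source from a resolved MNAME rather than an operator-supplied address; the help text should say that explicit addresses plus TSIG are the recommended configuration and that the resolved fallback is only as trustworthy as the resolution that produced it, so it should not be relied on for zones where a spoofed transfer would matter.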
    @@ -3439,6 +3497,7 @@ ns1.example.com ([2001:db8::]) +
    When enabled, the secondary zone will be validated using the ZONEMD record after every zone transfer. The zone will get disabled if the validation fails. The zone must be DNSSEC signed for the validation to work.
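Review bot: "The zone must be DNSSEC signed for the validation to work" should clarify that the protection comes from the ZONEMD RRset being covered by valid signatures, since an unsigned ZONEMD only detects corruption, not tampering by whoever can modify the zone and recompute the digest. The text should also say how the operator learns that a zone was disabled after a failed check (log entry, dashboard state), since a silently disabled secondary is an availability incident.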
    @@ -3493,6 +3552,8 @@ ns1.example.com ([2001:db8::]) + +
    Enter a forwarder server address above. You can add more forwarders by adding FWD records after the zone is added.
    @@ -3571,8 +3632,6 @@ ns1.example.com ([2001:db8::]) -
    +
    - + + seconds
    @@ -3688,6 +3749,7 @@ ns1.example.com ([2001:db8::])
    +
    Note! Glue addresses are required only for delegating a subdomain name where the name server's domain name belongs to the delegated subdomain zone.
    @@ -3703,7 +3765,7 @@ ns1.example.com ([2001:db8::])
    - +
    @@ -3743,59 +3805,6 @@ ns1.example.com ([2001:db8::])
    - -
    - -
    - -
    -
    - -
    - -
    -
    - -
    -
    - -
    -
    - -
    -
    -
    - -
    - -
    - -
    -
    - -
    - -
    -
    - -
    -
    -
    @@ -3830,6 +3839,22 @@ ns1.example.com ([2001:db8::]) + + + @@ -4165,6 +4190,17 @@ MII... +
    + +
    + + (valid range 0-255; default 0) +
    +
    + Forwarders with high priority (lower value) will be queried before trying for low priority forwarders. Forwarders with the same priority will be concurrently queried. +
    +
    +
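Review bot: "Forwarders with high priority (lower value) will be queried before trying for low priority forwarders" is easy to misread; suggest "Lower values are tried first." The second sentence, "Forwarders with the same priority will be concurrently queried", conflicts with the settings text added earlier in this patch, where concurrent querying only happens when Concurrent Forwarding is enabled; state which rule applies to this record, or qualify the sentence with "when Concurrent Forwarding is enabled".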
    @@ -4261,6 +4297,7 @@ MII...
    +
    @@ -4278,6 +4315,15 @@ MII...
    +
    + +
    + + seconds (set 0 to disable) +
    +
    Set to automatically delete the record when the value in seconds elapses since the record’s last modified time.
    +
    +
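Review bot: "Set to automatically delete the record when the value in seconds elapses since the record's last modified time" has no subject; suggest "Enter a value in seconds; the record is deleted once that time has elapsed since it was last modified, and 0 disables expiry." It should also say whether any update to the record resets the timer, since that determines whether the feature can be used to cap the lifetime of records created by automation.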