<?xml version="1.0"?> <!-- DNS forwarder configuration --> <interfaceDefinition> <node name="service"> <children> <node name="dns"> <properties> <help>Domain Name System related services</help> </properties> <children> <node name="forwarding" owner="${vyos_conf_scripts_dir}/dns_forwarding.py"> <properties> <help>DNS forwarding</help> <priority>918</priority> </properties> <children> <leafNode name="cache-size"> <properties> <help>DNS forwarding cache size (default: 10000)</help> <valueHelp> <format>u32:0-2147483647</format> <description>DNS forwarding cache size</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 0-2147483647"/> </constraint> </properties> <defaultValue>10000</defaultValue> </leafNode> <leafNode name="dhcp"> <properties> <help>Interfaces whose DHCP client nameservers to forward requests to</help> <completionHelp> <script>${vyos_completion_dir}/list_interfaces.py</script> </completionHelp> <multi/> </properties> </leafNode> <leafNode name="dnssec"> <properties> <help>DNSSEC mode (default: process-no-validate)</help> <completionHelp> <list>off process-no-validate process log-fail validate</list> </completionHelp> <valueHelp> <format>off</format> <description>No DNSSEC processing whatsoever!</description> </valueHelp> <valueHelp> <format>process-no-validate</format> <description>Respond with DNSSEC records to clients that ask for it. No validation done at all!</description> </valueHelp> <valueHelp> <format>process</format> <description>Respond with DNSSEC records to clients that ask for it. Validation for clients that request it.</description> </valueHelp> <valueHelp> <format>log-fail</format> <description>Similar behaviour to process, but validate RRSIGs on responses and log bogus responses.</description> </valueHelp> <valueHelp> <format>validate</format> <description>Full blown DNSSEC validation. Send SERVFAIL to clients on bogus responses.</description> </valueHelp> <constraint> <regex>^(off|process-no-validate|process|log-fail|validate)$</regex> </constraint> </properties> <defaultValue>process-no-validate</defaultValue> </leafNode> <tagNode name="domain"> <properties> <help>Domain to forward to a custom DNS server</help> </properties> <children> <leafNode name="server"> <properties> <help>Domain Name Server (DNS) to forward queries to</help> <valueHelp> <format>ipv4</format> <description>Domain Name Server (DNS) IPv4 address</description> </valueHelp> <valueHelp> <format>ipv6</format> <description>Domain Name Server (DNS) IPv6 address</description> </valueHelp> <multi/> <constraint> <validator name="ipv4-address"/> <validator name="ipv6-address"/> </constraint> </properties> </leafNode> <leafNode name="addnta"> <properties> <help>Add NTA (negative trust anchor) for this domain (must be set if the domain does not support DNSSEC)</help> <valueless/> </properties> </leafNode> <leafNode name="recursion-desired"> <properties> <help>Set the "recursion desired" bit in requests to the upstream nameserver</help> <valueless/> </properties> </leafNode> </children> </tagNode> <leafNode name="ignore-hosts-file"> <properties> <help>Do not use local /etc/hosts file in name resolution</help> <valueless/> </properties> </leafNode> <leafNode name="no-serve-rfc1918"> <properties> <help>Makes the server authoritatively not aware of RFC1918 addresses</help> <valueless/> </properties> </leafNode> <leafNode name="allow-from"> <properties> <help>Networks allowed to query this server</help> <valueHelp> <format>ipv4net</format> <description>IP address and prefix length</description> </valueHelp> <valueHelp> <format>ipv6net</format> <description>IPv6 address and prefix length</description> </valueHelp> <multi/> <constraint> <validator name="ip-prefix"/> </constraint> </properties> </leafNode> #include <include/listen-address.xml.i> <leafNode name="negative-ttl"> <properties> <help>Maximum amount of time negative entries are cached (default: 3600)</help> <valueHelp> <format>u32:0-7200</format> <description>Seconds to cache NXDOMAIN entries</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 0-7200"/> </constraint> </properties> <defaultValue>3600</defaultValue> </leafNode> #include <include/name-server-ipv4-ipv6.xml.i> <leafNode name="source-address"> <properties> <help>Local addresses from which to send DNS queries</help> <completionHelp> <script>${vyos_completion_dir}/list_local_ips.sh --both</script> </completionHelp> <valueHelp> <format>ipv4</format> <description>IPv4 address from which to send traffic</description> </valueHelp> <valueHelp> <format>ipv6</format> <description>IPv6 address from which to send traffic</description> </valueHelp> <multi/> <constraint> <validator name="ipv4-address"/> <validator name="ipv6-address"/> </constraint> </properties> <defaultValue>0.0.0.0 ::</defaultValue> </leafNode> <leafNode name="system"> <properties> <help>Use system name servers</help> <valueless/> </properties> </leafNode> </children> </node> </children> </node> </children> </node> </interfaceDefinition>