Access Control

dnsdist can be used to front traditional recursive nameservers, these usually come with a way to limit the network ranges that may query it to prevent becoming an open resolver. To be a good internet citizen, dnsdist by default listens on the loopback address ( and limits queries to these loopback, RFC 1918 and other local addresses:

  • ::1/128
  • fc00::/7
  • fe80::/10

The ACL applies to queries received over UDP, TCP, DNS over TLS and DNS over HTTPS.

Further more, dnsdist only listens for queries on the local-loopback interface by default.

Listening on different addresses

To listen on other addresses than just the local addresses, use setLocal() and addLocal().

setLocal() resets the list of current listen addresses to the specified address and addLocal() adds an additional listen address. To listen on, and UDP-only on [2001:db8::15::47]:53, configure the following:

addLocal('') -- Port 53 is default is none is specified
addLocal('2001:db8::15::47', false)

Listen addresses cannot be modified at runtime and must be specified in the configuration file.

As dnsdist is IPv4 and IPv6 agnostic, this means that dnsdist internally does not know the difference. So feel free to listen on the magic or :: addresses, dnsdist does the right thing to set the return address of queries, but set your ACL properly.

Modifying the ACL

ACLs can be modified at runtime from the Working with the dnsdist Console. To inspect the currently active ACL, run showACL().

To add a new network range to the existing ACL, use addACL():

addACL('2001:db8::1') -- No netmask specified, only allow this address

To remove a previously added network range from the existing ACL, use rmACL():

rmACL('2001:db8::1') -- No netmask specified, only remove this address

dnsdist also has the setACL() function that accepts a list of netmasks and resets the ACL to that list:

setACL({'', '2001:db8:15::bea/64'})

To set the ACL from a file containing a list of netmasks, use setACLFromFile():