-- When an IPv6 IP:PORT combination is needed, the bracketed syntax from RFC 3986 should be used. e.g. “[2001:DB8:14::C0FF:FEE]:5300”
-- https://dnsdist.org/reference/config.html?highlight=servfail

--addTLSLocal('0.0.0.0', '/etc/letsencrypt/live/dns.jp.blahdns.com/fullchain.pem', '/etc/letsencrypt/live/dns.jp.blahdns.com/privkey.pem', { doTCP=true, reusePort=true })
--addTLSLocal("[::]", '/etc/letsencrypt/live/dns.jp.blahdns.com/fullchain.pem', '/etc/letsencrypt/live/dns.jp.blahdns.com/privkey.pem', { doTCP=true, reusePort=true})

addDNSCryptBind("0.0.0.0:8443", "2.dnscrypt-cert.blahdns.com", "/etc/dnsdist/ssl.cert", "/etc/dnsdist/ssl.key")
addDNSCryptBind("[::]:8443", "2.dnscrypt-cert.blahdns.com", "/etc/dnsdist/ssl.cert", "/etc/dnsdist/ssl.key")

addLocal('0.0.0.0:53', { doTCP=true, reusePort=true})
addLocal('[::]:53', { doTCP=true, reusePort=true})

addAction(MaxQPSIPRule(10, 32, 48), DropAction())
addAction(QTypeRule(dnsdist.ANY) ,DropAction())
addAction(QTypeRule(dnsdist.PTR) ,DropAction())

-- Force TCP
addAction(AndRule({NotRule(OrRule({QTypeRule(dnsdist.TXT), QTypeRule(dnsdist.A), QTypeRule(dnsdist.AAAA)})),TCPRule(false)}), TCAction())


setACL({'0.0.0.0/0', '::/0' })

-- https://dnsdist.org/reference/constants.html#dnsaction
-- https://dnsdist.org/rules-actions.html#addLuaAction
-- https://stackoverflow.com/questions/11271547/does-lua-have-or-comparisons

local dbr = dynBlockRulesGroup()
dbr:setQTypeRate(dnsdist.PTR, 5, 10, "Exceeded PTR rate", 60)
dbr:setQTypeRate(dnsdist.TXT, 5, 10, "Exceeded TXT rate", 60)
dbr:setQTypeRate(dnsdist.SOA, 5, 10, "Exceeded SOA rate", 60)
dbr:setQTypeRate(dnsdist.MX, 3, 10, "Exceeded MX rate", 60)
dbr:setQTypeRate(dnsdist.SRV, 3, 10, "Exceeded SRV rate", 60)
dbr:setQTypeRate(dnsdist.NS, 3, 10, "Exceeded PTR rate", 60)
dbr:setQTypeRate(dnsdist.SIG, 3, 10, "Exceeded PTR rate", 60)

function maintenance()
  dbr:apply()
end

newServer({address="127.0.0.1:50", checkType="A", checkType=DNSClass.CHAOS, checkName="google.com", mustResolve=false})
newServer({address="[::1]:50", checkType="AAAA", checkType=DNSClass.CHAOS, checkName="google.com", mustResolve=false})

newServer({address="[::1]:51", checkType="AAAA", checkType=DNSClass.CHAOS, checkName="google.com", mustResolve=false})
-- function luarule(dq)
--   if(dq.qtype==dnsdist.ANY)
--    then
--        return DNSAction.ServFail
--    else
--       return DNSAction.None
--    end
-- end
-- addLuaAction(AllRule(), luarule)