Add "PROXY protocol" Support -> quick win: DoH, DOT, DNSCrypt, Loadbalancing, dns rulesets with dnsdist

UPDATE:
“DNS X-Proxied-For” (XPF) is probably outdated, since today (20.03.2020) dnsdist also supports the PROXY protocol.

####################################################################

I have been running my own DNS infrastructure for some time now, including my own recursive DNS servers.
Currently the setup consists of dnsdist (DNS proxy) and unbound.
I have learned to appreciate dnsdist, because it allows you to create DoH, DoT, DNSCrypt, load balancing and DNS rulesets very easily.

However, if you use dnsdist in front of pi-hole, only the dnsdist IP address will appear in the pi-hole logs. Since this problem is a known one (e.g. with HTTP proxies), there is a draft “DNS X-Proxied-For” available. Dnsdist supports this in the newServer command (addXPF), but pi-hole does not understand the “DNS X-Proxied-For” entry.

It would be cool if we could include “DNS X-Proxied-For” in pi-hole, then you could take advantage of dnsdist.

https://tools.ietf.org/id/draft-bellis-dnsop-xpf-02.html

https://dnsdist.org/index.html
https://dnsdist.org/reference/config.html?highlight=newserver#newServer
https://dnsdist.org/guides/dns-over-https.html
https://dnsdist.org/guides/dns-over-tls.html

https://blog.powerdns.com/2018/03/30/dnsdist-1-3-0-released/

https://dnsprivacy.org/wiki/m/mobile.action#page/1278004

UPDATE:

Not sure whether it would be prudent to support this.

“DNS X-Proxied-For” is not a standard, not even an RFC yet. Its corresponding internet draft has been around since January 2017 and has expired in September 2018:

Since the “DNS X-Proxied-For” approach will probably not be further developed, the proxy protocol (v2) should be implemented in pihole.

dnsdist:


Nginx should also support this (proxy_protocol on;)

HAProxy:

A problem with this is that it is handled by pihole-FTL/dnsmasq, and I think dnsmasq is the one responding to the resolve last.

If we look at dnsdist, which has several ways of providing the client IP address/subnet, then Pihole has to extract the x-proxied-for address and use that for logging and bookkeeping.
No replacing, tagging or routing needed. Dnsdist gets the reply back and sends it to the client.

https://dnsdist.org/ is very nice software to front end a DNS server. Not just for this particular request but for all kinds of needs.

Unfortunately, dnsdist (or other proxies) is currently not very easy to use with pihole, because the pihole GUI only shows the source IP of dnsdist.
Of course you can create a workaround with policy based routing (I don’t think it works with dnsdist) but I would like to have an easier solution (I run everything with docker).

I thought XPF was the solution at first, but the proxy protocol is probably more common.

Unfortunately, a few things are still missing in order to make this work in the future.
My DoH setup:
Internet —(HTTPS,443)—> Haproxy —(HTTP,80, docker internal)—> dnsdist —(dns,53, docker internal)—> pihole --(dns,53, docker internal)—> unbound

My DoT setup:
Internet —(DoT,853)—> dnsdist —(dns,53, docker internal)—> pihole --(dns,53, docker internal)—> unbound

Missing:
Haproxy —(HTTP,80, docker internal)—> dnsdist. (only DoH)
- X-Forwarded-For support, only relevant if several services are to be used via port 443.
- dnsdist: https://github.com/PowerDNS/pdns/issues/8661

dnsdist —(dns,53, docker internal)—> pihole. (DoH and DoT)
- proxy protocol support
- dnsdist: https://github.com/PowerDNS/pdns/pull/8874
- pihole: nothing found for the proxy protocol yet, therefore this post

Which service would have to be adapted for the proxy protocol for pihole, pihole-FTL or dnsmasq? Which service provides the DNS port 53 for the clients?
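Worked example of what the missing piece on the dnsdist —(dns,53)—> pihole hop amounts to: the PROXY protocol v2 binary header (HAProxy's spec) that a proxy prepends to each UDP datagram or TCP connection, built on the proxy side and then parsed on the backend side so the real client address can be pulled out for logging while the DNS message itself is passed on unchanged. This is an added example written for this thread, not code from dnsdist, Pi-hole, HAProxy or nginx; it assumes exactly one v2 header in front of every datagram/connection and treats TLV values as opaque. The sample query, addresses and the `client_for_log` helper are constructed for the illustration.

```python
"""PROXY protocol v2 header (HAProxy spec) in front of a DNS message: build it as
the proxy (e.g. dnsdist) would, parse it as the backend (pihole-FTL/dnsmasq)
would have to before reading the DNS message that follows.

Added example for this thread, not project code. Assumed: one v2 header per
UDP datagram or TCP connection; TLVs are carried opaquely.
"""
import ipaddress
import struct
from dataclasses import dataclass, field

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12 fixed bytes from the spec
PP2_VERSION = 0x20
PP2_CMD_LOCAL, PP2_CMD_PROXY = 0x00, 0x01   # LOCAL = proxy's own traffic (health checks)
PP2_AF_INET, PP2_AF_INET6 = 0x10, 0x20
PP2_TP_STREAM, PP2_TP_DGRAM = 0x01, 0x02    # TCP, UDP


class ProxyProtocolError(ValueError):
    pass


@dataclass
class ProxyHeader:
    src: str
    dst: str
    src_port: int
    dst_port: int
    protocol: str                               # "tcp" or "udp"
    tlvs: list = field(default_factory=list)    # [(type, value_bytes), ...]


def build_v2(hdr: ProxyHeader) -> bytes:
    """Proxy side: signature, ver/cmd, fam/transport, length, addresses, TLVs."""
    src, dst = ipaddress.ip_address(hdr.src), ipaddress.ip_address(hdr.dst)
    if src.version != dst.version:
        raise ProxyProtocolError("source and destination address families differ")
    fam = PP2_AF_INET if src.version == 4 else PP2_AF_INET6
    tp = PP2_TP_STREAM if hdr.protocol == "tcp" else PP2_TP_DGRAM
    body = src.packed + dst.packed + struct.pack("!HH", hdr.src_port, hdr.dst_port)
    body += b"".join(struct.pack("!BH", t, len(v)) + v for t, v in hdr.tlvs)
    return (PP2_SIGNATURE + bytes([PP2_VERSION | PP2_CMD_PROXY, fam | tp])
            + struct.pack("!H", len(body)) + body)


def parse_v2(buf: bytes):
    """Backend side: split buf into (ProxyHeader | None, payload).
    None means a LOCAL command (no client info): use the transport peer address."""
    if len(buf) < 16 or buf[:12] != PP2_SIGNATURE:
        raise ProxyProtocolError("missing PROXY v2 signature")
    ver_cmd, fam_tp, length = struct.unpack("!BBH", buf[12:16])
    if ver_cmd & 0xF0 != PP2_VERSION:
        raise ProxyProtocolError("unsupported PROXY protocol version")
    if len(buf) < 16 + length:
        raise ProxyProtocolError("truncated PROXY header")  # never read past 'length'
    body, payload = buf[16:16 + length], buf[16 + length:]
    cmd = ver_cmd & 0x0F
    if cmd == PP2_CMD_LOCAL:
        return None, payload
    if cmd != PP2_CMD_PROXY:
        raise ProxyProtocolError("unknown command %#x" % cmd)
    alen = {PP2_AF_INET: 4, PP2_AF_INET6: 16}.get(fam_tp & 0xF0)
    proto = {PP2_TP_STREAM: "tcp", PP2_TP_DGRAM: "udp"}.get(fam_tp & 0x0F)
    if alen is None or proto is None:
        raise ProxyProtocolError("unsupported address family or transport")
    fixed = 2 * alen + 4
    if len(body) < fixed:
        raise ProxyProtocolError("address block too short")
    src = ipaddress.ip_address(body[:alen])
    dst = ipaddress.ip_address(body[alen:2 * alen])
    src_port, dst_port = struct.unpack("!HH", body[2 * alen:fixed])
    tlvs, pos = [], fixed
    while pos < len(body):                      # TLV: type(1) length(2) value
        if pos + 3 > len(body):
            raise ProxyProtocolError("truncated TLV header")
        t, l = struct.unpack("!BH", body[pos:pos + 3])
        pos += 3
        if pos + l > len(body):
            raise ProxyProtocolError("TLV runs past header length")
        tlvs.append((t, body[pos:pos + l]))
        pos += l
    return ProxyHeader(str(src), str(dst), src_port, dst_port, proto, tlvs), payload


def client_for_log(datagram: bytes, peer_ip: str, trusted_proxies):
    """Hypothetical backend helper: which IP goes into the query log and which
    bytes are the DNS message. The header is only honoured when the transport
    peer is a trusted proxy; otherwise any host could prepend one and spoof
    its address in the log."""
    if peer_ip in trusted_proxies and datagram[:12] == PP2_SIGNATURE:
        hdr, dns_msg = parse_v2(datagram)
        return (hdr.src if hdr else peer_ip), dns_msg
    return peer_ip, datagram


# Constructed sample: a UDP query for pi.hole as the proxy would hand it over.
DNS_QUERY = (b"\xab\xcd\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x02pi\x04hole\x00\x00\x01\x00\x01")
CLIENT = ProxyHeader("203.0.113.7", "10.0.0.53", 51234, 53, "udp")

if __name__ == "__main__":
    wire = build_v2(CLIENT) + DNS_QUERY
    ip, msg = client_for_log(wire, "172.18.0.2", {"172.18.0.2"})
    print("log client:", ip, "dns bytes:", len(msg))
```

The important design choice is the trust check in `client_for_log`: a backend that accepts PROXY headers from any peer lets every LAN client choose what appears in the query log, so the header must only be honoured on a listener (or from source addresses) dedicated to the proxy, which is also why the proxy-facing port in the setups above sits on the docker-internal network.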

Now dnsdist 1.5.0 (alpha) is available with Proxy Protocol and X-Forwarded-For support. Now pihole should follow.