From d20875294f36c894f6f2e453d0718ae74ed0c516 Mon Sep 17 00:00:00 2001
From: Seji64
Date: Fri, 20 Sep 2024 16:38:08 +0200
Subject: [PATCH] fix reload.certs.snidust action/hook
---
 configs/dnsdist/conf.d/00-SniDust.conf | 15 +++++++++++++++
 configs/dnsdist/dnsdist.conf.template | 8 +++++---
 2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/configs/dnsdist/conf.d/00-SniDust.conf b/configs/dnsdist/conf.d/00-SniDust.conf
index 8904fb5..083dd2d 100644
--- a/configs/dnsdist/conf.d/00-SniDust.conf
+++ b/configs/dnsdist/conf.d/00-SniDust.conf
@@ -6,6 +6,21 @@ function trim(s)
 return s:match "^%s*(.*%S)" or ""
 end
+function ReloadCerts(dq)
+ infolog("[INFO] [SniDust] Reloading certs...")
+
+ -- prevent the query from going upstream
+ dq.dh:setQR(true)
+
+ -- load
+ reloadAllCertificates()
+
+ infolog("[INFO] [SniDust] Certs reloaded!")
+
+ -- respond with a local address just in case
+ return DNSAction.Spoof, "127.0.0.7"
+end
+
 -- read all the domains in a set
 function LoadBlocklists(smn, folder)
 f = io.popen('/bin/ls ' .. folder .. '*.lst')
diff --git a/configs/dnsdist/dnsdist.conf.template b/configs/dnsdist/dnsdist.conf.template
index bb4f6aa..af1cc33 100644
--- a/configs/dnsdist/dnsdist.conf.template
+++ b/configs/dnsdist/dnsdist.conf.template
@@ -24,9 +24,11 @@ echo ""
 echo "-- Add plain DNS bind"
 echo "addLocal('${DNSDIST_BIND_IP}:5300')"
 echo ""
+
 if [ "${DNSDIST_ENABLE_DOT}" == "true" ]; then
 echo "-- Add DoT bind"
 echo "addTLSLocal('${DNSDIST_BIND_IP}:8530','/etc/dnsdist/certs/tls.pem','/etc/dnsdist/certs/tls.key')"
+ echo ""
 else
 echo "-- TLS Endpoints disabled"
 fi
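Review bot: `ReloadCerts` logs "Certs reloaded!" unconditionally right after `reloadAllCertificates()`, so the log can read as success when the new certificate or key was not loaded. Whether the call raises or only logs its own per-frontend errors is not visible here and should be confirmed; if it raises, the second `infolog` is skipped and the failure is only as visible as the LuaAction error path makes it. Capture the outcome explicitly, e.g. `local ok, err = pcall(reloadAllCertificates)` followed by `if not ok then errlog("[ERROR] [SniDust] Cert reload failed: " .. tostring(err)) end`, and reword the success line to say the reload was triggered rather than completed. An operator rotating DoT certificates needs the log to distinguish "new cert in use" from "old cert still served".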
@@ -69,12 +71,12 @@ echo "-- query reload.domainlist.snidust.local to reload Blocklist"
 echo "addAction(AndRule({QNameRule(\"reload.domainlist.snidust.local\"),QTypeRule(\"A\")}),LuaAction(ReloadBlocklist))"
 echo ""
-echo "-- queryreload.acl.snidust.local to reload Blocklist"
+echo "-- query reload.acl.snidust.local to reload Blocklist"
 echo "addAction(AndRule({QNameRule(\"reload.acl.snidust.local\"),QTypeRule(\"A\")}),LuaAction(ReloadACL))"
 echo ""
-echo "-- queryreload.certs.snidust.local to reload certificates used for DoT"
-echo "addAction(AndRule({QNameRule(\"reload.certs.snidust.local\"),QTypeRule(\"A\")}),reloadAllCertificates())"
+echo "-- query reload.certs.snidust.local to reload certificates used for DoT"
+echo "addAction(AndRule({QNameRule(\"reload.certs.snidust.local\"),QTypeRule(\"A\")}),LuaAction(ReloadCerts))"
 echo ""
 if [ "${SPOOF_ALL_DOMAINS}" == "true" ]; then
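Review bot: The `reload.certs.snidust.local` rule matches on query name and type only, so every client the dnsdist ACL lets through can make the server re-read its DoT certificate and key with an ordinary A query. Nothing visible in this hunk restricts the source or the frequency. If the reload is only meant to be triggered from the host or container itself (the caller is not shown here), add a source condition to the `AndRule`, e.g. `NetmaskGroupRule(adminNMG)`, where `adminNMG` is a placeholder name for a group built with `newNMG()` and `adminNMG:addMask("127.0.0.0/8")`. The `reload.domainlist` and `reload.acl` rules in the context lines have the same shape and would benefit from the same guard.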