Hello, Vladimir
Thank you for answering.
As you advised, I added the policy, but it seems that I again cannot do a reverse lookup.
kometch@dns02:/etc/knot-resolver$ drill -x 192.168.122.223
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 16206
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; 223.122.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
;; AUTHORITY SECTION:
168.192.in-addr.arpa. 604038 IN SOA prisoner.iana.org. hostmaster.root-servers.org. 1 604800 60 604800 604800
;; ADDITIONAL SECTION:
;; Query time: 1 msec
;; SERVER: 192.168.122.223
;; WHEN: Tue Apr 18 20:51:11 2017
;; MSG SIZE rcvd: 123
I checked the port (10053) with tcpdump, but it seems that no inquiries from kresd have been made.
Best regards.
On 2017/04/18 20:40:56, Vladimír Čunát <vladimir.cunat@nic.cz> wrote:
On 04/18/2017 01:33 PM, Horigome Yoshihito wrote:
> As you say, adding policy.del(0) no longer gets blocked.
> However, it is as follows and ANSWER is not returned.
The config you sent did not forward any reverse address ranges. Adding
a rule for that should do what you want, if I guess your intentions correctly:
policy.add(policy.suffix(policy.FORWARD('192.168.122.223@10053',
'192.168.122.224@10053'), '168.192.in-addr.arpa'))
--Vladimir
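
An added example, not part of the original thread: the NXDOMAIN above carries an authority SOA whose MNAME is prisoner.iana.org, the AS112 sink for RFC 1918 reverse zones, so the PTR query was answered from public data instead of the internal forward target. The check below parses drill output and flags that case; the function names are hypothetical and the sample is the output from the message, trimmed.

```python
import ipaddress
import re

# drill output quoted from the message above, trimmed to the relevant lines.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 16206
;; QUESTION SECTION:
;; 223.122.168.192.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
168.192.in-addr.arpa. 604038 IN SOA prisoner.iana.org. hostmaster.root-servers.org. 1 604800 60 604800 604800
"""

AS112_MNAME = "prisoner.iana.org."  # SOA MNAME served by the AS112 sink servers


def parse_drill(text):
    """Extract rcode, PTR question name and authority SOA (owner, mname)."""
    rcode = re.search(r"rcode:\s*(\w+)", text)
    qname = re.search(r"^;;\s+(\S+\.in-addr\.arpa\.)\s+IN\s+PTR", text, re.M)
    soa = re.search(r"^(\S+)\s+\d+\s+IN\s+SOA\s+(\S+)", text, re.M)
    return {
        "rcode": rcode.group(1) if rcode else None,
        "qname": qname.group(1) if qname else None,
        "soa_owner": soa.group(1) if soa else None,
        "soa_mname": soa.group(2) if soa else None,
    }


def ptr_to_ip(qname):
    """Turn d.c.b.a.in-addr.arpa. back into the IPv4 address a.b.c.d.
    Assumes a full four-label PTR name; anything else raises ValueError."""
    labels = qname.rstrip(".").split(".")[:-2]
    return ipaddress.ip_address(".".join(reversed(labels)))


def leaked_to_as112(text):
    """True when a private-range PTR query got NXDOMAIN with the AS112 SOA,
    i.e. the resolver did not send it to the internal forward target."""
    r = parse_drill(text)
    if not r["qname"] or not r["soa_mname"]:
        return False
    return (ptr_to_ip(r["qname"]).is_private
            and r["rcode"] == "NXDOMAIN"
            and r["soa_mname"].lower() == AS112_MNAME)


if __name__ == "__main__":
    print("leaked to AS112:", leaked_to_as112(SAMPLE))
```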