Issue Summary:
I need to forward DNS queries to a secondary DNS server if a specific value (IP address) is returned in the DNS response. Specifically, if the answer contains 192.168.1.1, I want the request to be forwarded to 10.10.10.1 for re-resolution.
Expected Behavior:
A user queries for a domain (e.g., dig alibaba.com).
If the result contains the IP address 192.168.1.1, the query should be automatically forwarded to another DNS server (e.g., 10.10.10.1) for further resolution.
Current Attempt:
```lua
policy.add(policy.all(function (state, req)
    log("info Policy function triggered")
    -- Get the DNS answer section
    local answer = req:answer()
    if answer then
        for _, record in ipairs(answer) do
            -- Check if the response is an A record and contains the IP 192.168.1.1
            if record.stype == kres.type.A and tostring(record.rdata) == '192.168.1.1' then
                log("info IP is 192.168.1.1, forwarding to 10.10.10.1")
                -- Forward the query to the specified DNS server
                return policy.FORWARD({'10.10.10.1'})
            end
        end
    else
        log("info No answer found")
    end
    return kres.DONE
end), true)
```
Issue:
The function triggers correctly, but the query is not being forwarded to the specified DNS server when the condition (record.rdata == '192.168.1.1') is met.
Steps to Reproduce:
Add the above Lua code to the Knot Resolver configuration.
Query for a domain (dig alibaba.com).
If the result contains the IP 192.168.1.1, the query should be forwarded, but it does not.
Environment:
Knot Resolver Version: [Include version]
Operating System: [Your OS]
Configuration: [Any relevant additional configuration]
Desired Solution:
I would like the query to forward correctly to 10.10.10.1 whenever the answer contains 192.168.1.1. Any guidance on why the forward might not be triggered or if additional configurations are needed would be appreciated.
Hello,

we are observing that Knot-resolver is refusing certain queries because of enabled DNS rebinding protection to subdomains beneath apple.com. IMHO there is no reason for that - they are not pointing to a private address range. For instance:
Unbound:
dig init.ess.apple.com @127.0.0.1 -p 53
; <<>> DiG 9.18.24-1-Debian <<>> init.ess.apple.com @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38044
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;init.ess.apple.com. IN A
;; ANSWER SECTION:
init.ess.apple.com. 81 IN CNAME init-cdn-lb.ess-apple.com.akadns.net.
init-cdn-lb.ess-apple.com.akadns.net. 27 IN CNAME init.ess.g.aaplimg.com.
init.ess.g.aaplimg.com. 12 IN A 17.253.73.204
init.ess.g.aaplimg.com. 12 IN A 17.253.73.205
init.ess.g.aaplimg.com. 12 IN A 17.253.73.203
init.ess.g.aaplimg.com. 12 IN A 17.253.73.201
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Sep 18 10:42:46 CEST 2024
;; MSG SIZE rcvd: 194
Knot-resolver 5.7.4-cznic.1 freshly re-installed:
dig init.ess.apple.com @127.0.0.1 -p 2053
; <<>> DiG 9.18.24-1-Debian <<>> init.ess.apple.com @127.0.0.1 -p 2053
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 17074
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 18 (Prohibited): (EIM4)
;; QUESTION SECTION:
;init.ess.apple.com. IN A
;; ADDITIONAL SECTION:
explanation.invalid. 10800 IN TXT "blocked by DNS rebinding protection"
;; Query time: 8 msec
;; SERVER: 127.0.0.1#2053(127.0.0.1) (UDP)
;; WHEN: Wed Sep 18 10:45:40 CEST 2024
;; MSG SIZE rcvd: 124
I have also tried to remove the cache under /var/cache/knot-resolver but without any effect. There are more domain names with this behavior:
query.ess.apple.com
comm-cohort.ess.apple.com
kt-prod.ess.apple.com
Thanks.
Ales Rygl
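As an added illustration for both messages above (example code, not Knot Resolver's rebinding module nor either poster's code), the following Python models the check a DNS rebinding filter applies to an answer: walk the answer section, take the A/AAAA rdata at the end of the CNAME chain, and flag any address in a private, loopback, link-local or unspecified range. Treating "private/loopback/link-local/unspecified" as the blocked set is an assumption about the module's rule; `SAMPLE_ANSWER` is the Unbound answer section quoted above, and `CONSTRUCTED_REBINDING_ANSWER` is a constructed answer carrying the 192.168.1.1 value from the first report so that the filter has something to flag.

```python
import ipaddress
import re

# The answer section from the Unbound dig output quoted in the message above
# (the wrapped CNAME line joined back together).
SAMPLE_ANSWER = """\
init.ess.apple.com. 81 IN CNAME init-cdn-lb.ess-apple.com.akadns.net.
init-cdn-lb.ess-apple.com.akadns.net. 27 IN CNAME init.ess.g.aaplimg.com.
init.ess.g.aaplimg.com. 12 IN A 17.253.73.204
init.ess.g.aaplimg.com. 12 IN A 17.253.73.205
init.ess.g.aaplimg.com. 12 IN A 17.253.73.203
init.ess.g.aaplimg.com. 12 IN A 17.253.73.201
"""

# Constructed answer (not from the page): a public name resolving to the
# RFC 1918 address the first report wants to detect.
CONSTRUCTED_REBINDING_ANSWER = """\
router.example.test. 300 IN A 192.168.1.1
"""

# Only the record types that appear on this page are parsed.
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME)\s+(\S+)$")


def parse_answer(text):
    """Parse dig-style answer lines into (owner, ttl, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner, int(ttl), rtype, rdata))
    return records


def is_local_address(addr):
    """True if a public DNS answer should never legitimately carry this address.

    Assumed blocked set: private (RFC 1918 and friends), loopback, link-local
    and the unspecified address, for both IPv4 and IPv6.
    """
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def check_rebinding(text):
    """Return (blocked, offending_addresses) for a dig-style answer section."""
    offending = [rdata for _, _, rtype, rdata in parse_answer(text)
                 if rtype in ("A", "AAAA") and is_local_address(rdata)]
    return (len(offending) > 0, offending)
```

Run on the quoted answer, `check_rebinding` flags nothing, which is the point the second message makes: none of the 17.253.73.x addresses is in a local range, so a filter working from the final addresses alone has no reason to refuse the query.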