I have an RPZ configuration with positive answers. I redirect RPZ hits to a landing page. I also wanted the DNS response to be verbose (SOA in additional section) so that in case I forget about it, a DNS lookup makes it obvious what's going on. This page https://knot-resolver.readthedocs.io/en/stable/modules.html?highlight=genRR#query-policies helped me come up with the following solution:
-- RPZ
-- custom response

-- Append an SOA record for `dname` to the packet; MNAME defaults to `dname`.
-- The rdata is hand-encoded wire format: MNAME, RNAME, then serial, refresh,
-- retry, expire and minimum as big-endian 32-bit integers (TTL 900).
local function mkauth_soa(answer, dname, mname)
    if mname == nil then
        mname = dname
    end
    return answer:put(dname, 900, answer:qclass(), kres.type.SOA,
        mname .. '\6daniel\10stirnimann\5gmail\3com\0\0\0\0\0\0\0\14\16\0\0\3\132\0\9\58\128\0\0\3\132')
end

local ffi = require('ffi')

-- Custom RPZ action: answer A and AAAA queries with the landing page address,
-- flag the answer as authoritative and put the RPZ zone's SOA in the
-- additional section so the redirect is visible in a plain DNS lookup.
local function genRR(state, req)
    local answer = req.answer
    local qry = req:current()
    if qry.stype == kres.type.A then
        ffi.C.kr_pkt_make_auth_header(answer)
        answer:rcode(kres.rcode.NOERROR)
        answer:begin(kres.section.ANSWER)
        answer:put(qry.sname, 900, answer:qclass(), kres.type.A, '\192\168\2\1')
        answer:begin(kres.section.ADDITIONAL)
        mkauth_soa(answer, '\3rpz\3int\6seckle\2ch\0')
        return kres.DONE
    elseif qry.stype == kres.type.AAAA then
        ffi.C.kr_pkt_make_auth_header(answer)
        answer:rcode(kres.rcode.NOERROR)
        answer:begin(kres.section.ANSWER)
        answer:put(qry.sname, 900, answer:qclass(), kres.type.AAAA, '\042\002\001\104\064\036\0\0\0\0\0\0\0\0\0\1')
        answer:begin(kres.section.ADDITIONAL)
        mkauth_soa(answer, '\3rpz\3int\6seckle\2ch\0')
        return kres.DONE
    else
        -- any other query type: leave the request state untouched
        return state
    end
end

-- rpz policy: respond with custom function genRR
policy.add(policy.rpz(genRR, '/etc/kresd/rpz.int.seckle.ch.zone'))
Daniel
On 7/29/19 10:20 AM, Balakrishnan B wrote:
I am trying to add wildcard static hints to catch all local domains like below, but it does not seem to work.
hints['nextcloud.local'] = '127.0.0.1' -- This works fine
hints['*.local'] = '127.0.0.1'
hints['.local'] = '127.0.0.1'
DNSMasq supports this (see https://stackoverflow.com/a/22551303).
Is there a way to do this in Knot?
No, I don't think there's a good way currently. The hints module only supports exact names with A and AAAA and corresponding PTR, like in /etc/hosts files. With our [RPZ] you can do wildcards, but there's no support for positive answers (so you need to do NXDOMAIN or similar denials).
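The hand-encoded SOA rdata in Daniel's mkauth_soa is easy to get wrong by a byte, and a single-digit Lua escape followed by a digit (a label such as "3com") silently changes the value. As an added example, not code from the thread or from Knot Resolver, this Python helper builds that rdata from readable values, renders it as a Lua literal for the kresd config, and decodes a literal back into fields so it can be checked; PAGE_MNAME and PAGE_REST are the two literals copied from the snippet above.

```python
# Added helper, not part of the thread: build the SOA rdata that Daniel's
# mkauth_soa() hands to answer:put(), and decode such a literal back for checking.
import re
import struct
SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
# The two literals from Daniel's snippet, as kresd concatenates them (mname .. rest).
PAGE_MNAME = r"'\3rpz\3int\6seckle\2ch\0'"
PAGE_REST = r"'\6daniel\10stirnimann\5gmail\3com\0\0\0\0\0\0\0\14\16\0\0\3\132\0\9\58\128\0\0\3\132'"

def encode_name(name):
    """Dotted name -> DNS wire format: length-prefixed labels ending in a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if len(label) > 63:
            raise ValueError("label longer than 63 octets: " + label)
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\0"

def decode_name(data, offset=0):
    """Wire-format name at offset -> (dotted name, offset past it). Hand-built rdata
    never contains compression pointers, so none are handled here."""
    labels = []
    while data[offset] != 0:
        n = data[offset]
        labels.append(data[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ".".join(labels) + ".", offset + 1

def soa_rdata(mname, rname, serial, refresh, retry, expire, minimum):
    """MNAME, RNAME, then five unsigned 32-bit big-endian counters (RFC 1035 3.3.13)."""
    return encode_name(mname) + encode_name(rname) + struct.pack(
        "!IIIII", serial, refresh, retry, expire, minimum)

def parse_soa_rdata(rdata):
    """Inverse of soa_rdata(); rejects truncated or over-long rdata."""
    mname, off = decode_name(rdata)
    rname, off = decode_name(rdata, off)
    if len(rdata) != off + 20:
        raise ValueError("SOA rdata must end exactly after the five counters")
    return dict(zip(SOA_FIELDS, (mname, rname) + struct.unpack("!IIIII", rdata[off:])))

def lua_escape(data):
    """Bytes -> Lua literal with 3-digit \\ddd escapes, so a digit that follows
    an escape (e.g. the label '3com') is never swallowed into it."""
    return "'" + "".join("\\%03d" % b for b in data) + "'"

def lua_unescape(literal):
    """Lua single-quoted literal with \\ddd escapes (1-3 digits, as Lua reads them) -> bytes."""
    return bytes(int(m.group(1)) if m.group(1) else ord(m.group(0))
                 for m in re.finditer(r"\\(\d{1,3})|.", literal.strip("'")))
```

parse_soa_rdata(lua_unescape(PAGE_MNAME) + lua_unescape(PAGE_REST)) shows the snippet's SOA as rpz.int.seckle.ch. / daniel.stirnimann.gmail.com. with refresh 3600, retry 900, expire 604800 and minimum 900, which is what a "dig" against the resolver should print.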