Hello Tomas,
You are right, it was just those silly configuration mistakes. Everything works now :)
Thank you so much!
Best regards,
--Manuel
________________________________
De: Tomas Krizek
Enviado: Viernes, 11 de Diciembre de 2020 13:25
Para: Knot Resolver Users List; Urueña-Pascual Manuel
Asunto: Re: [knot-resolver-users] Is policy.rpz a non-chain action?
Hi, the use-case you're trying to achieve is possible, but there are
some issues with your configuration.
On 10/12/2020 17.29, Urueña-Pascual Manuel wrote:>
policy.add(policy.rpz(policy.DENY_MSG('domain blocked'),
'/etc/knot-resolver/blocklist.rpz', true))
policy.add(policy.rpz(policy.PASS(),
'/etc/knot-resolver/allowlist.rpz', true))
You want to specify "policy.PASS" without the brackets.
and these are the RPZ zones:
$ cat '/etc/knot-resolver/allowlist.rpz':
www.google.com<http://www.google.com> 600 IN CNAME rpz-passthrough.
www.bing.com<http://www.bing.com> 600 IN CNAME rpz-passthrough.
When you provide kresd these RPZ zones, it will complain:
[poli] RPZ /tmp/kr_dev/etc/knot-resolver/allowlist.rpz:1: CNAME with
custom target in RPZ is not supported yet (ignored)
It's because you're trying to use unsupported CNAME. See the table in
our docs [1]. What you're probably looking for is "rpz-passthru."
instead. However, if you're using a separate allowlist with policy.PASS
action (which is your case) "." would also work here.
You should also be able to combine the blocklist and allowlist into just
a single rpz file, using policy.DENY_MSG("...") and controlling whether
domain is blocked ("CNAME .") or allowed ("CNAME rpz-passthru.") with
the RPZ rules themselves.
[1] -
https://knot-resolver.readthedocs.io/en/stable/modules-policy.html#response…
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869