These are chat archives for CZ-NIC/knot-resolver

11th Jul 2018
Robert Šefr
@robcza
Jul 11 2018 12:21

Am I able to avoid/disable any of the default policies? I mean, I would like to forward/stub PTR queries for the local subnets to a particular server. e.g.:
policy.add(policy.pattern(policy.STUB('10.10.0.1'), '[%.%d]+\210\7in-addr\4arpa'))

Even with this rule my query does not go through and is blocked by the default policy as defined here https://github.com/CZ-NIC/knot-resolver/blob/master/modules/policy/policy.lua#L707

dig -x 10.10.0.1 @127.0.0.1

; <<>> DiG 9.10.3-P4-Ubuntu <<>> -x 10.10.0.1 @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60774
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;1.0.160.10.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
1.0.160.10.in-addr.arpa. 10800    IN    SOA    1.0.160.10.in-addr.arpa. nobody.invalid. 1 3600 1200 604800 10800

;; ADDITIONAL SECTION:
explanation.invalid.    10800    IN    TXT    "Blocking is mandated by standards, see references on https://www.iana.org/assignments/locally-served-dns-zones/locally-served-dns-zones.xhtml"

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jul 11 14:17:27 CEST 2018
;; MSG SIZE  rcvd: 275
Vladimír Čunát
@vcunat
Jul 11 2018 12:23
@robcza are you sure about the setup? Default policies should only apply if no other policy has applied to that request. (for recent knot-resolver versions)
Vladimír Čunát
@vcunat
Jul 11 2018 13:00
One mistake is that "-" is a special character. Another mistake is that "\210" in a lua string is an escape for byte with that value.
@robcza: you probably want '\00210\7in%-addr\4arpa\0'
Vladimír Čunát
@vcunat
Jul 11 2018 13:05
Actually you should prefer
policy.add(policy.suffix(policy.STUB('10.0.0.1'), {todname('10.in-addr.arpa')}))