These are chat archives for CZ-NIC/knot-resolver

18th
Oct 2018
Robert Šefr
@robcza
Oct 18 2018 15:03

I'm trying to achieve this (kres 2.4.1):

  • allow everyone to resolve google.com
  • refuse queries from 127.0.0.1

I would expect this policy and view to do the trick:

modules = {'policy', 'view'}
policy.add(policy.suffix(policy.PASS, {todname('google.com.')}))
view:addr('127.0.0.1/32', policy.all(policy.REFUSE))

However, I receive REFUSED on dig google.com @127.0.0.1
What am I doing wrong?

Vladimír Čunát
@vcunat
Oct 18 2018 15:19
policy and view currently act "independently", so PASS for one won't affect the other.
I think this will work the way you want if you wrap the policy rule with view:addr('0.0.0.0/0' and use this patch https://gitlab.labs.nic.cz/knot/knot-resolver/merge_requests/678
Robert Šefr
@robcza
Oct 18 2018 19:22
Will I get the same behavior through daf? Seems more readable to me and I'd like to make use of the rewrite action in some cases.