These are chat archives for CZ-NIC/knot-resolver

7th Nov 2018
Vladimír Čunát
@vcunat
Nov 07 2018 12:18
The minimization test works now for us, and some of those DnsViz errors also went away.
Robert Šefr
@robcza
Nov 07 2018 12:32

I'm still confused with the policy/view logic. The use case I want to achieve (in this sequence):

  • FORWARD all queries (from any source IP) for domain example.com to 10.10.10.1
  • accept queries from network 10.0.0.0/8
  • REFUSE queries from all other networks

This is the configuration I expect to do the job

modules = {'policy', 'view'}
policy.add(policy.suffix(policy.FORWARD('10.10.10.1@53'), {todname('example.com.')}))
view:addr('10.0.0.0/8', policy.all(policy.PASS))
view:addr('0.0.0.0/0', policy.all(policy.REFUSE))

But the result is that even queries for example.com are REFUSEd if they come from a network other than 10.0.0.0/8

I also tried

modules = {'policy', 'view'}
view:addr('0.0.0.0/0', policy.suffix(policy.FORWARD('10.10.10.1@53'), {todname('example.com.')}))
view:addr('10.0.0.0/8', policy.all(policy.PASS))
view:addr('0.0.0.0/0', policy.all(policy.REFUSE))

That is also weird, because this one accepts any query for any domain

edoo
@ookangzheng
Nov 07 2018 19:21
@robcza I think try like this?
modules = {'policy', 'view < cache'}
view:addr('0.0.0.0/0', policy.suffix(policy.FORWARD('10.10.10.1'), {todname('example.com')}))
view:addr('10.0.0.0/8', policy.all(policy.PASS))
view:addr('0.0.0.0/0', function (req, qry) return policy.DENY end)