-Knot Resolver 1.3.0 ? (2017-05-??)
+Knot Resolver 1.3.0 (2017-06-??)
================================
Security
Improvements
------------
-- allow answering from cache in non-iterative modes (#122)
+- major feature: support for forwarding with validation (#112).
+ The old policy.FORWARD action now does that; the previous non-validating
+ mode is still avaliable as policy.STUB except that also uses caching (#122).
- command line: specify ports via @ but still support # for compatibility
- policy: recognize 100.64.0.0/10 as local addresses
- layer/iterate: *do* retry repeatedly if REFUSED, as we can't yet easily
.. _mod-policy:
-Query policies
+Query policies
--------------
This module can block, rewrite, or alter inbound queries based on user-defined policies.
* ``DENY`` - return NXDOMAIN answer
* ``DROP`` - terminate query resolution, returns SERVFAIL to requestor
* ``TC`` - set TC=1 if the request came through UDP, forcing client to retry with TCP
-* ``FORWARD(ip)`` - forward query to given IP and proxy back response (stub mode);
- it can be a single IP (string) or a list of up to four IPs.
+* ``FORWARD(ip)`` - solve a query via forwarding to an IP while validating and caching locally;
+ the parameter can be a single IP (string) or a lua list of up to four IPs.
+* ``STUB(ip)`` - similar to ``FORWARD(ip)`` but *without* attempting DNSSEC validation.
+ Each request may be either answered from cache or simply sent to one of the IPs with proxying back the answer.
* ``MIRROR(ip)`` - mirror query to given IP and continue solving it (useful for partial snooping)
* ``REROUTE({{subnet,target}, ...})`` - reroute addresses in response matching given subnet to given target, e.g. ``{'192.0.2.0/24', '127.0.0.0'}`` will rewrite '192.0.2.55' to '127.0.0.55', see :ref:`renumber module <mod-renumber>` for more information.
* ``QTRACE`` - pretty-print DNS response packets into the log (useful for debugging weird DNS servers).
* ``FLAGS(set, clear)`` - set and/or clear some flags for the query. There can be multiple flags to set/clear, combined by ``bit.bor`` from ``kres.query.*`` values.
-.. warning:: The policy module only looks at the inbound DNS queries. Thus the ``FORWARD(ip)`` policy does only forward inbound query to the specified IP address(es) and it doesn't and it can't do DNSSEC validation. If you need DNSSEC validation, you either need to disable ``FORWARD(ip)`` policy or use an upstream DNSSEC-validating resolver.
+.. warning:: The policy module currently only looks at whole DNS requests. The rules won't be re-applied e.g. when following CNAMEs.
.. note:: The module (and ``kres``) expects domain names in wire format, not textual representation. So each label in name is prefixed with its length, e.g. "example.com" equals to ``"\7example\3com"``. You can use convenience function ``todname('example.com')`` for automatic conversion.
projects / thirdparty / knot-resolver.git / commitdiff
