Deny existence of names matching filter, i.e. reply NXDOMAIN authoritatively.
-.. function:: DENY_MSG(message)
-
- Deny existence of a given domain and add explanatory message. NXDOMAIN reply contains an additional explanatory message as TXT record in the additional section.
+.. function:: DENY_MSG(message, [extended_error=kres.extended_error.BLOCKED])
+
+ Deny existence of a given domain and add explanatory message. NXDOMAIN reply
+ contains an additional explanatory message as TXT record in the additional
+ section.
+
+ You may override the extended DNS error to provide the user with more
+ information. By default, ``BLOCKED`` is returned to indicate the domain is
+ blocked due to the internal policy of the operator. Other suitable error
+ codes are ``CENSORED`` (for externally imposed policy reasons) or
+ ``FILTERED`` (for blocking requested by the client). For more information,
+ please refer to :rfc:`8914`.
.. py:attribute:: DROP
ffi.C.kr_pkt_make_auth_header(answer)
local ttl = (data or {}).ttl or 1
answer:rcode(kres.rcode.NOERROR)
+ ffi.C.kr_request_set_extended_error(req, kres.extended_error.FORGED, nil)
if data == nil then -- want NODATA, i.e. just a SOA
answer:begin(kres.section.AUTHORITY)
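Review bot: The `FORGED` extended error is attached to every reply built here, with no way for the operator to change or suppress it, so any client can now tell a locally synthesized answer from a real one. That matches the purpose of :rfc:`8914`, but it is a behaviour change for deployments that use this action to point names at a sinkhole or walled garden and do not want that advertised. The documentation changes visible in this commit describe only DENY_MSG, so consider documenting the new code on this action as well, or making it overridable the way `DENY_MSG(msg, extended_error)` now is. The enclosing function starts and ends outside this hunk.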
return pkt
end
-function policy.DENY_MSG(msg)
+function policy.DENY_MSG(msg, extended_error)
if msg and (type(msg) ~= 'string' or #msg >= 255) then
error('DENY_MSG: optional msg must be string shorter than 256 characters')
end
+ if extended_error == nil then
+ extended_error = kres.extended_error.BLOCKED
+ end
return function (_, req)
-- Write authority information
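Review bot: `extended_error` is accepted without any check, unlike `msg`, which is validated when the policy is built. A misspelled field of `kres.extended_error` evaluates to nil and silently falls back to `BLOCKED`. A value of the wrong type is only noticed when `kr_request_set_extended_error` runs for a live request. A load-time guard after the default is applied would catch the second case in the config, e.g. `if type(extended_error) ~= 'number' then error('DENY_MSG: extended_error must be a kres.extended_error code') end`, assuming those constants are plain numbers. The returned closure continues outside this hunk.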
string.char(#msg) .. msg)
end
+ ffi.C.kr_request_set_extended_error(req, extended_error, nil)
return kres.DONE
end
end
function policy.DROP(_, req)
local answer = answer_clear(req)
if answer == nil then return nil end
+ ffi.C.kr_request_set_extended_error(req, kres.extended_error.PROHIBITED, nil)
return kres.FAIL
end
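Review bot: DROP here and the REFUSED branch in the next hunk both hard-code `PROHIBITED` with no comment explaining the choice, while DENY_MSG defaults to `BLOCKED` and is configurable. Operators who read extended error codes in logs or at the client, to tell policy hits from real resolution failures, need this mapping written down. A one-line comment above each call, such as `-- EDE Prohibited (RFC 8914): mark the failure as a local policy decision`, plus a sentence in the docs for both actions, would cover it. The DROP doc entry appears only as unchanged context in the visible docs hunk, so it may be updated elsewhere.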
if answer == nil then return nil end
answer:rcode(kres.rcode.REFUSED)
answer:ad(false)
+ ffi.C.kr_request_set_extended_error(req, kres.extended_error.PROHIBITED, nil)
return kres.DONE
end
cb=policy.suffix_common(policy.DENY_MSG(
'Blocking is mandated by standards, see references on '
.. 'https://www.iana.org/assignments/'
- .. 'locally-served-dns-zones/locally-served-dns-zones.xhtml'),
+ .. 'locally-served-dns-zones/locally-served-dns-zones.xhtml',
+ kres.extended_error.NOTSUP),
private_zones, todname('arpa.')),
count=0
},
cb=policy.suffix(policy.DENY_MSG(
'Blocking is mandated by standards, see references on '
.. 'https://www.iana.org/assignments/'
- .. 'special-use-domain-names/special-use-domain-names.xhtml'),
+ .. 'special-use-domain-names/special-use-domain-names.xhtml',
+ kres.extended_error.NOTSUP),
{
todname('test.'),
todname('onion.'),