Forwarding implementation in Knot Resolver has following properties:
- Answers from *upstream* servers are cached.
- - Answers from *upstream* servers are locally DNSSEC-validated, unless ``policy.STUB`` is used.
+ - Answers from *upstream* servers are locally DNSSEC-validated, unless :func:`policy.STUB` is used.
- Resolver automatically selects which IP address from given set of IP addresses will be used (based on performance characteristics).
- Forwarding can use either unencrypted DNS protocol, or :ref:`tls-forwarding`.
The module for :rfc:`6147` DNS64 AAAA-from-A record synthesis, it is used to enable client-server communication between an IPv6-only client and an IPv4-only server. See the well written `introduction`_ in the PowerDNS documentation.
If no address is passed (i.e. ``nil``), the well-known prefix ``64:ff9b::`` is used.
-.. warning:: The module currently won't work well with :ref:`policy.STUB <mod-policy>`.
+.. warning:: The module currently won't work well with :func:`policy.STUB`.
Also, the IPv6 passed in configuration is assumed to be ``/96``, and
PTR synthesis and "exclusion prefixes" aren't implemented.
-------------------------------------------
.. function:: TLS_FORWARD( { {ip_address, authentication}, [...] } )
- Same as :func:`FORWARD` but send query over DNS-over-TLS protocol (encrypted).
+ Same as :func:`policy.FORWARD` but send query over DNS-over-TLS protocol (encrypted).
Each target IP address needs explicit configuration how to validate
TLS certificate so each IP address is configured by pair:
``{ip_address, authentication}``. See sections below for more details.
Policy :func:`policy.TLS_FORWARD` allows you to forward queries using `Transport Layer Security`_ protocol, which hides the content of your queries from an attacker observing the network traffic. Further details about this protocol can be found in :rfc:`7858` and `IETF draft dprive-dtls-and-tls-profiles`_.
-Queries affected by `TLS_FORWARD` policy will always be resolved over TLS connection. Knot Resolver does not implement fallback to non-TLS connection, so if TLS connection cannot be established or authenticated according to the configuration, the resolution will fail.
+Queries affected by :func:`policy.TLS_FORWARD` will always be resolved over TLS connection. Knot Resolver does not implement fallback to non-TLS connection, so if TLS connection cannot be established or authenticated according to the configuration, the resolution will fail.
To test this feature you need to either :ref:`configure Knot Resolver as DNS-over-TLS server <tls-server-config>`, or pick some public DNS-over-TLS server. Please see `DNS Privacy Project`_ homepage for list of public servers.
'internal.example.com.',
'2.0.192.in-addr.arpa.' -- this applies to reverse DNS tree as well
})
- -- Beware: the rule order is important, as STUB is not a chain action.
+ -- Beware: the rule order is important, as policy.STUB is not a chain action.
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}), extraTrees))
policy.add(policy.suffix(policy.STUB({'2001:db8::1'}), extraTrees))
projects / thirdparty / knot-resolver.git / commitdiff
