hectorm / hblock-resolver

A Docker image of Knot DNS Resolver with hBlock.

Home Page:https://hub.docker.com/r/hectorm/hblock-resolver


forward to internal private server?

bcookatpcsd opened this issue · comments

I wanted to try and get started working with grafana.. and your knot-resolver docker image looks great.

I wanted to get some internal usage here at work, without changing too much in your image..

I see the 090-policy-forward.conf, but that seems to be only DoT forwarding.

To be clear, there is not currently a non-DoT forward present?

(just wanted to make sure that I didn't miss it.. )

Thank you in advance.

docker run ... \
  --mount type=bind,src=/etc/knot-resolver/local.conf,dst=/etc/knot-resolver/kresd.conf.d/090-policy-forward.conf \
  ...

cat local.conf

-- Forward every query to the internal server over plain DNS (UDP/TCP port 53).
policy.add(policy.all(
  policy.FORWARD({'99.88.77.66@53'})))

I tried to work out the Lua code to parse the env (not knowing Lua).

Stopped the timer at :30.. here we are..

This project is currently set up to forward queries to DoT servers.

But you can easily change this by replacing the 090-policy-forward.conf file as you are doing now. I see the change you made to that file is correct. It doesn't work?

By the way, I just replaced my custom Caddy fork with the official Traefik image in the deployment examples.
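For the env-driven variant the issue author was after, here is an added example of a drop-in replacement for kresd.conf.d/090-policy-forward.conf (it is not code from the hblock-resolver image or from anyone in this thread). It reads a comma-separated list of upstream addresses from an environment variable, validates that each entry is an IP literal with an optional @port, and forwards every query to those servers over plain DNS. The variable name KRESD_FORWARD_SERVERS and the helper parse_servers are assumptions of this example; the image itself defines neither.

```lua
-- Added example: plain-DNS forwarding driven by an environment variable.
-- Not part of hectorm/hblock-resolver; KRESD_FORWARD_SERVERS is an assumed name.
-- Mount this file over kresd.conf.d/090-policy-forward.conf in the container.

local spec = os.getenv('KRESD_FORWARD_SERVERS') or ''

-- Parse "ip[@port],ip[@port],..." into the table policy.FORWARD expects.
-- Only IP literals are accepted: kresd forwards to addresses, not hostnames,
-- and a hostname here would silently fail to resolve at startup.
local function parse_servers(s)
  local servers = {}
  for item in s:gmatch('[^,%s]+') do
    local host, port = item:match('^([^@]+)@?(%d*)$')
    if host == nil then
      error('bad upstream entry: ' .. item)
    end
    local is_ip4 = host:match('^%d+%.%d+%.%d+%.%d+$') ~= nil
    local is_ip6 = host:match('^[%x:]+$') ~= nil and host:find(':', 1, true) ~= nil
    if not (is_ip4 or is_ip6) then
      error('upstream must be an IPv4 or IPv6 address: ' .. host)
    end
    if port ~= '' and tonumber(port) > 65535 then
      error('bad port in upstream entry: ' .. item)
    end
    -- Default to port 53 when no @port is given.
    table.insert(servers, host .. '@' .. (port ~= '' and port or '53'))
  end
  return servers
end

local servers = parse_servers(spec)

if #servers > 0 then
  -- Forward everything to the configured servers over plain DNS (port 53 by default).
  -- There is no transport security on this path, so the upstream must be on a
  -- network you already trust; kresd still performs DNSSEC validation itself
  -- unless trust anchors are removed elsewhere in the configuration.
  policy.add(policy.all(policy.FORWARD(servers)))
else
  -- Variable unset or empty: do not add a forward rule, so the resolver
  -- keeps resolving recursively from the root.
  print('KRESD_FORWARD_SERVERS is empty; resolving recursively')
end
```

Set it in the container environment, e.g. KRESD_FORWARD_SERVERS='99.88.77.66,10.0.0.2@5353'. Because the image's own 090-policy-forward.conf is replaced rather than supplemented, the DoT forwarding it normally configures is gone; keep that in mind if the container is also expected to reach the public internet through an encrypted upstream.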

commented

Not the best way to do it, I bet, but it works.

Mount in docker compose:

  • ./kresd4.conf.d/065-local-domains.conf:/etc/knot-resolver/kresd.conf.d/065-local-forward.conf

-- Forward local DNS queries to the local domain server.

-- Forward and reverse zones that should never leave the LAN.
-- Note: '172.in-addr.arpa' covers all of 172.0.0.0/8, not only the
-- private 172.16.0.0/12 range; narrow it to the /16s actually in use if that matters.
internalDomains = policy.todnames(
{'your.domain.local',
'10.in-addr.arpa',
'172.in-addr.arpa',
'168.192.in-addr.arpa',
'0.0.f.f.c.1.4.2.5.d.1.9.d.f.ip6.arpa'}
)
-- FLAGS rules are non-terminal, so both apply before the STUB rule below ends evaluation.
-- NO_CACHE: always ask the internal server, so changes to local records are seen at once.
-- NO_EDNS: send plain queries for servers that mishandle EDNS.
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}), internalDomains))
policy.add(policy.suffix(policy.FLAGS({'NO_EDNS'}), internalDomains))
-- STUB: send these names to the internal server and return its answer as-is
-- (no recursion through the forwarder's own upstreams).
policy.add(policy.suffix(policy.STUB({'192.168.91.50'}), internalDomains))

-- Needed to allow internal domains: the rebinding module drops answers that
-- contain private addresses, which is exactly what the internal server returns.
modules.unload('rebinding')

Thank you. That looks better than mine.

Also..

-- Turns off DNSSEC validation entirely by removing the root trust anchor.
trust_anchors.remove('.')

Usually I do this as I'm using NextDNS upstream and they do DNSSEC.

will test but:

-- trust_anchors.remove() takes a single zone name; to exempt several internal zones
-- from validation, use negative trust anchors, which take the whole list.
trust_anchors.set_insecure({'your.domain.local.', '10.in-addr.arpa.'}) -- etc.

I never found the rebinding one. I wonder if that was the cause of other problems I was having.

Thank you..

commented

Ah, I use Knot DNS inside a container alongside this one to host my own internal zones.
Knot DNS fixes the DNSSEC part.