Knot policies and ipset

I have TOS 6.0.3 and I’m trying to set up Knot with ipset to forward specific traffic to a Wireguard peer.
I found these 2 entries to guide me:

I have ipset running on port 53000:

root@turris:~# ipset-dns itv4 itv6 53000 1.1.1.1

Included in /etc/kresd/custom.conf:

...
ITTVService = { 'rai.it','raiuno1-live.akamaized.net'}
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE', 'NO_EDNS'}), ITTVService))
policy.add(policy.suffix(policy.STUB({'127.0.0.1@53000'}), policy.todnames(ITTVService)))
...

In one console I executed these commands:

/etc/init.d/resolver restart
ipset flush ipv4
ping -c 1 rai.it
ping -c 1 rai.it
ping -c 1 raiuno1-live.akamaized.net
ping -4 -c 1 raiuno1-live.akamaized.net

In the ipset, I can only find the IP of the first site.
In another console I have:

tcpdump -i lo dst port 53 or dst port 53000

I can see all the requests to port 53.

19:31:45.572895 IP localhost.56831 > localhost.53: 16563+ A? rai.it. (24)
19:31:45.573749 IP localhost.58538 > localhost.53000: UDP, length 35
19:32:08.067394 IP localhost.55639 > localhost.53: 51428+ A? rai.it. (24)
19:32:39.344919 IP localhost.39082 > localhost.53: 39576+ AAAA? raiuno1-live.akamaized.net. (44)
19:32:45.887395 IP localhost.35609 > localhost.53: 12801+ A? raiuno1-live.akamaized.net. (44)

But only one request was forwarded to ipset-dns on port 53000, and the IP added to the ipset.
I am thinking that Knot is still caching some requests and the policy is not processing them properly.

Does anyone have a working ipset-dns instance with knot?

I have all the routing working for IPv4, but I have issues with IPv6.
Is there a way to force Knot to return only A requests for specific domains?

Your config line with NO_CACHE is buggy. You need to apply .todnames. Perhaps already on the line above, so that you don’t need to repeat it.

Thank you.
I fixed that line, but ultimately removed it.
I tried several combinations of STUB/FORWARD and pattern/suffix:

policy.add(policy.pattern(policy.STUB({'127.0.0.1@53000'}), 'raiuno1-live.akamaized.net'))
policy.add(policy.pattern(policy.FORWARD({'127.0.0.1@53000'}), 'raiuno1-live.akamaized.net'))

'raiuno1-live.akamaized.net' won’t get forwarded.
'rai.it' seems to work.

I don’t recommend .pattern. It very often gets misunderstood. Lua patterns are basically unknown and quite different from what people are familiar with (e.g. posix regular expressions).

And .FORWARD probably isn’t suitable for your purpose either, though I haven’t looked into ipset-dns much.

Ipset-dns is just a DNS forwarder that saves IP addresses into an ipset.
I was able to configure the “NO_CACHE” correctly.
Every request for “rai.it” gets forwarded to port 53000 (verified with tcpdump).

extraTrees = policy.todnames(
    {'rai.it',
     'raiuno1-live.akamaized.net'
     })
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE', 'NO_IPV6','AWAIT_IPV4'}), extraTrees))
policy.add(policy.suffix(policy.STUB({'127.0.0.1@53000'}), extraTrees))

The other address is never forwarded (even with FORWARD; no packet is sent to port 53000).
Is it possible that having a CNAME on it makes it resolve differently?

If I add the Canonical name, it seems to be working (request is forwarded to port 53000), but the returned IP addresses are different.

It can’t discover whether there’s a CNAME or not until it gets back an answer.

Trying to set these flags doesn’t make any sense to me at all, but even with them it seems to work correctly for me and simply proxy both queries.
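The CNAME question above and the reply that the resolver cannot know about a CNAME before it has an answer come down to one thing: a suffix policy is decided on the query name alone. The following added example (not code from the thread or from Knot Resolver) models that with a small label-wise suffix matcher that mirrors, as an assumption, how policy.suffix with policy.todnames selects queries, and walks a constructed answer whose CNAME target and address are placeholders rather than the real records for that host.

```python
"""Added example, not from the forum thread or from kresd itself.

Models how a rule like
    policy.add(policy.suffix(policy.STUB({'127.0.0.1@53000'}), extraTrees))
selects queries: the decision uses only the query name, before any answer
exists, so a CNAME target inside the eventual answer never enters the match.
The label-wise matching below is an assumption about policy.suffix semantics.
"""


def to_dname(name: str) -> str:
    """Normalise like policy.todnames: lowercase, exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def labels(name: str) -> list:
    """Split a normalised name into its labels ('www.rai.it.' -> ['www','rai','it'])."""
    return to_dname(name).rstrip(".").split(".")


def suffix_match(qname: str, suffixes) -> bool:
    """True if qname equals a suffix or lies below it on a label boundary.

    'www.rai.it' matches 'rai.it'; 'notrai.it' does not, because matching is
    per label, not per character.
    """
    q = labels(qname)
    for s in suffixes:
        sl = labels(s)
        if len(q) >= len(sl) and q[-len(sl):] == sl:
            return True
    return False


# Names taken from the thread's extraTrees list.
EXTRA_TREES = ["rai.it", "raiuno1-live.akamaized.net"]

# Constructed sample answer: the CNAME target and the address are placeholders
# (RFC 5737 documentation range), not the real records for that hostname.
SAMPLE_ANSWER = [
    ("raiuno1-live.akamaized.net.", "CNAME", "edge-placeholder.example.net."),
    ("edge-placeholder.example.net.", "A", "192.0.2.10"),
]


def decide_forwarding(qname: str, suffixes) -> str:
    """Policy decision taken at query time; only the query name is available."""
    if suffix_match(qname, suffixes):
        return "STUB 127.0.0.1@53000"
    return "normal resolution"


def owner_names(answer) -> list:
    """Owner names present in an answer; known only after the response arrives."""
    return [owner for owner, _, _ in answer]


def addresses_for_ipset(answer) -> list:
    """A records an ipset-dns style forwarder would add to the set."""
    return [rdata for _, rtype, rdata in answer if rtype == "A"]


if __name__ == "__main__":
    for q in ["rai.it", "www.rai.it", "notrai.it", "raiuno1-live.akamaized.net"]:
        print(f"{q:30} -> {decide_forwarding(q, EXTRA_TREES)}")
    # The CNAME target is not in the policy list, but it never needs to be:
    # the whole answer travels through whichever path the query name chose.
    print("owners in answer:", owner_names(SAMPLE_ANSWER))
    print("addresses for ipset:", addresses_for_ipset(SAMPLE_ANSWER))
```

Running it shows that the query name for the akamaized host is selected by the suffix rule while its (placeholder) CNAME target is not, and that this does not matter: the forwarder receiving the query gets the complete answer, CNAME chain and A records included, so the addresses still reach the ipset. The label-boundary behaviour is also why a name such as notrai.it is not caught by a rai.it suffix rule.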