I have TOS 6.0.3 and I’m trying to set up Knot with ipset to forward specific traffic to a WireGuard peer.
I found these 2 entries to guide me:
I have ipset running on port 53000:
root@turris:~# ipset-dns itv4 itv6 53000 1.1.1.1
Include to /etc/kresd/custom.conf
...
-- names whose traffic should go through the WireGuard peer
ITTVService = { 'rai.it', 'raiuno1-live.akamaized.net' }
-- policy.suffix() expects wire-format names, so both rules must use policy.todnames();
-- FLAGS is a chain action (evaluation continues), so it has to come before the final STUB rule
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE', 'NO_EDNS'}), policy.todnames(ITTVService)))
policy.add(policy.suffix(policy.STUB({'127.0.0.1@53000'}), policy.todnames(ITTVService)))
...
In one console I executed these commands:
/etc/init.d/resolver restart
ipset flush ipv4
ping -c 1 rai.it
ping -c 1 rai.it
ping -c 1 raiuno1-live.akamaized.net
ping -4 -c 1 raiuno1-live.akamaized.net
In the ipset, I can only find the IP of the first site.
In another console I have:
tcpdump -i lo dst port 53 or dst port 53000
I can see all the requests to port 53.
19:31:45.572895 IP localhost.56831 > localhost.53: 16563+ A? rai.it. (24)
19:31:45.573749 IP localhost.58538 > localhost.53000: UDP, length 35
19:32:08.067394 IP localhost.55639 > localhost.53: 51428+ A? rai.it. (24)
19:32:39.344919 IP localhost.39082 > localhost.53: 39576+ AAAA? raiuno1-live.akamaized.net. (44)
19:32:45.887395 IP localhost.35609 > localhost.53: 12801+ A? raiuno1-live.akamaized.net. (44)
But only one request was forwarded to ipset-dns on port 53000, and the IP added to the ipset.
I am thinking that Knot is still caching some requests and the policy is not processing them properly.
Does anyone have a working ipset-dns instance with knot?
I have all the routing working for IPv4, but I have issues with IPv6.
Is there a way to force Knot to return only A records for specific domains?
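As an added example (not the poster's configuration), one way to express both requirements in kresd's Lua policy: the NO_CACHE/NO_EDNS flags are chained in front of a final rule that sends everything except AAAA for these names to ipset-dns and answers AAAA with policy.DENY (NXDOMAIN) so clients settle on the IPv4 path. It assumes ipset-dns is listening on 127.0.0.1:53000 as in the post, and that a negative AAAA answer is acceptable for the client software in use.

```lua
-- /etc/kresd/custom.conf fragment (added example, not from the original post)
-- Names whose lookups should be steered through ipset-dns and the tunnel.
local ittv_names = policy.todnames({ 'rai.it', 'raiuno1-live.akamaized.net' })

-- policy.suffix() returns a rule function(req, query) that yields the action
-- only when the query name falls under one of the suffixes, nil otherwise.
local ittv_flags = policy.suffix(policy.FLAGS({ 'NO_CACHE', 'NO_EDNS' }), ittv_names)
local ittv_stub  = policy.suffix(policy.STUB({ '127.0.0.1@53000' }), ittv_names)  -- assumed listener
local ittv_deny  = policy.suffix(policy.DENY, ittv_names)

-- FLAGS is a chain action: it marks the query uncacheable and lets evaluation
-- continue, so every repeat lookup (not only the first) still reaches the stub.
policy.add(ittv_flags)

-- Final action per query type: AAAA for these names gets NXDOMAIN (policy.DENY),
-- every other type (A in particular) is forwarded to ipset-dns, which populates
-- the itv4 set. Queries for other names return nil here and are resolved normally.
policy.add(function (req, query)
    if query.stype == kres.type.AAAA then
        return ittv_deny(req, query)
    end
    return ittv_stub(req, query)
end)
```

After `/etc/init.d/resolver restart`, repeating the `tcpdump -i lo dst port 53000` check should show one UDP packet to port 53000 per A lookup of these names, including repeated ones, while AAAA lookups never leave the resolver.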