Knot Resolver: how to return a specific IP for a query?

By “query”, I mean a FQDN: the idea would be to resolve a public record with an internal IP (domains I own) to make Let’s Encrypt workable from inside the LAN.

My current config uses the hints from /etc/config/dhcp, and this custom snippet:

local ffi = require('ffi')
-- Custom policy action: answer A queries under the matched suffix with a fixed address.
local function genRR (state, req)
        local answer = req.answer
        local qry = req:current()
        if qry.stype ~= kres.type.A then
                return state    -- not an A query: resolve normally
        end
        ffi.C.kr_pkt_make_auth_header(answer)   -- mark the answer as authoritative
        answer:rcode(kres.rcode.NOERROR)
        answer:begin(kres.section.ANSWER)
        -- owner, TTL, class, type, rdata (192.168.10.67 as 4 raw bytes)
        answer:put(qry.sname, 900, answer:qclass(), kres.type.A, '\192\168\10\67')
        return kres.DONE    -- answer is complete, stop resolution
end

policy.add(policy.suffix(genRR, { todname('palver.lan.') }))
policy.add(policy.suffix(policy.STUB('10.64.0.2'), {todname('home.')}))
policy.add(policy.suffix(policy.STUB('10.64.0.2'), {todname('20.168.192.in-addr.arpa.')}))
policy.add(policy.suffix(policy.PASS, { todname('20.168.192.in-addr.arpa') }))
policy.add(policy.all(
      policy.TLS_FORWARD({
          {'1.1.1.1', hostname='cloudflare-dns.com', ca_file='/etc/ssl/certs/DigiCertECCSecureServerCA.pem'},
          {'1.0.0.1', hostname='cloudflare-dns.com', ca_file='/etc/ssl/certs/DigiCertECCSecureServerCA.pem'}
      })
))

Setting hints['foo.blabla.com'] = 'my.internal.ip' in the custom configuration doesn’t seem to work (nslookup returns the external IP). Any hint (no pun intended)?
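Added example (not code from the post above): the genRR action generalised to a table of name-to-address overrides, so several public names can be answered with internal IPv4 addresses from one rule, while other names under the suffix and non-A query types fall through to the later policy rules (such as the TLS_FORWARD one). The names and addresses are constructed placeholders; it assumes the kres Lua helpers kres.dname2str, kres.str2ip and policy.todnames.

```lua
local ffi = require('ffi')

-- Constructed mapping (assumed values): qname with trailing dot -> internal IPv4.
local overrides = {
        ['test.example.com.'] = '192.168.20.98',
        ['palver.lan.']       = '192.168.10.67',
}

-- Custom policy action with the same (state, req) signature as genRR.
local function fixedAnswer (state, req)
        local qry = req:current()
        local name = kres.dname2str(qry.sname)
        local ip = name and overrides[name:lower()]
        if not ip or qry.stype ~= kres.type.A then
                -- Not an overridden name, or not an A query: return nil so the
                -- policy engine keeps evaluating the rules added after this one.
                return nil
        end
        local answer = req.answer
        ffi.C.kr_pkt_make_auth_header(answer)   -- authoritative, local answer
        answer:rcode(kres.rcode.NOERROR)
        answer:begin(kres.section.ANSWER)
        -- kres.str2ip converts the dotted text form to the 4 raw rdata bytes.
        answer:put(qry.sname, 900, answer:qclass(), kres.type.A, kres.str2ip(ip))
        return kres.DONE    -- answer is complete, stop resolution
end

-- Only names under these suffixes reach fixedAnswer at all (constructed list).
policy.add(policy.suffix(fixedAnswer, policy.todnames({ 'example.com.', 'palver.lan.' })))
```

Unlike genRR, this rule has to be added before the policy.all(TLS_FORWARD(...)) rule, since a rule that returns a state stops the chain and the forward rule would otherwise claim every query first.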

Funny, this works (domain names redacted, but it’s the same stuff):

socat - /tmp/kresd/tty/*
> hints["test.example.com"] = "192.168.20.98"
[...]
# On LAN machine
host test.example.com
test.example.com has address 192.168.20.98

Setting it in the custom configuration doesn’t, for example:

# Before the policy.add lines in the top post
hints["test.example.com"] = "192.168.20.98"

@vcunat, am I doing something wrong?

It looks like the init scripts wipe the hints configuration (extra_hosts.conf is something I set myself):

2018-11-04 00:45:12 info kresd[18053]: [    0][hint] reading '/tmp/kresd/hints.tmp'
2018-11-04 00:45:12 info kresd[18053]: [    0][hint] loaded 18 hints
2018-11-04 00:45:12 info kresd[18053]: [    0][hint] reading '/etc/kresd/extra_hosts.conf'
2018-11-04 00:45:12 info kresd[18053]: [    0][hint] loaded 1 hints
2018-11-04 00:45:13 info kresd[18053]: [    0][hint] reading '/tmp/dhcp.empty'
2018-11-04 00:45:13 info kresd[18053]: [    0][hint] loaded 0 hints
2018-11-04 00:45:13 info kresd[18053]: hints.config('/tmp/dhcp.empty')
2018-11-04 00:45:13 info kresd[18053]: > [    0][hint] reading '/tmp/kresd/hints.tmp'
2018-11-04 00:45:13 info kresd[18053]: [    0][hint] loaded 18 hints
2018-11-04 00:45:13 info kresd[18053]: hints.add_hosts('/tmp/kresd/hints.tmp')
2018-11-04 00:45:13 info kresd[18053]: > [    0][hint] reading '/tmp/dhcp.leases.dynamic'
2018-11-04 00:45:13 info kresd[18053]: [    0][hint] loaded 5 hints
2018-11-04 00:45:13 info kresd[18053]: hints.add_hosts('/tmp/dhcp.leases.dynamic')

Bug or feature?

Bug. Filed as https://gitlab.labs.nic.cz/turris/openwrt/issues/214.