
forward to internal private server?

Open bcookatpcsd opened this issue 1 year ago • 5 comments

I wanted to try and get started working with grafana.. and your knot-resolver docker image looks great.

I wanted to get some internal usage here at work, without changing too much in your image..

I see the 090-policy-forward.conf but that seems to be only DoT forwarding..

To be clear, there is not currently a non-DoT forward present?

(just wanted to make sure that I didn't miss it.. )

Thank you in advance.

bcookatpcsd avatar Jul 14 '23 15:07 bcookatpcsd

```
--mount type=bind,src=/etc/knot-resolver/local.conf,dst=/etc/knot-resolver/kresd.conf.d/090-policy-forward.conf \
```

```
cat local.conf
policy.add( policy.all( policy.FORWARD( {'99.88.77.66@53'})))
```

I tried to work out the lua code to parse the env.. (not knowing lua..)

Stopped the timer at :30.. here we are..

bcookatpcsd avatar Jul 14 '23 16:07 bcookatpcsd

This project is currently set up to forward queries to DoT servers.

But you can easily change this by replacing the 090-policy-forward.conf file as you are doing now. I see the change you made to that file is correct. It doesn't work?

By the way, I just replaced my custom Caddy fork with the official Traefik image in the deployment examples.

hectorm avatar Jul 15 '23 11:07 hectorm

Not the best way to do it, I bet, but it works.

Mount in Docker Compose:

  • ./kresd4.conf.d/065-local-domains.conf:/etc/knot-resolver/kresd.conf.d/065-local-forward.conf

```lua
-- Forward local DNS queries to local domain server.
internalDomains = policy.todnames( {'your.domain.local', '10.in-addr.arpa', '172.in-addr.arpa', '168.192.in-addr.arpa', '0.0.f.f.c.1.4.2.5.d.1.9.d.f.ip6.arpa'} )
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}), internalDomains))
policy.add(policy.suffix(policy.FLAGS({'NO_EDNS'}), internalDomains))
policy.add(policy.suffix(policy.STUB({'192.168.91.50'}), internalDomains))

-- needed to allow internal domains
modules.unload('rebinding')
```

zleppy avatar Jul 18 '23 18:07 zleppy

Thank you .. that looks better than mine..

Also..

```lua
-- turns off DNSSEC validation
trust_anchors.remove('.')
```

Usually I do this as I'm using NextDNS upstream and they do DNSSEC..

will test but:

```lua
-- trust_anchors.remove() only drops a configured trust anchor, so it has no effect
-- on zones that never had one; negative trust anchors are what skip validation here.
trust_anchors.set_insecure({'your.domain.local.', '10.in-addr.arpa.', 'etc..'})
```

I never found the rebinding.. I wonder if that was other problems I was having..

Thank you..

bcookatpcsd avatar Jul 21 '23 13:07 bcookatpcsd
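An added example that combines the two snippets above (not the hblock-resolver image's own config and not either commenter's file): it stubs the internal zones to the internal server while keeping DNSSEC validation on for everything else, using negative trust anchors instead of removing the root trust anchor. The zone names and the 192.168.91.50 server come from this thread; that `kresd.conf.d` files load in name order (so this 065 file is evaluated before 090-policy-forward.conf) is an assumption based on the numbered file names.

```lua
-- 065-local-forward.conf (added example, not from the hblock-resolver image)
-- Assumptions: internal zones and the stub server 192.168.91.50 are taken from
-- this thread; adapt them to your own network.

-- Zones that only the internal server can answer (forward and reverse).
-- policy.todnames() converts the names to wire format for policy.suffix().
local internalDomains = policy.todnames({
  'your.domain.local',
  '10.in-addr.arpa',
  '168.192.in-addr.arpa',
})

-- Policy rules are evaluated in the order they are added, and this file is
-- assumed to load before 090-policy-forward.conf, so the suffix rules below
-- match internal names first; everything else still goes to the DoT forwarders.
-- NO_CACHE keeps internal answers out of the shared cache, NO_EDNS helps
-- older internal servers that reject EDNS.
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE', 'NO_EDNS'}), internalDomains))

-- STUB sends the query to the internal server as plain DNS without iterating.
policy.add(policy.suffix(policy.STUB({'192.168.91.50'}), internalDomains))

-- Negative trust anchors: mark only the internal zones as insecure so the
-- validator does not try to prove them. This keeps validation active for
-- public names, unlike trust_anchors.remove('.'), which disables it globally.
trust_anchors.set_insecure({
  'your.domain.local',
  '10.in-addr.arpa',
  '168.192.in-addr.arpa',
})

-- The rebinding module drops answers that contain private addresses, which is
-- exactly what internal zones return. Unloading it, as in the thread, removes
-- that protection for every zone, not just the internal ones, so only do it
-- if the resolver is reachable solely from the internal network.
modules.unload('rebinding')
```

After restarting the container, a lookup for a name under your.domain.local should return the internal address, while a public name should still resolve with the AD flag set if the upstream chain validates.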

Ah, I use Knot DNS inside a container alongside this one to host my own internal zones. Knot DNS fixes the DNSSEC part.

zleppy avatar Jul 29 '23 23:07 zleppy