forked from nycmeshnet/nycmesh-dns
-
Notifications
You must be signed in to change notification settings - Fork 0
/
kresd.conf
48 lines (40 loc) · 2.15 KB
/
kresd.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
-- Bind ports as privileged user (root) --
net = { '10.10.10.10', '199.167.59.10', 'fdff:1508:6410::1010' }
-- Switch to unprivileged user --
user('knot-resolver','knot-resolver')
-- Unprivileged
cache.open( 100*MB, 'lmdb:///tmp/cache/')
cache.size = 100*MB
verbose(false)
local ffi = require('ffi')
local function AA (next)
return function(state, req)
local answer = req.answer
local qry = req:current()
ffi.C.kr_pkt_make_auth_header(answer)
return next(state, req)
end
end
-- Load modules
modules = { 'policy', 'view' }
-- Delete default private range exclusions
policy.del(0)
-- Allow mesh from internal
view:addr('10.0.0.0/8', policy.suffix(policy.PASS, policy.todnames({'mesh', '10.in-addr.arpa', '59.167.199.in-addr.arpa'})))
view:addr('127.0.0.0/8', policy.suffix(policy.PASS, policy.todnames({'mesh', '10.in-addr.arpa', '59.167.199.in-addr.arpa'})))
view:addr('199.167.59.0/24', policy.suffix(policy.PASS, policy.todnames({'mesh', '10.in-addr.arpa', '59.167.199.in-addr.arpa'})))
view:addr('fdff:1508:6410::/48', policy.suffix(policy.PASS, policy.todnames({'mesh', '10.in-addr.arpa', '59.167.199.in-addr.arpa'})))
view:addr('0.0.0.0/0', policy.suffix(policy.DROP, policy.todnames({'mesh', '10.in-addr.arpa', '59.167.199.in-addr.arpa'})))
-- Override allow all
-- view:addr('0.0.0.0/0', policy.suffix(policy.PASS, policy.todnames({'mesh', '10.in-addr.arpa', '59.167.199.in-addr.arpa'})))
-- Old method, just in case
-- Send mesh request to authorative server
-- Override RFC6761 policies by placing forward rule first
-- local privatenet = policy.add(policy.suffix(policy.FORWARD('10.10.10.11'), policy.todnames({'mesh', 'mesh.nycmesh.net', '10.in-addr.arpa', '59.167.199.in-addr.arpa'})))
-- policy.del(privatenet)
-- table.insert(policy.rules,1,privatenet)
-- end old method
-- Authoritative response for our zones
-- policy.add(policy.suffix(AA(policy.STUB('10.10.10.11')), policy.todnames({'mesh', 'mesh.nycmesh.net', '10.in-addr.arpa', '59.167.199.in-addr.arpa'})))
-- Old non-authoritative response
policy.add(policy.suffix(policy.STUB('10.10.10.11'), policy.todnames({'mesh', 'mesh.nycmesh.net', '10.in-addr.arpa', '59.167.199.in-addr.arpa'})))