diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 10:41:58 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 10:41:58 +0000 |
| commit | 1852910ef0fd7393da62b88aee66ee092208748e (patch) | |
| tree | ad3b659dbbe622b58a5bda4fe0b5e1d80eee9277 /modules/renumber/README.rst | |
| parent | Initial commit. (diff) | |
| download | knot-resolver-1852910ef0fd7393da62b88aee66ee092208748e.tar.xz knot-resolver-1852910ef0fd7393da62b88aee66ee092208748e.zip | |
Adding upstream version 5.3.1.upstream/5.3.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'modules/renumber/README.rst')
| -rw-r--r-- | modules/renumber/README.rst | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/modules/renumber/README.rst b/modules/renumber/README.rst new file mode 100644 index 0000000..ea26eaf --- /dev/null +++ b/modules/renumber/README.rst @@ -0,0 +1,27 @@ +.. SPDX-License-Identifier: GPL-3.0-or-later + +.. _mod-renumber: + +IP address renumbering +====================== + +The module renumbers addresses in answers to different address space. +e.g. you can redirect malicious addresses to a blackhole, or use private address ranges +in local zones, that will be remapped to real addresses by the resolver. + + +.. warning:: While requests are still validated using DNSSEC, the signatures are stripped from final answer. The reason is that the address synthesis breaks signatures. You can see whether an answer was valid or not based on the AD flag. + +Example configuration +--------------------- + +.. code-block:: lua + + modules = { + renumber = { + -- Source subnet, destination subnet + {'10.10.10.0/24', '192.168.1.0'}, + -- Remap /16 block to localhost address range + {'166.66.0.0/16', '127.0.0.0'} + } + } |