diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-08 20:37:50 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-08 20:37:50 +0000 |
commit | c1f743ab2e4a7046d5500875a47d1f62c8624603 (patch) | |
tree | 709946d52f5f3bbaeb38be9e3f1d56d11f058237 /modules/renumber/README.rst | |
parent | Initial commit. (diff) | |
download | knot-resolver-c1f743ab2e4a7046d5500875a47d1f62c8624603.tar.xz knot-resolver-c1f743ab2e4a7046d5500875a47d1f62c8624603.zip |
Adding upstream version 5.7.1.upstream/5.7.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'modules/renumber/README.rst')
-rw-r--r-- | modules/renumber/README.rst | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/modules/renumber/README.rst b/modules/renumber/README.rst new file mode 100644 index 0000000..2e68991 --- /dev/null +++ b/modules/renumber/README.rst @@ -0,0 +1,36 @@ +.. SPDX-License-Identifier: GPL-3.0-or-later + +.. _mod-renumber: + +IP address renumbering +====================== + +The module renumbers addresses in answers to different address space. +e.g. you can redirect malicious addresses to a blackhole, or use private address ranges +in local zones, that will be remapped to real addresses by the resolver. + + +.. warning:: While requests are still validated using DNSSEC, the signatures + are stripped from final answer. The reason is that the address synthesis + breaks signatures. You can see whether an answer was valid or not based on + the AD flag. + +Example configuration +--------------------- + +.. code-block:: lua + + modules = { + renumber = { + -- Source subnet, destination subnet + {'10.10.10.0/24', '192.168.1.0'}, + -- Remap /16 block to localhost address range + {'166.66.0.0/16', '127.0.0.0'}, + -- Remap /26 subnet (64 ip addresses) + {'166.55.77.128/26', '127.0.0.192'}, + -- Remap a /32 block to a single address + {'2001:db8::/32', '::1!'}, + } + } + +.. TODO: renumber.name() hangs in vacuum, kind of. No occurrences in code or docs, and probably bad UX. |