Commit 0f962b7b authored by Vladimír Čunát

Merge !764: doc/kresd.systemd: bind to all interfaces with kresd.socket

parents 32f3d9ce c2b3603e
......@@ -413,7 +413,28 @@ To configure kresd to listen on public interface, create a drop-in file:
.. _kresd-socket-override-port:
The default port can also be overriden by using an empty ``ListenDatagram=`` or ``ListenStream=`` directive. This can be useful if you want to use the Knot DNS with the `dnsproxy module`_ to have both resolver and authoritative server running on the same machine.
The default locahost interface/port can also be removed/overriden by using an
empty ``ListenDatagram=`` or ``ListenStream=`` directive. This can be used when
you want to configure kresd to listen on all IPv4/IPv6 network interfaces (if
you've disabled IPv6 support in kernel, use ``0.0.0.0`` instead of ``[::]`` ).
.. code-block:: none
# /etc/systemd/system/kresd.socket.d/override.conf
[Socket]
ListenDatagram=
ListenStream=
ListenDatagram=[::]:53
ListenStream=[::]:53
.. note:: Using IPv6 to bind to IPv4 interfaces is currently not compatible
with IPv4 syntax in ``view:addr()`` when using the ``view`` module. For
possible workarounds, see
https://gitlab.labs.nic.cz/knot/knot-resolver/issues/445
It can also be useful if you want to use the Knot DNS with the `dnsproxy
module`_ to have both resolver and authoritative server running on the same
machine.
.. code-block:: none
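Review bot: the added paragraph has two spelling errors, `locahost` and `overriden` (should be `localhost` and `overridden`; the second one also survives in the following paragraph, as the next hunk header shows), and a stray space before the closing parenthesis in `instead of ``[::]`` )`. More importantly, this is the paragraph that turns a loopback-only resolver into one reachable on every interface, so it should say in one sentence that the resolver will then answer any client that can reach port 53, and point to the `view` module rules (which the note below already touches) or a host firewall for restricting clients.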
......@@ -426,7 +447,8 @@ The default port can also be overriden by using an empty ``ListenDatagram=`` or
ListenDatagram=[::1]:53000
ListenStream=[::1]:53000
The ``kresd-tls.socket`` can also be configured to listen for TLS connections.
The ``kresd-tls.socket`` can also be configured in the same way to listen for
TLS connections.
.. code-block:: bash
......
......@@ -6,6 +6,7 @@ Before=sockets.target
[Socket]
FreeBind=true
BindIPv6Only=both
FileDescriptorName=tls
ListenStream=[::1]:853
ListenStream=127.0.0.1:853
......
......@@ -6,6 +6,7 @@ Before=sockets.target
[Socket]
FreeBind=true
BindIPv6Only=both
ListenDatagram=[::1]:53
ListenStream=[::1]:53
ListenDatagram=127.0.0.1:53
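Review bot: the new `BindIPv6Only=both` line (here and in `kresd-tls.socket`) deserves a one-line comment in the unit, since users are expected to edit these sockets through drop-ins: with `both`, a `[::]:53` listener also accepts IPv4 clients, delivered as v4-mapped IPv6 addresses, and it claims the IPv4 port as well, so a drop-in that lists `[::]:53` together with `0.0.0.0:53` fails to bind. That is also why the documentation must keep saying "use `0.0.0.0` instead of `[::]`" rather than "in addition to".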
......
.TH "kresd.systemd" "7" "2018-06-04" "CZ.NIC" "Knot Resolver Systemd Units"
.TH "kresd.systemd" "7" "2019-01-28" "CZ.NIC" "Knot Resolver Systemd Units"
.\"
.\" kresd.systemd.7 -- man page for systemd units for kresd
.\"
......@@ -83,6 +83,32 @@ ListenStream=192.0.2.115:853
.RE
.fi
To configure \fBkresd\fR to listen on all IPv4 and IPv6 interfaces, you can
remove the default localhost address by using an empty \fIListenDatagram=\fR,
\fIListenStream=\fR directive and then bind to the [::] address. If you've
disabled IPv6 support in kernel, use the 0.0.0.0 address instead.
.nf
.RS 4n
# /etc/systemd/system/kresd.socket.d/override.conf
[Socket]
ListenDatagram=
ListenStream=
ListenDatagram=[::]:53
ListenStream=[::]:53
# /etc/systemd/system/kresd-tls.socket.d/override.conf
[Socket]
ListenStream=
ListenStream=[::]:853
.RE
.fi
Please note that using IPv6 to bind to IPv4 interfaces is currently not
compatible with IPv4 syntax in \fIview:addr()\fR when using the view module.
For possible workarounds, see
https://gitlab.labs.nic.cz/knot/knot-resolver/issues/445
For more detailed socket configuration, see \fBsystemd.socket\fR(5).
.B Concurrent daemons
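Review bot: "using IPv6 to bind to IPv4 interfaces" (the rst note uses the same wording) describes the situation imprecisely; what happens is that the `[::]` socket, because of `BindIPv6Only=both`, accepts IPv4 clients as v4-mapped IPv6 addresses (`::ffff:a.b.c.d`), which is why IPv4 syntax in `view:addr()` does not match them. Spelling that out here, next to the `[::]` override example, lets readers understand the workaround in issue 445 without following the link.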
......
......@@ -40,8 +40,10 @@ Example configuration
modules = { 'view' }
-- Whitelist queries identified by TSIG key
view:tsig('\5mykey', policy.all(policy.PASS))
-- Block local clients (ACL like)
-- Block local IPv4 clients (ACL like)
view:addr('127.0.0.1', policy.all(policy.DENY))
-- Block local IPv6 clients (ACL like)
view:addr('::1', policy.all(policy.DENY))
-- Drop queries with suffix match for remote client
view:addr('10.0.0.0/8', policy.suffix(policy.DROP, policy.todnames({'xxx'})))
-- RPZ for subset of clients
......@@ -51,6 +53,11 @@ Example configuration
-- Drop everything that hasn't matched
view:addr('0.0.0.0/0', policy.all(policy.DROP))
.. note:: When using systemd socket activation, it's possible to bind to IPv6
socket that also handles IPv4 connections via v4-mapped-on-v6 addresses.
With this setup, using IPv4 syntax in ``view:addr()`` is currently not
supported. Instead, you can use the v4-mapped-on-v6 syntax, e.g.
``::ffff:127.0.0.0/104`` instead of ``127.0.0.0/8``.
Rule order
^^^^^^^^^^
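Review bot: the new note should warn that the example configuration just above fails open under exactly the setup it describes: `view:addr('0.0.0.0/0', policy.all(policy.DROP))` is meant to drop everything unmatched, but on a dual-stack `[::]` socket IPv4 clients arrive as v4-mapped addresses and match neither `127.0.0.1`, `10.0.0.0/8` nor `0.0.0.0/0`, so they are answered instead of dropped. Suggest giving the catch-all equivalent in the note as well, `::ffff:0.0.0.0/96` for `0.0.0.0/0`, alongside the `::ffff:127.0.0.0/104` example, and ideally adding that rule to the example itself.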
......@@ -74,14 +81,14 @@ Properties
:param subnet: client subnet, i.e. ``10.0.0.1``
:param rule: added rule, i.e. ``policy.pattern(policy.DENY, '[0-9]+\2cz')``
Apply rule to clients in given subnet.
.. function:: view:tsig(key, rule)
:param key: client TSIG key domain name, i.e. ``\5mykey``
:param rule: added rule, i.e. ``policy.pattern(policy.DENY, '[0-9]+\2cz')``
Apply rule to clients with given TSIG key.
.. warning:: This just selects rule based on the key name, it doesn't verify the key or signature yet.
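Review bot: `i.e.` in the `:param subnet:` and `:param rule:` lines should be `e.g.`, since the values are examples rather than definitions; the `view:addr` parameter description is also the natural place to repeat that under a dual-stack `[::]` listener IPv4 clients must be written in v4-mapped form. The existing warning on `view:tsig` could be stated more plainly: because only the key name is matched and nothing is verified, a rule selected by TSIG key must not be relied on as access control until verification is implemented.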
......