<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Knot DNS Resolver modules &#8212; Knot DNS Resolver 2.1.1 documentation</title>
    <link rel="stylesheet" href="_static/nature.css" type="text/css" />
    <link rel="stylesheet" href="_static/pygments.css" type="text/css" />
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    './',
        VERSION:     '2.1.1',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true,
        SOURCELINK_SUFFIX: '.txt'
      };
    </script>
    <script type="text/javascript" src="_static/jquery.js"></script>
    <script type="text/javascript" src="_static/underscore.js"></script>
    <script type="text/javascript" src="_static/doctools.js"></script>
    <link rel="index" title="Index" href="genindex.html" />
    <link rel="search" title="Search" href="search.html" />
    <link rel="next" title="Building project" href="build.html" />
    <link rel="prev" title="Knot DNS Resolver daemon" href="daemon.html" /> 
  </head>
  <body>

    <div class="document">
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body" role="main">
            
  <div class="section" id="knot-dns-resolver-modules">
<span id="modules-implemented"></span><h1>Knot DNS Resolver modules<a class="headerlink" href="#knot-dns-resolver-modules" title="Permalink to this headline"></a></h1>
<div class="contents local topic" id="contents">
<ul class="simple">
<li><a class="reference internal" href="#static-hints" id="id22">Static hints</a></li>
<li><a class="reference internal" href="#statistics-collector" id="id23">Statistics collector</a></li>
<li><a class="reference internal" href="#query-policies" id="id24">Query policies</a></li>
<li><a class="reference internal" href="#views-and-acls" id="id25">Views and ACLs</a></li>
<li><a class="reference internal" href="#prefetching-records" id="id26">Prefetching records</a></li>
<li><a class="reference internal" href="#http-2-services" id="id27">HTTP/2 services</a></li>
<li><a class="reference internal" href="#dns-application-firewall" id="id28">DNS Application Firewall</a></li>
<li><a class="reference internal" href="#graphite-module" id="id29">Graphite module</a></li>
<li><a class="reference internal" href="#etcd-module" id="id30">Etcd module</a></li>
<li><a class="reference internal" href="#dns64" id="id31">DNS64</a></li>
<li><a class="reference internal" href="#renumber" id="id32">Renumber</a></li>
<li><a class="reference internal" href="#dns-cookies" id="id33">DNS Cookies</a></li>
<li><a class="reference internal" href="#version" id="id34">Version</a></li>
<li><a class="reference internal" href="#workarounds" id="id35">Workarounds</a></li>
<li><a class="reference internal" href="#dnstap" id="id36">Dnstap</a></li>
<li><a class="reference internal" href="#signaling-trust-anchor-knowledge-in-dnssec" id="id37">Signaling Trust Anchor Knowledge in DNSSEC</a></li>
<li><a class="reference internal" href="#sentinel-for-detecting-trusted-keys" id="id38">Sentinel for Detecting Trusted Keys</a></li>
<li><a class="reference internal" href="#priming-module" id="id39">Priming module</a></li>
<li><a class="reference internal" href="#serve-stale" id="id40">Serve stale</a></li>
<li><a class="reference internal" href="#system-time-skew-detector" id="id41">System time skew detector</a></li>
<li><a class="reference internal" href="#detect-discontinuous-jumps-in-the-system-time" id="id42">Detect discontinuous jumps in the system time</a></li>
</ul>
</div>
<div class="section" id="static-hints">
<span id="mod-hints"></span><h2><a class="toc-backref" href="#id22">Static hints</a><a class="headerlink" href="#static-hints" title="Permalink to this headline"></a></h2>
<p>This module provides static hints for forward records (A/AAAA) and reverse records (PTR).
The records can be loaded from <code class="docutils literal"><span class="pre">/etc/hosts</span></code>-like files and/or added directly.
Hints are answered by the resolver itself and, when the module is loaded before the cache as in the example below, take precedence over cached and looked-up data, so only load hosts-like files whose contents you control.</p>
<p>You can also use the module to change the root hints; they are used as a safety belt or if the root NS
drops out of cache. Because every iteration is bootstrapped from them, take replacement root hints only from a source you trust.</p>
<div class="section" id="examples">
<h3>Examples<a class="headerlink" href="#examples" title="Permalink to this headline"></a></h3>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="c1">-- Load hints after iterator (so hints take precedence before caches)</span>
<span class="n">modules</span> <span class="o">=</span> <span class="p">{</span> <span class="s1">&#39;hints &gt; iterate&#39;</span> <span class="p">}</span>
<span class="c1">-- Add a custom hosts file</span>
<span class="n">hints</span><span class="p">.</span><span class="n">add_hosts</span><span class="p">(</span><span class="s1">&#39;hosts.custom&#39;</span><span class="p">)</span>
<span class="c1">-- Override the root hints</span>
<span class="n">hints</span><span class="p">.</span><span class="n">root</span><span class="p">({</span>
  <span class="p">[</span><span class="s1">&#39;j.root-servers.net.&#39;</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="s1">&#39;2001:503:c27::2:30&#39;</span><span class="p">,</span> <span class="s1">&#39;192.58.128.30&#39;</span> <span class="p">}</span>
<span class="p">})</span>
<span class="c1">-- Add a custom hint</span>
<span class="n">hints</span><span class="p">[</span><span class="s1">&#39;foo.bar&#39;</span><span class="p">]</span> <span class="o">=</span> <span class="s1">&#39;127.0.0.1&#39;</span>
</pre></div>
</div>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">The <code class="docutils literal"><span class="pre">policy</span></code> module applies before <code class="docutils literal"><span class="pre">hints</span></code>, meaning e.g. that hints for special names (<span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6761.html#section-6"><strong>RFC 6761#section-6</strong></a>) like <code class="docutils literal"><span class="pre">localhost</span></code> or <code class="docutils literal"><span class="pre">test</span></code> will get shadowed by <code class="docutils literal"><span class="pre">policy</span></code> rules by default.
That can be worked around e.g. by explicit <code class="docutils literal"><span class="pre">policy.PASS</span></code> action.</p>
</div>
</div>
<div class="section" id="properties">
<h3>Properties<a class="headerlink" href="#properties" title="Permalink to this headline"></a></h3>
<dl class="function">
<dt id="c.hints.config">
<code class="descname">hints.config</code><span class="sig-paren">(</span>[path]<span class="sig-paren">)</span><a class="headerlink" href="#c.hints.config" title="Permalink to this definition"></a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first simple">
<li><strong>path</strong> (<em>string</em>) – path to hosts-like file, default: no file</li>
</ul>
</td>
</tr>
<tr class="field-even field"><th class="field-name">Returns:</th><td class="field-body"><p class="first last"><code class="docutils literal"><span class="pre">{</span> <span class="pre">result:</span> <span class="pre">bool</span> <span class="pre">}</span></code></p>
</td>
</tr>
</tbody>
</table>
<p>Clear any configured hints, and optionally load a hosts-like file as in <code class="docutils literal"><span class="pre">hints.add_hosts(path)</span></code>.
(Root hints are not touched.)</p>
</dd></dl>

<dl class="function">
<dt id="c.hints.add_hosts">
<code class="descname">hints.add_hosts</code><span class="sig-paren">(</span>[path]<span class="sig-paren">)</span><a class="headerlink" href="#c.hints.add_hosts" title="Permalink to this definition"></a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first last simple">
<li><strong>path</strong> (<em>string</em>) – path to hosts-like file, default: <code class="docutils literal"><span class="pre">/etc/hosts</span></code></li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>Add hints from a hosts-like file.</p>
</dd></dl>

<dl class="function">
<dt id="c.hints.get">
<code class="descname">hints.get</code><span class="sig-paren">(</span><a class="reference internal" href="daemon.html#c.hostname" title="hostname">hostname</a><span class="sig-paren">)</span><a class="headerlink" href="#c.hints.get" title="Permalink to this definition"></a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first simple">
<li><strong>hostname</strong> (<em>string</em>) – i.e. <code class="docutils literal"><span class="pre">&quot;localhost&quot;</span></code></li>
</ul>
</td>
</tr>
<tr class="field-even field"><th class="field-name">Returns:</th><td class="field-body"><p class="first last"><code class="docutils literal"><span class="pre">{</span> <span class="pre">result:</span> <span class="pre">[address1,</span> <span class="pre">address2,</span> <span class="pre">...]</span> <span class="pre">}</span></code></p>
</td>
</tr>
</tbody>
</table>
<p>Return a list of address records matching the given name.
If no hostname is specified, all hints are returned in the table format used by <code class="docutils literal"><span class="pre">hints.root()</span></code>.</p>
</dd></dl>

<dl class="function">
<dt id="c.hints.set">
<code class="descname">hints.set</code><span class="sig-paren">(</span>pair<span class="sig-paren">)</span><a class="headerlink" href="#c.hints.set" title="Permalink to this definition"></a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first simple">
<li><strong>pair</strong> (<em>string</em>) – <code class="docutils literal"><span class="pre">hostname</span> <span class="pre">address</span></code>, e.g. <code class="docutils literal"><span class="pre">&quot;localhost</span> <span class="pre">127.0.0.1&quot;</span></code></li>
</ul>
</td>
</tr>
<tr class="field-even field"><th class="field-name">Returns:</th><td class="field-body"><p class="first last"><code class="docutils literal"><span class="pre">{</span> <span class="pre">result:</span> <span class="pre">bool</span> <span class="pre">}</span></code></p>
</td>
</tr>
</tbody>
</table>
<p>Add a hostname - address pair hint.</p>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">If multiple addresses have been added for a name, all are returned in a forward query.
If multiple names have been added to an address, the last one defined is returned
in a corresponding PTR query.</p>
</div>
</dd></dl>

<dl class="function">
<dt id="c.hints.del">
<code class="descname">hints.del</code><span class="sig-paren">(</span>pair<span class="sig-paren">)</span><a class="headerlink" href="#c.hints.del" title="Permalink to this definition"></a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first simple">
<li><strong>pair</strong> (<em>string</em>) – <code class="docutils literal"><span class="pre">hostname</span> <span class="pre">address</span></code>, e.g. <code class="docutils literal"><span class="pre">&quot;localhost</span> <span class="pre">127.0.0.1&quot;</span></code>, or just <code class="docutils literal"><span class="pre">hostname</span></code></li>
</ul>
</td>
</tr>
<tr class="field-even field"><th class="field-name">Returns:</th><td class="field-body"><p class="first last"><code class="docutils literal"><span class="pre">{</span> <span class="pre">result:</span> <span class="pre">bool</span> <span class="pre">}</span></code></p>
</td>
</tr>
</tbody>
</table>
<p>Remove a hostname - address pair hint.  If address is omitted, all addresses for the given name are deleted.</p>
</dd></dl>

<dl class="function">
<dt id="c.hints.root">
<code class="descname">hints.root</code><span class="sig-paren">(</span><span class="sig-paren">)</span><a class="headerlink" href="#c.hints.root" title="Permalink to this definition"></a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Returns:</th><td class="field-body"><code class="docutils literal"><span class="pre">{</span> <span class="pre">['a.root-servers.net.']</span> <span class="pre">=</span> <span class="pre">{</span> <span class="pre">'1.2.3.4',</span> <span class="pre">'5.6.7.8',</span> <span class="pre">...},</span> <span class="pre">...</span> <span class="pre">}</span></code></td>
</tr>
</tbody>
</table>
<div class="admonition tip">
<p class="first admonition-title">Tip</p>
<p class="last">If no parameters are passed, returns current root hints set.</p>
</div>
</dd></dl>

<dl class="function">
<dt id="c.hints.root_file">
<code class="descname">hints.root_file</code><span class="sig-paren">(</span>path<span class="sig-paren">)</span><a class="headerlink" href="#c.hints.root_file" title="Permalink to this definition"></a></dt>
<dd><p>Replace current root hints from a zonefile.  If the path is omitted, the compiled-in path is used, i.e. the root hints are reset to the default.</p>
</dd></dl>

<dl class="function">
<dt>
<code class="descname">hints.root</code><span class="sig-paren">(</span>root_hints<span class="sig-paren">)</span></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first simple">
<li><strong>root_hints</strong> (<em>table</em>) – new set of root hints, e.g. <code class="docutils literal"><span class="pre">{['name']</span> <span class="pre">=</span> <span class="pre">'addr',</span> <span class="pre">...}</span></code></li>
</ul>
</td>
</tr>
<tr class="field-even field"><th class="field-name">Returns:</th><td class="field-body"><p class="first last"><code class="docutils literal"><span class="pre">{</span> <span class="pre">['a.root-servers.net.']</span> <span class="pre">=</span> <span class="pre">{</span> <span class="pre">'1.2.3.4',</span> <span class="pre">'5.6.7.8',</span> <span class="pre">...},</span> <span class="pre">...</span> <span class="pre">}</span></code></p>
</td>
</tr>
</tbody>
</table>
<p>Replace current root hints and return the current table of root hints.</p>
<p>Example:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="o">&gt;</span> <span class="n">hints</span><span class="p">.</span><span class="n">root</span><span class="p">({</span>
  <span class="p">[</span><span class="s1">&#39;l.root-servers.net.&#39;</span><span class="p">]</span> <span class="o">=</span> <span class="s1">&#39;199.7.83.42&#39;</span><span class="p">,</span>
  <span class="p">[</span><span class="s1">&#39;m.root-servers.net.&#39;</span><span class="p">]</span> <span class="o">=</span> <span class="s1">&#39;202.12.27.33&#39;</span>
<span class="p">})</span>
<span class="p">[</span><span class="n">l</span><span class="p">.</span><span class="n">root</span><span class="o">-</span><span class="n">servers</span><span class="p">.</span><span class="n">net</span><span class="p">.]</span> <span class="o">=&gt;</span> <span class="p">{</span>
  <span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=&gt;</span> <span class="mf">199.7.83.42</span>
<span class="p">}</span>
<span class="p">[</span><span class="n">m</span><span class="p">.</span><span class="n">root</span><span class="o">-</span><span class="n">servers</span><span class="p">.</span><span class="n">net</span><span class="p">.]</span> <span class="o">=&gt;</span> <span class="p">{</span>
  <span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=&gt;</span> <span class="mf">202.12.27.33</span>
<span class="p">}</span>
</pre></div>
</div>
<div class="admonition tip">
<p class="first admonition-title">Tip</p>
<p class="last">A good rule of thumb is to select only a few of the fastest root servers as hints. The resolver learns RTT and NS quality over time and tries all servers available, so you can help it by preselecting the candidates. Keep in mind that a very short list also leaves fewer servers to fall back on for bootstrapping if those few become unreachable.</p>
</div>
</dd></dl>

</div>
</div>
<div class="section" id="statistics-collector">
<span id="mod-stats"></span><h2><a class="toc-backref" href="#id23">Statistics collector</a><a class="headerlink" href="#statistics-collector" title="Permalink to this headline"></a></h2>
<p>This module gathers various counters from the query resolution and server internals,
and offers them as a key-value storage. Any module may update the metrics or simply hook
in new ones.</p>
<div class="highlight-none"><div class="highlight"><pre><span></span>-- Enumerate metrics
&gt; stats.list()
[answer.cached] =&gt; 486178
[iterator.tcp] =&gt; 490
[answer.noerror] =&gt; 507367
[answer.total] =&gt; 618631
[iterator.udp] =&gt; 102408
[query.concurrent] =&gt; 149

-- Query metrics by prefix
&gt; stats.list(&#39;iter&#39;)
[iterator.udp] =&gt; 105104
[iterator.tcp] =&gt; 490

-- Set custom metrics from modules
&gt; stats[&#39;filter.match&#39;] = 5
&gt; stats[&#39;filter.match&#39;]
5

-- Fetch most common queries
&gt; stats.frequent()
[1] =&gt; {
        [type] =&gt; 2
        [count] =&gt; 4
        [name] =&gt; cz.
}

-- Fetch most common queries (sorted by frequency)
&gt; table.sort(stats.frequent(), function (a, b) return a.count &gt; b.count end)

-- Show recently contacted authoritative servers
&gt; stats.upstreams()
[2a01:618:404::1] =&gt; {
    [1] =&gt; 26 -- RTT
}
[128.241.220.33] =&gt; {
    [1] =&gt; 31 -- RTT
}
</pre></div>
</div>
<div class="section" id="id1">
<h3>Properties<a class="headerlink" href="#id1" title="Permalink to this headline"></a></h3>
<dl class="function">
<dt id="c.stats.get">
<code class="descname">stats.get</code><span class="sig-paren">(</span>key<span class="sig-paren">)</span><a class="headerlink" href="#c.stats.get" title="Permalink to this definition"></a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first simple">
<li><strong>key</strong> (<em>string</em>) – e.g. <code class="docutils literal"><span class="pre">&quot;answer.total&quot;</span></code></li>
</ul>
</td>
</tr>
<tr class="field-even field"><th class="field-name">Returns:</th><td class="field-body"><p class="first last"><code class="docutils literal"><span class="pre">number</span></code></p>
</td>
</tr>
</tbody>
</table>
</dd></dl>

<p>Return nominal value of given metric.</p>
<dl class="function">
<dt id="c.stats.set">
<code class="descname">stats.set</code><span class="sig-paren">(</span>key, val<span class="sig-paren">)</span><a class="headerlink" href="#c.stats.set" title="Permalink to this definition"></a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first last simple">
<li><strong>key</strong> (<em>string</em>) – i.e. <code class="docutils literal"><span class="pre">&quot;answer.total&quot;</span></code></li>
<li><strong>val</strong> (<em>number</em>) – i.e. <code class="docutils literal"><span class="pre">5</span></code></li>
</ul>
</td>
</tr>
</tbody>
</table>
</dd></dl>

<p>Set nominal value of given metric.</p>
<dl class="function">
<dt id="c.stats.list">
<code class="descname">stats.list</code><span class="sig-paren">(</span>[prefix]<span class="sig-paren">)</span><a class="headerlink" href="#c.stats.list" title="Permalink to this definition"></a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first last simple">
<li><strong>prefix</strong> (<em>string</em>) – optional metric prefix, i.e. <code class="docutils literal"><span class="pre">&quot;answer&quot;</span></code> shows only metrics beginning with “answer”</li>
</ul>
</td>
</tr>
</tbody>
</table>
</dd></dl>

<p>Outputs collected metrics as a JSON dictionary.</p>
<dl class="function">
<dt id="c.stats.upstreams">
<code class="descname">stats.upstreams</code><span class="sig-paren">(</span><span class="sig-paren">)</span><a class="headerlink" href="#c.stats.upstreams" title="Permalink to this definition"></a></dt>
<dd></dd></dl>

<p>Outputs a list of recently contacted upstream servers and their RTT. The list is ordered by time and stored in a ring buffer of
a fixed size. This means it is not aggregated and cannot be read reliably by multiple consumers, and also that
you may lose entries if you do not read quickly enough. The default ring size is 512 entries and may be overridden at compile time with <code class="docutils literal"><span class="pre">-DUPSTREAMS_COUNT=X</span></code>.</p>
<dl class="function">
<dt id="c.stats.frequent">
<code class="descname">stats.frequent</code><span class="sig-paren">(</span><span class="sig-paren">)</span><a class="headerlink" href="#c.stats.frequent" title="Permalink to this definition"></a></dt>
<dd></dd></dl>

<p>Outputs a list of the most frequent iterative queries as a JSON array. The queries are sampled probabilistically,
and include subrequests. The list holds at most 5000 entries; take diffs between successive outputs if you want to track it over time.</p>
<dl class="function">
<dt id="c.stats.clear_frequent">
<code class="descname">stats.clear_frequent</code><span class="sig-paren">(</span><span class="sig-paren">)</span><a class="headerlink" href="#c.stats.clear_frequent" title="Permalink to this definition"></a></dt>
<dd></dd></dl>

<p>Clear the list of most frequent iterative queries.</p>
</div>
<div class="section" id="built-in-statistics">
<h3>Built-in statistics<a class="headerlink" href="#built-in-statistics" title="Permalink to this headline"></a></h3>
<ul class="simple">
<li><code class="docutils literal"><span class="pre">answer.total</span></code> - total number of answered queries</li>
<li><code class="docutils literal"><span class="pre">answer.cached</span></code> - number of queries answered from cache</li>
<li><code class="docutils literal"><span class="pre">answer.noerror</span></code> - number of <strong>NOERROR</strong> answers</li>
<li><code class="docutils literal"><span class="pre">answer.nodata</span></code> - number of <strong>NOERROR</strong>, but empty answers</li>
<li><code class="docutils literal"><span class="pre">answer.nxdomain</span></code> - number of <strong>NXDOMAIN</strong> answers</li>
<li><code class="docutils literal"><span class="pre">answer.servfail</span></code> - number of <strong>SERVFAIL</strong> answers</li>
<li><code class="docutils literal"><span class="pre">answer.1ms</span></code> - number of answers completed in 1ms</li>
<li><code class="docutils literal"><span class="pre">answer.10ms</span></code> - number of answers completed in 10ms</li>
<li><code class="docutils literal"><span class="pre">answer.50ms</span></code> - number of answers completed in 50ms</li>
<li><code class="docutils literal"><span class="pre">answer.100ms</span></code> - number of answers completed in 100ms</li>
<li><code class="docutils literal"><span class="pre">answer.250ms</span></code> - number of answers completed in 250ms</li>
<li><code class="docutils literal"><span class="pre">answer.500ms</span></code> - number of answers completed in 500ms</li>
<li><code class="docutils literal"><span class="pre">answer.1000ms</span></code> - number of answers completed in 1000ms</li>
<li><code class="docutils literal"><span class="pre">answer.1500ms</span></code> - number of answers completed in 1500ms</li>
<li><code class="docutils literal"><span class="pre">answer.slow</span></code> - number of answers that took more than 1500ms</li>
<li><code class="docutils literal"><span class="pre">query.edns</span></code> - number of queries with EDNS</li>
<li><code class="docutils literal"><span class="pre">query.dnssec</span></code> - number of queries with DNSSEC DO=1</li>
</ul>
</div>
</div>
<div class="section" id="query-policies">
<span id="mod-policy"></span><h2><a class="toc-backref" href="#id24">Query policies</a><a class="headerlink" href="#query-policies" title="Permalink to this headline"></a></h2>
<p>This module can block, rewrite, or alter inbound queries based on user-defined policies.</p>
<p>Each policy <em>rule</em> has two parts: a <em>filter</em> and an <em>action</em>. A <em>filter</em> selects which queries will be affected by the policy, and an <em>action</em> modifies the queries matching the associated filter. Typically a rule is defined as follows: <code class="docutils literal"><span class="pre">filter(action(action</span> <span class="pre">parameters),</span> <span class="pre">filter</span> <span class="pre">parameters)</span></code>. For example, a filter can be <code class="docutils literal"><span class="pre">suffix</span></code>, which matches queries whose suffix is in a specified set, and one of the possible actions is <code class="docutils literal"><span class="pre">DENY</span></code>, which denies resolution. These are combined into <code class="docutils literal"><span class="pre">policy.suffix(policy.DENY,</span> <span class="pre">{todname('badguy.example.')})</span></code>. The rule takes effect once it is added to the rule table using <code class="docutils literal"><span class="pre">policy.add()</span></code>; please see <a class="reference internal" href="#id2">Policy examples</a>.</p>
<p>By default, if no rule applies to a query, built-in rules for <a class="reference external" href="https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml">special-use</a> and <a class="reference external" href="http://www.iana.org/assignments/locally-served-dns-zone">locally-served</a> domain names are applied. These built-in rules can be overridden using the action <code class="docutils literal"><span class="pre">PASS</span></code>, see <a class="reference internal" href="#id2">Policy examples</a> below.</p>
<div class="section" id="filters">
<h3>Filters<a class="headerlink" href="#filters" title="Permalink to this headline"></a></h3>
<p>A <em>filter</em> selects which queries will be affected by specified <em>action</em>. There are several policy filters available in the <code class="docutils literal"><span class="pre">policy.</span></code> table:</p>
<ul class="simple">
<li><code class="docutils literal"><span class="pre">all(action)</span></code>
- always applies the action</li>
<li><code class="docutils literal"><span class="pre">pattern(action,</span> <span class="pre">pattern)</span></code>
- applies the action if QNAME matches a <a class="reference external" href="http://lua-users.org/wiki/PatternsTutorial">regular expression</a></li>
<li><code class="docutils literal"><span class="pre">suffix(action,</span> <span class="pre">table)</span></code>
- applies the action if QNAME suffix matches one of suffixes in the table (useful for “is domain in zone” rules),
uses <a class="reference external" href="https://en.wikipedia.org/wiki/Aho%E2%80%93Corasick_string_matching_algorithm">Aho-Corasick</a> string matching algorithm <a class="reference external" href="https://github.com/cloudflare/lua-aho-corasick">from CloudFlare</a> (BSD 3-clause)</li>
<li><a class="reference internal" href="#c.policy.suffix_common" title="policy.suffix_common"><code class="xref any c c-func docutils literal"><span class="pre">policy.suffix_common</span></code></a></li>
<li><code class="docutils literal"><span class="pre">rpz</span></code>
- implements a subset of <a class="reference external" href="https://dnsrpz.info/">RPZ</a> in zonefile format.  See below for details: <a class="reference internal" href="#c.policy.rpz" title="policy.rpz"><code class="xref any c c-func docutils literal"><span class="pre">policy.rpz</span></code></a>.</li>
<li>custom filter function</li>
</ul>
</div>
<div class="section" id="actions">
<h3>Actions<a class="headerlink" href="#actions" title="Permalink to this headline"></a></h3>
<p>An <em>action</em> is a function which modifies a DNS query. There are several actions available in the <code class="docutils literal"><span class="pre">policy.</span></code> table:</p>
<ul class="simple">
<li><code class="docutils literal"><span class="pre">PASS</span></code> - let the query pass through; it’s useful to make exceptions before wider rules</li>
<li><code class="docutils literal"><span class="pre">DENY</span></code> - reply NXDOMAIN authoritatively</li>
<li><code class="docutils literal"><span class="pre">DENY_MSG(msg)</span></code> - reply NXDOMAIN authoritatively and add explanatory message to additional section</li>
<li><code class="docutils literal"><span class="pre">DROP</span></code> - terminate query resolution and return SERVFAIL to the requestor</li>
<li><code class="docutils literal"><span class="pre">TC</span></code> - set TC=1 if the request came through UDP, forcing client to retry with TCP</li>
<li><code class="docutils literal"><span class="pre">FORWARD(ip)</span></code> - resolve a query via forwarding to an IP while validating and caching locally;</li>
<li><code class="docutils literal"><span class="pre">TLS_FORWARD({{ip,</span> <span class="pre">authentication}})</span></code> - resolve a query via TLS connection forwarding to an IP while validating and caching locally;
the parameter can be a single IP (string) or a lua list of up to four IPs.</li>
<li><code class="docutils literal"><span class="pre">STUB(ip)</span></code> - similar to <code class="docutils literal"><span class="pre">FORWARD(ip)</span></code> but <em>without</em> attempting DNSSEC validation, so answers are accepted as provided by the upstream.
Each request may be either answered from cache or simply sent to one of the IPs with the answer proxied back.</li>
<li><code class="docutils literal"><span class="pre">MIRROR(ip)</span></code> - mirror query to given IP and continue solving it (useful for partial snooping); it’s a chain action</li>
<li><code class="docutils literal"><span class="pre">REROUTE({{subnet,target},</span> <span class="pre">...})</span></code> - reroute addresses in response matching given subnet to given target, e.g. <code class="docutils literal"><span class="pre">{'192.0.2.0/24',</span> <span class="pre">'127.0.0.0'}</span></code> will rewrite ‘192.0.2.55’ to ‘127.0.0.55’, see <a class="reference internal" href="#mod-renumber"><span class="std std-ref">renumber module</span></a> for more information.</li>
<li><code class="docutils literal"><span class="pre">QTRACE</span></code> - pretty-print DNS response packets into the log for the query and its sub-queries.  It’s useful for debugging weird DNS servers.  It’s a chain action.</li>
<li><code class="docutils literal"><span class="pre">FLAGS(set,</span> <span class="pre">clear)</span></code> - set and/or clear some flags for the query.  There can be multiple flags to set/clear.  You can just pass a single flag name (string) or a set of names.  It’s a chain action.</li>
</ul>
<p>Most actions stop the policy matching for the query, but “chain actions” allow matching to continue with other rules until a non-chain action is triggered.</p>
<p>Also, it is possible to write your own action (i.e. Lua function). It is possible to implement complex heuristics, e.g. to deflect <a class="reference external" href="https://secure64.com/water-torture-slow-drip-dns-ddos-attack">Slow drip DNS attacks</a> or gray-list resolution of misbehaving zones.</p>
<div class="admonition warning">
<p class="first admonition-title">Warning</p>
<p class="last">The policy module currently only looks at whole DNS requests: the rules are applied to the original query and are not re-applied to names reached while resolving it, e.g. when following CNAMEs.</p>
</div>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">The module (and <code class="docutils literal"><span class="pre">kres</span></code>) expects domain names in wire format, not textual representation. So each label in the name is prefixed with its length, e.g. “example.com” is written as <code class="docutils literal"><span class="pre">&quot;\7example\3com&quot;</span></code>. You can use the convenience function <code class="docutils literal"><span class="pre">todname('example.com')</span></code> for automatic conversion.</p>
</div>
</div>
<div class="section" id="forwarding-over-tls-protocol-dns-over-tls">
<h3>Forwarding over TLS protocol (DNS-over-TLS)<a class="headerlink" href="#forwarding-over-tls-protocol-dns-over-tls" title="Permalink to this headline"></a></h3>
<p>Policy <cite>TLS_FORWARD</cite> allows you to forward queries using <a class="reference external" href="https://en.wikipedia.org/wiki/Transport_Layer_Security">Transport Layer Security</a> protocol, which hides the content of your queries from an attacker observing the network traffic. Further details about this protocol can be found in <a class="reference external" href="https://tools.ietf.org/html/rfc7858">RFC 7858</a> and <a class="reference external" href="https://tools.ietf.org/html/draft-ietf-dprive-dtls-and-tls-profiles">IETF draft dprive-dtls-and-tls-profiles</a>.</p>
<p>Queries affected by the <cite>TLS_FORWARD</cite> policy will always be resolved over a TLS connection. Knot Resolver does not implement fallback to a non-TLS connection, so if a TLS connection cannot be established or authenticated according to the configuration, the resolution will fail rather than fall back to plaintext.</p>
<p>To test this feature you need to either <a class="reference internal" href="daemon.html#tls-server-config"><span class="std std-ref">configure Knot Resolver as DNS-over-TLS server</span></a>, or pick some public DNS-over-TLS server. Please see <a class="reference external" href="https://dnsprivacy.org/">DNS Privacy Project</a> homepage for list of public servers.</p>
<p>When multiple servers are specified, the one with the lowest round-trip time is used.</p>
<div class="section" id="tls-examples">
<h4>TLS Examples<a class="headerlink" href="#tls-examples" title="Permalink to this headline"></a></h4>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">modules</span> <span class="o">=</span> <span class="p">{</span> <span class="s1">&#39;policy&#39;</span> <span class="p">}</span>
<span class="c1">-- forward all queries over TLS to the specified server</span>
<span class="n">policy</span><span class="p">.</span><span class="n">add</span><span class="p">(</span><span class="n">policy</span><span class="p">.</span><span class="n">all</span><span class="p">(</span><span class="n">policy</span><span class="p">.</span><span class="n">TLS_FORWARD</span><span class="p">({{</span><span class="s1">&#39;192.0.2.1&#39;</span><span class="p">,</span> <span class="n">pin_sha256</span><span class="o">=</span><span class="s1">&#39;YQ==&#39;</span><span class="p">}})))</span>
<span class="c1">-- for brevity, other TLS examples omit policy.add(policy.all())</span>
<span class="c1">-- single server authenticated using its certificate pin_sha256</span>
  <span class="n">policy</span><span class="p">.</span><span class="n">TLS_FORWARD</span><span class="p">({{</span><span class="s1">&#39;192.0.2.1&#39;</span><span class="p">,</span> <span class="n">pin_sha256</span><span class="o">=</span><span class="s1">&#39;YQ==&#39;</span><span class="p">}})</span>  <span class="c1">-- pin_sha256 is base64-encoded</span>
<span class="c1">-- single server using non-standard port</span>
  <span class="n">policy</span><span class="p">.</span><span class="n">TLS_FORWARD</span><span class="p">({{</span><span class="s1">&#39;192.0.2.1@443&#39;</span><span class="p">,</span> <span class="n">pin_sha256</span><span class="o">=</span><span class="s1">&#39;YQ==&#39;</span><span class="p">}})</span>  <span class="c1">-- use @ or # to specify port</span>
<span class="c1">-- single server with multiple valid pins (e.g. anycast)</span>
  <span class="n">policy</span><span class="p">.</span><span class="n">TLS_FORWARD</span><span class="p">({{</span><span class="s1">&#39;192.0.2.1&#39;</span><span class="p">,</span> <span class="n">pin_sha256</span><span class="o">=</span><span class="p">{</span><span class="s1">&#39;YQ==&#39;</span><span class="p">,</span> <span class="s1">&#39;Wg==&#39;</span><span class="p">}})</span>
<span class="c1">-- multiple servers, each with own authenticator</span>
  <span class="n">policy</span><span class="p">.</span><span class="n">TLS_FORWARD</span><span class="p">({</span> <span class="c1">-- please note that { here starts list of servers</span>
        <span class="p">{</span><span class="s1">&#39;192.0.2.1&#39;</span><span class="p">,</span> <span class="n">pin_sha256</span><span class="o">=</span><span class="s1">&#39;Wg==&#39;</span><span class="p">},</span>
        <span class="c1">-- server must present certificate issued by specified CA and hostname must match</span>
        <span class="p">{</span><span class="s1">&#39;2001:DB8::d0c&#39;</span><span class="p">,</span> <span class="n">hostname</span><span class="o">=</span><span class="s1">&#39;res.example.&#39;</span><span class="p">,</span> <span class="n">ca_file</span><span class="o">=</span><span class="s1">&#39;/etc/knot-resolver/tlsca.crt&#39;</span><span class="p">}</span>
<span class="p">})</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="policy-examples">
<span id="id2"></span><h3>Policy examples<a class="headerlink" href="#policy-examples" title="Permalink to this headline"></a></h3>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="c1">-- Whitelist &#39;www[0-9].badboy.cz&#39;</span>
<span class="n">policy</span><span class="p">.</span><span class="n">add</span><span class="p">(</span><span class="n">policy</span><span class="p">.</span><span class="n">pattern</span><span class="p">(</span><span class="n">policy</span><span class="p">.</span><span class="n">PASS</span><span class="p">,</span> <span class="s1">&#39;</span><span class="se">\4</span><span class="s1">www[0-9]</span><span class="se">\6</span><span class="s1">badboy</span><span class="se">\2</span><span class="s1">cz&#39;</span><span class="p">))</span>
<span class="c1">-- Block all names below badboy.cz</span>
<span class="n">policy</span><span class="p">.</span><span class="n">add</span><span class="p">(</span><span class="n">policy</span><span class="p">.</span><span class="n">suffix</span><span class="p">(</span><span class="n">policy</span><span class="p">.</span><span class="n">DENY</span><span class="p">,</span> <span class="p">{</span><span class="n">todname</span><span class="p">(</span><span class="s1">&#39;badboy.cz.&#39;</span><span class="p">)}))</span>
<span class="c1">-- Custom rule</span>
<span class="n">policy</span><span class="p">.</span><span class="n">add</span><span class="p">(</span><span class="kr">function</span> <span class="p">(</span><span class="n">req</span><span class="p">,</span> <span class="n">query</span><span class="p">)</span>
        <span class="kr">if</span> <span class="n">query</span><span class="p">:</span><span class="n">qname</span><span class="p">():</span><span class="n">find</span><span class="p">(</span><span class="s1">&#39;%d.%d.%d.224</span><span class="se">\7</span><span class="s1">in-addr</span><span class="se">\4</span><span class="s1">arpa&#39;</span><span class="p">)</span> <span class="kr">then</span>
                <span class="kr">return</span> <span class="n">policy</span><span class="p">.</span><span class="n">DENY</span>
        <span class="kr">end</span>
<span class="kr">end</span><span class="p">)</span>
<span class="c1">-- Disallow ANY queries</span>
<span class="n">policy</span><span class="p">.</span><span class="n">add</span><span class="p">(</span><span class="kr">function</span> <span class="p">(</span><span class="n">req</span><span class="p">,</span> <span class="n">query</span><span class="p">)</span>
        <span class="kr">if</span> <span class="n">query</span><span class="p">.</span><span class="n">stype</span> <span class="o">==</span> <span class="n">kres</span><span class="p">.</span><span class="n">type</span><span class="p">.</span><span class="n">ANY</span> <span class="kr">then</span>
                <span class="kr">return</span> <span class="n">policy</span><span class="p">.</span><span class="n">DROP</span>
        <span class="kr">end</span>
<span class="kr">end</span><span class="p">)</span>
<span class="c1">-- Enforce local RPZ</span>
<span class="n">policy</span><span class="p">.</span><span class="n">add</span><span class="p">(</span><span class="n">policy</span><span class="p">.</span><span class="n">rpz</span><span class="p">(</span><span class="n">policy</span><span class="p">.</span><span class="n">DENY</span><span class="p">,</span> <span class="s1">&#39;blacklist.rpz&#39;</span><span class="p">))</span>
<span class="c1">-- Forward all queries below &#39;company.se&#39; to given resolver</span>
<span class="n">policy</span><span class="p">.</span><span class="n">add</span><span class="p">(</span><span class="n">policy</span><span class="p">.</span><span class="n">suffix</span><span class="p">(</span><span class="n">policy</span><span class="p">.</span><span class="n">FORWARD</span><span class="p">(</span><span class="s1">&#39;192.168.1.1&#39;</span><span class="p">),</span> <span class="p">{</span><span class="n">todname</span><span class="p">(</span><span class="s1">&#39;company.se&#39;</span><span class="p">)}))</span>
<span class="c1">-- Forward all queries matching pattern</span>
<span class="n">policy</span><span class="p">.</span><span class="n">add</span><span class="p">(</span><span class="n">policy</span><span class="p">.</span><span class="n">pattern</span><span class="p">(</span><span class="n">policy</span><span class="p">.</span><span class="n">FORWARD</span><span class="p">(</span><span class="s1">&#39;2001:DB8::1&#39;</span><span class="p">),</span> <span class="s1">&#39;</span><span class="se">\4</span><span class="s1">bad[0-9]</span><span class="se">\2</span><span class="s1">cz&#39;</span><span class="p">))</span>
<span class="c1">-- Forward all queries (to public resolvers https://www.nic.cz/odvr)</span>
<span class="n">policy</span><span class="p">.</span><span class="n">add</span><span class="p">(</span><span class="n">policy</span><span class="p">.</span><span class="n">all</span><span class="p">(</span><span class="n">policy</span><span class="p">.</span><span class="n">FORWARD</span><span class="p">({</span><span class="s1">&#39;2001:678:1::206&#39;</span><span class="p">,</span> <span class="s1">&#39;193.29.206.206&#39;</span><span class="p">})))</span>
<span class="c1">-- Print all responses with matching suffix</span>
<span class="n">policy</span><span class="p">.</span><span class="n">add</span><span class="p">(</span><span class="n">policy</span><span class="p">.</span><span class="n">suffix</span><span class="p">(</span><span class="n">policy</span><span class="p">.</span><span class="n">QTRACE</span><span class="p">,</span> <span class="p">{</span><span class="n">todname</span><span class="p">(</span><span class="s1">&#39;rhybar.cz.&#39;</span><span class="p">)}))</span>
<span class="c1">-- Print all responses</span>
<span class="n">policy</span><span class="p">.</span><span class="n">add</span><span class="p">(</span><span class="n">policy</span><span class="p">.</span><span class="n">all</span><span class="p">(</span><span class="n">policy</span><span class="p">.</span><span class="n">QTRACE</span><span class="p">))</span>
<span class="c1">-- Mirror all queries and retrieve information</span>
<span class="kd">local</span> <span class="n">rule</span> <span class="o">=</span> <span class="n">policy</span><span class="p">.</span><span class="n">add</span><span class="p">(</span><span class="n">policy</span><span class="p">.</span><span class="n">all</span><span class="p">(</span><span class="n">policy</span><span class="p">.</span><span class="n">MIRROR</span><span class="p">(</span><span class="s1">&#39;127.0.0.2&#39;</span><span class="p">)))</span>
<span class="c1">-- Print information about the rule</span>
<span class="nb">print</span><span class="p">(</span><span class="nb">string.format</span><span class="p">(</span><span class="s1">&#39;id: %d, matched queries: %d&#39;</span><span class="p">,</span> <span class="n">rule</span><span class="p">.</span><span class="n">id</span><span class="p">,</span> <span class="n">rule</span><span class="p">.</span><span class="n">count</span><span class="p">)</span>
<span class="c1">-- Reroute all addresses found in answer from 192.0.2.0/24 to 127.0.0.x</span>
<span class="c1">-- this policy is enforced on answers, therefore &#39;postrule&#39;</span>
<span class="kd">local</span> <span class="n">rule</span> <span class="o">=</span> <span class="n">policy</span><span class="p">.</span><span class="n">add</span><span class="p">(</span><span class="n">policy</span><span class="p">.</span><span class="n">REROUTE</span><span class="p">({</span><span class="s1">&#39;192.0.2.0/24&#39;</span><span class="p">,</span> <span class="s1">&#39;127.0.0.0&#39;</span><span class="p">}),</span> <span class="kc">true</span><span class="p">)</span>
<span class="c1">-- Delete rule that we just created</span>
<span class="n">policy</span><span class="p">.</span><span class="n">del</span><span class="p">(</span><span class="n">rule</span><span class="p">.</span><span class="n">id</span><span class="p">)</span>
</pre></div>
</div>
</div>
<div class="section" id="additional-properties">
<h3>Additional properties<a class="headerlink" href="#additional-properties" title="Permalink to this headline"></a></h3>
<p>Most properties (actions, filters) are described above.</p>
<dl class="function">
<dt id="c.policy.add">
<code class="descname">policy.add</code><span class="sig-paren">(</span>rule, postrule<span class="sig-paren">)</span><a class="headerlink" href="#c.policy.add" title="Permalink to this definition"></a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first simple">
<li><strong>rule</strong> – the rule to add, e.g. <code class="docutils literal"><span class="pre">policy.pattern(policy.DENY,</span> <span class="pre">'[0-9]+\2cz')</span></code></li>
<li><strong>postrule</strong> – boolean, if true the rule will be evaluated on answer instead of query</li>
</ul>
</td>
</tr>
<tr class="field-even field"><th class="field-name">Returns:</th><td class="field-body"><p class="first last">rule description</p>
</td>
</tr>
</tbody>
</table>
<p>Add a new policy rule that is executed either on queries or on answers, depending on the <code class="docutils literal"><span class="pre">postrule</span></code> parameter. You can then use the returned rule description to obtain the rule's unique identifier as well as its match count.</p>
</dd></dl>

<dl class="function">
<dt id="c.policy.del">
<code class="descname">policy.del</code><span class="sig-paren">(</span>id<span class="sig-paren">)</span><a class="headerlink" href="#c.policy.del" title="Permalink to this definition"></a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first simple">
<li><strong>id</strong> – identifier of a given rule</li>
</ul>
</td>
</tr>
<tr class="field-even field"><th class="field-name">Returns:</th><td class="field-body"><p class="first last">boolean</p>
</td>
</tr>
</tbody>
</table>
<p>Remove a rule from the policy list.</p>
</dd></dl>

<dl class="function">
<dt id="c.policy.suffix_common">
<code class="descname">policy.suffix_common</code><span class="sig-paren">(</span>action, suffix_table[, common_suffix]<span class="sig-paren">)</span><a class="headerlink" href="#c.policy.suffix_common" title="Permalink to this definition"></a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first last simple">
<li><strong>action</strong> – action if the pattern matches QNAME</li>
<li><strong>suffix_table</strong> – table of valid suffixes</li>
<li><strong>common_suffix</strong> – common suffix of entries in suffix_table</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>Like a suffix match, but you can also provide a common suffix of all matches for faster processing (nil otherwise).
This function is faster for small suffix tables (in the order of “hundreds” of entries).</p>
</dd></dl>

<dl class="function">
<dt id="c.policy.rpz">
<code class="descname">policy.rpz</code><span class="sig-paren">(</span>action, path[, format]<span class="sig-paren">)</span><a class="headerlink" href="#c.policy.rpz" title="Permalink to this definition"></a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first last simple">
<li><strong>action</strong> – the default action for a match in the zone (e.g. for the RH value <cite>.</cite>)</li>
<li><strong>path</strong> – path to zone file | database</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>Enforce <a class="reference external" href="https://dnsrpz.info/">RPZ</a> rules. This can be used in conjunction with published blocklist feeds.
The <a class="reference external" href="https://dnsrpz.info/">RPZ</a> operation is well described in this <a class="reference external" href="http://jpmens.net/2011/04/26/how-to-configure-your-bind-resolvers-to-lie-using-response-policy-zones-rpz/">Jan-Piet Mens’s post</a>,
or the <a class="reference external" href="http://www.zytrax.com/books/dns/ch7/rpz.html">Pro DNS and BIND</a> book. Here’s the compatibility table:</p>
<table border="1" class="docutils">
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Policy Action</th>
<th class="head">RH Value</th>
<th class="head">Support</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>NXDOMAIN</td>
<td><code class="docutils literal"><span class="pre">.</span></code></td>
<td><strong>yes</strong></td>
</tr>
<tr class="row-odd"><td>NODATA</td>
<td><code class="docutils literal"><span class="pre">*.</span></code></td>
<td><em>partial</em>, implemented as NXDOMAIN</td>
</tr>
<tr class="row-even"><td>Unchanged</td>
<td><code class="docutils literal"><span class="pre">rpz-passthru.</span></code></td>
<td><strong>yes</strong></td>
</tr>
<tr class="row-odd"><td>Nothing</td>
<td><code class="docutils literal"><span class="pre">rpz-drop.</span></code></td>
<td><strong>yes</strong></td>
</tr>
<tr class="row-even"><td>Truncated</td>
<td><code class="docutils literal"><span class="pre">rpz-tcp-only.</span></code></td>
<td><strong>yes</strong></td>
</tr>
<tr class="row-odd"><td>Modified</td>
<td>anything</td>
<td>no</td>
</tr>
</tbody>
</table>
<table border="1" class="docutils">
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Policy Trigger</th>
<th class="head">Support</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>QNAME</td>
<td><strong>yes</strong></td>
</tr>
<tr class="row-odd"><td>CLIENT-IP</td>
<td><em>partial</em>, may be done with <a class="reference internal" href="#mod-view"><span class="std std-ref">views</span></a></td>
</tr>
<tr class="row-even"><td>IP</td>
<td>no</td>
</tr>
<tr class="row-odd"><td>NSDNAME</td>
<td>no</td>
</tr>
<tr class="row-even"><td>NS-IP</td>
<td>no</td>
</tr>
</tbody>
</table>
</dd></dl>

<dl class="function">
<dt id="c.policy.todnames">
<code class="descname">policy.todnames</code><span class="sig-paren">(</span>{name, ...}<span class="sig-paren">)</span><a class="headerlink" href="#c.policy.todnames" title="Permalink to this definition"></a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Param:</th><td class="field-body">names table of domain names in textual format</td>
</tr>
</tbody>
</table>
<p>Returns a table of domain names in wire format, converted from strings.</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="c1">-- Convert single name</span>
<span class="nb">assert</span><span class="p">(</span><span class="n">todname</span><span class="p">(</span><span class="s1">&#39;example.com&#39;</span><span class="p">)</span> <span class="o">==</span> <span class="s1">&#39;</span><span class="se">\7</span><span class="s1">example</span><span class="se">\3</span><span class="s1">com</span><span class="se">\0</span><span class="s1">&#39;</span><span class="p">)</span>
<span class="c1">-- Convert table of names</span>
<span class="n">policy</span><span class="p">.</span><span class="n">todnames</span><span class="p">({</span><span class="s1">&#39;example.com&#39;</span><span class="p">,</span> <span class="s1">&#39;me.cz&#39;</span><span class="p">})</span>
<span class="p">{</span> <span class="s1">&#39;</span><span class="se">\7</span><span class="s1">example</span><span class="se">\3</span><span class="s1">com</span><span class="se">\0</span><span class="s1">&#39;</span><span class="p">,</span> <span class="s1">&#39;</span><span class="se">\2</span><span class="s1">me</span><span class="se">\2</span><span class="s1">cz</span><span class="se">\0</span><span class="s1">&#39;</span> <span class="p">}</span>
</pre></div>
</div>
</dd></dl>

<p>This module is enabled by default because it implements mandatory <span class="target" id="index-1"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6761.html"><strong>RFC 6761</strong></a> logic. For debugging purposes you can add <code class="docutils literal"><span class="pre">modules.unload('policy')</span></code> to your config to unload the module.</p>
</div>
</div>
<div class="section" id="views-and-acls">
<span id="mod-view"></span><h2><a class="toc-backref" href="#id25">Views and ACLs</a><a class="headerlink" href="#views-and-acls" title="Permalink to this headline"></a></h2>
<p>The <a class="reference internal" href="#mod-policy"><span class="std std-ref">policy</span></a> module implements policies for global query matching, i.e. it answers “how to react to a certain query”.
This module combines that with query source matching, i.e. “who asked the query”. This allows you to create personalized blacklists,
filters and ACLs, somewhat like ISC BIND views.</p>
<p>There are two identification mechanisms:</p>
<ul class="simple">
<li><code class="docutils literal"><span class="pre">subnet</span></code>
- identifies the client based on its source subnet</li>
<li><code class="docutils literal"><span class="pre">tsig</span></code>
- identifies the client based on a TSIG key</li>
</ul>
<p>You can combine this information with <a class="reference internal" href="#mod-policy"><span class="std std-ref">policy</span></a> rules.</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">view</span><span class="p">:</span><span class="n">addr</span><span class="p">(</span><span class="s1">&#39;10.0.0.1&#39;</span><span class="p">,</span> <span class="n">policy</span><span class="p">.</span><span class="n">suffix</span><span class="p">(</span><span class="n">policy</span><span class="p">.</span><span class="n">TC</span><span class="p">,</span> <span class="p">{</span><span class="s1">&#39;</span><span class="se">\7</span><span class="s1">example</span><span class="se">\3</span><span class="s1">com&#39;</span><span class="p">}))</span>
</pre></div>
</div>
<p>This will force the given client subnet to TCP for names in <code class="docutils literal"><span class="pre">example.com</span></code>.
You can combine view selectors with <a class="reference external" href="https://dnsrpz.info/">RPZ</a>, for example, to create personalized filters.</p>
<div class="section" id="example-configuration">
<h3>Example configuration<a class="headerlink" href="#example-configuration" title="Permalink to this headline"></a></h3>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="c1">-- Load modules</span>
<span class="n">modules</span> <span class="o">=</span> <span class="p">{</span> <span class="s1">&#39;policy&#39;</span><span class="p">,</span> <span class="s1">&#39;view&#39;</span> <span class="p">}</span>
<span class="c1">-- Whitelist queries identified by TSIG key</span>
<span class="n">view</span><span class="p">:</span><span class="n">tsig</span><span class="p">(</span><span class="s1">&#39;</span><span class="se">\5</span><span class="s1">mykey&#39;</span><span class="p">,</span> <span class="kr">function</span> <span class="p">(</span><span class="n">req</span><span class="p">,</span> <span class="n">qry</span><span class="p">)</span> <span class="kr">return</span> <span class="n">policy</span><span class="p">.</span><span class="n">PASS</span> <span class="kr">end</span><span class="p">)</span>
<span class="c1">-- Block local clients (ACL like)</span>
<span class="n">view</span><span class="p">:</span><span class="n">addr</span><span class="p">(</span><span class="s1">&#39;127.0.0.1&#39;</span><span class="p">,</span> <span class="kr">function</span> <span class="p">(</span><span class="n">req</span><span class="p">,</span> <span class="n">qry</span><span class="p">)</span> <span class="kr">return</span> <span class="n">policy</span><span class="p">.</span><span class="n">DENY</span> <span class="kr">end</span><span class="p">))</span>
<span class="c1">-- Drop queries with suffix match for remote client</span>
<span class="n">view</span><span class="p">:</span><span class="n">addr</span><span class="p">(</span><span class="s1">&#39;10.0.0.0/8&#39;</span><span class="p">,</span> <span class="n">policy</span><span class="p">.</span><span class="n">suffix</span><span class="p">(</span><span class="n">policy</span><span class="p">.</span><span class="n">DROP</span><span class="p">,</span> <span class="p">{</span><span class="s1">&#39;</span><span class="se">\3</span><span class="s1">xxx&#39;</span><span class="p">}))</span>
<span class="c1">-- RPZ for subset of clients</span>
<span class="n">view</span><span class="p">:</span><span class="n">addr</span><span class="p">(</span><span class="s1">&#39;192.168.1.0/24&#39;</span><span class="p">,</span> <span class="n">policy</span><span class="p">.</span><span class="n">rpz</span><span class="p">(</span><span class="n">policy</span><span class="p">.</span><span class="n">PASS</span><span class="p">,</span> <span class="s1">&#39;whitelist.rpz&#39;</span><span class="p">))</span>
<span class="c1">-- Forward all queries from given subnet to proxy</span>
<span class="n">view</span><span class="p">:</span><span class="n">addr</span><span class="p">(</span><span class="s1">&#39;10.0.0.0/8&#39;</span><span class="p">,</span> <span class="n">policy</span><span class="p">.</span><span class="n">all</span><span class="p">(</span><span class="n">policy</span><span class="p">.</span><span class="n">FORWARD</span><span class="p">(</span><span class="s1">&#39;2001:DB8::1&#39;</span><span class="p">)))</span>
<span class="c1">-- Drop everything that hasn&#39;t matched</span>
<span class="n">view</span><span class="p">:</span><span class="n">addr</span><span class="p">(</span><span class="s1">&#39;0.0.0.0/0&#39;</span><span class="p">,</span> <span class="kr">function</span> <span class="p">(</span><span class="n">req</span><span class="p">,</span> <span class="n">qry</span><span class="p">)</span> <span class="kr">return</span> <span class="n">policy</span><span class="p">.</span><span class="n">DROP</span> <span class="kr">end</span><span class="p">)</span>
</pre></div>
</div>
</div>
<div class="section" id="id3">
<h3>Properties<a class="headerlink" href="#id3" title="Permalink to this headline"></a></h3>
<dl class="function">
<dt id="c.view:addr">
<code class="descname">view:addr</code><span class="sig-paren">(</span>subnet, rule<span class="sig-paren">)</span><a class="headerlink" href="#c.view:addr" title="Permalink to this definition"></a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first last simple">
<li><strong>subnet</strong> – client subnet, e.g. <code class="docutils literal"><span class="pre">10.0.0.1</span></code></li>
<li><strong>rule</strong> – rule to add, e.g. <code class="docutils literal"><span class="pre">policy.pattern(policy.DENY,</span> <span class="pre">'[0-9]+\2cz')</span></code></li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>Apply rule to clients in given subnet.</p>
</dd></dl>

<dl class="function">
<dt id="c.view:tsig">
<code class="descname">view:tsig</code><span class="sig-paren">(</span>key, rule<span class="sig-paren">)</span><a class="headerlink" href="#c.view:tsig" title="Permalink to this definition"></a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first last simple">
<li><strong>key</strong> – client TSIG key domain name, e.g. <code class="docutils literal"><span class="pre">\5mykey</span></code></li>
<li><strong>rule</strong> – rule to add, e.g. <code class="docutils literal"><span class="pre">policy.pattern(policy.DENY,</span> <span class="pre">'[0-9]+\2cz')</span></code></li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>Apply rule to clients with given TSIG key.</p>
<div class="admonition warning">
<p class="first admonition-title">Warning</p>
<p class="last">This only selects a rule based on the key name carried in the query; it does not verify the key or the signature yet. Because that key name is unauthenticated, any client can present it, so do not rely on this selector for access control until verification is implemented.</p>
</div>
</dd></dl>

</div>
</div>
<div class="section" id="prefetching-records">
<span id="mod-predict"></span><h2><a class="toc-backref" href="#id26">Prefetching records</a><a class="headerlink" href="#prefetching-records" title="Permalink to this headline"></a></h2>
<p>The module refreshes records that are about to expire when they’re used (i.e. having less than 1% of the original TTL left).
This improves latency for frequently used records, as they are fetched in advance.</p>
<p>It is also able to learn usage patterns and repetitive queries that the server makes. For example, if
it makes a query every day at 18:00, the resolver expects that it is needed by that time and prefetches it
ahead of time. This is helpful to minimize the perceived latency and keeps the cache hot.</p>
<div class="admonition tip">
<p class="first admonition-title">Tip</p>
<p class="last">The tracking window and period length determine memory requirements. If you have a server with relatively fast query turnover, keep the period short (an hour to start) and the tracking window shorter (5 minutes). For a personal, slower resolver, keep the tracking window longer (e.g. 30 minutes) and the period longer (a day), as habitual queries occur daily. Experiment to get the best results.</p>
</div>
<div class="section" id="id5">
<h3>Example configuration<a class="headerlink" href="#id5" title="Permalink to this headline"></a></h3>
<div class="admonition warning">
<p class="first admonition-title">Warning</p>
<p class="last">This module requires the ‘stats’ module to be present and loaded.</p>
</div>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">modules</span> <span class="o">=</span> <span class="p">{</span>
        <span class="n">predict</span> <span class="o">=</span> <span class="p">{</span>
                <span class="n">window</span> <span class="o">=</span> <span class="mi">15</span><span class="p">,</span> <span class="c1">-- 15 minutes sampling window</span>
                <span class="n">period</span> <span class="o">=</span> <span class="mi">6</span><span class="o">*</span><span class="p">(</span><span class="mi">60</span><span class="o">/</span><span class="mi">15</span><span class="p">)</span> <span class="c1">-- track last 6 hours</span>
        <span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div>
<p>Defaults are 15 minutes window, 6 hours period.</p>
<div class="admonition tip">
<p class="first admonition-title">Tip</p>
<p class="last">Use period 0 to turn off prediction and just do prefetching of expiring records.
That works even without the ‘stats’ module.</p>
</div>
</div>
<div class="section" id="exported-metrics">
<h3>Exported metrics<a class="headerlink" href="#exported-metrics" title="Permalink to this headline"></a></h3>
<p>To visualize the efficiency of the predictions, the module exports the following statistics.</p>
<ul class="simple">
<li><code class="docutils literal"><span class="pre">predict.epoch</span></code> - current prediction epoch (based on time of day and sampling window)</li>
<li><code class="docutils literal"><span class="pre">predict.queue</span></code> - number of queued queries in current window</li>
<li><code class="docutils literal"><span class="pre">predict.learned</span></code> - number of learned queries in current window</li>
</ul>
</div>
<div class="section" id="id6">
<h3>Properties<a class="headerlink" href="#id6" title="Permalink to this headline"></a></h3>
<dl class="function">
<dt id="c.predict.config">
<code class="descname">predict.config</code><span class="sig-paren">(</span>{ window =<em>&nbsp;15</em>, period =<em>&nbsp;24}</em><span class="sig-paren">)</span><a class="headerlink" href="#c.predict.config" title="Permalink to this definition"></a></dt>
<dd><p>Reconfigure the predictor to the given tracking window and period length. Both parameters are optional.
Window length is in minutes; period is the number of windows that can be kept in memory,
e.g. if a <code class="docutils literal"><span class="pre">window</span></code> is 15 minutes, a <code class="docutils literal"><span class="pre">period</span></code> of “24” means 6 hours.</p>
</dd></dl>

</div>
</div>
<div class="section" id="http-2-services">
<span id="mod-http"></span><h2><a class="toc-backref" href="#id27">HTTP/2 services</a><a class="headerlink" href="#http-2-services" title="Permalink to this headline"></a></h2>
<p>This module does the heavy lifting to provide an HTTP/2 enabled
server that supports TLS by default and provides endpoints for other modules
so that they can export RESTful APIs and WebSocket streams.
One example is the statistics module, which can stream live metrics to the website,
or publish metrics on request for a Prometheus scraper.</p>
<p>The server allows other modules to either use the default endpoint, which provides a
built-in webpage, RESTful APIs and WebSocket streams, or create new endpoints.</p>
<div class="section" id="id7">
<h3>Example configuration<a class="headerlink" href="#id7" title="Permalink to this headline"></a></h3>
<p>By default, the web interface starts HTTPS/2 on port 8053 using an ephemeral
certificate that is valid for 90 days and is automatically renewed. It is of
course self-signed, so clients cannot authenticate the server with it; use your own judgement before exposing it
to the outside world. Why not use something like <a class="reference external" href="https://letsencrypt.org">Let’s Encrypt</a>
for starters?</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="c1">-- Load HTTP module with defaults</span>
<span class="n">modules</span> <span class="o">=</span> <span class="p">{</span>
        <span class="n">http</span> <span class="o">=</span> <span class="p">{</span>
                <span class="n">host</span> <span class="o">=</span> <span class="s1">&#39;localhost&#39;</span><span class="p">,</span>
                <span class="n">port</span> <span class="o">=</span> <span class="mi">8053</span><span class="p">,</span>
                <span class="n">geoip</span> <span class="o">=</span> <span class="s1">&#39;GeoLite2-City.mmdb&#39;</span> <span class="c1">-- Optional, see</span>
                <span class="c1">-- e.g. https://dev.maxmind.com/geoip/geoip2/geolite2/</span>
                <span class="c1">-- and install mmdblua library</span>
        <span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div>
<p>Now you can reach the web services and APIs, done!</p>
<div class="highlight-bash"><div class="highlight"><pre><span></span>$ curl -k https://localhost:8053
$ curl -k https://localhost:8053/stats
</pre></div>
</div>
<p>It is possible to disable HTTPS altogether by passing the <code class="docutils literal"><span class="pre">cert</span> <span class="pre">=</span> <span class="pre">false</span></code> option.
While it is not recommended, it can be acceptable for localhost tests because, for example,
Safari doesn’t allow WebSockets over HTTPS with a self-signed certificate.
A major drawback is that current browsers won’t do HTTP/2 over an insecure connection, and everything the module serves (metrics, traces, your own endpoints) then travels in the clear.</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">http</span> <span class="o">=</span> <span class="p">{</span>
        <span class="n">host</span> <span class="o">=</span> <span class="s1">&#39;localhost&#39;</span><span class="p">,</span>
        <span class="n">port</span> <span class="o">=</span> <span class="mi">8053</span><span class="p">,</span>
        <span class="n">cert</span> <span class="o">=</span> <span class="kc">false</span><span class="p">,</span>
<span class="p">}</span>
</pre></div>
</div>
<p>If you want to provide your own certificate and key, you’re welcome to do so:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">http</span> <span class="o">=</span> <span class="p">{</span>
        <span class="n">host</span> <span class="o">=</span> <span class="s1">&#39;localhost&#39;</span><span class="p">,</span>
        <span class="n">port</span> <span class="o">=</span> <span class="mi">8053</span><span class="p">,</span>
        <span class="n">cert</span> <span class="o">=</span> <span class="s1">&#39;mycert.crt&#39;</span><span class="p">,</span>
        <span class="n">key</span>  <span class="o">=</span> <span class="s1">&#39;mykey.key&#39;</span><span class="p">,</span>
<span class="p">}</span>
</pre></div>
</div>
<p>The format of both certificate and key is expected to be PEM, e.g. equivalent to
the outputs of the following:</p>
<div class="highlight-bash"><div class="highlight"><pre><span></span>openssl ecparam -genkey -name prime256v1 -out mykey.key
openssl req -new -key mykey.key -out csr.pem
openssl req -x509 -days <span class="m">90</span> -key mykey.key -in csr.pem -out mycert.crt
</pre></div>
</div>
</div>
<div class="section" id="built-in-services">
<h3>Built-in services<a class="headerlink" href="#built-in-services" title="Permalink to this headline"></a></h3>
<p>The HTTP module has several built-in services to use.</p>
<table border="1" class="docutils">
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Endpoint</th>
<th class="head">Service</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal"><span class="pre">/stats</span></code></td>
<td>Statistics/metrics</td>
<td>Exported metrics in JSON.</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal"><span class="pre">/metrics</span></code></td>
<td>Prometheus metrics</td>
<td>Exported metrics for <a class="reference external" href="https://prometheus.io">Prometheus</a></td>
</tr>
<tr class="row-even"><td><code class="docutils literal"><span class="pre">/feed</span></code></td>
<td>Most frequent queries</td>
<td>List of most frequent queries in JSON.</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal"><span class="pre">/trace/:name/:type</span></code></td>
<td>Tracking</td>
<td>Trace resolution of the query and return the verbose logs.</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="enabling-prometheus-metrics-endpoint">
<h3>Enabling Prometheus metrics endpoint<a class="headerlink" href="#enabling-prometheus-metrics-endpoint" title="Permalink to this headline"></a></h3>
<p>The module exposes <code class="docutils literal"><span class="pre">/metrics</span></code> endpoint that serves internal metrics in <a class="reference external" href="https://prometheus.io">Prometheus</a> text format.
You can use it out of the box:</p>
<div class="highlight-bash"><div class="highlight"><pre><span></span>$ curl -k https://localhost:8053/metrics <span class="p">|</span> tail
<span class="c1"># TYPE latency histogram</span>
latency_bucket<span class="o">{</span><span class="nv">le</span><span class="o">=</span><span class="m">10</span><span class="o">}</span> <span class="m">2</span>.000000
latency_bucket<span class="o">{</span><span class="nv">le</span><span class="o">=</span><span class="m">50</span><span class="o">}</span> <span class="m">2</span>.000000
latency_bucket<span class="o">{</span><span class="nv">le</span><span class="o">=</span><span class="m">100</span><span class="o">}</span> <span class="m">2</span>.000000
latency_bucket<span class="o">{</span><span class="nv">le</span><span class="o">=</span><span class="m">250</span><span class="o">}</span> <span class="m">2</span>.000000
latency_bucket<span class="o">{</span><span class="nv">le</span><span class="o">=</span><span class="m">500</span><span class="o">}</span> <span class="m">2</span>.000000
latency_bucket<span class="o">{</span><span class="nv">le</span><span class="o">=</span><span class="m">1000</span><span class="o">}</span> <span class="m">2</span>.000000
latency_bucket<span class="o">{</span><span class="nv">le</span><span class="o">=</span><span class="m">1500</span><span class="o">}</span> <span class="m">2</span>.000000
latency_bucket<span class="o">{</span><span class="nv">le</span><span class="o">=</span>+Inf<span class="o">}</span> <span class="m">2</span>.000000
latency_count <span class="m">2</span>.000000
latency_sum <span class="m">11</span>.000000
</pre></div>
</div>
</div>
<div class="section" id="tracing-requests">
<h3>Tracing requests<a class="headerlink" href="#tracing-requests" title="Permalink to this headline"></a></h3>
<p>With the <code class="docutils literal"><span class="pre">/trace</span></code> endpoint you can trace various aspects of the request execution.
The basic mode allows you to resolve a query and trace verbose logs (and messages received):</p>
<div class="highlight-bash"><div class="highlight"><pre><span></span>$ curl http://localhost:8053/trace/e.root-servers.net
<span class="o">[</span> <span class="m">8138</span><span class="o">]</span> <span class="o">[</span>iter<span class="o">]</span> <span class="s1">&#39;e.root-servers.net.&#39;</span> <span class="nb">type</span> <span class="s1">&#39;A&#39;</span> created outbound query, parent id <span class="m">0</span>
<span class="o">[</span> <span class="m">8138</span><span class="o">]</span> <span class="o">[</span> rc <span class="o">]</span> <span class="o">=</span>&gt; rank: <span class="m">020</span>, lowest <span class="m">020</span>, e.root-servers.net. A
<span class="o">[</span> <span class="m">8138</span><span class="o">]</span> <span class="o">[</span> rc <span class="o">]</span> <span class="o">=</span>&gt; satisfied from cache
<span class="o">[</span> <span class="m">8138</span><span class="o">]</span> <span class="o">[</span>iter<span class="o">]</span> &lt;<span class="o">=</span> answer received:
<span class="p">;;</span> -&gt;&gt;HEADER<span class="s">&lt;&lt;- opco</span>de: QUERY<span class="p">;</span> status: NOERROR<span class="p">;</span> id: <span class="m">8138</span>
<span class="p">;;</span> Flags: qr aa  QUERY: <span class="m">1</span><span class="p">;</span> ANSWER: <span class="m">0</span><span class="p">;</span> AUTHORITY: <span class="m">0</span><span class="p">;</span> ADDITIONAL: <span class="m">0</span>

<span class="p">;;</span> QUESTION SECTION
e.root-servers.net.          A

<span class="p">;;</span> ANSWER SECTION
e.root-servers.net.  <span class="m">3556353</span> A       <span class="m">192</span>.203.230.10

<span class="o">[</span> <span class="m">8138</span><span class="o">]</span> <span class="o">[</span>iter<span class="o">]</span> &lt;<span class="o">=</span> rcode: NOERROR
<span class="o">[</span> <span class="m">8138</span><span class="o">]</span> <span class="o">[</span>resl<span class="o">]</span> finished: <span class="m">4</span>, queries: <span class="m">1</span>, mempool: <span class="m">81952</span> B
</pre></div>
</div>
</div>
<div class="section" id="how-to-expose-services-over-http">
<h3>How to expose services over HTTP<a class="headerlink" href="#how-to-expose-services-over-http" title="Permalink to this headline"></a></h3>
<p>The module provides a table <code class="docutils literal"><span class="pre">endpoints</span></code> of already existing endpoints; it is free for reading and
writing. It contains tables describing a triplet - <code class="docutils literal"><span class="pre">{mime,</span> <span class="pre">on_serve,</span> <span class="pre">on_websocket}</span></code>.
In order to register a new service, simply add it to the table:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">http</span><span class="p">.</span><span class="n">endpoints</span><span class="p">[</span><span class="s1">&#39;/health&#39;</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="s1">&#39;application/json&#39;</span><span class="p">,</span>
<span class="kr">function</span> <span class="p">(</span><span class="n">h</span><span class="p">,</span> <span class="n">stream</span><span class="p">)</span>
        <span class="c1">-- API call, return a JSON table</span>
        <span class="kr">return</span> <span class="p">{</span><span class="n">state</span> <span class="o">=</span> <span class="s1">&#39;up&#39;</span><span class="p">,</span> <span class="n">uptime</span> <span class="o">=</span> <span class="mi">0</span><span class="p">}</span>
<span class="kr">end</span><span class="p">,</span>
<span class="kr">function</span> <span class="p">(</span><span class="n">h</span><span class="p">,</span> <span class="n">ws</span><span class="p">)</span>
        <span class="c1">-- Stream current status every second</span>
        <span class="kd">local</span> <span class="n">ok</span> <span class="o">=</span> <span class="kc">true</span>
        <span class="kr">while</span> <span class="n">ok</span> <span class="kr">do</span>
                <span class="kd">local</span> <span class="n">push</span> <span class="o">=</span> <span class="n">tojson</span><span class="p">(</span><span class="s1">&#39;up&#39;</span><span class="p">)</span>
                <span class="n">ok</span> <span class="o">=</span> <span class="n">ws</span><span class="p">:</span><span class="n">send</span><span class="p">(</span><span class="n">tojson</span><span class="p">({</span><span class="s1">&#39;up&#39;</span><span class="p">}))</span>
                <span class="nb">require</span><span class="p">(</span><span class="s1">&#39;cqueues&#39;</span><span class="p">).</span><span class="n">sleep</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
        <span class="kr">end</span>
        <span class="c1">-- Finalize the WebSocket</span>
        <span class="n">ws</span><span class="p">:</span><span class="n">close</span><span class="p">()</span>
<span class="kr">end</span><span class="p">}</span>
</pre></div>
</div>
<p>Then you can query the API endpoint, or tail the WebSocket using curl.</p>
<div class="highlight-bash"><div class="highlight"><pre><span></span>$ curl -k http://localhost:8053/health
<span class="o">{</span><span class="s2">&quot;state&quot;</span>:<span class="s2">&quot;up&quot;</span>,<span class="s2">&quot;uptime&quot;</span>:0<span class="o">}</span>
$ curl -k -i -N -H <span class="s2">&quot;Connection: Upgrade&quot;</span> -H <span class="s2">&quot;Upgrade: websocket&quot;</span> -H <span class="s2">&quot;Host: localhost:8053/health&quot;</span>  -H <span class="s2">&quot;Sec-Websocket-Key: nope&quot;</span> -H <span class="s2">&quot;Sec-Websocket-Version: 13&quot;</span> https://localhost:8053/health
HTTP/1.1 <span class="m">101</span> Switching Protocols
upgrade: websocket
sec-websocket-accept: eg18mwU7CDRGUF1Q+EJwPM335eM<span class="o">=</span>
connection: upgrade

?<span class="o">[</span><span class="s2">&quot;up&quot;</span><span class="o">]</span>?<span class="o">[</span><span class="s2">&quot;up&quot;</span><span class="o">]</span>?<span class="o">[</span><span class="s2">&quot;up&quot;</span><span class="o">]</span>
</pre></div>
</div>
<p>Since the stream handlers are effectively coroutines, you are free to keep state and yield using cqueues.
This is especially useful for WebSockets, as you can stream content in a simple loop instead of
chains of callbacks.</p>
<p>The last thing you can publish from modules are <em>“snippets”</em>. Snippets are plain pieces of HTML code that are rendered as HTML at the end of the built-in webpage, so only put module-controlled markup there and escape any dynamic data before including it. The snippets can be extended with JS code to talk to already
exported RESTful APIs and subscribe to WebSockets.</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">http</span><span class="p">.</span><span class="n">snippets</span><span class="p">[</span><span class="s1">&#39;/health&#39;</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="s1">&#39;Health service&#39;</span><span class="p">,</span> <span class="s1">&#39;&lt;p&gt;UP!&lt;/p&gt;&#39;</span><span class="p">}</span>
</pre></div>
</div>
</div>
<div class="section" id="how-to-expose-restful-services">
<h3>How to expose RESTful services<a class="headerlink" href="#how-to-expose-restful-services" title="Permalink to this headline"></a></h3>
<p>A RESTful service is likely to respond differently to different types of methods and requests;
there are three things that you can do in a service handler to send back results.
The first is to just send whatever you want to send back; it has to respect the MIME type that the service
declared in the endpoint definition. The response code would then be <code class="docutils literal"><span class="pre">200</span> <span class="pre">OK</span></code>, and any non-string
responses will be packed to JSON. Alternatively, you can respond with a number corresponding to
the HTTP response code, or send headers and body yourself.</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="c1">-- Our upvalue</span>
<span class="kd">local</span> <span class="n">value</span> <span class="o">=</span> <span class="mi">42</span>

<span class="c1">-- Expose the service</span>
<span class="n">http</span><span class="p">.</span><span class="n">endpoints</span><span class="p">[</span><span class="s1">&#39;/service&#39;</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="s1">&#39;application/json&#39;</span><span class="p">,</span>
<span class="kr">function</span> <span class="p">(</span><span class="n">h</span><span class="p">,</span> <span class="n">stream</span><span class="p">)</span>
        <span class="c1">-- Get request method and deal with it properly</span>
        <span class="kd">local</span> <span class="n">m</span> <span class="o">=</span> <span class="n">h</span><span class="p">:</span><span class="n">get</span><span class="p">(</span><span class="s1">&#39;:method&#39;</span><span class="p">)</span>
        <span class="kd">local</span> <span class="n">path</span> <span class="o">=</span> <span class="n">h</span><span class="p">:</span><span class="n">get</span><span class="p">(</span><span class="s1">&#39;:path&#39;</span><span class="p">)</span>
        <span class="n">log</span><span class="p">(</span><span class="s1">&#39;[service] method %s path %s&#39;</span><span class="p">,</span> <span class="n">m</span><span class="p">,</span> <span class="n">path</span><span class="p">)</span>
        <span class="c1">-- Return table, response code will be &#39;200 OK&#39;</span>
        <span class="kr">if</span> <span class="n">m</span> <span class="o">==</span> <span class="s1">&#39;GET&#39;</span> <span class="kr">then</span>
                <span class="kr">return</span> <span class="p">{</span><span class="n">key</span> <span class="o">=</span> <span class="n">path</span><span class="p">,</span> <span class="n">value</span> <span class="o">=</span> <span class="n">value</span><span class="p">}</span>
        <span class="c1">-- Save body, perform check and either respond with 500 or 200 OK</span>
        <span class="kr">elseif</span> <span class="n">m</span> <span class="o">==</span> <span class="s1">&#39;POST&#39;</span> <span class="kr">then</span>
                <span class="kd">local</span> <span class="n">data</span> <span class="o">=</span> <span class="n">stream</span><span class="p">:</span><span class="n">get_body_as_string</span><span class="p">()</span>
                <span class="kr">if</span> <span class="ow">not</span> <span class="nb">tonumber</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="kr">then</span>
                        <span class="kr">return</span> <span class="mi">500</span><span class="p">,</span> <span class="s1">&#39;Not a good request&#39;</span>
                <span class="kr">end</span>
                <span class="n">value</span> <span class="o">=</span> <span class="nb">tonumber</span><span class="p">(</span><span class="n">data</span><span class="p">)</span>
        <span class="c1">-- Unsupported method, return 405 Method not allowed</span>
        <span class="kr">else</span>
                <span class="kr">return</span> <span class="mi">405</span><span class="p">,</span> <span class="s1">&#39;Cannot do that&#39;</span>
        <span class="kr">end</span>
<span class="kr">end</span><span class="p">}</span>
</pre></div>
</div>
<p>In some cases you might need to send back your own headers instead of the defaults provided by the HTTP handler.
You can do this, but you then have to return <code class="docutils literal"><span class="pre">false</span></code> to notify the handler that it should not try to generate
a response itself.</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="kd">local</span> <span class="n">headers</span> <span class="o">=</span> <span class="nb">require</span><span class="p">(</span><span class="s1">&#39;http.headers&#39;</span><span class="p">)</span>
<span class="kr">function</span> <span class="p">(</span><span class="n">h</span><span class="p">,</span> <span class="n">stream</span><span class="p">)</span>
        <span class="c1">-- Send back headers</span>
        <span class="kd">local</span> <span class="n">hsend</span> <span class="o">=</span> <span class="n">headers</span><span class="p">.</span><span class="n">new</span><span class="p">()</span>
        <span class="n">hsend</span><span class="p">:</span><span class="n">append</span><span class="p">(</span><span class="s1">&#39;:status&#39;</span><span class="p">,</span> <span class="s1">&#39;200&#39;</span><span class="p">)</span>
        <span class="n">hsend</span><span class="p">:</span><span class="n">append</span><span class="p">(</span><span class="s1">&#39;content-type&#39;</span><span class="p">,</span> <span class="s1">&#39;binary/octet-stream&#39;</span><span class="p">)</span>
        <span class="nb">assert</span><span class="p">(</span><span class="n">stream</span><span class="p">:</span><span class="n">write_headers</span><span class="p">(</span><span class="n">hsend</span><span class="p">,</span> <span class="kc">false</span><span class="p">))</span>
        <span class="c1">-- Send back data</span>
        <span class="kd">local</span> <span class="n">data</span> <span class="o">=</span> <span class="s1">&#39;binary-data&#39;</span>
        <span class="nb">assert</span><span class="p">(</span><span class="n">stream</span><span class="p">:</span><span class="n">write_chunk</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="kc">true</span><span class="p">))</span>
        <span class="c1">-- Disable default handler action</span>
        <span class="kr">return</span> <span class="kc">false</span>
<span class="kr">end</span>
</pre></div>
</div>
</div>
<div class="section" id="how-to-expose-more-interfaces">
<h3>How to expose more interfaces<a class="headerlink" href="#how-to-expose-more-interfaces" title="Permalink to this headline"></a></h3>
<p>Services exposed in the previous part share the same external interface. This means that all of them are either accessible to the outside world or only internally; you cannot expose some externally and keep others internal on that one interface. This is not always desired, e.g. you might want to offer DNS/HTTPS to everyone, but allow application firewall configuration only on localhost. The <code class="docutils literal"><span class="pre">http</span></code> module allows you to create additional interfaces with custom endpoints for this purpose.</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">http</span><span class="p">.</span><span class="n">interface</span><span class="p">(</span><span class="s1">&#39;127.0.0.1&#39;</span><span class="p">,</span> <span class="mi">8080</span><span class="p">,</span> <span class="p">{</span>
        <span class="p">[</span><span class="s1">&#39;/conf&#39;</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="s1">&#39;application/json&#39;</span><span class="p">,</span> <span class="kr">function</span> <span class="p">(</span><span class="n">h</span><span class="p">,</span> <span class="n">stream</span><span class="p">)</span> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;configuration API&#39;</span><span class="p">)</span> <span class="kr">end</span><span class="p">},</span>
        <span class="p">[</span><span class="s1">&#39;/private&#39;</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="s1">&#39;text/html&#39;</span><span class="p">,</span> <span class="n">static_page</span><span class="p">},</span>
<span class="p">})</span>
</pre></div>
</div>
<p>This way you can have different internal-facing and external-facing services at the same time.</p>
</div>
<div class="section" id="dependencies">
<h3>Dependencies<a class="headerlink" href="#dependencies" title="Permalink to this headline"></a></h3>
<ul>
<li><p class="first"><a class="reference external" href="https://github.com/daurnimator/lua-http">lua-http</a> (&gt;= 0.1) available in LuaRocks</p>
<blockquote>
<div><p>If you’re installing via Homebrew on OS X, you need OpenSSL too.</p>
<div class="highlight-bash"><div class="highlight"><pre><span></span>$ brew update
$ brew install openssl
$ brew link openssl --force <span class="c1"># Override system OpenSSL</span>
</pre></div>
</div>
<p>Any other system can install from LuaRocks directly:</p>
<div class="highlight-bash"><div class="highlight"><pre><span></span>$ luarocks install http
</pre></div>
</div>
</div></blockquote>
</li>
<li><p class="first"><a class="reference external" href="https://github.com/daurnimator/mmdblua">mmdblua</a> available in LuaRocks</p>
<blockquote>
<div><div class="highlight-bash"><div class="highlight"><pre><span></span>$ luarocks install --server<span class="o">=</span>https://luarocks.org/dev mmdblua
$ curl -O https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz
$ gzip -d GeoLite2-City.mmdb.gz
</pre></div>
</div>
</div></blockquote>
</li>
</ul>
</div>
</div>
<div class="section" id="dns-application-firewall">
<span id="mod-daf"></span><h2><a class="toc-backref" href="#id28">DNS Application Firewall</a><a class="headerlink" href="#dns-application-firewall" title="Permalink to this headline"></a></h2>
<p>This module is a high-level interface for other powerful filtering modules and DNS views. It provides an easy interface to apply and monitor DNS filtering rules and a persistent memory for them. It also provides a restful service interface and an HTTP interface.</p>
<div class="section" id="id8">
<h3>Example configuration<a class="headerlink" href="#id8" title="Permalink to this headline"></a></h3>
<p>Firewall rules are declarative and consist of filters and actions. Filters have <code class="docutils literal"><span class="pre">field</span> <span class="pre">operator</span> <span class="pre">operand</span></code> notation (e.g. <code class="docutils literal"><span class="pre">qname</span> <span class="pre">=</span> <span class="pre">example.com</span></code>), and may be chained using AND/OR keywords. Actions may or may not have parameters after the action name.</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="c1">-- Let&#39;s write some daft rules!</span>
<span class="n">modules</span> <span class="o">=</span> <span class="p">{</span> <span class="s1">&#39;daf&#39;</span> <span class="p">}</span>

<span class="c1">-- Block all queries with QNAME = example.com</span>
<span class="n">daf</span><span class="p">.</span><span class="n">add</span> <span class="s1">&#39;qname = example.com deny&#39;</span>

<span class="c1">-- Filters can be combined using AND/OR...</span>
<span class="c1">-- Block all queries with QNAME match regex and coming from given subnet</span>
<span class="n">daf</span><span class="p">.</span><span class="n">add</span> <span class="s1">&#39;qname ~ %w+.example.com AND src = 192.0.2.0/24 deny&#39;</span>

<span class="c1">-- We also can reroute addresses in response to alternate target</span>
<span class="c1">-- This reroutes 1.2.3.4 to localhost</span>
<span class="n">daf</span><span class="p">.</span><span class="n">add</span> <span class="s1">&#39;src = 127.0.0.0/8 reroute 192.0.2.1-127.0.0.1&#39;</span>

<span class="c1">-- Subnets work too, this reroutes a whole subnet</span>
<span class="c1">-- e.g. 192.0.2.55 to 127.0.0.55</span>
<span class="n">daf</span><span class="p">.</span><span class="n">add</span> <span class="s1">&#39;src = 127.0.0.0/8 reroute 192.0.2.0/24-127.0.0.0&#39;</span>

<span class="c1">-- This rewrites all A answers for &#39;example.com&#39; from</span>
<span class="c1">-- whatever the original address was to 127.0.0.2</span>
<span class="n">daf</span><span class="p">.</span><span class="n">add</span> <span class="s1">&#39;src = 127.0.0.0/8 rewrite example.com A 127.0.0.2&#39;</span>

<span class="c1">-- Mirror queries matching given name to DNS logger</span>
<span class="n">daf</span><span class="p">.</span><span class="n">add</span> <span class="s1">&#39;qname ~ %w+.example.com mirror 127.0.0.2&#39;</span>
<span class="n">daf</span><span class="p">.</span><span class="n">add</span> <span class="s1">&#39;qname ~ example-%d.com mirror 127.0.0.3@5353&#39;</span>

<span class="c1">-- Forward queries from subnet</span>
<span class="n">daf</span><span class="p">.</span><span class="n">add</span> <span class="s1">&#39;src = 127.0.0.1/8 forward 127.0.0.1@5353&#39;</span>
<span class="c1">-- Forward to multiple targets</span>
<span class="n">daf</span><span class="p">.</span><span class="n">add</span> <span class="s1">&#39;src = 127.0.0.1/8 forward 127.0.0.1@5353,127.0.0.2@5353&#39;</span>

<span class="c1">-- Truncate queries based on destination IPs</span>
<span class="n">daf</span><span class="p">.</span><span class="n">add</span> <span class="s1">&#39;dst = 192.0.2.51 truncate&#39;</span>

<span class="c1">-- Disable a rule</span>
<span class="n">daf</span><span class="p">.</span><span class="n">disable</span> <span class="mi">2</span>
<span class="c1">-- Enable a rule</span>
<span class="n">daf</span><span class="p">.</span><span class="n">enable</span> <span class="mi">2</span>
<span class="c1">-- Delete a rule</span>
<span class="n">daf</span><span class="p">.</span><span class="n">del</span> <span class="mi">2</span>
</pre></div>
</div>
<p>If you’re not sure what firewall rules are in effect, see <code class="docutils literal"><span class="pre">daf.rules</span></code>:</p>
<div class="highlight-text"><div class="highlight"><pre><span></span>-- Show active rules
&gt; daf.rules
[1] =&gt; {
    [rule] =&gt; {
        [count] =&gt; 42
        [id] =&gt; 1
        [cb] =&gt; function: 0x1a3eda38
    }
    [info] =&gt; qname = example.com AND src = 127.0.0.1/8 deny
    [policy] =&gt; function: 0x1a3eda38
}
[2] =&gt; {
    [rule] =&gt; {
        [suspended] =&gt; true
        [count] =&gt; 123522
        [id] =&gt; 2
        [cb] =&gt; function: 0x1a3ede88
    }
    [info] =&gt; qname ~ %w+.facebook.com AND src = 127.0.0.1/8 deny...
    [policy] =&gt; function: 0x1a3ede88
}
</pre></div>
</div>
</div>
<div class="section" id="web-interface">
<h3>Web interface<a class="headerlink" href="#web-interface" title="Permalink to this headline"></a></h3>
<p>If you have <a class="reference internal" href="#mod-http"><span class="std std-ref">HTTP/2</span></a> loaded, the firewall automatically loads as a snippet.
You can create, track, suspend and remove firewall rules from the web interface.
If you load both modules, you have to load <cite>daf</cite> after <cite>http</cite>.</p>
</div>
<div class="section" id="restful-interface">
<h3>RESTful interface<a class="headerlink" href="#restful-interface" title="Permalink to this headline"></a></h3>
<p>The module also exports a RESTful API for operations over rule chains.</p>
<table border="1" class="docutils">
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">URL</th>
<th class="head">HTTP Verb</th>
<th class="head">Action</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>/daf</td>
<td>GET</td>
<td>Return JSON list of active rules.</td>
</tr>
<tr class="row-odd"><td>/daf</td>
<td>POST</td>
<td>Insert new rule, rule string is expected in body. Returns rule information in JSON.</td>
</tr>
<tr class="row-even"><td>/daf/&lt;id&gt;</td>
<td>GET</td>
<td>Retrieve a rule matching given ID.</td>
</tr>
<tr class="row-odd"><td>/daf/&lt;id&gt;</td>
<td>DELETE</td>
<td>Delete a rule matching given ID.</td>
</tr>
<tr class="row-even"><td>/daf/&lt;id&gt;/&lt;prop&gt;/&lt;val&gt;</td>
<td>PATCH</td>
<td>Modify given rule, for example /daf/3/active/false suspends rule 3.</td>
</tr>
</tbody>
</table>
<p>This interface is used by the web interface for all operations, but you can also use it directly
for testing. Because these calls create, modify and delete filtering rules, it is best to expose them only on an internal-facing interface (see “How to expose more interfaces” above).</p>
<div class="highlight-bash"><div class="highlight"><pre><span></span><span class="c1"># Get current rule set</span>
$ curl -s -X GET http://localhost:8053/daf <span class="p">|</span> jq .
<span class="o">{}</span>

<span class="c1"># Create new rule</span>
$ curl -s -X POST -d <span class="s2">&quot;src = 127.0.0.1 pass&quot;</span> http://localhost:8053/daf <span class="p">|</span> jq .
<span class="o">{</span>
  <span class="s2">&quot;count&quot;</span>: <span class="m">0</span>,
  <span class="s2">&quot;active&quot;</span>: true,
  <span class="s2">&quot;info&quot;</span>: <span class="s2">&quot;src = 127.0.0.1 pass&quot;</span>,
  <span class="s2">&quot;id&quot;</span>: <span class="m">1</span>
<span class="o">}</span>

<span class="c1"># Disable rule</span>
$ curl -s -X PATCH http://localhost:8053/daf/1/active/false <span class="p">|</span> jq .
<span class="nb">true</span>

<span class="c1"># Retrieve a rule information</span>
$ curl -s -X GET http://localhost:8053/daf/1 <span class="p">|</span> jq .
<span class="o">{</span>
  <span class="s2">&quot;count&quot;</span>: <span class="m">4</span>,
  <span class="s2">&quot;active&quot;</span>: true,
  <span class="s2">&quot;info&quot;</span>: <span class="s2">&quot;src = 127.0.0.1 pass&quot;</span>,
  <span class="s2">&quot;id&quot;</span>: <span class="m">1</span>
<span class="o">}</span>

<span class="c1"># Delete a rule</span>
$ curl -s -X DELETE http://localhost:8053/daf/1 <span class="p">|</span> jq .
<span class="nb">true</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="graphite-module">
<span id="mod-graphite"></span><h2><a class="toc-backref" href="#id29">Graphite module</a><a class="headerlink" href="#graphite-module" title="Permalink to this headline"></a></h2>
<p>The module sends statistics over the <a class="reference external" href="https://graphite.readthedocs.io/en/latest/feeding-carbon.html">Graphite</a> protocol to either <a class="reference external" href="https://graphite.readthedocs.io/en/latest/feeding-carbon.html">Graphite</a>, <a class="reference external" href="https://github.com/ahuPowerDNS/metronome">Metronome</a>, <a class="reference external" href="https://influxdb.com/">InfluxDB</a> or any compatible storage. This allows powerful visualization over metrics collected by Knot DNS Resolver.</p>
<div class="admonition tip">
<p class="first admonition-title">Tip</p>
<p class="last">The Graphite server is challenging to get up and running; <a class="reference external" href="https://influxdb.com/">InfluxDB</a> combined with <a class="reference external" href="http://grafana.org/">Grafana</a> is much easier and provides a richer set of options and available front-ends. Alternatively, <a class="reference external" href="https://github.com/ahuPowerDNS/metronome">Metronome</a> by PowerDNS provides a mini-graphite server for much simpler setups.</p>
</div>
<div class="section" id="id9">
<h3>Example configuration<a class="headerlink" href="#id9" title="Permalink to this headline"></a></h3>
<p>Only the <code class="docutils literal"><span class="pre">host</span></code> parameter is mandatory.</p>
<p>By default the module uses UDP, so delivery is not guaranteed; set <code class="docutils literal"><span class="pre">tcp</span> <span class="pre">=</span> <span class="pre">true</span></code> to enable Graphite over TCP. If the TCP consumer goes down or the connection with Graphite is lost, the resolver will periodically attempt to reconnect.</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">modules</span> <span class="o">=</span> <span class="p">{</span>
        <span class="n">graphite</span> <span class="o">=</span> <span class="p">{</span>
                <span class="n">prefix</span> <span class="o">=</span> <span class="n">hostname</span><span class="p">(),</span> <span class="c1">-- optional metric prefix</span>
                <span class="n">host</span> <span class="o">=</span> <span class="s1">&#39;127.0.0.1&#39;</span><span class="p">,</span>  <span class="c1">-- graphite server address</span>
                <span class="n">port</span> <span class="o">=</span> <span class="mi">2003</span><span class="p">,</span>         <span class="c1">-- graphite server port</span>
                <span class="n">interval</span> <span class="o">=</span> <span class="mi">5</span> <span class="o">*</span> <span class="n">sec</span><span class="p">,</span>  <span class="c1">-- publish interval</span>
                <span class="n">tcp</span> <span class="o">=</span> <span class="kc">false</span>          <span class="c1">-- set to true if want TCP mode</span>
        <span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div>
<p>The module supports sending data to multiple servers at once.</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">modules</span> <span class="o">=</span> <span class="p">{</span>
        <span class="n">graphite</span> <span class="o">=</span> <span class="p">{</span>
                <span class="n">host</span> <span class="o">=</span> <span class="p">{</span> <span class="s1">&#39;127.0.0.1&#39;</span><span class="p">,</span> <span class="s1">&#39;1.2.3.4&#39;</span><span class="p">,</span> <span class="s1">&#39;::1&#39;</span> <span class="p">},</span>
        <span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div>
</div>
<div class="section" id="id10">
<h3>Dependencies<a class="headerlink" href="#id10" title="Permalink to this headline"></a></h3>
<ul>
<li><p class="first"><a class="reference external" href="http://w3.impa.br/~diego/software/luasocket/">luasocket</a> available in LuaRocks</p>
<blockquote>
<div><p><code class="docutils literal"><span class="pre">$</span> <span class="pre">luarocks</span> <span class="pre">install</span> <span class="pre">luasocket</span></code></p>
</div></blockquote>
</li>
</ul>
</div>
</div>
<div class="section" id="etcd-module">
<span id="mod-etcd"></span><h2><a class="toc-backref" href="#id30">Etcd module</a><a class="headerlink" href="#etcd-module" title="Permalink to this headline"></a></h2>
<p>The module connects to Etcd peers and watches for configuration changes.
By default, the module looks for the subtree under the <code class="docutils literal"><span class="pre">/knot-resolver</span></code> directory,
but you can change this <a class="reference external" href="https://github.com/mah0x211/lua-etcd#cli-err--etcdnew-optiontable-">in the configuration</a>.</p>
<p>The subtree structure corresponds to the configuration variables in the declarative style.</p>
<div class="highlight-bash"><div class="highlight"><pre><span></span>$ etcdctl <span class="nb">set</span> /knot-resolver/net/127.0.0.1 <span class="m">53</span>
$ etcdctl <span class="nb">set</span> /knot-resolver/cache/size <span class="m">10000000</span>
</pre></div>
</div>
<p>This configures all listening nodes with the following configuration:</p>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">net</span> <span class="o">=</span> <span class="p">{</span> <span class="s1">&#39;127.0.0.1&#39;</span> <span class="p">}</span>
<span class="n">cache</span><span class="p">.</span><span class="n">size</span> <span class="o">=</span> <span class="mi">10000000</span>
</pre></div>
</div>
<div class="section" id="id11">
<h3>Example configuration<a class="headerlink" href="#id11" title="Permalink to this headline"></a></h3>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">modules</span> <span class="o">=</span> <span class="p">{</span>
        <span class="n">etcd</span> <span class="o">=</span> <span class="p">{</span>
                <span class="n">prefix</span> <span class="o">=</span> <span class="s1">&#39;/knot-resolver&#39;</span><span class="p">,</span>
                <span class="n">peer</span> <span class="o">=</span> <span class="s1">&#39;http://127.0.0.1:7001&#39;</span>
        <span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div>
<div class="admonition warning">
<p class="first admonition-title">Warning</p>
<p class="last">Work in progress!</p>
</div>
</div>
<div class="section" id="id12">
<h3>Dependencies<a class="headerlink" href="#id12" title="Permalink to this headline"></a></h3>
<ul>
<li><p class="first"><a class="reference external" href="https://github.com/mah0x211/lua-etcd">lua-etcd</a> available in LuaRocks</p>
<blockquote>
<div><p><code class="docutils literal"><span class="pre">$</span> <span class="pre">luarocks</span> <span class="pre">install</span> <span class="pre">etcd</span> <span class="pre">--from=https://mah0x211.github.io/rocks/</span></code></p>
</div></blockquote>
</li>
</ul>
</div>
</div>
<div class="section" id="dns64">
<span id="mod-dns64"></span><h2><a class="toc-backref" href="#id31">DNS64</a><a class="headerlink" href="#dns64" title="Permalink to this headline"></a></h2>
<p>The module implements <span class="target" id="index-2"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6147.html"><strong>RFC 6147</strong></a> DNS64 AAAA-from-A record synthesis; it is used to enable client-server communication between an IPv6-only client and an IPv4-only server. See the well written <a class="reference external" href="https://doc.powerdns.com/md/recursor/dns64">introduction</a> in the PowerDNS documentation.</p>
<div class="admonition warning">
<p class="first admonition-title">Warning</p>
<p class="last">The module currently won’t work well with policy.STUB.</p>
</div>
<div class="admonition tip">
<p class="first admonition-title">Tip</p>
<p class="last">The A record sub-requests will be DNSSEC secured, but the synthetic AAAA records can’t be. Make sure the last mile between stub and resolver is secure to avoid spoofing.</p>
</div>
<div class="section" id="id13">
<h3>Example configuration<a class="headerlink" href="#id13" title="Permalink to this headline"></a></h3>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="c1">-- Load the module with a NAT64 address</span>
<span class="n">modules</span> <span class="o">=</span> <span class="p">{</span> <span class="n">dns64</span> <span class="o">=</span> <span class="s1">&#39;fe80::21b:77ff:0:0&#39;</span> <span class="p">}</span>
<span class="c1">-- Reconfigure later</span>
<span class="n">dns64</span><span class="p">.</span><span class="n">config</span><span class="p">(</span><span class="s1">&#39;fe80::21b:aabb:0:0&#39;</span><span class="p">)</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="renumber">
<span id="mod-renumber"></span><h2><a class="toc-backref" href="#id32">Renumber</a><a class="headerlink" href="#renumber" title="Permalink to this headline"></a></h2>
<p>The module renumbers addresses in answers to a different address space,
e.g. you can redirect malicious addresses to a blackhole, or use private address ranges
in local zones that will be remapped to real addresses by the resolver.</p>
<div class="admonition warning">
<p class="first admonition-title">Warning</p>
<p class="last">While requests are still validated using DNSSEC, the signatures are stripped from the final answer. The reason is that the address synthesis breaks the signatures. You can see whether an answer was valid or not based on the AD flag.</p>
</div>
<div class="section" id="id15">
<h3>Example configuration<a class="headerlink" href="#id15" title="Permalink to this headline"></a></h3>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">modules</span> <span class="o">=</span> <span class="p">{</span>
        <span class="n">renumber</span> <span class="o">=</span> <span class="p">{</span>
                <span class="c1">-- Source subnet, destination subnet</span>
                <span class="p">{</span><span class="s1">&#39;10.10.10.0/24&#39;</span><span class="p">,</span> <span class="s1">&#39;192.168.1.0&#39;</span><span class="p">},</span>
                <span class="c1">-- Remap /16 block to localhost address range</span>
                <span class="p">{</span><span class="s1">&#39;166.66.0.0/16&#39;</span><span class="p">,</span> <span class="s1">&#39;127.0.0.0&#39;</span><span class="p">}</span>
        <span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="dns-cookies">
<span id="mod-cookies"></span><h2><a class="toc-backref" href="#id33">DNS Cookies</a><a class="headerlink" href="#dns-cookies" title="Permalink to this headline"></a></h2>
<p>The module performs most of the <span class="target" id="index-3"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc7873.html"><strong>RFC 7873</strong></a> DNS cookies functionality. Its main purpose is to check the cookies of inbound queries and responses. It is also used to alter the behaviour of the cookie functionality.</p>
<div class="section" id="id16">
<h3>Example Configuration<a class="headerlink" href="#id16" title="Permalink to this headline"></a></h3>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="c1">-- Load the module before the &#39;iterate&#39; layer.</span>
<span class="n">modules</span> <span class="o">=</span> <span class="p">{</span>
        <span class="s1">&#39;cookies &lt; iterate&#39;</span>
<span class="p">}</span>

<span class="c1">-- Configure the client part of the resolver. Set 8 bytes of the client</span>
<span class="c1">-- secret and choose the hashing algorithm to be used.</span>
<span class="c1">-- Use a string composed of hexadecimal digits to set the secret.</span>
<span class="n">cookies</span><span class="p">.</span><span class="n">config</span> <span class="p">{</span> <span class="n">client_secret</span> <span class="o">=</span> <span class="s1">&#39;0123456789ABCDEF&#39;</span><span class="p">,</span>
                 <span class="n">client_cookie_alg</span> <span class="o">=</span> <span class="s1">&#39;FNV-64&#39;</span> <span class="p">}</span>

<span class="c1">-- Configure the server part of the resolver.</span>
<span class="n">cookies</span><span class="p">.</span><span class="n">config</span> <span class="p">{</span> <span class="n">server_secret</span> <span class="o">=</span> <span class="s1">&#39;FEDCBA9876543210&#39;</span><span class="p">,</span>
                  <span class="n">server_cookie_alg</span> <span class="o">=</span> <span class="s1">&#39;FNV-64&#39;</span> <span class="p">}</span>

<span class="c1">-- Enable client cookie functionality. (Add cookies into outbound</span>
<span class="c1">-- queries.)</span>
<span class="n">cookies</span><span class="p">.</span><span class="n">config</span> <span class="p">{</span> <span class="n">client_enabled</span> <span class="o">=</span> <span class="kc">true</span> <span class="p">}</span>

<span class="c1">-- Enable server cookie functionality. (Handle cookies in inbound</span>
<span class="c1">-- requests.)</span>
<span class="n">cookies</span><span class="p">.</span><span class="n">config</span> <span class="p">{</span> <span class="n">server_enabled</span> <span class="o">=</span> <span class="kc">true</span> <span class="p">}</span>
</pre></div>
</div>
<div class="admonition tip">
<p class="first admonition-title">Tip</p>
<p class="last">If you want to change several parameters regarding the client or server configuration then do it within a single <code class="docutils literal"><span class="pre">cookies.config()</span></code> invocation.</p>
</div>
<div class="admonition warning">
<p class="first admonition-title">Warning</p>
<p class="last">The module must be loaded before any other module that has direct influence on query processing and response generation. The module must be able to intercept an incoming query before the processing of the actual query starts. It must also be able to check the cookies of inbound responses and eventually discard them before they are handled by other functional units.</p>
</div>
</div>
<div class="section" id="id17">
<h3>Properties<a class="headerlink" href="#id17" title="Permalink to this headline"></a></h3>
<dl class="function">
<dt id="c.cookies.config">
<code class="descname">cookies.config</code><span class="sig-paren">(</span>configuration<span class="sig-paren">)</span><a class="headerlink" href="#c.cookies.config" title="Permalink to this definition"></a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first simple">
<li><strong>configuration</strong> (<em>table</em>) – part of cookie configuration to be changed, may be called without parameter</li>
</ul>
</td>
</tr>
<tr class="field-even field"><th class="field-name">Returns:</th><td class="field-body"><p class="first last">JSON dictionary containing current configuration</p>
</td>
</tr>
</tbody>
</table>
<p>The function may be called without any parameter. In such case it only returns current configuration. The returned JSON also contains available algorithm choices.</p>
</dd></dl>

</div>
<div class="section" id="id18">
<h3>Dependencies<a class="headerlink" href="#id18" title="Permalink to this headline"></a></h3>
<ul class="simple">
<li><a class="reference external" href="https://www.lysator.liu.se/~nisse/nettle/">Nettle</a> required for HMAC-SHA256</li>
</ul>
</div>
</div>
<div class="section" id="version">
<span id="mod-version"></span><h2><a class="toc-backref" href="#id34">Version</a><a class="headerlink" href="#version" title="Permalink to this headline"></a></h2>
<p>The module checks for new versions and <a class="reference external" href="https://cve.mitre.org/">CVEs</a>, and issues warning messages.</p>
<div class="section" id="configuration">
<h3>Configuration<a class="headerlink" href="#configuration" title="Permalink to this headline"></a></h3>
<div class="highlight-lua"><div class="highlight"><pre><span></span>    <span class="n">version</span><span class="p">.</span><span class="n">config</span><span class="p">(</span><span class="mi">2</span><span class="o">*</span><span class="n">day</span><span class="p">)</span>
<span class="c1">-- configure period of check (defaults to 1*day)</span>
</pre></div>
</div>
</div>
<div class="section" id="running">
<h3>Running<a class="headerlink" href="#running" title="Permalink to this headline"></a></h3>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">modules</span><span class="p">.</span><span class="n">load</span><span class="p">(</span><span class="s2">&quot;version&quot;</span><span class="p">)</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="workarounds">
<span id="mod-workarounds"></span><h2><a class="toc-backref" href="#id35">Workarounds</a><a class="headerlink" href="#workarounds" title="Permalink to this headline"></a></h2>
<p>A simple module that alters resolver behavior on specific broken sub-domains.
Currently it mainly disables case randomization on them.</p>
<div class="section" id="id19">
<h3>Running<a class="headerlink" href="#id19" title="Permalink to this headline"></a></h3>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">modules</span> <span class="o">=</span> <span class="p">{</span> <span class="s1">&#39;workarounds &lt; iterate&#39;</span> <span class="p">}</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="dnstap">
<span id="mod-dnstap"></span><h2><a class="toc-backref" href="#id36">Dnstap</a><a class="headerlink" href="#dnstap" title="Permalink to this headline"></a></h2>
<p>The Dnstap module currently supports logging DNS responses to a Unix socket
in dnstap format using the fstrm framing library.  The Unix socket and the
socket reader should be present before starting kresd.</p>
<div class="section" id="id20">
<h3>Configuration<a class="headerlink" href="#id20" title="Permalink to this headline"></a></h3>
<p>Tunables:</p>
<ul class="simple">
<li><code class="docutils literal"><span class="pre">socket_path</span></code>: the Unix socket file where dnstap messages will be sent</li>
<li><code class="docutils literal"><span class="pre">log_responses</span></code>: if true responses in wire format will be logged</li>
</ul>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">modules</span> <span class="o">=</span> <span class="p">{</span>
    <span class="n">dnstap</span> <span class="o">=</span> <span class="p">{</span>
        <span class="n">socket_path</span> <span class="o">=</span> <span class="s2">&quot;/tmp/dnstap.sock&quot;</span><span class="p">,</span>
        <span class="n">log_responses</span> <span class="o">=</span> <span class="kc">true</span>
    <span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="signaling-trust-anchor-knowledge-in-dnssec">
<span id="mod-ta-signal-query"></span><h2><a class="toc-backref" href="#id37">Signaling Trust Anchor Knowledge in DNSSEC</a><a class="headerlink" href="#signaling-trust-anchor-knowledge-in-dnssec" title="Permalink to this headline"></a></h2>
<p>The module for Signaling Trust Anchor Knowledge in DNSSEC Using Key Tag Query,
implemented according to RFC 8145 section 5.</p>
<p>This feature allows validating resolvers to signal to authoritative servers
which keys are referenced in their chain of trust. The data from such
signaling allow zone administrators to monitor the progress of rollovers
in a DNSSEC-signed zone.</p>
<p>This mechanism serves to measure the acceptance and use of new DNSSEC
trust anchors and key signing keys (KSKs). This signaling data can be
used by zone administrators as a gauge to measure the successful deployment
of new keys. This is of particular interest for the DNS root zone in the event
of key and/or algorithm rollovers that rely on RFC 5011 to automatically
update a validating DNS resolver’s trust anchor.</p>
<p>This module is enabled by default. You may disable it by adding
<code class="docutils literal"><span class="pre">modules.unload('ta_signal_query')</span></code>
to your configuration.</p>
</div>
<div class="section" id="sentinel-for-detecting-trusted-keys">
<span id="mod-ta-sentinel"></span><h2><a class="toc-backref" href="#id38">Sentinel for Detecting Trusted Keys</a><a class="headerlink" href="#sentinel-for-detecting-trusted-keys" title="Permalink to this headline"></a></h2>
<p>The module implementing Sentinel for Detecting Trusted Keys in DNSSEC
according to <a class="reference external" href="https://tools.ietf.org/html/draft-ietf-dnsop-kskroll-sentinel-00">draft-ietf-dnsop-kskroll-sentinel-00</a>.</p>
<p>This feature allows users of a validating resolver to detect which root keys
are configured in its chain of trust. The data from such
signaling are necessary to monitor the progress of the DNSSEC root key rollover.</p>
<p>This module is enabled by default and we urge users not to disable it.
If it is absolutely necessary you may add <code class="docutils literal"><span class="pre">modules.unload('ta_sentinel')</span></code>
to your configuration to disable it.</p>
</div>
<div class="section" id="priming-module">
<span id="mod-priming"></span><h2><a class="toc-backref" href="#id39">Priming module</a><a class="headerlink" href="#priming-module" title="Permalink to this headline"></a></h2>
<p>The module for Initializing a DNS Resolver with Priming Queries implemented
according to RFC 8109. The purpose of the module is to keep an up-to-date list of
root DNS servers and their associated IP addresses.</p>
<p>The result of a successful priming query replaces the root hints distributed with
the resolver software. Unlike other DNS resolvers, Knot Resolver caches the
result of the priming query on disk and keeps the data between restarts until
its TTL expires.</p>
<p>This module is enabled by default and it is not recommended to disable it.
For debugging purposes you may disable the module by appending
<code class="docutils literal"><span class="pre">modules.unload('priming')</span></code> to your configuration.</p>
</div>
<div class="section" id="serve-stale">
<span id="mod-serve-stale"></span><h2><a class="toc-backref" href="#id40">Serve stale</a><a class="headerlink" href="#serve-stale" title="Permalink to this headline"></a></h2>
<p>Demo module that allows using timed-out records in case kresd is
unable to contact upstream servers.</p>
<p>By default it allows staleness of up to one day,
after roughly four seconds of trying to contact the servers.
It’s quite configurable/flexible; see the beginning of the module source for details.
See also the RFC <a class="reference external" href="https://tools.ietf.org/html/draft-ietf-dnsop-serve-stale-00">draft</a> (not fully followed).</p>
<div class="section" id="id21">
<h3>Running<a class="headerlink" href="#id21" title="Permalink to this headline"></a></h3>
<div class="highlight-lua"><div class="highlight"><pre><span></span><span class="n">modules</span> <span class="o">=</span> <span class="p">{</span> <span class="s1">&#39;serve_stale &lt; cache&#39;</span> <span class="p">}</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="system-time-skew-detector">
<span id="mod-detect-time-skew"></span><h2><a class="toc-backref" href="#id41">System time skew detector</a><a class="headerlink" href="#system-time-skew-detector" title="Permalink to this headline"></a></h2>
<p>This module compares local system time with inception and expiration time
bounds in DNSSEC signatures for <code class="docutils literal"><span class="pre">.</span> <span class="pre">NS</span></code> records. If the local system time is
outside of these bounds, it is likely a misconfiguration which will cause
all DNSSEC validation (and resolution) to fail.</p>
<p>In case of mismatch, a warning message will be logged to help with
further diagnostics.</p>
<div class="admonition warning">
<p class="first admonition-title">Warning</p>
<p class="last">Information printed by this module can be forged by a network attacker!
The system administrator MUST verify the values printed by this module and
fix the local system time using a trusted source.</p>
</div>
<p>This module is useful for debugging purposes. It runs only once during resolver
start and does nothing after that. It is enabled by default.
You may disable the module by appending
<code class="docutils literal"><span class="pre">modules.unload('detect_time_skew')</span></code> to your configuration.</p>
</div>
<div class="section" id="detect-discontinuous-jumps-in-the-system-time">
<span id="mod-detect-time-jump"></span><h2><a class="toc-backref" href="#id42">Detect discontinuous jumps in the system time</a><a class="headerlink" href="#detect-discontinuous-jumps-in-the-system-time" title="Permalink to this headline"></a></h2>
<p>This module detects discontinuous jumps in the system time while the resolver
is running.  It clears the cache when a significant backward time jump occurs.</p>
<p>Time jumps are usually caused by NTP time changes or by admin intervention.
These changes can affect cached records, as they store timestamps and TTLs in real
time.</p>
<p>If you want to preserve cache during time travel you should disable
this module by <code class="docutils literal"><span class="pre">modules.unload('detect_time_jump')</span></code>.</p>
<p>Due to the way monotonic system time works on typical systems,
suspend-resume cycles will be perceived as forward time jumps,
but this direction of shift does not have the risk of using records
beyond their intended TTL, so forward jumps do not cause erasing the cache.</p>
</div>
</div>


          </div>
        </div>
      </div>
      <div class="clearer"></div>
    </div>
    <div class="footer" role="contentinfo">
        &#169; Copyright 2014-2018 CZ.NIC labs.
      Created using <a href="http://sphinx-doc.org/">Sphinx</a> 1.6.7.
    </div>
  </body>
</html>