support RPZ CNAME redirection

Redirection using CNAMEs from RPZ is useful for redirecting blocked domains to an user-controlled domain. The user-controlled domain can e.g. have SPF record which blocks e-mails on SMTP level, which helps with phising and spam domains a lot.

added feature label

added major label

Hi, I just want to let you know that this feature would be highly appreciated.

I assume this would be a new action policy.CNAME('target.name.'), so you can specify it for all kinds of filters, including policy.rpz.

Just a comment that one can implement this feature with a custom response already. There is an example at https://knot-resolver.readthedocs.io/en/stable/modules.html#policy-examples

I use the following (does not handle TXT yet but should be easy to add):

-- RPZ
-- custom response
local function mkauth_soa(answer, dname, mname)
	if mname == nil then
		mname = dname
	end
	return answer:put(dname, 900, answer:qclass(), kres.type.SOA,
		mname .. '\6nobody\7invalid\0\0\0\0\0\0\0\14\16\0\0\3\132\0\9\58\128\0\0\3\132')
end
local ffi = require('ffi')
local function genRR (state, req)
        local answer = req.answer
        local qry = req:current()
        if qry.stype == kres.type.A then
                ffi.C.kr_pkt_make_auth_header(answer)
                answer:rcode(kres.rcode.NOERROR)
                answer:begin(kres.section.ANSWER)
                answer:put(qry.sname, 900, answer:qclass(), kres.type.A, '\192\168\2\1')
                answer:begin(kres.section.AUTHORITY)
                mkauth_soa(answer, '\7blocked\0')
                return kres.DONE
        elseif qry.stype == kres.type.AAAA then
                ffi.C.kr_pkt_make_auth_header(answer)
                answer:rcode(kres.rcode.NOERROR)
                answer:begin(kres.section.ANSWER)
                answer:put(qry.sname, 900, answer:qclass(), kres.type.AAAA, '\032\001\013\184\0\0\0\0\0\0\0\0\0\0\0\1')
                answer:begin(kres.section.AUTHORITY)
                mkauth_soa(answer, '\7blocked\0')
                return kres.DONE
	else
                return state
        end
end
-- rpz policy: respond with custom function genRR
policy.add(policy.rpz(genRR, '/etc/kresd/rpz.custom.zone'))

Note: I use redirect instead of NXDOMAIN because in my experience web browser ad-blocking implemented at the DNS level is faster if the web browser can send the HTTP request somewhere. I typically use an IP address on the local lan.

mentioned in issue #535

assigned to @ljezek

We need this to support use-cases like https://lists.nic.cz/pipermail/knot-resolver-users/2020/000244.html . Let's discuss how to implement this in a near future.

Another "user" interested in this: adblock package. The workaround above won't work in that case, as different names need to be redirected to different targets.

mentioned in merge request !964 (merged)

unassigned @ljezek

Just a comment in support of this feature. An example use case is the redirection of search engines to their safe search flavours (e.g. forcesafesearch.google.com and restrict.youtube.com).

mentioned in issue #195

I believe this can be closed now. See #535 (comment 295494)

closed

RPZ is probably overkill, you can simply

local-data:
  records: |
    www.google.com.  CNAME  forcesafesearch.google.com.