Updates (#1432)

* Enable forward

* Regen all docs

man/coredns-rewrite.7

@@ -43,6 +43,200 @@ When the FIELD is \fBedns0\fR an EDNS0 option can be appended to the request as
 .P
 If you specify multiple rules and an incoming query matches on multiple rules, the rewrite will behave as following * \fBcontinue\fR will continue apply the next rule in the rule list\. * \fBstop\fR will consider the current rule is the last rule and will not continue\. Default behaviour for not specifying this rule processing mode is \fBstop\fR
 .
+.SS "NAME FIELD REWRITES"
+The \fBrewrite\fR plugin offers the ability to match on the name in the question section of a DNS request\. The match could be exact, substring, or based on a prefix, suffix, or regular expression\.
+.
+.P
+The syntax for the name re\-writing is as follows:
+.
+.IP "" 4
+.
+.nf
+
+rewrite [continue|stop] name [exact|prefix|suffix|substring|regex] STRING STRING
+.
+.fi
+.
+.IP "" 0
+.
+.P
+The match type, i\.e\. \fBexact\fR, \fBsubstring\fR, etc\., triggers re\-write:
+.
+.IP "\(bu" 4
+\fBexact\fR (default): on exact match of the name in the question section of a request
+.
+.IP "\(bu" 4
+\fBsubstring\fR: on a partial match of the name in the question section of a request
+.
+.IP "\(bu" 4
+\fBprefix\fR: when the name begins with the matching string
+.
+.IP "\(bu" 4
+\fBsuffix\fR: when the name ends with the matching string
+.
+.IP "\(bu" 4
+\fBregex\fR: when the name in the question section of a request matches a regular expression
+.
+.IP "" 0
+.
+.P
+If the match type is omitted, the \fBexact\fR match type is being assumed\.
+.
+.P
+The following instruction allows re\-writing the name in the query that contains \fBservice\.us\-west\-1\.example\.org\fR substring\.
+.
+.IP "" 4
+.
+.nf
+
+rewrite name substring service\.us\-west\-1\.example\.org service\.us\-west\-1\.consul
+.
+.fi
+.
+.IP "" 0
+.
+.P
+Thus:
+.
+.IP "\(bu" 4
+Incoming Request Name: \fBftp\.service\.us\-west\-1\.example\.org\fR
+.
+.IP "\(bu" 4
+Re\-written Request Name: \fBftp\.service\.us\-west\-1\.consul\fR
+.
+.IP "" 0
+.
+.P
+The following instruction uses regular expressions\. The name in a request matching \fB(\.*)\-(us\-west\-1)\e\.example\e\.org\fR regular expression is being replaces with \fB{1}\.service\.{2}\.consul\fR, where \fB{1}\fR and \fB{2}\fR are regular expression match groups\.
+.
+.IP "" 4
+.
+.nf
+
+rewrite name regex (\.*)\-(us\-west\-1)\e\.example\e\.org {1}\.service\.{2}\.consul
+.
+.fi
+.
+.IP "" 0
+.
+.P
+Thus:
+.
+.IP "\(bu" 4
+Incoming Request Name: \fBftp\-us\-west\-1\.example\.org\fR
+.
+.IP "\(bu" 4
+Re\-written Request Name: \fBftp\.service\.us\-west\-1\.consul\fR
+.
+.IP "" 0
+.
+.SS "RESPONSE REWRITES"
+When re\-writing incoming DNS requests\' names, CoreDNS re\-writes the \fBQUESTION SECTION\fR section of the requests\. It may be necessary to re\-write the \fBANSWER SECTION\fR of the requests, because some DNS resolvers would treat the mismatch between \fBQUESTION SECTION\fR and \fBANSWER SECTION\fR as a man\-in\-the\-middle attack (MITM)\.
+.
+.P
+For example, a user tries to resolve \fBftp\-us\-west\-1\.coredns\.rocks\fR\. The CoreDNS configuration file has the following rule:
+.
+.IP "" 4
+.
+.nf
+
+rewrite name regex (\.*)\-(us\-west\-1)\e\.coredns\e\.rocks {1}\.service\.{2}\.consul
+.
+.fi
+.
+.IP "" 0
+.
+.P
+CoreDNS instance re\-wrote the request to \fBftp\-us\-west\-1\.coredns\.rocks\fR with \fBftp\.service\.us\-west\-1\.consul\fR and ultimately resolved it to 3 records\. The resolved records, see \fBANSWER SECTION\fR, were not from \fBcoredns\.rocks\fR, but rather from \fBservice\.us\-west\-1\.consul\fR\.
+.
+.IP "" 4
+.
+.nf
+
+$ dig @10\.1\.1\.1 ftp\-us\-west\-1\.coredns\.rocks
+
+; <<>> DiG 9\.8\.3\-P1 <<>> @10\.1\.1\.1 ftp\-us\-west\-1\.coredns\.rocks
+; (1 server found)
+;; global options: +cmd
+;; Got answer:
+;; \->>HEADER<<\- opcode: QUERY, status: NOERROR, id: 8619
+;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
+
+;; QUESTION SECTION:
+;ftp\-us\-west\-1\.coredns\.rocks\. IN A
+
+;; ANSWER SECTION:
+ftp\.service\.us\-west\-1\.consul\. 0    IN A    10\.10\.10\.10
+ftp\.service\.us\-west\-1\.consul\. 0    IN A    10\.20\.20\.20
+ftp\.service\.us\-west\-1\.consul\. 0    IN A    10\.30\.30\.30
+.
+.fi
+.
+.IP "" 0
+.
+.P
+The above is the mismatch\.
+.
+.P
+The following configuration snippet allows for the re\-writing of the \fBANSWER SECTION\fR, provided that the \fBQUESTION SECTION\fR was re\-written:
+.
+.IP "" 4
+.
+.nf
+
+    rewrite stop {
+        name regex (\.*)\-(us\-west\-1)\e\.coredns\e\.rocks {1}\.service\.{2}\.consul
+        answer name (\.*)\e\.service\e\.(us\-west\-1)\e\.consul {1}\-{2}\.coredns\.rocks
+    }
+.
+.fi
+.
+.IP "" 0
+.
+.P
+Now, the \fBANSWER SECTION\fR matches the \fBQUESTION SECTION\fR:
+.
+.IP "" 4
+.
+.nf
+
+$ dig @10\.1\.1\.1 ftp\-us\-west\-1\.coredns\.rocks
+
+; <<>> DiG 9\.8\.3\-P1 <<>> @10\.1\.1\.1 ftp\-us\-west\-1\.coredns\.rocks
+; (1 server found)
+;; global options: +cmd
+;; Got answer:
+;; \->>HEADER<<\- opcode: QUERY, status: NOERROR, id: 8619
+;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
+
+;; QUESTION SECTION:
+;ftp\-us\-west\-1\.coredns\.rocks\. IN A
+
+;; ANSWER SECTION:
+ftp\-us\-west\-1\.coredns\.rocks\. 0    IN A    10\.10\.10\.10
+ftp\-us\-west\-1\.coredns\.rocks\. 0    IN A    10\.20\.20\.20
+ftp\-us\-west\-1\.coredns\.rocks\. 0    IN A    10\.30\.30\.30
+.
+.fi
+.
+.IP "" 0
+.
+.P
+The syntax for the response of DNS request and response is as follows:
+.
+.IP "" 4
+.
+.nf
+
+rewrite [continue|stop] {
+    name regex STRING STRING
+    answer name STRING STRING
+}
+.
+.fi
+.
+.IP "" 0
+.
 .SH "EDNS0 OPTIONS"
 Using FIELD edns0, you can set, append, or replace specific EDNS0 options on the request\.
 .
@@ -138,91 +332,4 @@ If the query has source IP as IPv4, the first 24 bits in the IP will be the netw
 If the query has source IP as IPv6, the first 56 bits in the IP will be the network subnet\.
 .
 .IP "" 0
-.
-.SS "NAME FIELD REWRITES"
-The \fBrewrite\fR plugin offers the ability to match on the name in the question section of a DNS request\. The match could be exact, substring, or based on a prefix, suffix, or regular expression\.
-.
-.P
-The syntax for the name re\-writing is as follows:
-.
-.IP "" 4
-.
-.nf
-
-rewrite [continue|stop] name [exact|prefix|suffix|substring|regex] STRING STRING
-.
-.fi
-.
-.IP "" 0
-.
-.P
-The match type, i\.e\. \fBexact\fR, \fBsubstring\fR, etc\., triggers re\-write:
-.
-.IP "\(bu" 4
-\fBexact\fR (default): on exact match of the name in the question section of a request
-.
-.IP "\(bu" 4
-\fBsubstring\fR: on a partial match of the name in the question section of a request
-.
-.IP "\(bu" 4
-\fBprefix\fR: when the name begins with the matching string
-.
-.IP "\(bu" 4
-\fBsuffix\fR: when the name ends with the matching string
-.
-.IP "\(bu" 4
-\fBregex\fR: when the name in the question section of a request matches a regular expression
-.
-.IP "" 0
-.
-.P
-If the match type is omitted, the \fBexact\fR match type is being assumed\.
-.
-.P
-The following instruction allows re\-writing the name in the query that contains \fBservice\.us\-west\-1\.example\.org\fR substring\.
-.
-.IP "" 4
-.
-.nf
-
-rewrite name substring service\.us\-west\-1\.example\.org service\.us\-west\-1\.consul
-.
-.fi
-.
-.IP "" 0
-.
-.P
-Thus:
-.
-.IP "\(bu" 4
-Incoming Request Name: \fBftp\.service\.us\-west\-1\.example\.org\fR
-.
-.IP "\(bu" 4
-Re\-written Request Name: \fBftp\.service\.us\-west\-1\.consul\fR
-.
-.IP "" 0
-.
-.P
-The following instruction uses regular expressions\. The name in a request matching \fB(\.*)\-(us\-west\-1)\e\.example\e\.org\fR regular expression is being replaces with \fB{1}\.service\.{2}\.consul\fR, where \fB{1}\fR and \fB{2}\fR are regular expression match groups\.
-.
-.IP "" 4
-.
-.nf
-
-rewrite name regex (\.*)\-(us\-west\-1)\e\.example\e\.org {1}\.service\.{2}\.consul
-.
-.fi
-.
-.IP "" 0
-.
-.P
-Thus:
-.
-.IP "\(bu" 4
-Incoming Request Name: \fBftp\-us\-west\-1\.example\.org\fR
-.
-.IP "\(bu" 4
-Re\-written Request Name: \fBftp\.service\.us\-west\-1\.consul\fR
-.
-.IP "" 0