knot-resolver & DAF
I have a multi-homed file server on my home network which I use for SMB/NFS and similar. I wanted to avoid routing due to reasons, so multi-homing it was.
However, now I had issues using my internal DNS records. Luckily this was fairly simple to solve with knot-resolver and its built-in DNS application firewall (daf)!
First things first, enable the module by adding it to your modules. Then just add rules as you see fit. Below is an example.
modules = {
    -- whatever you have here, then add:
    'daf'
}
-- Rewrite NAS IP depending on query source network
daf.add('qname ~ nas.home.arpa AND src = 192.168.10.0/24 rewrite nas.home.arpa A 192.168.10.128')
daf.add('qname ~ nas.home.arpa AND src = 192.168.20.0/24 rewrite nas.home.arpa A 192.168.20.128')
For my needs, this was very simple and does exactly what I need. Now, if I ask for nas.home.arpa from 192.168.10.0/24 it will reply 192.168.10.128.
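As the number of networks grows, a rule whose rewrite target sits outside its source subnet silently brings routing back. The following check is an added example, not part of the original post or of knot-resolver: it parses only the rule shape shown above (not the full DAF grammar), and the function names and the third rule are constructed for illustration.

```python
import ipaddress
import re

# Matches only the rule shape used on this page, not the full DAF grammar.
RULE_RE = re.compile(
    r"qname\s*[~=]\s*(?P<qname>\S+)\s+AND\s+src\s*=\s*(?P<src>\S+)\s+"
    r"rewrite\s+(?P<owner>\S+)\s+A\s+(?P<addr>\S+)$"
)

# The two rules from the post, plus one constructed rule with a wrong target.
PAGE_RULES = [
    "qname ~ nas.home.arpa AND src = 192.168.10.0/24 rewrite nas.home.arpa A 192.168.10.128",
    "qname ~ nas.home.arpa AND src = 192.168.20.0/24 rewrite nas.home.arpa A 192.168.20.128",
]
BAD_RULE = "qname ~ nas.home.arpa AND src = 192.168.30.0/24 rewrite nas.home.arpa A 192.168.20.128"

def parse_rule(rule):
    """Split one rule string into qname, source network and rewrite target."""
    m = RULE_RE.match(rule.strip())
    if m is None:
        raise ValueError(f"unsupported rule shape: {rule!r}")
    return {
        "qname": m["qname"],
        "owner": m["owner"],
        "src": ipaddress.ip_network(m["src"]),  # raises if host bits are set
        "addr": ipaddress.ip_address(m["addr"]),
    }

def lint(rules):
    """Return findings as strings; an empty list means the set is consistent."""
    parsed = [parse_rule(r) for r in rules]
    findings = []
    for i, r in enumerate(parsed):
        if r["addr"] not in r["src"]:
            findings.append(f"rule {i}: {r['addr']} is outside {r['src']}, client must route")
        if r["qname"] != r["owner"]:
            findings.append(f"rule {i}: matches {r['qname']} but rewrites {r['owner']}")
        for j, other in enumerate(parsed[:i]):
            if r["qname"] == other["qname"] and r["src"].overlaps(other["src"]):
                findings.append(f"rule {i}: {r['src']} overlaps rule {j} ({other['src']})")
    return findings

def expected_answer(rules, client_ip, qname):
    """Address a client should receive, or None when no rule covers it.
    Names are compared literally and rules are assumed non-overlapping."""
    ip = ipaddress.ip_address(client_ip)
    for r in map(parse_rule, rules):
        if r["qname"] == qname and ip in r["src"]:
            return str(r["addr"])
    return None
```

Run lint() over the rule strings before reloading the resolver; the value from expected_answer() can then be compared against a real query made from a host on each network.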