Hello,
could you please help me with knot resolver configuration in the case when I
need to redirect each variation for the domain to some address.
e.g.
www.example.com, m.example.com, domain.example.com ...
like wildcard record
*.example.com 10.0.0.50
In my configuration is it handeled by file with static records
-- load static records
hints.add_hosts('/etc/knot-resolver/static_records.txt')
which contains address to be redirected and the domain.
10.0.0.50 1xbet.com
10.0.0.50 thelotter.com
10.0.0.50 webmoneycasino.com
10.0.0.50 betworld.com
10.0.0.50 bosscasino.eu
10.0.0.50 sportingbull.com
But I´m not able to handle the correct syntax for a wildcard domain
redirection.
Best regards,
--
Smil Milan Jeskyňka Kazatel
Dear Knot Resolver users,
Knot Resolver 5.1.0 has been released!
We also have two important announcements:
1) Ubuntu and Debian repositories
Ubuntu and Debian users have to manually set up the upstream repository
once again by following the instructions at:
https://www.knot-resolver.cz/download/
We apologize for the inconvenience, tests are now in place to prevent
this from happening again.
2) The upcoming major version will contain reworked
hints/policy/prefill/rebinding/view modules and related functionalities.
Please participate in the following survey to ensure we do not forget
about your particular use-case:
https://www.knot-resolver.cz/survey/
It will help us to improve Knot Resolver. Thank you!
Our upstream repositories now also provide packages for CentOS 8,
Ubuntu 20.04 and Fedora 32.
And finally, the release notes for version 5.1.0:
Improvements
------------
- cache garbage collector: reduce filesystem operations when idle (!946)
- policy.DEBUG_ALWAYS and policy.DEBUG_IF for limited verbose logging
(!957)
- daemon: improve TCP query latency under heavy TCP load (!968)
- add policy.ANSWER action (!964, #192)
- policy.rpz support fake A/AAAA (!964, #194)
Bugfixes
--------
- cache: missing filesystem support for pre-allocation is no longer
fatal (#549)
- lua: policy.rpz() no longer watches the file when watch is set to
false (!954)
- fix a strict aliasing problem that might've lead to "miscompilation"
(!962)
- fix handling of DNAMEs, especially signed ones (#234, !965)
- lua resolve(): correctly include EDNS0 in the virtual packet (!963)
Custom modules might have been confused by that.
- do not leak bogus data into SERVFAIL answers (#396)
- improve random Lua number generator initialization (!979)
- cache: fix CNAME caching when validation is disabled (#472, !974)
- cache: fix CNAME caching in policy.STUB mode (!974)
- prefill: fix crash caused by race condition with resolver startup
(!983)
- webmgmt: use javascript scheme detection for websockets' protocol
(#546)
- daf module: fix del(), deny(), drop(), tc(), pass() functions
(#553, !966)
- policy and daf modules: expose initial query when evaluating
postrules (#556)
- cache: fix some cases of caching answers over 4 KiB (!976)
- docs: support sphinx 3.0.0+ (!978)
Incompatible changes
--------------------
- minor changes in module API; see upgrading guide:
https://knot-resolver.readthedocs.io/en/stable/upgrading.html
Full changelog:
https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v5.1.0/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.1.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.1.0.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v5.1.0/
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
Dobrý den,
dnes po mnoha dnech (měsíců) bezproblémového provozu knot-resolveru
4.2.2 najednou přestal vracet odpovědi na dotazy.
Využívá jej několik tisíc klientů, tak nebyl moc čas na experimerny a
reboot celého stroje pomohl... Ale jen asi na 15min. Pak opět přestal
vracet záznamy, jako by je neměl. Opět reboot a to vydrželo fungovat asi
1.5h a opt přestal komunikovat. To už začalo být vážné, takže jsme
spoustu DNS dotazů na routrech přesměrovali na 8.8.8.8. Mezi tím opět
restart a nyní to již téměř 2h funguje bez problémů.
Vím, že nyní již existuje knot-resolver verze 5.0.1, ale zajímá mě, zda
uvedený problém je známy, jen jsem se sním do dnes nesetkal a v další
verzi opraven, nebo se jedná o neevidovanou anomálii. V logách jsem
totiž našel jen toto:
Apr 27 18:17:56 knot-resolver systemd[1]: kresd(a)4.service: Watchdog
timeout (limit 10s)!
Apr 27 18:17:56 knot-resolver systemd[1]: kresd(a)4.service: Killing
process 382 (kresd) with signal SIGABRT.
Apr 27 18:17:56 knot-resolver systemd[1]: kresd(a)4.service: Main process
exited, code=killed, status=6/ABRT
Apr 27 18:17:56 knot-resolver systemd[1]: kresd(a)4.service: Failed with
result 'watchdog'.
Apr 27 18:17:56 knot-resolver systemd[1]: kresd(a)4.service: Service
RestartSec=100ms expired, scheduling restart.
Apr 27 18:17:56 knot-resolver systemd[1]: kresd(a)4.service: Scheduled
restart job, restart counter is at 1.
Předpokládám, že tato nemilá reakce knot-resolveru byla způsobena
nějakým "spatným" dotazem, ať náhodným nebo záměrným.
Nyní jsme opět zrušili přesměrovaní na 8.8.8.8 a téměř okamžitě přestal
odpovídat:
dig @192.168.100.100 -t AAAA www.seZNAm.cz
; <<>> DiG 9.11.5-P4-5.1-Debian <<>> @192.168.100.100 -t AAAA www.seZNAm.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64547
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.seZNAm.cz. IN AAAA
;; Query time: 0 msec
;; SERVER: 192.168.100.100#53(192.168.100.100)
;; WHEN: Po dub 27 22:32:04 CEST 2020
;; MSG SIZE rcvd: 42
Děkuji za pomoc
Zdeněk Janiš
Hi,
the package signing key for our upstream repositories has expired and
Debian and Ubuntu users with existing installation need to manually
update the knot-resolver-release package to fix the issue:
wget https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb
dpkg -i knot-resolver-release.deb
apt update
Otherwise, apt update will report following errors and no new updates
will be installed.
W: GPG error:
http://download.opensuse.org/repositories/home:/CZ-NIC:/knot-resolver-lates…
InRelease: The following signatures were invalid: EXPKEYSIG
74062DB36A1F4009 home:CZ-NIC OBS Project <home:CZ-NIC@build.opensuse.org>
E: The repository
'http://download.opensuse.org/repositories/home:/CZ-NIC:/knot-resolver-lates…
InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is
therefore disabled by default.
I apologize for the inconvenience.
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
Hello,
Would it be possible to maintain the Fedora 29 knot-resolver repo for a few
more months? It recently dropped off the mirrors and it's unclear if some
F29 machines will be updated for a few more months.
Thanks!
R
