knot-resolver-users Říjen 2021

knot-resolver-users@lists.nic.cz

5 participants
6 discussions

Knot Resolver - redirect wildcard domain

by Milan Jeskynka Kazatel

Hello, could you please help me with knot resolver configuration in the case when I need to redirect each variation for the domain to some address. e.g. www.example.com, m.example.com, domain.example.com ... like wildcard record *.example.com 10.0.0.50 In my configuration is it handeled by file with static records -- load static records hints.add_hosts('/etc/knot-resolver/static_records.txt') which contains address to be redirected and the domain. 10.0.0.50 1xbet.com 10.0.0.50 thelotter.com 10.0.0.50 webmoneycasino.com 10.0.0.50 betworld.com 10.0.0.50 bosscasino.eu 10.0.0.50 sportingbull.com But I´m not able to handle the correct syntax for a wildcard domain redirection. Best regards, -- Smil Milan Jeskyňka Kazatel

1 rok, 4 měsíce

Re: [knot-resolver-users] Error reading TLS certificates

by Vladimír Čunát

On 29/10/2021 16.59, Martin Dosch wrote: > You're right. Although the certs are readable (and other services > successfully read them already) it works after I created a script > which copys the files into kresd's workdir and chowns them to > knot-resolver. Maybe those other services run as root user or something...

3 roky

Error reading TLS certificates

by Martin Dosch

Dear all, I am using knot-resolver for DNS over TLS (DoT) for a while now. So far I let nginx handle the TLS part on port 853 and proxy the requests to 127.0.0.1:53. I wanted to simplify my setup and let knot-resolver do the whole thing. But I am facing problems on my server (Debian Stable Bullseye). I can enable DoT on 853 successfully using without specifying certs but I want to use my TLS certs created by certbot. Once I add the following line kresd fails to start. > net.tls("/etc/letsencrypt/live/mdosch.de/fullchain.pem", > "/etc/letsencrypt/live/mdosch.de/privkey.pem") Systemd shows me the following error: > Oct 28 19:49:41 v220191283267104968 systemd[1]: Starting Knot Resolver daemon... > Oct 28 19:49:41 v220191283267104968 kresd[22488]: [tls] gnutls_certificate_set_x509_key_file(/etc/letsencrypt/live/md> > Oct 28 19:49:41 v220191283267104968 kresd[22488]: [system] error while loading config: error occurred here (config fi> > Oct 28 19:49:41 v220191283267104968 kresd[22488]: stack traceback: > Oct 28 19:49:41 v220191283267104968 kresd[22488]: [C]: in function 'tls' > Oct 28 19:49:41 v220191283267104968 kresd[22488]: /etc/knot-resolver/kresd.conf:3: in main chunk > Oct 28 19:49:41 v220191283267104968 kresd[22488]: ERROR: Invalid argument (workdir '/var/lib/knot-resolver') > Oct 28 19:49:41 v220191283267104968 systemd[1]: kresd(a)1.service: Main process exited, code=exited, status=1/FAILURE > Oct 28 19:49:41 v220191283267104968 systemd[1]: kresd(a)1.service: Failed with result 'exit-code'. > Oct 28 19:49:41 v220191283267104968 systemd[1]: Failed to start Knot > Resolver daemon. The files are world readable so I don't know what's going on: > ll /etc/letsencrypt/live/mdosch.de/ > total 4.0K > -rw-r--r-- 1 certbot prosody 692 Jun 11 00:30 README > lrwxrwxrwx 1 root root 38 Oct 27 22:07 cert.pem -> ../../archive/mdosch.de-0003/cert9.pem > lrwxrwxrwx 1 root root 39 Oct 27 22:07 chain.pem -> ../../archive/mdosch.de-0003/chain9.pem > lrwxrwxrwx 1 root root 43 Oct 27 22:07 fullchain.pem -> ../../archive/mdosch.de-0003/fullchain9.pem > lrwxrwxrwx 1 root root 41 Oct 27 22:07 privkey.pem -> ../../archive/mdosch.de-0003/privkey9.pem Also I don't understand why it complains about the workdir as I didn't change anything regarding workdir but only pointed to the cert and key file. Do you have any idea what I am doing wrong? Best regards, Martin

3 roky

DNSSEC failure on insecure subzone with cold cache

by Matthew Richardson

Whilst setting up Knot Resolver (version 5.4.1 on Rocky 8), it fails to resolve 213-133-203-34.newtel.in-addr.itconsult.net with a cold cache, but succeeds if the cache has been specifically warmed. With the cold cache SERVFAIL is returned and it logs:- >Oct 16 18:40:52 dt05 kresd[36140]: [dnssec] validation failure: 213-133-203-34.newtel.in-addr.itconsult.net. PTR The zone cut is between itconsult.net & newtel.in-addr.itconsult.net. Also whilst itconsult.net is DNSSEC signed, newtel.in-addr.itconsult.net is not. Thus, in-addr.itconsult.net is an empty non-terminal. If one asks for NS for newtel.in-addr.itconsult.net, thereafter resolution of the PTR then succeeds:- >[root@dt05 ~]# dig @dt05 -p 533 -t ptr 213-133-203-34.newtel.in-addr.itconsult.net > >; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> @dt05 -p 533 -t ptr 213-133-203-34.newtel.in-addr.itconsult.net >; (1 server found) >;; global options: +cmd >;; Got answer: >;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39692 >;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 > >;; OPT PSEUDOSECTION: >; EDNS: version: 0, flags:; udp: 1232 >;; QUESTION SECTION: >;213-133-203-34.newtel.in-addr.itconsult.net. IN PTR > >;; Query time: 6 msec >;; SERVER: 193.201.42.59#533(193.201.42.59) >;; WHEN: Sat Oct 16 18:40:52 BST 2021 >;; MSG SIZE rcvd: 72 > >[root@dt05 ~]# dig @dt05 -p 533 -t ns newtel.in-addr.itconsult.net > >; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> @dt05 -p 533 -t ns newtel.in-addr.itconsult.net >; (1 server found) >;; global options: +cmd >;; Got answer: >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2636 >;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1 > >;; OPT PSEUDOSECTION: >; EDNS: version: 0, flags:; udp: 1232 >;; QUESTION SECTION: >;newtel.in-addr.itconsult.net. IN NS > >;; ANSWER SECTION: >newtel.in-addr.itconsult.net. 86400 IN NS c.itconsult-dns.je. >newtel.in-addr.itconsult.net. 86400 IN NS d.itconsult-dns.co.uk. >newtel.in-addr.itconsult.net. 86400 IN NS e.itconsult-dns.biz. >newtel.in-addr.itconsult.net. 86400 IN NS a.itconsult-dns.net. >newtel.in-addr.itconsult.net. 86400 IN NS b.itconsult-dns.org. > >;; Query time: 2 msec >;; SERVER: 193.201.42.59#533(193.201.42.59) >;; WHEN: Sat Oct 16 18:41:05 BST 2021 >;; MSG SIZE rcvd: 223 > >[root@dt05 ~]# dig @dt05 -p 533 -t ptr 213-133-203-34.newtel.in-addr.itconsult.net > >; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> @dt05 -p 533 -t ptr 213-133-203-34.newtel.in-addr.itconsult.net >; (1 server found) >;; global options: +cmd >;; Got answer: >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8992 >;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 > >;; OPT PSEUDOSECTION: >; EDNS: version: 0, flags:; udp: 1232 >;; QUESTION SECTION: >;213-133-203-34.newtel.in-addr.itconsult.net. IN PTR > >;; ANSWER SECTION: >213-133-203-34.newtel.in-addr.itconsult.net. 43200 IN PTR eth0-70.qr-r01a.itconsult.net. > >;; Query time: 1 msec >;; SERVER: 193.201.42.59#533(193.201.42.59) >;; WHEN: Sat Oct 16 18:41:08 BST 2021 >;; MSG SIZE rcvd: 102 My suspicion (being new to Knot Resolver) is that this somehow relates to QNAME minimisation. DNSviz is not reporting any problems:- > https://dnsviz.net/d/213-133-203-34.newtel.in-addr.itconsult.net/dnssec/ Is this a bug, or expected behaviour with a slightly odd setup? Best wishes, Matthew

3 roky, 1 měsíc

Knot Resolver 5.4.2

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 5.4.2 has been released! Improvements ------------ - dns64 module: also map the reverse (PTR) subtree (#478, !1201) - dns64 module: allow disabling based on client address (#368, !1201) - dns64 module: allow configuring AAAA subnets not allowed in answer (!1201) - nameserver selection algorithm: improve IPv6 avoidance if broken (!1207) Bugfixes -------- - lua: log() output is visible with default log level again (!1208) - build: fix when knot-dns headers are on non-standard location (!1210) Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v5.4.2/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.4.2.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.4.2.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v5.4.2/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

3 roky, 1 měsíc

Local domain integration

by Günther J. Niederwimmer

Hi there, is it actually possible to import a zone file for a locale zone (yyyyy.xxxx.com.lan) or does it have to be done differently? In any case, I can't figure out how to do it correctly! Can someone help with an example i have had some problems with my local domains since i switched to knot? Can you actually import the domains from knot into the knot resolver? I would like to have a stable DNS system on my servers again with knot & knot- resolver I hope I "think" correctly, a 25 year "bind" damaged person ;-) -- mit freundlichen Grüßen / best regards Günther J. Niederwimmer

3 roky, 1 měsíc

2024

2023

2022

2021

2020

2019

2018

knot-resolver-users Říjen 2021