- knot-resolver-users - lists.nic.cz

by Giles Crawford

Hi All, Just wondering how you guys are ingesting RPZ feeds into Knot Resolver. While Knot doesn't natively support zone transfers at this time, it can import the zone files, and then kick the zone if the file changes, so that's what I'm doing. I'm doing the zone transfers (10 zones from ioc2rpz) using BIND for now, and then writing the zone files to storage that Knot Resolver can read. I know that dns4eu uses Knot Resolver for their protective recursor service, so I'd be curious to know how they're doing this. Could be that they're using a custom version of Knot that's zone transfer capable. For context, I run Knot Resolver behind dnsdist, and they're complimentary, offering huge flexibility. Would be great to see rpz-passthru support in the BIND format too (forgive me if that's already possible) so that a traditional white-list-first tiered approach can be followed. (Super impressed with Knot resolver, so hats off to all at CZ). Cheers, GC

2 týdny, 1 den

2
5
0 0

SERVFAIL with Internal Resolver

by Darren Rambaud

Hi knot-resolver-users -- I am looking to install a DNS resolver for my local network and `knot-resolver` seemed to fit the bill. Network is setup like this: VLAN 1 Gateway IP 10.0.0.5 Search Domain Name internal.example.com <http://internal.example.com/> VLAN 2 Gateway IP 10.0.1.1 Search Domain Name research.internal.example.com <http://research.example.com/> ... At the moment, `knot-resolver` deployed to a single server (10.0.1.6) with this configuration: ``` forward: - options: authoritative: true dnssec: false servers: - 10.0.0.5 subtree: - internal.example.com - options: authoritative: true dnssec: false servers: - 10.0.1.1 subtree: - research.internal.example.com logging: level: info network: listen: - freebind: false interface: - 127.0.0.1 - 10.0.1.6 kind: dns port: 53 workers: 1 ``` On another machine (10.0.0.100), public queries resolve correctly: ``` # dig @10.0.1.6 knot-resolver.cz ; <<>> DiG 9.20.17 <<>> @10.0.2.6 knot-resolver.cz ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34301 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;knot-resolver.cz. IN A ;; ANSWER SECTION: knot-resolver.cz. 1800 IN A 217.31.204.96 ;; Query time: 1281 msec ;; SERVER: 10.0.1.6#53(10.0.1.6) (UDP) ;; WHEN: Fri Jan 30 16:19:23 CST 2026 ;; MSG SIZE rcvd: 61 # nslookup knot-resolver.cz 10.0.1.6 Server: 10.0.1.6 Address: 10.0.1.6#53 Non-authoritative answer: Name: knot-resolver.cz Address: 217.31.204.96 Name: knot-resolver.cz Address: 2001:1488:800:400::2:96 ``` Queries within internal network return the correct assigned IP address however report `SERVFAIL`: ``` # nslookup m1.research.internal.example.com 10.0.2.6 Server: 10.0.1.6 Address: 10.0.1.6#53 Non-authoritative answer: Name: m1.research.internal.example.com Address: 10.0.2.6 ;; Got SERVFAIL reply from 10.0.1.6 ** server can't find m1.research.internal.example.com: SERVFAIL ``` Replacing `10.0.2.6` with `10.0.0.5` (gateway IP that normally acts as resolver) does not return `SERVFAIL`: ``` # nslookup obnoxious.research.in.rambaud.dev 10.0.0.5 Server: 10.0.0.5 Address: 10.0.0.5#53 Name: m1.research.internal.example.com Address: 10.0.2.6 ``` Is the SERVFAIL something I should worry about here? Or is there a misconfiguration on my end with `knot-resolver`? Darren

2 týdny, 1 den

3
2
0 0

Knot Resolver 6.2.0

by Aleš Mrázek

Dear Knot Resolver users, Knot Resolver 6.2.0 has been released! Improvements: - DNS-over-QUIC (DoQ) is available for serving (beta, !1747) Bugfixes: - fix UDP answers without sendmmsg, e.g. on non-Linux (!1795) - fix /logging/groups in python 3.8 (!1799) Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v6.2.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-6.2.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-6.2.0.tar.xz.asc Documentation: https://www.knot-resolver.cz/documentation/v6.2.0/ -- Ales Mrazek PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE

2 týdny, 2 dny

1
0
0 0

Re: is there a way to force DNS64 synthesis for specific domains that have native AAAA records?

by Vladimír Čunát

On 12/01/2026 00.11, * wrote: > However, I cannot use it in my production environment as this returns > NODATA globally (all views) for security.ubuntu.com. > I have several views not using dns64 for which the AAAA record should > be the existing original answer. While on Lua level it's not ergonomic, tags are supported in these APIs, so you can do a tiny change, e.g.: lua: policy-script: | assert(C.kr_rule_local_data_ins( kres.rrset(kres.str2dname('security.ubuntu.com.'), kres.type.AAAA, nil, C.KR_RULE_TTL_DEFAULT), nil, policy.get_tagset({'myTag'}), C.KR_RULE_OPTS_DEFAULT ) == 0) and then you just need to add myTag to the views where you want to apply this rule (in YAML). You can read more about tags and views in the docs, around page https://www.knot-resolver.cz/documentation/latest/config-policy-new.html

1 měsíc, 1 týden

3
2
0 0

Knot Resolver 6.0.16

by Aleš Mrázek

Dear Knot Resolver users, Knot Resolver 6.0.16 (early-access) has been released! Improvements: - reduce validation strictness for domain names (#934, !1727) - manager: force a configuration reload via management HTTP API 'api/reload/force' (#939, !1748) - kresctl: reload: added '--force' flag - /fallback: add this feature/module (!1733) - systemd: do not force-fail knot-resolver.service on OOM (!1724) In basically all cases the OOM killer will kill a kresd process and supervisord will just restart it, and everything will keep working. Bugfixes: - /options/query-case-randomization: respect this even on TCP issues (!1732) - prometheus metrics: make the latency histogram cumulative (!1731, GH#117) - fix file permission checks when running as root (!1741) - /network/address-renumbering: fix conversion to Lua configuration (!1739) - manager: avoid uncommon bugs when starting/quitting policy-loader (!1742) Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v6.0.16/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.16.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.16.tar.xz.asc Documentation: https://www.knot-resolver.cz/documentation/v6.0.16/ -- Ales Mrazek PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE

1 měsíc, 1 týden

3
4
0 0

Knot Resolver 6.0.17

by Aleš Mrázek

Dear Knot Resolver users, Knot Resolver 6.0.17 (early-access) has been released! Improvements: - kresctl migrate: new command for migrating the configuration to a newer version (!1672) - manager: basic support for non-Linux systems (macOS, FreeBSD) (!1758) - cache: collect garbage based on usage statistics (!1726) This results in using the cache space better, and in practice it reduces latency especially in case of answers that are *not* fully cached. Incompatible changes: See upgrading guide for incompatible configuration changes: https://www.knot-resolver.cz/documentation/v6.0.17/upgrading.html - Removed options from declarative configuration model (YAML). (!1672, !1754) These are mostly experimental and debugging/testing options that are not useful for general users (remain in Lua): - /dnssec/refresh-time - /dnssec/hold-down-time - /dnssec/time-skew-detection - /dnssec/keep-removed - /local-data/root-fallback-addresses* - /logging/debugging - /max-workers - /network/tls/auto-discovery - /webmgmt - Renamed/moved options in the declarative configuration model (YAML). (!1672) - /cache/garbage-collector -> /cache/garbage-collector/enable - /cache/prefetch/prediction -> /cache/prefetch/prediction/enable - /defer/enabled -> /defer/enable - /dns64: true|false -> /dns64/enable: true|false - /dns64/rev-ttl -> /dns64/reverse-ttl - /dnssec: true|false -> /dnssec/enable: true|false - /dnssec/trust-anchor-sentinel -> /dnssec/sentinel - /dnssec/trust-anchor-signal-query -> /dnssec/signal-query - /logging/dnstap -> /logging/dnstap/enable - /logging/dnssec-bogus -> /dnssec/log-bogus - /monitoring/enabled -> /monitoring/metrics - /monitoring/graphite -> /monitoring/graphite/enable - /network/proxy_protocol -> /network/proxy_protocol/enable - /network/tls/files-watchdog -> /network/tls/watchdog - /rate-limiting -> /rate-limiting/enable - Changed default values in declarative configuration model (YAML). (!1672) - /logging/dnstap/log-queries: true -> false - /logging/dnstap/log-responses: true -> false - /logging/dnstap/log-tcp-rtt: true -> false Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v6.0.17/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.17.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.17.tar.xz.asc Documentation: https://www.knot-resolver.cz/documentation/v6.0.17/ -- Ales Mrazek PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE

1 měsíc, 1 týden

5
8
0 0

Knot Resolver 6.1.0 (stable)

by Aleš Mrázek

Dear Knot Resolver users, Knot Resolver 6.1.0, the first officially stable version 6, has been released! As of this release, version 6 is preferred over version 5. Improvements: - logging: improved logging groups (!1768) - support libdnssec merged into libknot, as planned for knot >= 3.6 (!1769) - support cmocka 2.0.0 (!1772) - avoid AD=1 in reply if ANSWER+AUTHORITY are empty (#914, !1780) - defer: enabled by default in declarative configuration (!1785) - /defer/enable: false -> true - datamodel: lua: added Lua scripts for policy-loader (!1771) Bugfixes: - reload did not apply changes to /fallback (!1763) - fix config.cache.clear test on apple silicon (!1766) - cache: fix wrong TTL in some cases, typically 32768 (!1774) Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v6.1.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-6.1.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-6.1.0.tar.xz.asc Documentation: https://www.knot-resolver.cz/documentation/v6.1.0/ -- Ales Mrazek PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE

1 měsíc, 1 týden

1
0
0 0

kresd 5.7.6, secondary NS-es may not be tried if single auth NS fails

by Paweł Małachowski

There is a domain delegated to 4 NS-es. If I block network connectivity with auth NS 1, kresd sometimes returns and caches SERVFAIL without trying secondary NS-es 2-4. Impact: single faulty auth NS affects multi-NS domain resolvability. How to reproduce: knot-resolver 5.7.6-cznic.1~bookworm amd64 -- Network interface configuration net.listen('127.0.0.1', 53, { kind = 'dns' }) net.listen('::1', 53, { kind = 'dns', freebind = true }) net.listen('127.0.0.1', 8452, { kind = 'webmgmt' }) modules = { 'hints > iterate', -- Allow loading /etc/hosts or custom root hints 'stats', -- Track internal statistics 'http', 'cache', } cache.size = 100 * MB let's use domain: trafficmanager.net name server tm1.dns-tm.com. trafficmanager.net name server tm1.edgedns-tm.info. trafficmanager.net name server tm2.dns-tm.com. trafficmanager.net name server tm2.edgedns-tm.info. Intentionally block communication with tm2.dns-tm.com (tm2.dns-tm.com has address 150.171.16.240): # ip route add blackhole 150.171.16.240 or table inet filter { chain input { type filter hook input priority filter; } chain forward { type filter hook forward priority filter; } chain output { type filter hook output priority filter; ip daddr 150.171.16.240 drop } } Flush kresd cache: # echo 'cache.clear()' | socat - UNIX-CONNECT:/run/knot-resolver/control/1 Query admin.exchange.microsoft.com. Repeat cache.flush and query few times if needed). If kresd tries faulty NS as first, it returns and caches SERVFAIL. All following queries will also return SERVFAIL. Please note, when this happens, other auth NS-es (tm1.dns-tm.com., tm1.edgedns-tm.info., tm2.edgedns-tm.info.) are reachable but not tried. # while sleep 1; do host admin.exchange.microsoft.com 127.0.0.1 | grep admin; done Host admin.exchange.microsoft.com not found: 2(SERVFAIL) Host admin.exchange.microsoft.com not found: 2(SERVFAIL) Host admin.exchange.microsoft.com not found: 2(SERVFAIL) Host admin.exchange.microsoft.com not found: 2(SERVFAIL) Host admin.exchange.microsoft.com not found: 2(SERVFAIL) Host admin.exchange.microsoft.com not found: 2(SERVFAIL) Host admin.exchange.microsoft.com not found: 2(SERVFAIL) Host admin.exchange.microsoft.com not found: 2(SERVFAIL) Host admin.exchange.microsoft.com not found: 2(SERVFAIL) Host admin.exchange.microsoft.com not found: 2(SERVFAIL) Host admin.exchange.microsoft.com not found: 2(SERVFAIL) Host admin.exchange.microsoft.com not found: 2(SERVFAIL) Host admin.exchange.microsoft.com not found: 2(SERVFAIL) [...] admin.exchange.microsoft.com is an alias for admin.exchange.trafficmanager.net. admin.exchange.trafficmanager.net is an alias for eacafdprod-fzakegfrabbub0ab.z01.azurefd.net. admin.exchange.microsoft.com is an alias for admin.exchange.trafficmanager.net. admin.exchange.trafficmanager.net is an alias for eacafdprod-fzakegfrabbub0ab.z01.azurefd.net. admin.exchange.microsoft.com is an alias for admin.exchange.trafficmanager.net. admin.exchange.trafficmanager.net is an alias for eacafdprod-fzakegfrabbub0ab.z01.azurefd.net. admin.exchange.microsoft.com is an alias for admin.exchange.trafficmanager.net. [...] Host admin.exchange.microsoft.com not found: 2(SERVFAIL) Host admin.exchange.microsoft.com not found: 2(SERVFAIL) Host admin.exchange.microsoft.com not found: 2(SERVFAIL) Host admin.exchange.microsoft.com not found: 2(SERVFAIL) Host admin.exchange.microsoft.com not found: 2(SERVFAIL) Host admin.exchange.microsoft.com not found: 2(SERVFAIL) Host admin.exchange.microsoft.com not found: 2(SERVFAIL) Host admin.exchange.microsoft.com not found: 2(SERVFAIL) Host admin.exchange.microsoft.com not found: 2(SERVFAIL) Host admin.exchange.microsoft.com not found: 2(SERVFAIL) Host admin.exchange.microsoft.com not found: 2(SERVFAIL) Host admin.exchange.microsoft.com not found: 2(SERVFAIL) ^C # curl http://localhost:8452/trace/admin.exchange.trafficmanager.net [iterat][66079.00] 'admin.exchange.trafficmanager.net.' type 'A' new uid was assigned .01, parent uid .00 [cache ][66079.01] => no NSEC* cached for zone: trafficmanager.net. [cache ][66079.01] => skipping zone: trafficmanager.net., NSEC, hash 0;new TTL -123456789, ret -2 [cache ][66079.01] => skipping zone: trafficmanager.net., NSEC, hash 0;new TTL -123456789, ret -2 [zoncut][66079.01] found cut: trafficmanager.net. (rank 010 return codes: DS 1, DNSKEY 1) [resolv][66079.01] => NS is provably without DS, going insecure [select][66079.01] => id: '03790' choosing from addresses: 2 v4 + 0 v6; names to resolve: 2 v4 + 4 v6; force_resolve: 0; NO6: IPv6 is KO [select][66079.01] => id: '03790' choosing: 'tm2.dns-tm.com.'@'150.171.16.240#00053' with timeout 400 ms zone cut: 'trafficmanager.net.' [resolv][66079.01] => id: '03790' querying: 'tm2.dns-tm.com.'@'150.171.16.240#00053' zone cut: 'trafficmanager.net.' qname: 'exchange.trafficmanager.net.' qtype: 'NS' proto: 'udp' [resolv][66079.00] request failed, answering with empty SERVFAIL [resolv][66079.01] finished in state: 8, queries: 0, mempool: 81952 B /PM

1 měsíc, 1 týden

2
2
0 0

Introduction and questions about RPZ support

by Francis Turner

HI there, I work for ThreatSTOP, a company that distributes DNS policies using RPZ to our customers. One prospective customer uses knot-resolver and so they have asked us to look at what we can support with respect to importing our data into knot-resolver. I have read the documentation and I have done some testing with 5.7.2 that is the version in Ubuntu 24.04 I have also read some of the documentation for version 6.x I have a few questions The first is fairly basic. What is the status of 6.x? >From what I can see it seems to be undergoing development and not to be considered as stable. Is this correct? And therefore we should not recommend it to our users? Assuming that is the case, it's unfortunate because RPZ support seems to be considerably better in 6.x. however I'm still a bit confused as to the RPZ support and would appreciate being pointed to a spec. The 6.x documentation was not clear to me Also I have questions about policy limitations, which I don't see in the documentation for 5.x How large can an RPZ be? How many policies can you have? For example I'd like an ALLOW, a DENY and perhaps one to three A record rewrite policies. The total across all RPZs would be in the 500k-1M records. Also assuming it is supported, what are the performance impacts of large (say 500k+) RPZ policies? I intend to test some of this, but if there are known limits that can be shown that will help both the testing and the recommendations to our customers Finally is there a place to publicize a script that does a zone transfer of a policy from an external server (e.g. ours) and outputs 3 or 4 zones in the right format for knot-resolver to import? Regards Francis Francis Turner Threat STOP Global SE JP Cell: +81-8080404701 | US Cell: +1-760-402-7676 Office: +1-760-542-1550 | Line: francisturner francis(a)threatstop.com<mailto:francis@threatstop.com> | www.threatstop.com<http://www.threatstop.com/> Weaponize Your Threat Intelligence "If You Don't Build It, They Definitely Will Not Come" - P. Vixie

1 měsíc, 2 týdny

2
8
0 0

Re: Knot Resolver 6.0.17

by Leo Vandewoestijne

Hi, Between countless parcel notifications in my inbox, I suddenly found this message... ...just moments after I posted my modification (which is entirely focussed on setup.py): https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=292197 I'm now merging that with what's suggested here. So it's getting further than before, but is not yet completing successfully. Leo. On Fri, 02 Jan 2026, Michael Grimm wrote: > Vladim??r ??un??t via knot-resolver-users <knot-resolver-users(a)lists.nic.cz> wrote: > > On 31/12/2025 13.37, Michael Grimm via knot-resolver-users wrote: > > >> FYI: This is FreeBSD and kresctl tool isn't available here. > > > OK, that's a complication. In 6.0.17 we added FreeBSD support to code added in 6.x, and now we're in contact with the maintainer of the [port], but the last version I saw didn't seem to package all parts needed for YAML (e.g. executables called knot-resolver and kresctl). > > In March 2024 I tried to create a FreeBSD port for knot-resolver-6.0.8. I got it compiled after applying the following changes (see tar file attached). I do remember that I could use kresctl in a poudriere testport jail, only, but I can't reproduce that as of today, sorry. > > (This is intended as a FYI, just in case it helps.) > > 1) files/patch-meson_options.txt > > This adds a manager section to meson_options.txt. > With that I could tell meson to use '-Dmanager=enabled' within the port's Makefile > > This section is missing in 6.0.17 as well. If added meson log file tells me that a manager is enabled. > > I do not have the knowledge if that is necessary at all, though > > > 2) files/patch-controller_supervisord_plugin_notifymodule.c > > This patch addresses: > > #) include sys/ucred.h > #) use LOCAL_PEERCRED instead of SO_PASSCRED > #) use 'struct xucred' instead of 'struct ucred' > #) use SCM_CREDS instead of SCM_CREDENTIALS > #) use cred.cr_pid instead of cred.pid as returned value > > Again, I do not have the knowledge if that is of relevance at all. > > > I applied both patches to Leo's port and modified the Makefile accordingly (see tar), and it compiles successfully; but is still lacking kresctl and knot-resolver. > > > I hope that this might be of interest for you. > > Regards, > Michael >

1 měsíc, 2 týdny

2
1
0 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

knot-resolver-users