- knot-resolver-users - lists.nic.cz

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 5.3.2 has been released! Security -------- - validator: fix 5.3.1 regression on over-limit NSEC3 edge case (!1169) Assertion might be triggered by query/answer, potentially DoS. Improvements ------------ - cache: improve handling write errors from LMDB (!1159) - doh2: improve handling of stream errors (!1164) Bugfixes -------- - dnstap module: fix repeated configuration (!1168) - validator: fix SERVFAIL for some rare dynamic proofs (!1166) - fix SIGBUS on uncommon ARM machines (unaligned access; !1167, #426) - cache: better resilience on abnormal termination/restarts (!1172) - doh2: fix memleak on stream write failures (!1161) Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v5.3.2/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.3.2.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.3.2.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v5.3.2/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

4 roky, 5 měsíců

1
0
0 0

Disable qname minimization

by Bjoern Franke

Hi, I recently stumbled about the following issue with postfix: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.smtp-relay-in-s1.neusta.de type=TLSA: Host not found, try again Postfix uses knot-resolver and I found [1] as a possible similar issue with unbound. I would like to test if the issue persists with disabled qname minimization, but it seems to be no configurale option. Kind Regards Bjoern [1] http://postfix.1071664.n5.nabble.com/Mail-deferred-TLSA-lookup-error-td1074…

4 roky, 5 měsíců

2
3
0 0

Writing a module to forward a query to another nameserver if recursive resolution fails

by Paul Furtado

Hello, We operate recursive resolvers in our network in AWS and from within the AWS network there are certain authoritative nameservers that block large swaths of the AWS IP range, causing resolution to fail for us. So I'm attempting to write a module that will handle failures reaching external resolvers and retry the query by forwarding it to a major resolver like cloudflare DNS. We push a ton of DNS query traffic so we do not want to simply forward to a public resolver, we only want to forward if recursion doesn't work for some reason. I've poured through the documentation and source code and tried to hook a variety of places, but I can't seem to find a good spot to hook the request failure. The finish layer allows me to hook the SERVFAIL, but by then it is too late to do anything. Using a simple policy, I was actually able to do something close by calling ensure_answer(), clearing the answer, setting the same forwarding flags as the forward policy, and then calling ensure_answer() again and I could see the query getting sent to cloudflare, so it seems like this is possible, but at the policy level it's too early to know if a query will result in a SERVFAIL. Could anyone point me in the right direction here? Thank you! Paul

4 roky, 5 měsíců

2
3
0 0

Any "gothcas" going from 2.65 to 3.04 I should know about?

by Chris

Hi. Moving a couple of our servers to new hardware, and taking that opportunity to upgrade some of the services at the same time. The main one being knot. Moving from a 2.65 context to 3.04. I've read the upgrade doc, and while there isn't a 2.65 --> 3.04. It appears for our environment that the changed/removed stanzas won't have much of an impact *except* as they relate to the database. That is; it appears that it isn't going to be a smooth transition, as they appear to be incompatible. Is that right? Do I need to rewrite all the keys && serials, and start from scratch? If so, as we have a huge number of domains, this will be an enormous task. Is this avoidable? Thank you for any and all insight into this transition. --Chris

4 roky, 6 měsíců

1
0
0 0

stats.upstreams() metrics in prometheus /metrics http output?

by Roman Kuzmitskii

hello, is there a way to output metrics about requests sent to upstreams and their information in prometheus /metrics output? been trying to find info and there seem to be no documentation about that functionality. sources mention dedicated /upstreams endpoint https://gitlab.nic.cz/knot/knot-resolver/-/blob/master/modules/http/prometh… but /upstreams returns empty list. currently trying to run this config: modules = { 'hints > iterate', 'stats', 'predict', 'http', } net.listen('0.0.0.0', 53, { kind = 'dns' }) net.listen('0.0.0.0', 9053, { kind = ‘webmgmt' }) cache.size = 256 * MB cache.storage = "lmdb:///dev/shm/knot-resolver” policy.add( policy.all( policy.TLS_FORWARD({ {'1.1.1.1', hostname='cloudflare-dns.com' }, {'1.0.0.1', hostname='cloudflare-dns.com' }, }) ) ) is there a way to get upstreams info? running modules.load('stats’) and then stats.upstreams() from ‘runtime’ configuration returns upstream request details like described here https://knot-resolver.readthedocs.io/en/stable/modules-stats.html thanks

4 roky, 6 měsíců

3
3
0 0

Knot Resolver 5.3.1

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 5.3.1 has been released! Improvements ------------ - policy.STUB: try to avoid TCP (compared to 5.3.0; !1155) - validator: downgrade NSEC3 records with too many iterations (>150; !1160) - additional improvements to nameserver selection algorithm (!1154, !1150) Bugfixes -------- - dnstap module: don't break request resolution on dnstap errors (!1147) - cache garbage collector: fix crashes introduced in 5.3.0 (!1153) - policy.TLS_FORWARD: better avoid dead addresses (#671, !1156) Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v5.3.1/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.3.1.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.3.1.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v5.3.1/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

4 roky, 6 měsíců

1
0
0 0

Knot Resolver in front of Knot DNS

by Alex JOST

Apologies if this has been asked before, but I was unable to find informative resources about this topic except this[1]. What are the downsides of having a recursive DNS server in front of an authoritative DNS Server? I'm wondering if all the points listed in the linked article are relevant for small scale installations. Is anyone running such a setup and can share some advice with regards to rate limiting? [1]: https://www.whalebone.io/separate-dns-servers/ -- Alex JOST

4 roky, 7 měsíců

5
14
0 0

The "better" algorithm for choosing nameservers explained?

by Josef Vybíhal

Hey list, new here. Could someone please try explain to me, what's better about the new algorithm for choosing nameservers? I feel like it totally broke my use case. I use knot-resolver as local resolver and have configured this: acme = policy.todnames({'acme.cz', 'acme2.cz'}) policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}), acme)) policy.add(policy.suffix(policy.STUB({'172.16.21.93','172.16.21.94','8.8.8.8'}), acme)) Until the "better" algo, it worked exactly as I wanted it to. When I was in the network where the 172.16.21.9{3,4} DNS servers were available, they were selected. And when they were not available, google DNS was used to resolve those domains. Now, even when the internal nameservers are available, they are rarely used: $ for i in `seq 1 20`; do dig intranet.acme.cz +short; done 193.165.208.153 172.16.21.1 172.16.21.1 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 $ for i in `seq 1 20`; do dig intranet.acme.cz +short; done 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 193.165.208.153 172.16.21.1 193.165.208.153 When I remove the google DNS and leave just 172... # systemctl restart kresd@{1..4}.service && for i in `seq 1 20`; do dig intranet.acme.cz +short; done 172.16.21.1 172.16.21.1 172.16.21.1 172.16.21.1 172.16.21.1 172.16.21.1 172.16.21.1 172.16.21.1 172.16.21.1 172.16.21.1 172.16.21.1 172.16.21.1 172.16.21.1 172.16.21.1 172.16.21.1 172.16.21.1 172.16.21.1 172.16.21.1 172.16.21.1 172.16.21.1 Can I somehow switch back to the old algorithm via configuration? Thanks Josef

4 roky, 7 měsíců

2
4
0 0

Knot Resolver 5.3.0

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 5.3.0 has been released! Note regarding CentOS 8 packages: Due to the Red Hat's hostile decision to exclude devel packages from their distribution, we won't be providing upstream packages or maintaining knot-resolver package in EPEL8 until libuv-devel has been included in official RHEL8 release [rhbz#1895872]. If you depend on these, we can find a solution for your use-case as part of the paid support we offer [1]. [rhbz#1895872] - https://bugzilla.redhat.com/show_bug.cgi?id=1895872 [1] - https://www.knot-resolver.cz/support/pro/ Improvements ------------ - more consistency in using parent-side records for NS addresses (!1097) - better algorithm for choosing nameservers (!1030, !1126, !1140, !1141, !1143) - daf module: add daf.clear() (!1114) - dnstap module: more features and don't log internal requests (!1103) - dnstap module: include in upstream packages and Docker image (!1110, !1118) - randomize record order by default, i.e. reorder_RR(true) (!1124) - prometheus module: transform graphite tags into prometheus labels (!1109) - avoid excessive logging of UDP replies with sendmmsg (!1138) Bugfixes -------- - view: fail config if bad subnet is specified (!1112) - doh2: fix memory leak (!1117) - policy.ANSWER: minor fixes, mainly around NODATA answers (!1129) - http, watchdog modules: fix stability problems (!1136) Incompatible changes -------------------- - dnstap module: `log_responses` option gets nested under `client`; see new docs for config example (!1103) - libknot >= 2.9 is required Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v5.3.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.3.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.3.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v5.3.0/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

4 roky, 7 měsíců

1
0
0 0

Knot Resolver: Upcoming Debian 9 & Ubuntu 16.04 EOL

by Tomas Krizek

Dear Knot Resolver users, I have an early notification for those who rely on our upstream package repositories for Debian 9 and Ubuntu 16.04. Ubuntu 16.04: We'll no longer provide packages after April 2021 when the distribution reaches end of life. Debian 9: Knot Resolver 5.x is the last supported major version for Debian 9. Once we release a new major version, we'll no longer provide packages for Debian 9. We expect to release our next major version in the second half of 2021. Packages for other distributions remain unaffected and are supported as usual. Thanks for understanding. -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

4 roky, 8 měsíců

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

knot-resolver-users