- knot-resolver-users - lists.nic.cz

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 4.3.0 has been released! Security - CVE-2019-19331 ------------------------- - fix speed of processing large RRsets (DoS, #518) - improve CNAME chain length accounting (DoS, !899) Bugfixes -------- - http module: use SO_REUSEPORT (!879) - systemd: kresd@.service now properly starts after network interfaces have been configured with IP addresses after reboot (!884) - sendmmsg: improve reliability (!704) - cache: fix crash on insertion via lua for NS and CNAME (!889) - rpm package: move root.keys to /var/lib/knot-resolver (#513, !888) Improvements ------------ - increase file-descriptor count limit to maximum allowed value (hard limit; !876) - watchdog module: support testing a DNS query (and switch C -> lua; !878, !881) - performance: use sendmmsg syscall towards clients by default (!877) - performance: avoid excessive getsockname() syscalls (!854) - performance: lua-related improvements (!874) - daemon now attempts to drop all capabilities (!896) - reduce CNAME chain length limit - now <= 12 (!899) Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v4.3.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-4.3.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-4.3.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v4.3.0/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

5 let

1
0
0 0

Configuring kresd to query multiple nameservers and return the first affirmative response?

by Bernd Wechner

I wonder if this is possible. The Knot Resolver certainly looks powerful, and I use it on my Omnia Router of course. But the documentation <https://knot-resolver.readthedocs.io/en/stable/index.html>which I have perused and read quickly, hasn't helped me understand this alas. It leaves me with a couple of interesting questions: 1. How are nameservers configured? Interestingly my running instance of kresd is on the Omnia and it receives nameservers via a dhcp request on my ISP I imagine, though I don't see them in /etc/resolv.conf 2. Is it possible configure a number of nameservers on a the basis of query them all (akin to dnsmasq's --all-servers) and return the first affirmative response? My interest is acutely related to: https://superuser.com/questions/1505755/can-one-configure-name-resolution-t… And I'd happily use kresd on my local machine(s) as well as on my LAN DNS (The Omnia) to help resolve names on my .lan while on a VPN! Regards, Bernd.

5 let

3
4
0 0

policy.DENY during a CNAME chain

by Stephane Bortzmeyer

Now that Firefox blocks 3rd-party cookies by default, many sites try to hide the fact that a cookie is 3rd-party by using CNAMEs. % kdig +short A ftn.fortuneo.fr ftn-fr.eulerian.net. ftn.eulerian.net. 109.232.194.56 I want to block all the requests to *.eulerian.net. policy.add(policy.suffix(policy.DENY, {todname('eulerian.net.')})) Does not work since, to quote the documentation "The policy module currently only looks at whole DNS requests. The rules won’t be re-applied e.g. when following CNAMEs." % kdig A ftn.eulerian.net ;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 42477 ... ftn.eulerian.net. 10800 IN SOA ftn.eulerian.net. nobody.invalid. 1 3600 1200 604800 10800 % kdig A ftn.fortuneo.fr ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 59262 ... ftn.fortuneo.fr. 600 IN CNAME ftn-fr.eulerian.net. ftn-fr.eulerian.net. 5799 IN CNAME ftn.eulerian.net. ftn.eulerian.net. 5799 IN A 109.232.194.56 This seriously limits the usefulness of policy.DENY. What are the possible solutions?

5 let

3
6
0 0

Re: [knot-resolver-users] DNSSEC validation failure logging on Centos 7 Knot Resolver, version 4.2.0

by Milan Jeskynka Kazatel

Hello Team, I found it, it is described in the Upgrading guide, DNSSEC validation is now turned on by default. If you need to disable it, see Trust anchors and DNSSEC (https://knot-resolver.readthedocs.io/en/stable/daemon.html#dnssec-config). *** Since version 4.0, DNSSEC validation is enabled by default. This is secure default and should not be changed unless absolutely necessary. Options in this section are intended only for expert users and normally should not be needed. If you really need to turn DNSSEC off and are okay with lowering security of your system by doing so, add the following snippet to your configuration file. -- turns off DNSSEC validation trust_anchors.remove('.'). *** Anyway, if it is enabled by default, how to prevent the "DNSSEC validation failure" spamming in the log and increasing the I/O operation on the system? For me now is the service in the unstable condition. My kresd@1 is crashing and restarting in the row. Please, any advice? I modify the server name and the domain, but still it is a live log output. Oct 22 14:02:51 dnstestserver kresd[15877]: DNSSEC validation failure example.com DNSKEY Oct 22 14:02:58 dnstestserver kresd[15877]: DNSSEC validation failure example.com DNSKEY Oct 22 14:03:08 dnstestserver kresd[15877]: DNSSEC validation failure example.com DNSKEY Oct 22 14:03:18 dnstestserver systemd[1]: kresd(a)1.service watchdog timeout (limit 10s)! Oct 22 14:03:22 dnstestserver systemd[1]: kresd(a)1.service: main process exited, code=killed, status=6/ABRT Oct 22 14:03:22 dnstestserver systemd[1]: Unit kresd(a)1.service entered failed state. Oct 22 14:03:22 dnstestserver systemd[1]: kresd(a)1.service failed. Oct 22 14:03:22 dnstestserver systemd[1]: kresd(a)1.service holdoff time over, scheduling restart. Oct 22 14:03:22 dnstestserver systemd[1]: Cannot add dependency job for unit kresd.service, ignoring: Unit not found. Oct 22 14:03:22 dnstestserver systemd[1]: Stopped Knot Resolver daemon. Oct 22 14:03:22 dnstestserver systemd[1]: Starting Knot Resolver daemon... Oct 22 14:04:07 dnstestserver kresd[16468]: [http] created new ephemeral TLS certificate Oct 22 14:04:07 dnstestserver systemd[1]: Started Knot Resolver daemon. Oct 22 14:04:07 dnstestserver kresd[16468]: [ta_update] refreshing TA for . Oct 22 14:04:07 dnstestserver kresd[16468]: [ta_update] key: 20326 state: Valid Oct 22 14:04:07 dnstestserver kresd[16468]: [ta_update] next refresh for . in 24 hours Oct 22 14:04:09 dnstestserver kresd[16468]: DNSSEC validation failure example.com DNSKEY ... Best regards. -- Smil Milan Jeskyňka Kazatel ---------- Původní e-mail ---------- Od: Milan Jeskynka Kazatel <KazatelM(a)seznam.cz> Komu: knot-resolver-users(a)lists.nic.cz Datum: 22. 10. 2019 13:33:46 Předmět: DNSSEC validation failure logging on Centos 7 Knot Resolver, version 4.2.0 "Hello Team, I would like to know if the "DNSSEC validation failure logging" is enabled by DEFAULT in version 4.2.0. on Centos 7. I do not have any explicit call for this module - as is described in the documentation like this: modules.load('bogus_log'), nevertheless, I´m facing a huge report in the system log regarding DNSSEC validation failure somedomainname. DNSKEY In the configuration, I´m using the 'http' module and module 'stats', can it be relevant? kresd.conf -- Load Useful modules modules = { 'policy', -- Block queries to local zones/bad sites 'view', -- Handle requests by source IP 'stats', -- Track internal statistics 'hints', -- Add static records to resolver } -- load HTTP module with defaults (self-signed TLS cert) modules.load('http') http.config() How can I disable DNSSEC validation failure logging? best regards, -- Smil Milan Jeskyňka Kazatel "

5 let, 2 měsíce

2
1
0 0

DNSSEC validation failure logging on Centos 7 Knot Resolver, version 4.2.0

by Milan Jeskynka Kazatel

Hello Team, I would like to know if the "DNSSEC validation failure logging" is enabled by DEFAULT in version 4.2.0. on Centos 7. I do not have any explicit call for this module - as is described in the documentation like this: modules.load('bogus_log'), nevertheless, I´m facing a huge report in the system log regarding DNSSEC validation failure somedomainname. DNSKEY In the configuration, I´m using the 'http' module and module 'stats', can it be relevant? kresd.conf -- Load Useful modules modules = { 'policy', -- Block queries to local zones/bad sites 'view', -- Handle requests by source IP 'stats', -- Track internal statistics 'hints', -- Add static records to resolver } -- load HTTP module with defaults (self-signed TLS cert) modules.load('http') http.config() How can I disable DNSSEC validation failure logging? best regards, -- Smil Milan Jeskyňka Kazatel

5 let, 2 měsíce

1
0
0 0

HTTP module after upgrade from Knot DNS Resolver, version 2.3.0 to Knot Resolver, version 4.2.0

by Milan Jeskynka Kazatel

Hello Knot Resolver team, I tried to upgrade to the latest stable version of Knot Resolver on Centos7, where I'm facing with a configuration issue with the module HTTP. I used it in version 2.3.0 with configuration -- Load Useful modules modules = { 'policy', -- Block queries to local zones/bad sites 'view', -- Handle requests by source IP 'stats', -- Track internal statistics 'hints', -- Add static records to resolver http = { host = '10.0.0.1', port = 8053, cert = false, } } and it works as expected, I reached a /stats/ from the browser. Unfortunately after upgrade to version 4.2.0 I'm not able to correctly start the module even if I follow the migration hints on documentation websites. I still receive a startup fail message Oct 04 11:32:09 dns systemd[1]: Starting Knot Resolver daemon... Oct 04 11:32:54 dns kresd[9540]: error: /usr/lib64/knot-resolver/kres_ modules/http.lua:35: attempt to call global 'moduledir' (a nil value) Oct 04 11:32:54 dns kresd[9540]: [system] failed to load module 'http' Oct 04 11:32:54 dns kresd[9540]: error occured here (config filename:lineno is at the bottom, if config is involved): Oct 04 11:32:54 dns kresd[9540]: stack traceback: Oct 04 11:32:54 dns kresd[9540]: [C]: in function 'load' Oct 04 11:32:54 dns kresd[9540]: /etc/knot-resolver/kresd.conf:14: in main chunk Oct 04 11:32:54 dns kresd[9540]: ERROR: No such file or directory Oct 04 11:32:54 dns systemd[1]: kresd(a)1.service: main process exited, code= exited, status=1/FAILURE Oct 04 11:32:54 dns systemd[1]: Failed to start Knot Resolver daemon. Current configuration is: -- interfaces ... net.listen('10.0.0.1', 8453, { kind = 'webmgmt' }) -- load HTTP module with defaults (self-signed TLS cert) modules.load('http') http.config() -- Load Useful modules modules = { 'policy', -- Block queries to local zones/bad sites 'view', -- Handle requests by source IP 'stats', -- Track internal statistics 'hints', -- Add static records to resolver } Where should be written the path to module http? What I did wrong? Regards, -- Smil Milan Jeskyňka Kazatel

5 let, 2 měsíce

2
4
0 0

Knot Resolver 4.2.2

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 4.2.2 has been released! Bugfixes -------- - lua bindings: fix a 4.2.1 regression on 32-bit systems (#514) which also fixes libknot 2.9 support on all systems Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v4.2.2/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-4.2.2.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-4.2.2.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v4.2.2/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

5 let, 2 měsíce

1
0
0 0

HTTP module after upgrade from Knot DNS Resolver, version 2.3.0 to Knot Resolver, version 4.2.0

by Milan Jeskynka Kazatel

Hello Knot Resolver team, I tried to upgrade to the latest stable version of Knot Resolver on Centos7, where I'm facing with a configuration issue with the module HTTP. I used it in version 2.3.0 with configuration -- Load Useful modules modules = { 'policy', -- Block queries to local zones/bad sites 'view', -- Handle requests by source IP 'stats', -- Track internal statistics 'hints', -- Add static records to resolver http = { host = '10.0.0.1', port = 8053, cert = false, } } and it works as expected, I reached a /stats/ from the browser. Unfortunately after upgrade to version 4.2.0 I'm not able to correctly start the module even if I follow the migration hints on documentation websites. I still receive a startup fail message Oct 04 11:32:09 dns systemd[1]: Starting Knot Resolver daemon... Oct 04 11:32:54 dns kresd[9540]: error: /usr/lib64/knot-resolver/kres_ modules/http.lua:35: attempt to call global 'moduledir' (a nil value) Oct 04 11:32:54 dns kresd[9540]: [system] failed to load module 'http' Oct 04 11:32:54 dns kresd[9540]: error occured here (config filename:lineno is at the bottom, if config is involved): Oct 04 11:32:54 dns kresd[9540]: stack traceback: Oct 04 11:32:54 dns kresd[9540]: [C]: in function 'load' Oct 04 11:32:54 dns kresd[9540]: /etc/knot-resolver/kresd.conf:14: in main chunk Oct 04 11:32:54 dns kresd[9540]: ERROR: No such file or directory Oct 04 11:32:54 dns systemd[1]: kresd(a)1.service: main process exited, code= exited, status=1/FAILURE Oct 04 11:32:54 dns systemd[1]: Failed to start Knot Resolver daemon. Current configuration is: -- interfaces ... net.listen('10.0.0.1', 8453, { kind = 'webmgmt' }) -- load HTTP module with defaults (self-signed TLS cert) modules.load('http') http.config() -- Load Useful modules modules = { 'policy', -- Block queries to local zones/bad sites 'view', -- Handle requests by source IP 'stats', -- Track internal statistics 'hints', -- Add static records to resolver } Where should be written the path to module http? What I did wrong? -- Smil Milan Jeskyňka Kazatel

5 let, 2 měsíce

1
0
0 0

Knot Resolver 4.2.1

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 4.2.1 has been released! Note for Debian users: If you have previously installed knot-resolver-dbgsym package on Debian, please remove it and install knot-resolver-dbg instead. Bugfixes -------- - rebinding module: fix handling some requests, respect ALLOW_LOCAL flag - fix incorrect SERVFAIL on cached bogus answer for +cd request (!860) (regression since 4.1.0 release, in less common cases) - prefill module: allow a different module-loading style (#506) - validation: trim TTLs by RRSIG's expiration and original TTL (#319, #504) - NS choice algorithm: fix a regression since 4.0.0 (#497, !868) - policy: special domains home.arpa. and local. get NXDOMAIN (!855) Improvements ------------ - add compatibility with (future) libknot 2.9 Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v4.2.1/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-4.2.1.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-4.2.1.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v4.2.1/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

5 let, 2 měsíce

1
0
0 0

CentOS 7 package ships writable /etc/knot-resolver

by Anand Buddhdev

Hello Knot resolver folks, and especially the packagers, I've noticed that the CentOS 7 packages published by CZNIC ship with /etc/knot-resolver writable by the "knot-res" user (the directory mode is 0775). It seems that the directory is writable, because kresd (running as user knot-res) runs a lua script to manage the /etc/knot-resolver/root.keys file. My sysadmin mind is suspicious of this setup. If any other modules of kresd have a bug, they have the potential to modify config files in /etc/knot-resolver. My thinking is that the root.keys file should be installed in /var/cache/knot-resolver, and that is writable by "knot-res". Could someone please explain to me why the config directory is writable by an unprivileged user? Is there a good reason I'm not seeing for this setup? Regards, Anand Buddhdev

5 let, 3 měsíce

2
4
0 0

2024

2023

2022

2021

2020

2019

2018

knot-resolver-users