hi
My idea is to use Knot Resolver as a DNS forwarder / cache instead of using
dnsmasq. I am using an old PC with Arch Linux as a router.
I changed the dnsmasq config so it listens on port 5353,
following the steps here:
https://wiki.archlinux.org/index.php/Knot_Resolver
I changed the systemd unit so my kresd is listening on both local interfaces. I
am checking that with the ss command and it is OK.
Here is my kresd config:
cat /etc/knot-resolver/kresd.conf
-- vim:syntax=lua:
-- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
-- Load useful modules
modules = {
    'policy',          -- Block queries to local zones/bad sites
    'hints > iterate', -- Load /etc/hosts and allow custom root hints
    'stats',           -- Track internal statistics
    'predict',         -- Prefetch expiring/frequent records
}
-- See kresd.systemd(7) about configuring network interfaces when using systemd
-- Listen on localhost (default)
-- net = { '127.0.0.1', '::1' }
-- Enable DNSSEC validation
-- trust_anchors.file = '/etc/knot-resolver/root.keys'
hints.root_file = '/etc/knot-resolver/root.hints'
-- Cache size
cache.size = 100 * MB
After start I can see the following errors in the journal:
Nov 08 22:49:43 skriatok systemd[1]: Starting Knot Resolver daemon...
Nov 08 22:49:43 skriatok systemd[1]: Started Knot Resolver daemon.
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'b.root-servers.net.', type: 1
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'b.root-servers.net.', type: 28
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'h.root-servers.net.', type: 28
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'j.root-servers.net.', type: 1
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'm.root-servers.net.', type: 1
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'l.root-servers.net.', type: 1
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'j.root-servers.net.', type: 28
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'i.root-servers.net.', type: 28
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'g.root-servers.net.', type: 28
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'f.root-servers.net.', type: 28
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'e.root-servers.net.', type: 28
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'd.root-servers.net.', type: 28
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'a.root-servers.net.', type: 28
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'h.root-servers.net.', type: 1
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'c.root-servers.net.', type: 1
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'k.root-servers.net.', type: 1
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'e.root-servers.net.', type: 1
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'f.root-servers.net.', type: 1
...
Thank you for your help.
Hi,
I am not able to force knot-resolver to forward some queries.
I have a real DNS zone, and in the internal network I have a few 3rd-level subzones.
For them I would like to make my kresd forward queries to our internal DNS
server (bind9).
My computer is not inside the company network; it is connected via OpenVPN.
The system is Ubuntu 18.04.1 (up to date) and knot-resolver 3.0.0.
The relevant part of kresd.conf is:
policy.add(policy.suffix(
    policy.FORWARD('10.0.0.1'), {
        todname('sub1.company.cz'),
        todname('sub2.company.cz')
    }
))
dig machine.sub1.company.cz @127.0.0.53 does NOT work,
dig machine.sub1.company.cz @10.0.0.1 DOES work.
I have set verbose(true), but with no help.
kresd queries 10.0.0.1 for 'company.cz' only, but that's all.
I am just working on it on my Ubuntu workstation,
but the real target will be a Turris Omnia with its kresd,
which connects via OpenVPN to the company network.
--
Sincerely
Ivo Panacek
Dear Knot Resolver users,
Is it possible to create a view with more than one policy?
If I do, for example, something like this:
view:addr('192.168.1.0/24',
    policy.suffix(
        policy.PASS,
        policy.todnames({'good.com', 'better.com', 'best.com'})
    )
)
view:addr('192.168.1.0/24',
    policy.suffix(
        policy.REFUSE, {todname('bad.com')}
    )
)
Knot Resolver will obey only the first view, and users will be able to resolve the bad.com domain ... obviously the first view is the match and no other views are considered afterwards ...
Without multiple policies, views are pretty much useless, so I believe that I must be doing something wrong here; could anybody help me with this ...
Best regards,
Bratislav ILIC
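One way to get several policy rules under a single view, added here as an example that is not from the post or from the Knot Resolver project: a view rule is any function taking (req, qry) and returning an action or nil, so a small wrapper can try a list of policy rules in order and return the first action. It assumes the policy and view modules are loaded and uses the post's own subnet and names.

```lua
-- Added example (not from the list post): one view rule that chains several
-- policy rules. Assumes kresd's 'policy' and 'view' modules are loaded.
-- Each rule produced by policy.suffix() is a function (req, qry) -> action|nil,
-- so trying them in order gives "first matching rule wins" inside one view.
local function first_match(rules)
    return function(req, qry)
        for _, rule in ipairs(rules) do
            local action = rule(req, qry)
            if action ~= nil then
                return action
            end
        end
        return nil  -- no rule matched: fall through to normal resolution
    end
end

-- Refusal first, so a name under bad.com is never passed by a later rule.
view:addr('192.168.1.0/24', first_match({
    policy.suffix(policy.REFUSE, policy.todnames({'bad.com'})),
    policy.suffix(policy.PASS,   policy.todnames({'good.com', 'better.com', 'best.com'})),
}))
```

Because the whole list sits behind one view:addr entry, the view module's first-match-per-subnet behaviour no longer hides the second rule.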
Dear Knot Resolver users,
Knot Resolver 3.0.0 has been released.
Incompatible changes
--------------------
- cache: fail lua operations if cache isn't open yet (!639)
By default cache is opened *after* reading the configuration,
and older versions were silently ignoring cache operations.
Valid configuration must open cache using `cache.open()` or
`cache.size =` before executing cache operations like `cache.clear()`.
- libknot >= 2.7.1 is required, which brings also larger API changes
- in case you wrote custom Lua modules, please consult
https://knot-resolver.readthedocs.io/en/latest/lib.html#incompatible-change…
- in case you wrote custom C modules, please compile against
Knot DNS 2.7 and adjust your module according to messages from the C
compiler
- DNS cookie module (RFC 7873) is not available in this release,
it will be later reworked to reflect development in the IETF dnsop working
group
- version module was permanently removed because it was not really used
by users; if you want to receive notifications about new releases
please subscribe to
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-resolver-announce
Bugfixes
--------
- fix multi-process race condition in trust anchor maintenance (!643)
- ta_sentinel: also consider static trust anchors not managed via
RFC 5011
Improvements
------------
- reorder_RR() implementation is brought back
- bring in performance improvements provided by libknot 2.7
- cache.clear() has a new, more powerful API
- cache documentation was improved
- old name "Knot DNS Resolver" is replaced by unambiguous "Knot
Resolver" to prevent confusion with "Knot DNS" authoritative server
Full changelog:
https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v3.0.0/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-3.0.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-3.0.0.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v3.0.0/
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
Hello,
I set the config as below, but an error is output at some point.
Although it is an error message related to policy.lua, reading the documentation did not tell me the cause.
"""
error: /usr/local/lib/kdns_modules/policy.lua:526: attempt to call local 'action' (a table value)
error: /usr/local/lib/kdns_modules/policy.lua:526: attempt to call local 'action' (a table value)
error: /usr/local/lib/kdns_modules/policy.lua:526: attempt to call local 'action' (a table value)
error: /usr/local/lib/kdns_modules/policy.lua:526: attempt to call local 'action' (a table value)
"""
"""
net.listen(net.eth0, 53, false)
-- Load useful modules
modules = {
    'policy',           -- Block queries to local zones/bad sites
    'view',             -- Views for certain clients
    'hints > iterate',  -- Hints AFTER iterate
    'priming',          -- Initializing a DNS Resolver with Priming Queries implemented according.
    'detect_time_skew', -- System time skew detector
    'detect_time_jump', -- Detect discontinuous jumps in the system time
    'daf',
    predict = {
        window = 180,         -- 180 minutes sampling window
        period = 24*(60/15)   -- track last 24 hours
    },
    'bogus_log',
}
modules.list() -- Check module call order
-- stub forward
policy.add(policy.suffix(policy.PASS({'192.168.1.3@10053', '192.168.1.4@10053'}), {todname('kometch.private')}))
policy.add(policy.suffix(policy.PASS({'192.168.1.3@10053', '192.168.1.4@10053'}), {todname('168.192.in-addr.arpa')}))
-- forward policy
policy.add(policy.all(policy.FORWARD({'1.1.1.1', '1.0.0.1'})))
policy.del(0)
"""
Would you please advise me?
Best regards.
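A stub-forwarding layout for the same private suffixes, added here as an example and not taken from the post: in the kresd policy module, policy.PASS is a bare action constant that takes no arguments, whereas policy.STUB and policy.FORWARD are functions that take the target list. The addresses and suffixes are the post's own; the policy module is assumed to be loaded.

```lua
-- Added example (not from the list post): stub-forward two private suffixes
-- to the internal servers and forward everything else to public resolvers.
-- Assumes kresd's 'policy' module is loaded; targets reuse the post's addresses.
local internal = {'192.168.1.3@10053', '192.168.1.4@10053'}

-- policy.STUB(targets) sends matching queries to the listed servers without
-- recursion. policy.PASS is an action constant and cannot be called with arguments.
policy.add(policy.suffix(policy.STUB(internal), {todname('kometch.private')}))
policy.add(policy.suffix(policy.STUB(internal), {todname('168.192.in-addr.arpa')}))

-- Catch-all: rules are tried in the order they were added, so the suffix rules
-- above must come before this one or the private names would also be forwarded.
policy.add(policy.all(policy.FORWARD({'1.1.1.1', '1.0.0.1'})))
```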
Hello,
Since version 2.4.1, has the version module been deleted?
I checked NEWS, but I could not find a sentence mentioning that the "version" module was deleted.
https://gitlab.labs.nic.cz/knot/knot-resolver/blob/master/NEWS
I have confirmed that it has been deleted from GitLab.
Best regards.
Hi,
I'm trying to build knot-resolver with Redis support. I was wondering
why the memcache and Redis stuff is commented out in the Makefile,
so I uncommented the Redis part, also in modules.mk.
Now it fails because it does not find its own cache.h?
modules/redis/redis.c:24:10: fatal error: lib/cache.h: No such file or directory
Regards
Bjoern