- knot-resolver-users - lists.nic.cz

by Bjoern Franke

Hi, I'm trying to build knot-resolver with redis support. I was wondering why the memcache and redis-stuff is commented out within the Makefile, so I uncommented the redis-part, also in modules.mk. Now it fails because it does not find it's own cache.h? modules/redis/redis.c:24:10: fatal error: lib/cache.h: No such file or directory Regards Bjoern

7 let, 3 měsíce

3
3
0 0

Knot resolver module stats - query source ip - knot-resolver-users Digest, Vol 31, Issue 1

by Sýkora Milan

Hello Petr, This a good news, that query source IP would be planned in the future module version. I would like to answer your related notes like: - How many 'most frequent' IP addresses you want to get? - It is better to do the list as variable items, someone needs to list top 10 and someone 1000. - Should the number of addresses be configurable? yes - Do you consider query from the same IP but different port as 'different client' or not? (E.g. clients behind NAT?) In my case, it is not a topic function. - Should IP addresses be somehow tied to most frequent query names or not? yes, it will be better to know frequented queries to domain names. - Do you need a way to flush the table on fly? An option to clear statistic list and count it since a specific time range sound as a good idea. In the case when I´m not so familiar with Lua, where should be added your code part? Best regards, Milan Sýkora -----Original Message----- From: knot-resolver-users [mailto:knot-resolver-users-bounces@lists.nic.cz] On Behalf Of knot-resolver-users-request(a)lists.nic.cz Sent: Tuesday, July 24, 2018 12:00 PM To: knot-resolver-users(a)lists.nic.cz Subject: knot-resolver-users Digest, Vol 31, Issue 1 Send knot-resolver-users mailing list submissions to knot-resolver-users(a)lists.nic.cz To subscribe or unsubscribe via the World Wide Web, visit https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-resolver-users or, via email, send a message with subject or body 'help' to knot-resolver-users-request(a)lists.nic.cz You can reach the person managing the list at knot-resolver-users-owner(a)lists.nic.cz When replying, please edit your Subject line so it is more specific than "Re: Contents of knot-resolver-users digest..." Today's Topics: 1. Knot resolver module stats - query source ip (Sýkora Milan) 2. Re: Knot resolver module stats - query source ip (Petr Špaček) ---------------------------------------------------------------------- Message: 1 Date: Tue, 24 Jul 2018 07:32:52 +0000 From: Sýkora Milan <milan.sykora(a)cetin.cz> To: "knot-resolver-users(a)lists.nic.cz" <knot-resolver-users(a)lists.nic.cz> Subject: [knot-resolver-users] Knot resolver module stats - query source ip Message-ID: <365048c9e5ae48c699c079fee6343a5f(a)cewexch402.ad.cetin> Content-Type: text/plain; charset="iso-8859-2" Hello, I have your cool DNS resolver in version 2.3.0, I know that was released newest version. My question is - is it possible to explore the most frequented IP (queries source) in the module stats? Or exist any other way how to achieve it? Many thanks for your answer in the future, Best regards. Milan Sýkora Obsah této zprávy má výlučně komunikační charakter. Nepředstavuje návrh na uzavření smlouvy či na její změnu ani přijetí případného návrhu. Smlouvy či jejich změny jsou společností Česká telekomunikační infrastruktura a.s. uzavírány v písemné formě nebo v podobě a postupem podle příslušných všeobecných podmínek společnosti Česká telekomunikační infrastruktura a.s., a pokud jsou dohodnuty všechny náležitosti. Smlouvy jsou uzavírány oprávněnou osobou na základě písemného pověření. Smlouvy o smlouvě budoucí jsou uzavírány výhradně v písemné formě, vlastnoručně podepsané nebo s uznávaným elektronickým podpisem. Podmínky, za nichž Česká telekomunikační infrastruktura a.s. přistupuje k jednání o smlouvě a jakými se řídí, jsou dostupné zde<https://www.cetin.cz/cs/jak-cetin-vyjednava-o-smlouve>. The content of this message is intended for communication purposes only. It does neither represent any contract proposal, nor its amendment or acceptance of any potential contract proposal. Česká telekomunikační infrastruktura a.s. concludes contracts or amendments thereto in a written form or in the form and the procedure in accordance with relevant general terms and conditions of Česká telekomunikační infrastruktura a.s., if all requirements are agreed. Contracts are concluded by an authorized person entitled on the basis of a written authorization. Contracts on a future contract are concluded solely in a written form, self-signed or signed by means of an advanced electronic signature. The conditions under which Česká telekomunikační infrastruktura a.s. negotiates contracts and under which it proceeds are available here<https://www.cetin.cz/en/jak-cetin-vyjednava-o-smlouve>. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nic.cz/pipermail/knot-resolver-users/attachments/20180724/cc47…> ------------------------------ Message: 2 Date: Tue, 24 Jul 2018 11:05:51 +0200 From: Petr Špaček <petr.spacek(a)nic.cz> To: knot-resolver-users(a)lists.nic.cz Subject: Re: [knot-resolver-users] Knot resolver module stats - query source ip Message-ID: <2a769de2-3b70-7d6f-5476-4bc7bd48fa8b(a)nic.cz> Content-Type: text/plain; charset=UTF-8 Hello, at the moment there is no built-in module with this statistics but it can be hacked around (see below). BTW we plan to to rework stats so it would be very valuable to get your requirements! To make sure future version contains what you need, can you specify what kind of data + what configuration you want to get? For example: - How many 'most frequent' IP addresses you want to get? - Should the number of addresses be configurable? - Do you consider query from the same IP but different port as 'different client' or not? (E.g. clients behind NAT?) - Should IP addresses be somehow tied to most frequent query names or not? - Do you need a way to flush the table on fly? For now you can use the following Lua config snippet to log client IP addresses. -- start of config snippet function LOG_IP(state, req) req = kres.request_t(req) if req.qsource == nil or req.qsource.addr == nil then -- internal request, no source return state end print('query from IP ' .. tostring(req.qsource.addr)) return -- continue with other policy rules end policy.add(policy.all(LOG_IP)) -- end of config snipper Output looks like this: "query from IP ::1#56927" This can be further processed by your log processing system to get aggregate numbers over all resolvers or alternativelly it can be extended using LRU library in Lua to get stats for single resolver. I hope it helps. Petr Špaček @ CZ.NIC On 24.7.2018 09:32, Sýkora Milan wrote: > Hello, > > > > I have your cool DNS resolver in version 2.3.0, I know that was > released newest version. > > > > My question is – is it possible to explore the most frequented IP > (queries source) in the module stats? Or exist any other way how to > achieve it? > > > > > > Many thanks for your answer in the future, > > Best regards. > > *Milan Sýkora*** ------------------------------ Subject: Digest Footer -- https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-resolver-users Please change Subject line before before you reply to a digest message! ------------------------------ End of knot-resolver-users Digest, Vol 31, Issue 1 ************************************************** Obsah této zprávy má výlučně komunikační charakter. Nepředstavuje návrh na uzavření smlouvy či na její změnu ani přijetí případného návrhu. Smlouvy či jejich změny jsou společností Česká telekomunikační infrastruktura a.s. uzavírány v písemné formě nebo v podobě a postupem podle příslušných všeobecných podmínek společnosti Česká telekomunikační infrastruktura a.s., a pokud jsou dohodnuty všechny náležitosti. Smlouvy jsou uzavírány oprávněnou osobou na základě písemného pověření. Smlouvy o smlouvě budoucí jsou uzavírány výhradně v písemné formě, vlastnoručně podepsané nebo s uznávaným elektronickým podpisem. Podmínky, za nichž Česká telekomunikační infrastruktura a.s. přistupuje k jednání o smlouvě a jakými se řídí, jsou dostupné zde<https://www.cetin.cz/cs/jak-cetin-vyjednava-o-smlouve>. The content of this message is intended for communication purposes only. It does neither represent any contract proposal, nor its amendment or acceptance of any potential contract proposal. Česká telekomunikační infrastruktura a.s. concludes contracts or amendments thereto in a written form or in the form and the procedure in accordance with relevant general terms and conditions of Česká telekomunikační infrastruktura a.s., if all requirements are agreed. Contracts are concluded by an authorized person entitled on the basis of a written authorization. Contracts on a future contract are concluded solely in a written form, self-signed or signed by means of an advanced electronic signature. The conditions under which Česká telekomunikační infrastruktura a.s. negotiates contracts and under which it proceeds are available here<https://www.cetin.cz/en/jak-cetin-vyjednava-o-smlouve>.

7 let, 3 měsíce

2
1
0 0

Knot resolver module stats - query source ip

by Sýkora Milan

Hello, I have your cool DNS resolver in version 2.3.0, I know that was released newest version. My question is - is it possible to explore the most frequented IP (queries source) in the module stats? Or exist any other way how to achieve it? Many thanks for your answer in the future, Best regards. Milan Sýkora Obsah této zprávy má výlučně komunikační charakter. Nepředstavuje návrh na uzavření smlouvy či na její změnu ani přijetí případného návrhu. Smlouvy či jejich změny jsou společností Česká telekomunikační infrastruktura a.s. uzavírány v písemné formě nebo v podobě a postupem podle příslušných všeobecných podmínek společnosti Česká telekomunikační infrastruktura a.s., a pokud jsou dohodnuty všechny náležitosti. Smlouvy jsou uzavírány oprávněnou osobou na základě písemného pověření. Smlouvy o smlouvě budoucí jsou uzavírány výhradně v písemné formě, vlastnoručně podepsané nebo s uznávaným elektronickým podpisem. Podmínky, za nichž Česká telekomunikační infrastruktura a.s. přistupuje k jednání o smlouvě a jakými se řídí, jsou dostupné zde<https://www.cetin.cz/cs/jak-cetin-vyjednava-o-smlouve>. The content of this message is intended for communication purposes only. It does neither represent any contract proposal, nor its amendment or acceptance of any potential contract proposal. Česká telekomunikační infrastruktura a.s. concludes contracts or amendments thereto in a written form or in the form and the procedure in accordance with relevant general terms and conditions of Česká telekomunikační infrastruktura a.s., if all requirements are agreed. Contracts are concluded by an authorized person entitled on the basis of a written authorization. Contracts on a future contract are concluded solely in a written form, self-signed or signed by means of an advanced electronic signature. The conditions under which Česká telekomunikační infrastruktura a.s. negotiates contracts and under which it proceeds are available here<https://www.cetin.cz/en/jak-cetin-vyjednava-o-smlouve>.

7 let, 3 měsíce

2
1
0 0

can not download a normal root.zone with Cache prefilling

by Yoshi Horigome

Hello, When Cache prefilling added from 2.3.0 is enabled, the following error occurs. https://knot-resolver.readthedocs.io/en/stable/modules.html#cache-prefilling /etc/knot-resolver # kresd -V Knot DNS Resolver, version 2.4.0 [prefill] downloading root zone... [prefill] saving root zone... [ 0][zimport] [zscanner] started; zone file `root.zone` [zscanner] line: 1: parse error; code: -986 ('owner is invalid') Segmentation fault (core dumped) If you check the contents of the downloaded file, it seems that something different file is being downloaded. /etc/knot-resolver # ls -l total 8704 -rw------- 1 root root 12533760 Jul 8 00:24 core.64 -rw-r----- 1 root root 3221225472 Jul 8 00:23 data.mdb -rw-r--r-- 1 1001 1001 2944 Jul 8 00:23 kresd.conf -rw-r----- 1 root root 8192 Jul 8 00:23 lock.mdb -rw-r--r-- 1 root root 832 Jul 7 07:35 root.keys -rw-r--r-- 1 root root 249 Jul 8 00:24 root.zone drwxr-x--- 2 root root 4096 Jun 13 12:56 tty /etc/knot-resolver # cat root.zone <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="https://www.internic.net/domain/root.zone">here</a>.</p> </body></html> Is this supposed behavior? Best regards.

7 let, 3 měsíce

3
5
0 0

Knot Resolver 2.4.0

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 2.4.0 has been released. Incompatible changes -------------------- - minimal libknot version is now 2.6.7 to pull in latest fixes (#366) Security -------- - fix a rare case of zones incorrectly downgraded to insecure status (!576) New features ------------ - TLS session resumption (RFC 5077), both server and client (!585, #105) (disabled when compiling with gnutls < 3.5) - TLS_FORWARD policy uses system CA certificate store by default (!568) - aggressive caching for NSEC3 zones (!600) - optional protection from DNS Rebinding attack (module rebinding, !608) - module bogus_log to log DNSSEC bogus queries without verbose logging (!613) Bugfixes -------- - prefill: fix ability to read certificate bundle (!578) - avoid turning off qname minimization in some cases, e.g. co.uk. (#339) - fix validation of explicit wildcard queries (#274) - dns64 module: more properties from the RFC implemented (incl. bug #375) Improvements ------------ - systemd: multiple enabled kresd instances can now be started using kresd.target - ta_sentinel: switch to version 14 of the RFC draft (!596) - support for glibc systems with a non-Linux kernel (!588) - support per-request variables for Lua modules (!533) - support custom HTTP endpoints for Lua modules (!527) Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v2.4.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-2.4.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-2.4.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v2.4.0/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

7 let, 4 měsíce

1
0
0 0

documentation of implemented DNS features / RFCs

by nusenu

Hi, is there somewhere a comprehensive list of implemented DNS protocol features / RFCs for knot-resolver? thanks, nusenu -- https://twitter.com/nusenu_ https://mastodon.social/@nusenu

7 let, 4 měsíce

2
2
0 0

TA Sentinel

by Ulrich Wisser

Hi, today I wanted to try the ta sentinel functionality. Unfortunately do I not get the expected results. Maybe somebody could show me some example querries? I tried: dig +dnssec kskroll-sentinel-is-ta-20326.iis.se dig +dnssec kskroll-sentinel-not-ta-20326.iis.se dig +dnssec kskroll-sentinel-is-ta-19036.iis.se dig +dnssec kskroll-sentinel-not-ta-19036.iis.se All with the same result. No answer section. dig +dnssec iis.se iis.se. 60 IN A 91.226.37.214 iis.se. 60 IN RRSIG A 5 2 60 20180615103001 20180605103001 6150 iis.se. XAbt3nM5DmpsDsvZN6gRW94mGwTsCYpAQxurTJYp4FHZXaXt82o+3SMD ZEZjWsDswy3WsYp087Wx7Y4sH6HbuP0VYuwg1yLsBegrj6xNlcd5JarN wi8ZGbTytnDBG5rvpqwUp8fat3ZZ6kko4t7BtsD4cFzdL2xpw4MPbBKz p0s= What am I doing wrong? /Ulrich -- Ulrich Wisser ulrich(a)wisser.se

7 let, 5 měsíců

2
3
0 0

Statistics

by Ulrich Wisser

Hi, over the last weekend I did configure knot resolver on Turris Omnia to write statistics to my influxdb instance. Now that I have statistics, I am not entirely sure what all the data means. Everything under answer is easy to understand. But all data under cache is only 0, although answer.cached is not 0. Please find some stats below. I would be very grateful for some explanation what the data means. My next step would be to try to use RPZ funtionality. is there statistics for RPZ too? /Ulrich > stats.list() [answer.nxdomain] => 360546 [answer.100ms] => 64682 [answer.1500ms] => 2740 [answer.slow] => 12137 [answer.servfail] => 204137 [answer.250ms] => 84208 [answer.cached] => 430091 [answer.nodata] => 1533 [answer.1ms] => 462921 [answer.total] => 922236 [answer.10ms] => 58963 [answer.noerror] => 356015 [answer.50ms] => 195917 [answer.500ms] => 29794 [answer.1000ms] => 7525 [predict.learned] => 54 [predict.epoch] => 19 [predict.queue] => 520 [query.edns] => 152223 [query.dnssec] => 211 > cache.stats() [hit] => 0 [delete] => 0 [miss] => 0 [insert] => 0 -- Ulrich Wisser ulrich(a)wisser.se

7 let, 5 měsíců

2
5
0 0

Running systemd service and binding to privileged ports

by Ondrej Vaško

Hello knot-resolver users, I have a question about design of systemd service for knot-resolver. I installed knot from repository OpenSuse repository <https://software.opensuse.org//download.html?project=home%3ACZ-NIC%3Aknot-r…> on Ubuntu 16 and 18. The systemd service uses user *knot-resolver*. But this user cannot bind to unprivileged ports, so when I have configuration like below where I bind to network interface on privileged port and change user context, it fails with "*[system] bind to '10.20.30.118@853' Permission denied*": ``` net.listen({'10.20.30.118'}, 853, { tls = true }) user('knot-resolver', 'knot-resolver') ``` To fix this I changed User *knot-resolver* to *root* in systemd service. Now service starts to run as root, binds to network interface and then changes context. My question is, is this solution security wise fine? Why is the systemd service designed to run as user knot-resolver, when I guess many people will need to override this in order to use knot-resolver properly? What is the main idea? Or is there a different approach to overcome this (Such as linux capabilities)? Thank you for responses and please correct me in anything if I am wrong. Ondrej Vaško

7 let, 5 měsíců

2
1
0 0

Modifying policy rules of a running resolver instance

by Martin Sehnoutka

Hi, I would like to run Knot Resolver with DNS-over-TLS on my laptop, but I need to configure 'policy.FORWARD' whenever I connect to our corporate network. The information about new connection is provided by the Network Manager, that is not a problem, but then I need to configure the resolver somehow. I was thinking about creating a new configuration file and simply restarting the server, but it fails with "Start request repeated too quickly". Is there a way to add/remove policy rules "on the fly"? The HTTP/2 module seems like a good candidate for doing this. Can this module be used to accomplish this task? Best regards, Martin Sehnoutka PS: If there is anyone using dnssec-trigger, this would be similar, but less complicated. -- Martin Sehnoutka | Associate Software Engineer PGP: 5FD64AF5 UTC+1 (CET) RED HAT | TRIED. TESTED. TRUSTED.

7 let, 5 měsíců

3
7
0 0

2025

2024

2023

2022

2021

2020

2019

2018

knot-resolver-users