Hello,
it's me again :) I just want to make sure whether the behaviour of Knot
Resolver is correct.
I implemented the DDR mechanism to discover DoH / DoT DNS servers. My
MacBook with Ventura successfully discovered the DoH server and started to
use it.
But: 10 seconds after the connection is established, Knot Resolver sends a
FIN,ACK packet and the connection is correctly closed. From this moment, the
MacBook starts to use DNS over UDP again and retries the DoH connection
10-30 s later. Then it uses the DoH server again for 10 seconds ....
Is this behaviour correct? Should the MacBook send some keepalive
messages to prevent the connection from closing? Or should the MacBook
reopen the DoH connection more quickly?
Thanks,
Blažej
Hello,
is there any correct way to do query policy based on the destination
IP (the IP which processed the query)? Like view:addr but on the dst
address.
I found that the function view.addr(_, subnet, rules, dst) contains a DST
parameter but I'm not sure how to use it.
I also found the function view.rule_dst(action, subnet) but still get errors:
error: /usr/lib/knot-resolver/kres_modules/view.lua:103: attempt to index local 'req' (a number value)
Thanks
Blažej
Hi there,
I'm trying to implement the SVCB record "_dns.resolver.arpa" for the DDR
mechanism for our AS50242 recursive resolvers.
When I look at the Cloudflare or Google implementation, they answer with
an "ADDITIONAL SECTION" as well.
kdig _dns.resolver.arpa @8.8.8.8 type64
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 61402
;; Flags: qr aa rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 4
;; QUESTION SECTION:
;; _dns.resolver.arpa. IN SVCB
;; ANSWER SECTION:
_dns.resolver.arpa. 86400 IN SVCB 1 dns.google. alpn=dot
_dns.resolver.arpa. 86400 IN SVCB 2 dns.google. alpn=h2,h3 key7="/dns-query{?dns}"
;; ADDITIONAL SECTION:
dns.google. 86400 IN A 8.8.8.8
dns.google. 86400 IN A 8.8.4.4
dns.google. 86400 IN AAAA 2001:4860:4860::8888
dns.google. 86400 IN AAAA 2001:4860:4860::8844
In the Knot Resolver documentation there is an example of how to answer an SVCB
request, but without the additional section.
policy.add(
    policy.domains(
        policy.ANSWER(
            { [kres.type.SVCB] = { rdata=kres.parse_rdata({
                'SVCB 1 resolver.example. alpn=dot ipv4hint=192.0.2.1 ipv6hint=2001:db8::1',
                'SVCB 2 resolver.example. mandatory=key65380 alpn=h2 key65380=/dns-query{?dns}',
            }), ttl=5 } }
        ), { todname('_testing.domain') }))
Can anyone help me with how to add an additional section to the answer? Do we
need to use policy.custom_action(state, request)?
Thanks!
Blažej
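The question above is how to get the resolver's addresses into the DDR answer. As an added example (my own code, not Knot Resolver's and not from anyone on this thread), the Python below builds and parses SVCB rdata on the wire (RFC 9460), carrying the target addresses inside the record as ipv4hint/ipv6hint SvcParams, which is the in-record counterpart of the A/AAAA glue in the ADDITIONAL SECTION quoted above, and applies the RFC 9460 rule that a record whose "mandatory" list names a key the client does not understand must be ignored. The records built by ddr_answer() are constructed from the dns.google answer shown above; the key numbers are the IANA registry values (dohpath is key 7 per RFC 9461), and client_candidates() is my own illustration of the client side, not a standard API.

```python
"""SVCB rdata (RFC 9460) for DDR (RFC 9462): build, parse, and apply the 'mandatory' rule."""
import ipaddress
import struct

# SvcParamKeys a DDR client uses; numbers are the IANA registry values (dohpath: RFC 9461).
KEY_MANDATORY, KEY_ALPN, KEY_PORT, KEY_IPV4HINT, KEY_IPV6HINT, KEY_DOHPATH = 0, 1, 3, 4, 6, 7
KNOWN_KEYS = {KEY_MANDATORY, KEY_ALPN, KEY_PORT, KEY_IPV4HINT, KEY_IPV6HINT, KEY_DOHPATH}

def encode_name(name):
    """Uncompressed wire-format name; the SVCB TargetName is never compressed."""
    out = b""
    for label in ([] if name == "." else name.rstrip(".").split(".")):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(buf, pos):
    labels = []
    while buf[pos] != 0:
        n = buf[pos]
        if n >= 0xC0:
            raise ValueError("compression pointer not allowed in SVCB TargetName")
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", pos + 1

def _encode_value(key, value):
    if key == KEY_MANDATORY:
        return b"".join(struct.pack(">H", k) for k in sorted(value))
    if key == KEY_ALPN:
        return b"".join(bytes([len(a)]) + a.encode("ascii") for a in value)
    if key == KEY_PORT:
        return struct.pack(">H", value)
    if key == KEY_IPV4HINT:
        return b"".join(ipaddress.IPv4Address(a).packed for a in value)
    if key == KEY_IPV6HINT:
        return b"".join(ipaddress.IPv6Address(a).packed for a in value)
    if key == KEY_DOHPATH:
        return value.encode("utf-8")
    return value                                    # unknown key: raw bytes as given

def _decode_value(key, raw):
    if key == KEY_MANDATORY:
        return list(struct.unpack(">%dH" % (len(raw) // 2), raw))
    if key == KEY_ALPN:
        out, pos = [], 0
        while pos < len(raw):
            out.append(raw[pos + 1:pos + 1 + raw[pos]].decode("ascii"))
            pos += 1 + raw[pos]
        return out
    if key == KEY_PORT:
        return struct.unpack(">H", raw)[0]
    if key == KEY_IPV4HINT:
        return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]
    if key == KEY_IPV6HINT:
        return [str(ipaddress.IPv6Address(raw[i:i + 16])) for i in range(0, len(raw), 16)]
    if key == KEY_DOHPATH:
        return raw.decode("utf-8")
    return raw

def encode_svcb(priority, target, params):
    rdata = struct.pack(">H", priority) + encode_name(target)
    for key in sorted(params):                      # keys MUST be in strictly increasing order
        val = _encode_value(key, params[key])
        rdata += struct.pack(">HH", key, len(val)) + val
    return rdata

def decode_svcb(rdata):
    """Return (priority, target, {key: value}); raises on out-of-order, duplicate or overlong params."""
    priority = struct.unpack(">H", rdata[:2])[0]
    target, pos = decode_name(rdata, 2)
    params, last = {}, -1
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("truncated SvcParam")
        key, length = struct.unpack(">HH", rdata[pos:pos + 4])
        pos += 4
        if key <= last or pos + length > len(rdata):
            raise ValueError("malformed SvcParams")
        params[key] = _decode_value(key, rdata[pos:pos + length])
        pos, last = pos + length, key
    return priority, target, params

def usable(params):
    """RFC 9460 s.8: ignore the RR if 'mandatory' names a key we do not understand or that is
    absent; 'mandatory' may not list itself."""
    return all(k != KEY_MANDATORY and k in KNOWN_KEYS and k in params
               for k in params.get(KEY_MANDATORY, []))

def ddr_answer():
    """Constructed: the dns.google DDR answer from the thread, with the A/AAAA glue from its
    ADDITIONAL SECTION carried inside the records as ipv4hint/ipv6hint."""
    v4 = ["8.8.8.8", "8.8.4.4"]
    v6 = ["2001:4860:4860::8888", "2001:4860:4860::8844"]
    dot = encode_svcb(1, "dns.google.", {KEY_ALPN: ["dot"], KEY_IPV4HINT: v4, KEY_IPV6HINT: v6})
    doh = encode_svcb(2, "dns.google.", {KEY_MANDATORY: [KEY_ALPN, KEY_DOHPATH],
                                         KEY_ALPN: ["h2", "h3"], KEY_IPV4HINT: v4,
                                         KEY_IPV6HINT: v6, KEY_DOHPATH: "/dns-query{?dns}"})
    return [dot, doh]

def client_candidates(rdatas):
    """Usable records by priority: (priority, target, alpns, hint addresses, dohpath or None)."""
    out = []
    for rd in rdatas:
        prio, target, p = decode_svcb(rd)
        if usable(p):
            out.append((prio, target, p.get(KEY_ALPN, []),
                        p.get(KEY_IPV4HINT, []) + p.get(KEY_IPV6HINT, []), p.get(KEY_DOHPATH)))
    return sorted(out, key=lambda c: c[0])
```

Two things worth noting. First, run against the second record of the documentation snippet, mandatory=key65380 makes usable() return False for a client that only knows the registered keys, so such a client falls back to the DoT record; key 65380 was the pre-registration private key for the DoH path, and current clients look for dohpath as key 7 (what the old kdig above prints as key7 in the Google answer). Second, the hints are only hints: RFC 9462 still requires the client to verify the designated resolver's TLS certificate against the IP address of the unencrypted resolver it started from, so publishing ipv4hint/ipv6hint or glue does not by itself let an on-path party redirect clients.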
Dear Knot Resolver users,
Knot Resolver 5.6.0 has been released!
Security
- avoid excessive TCP reconnections in some cases (!1380)
For example, a DNS server that just closes connections without answer
could cause lots of work for the resolver (and itself, too).
The number of connections could be up to around 100 per client's query.
We thank Xiang Li from NISL Lab, Tsinghua University,
and Xuesong Bai and Qifan Zhang from DSP Lab, UCI.
Improvements
- daemon: feed server selection with more kinds of bad-answer events (!1380)
- cache.max_ttl(): lower the default from six days to one day
and apply both limits to the first uncached answer already (!1323 #127)
- depend on jemalloc, preferably, to improve memory usage (!1353)
- no longer accept DNS messages with trailing data (!1365)
- policy.STUB: avoid applying aggressive DNSSEC denial proofs (!1364)
- policy.STUB: avoid copying +dnssec flag from client to upstream (!1364)
Bugfixes
- policy.DEBUG_IF: don't print client's packet unconditionally (!1366)
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v5.6.0/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.6.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.6.0.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v5.6.0/
--
Ales Mrazek
PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE
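Both the first post in this thread (the 10 s idle close of the DoH connection and whether the client should send keepalives) and the 5.6.0 item "no longer accept DNS messages with trailing data" come down to how a receiver walks a DNS message. The Python below is an added example, not Knot Resolver's parser and not code from anyone on this list: it walks every section of a response, rejects the message if any bytes remain after the last record, and reads the edns-tcp-keepalive option (RFC 7828, option code 11) through which a server advertises its TCP idle timeout. I am assuming that option is the keepalive mechanism the first post has in mind; the response in build_sample() is constructed for this example.

```python
"""Walk a DNS response: reject trailing bytes, read the edns-tcp-keepalive timeout (RFC 7828)."""
import struct

TYPE_OPT = 41
EDNS_TCP_KEEPALIVE = 11  # option code; TIMEOUT field is in units of 100 ms

def skip_name(msg, pos):
    """Return the offset just past the name at pos; pointers are bounds-checked, not followed."""
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:                    # compression pointer, 2 bytes
            if pos + 2 > len(msg):
                raise ValueError("truncated compression pointer")
            if ((n & 0x3F) << 8 | msg[pos + 1]) >= pos:
                raise ValueError("compression pointer does not point backwards")
            return pos + 2
        if n & 0xC0:
            raise ValueError("reserved label type")
        pos += 1 + n

def parse_response(msg):
    """Walk all four sections; raise ValueError on any structural problem, including trailing data."""
    if len(msg) < 12:
        raise ValueError("short header")
    qd, an, ns, ar = struct.unpack(">HHHH", msg[4:12])
    pos, keepalive_ms = 12, None
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4           # QTYPE + QCLASS
    if pos > len(msg):
        raise ValueError("truncated question")
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        if pos + 10 > len(msg):
            raise ValueError("truncated RR header")
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        if pos + rdlen > len(msg):
            raise ValueError("truncated rdata")
        if rtype == TYPE_OPT:
            opos = pos
            while opos < pos + rdlen:           # EDNS options: code, length, data
                if opos + 4 > pos + rdlen:
                    raise ValueError("truncated EDNS option")
                code, olen = struct.unpack(">HH", msg[opos:opos + 4])
                opos += 4
                if opos + olen > pos + rdlen:
                    raise ValueError("EDNS option overruns OPT rdata")
                if code == EDNS_TCP_KEEPALIVE and olen == 2:
                    keepalive_ms = struct.unpack(">H", msg[opos:opos + 2])[0] * 100
                opos += olen
        pos += rdlen
    if pos != len(msg):
        raise ValueError("trailing data: %d byte(s) after the last record" % (len(msg) - pos))
    return {"qd": qd, "an": an, "ns": ns, "ar": ar, "tcp_keepalive_ms": keepalive_ms}

def check(msg):
    """('ok', parsed) or ('reject', reason): the decision a strict receiver would make."""
    try:
        return "ok", parse_response(msg)
    except ValueError as err:
        return "reject", str(err)

def build_sample():
    """Constructed response: example.com A 192.0.2.1, plus an OPT RR advertising a 10 s keepalive."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    question = b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)          # A IN
    answer = b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    option = struct.pack(">HHH", EDNS_TCP_KEEPALIVE, 2, 100)                # 100 x 100 ms
    opt_rr = b"\x00" + struct.pack(">HHIH", TYPE_OPT, 1232, 0, len(option)) + option
    return header + question + answer + opt_rr

if __name__ == "__main__":
    good = build_sample()
    print(check(good))
    print(check(good + b"\x00\x00"))           # two junk bytes appended: rejected
```

Trailing bytes are rejected rather than silently ignored because two parsers that disagree about where a message ends can disagree about what it says, and an end-of-walk length check is the cheapest way to make the cut-off unambiguous. On the keepalive side, the advertised TIMEOUT is in units of 100 ms (100 means 10 s); a client that reads it knows when the server will close an idle connection and can reopen, or keep traffic flowing, instead of discovering the close only when its next query fails over to UDP.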
Hello everyone,
at AS50242 we are experiencing a problem with resolving connectivity.samsung.com.cn
We run two servers, each with 4 instances. Both servers have working
dual-stack (v4/v6).
knot-dnsutils/unknown,now 3.1.1-cznic.1 amd64 [installed]
knot-resolver-module-http/unknown,now 5.5.0-cznic.1 all [installed,automatic]
knot-resolver-release/unknown,now 1.9-1 all [installed]
knot-resolver/unknown,now 5.5.0-cznic.1 amd64 [installed]
Dnsviz shows a problem reaching a few IPv6 servers of the .cn TLD via UDP. I
cannot understand why both of our servers respond with SERVFAIL.
Any ideas on how to troubleshoot further?
Thank you,
Blažej
Hello,
I am a user, not a developer, of knot-resolver, on ubuntu groovy.
When I look up something that has a CNAME and ask for an A record, I get
a SERVFAIL. If I ask for the CNAME I get the correct answer, but then I
have to do another search for the A record for that.
#-------------
# using knot-resolver
kdig @127.0.53.1 www.cdc.gov.
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 44868
#-------------
# using google dns
kdig @8.8.8.8 www.cdc.gov.
www.cdc.gov. 126 IN CNAME www.akam.cdc.gov.
www.akam.cdc.gov. 20 IN A 104.100.61.241
#-------------
My guess is I don't have a complete configuration. Here's my very
simple knot-resolver.conf
#------------
-- SPDX-License-Identifier: CC0-1.0
-- Network interface configuration
net.listen('127.0.53.1')
-- Load useful modules
modules = {
    'hints > iterate', -- Load /etc/hosts and allow custom root hints
    'stats',           -- Track internal statistics
    'predict',         -- Prefetch expiring/frequent records
}
-- Cache size
cache.size = 100 * MB
--
-- MY STUFF
--
internalDomains = policy.todnames({
    'main',
    '0.1.10.in-addr.arpa',
    '1.10.in-addr.arpa',
    '10.in-addr.arpa'
})
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}), internalDomains))
policy.add(policy.suffix(policy.STUB({'127.53.0.1'}), internalDomains))
#-------------
How do I fix this?
Thank you,
Mike Wright
Hi,
I installed knot-resolver on my mail server and I see an issue with a specific domain, dovecot.org.
Everything is working as expected, but this single domain doesn't always resolve.
After some time postfix cannot check the domain the mails are coming from and doesn't accept them.
If I do dig dovecot.org, I get this (SERVFAIL):
dig dovecot.org
; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> dovecot.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27594
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dovecot.org. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fr Apr 29 08:34:55 CEST 2022
;; MSG SIZE rcvd: 40
It starts working again if I do dig +cd, like this:
dig +cd dovecot.org
; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> +cd dovecot.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56130
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dovecot.org. IN A
;; ANSWER SECTION:
dovecot.org. 300 IN A 94.237.12.234
;; Query time: 245 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fr Apr 29 08:34:59 CEST 2022
;; MSG SIZE rcvd: 56
I didn't have this kind of issue using unbound before I switched, so I think this would be the right place to ask.
I'm using the knot-resolver 5.5.0 package from EPEL on Rocky Linux 8.5 and my kresd config is very simple:
net.listen('127.0.0.1', 53, { kind = 'dns' })
net.listen('127.0.0.1', 853, { kind = 'tls' })
--net.listen('127.0.0.1', 443, { kind = 'doh2' })
net.listen('::1', 53, { kind = 'dns', freebind = true })
net.listen('::1', 853, { kind = 'tls', freebind = true })
--net.listen('::1', 443, { kind = 'doh2' })
-- Load useful modules
modules = {
    'hints > iterate', -- Allow loading /etc/hosts or custom root hints
    'stats',           -- Track internal statistics
    'predict',         -- Prefetch expiring/frequent records
}
-- Cache size
cache.size = 100 * MB
-- use /etc/hosts entries
-- hints.add_hosts()
net.ipv6 = false
Anything I can do to track this down?
Thanks in advance for your help.
Juergen