Configuring kresd to query multiple nameservers and return the first affirmative response?
1 Pro
2019
1 Pro
'19
5:31
I wonder if this is possible. The Knot Resolver certainly looks
powerful, and I use it on my Omnia Router of course. But the
documentation
<https://knot-resolver.readthedocs.io/en/stable/index.html>which I have
perused and read quickly, hasn't helped me understand this alas.
It leaves me with a couple of interesting questions:
1. How are nameservers configured? Interestingly my running instance of
kresd is on the Omnia and it receives nameservers via a dhcp request
on my ISP I imagine, though I don't see them in /etc/resolv.conf
2. Is it possible configure a number of nameservers on a the basis of
query them all (akin to dnsmasq's --all-servers) and return the
first affirmative response?
My interest is acutely related to:
https://superuser.com/questions/1505755/can-one-configure-name-resolution-t…
And I'd happily use kresd on my local machine(s) as well as on my LAN
DNS (The Omnia) to help resolve names on my .lan while on a VPN!
Regards,
Bernd.
2 Pro
2 Pro
19:45
On 01/12/2019 05.31, Bernd Wechner wrote:
I wonder if this is possible. The Knot Resolver
certainly looks
powerful, and I use it on my Omnia Router of course. But the
documentation
<https://knot-resolver.readthedocs.io/en/stable/index.html>which I have
perused and read quickly, hasn't helped me understand this alas.
It leaves me with a couple of interesting questions:
1. How are nameservers configured? Interestingly my running instance of
kresd is on the Omnia and it receives nameservers via a dhcp request
on my ISP I imagine, though I don't see them in /etc/resolv.conf
Hi.
Knot Resolver itself doesn't configure forwarding or any resolvers to
forward to. If you want to configure forwarding, you have to provide
Knot Resolver with IP address for the policy.FORWARD() or
policy.TLS_FORWARD() function in kresd.conf. See policy module
documentation for details [1].
Are you asking how does Turris configure Knot Resolver with the ISP's
DNS resolver as a forwarder? That, I don't know, but a proper place to
ask would probably be the Turris forum [2] or support.
2. Is it possible configure a number of nameservers on
a the basis of
query them all (akin to dnsmasq's --all-servers) and return the
first affirmative response?
No.
My interest is acutely related to:
https://superuser.com/questions/1505755/can-one-configure-name-resolution-t…
And I'd happily use kresd on my local machine(s) as well as on my LAN
DNS (The Omnia) to help resolve names on my .lan while on a VPN!
Do you need to use the VPN's DNS resolvers? If so, why? Are there some
zones that can be resolved only on their DNS resolver? Are you concerned
about "DNS leak" when using VPN?
If you don't actually need to use the VPN's DNS resolvers, your problems
could be solved by configuring your VPN software not to change your
default local resolver (in /etc/resolv.conf). In that case, you'll use
the Turris Omnia's resolver (configured by DHCP) which is able to
resolve you local .lan addresses.
[1] -
https://knot-resolver.readthedocs.io/en/stable/modules.html#query-policies
[2] - https://forum.turris.cz/
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
3 Pro
3 Pro
15:06
On 12/2/19 7:45 PM, Tomas Krizek wrote:
Are you asking how does Turris configure Knot Resolver
with the ISP's
DNS resolver as a forwarder? That, I don't know, but a proper place to
ask would probably be the Turris forum [2] or support.
I believe that's the default - in any case, you can switch off the
generated forwarding rules by ticking a checkbox in Foris GUI - in DNS tab.
If you uncheck those, you can add your own forwarding; Omnia-specific step:
https://doc.turris.cz/doc/en/public/dns_knot_misc#adding_custom_configurati…
With the policy rules it's e.g. possible to configure kresd to use
policy.PASS on everything in .lan and policy.FORWARD the rest
https://knot-resolver.readthedocs.io/en/stable/modules.html#policy-examples
... but I can't say if such a setup is optimal for you, and it doesn't
address things like reconfiguration when VPN (dis)connects. Generally
I'd say that DNS is best to take from the point where routing happens,
for example prefer local DNS server if the traffic goes without VPN by
default. Otherwise you might e.g. be prone to get sub-optimal
performance of some CDNs.
--Vladimir
21:13
On 4/12/19 1:06 am, Vladim??r ??un??t wrote:
On 12/2/19 7:45 PM, Tomas Krizek wrote:
Thank you so so much for these useful pointers and links. It's looking
like with selective filters an foreknowledge of suffixes and given that
non-overlapping suffixes are used in a pattern like:
policy.add(policy.suffix(policy.FORWARD('...'), {todname('suffix on
LAN')}))
policy.add(policy.suffix(policy.FORWARD('...'), {todname('suffix on
VPN')}))
policy.add(policy.FORWARD('...'))
Alas it doesn't seem like kresd can do a FORWARD then act based on the
result. It would be so lovely if it could. That is if we could specify a
policy for each of three FOWARD results:
1) No response
2) Negative response
3) Resolved name
but it seems we can't as FORWARD in Non-chained.
Re: the strategy on VPN connect and disconnect I have no problem driving
my connections from custom scripts if I need to that doctor resolv.conf
or any other configs and do any resolver restarts needed just after
connecting and disconnecting. I certainly prefer my local DNS and would
love a strategy that resolves on the local DNS and if response is
negative tries the VPN DNS.
I can see on the Omnia a kresd.config file that contains:
--Automatically generated file; DO NOT EDIT
modules = {
?????? 'hints > iterate'
?? , 'policy'
?? , 'stats'
?? , predict = {
?????????????? window = 30 -- 30 minutes sampling window
?????????? , period = 24*(60/30) -- track last 24 hours
?? }
}
hints.config('/tmp/kresd/hints.tmp')
net.bufsize(4096)
net.ipv4=true
net.ipv6=true
cache.open(20*MB)
cache.clear()
policy.add(policy.all(policy.FORWARD({
?????? '203.12.160.35',
?????? '203.12.160.36',
})))
What I can't see from that is how kresd on the Omnia knows to resolve
.lan names which it does well in practice. The policy encoded there
forwards ALL requests.
Kind regards,
Bernd.
Are you asking how does Turris configure Knot
Resolver with the ISP's
DNS resolver as a forwarder? That, I don't know, but a proper place to
ask would probably be the Turris forum [2] or support.
I believe that's the default - in any case, you can switch off the
generated forwarding rules by ticking a checkbox in Foris GUI - in DNS tab.
If you uncheck those, you can add your own forwarding; Omnia-specific step:
https://doc.turris.cz/doc/en/public/dns_knot_misc#adding_custom_configurati…
With the policy rules it's e.g. possible to configure kresd to use
policy.PASS on everything in .lan and policy.FORWARD the rest
https://knot-resolver.readthedocs.io/en/stable/modules.html#policy-examples
... but I can't say if such a setup is optimal for you, and it doesn't
address things like reconfiguration when VPN (dis)connects.?? Generally
I'd say that DNS is best to take from the point where routing happens,
for example prefer local DNS server if the traffic goes without VPN by
default.?? Otherwise you might e.g. be prone to get sub-optimal
performance of some CDNs.
20:54
Knot Resolver itself doesn't configure forwarding
or any resolvers to
forward to. If you want to configure forwarding, you have to provide
Knot Resolver with IP address for the policy.FORWARD() or
policy.TLS_FORWARD() function in kresd.conf. See policy module
documentation for details [1].
Thanks kindly for the pointer. Indeed with this pointer I could inspect
my Omnia's instance of kresd and find a kresd.config file which contains:
--Automatically generated file; DO NOT EDIT
modules = {
��� 'hints > iterate'
� , 'policy'
� , 'stats'
� , predict = {
������� window = 30 -- 30 minutes sampling window
����� , period = 24*(60/30) -- track last 24 hours
� }
}
hints.config('/tmp/kresd/hints.tmp')
net.bufsize(4096)
net.ipv4=true
net.ipv6=true
cache.open(20*MB)
cache.clear()
policy.add(policy.all(policy.FORWARD({
��� '203.12.160.35',
��� '203.12.160.36',
})))
Where I have a working sample of configuration then and the FORWARD policy.
The follow-on questions then become:
1. Can we configure kresd to selectively apply policy.FORWARD based on
some criteria
2. Can the response from the forward be part of those criteria
On 1. I am not clear on 2. It seems the doc (that you linked to) lists
FORWARD as a Non-chain action meaning once executes no further kresd
rules are evaluated, meaning the answer to 2 seems to be NO.
Are you asking how does Turris configure Knot Resolver
with the ISP's
DNS resolver as a forwarder? That, I don't know, but a proper place to
ask would probably be the Turris forum [2] or support.
Thanks. The primary
objective is not to understand how the Omnia does
it, it just happens to be my in situ working example. I'm asking myself
can kresd be useful to me in other contexts.
2. Is it
possible configure a number of nameservers on a the basis of
�� query them all (akin to dnsmasq's --all-servers) and return the
�� first affirmative response?
No. My interest is
acutely related to:
https://superuser.com/questions/1505755/can-one-configure-name-resolution-t…
And I'd happily use kresd on my local machine(s) as well as on my LAN
DNS (The Omnia) to help resolve names on my .lan while on a VPN!
Do you need to use the VPN's DNS resolvers? If so, why? Are there some
zones that can be resolved only on their DNS resolver? Are you concerned
about "DNS leak" when using VPN?
1846
days inactive
1848
days old
knot-resolver-users@lists.nic.cz
4 comments
3 participants
participants (3)
-
Bernd Wechner -
Tomas Krizek -
Vladimír Čunát