- knot-resolver-users - lists.nic.cz

by Mike Michalakis

Hi, I’ve stumbled across knot-resolver because I have an issue with my current DNS solution. What is the best way to block a large number of domains. I’ve trying to work with the below by it’s not functioning Part of /etc/knot-resolver/kresd.conf -- Domain Blocking policy.add( policy.rpz(policy.DENY_MSG('domain blocked by your IT department'),'/etc/knot-resolver/blacklist.rpz', true)) policy.add ( policy.rpz(policy.DENY, '/etc/knot-resolver/blacklist.rpz')) /etc/knot-resolver/backlist.rpz 007bets.com, Rrds, Mike

5 let, 1 měsíc

1
0
0 0

knot-resolver 5.2.0 - metrics issue - map() error while connecting to control socket

by Petr Kyselák

Hello, recently we upgraded from 5.1 to 5.2 few servers (CentOS7 and Raspbian) and all seems to be working fine, but I can see on (yes I know, not recommend and supported) rasbian issue with metrics and in the log I can issue this error: Nov 13 10:21:33 dns-cache-2 kresd[15232]: map() error while connecting to control socket /run/knot-resolver/control/H#003: socket:connect: No such file or directory (ignoring this socket) Nov 13 10:21:33 dns-cache-2 kresd[15232]: map() error while connecting to control socket /run/knot-resolver/control/H: socket:connect: No such file or directory (ignoring this socket) Nov 13 10:21:33 dns-cache-2 kresd[15232]: map() error while connecting to control socket /run/knot-resolver/control/: socket:connect: Connection refused (ignoring this socket) the error is triggered by opening "ip:8453/metrics" and it show almost empty response: # TYPE resolver_latency histogram resolver_latency_count 0.000000 resolver_latency_sum 0.000000 root@dns-cache-2:/# apt -qq list knot* --installed knot-resolver-module-http/unknown,now 5.2.0-1 all [installed] knot-resolver-release/unknown,now 1.7-1 all [installed] knot-resolver/unknown,now 5.2.0-1 armhf [installed] root@dns-cache-2:/# root@dns-cache-2:/# uname -a Linux dns-cache-2 4.19.97-v7l+ #1294 SMP Thu Jan 30 13:21:14 GMT 2020 armv7l GNU/Linux Could it be a bug or something related to mix armv7l and armhf? I know of the limitation as we discussed this setup on raspberry some time ago. I just want to share my experience as it can be useful and if you will have any tip I will appreciate it.

5 let, 1 měsíc

4
6
0 0

Knot Resolver 5.2.0

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 5.2.0 has been released! One of the notable features is a new DNS-over-HTTTPS implementation which is more scalable and stable than the old one. It also has less dependencies and simpler configuration. Another new feature is experimental eXpress Data Path (XDP) support for UDP. With support from both the network card and the kernel, it can provide superior performance and lower latency for UDP answers. Some of the improvements and bugfixes required a few backward incompatible changes, mainly regarding control sockets or module API. Please refer to our upgrading guide for details: https://knot-resolver.readthedocs.io/en/v5.2.0/upgrading.html#to-5-2 Improvements ------------ - doh2: add native C module for DNS-over-HTTPS (#600, !997) - xdp: add server-side XDP support for higher UDP performance (#533, !1083) - lower default EDNS buffer size to 1232 bytes (#538, #300, !920); see https://dnsflagday.net/2020/ - net: split the EDNS buffer size into upstream and downstream (!1026) - lua-http doh: answer to /dns-query endpoint as well as /doh (!1069) - improve resiliency against UDP fragmentation attacks (disable PMTUD) (!1061) - ta_update: warn if there are differences between statically configured keys and upstream (#251, !1051) - human readable output in interactive mode was improved (!1020) - doc: generate info page (!1079) - packaging: improve sysusers and tmpfiles support (!1080) Bugfixes -------- - avoid an assert() error in stash_rrset() (!1072) - fix emergency cache locking bug introduced in 5.1.3 (!1078) - migrate map() command to control sockets; fix systemd integration (!1000) - fix crash when sending back errors over control socket (!1000) - fix SERVFAIL while processing forwarded CNAME to a sibling zone (#614, !1070) Incompatible changes -------------------- - see upgrading guide: https://knot-resolver.readthedocs.io/en/v5.2.0/upgrading.html#to-5-2 - minor changes in module API - control socket API commands have to be terminated by "\n" - graphite: default prefix now contains instance identifier (!1000) - build: meson >= 0.49 is required (!1082) - planned changes in future versions: https://knot-resolver.readthedocs.io/en/v5.2.0/upgrading.html#upcoming-chan… Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v5.2.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.2.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.2.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v5.2.0/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

5 let, 1 měsíc

1
0
0 0

5.2.0 - release date - fix SERVFAIL in *FORWARD modes with certain CNAME setup

by Petr Kyselák

Hello team, most probably we hit the issue !1070 "fix SERVFAIL in *FORWARD modes with certain CNAME setup" and I would like to ask when we can expect release of knot-resolver 5.2.0 (with the fix) or if there will be "hot fix" in 5.1.x? example of affected domain: www.action.foundation.total Thank you.

5 let, 2 měsíce

2
2
0 0

[PATCH 0/2] Generate Info manual

by Simon South

These two patches modify Knot Resolver's build process to check for Texinfo utilities during configuration and, if they're found, to build and install documentation in Info format (the standard for GNU distributions such as Guix[0]) as well as HTML. (If the Texinfo utilities aren't found, the build works as before.) The first patch implements these changes and additionally updates the manual to list Texinfo as an optional dependency. The second patch isn't required but genericizes a few references within the manual to documentation in specific formats, in the interest of readability. Note I've left unchanged the "build-html-doc" ref-ID to help ensure external links to the documentation continue to function. [0] https://guix.gnu.org/ ---------- With these patches applied you'll find makeinfo generates a large number of warnings of the form knotresolver.texi:11811: warning: @anchor should not appear in @deffn These warnings are harmless but result from the way Breathe processes C declarations. It generates output with this structure (here for the "kr_request_selected" macro): <desc_signature ids="c.kr_request_selected" is_multiline="True"> <desc_signature_line add_permalink="True" xml:space="preserve"> <target ids="resolve_8h_1a9ba8c6cef807cdf580e3249675a2589c" names="resolve_8h_1a9ba8c6cef807cdf580e3249675a2589c"></target> <desc_name xml:space="preserve">kr_request_selected</desc_name> <desc_parameterlist xml:space="preserve"> <desc_parameter noemph="True" xml:space="preserve"><emphasis>req</emphasis></desc_parameter> </desc_parameterlist> </desc_signature_line> </desc_signature> The issue is the "target" node's being placed within desc_signature_line. I assume this is done for convenience when generating HTML, but it also leads to this Texinfo output: @deffn {Define} @anchor{lib resolve_8h_1a9ba8c6cef807cdf580e3249675a2589c}@anchor{25f}kr_request_selected (req) which is invalid, since (as the warning says) @anchor is not supposed to appear within @deffn. Sphinx's Texinfo writer doesn't account for this, since there's no way (that I can see) for normal ReST input to generate a "target" tag in this position. However it's not clear Breathe is at fault here either, since I can't find anything that defines where target is allowed to appear or which tags desc_signature_line is meant to contain. A straightforward approach to fixing this is implemented by this patch to Sphinx, which causes its Texinfo writer to reorder target nodes embedded within function descriptions: diff --git a/sphinx/writers/texinfo.py b/sphinx/writers/texinfo.py index 5ad2831dd..bd76acdc3 100644 --- a/sphinx/writers/texinfo.py +++ b/sphinx/writers/texinfo.py @@ -1383,6 +1383,11 @@ class TexinfoTranslator(SphinxTranslator): if objtype != 'describe': for id in node.get('ids'): self.add_anchor(id, node) + # embedded anchors need to go in front + for n in node.traverse(nodes.target, include_self=False): + if isinstance(n, nodes.target): + n.walkabout(self) + n.parent.remove(n) # use the full name of the objtype for the category try: domain = self.builder.env.get_domain(node.parent['domain']) However, whether this is the correct approach or if a fix would better be applied to Breathe isn't clear to me. Engaging with the community of either project means signing up for services I'd rather not use, so there's little I can do to carry this forward. Perhaps someone else is interested? --- Simon South simon(a)simonsouth.net Simon South (2): doc: generate Info manual doc: use non-format-specific references to documentation doc/build.rst | 11 +++++++---- doc/meson.build | 7 +++++++ scripts/install-doc-info.sh | 8 ++++++++ scripts/make-doc.sh | 6 ++++++ 4 files changed, 28 insertions(+), 4 deletions(-) create mode 100644 scripts/install-doc-info.sh -- 2.28.0

5 let, 2 měsíce

2
13
0 0

Unable to resolve some domains

by Balakrishnan Balasubramanian

Hi, I am using knot-resolver with default configuration in arch linux. I am not able to resolve some domains (like costco.ca). It works fine with other resolvers like cloudflare/google. Is there way to debug this? Thanks, Bala

5 let, 2 měsíce

3
8
0 0

socat stats in shell script

by pioruns2019＠gmx.com

Hello, I'd like to have output of socat commands in my shell script. Currently, I log in to socat by using, for example: socat - UNIX-CONNECT:/run/knot-resolver/control/1 There, I can issue cache.stats() and read it. How can I have output these commands in shell script? Appreciate your help.

5 let, 2 měsíce

2
2
0 0

Upcoming changes in Knot Resolver 5.2.0

by Petr Špaček

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Dear Knot Resolver users, we would like to inform you about certain changes in upcoming Knot Resolver 5.2.0: - - Users of Control sockets API need to terminate each command sent to resolver with newline character (ASCII \n). Correct usage: "cache.stats()\n". Newline terminated commands are accepted by all resolver versions >= 1.0.0. - - Human readable output from Control sockets is not stable and changes from time to time. Users who need machine readable output for scripts should use Lua function "tojson()" to convert Lua values into standard JSON format instead of attempting to parse the human readable output. For example API call "tojson(cache.stats())\n" will return JSON string with "cache.stats()" results represented as dictionary. Function "tojson()" is available in all resolver versions >= 1.0.0. - - DoH served with http module DNS-over-HTTP (DoH) will be marked as legacy and won’t receive any more bugfixes. A more reliable and scalable DoH module will be available instead. The new DoH module will only support HTTP/2 over TLS. - - New releases since October 2020 will contain changes for DNS Flag Day 2020. Please double-check your firewall, it has to allow DNS traffic on UDP and also TCP port 53. See https://dnsflagday.net/2020/ for more information. This text with links to further documentation can be found here: https://knot-resolver.readthedocs.io/en/latest/upgrading.html#upcoming-chan… We plan to use the same URL to publish planned changes in not-yet-released versions. To make our version numbers easier to understand we have documented how we version new releases: https://knot-resolver.readthedocs.io/en/latest/NEWS.html#version-numbering Feedback is more than welcome. Do not hesitate to reach out on the usual channels: https://www.knot-resolver.cz/support/ - -- Petr Špaček @ CZ.NIC -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEvibrucvgWbORDKNbzo3WoaUKIeQFAl9+9kcACgkQzo3WoaUK IeR7Jg/5AT4QLP1ZJBR8Vkoa5DirCnTBrBx3GPkiW+hVEXZPl55AXWMu54i9ZTuY 4R38+I1PypAM924n5xk98AaX7iRbISVZ87kOEfeJOKR2tzB8TiYwzufl2Y3PUYo8 IlazzcUyNFcQw4ARE3BqiQF6DLKl/s8U812XMEUlRdryE7lURWVEJyo711XNLPPy 6PWuGpsNboMR2V6z/7yrX/i+/0XGpxoSL8S9Fv4hQrOJB3c0lIZNSfaj23GywDao ZgkqlxwBgPkOGAhSIq3r5Xqitl9fTh2Gb1565Lrbj+4OY5WbL8YqaNArZMp3poUD T2QCH1bUypa0EP+smzdcriuFDWwl3L0zwODsnH2ofLAnosWeGfxtHXHI5W7rwskF gAAZJJe+UhxSeBzwr01r6YwZbDYlHiDA9+AkGkYGjYwQmfLCTftXRhlqmJ3BvpeR Nr97D8lSuct9XugIN2pUJfR1cVIr40ViiO3TG4m2eL2dHExELB4OOf/ZCOTX5dQk KJuQSspz5zQvVFWZZh17L6iT9WUdgwmi0TkvR8aMmPlr75vokFvioQMAOHfHgGtq 7s10W9TtRGX5o9ioHtTLrDaqEC/0P79bMTVU5HCap1dSCzgk1AYXtUDu4AVc0pWC Aui8tih9ykESC8rPUaEBc6wpR3wgKSPclfIWgiJira4xB8eRCUs= =9lwy -----END PGP SIGNATURE-----

5 let, 2 měsíce

1
0
0 0

Set default domain suffix

by Ken Moini

Trying to use Knot DNS + Knot Resolver for a small business network. So far it's working great, however there's one function that's still needed: short hostname resolution suffixing. Meaning for 'server.example.com' I can `dig server.example.com` and get the desired result, but wondering how to attach the 'example.com' suffix so I can simply query `dig server` and have Knot auto-append 'example.com' suffix. I believe I saw it in the documentation but I can't find it again for the life of me... Thanks in advance, -KM

5 let, 3 měsíce

3
3
0 0

Knot Resolver 5.1.3

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 5.1.3 has been released! Improvements ------------ - capabilities are no longer constrained when running as root (!1012) - cache: add percentage usage to cache.stats() (#580, !1025) - cache: add number of cache entries to cache.stats() (#510, !1028) - aarch64 support again, as some systems still didn't work (!1033) - support building against Knot DNS 3.0 (!1053) Bugfixes -------- - tls: fix compilation to support net.tls_sticket_secret() (!1021) - validator: ignore bogus RRSIGs present in insecure domains (!1022, #587) - build if libsystemd version isn't detected as integer (#592, !1029) - validator: more robust reaction on missing RRSIGs (#390, !1020) - ta_update module: fix broken RFC5011 rollover (!1035) - garbage collector: avoid keeping multiple copies of cache (!1042) Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v5.1.3/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.1.3.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.1.3.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v5.1.3/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

5 let, 3 měsíce

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

knot-resolver-users