Hello all,
I am trying to configure my local PC (always on server), to serve DNS
resolving all other computers in my LAN. I installed and enabled the
service. I've attempted configuration. Knot-resolver correctly resolves
DNS querier on localhost machine, but fails to reply to queries from
other LAN machines.
Can someone please share configuration which I should use to have LAN
resolving?
I've tried various net.listen(), net() in config file, to no avail. I've
studied this page
https://knot-resolver.readthedocs.io/en/stable/daemon-bindings-net_server.h…
but I have no idea which option I should put in config to enable my
server PC (192.168.1.44) to allow all PCs in LAN (192.168.1.xxx) to use
knot-resolver.
I'd appreciate if someone with knowledge would help a newbie like me.
Thank you!
pioruns
Hi all,
Is there a way to reload dynamically the knot-resolver configuration
without stopping knot-resolver ?
e.g I have to add this in the config file
extraTrees = policy.todnames({'foo.example.net'})
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}), extraTrees))
policy.add(policy.suffix(policy.FORWARD({'192.168.0.15'}), extraTrees))
Is there a sort of CLI command to take it in account ?
Regards
______________________________
*Pierrick CHOVELON I *Ingénieur système
*Advanced Software I IT*
+33 4 77 43 27 05
pierrick.chovelon(a)savoye.com
*SAVOYE - 8, rue de la Richelandière - 42100 - Saint-Etienne - France*
*Savoye recrute ! <https://careers.savoye.com/#!/fr/index> - *www.savoye.com
Dear Knot Resolver users,
Knot Resolver 5.1.0 has been released!
We also have two important announcements:
1) Ubuntu and Debian repositories
Ubuntu and Debian users have to manually set up the upstream repository
once again by following the instructions at:
https://www.knot-resolver.cz/download/
We apologize for the inconvenience, tests are now in place to prevent
this from happening again.
2) The upcoming major version will contain reworked
hints/policy/prefill/rebinding/view modules and related functionalities.
Please participate in the following survey to ensure we do not forget
about your particular use-case:
https://www.knot-resolver.cz/survey/
It will help us to improve Knot Resolver. Thank you!
Our upstream repositories now also provide packages for CentOS 8,
Ubuntu 20.04 and Fedora 32.
And finally, the release notes for version 5.1.0:
Improvements
------------
- cache garbage collector: reduce filesystem operations when idle (!946)
- policy.DEBUG_ALWAYS and policy.DEBUG_IF for limited verbose logging
(!957)
- daemon: improve TCP query latency under heavy TCP load (!968)
- add policy.ANSWER action (!964, #192)
- policy.rpz support fake A/AAAA (!964, #194)
Bugfixes
--------
- cache: missing filesystem support for pre-allocation is no longer
fatal (#549)
- lua: policy.rpz() no longer watches the file when watch is set to
false (!954)
- fix a strict aliasing problem that might've lead to "miscompilation"
(!962)
- fix handling of DNAMEs, especially signed ones (#234, !965)
- lua resolve(): correctly include EDNS0 in the virtual packet (!963)
Custom modules might have been confused by that.
- do not leak bogus data into SERVFAIL answers (#396)
- improve random Lua number generator initialization (!979)
- cache: fix CNAME caching when validation is disabled (#472, !974)
- cache: fix CNAME caching in policy.STUB mode (!974)
- prefill: fix crash caused by race condition with resolver startup
(!983)
- webmgmt: use javascript scheme detection for websockets' protocol
(#546)
- daf module: fix del(), deny(), drop(), tc(), pass() functions
(#553, !966)
- policy and daf modules: expose initial query when evaluating
postrules (#556)
- cache: fix some cases of caching answers over 4 KiB (!976)
- docs: support sphinx 3.0.0+ (!978)
Incompatible changes
--------------------
- minor changes in module API; see upgrading guide:
https://knot-resolver.readthedocs.io/en/stable/upgrading.html
Full changelog:
https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v5.1.0/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.1.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.1.0.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v5.1.0/
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
Dobrý den,
dnes po mnoha dnech (měsíců) bezproblémového provozu knot-resolveru
4.2.2 najednou přestal vracet odpovědi na dotazy.
Využívá jej několik tisíc klientů, tak nebyl moc čas na experimerny a
reboot celého stroje pomohl... Ale jen asi na 15min. Pak opět přestal
vracet záznamy, jako by je neměl. Opět reboot a to vydrželo fungovat asi
1.5h a opt přestal komunikovat. To už začalo být vážné, takže jsme
spoustu DNS dotazů na routrech přesměrovali na 8.8.8.8. Mezi tím opět
restart a nyní to již téměř 2h funguje bez problémů.
Vím, že nyní již existuje knot-resolver verze 5.0.1, ale zajímá mě, zda
uvedený problém je známy, jen jsem se sním do dnes nesetkal a v další
verzi opraven, nebo se jedná o neevidovanou anomálii. V logách jsem
totiž našel jen toto:
Apr 27 18:17:56 knot-resolver systemd[1]: kresd(a)4.service: Watchdog
timeout (limit 10s)!
Apr 27 18:17:56 knot-resolver systemd[1]: kresd(a)4.service: Killing
process 382 (kresd) with signal SIGABRT.
Apr 27 18:17:56 knot-resolver systemd[1]: kresd(a)4.service: Main process
exited, code=killed, status=6/ABRT
Apr 27 18:17:56 knot-resolver systemd[1]: kresd(a)4.service: Failed with
result 'watchdog'.
Apr 27 18:17:56 knot-resolver systemd[1]: kresd(a)4.service: Service
RestartSec=100ms expired, scheduling restart.
Apr 27 18:17:56 knot-resolver systemd[1]: kresd(a)4.service: Scheduled
restart job, restart counter is at 1.
Předpokládám, že tato nemilá reakce knot-resolveru byla způsobena
nějakým "spatným" dotazem, ať náhodným nebo záměrným.
Nyní jsme opět zrušili přesměrovaní na 8.8.8.8 a téměř okamžitě přestal
odpovídat:
dig @192.168.100.100 -t AAAA www.seZNAm.cz
; <<>> DiG 9.11.5-P4-5.1-Debian <<>> @192.168.100.100 -t AAAA www.seZNAm.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64547
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.seZNAm.cz. IN AAAA
;; Query time: 0 msec
;; SERVER: 192.168.100.100#53(192.168.100.100)
;; WHEN: Po dub 27 22:32:04 CEST 2020
;; MSG SIZE rcvd: 42
Děkuji za pomoc
Zdeněk Janiš
Hi,
the package signing key for our upstream repositories has expired and
Debian and Ubuntu users with existing installation need to manually
update the knot-resolver-release package to fix the issue:
wget https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb
dpkg -i knot-resolver-release.deb
apt update
Otherwise, apt update will report following errors and no new updates
will be installed.
W: GPG error:
http://download.opensuse.org/repositories/home:/CZ-NIC:/knot-resolver-lates…
InRelease: The following signatures were invalid: EXPKEYSIG
74062DB36A1F4009 home:CZ-NIC OBS Project <home:CZ-NIC@build.opensuse.org>
E: The repository
'http://download.opensuse.org/repositories/home:/CZ-NIC:/knot-resolver-lates…
InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is
therefore disabled by default.
I apologize for the inconvenience.
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
Hello,
Would it be possible to maintain the Fedora 29 knot-resolver repo for a few
more months? It recently dropped off the mirrors and it's unclear if some
F29 machines will be updated for a few more months.
Thanks!
R
Dear Knot Resolver users,
Knot Resolver 5.0.0 has been released!
This version has a few backward incompatible changes. Most notably, the
network interface configuration has been moved back to the configuration
file and configuration via systemd sockets is no longer supported.
Unfortunately, this change requires a manual modification of your
configuration file if you've previously configured your network
interfaces via systemd sockets. Please follow the instructions printed
out during package upgrade and check out our upgrading guide:
https://knot-resolver.readthedocs.io/en/stable/upgrading.html
We apologize for the inconvenience.
Incompatible changes
--------------------
- see upgrading guide:
https://knot-resolver.readthedocs.io/en/stable/upgrading.html
- systemd sockets are no longer supported (#485)
- net.listen() throws an error if it fails to bind; use freebind option
if needed
- control socket location has changed (!922)
- -f/--forks is deprecated (#529, !919)
Improvements
------------
- logging: control-socket commands don't log unless --verbose (#528)
- use SO_REUSEPORT_LB if available (FreeBSD 12.0+)
- lua: remove dependency on lua-socket and lua-sec, used lua-http and
cqueues (#512, #521, !894)
- lua: remove dependency on lua-filesystem (#520, !912)
- net.listen(): allow binding to non-local address with freebind
option (!898)
- cache: pre-allocate the file to avoid SIGBUS later (not macOS;
!917, #525)
- lua: be stricter around nonsense returned from modules (!901)
- user documentation was reorganized and extended (!900, !867)
- multiple config files can be used with --config/-c option (!909)
- lua: stop trying to tweak lua's GC (!201)
- systemd: add SYSTEMD_INSTANCE env variable to identify different
instances (!906)
Bugfixes
--------
- correctly use EDNS(0) padding in failed answers (!921)
- policy and daf modules: fix postrules and reroute rules (!901)
- renumber module: don't accidentally zero-out request's .state (!901)
Full changelog:
https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v5.0.0/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.0.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.0.0.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v5.0.0/
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
