- knot-resolver-users - lists.nic.cz

knot-resolver 3.1.0 nevrací A záznam pro www.cezdistribuce.cz

by Zdeněk Janiš

Dobrý den, používám knot-resolver ver. 3.1.0 a zjistil, že nevrací A záznamy pro: www.cezdistribuce.cz když vymažu cache: cache.clear('cezdistribuce.cz') tak se knot-resolver na nedefinovanou dobu umoudří a A záznamy normálně vrací. Přitom google DNS 8.8.8.8 záznamy vrací v pořádku. Jinou anomálii jsem nezjistil. V čem může být problém? Konfigurace? Nefunkční výpis: $ dig @192.168.100.100 -t A www.cezdistribuce.cz ; <<>> DiG 9.11.4-P2-3~bpo9+1-Debian <<>> @192.168.100.100 -t A www.cezdistribuce.cz ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26696 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.cezdistribuce.cz. IN A ;; AUTHORITY SECTION: cezdistribuce.cz. 41952 IN SOA ns10.cez.cz. netmaster.cezdata.cz. 2018112701 28800 7200 864000 86400 ;; Query time: 1 msec ;; SERVER: 192.168.100.100#53(192.168.100.100) ;; WHEN: Po pro 10 07:58:55 CET 2018 ;; MSG SIZE rcvd: 112 Funkční, po vymazaní z cache: $ dig @192.168.100.100 -t A www.cezdistribuce.cz ; <<>> DiG 9.11.4-P2-3~bpo9+1-Debian <<>> @192.168.100.100 -t A www.cezdistribuce.cz ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 89 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.cezdistribuce.cz. IN A ;; ANSWER SECTION: www.cezdistribuce.cz. 24 IN A 89.111.76.140 ;; Query time: 0 msec ;; SERVER: 192.168.100.100#53(192.168.100.100) ;; WHEN: Po pro 10 08:09:59 CET 2018 ;; MSG SIZE rcvd: 65 Děkuji za pomoc. -- Zdeněk Janiš

7 let, 6 měsíců

3
2
0 0

not able to configure kresd

by Ján Boroš

hi My idea is to use knot resolver as dns forwarder / cache instead using dnsmasq. I am using old PC with archlinux as router. I did change dnsmasq config so it listen on port 5353. following steps here https://wiki.archlinux.org/index.php/Knot_Resolver I did change systemd unit so my kresd is listening on both local interfaces. I am checking that with ss command and it is ok. here is my config of kresd cat /etc/knot-resolver/kresd.conf -- vim:syntax=lua: -- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration -- Load useful modules modules = { 'policy', -- Block queries to local zones/bad sites 'hints > iterate', -- Load /etc/hosts and allow custom root hints 'stats', -- Track internal statistics 'predict', -- Prefetch expiring/frequent records } -- See kresd.systemd(7) about configuring network interfaces when using systemd -- Listen on localhost (default) -- net = { '127.0.0.1', '::1'} -- Enable DNSSEC validation -- trust_anchors.file = '/etc/knot-resolver/root.keys' hints.root_file = '/etc/knot-resolver/root.hints' -- Cache size cache.size = 100 * MB After start I can see following errors in journal Nov 08 22:49:43 skriatok systemd[1]: Starting Knot Resolver daemon... Nov 08 22:49:43 skriatok systemd[1]: Started Knot Resolver daemon. Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'b.root- servers.net.', type: 1 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'b.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'h.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'j.root- servers.net.', type: 1 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'm.root- servers.net.', type: 1 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'l.root- servers.net.', type: 1 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'j.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'i.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'g.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'f.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'e.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'd.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'a.root- servers.net.', type: 28 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'h.root- servers.net.', type: 1 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'c.root- servers.net.', type: 1 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'k.root- servers.net.', type: 1 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'e.root- servers.net.', type: 1 Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'f.root- servers.net.', type: 1 ... thank you for help

7 let, 7 měsíců

3
6
0 0

Status of DNS over HTTPS in knot resolver

by Arsen STASIC

Hi, What is the current status for DoH (DNS over HTTPS) in knot resolver? There is an open issue #280 https://gitlab.labs.nic.cz/knot/knot-resolver/issues/280 Marek Vavrusa from Cloudflare offers a patch for this, but I haven't found it so far and dnsprivacy.org also mentions (probably) this patch. https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status Is this patch available? cheers -arsen

7 let, 7 měsíců

2
1
0 0

forward for given zones

by Ivo Panáček

Hi, I am not able to force knot-resolver to forward some queries. I have real DNS zone and in internal network I have few 3rd level subzones. For them I would like to make my kresd forward queries to our internal DNS server (bind9). My computer is not inside company nework - connected via openvpn. System is ubuntu 18.04.1 (up-to-date) and knot-resolver 3.0.0. Relevant part of kresd.conf is: policy.add(policy.suffix( policy.FORWARD('10.0.0.1'),{ todname('sub1.company.cz'), todname('sub2.company.cz') } )) dig machine.sub1.company.cz @127.0.0.53 does NOT work, dig machine.sub1.company.cz @10.0.0.1 DOES work I have set verbose(true) but with no help. kresd queries 10.0.0.1 for 'company.cz' only, but that's all. I am just working on it on my ubuntu workstation, but real target will be turris omnia with its kresd, which connects via openvpn to company network. -- Sincerely Ivo Panacek

7 let, 7 měsíců

3
8
0 0

Knot Resolver 3.1.0

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 3.1.0 has been released. Incompatible changes -------------------- - hints.use_nodata(true) by default; that's what most users want - libknot >= 2.7.2 is required Improvements ------------ - cache: handle out-of-space SIGBUS slightly better (#197) - daemon: improve TCP timeout handling (!686) Bugfixes -------- - cache.clear('name'): fix some edge cases in API (#401) - fix error handling from TLS writes (!669) - avoid SERVFAILs due to certain kind of NS dependency cycles (#374) Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v3.1.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.1.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.1.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v3.1.0/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

7 let, 7 měsíců

1
0
0 0

views with more than one policy

by Bratislav ILIC

Dear Knot Resolver users, Is it possible to create a view with more than one policie? If I do for example something like this: view:addr('192.168.1.0/24', policy.suffix( policy.PASS, policy.todnames({'good.com','better.com','best.com'}) ) ) view:addr('192.168.1.0/24', policy.suffix( policy.REFUSE,{todname('bad.com')} ) ) Knot resolver will obey only the first view and users will be able to resolve the bad.com domain ... obviously the first view is the match and no other views are considered afterwards ... Without multiple policies views are pretty much useless so I believe that I must be doing something wrong here so could anybody help me on this ... Best regards, Bratislav ILIC

7 let, 9 měsíců

3
3
0 0

Knot Resolver 3.0.0

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 3.0.0 has been released. Incompatible changes -------------------- - cache: fail lua operations if cache isn't open yet (!639) By default cache is opened *after* reading the configuration, and older versions were silently ignoring cache operations. Valid configuration must open cache using `cache.open()` or `cache.size =` before executing cache operations like `cache.clear()`. - libknot >= 2.7.1 is required, which brings also larger API changes - in case you wrote custom Lua modules, please consult https://knot-resolver.readthedocs.io/en/latest/lib.html#incompatible-change… - in case you wrote custom C modules, please see compile against Knot DNS 2.7 and adjust your module according to messages from C compiler - DNS cookie module (RFC 7873) is not available in this release, it will be later reworked to reflect development in IEFT dnsop working group - version module was permanently removed because it was not really used by users; if you want to receive notifications about new releases please subscribe to https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-resolver-announce Bugfixes -------- - fix multi-process race condition in trust anchor maintenance (!643) - ta_sentinel: also consider static trust anchors not managed via RFC 5011 Improvements ------------ - reorder_RR() implementation is brought back - bring in performace improvements provided by libknot 2.7 - cache.clear() has a new, more powerful API - cache documentation was improved - old name "Knot DNS Resolver" is replaced by unambiguous "Knot Resolver" to prevent confusion with "Knot DNS" authoritative server Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v3.0.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.0.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.0.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v3.0.0/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

7 let, 10 měsíců

4
3
0 0

policy.lua error attempt to call local 'action' (a table value)

by Yoshihito Horigome

Hello, I set config as below, but an error is output at some timing. Although it is an error message related to policy.lua, reading the document does not know the cause. """ error: /usr/local/lib/kdns_modules/policy.lua:526: attempt to call local 'action' (a table value) error: /usr/local/lib/kdns_modules/policy.lua:526: attempt to call local 'action' (a table value) error: /usr/local/lib/kdns_modules/policy.lua:526: attempt to call local 'action' (a table value) error: /usr/local/lib/kdns_modules/policy.lua:526: attempt to call local 'action' (a table value) """ """ net.listen(net.eth0, 53, false) -- Load Useful modules modules = { 'policy', -- Block queries to local zones/bad sites 'view', -- Views for certain clients 'hints > iterate', -- Hints AFTER iterate 'priming', -- Initializing a DNS Resolver with Priming Queries implemented according. 'detect_time_skew', -- System time skew detector 'detect_time_jump', -- Detect discontinuous jumps in the system time 'daf', predict = { window = 180, -- 180 minutes sampling window period = 24*(60/15) -- track last 24 hours }, 'bogus_log', } modules.list() -- Check module call order -- stub forward policy.add(policy.suffix(policy.PASS({'192.168.1.3@10053', '192.168.1.4@10053'}), {todname('kometch.private')})) policy.add(policy.suffix(policy.PASS({'192.168.1.3@10053', '192.168.1.4@10053'}), {todname('168.192.in-addr.arpa') })) --forward policy policy.add(policy.all(policy.FORWARD({'1.1.1.1', '1.0.0.1'}))) policy.del(0) """ Would you please advise me? Best regards.

7 let, 10 měsíců

2
2
0 0

version module been deleted?

by Yoshihito Horigome

Hello, Since version 2.4.1, have the version module been deleted? I confirmed NEWS, but I could not find a sentence to mention that the "version" module was deleted. https://gitlab.labs.nic.cz/knot/knot-resolver/blob/master/NEWS I have confirmed that it has been deleted from Gitlab. Best regards.

7 let, 10 měsíců

4
4
0 0

Knot Resolver 2.4.1

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 2.4.1 has been released. Security -------- - fix CVE-2018-10920: Improper input validation bug in DNS resolver component (security!7, security!9) Bugfixes -------- - cache: fix TTL overflow in packet due to min_ttl (#388, security!8) - TLS session resumption: avoid bad scheduling of rotation (#385) - HTTP module: fix a regression in 2.4.0 which broke custom certs (!632) - cache: NSEC3 negative cache even without NS record (#384) This fixes lower hit rate in NSEC3 zones (since 2.4.0). - minor TCP and TLS fixes (!623, !624, !626) Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v2.4.1/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-2.4.1.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-2.4.1.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v2.4.1/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

7 let, 10 měsíců

1
0
0 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

knot-resolver-users