- knot-resolver-users - lists.nic.cz

Rebinding protection - how to suppress additional section

by Aleš Rygl

Hello, We are using Knot-Resolver 5.5.0 with rebinding protection: modules.load('rebinding < iterate') We have some complains about an invalid domain name being returned in the additional section of the response to the blocked request: ;; ADDITIONAL SECTION: explanation.invalid. 10800 IN TXT "blocked by DNS rebinding protection" It looks like some windows domain controllers running DNS clients do not like it and log an error: The DNS server encountered an invalid domain name in a packet from <Knot-Resolver IP> The packet will be rejected. The event data contains the DNS packet. Is there a way how to suppress this? Or even better response with SERVFAIL? Thanks Ales Rygl

3 roky, 6 měsíců

2
1
0 0

Preload module with mutliple instances of kresd

by Aleš Rygl

Hello, I'd would like to ask for help with preload module. The issue is that when running multiple instatnces of kresd under systemd usualy just one of them is able to start correctly. The other hangs and fails to start. The config is just copy/paste from the documentation: modules.load('prefill') prefill.config({ ['.'] = { url = 'https://www.internic.net/domain/root.zone', interval = 86400, -- seconds } }) Starting instances in a sequence does not help, the 2nd one hangs - and only if the 1st one is killed/stopped the 2nd one goes on and processes the root zone. Did I miss something in the documentation? With regards Ales Rygl

3 roky, 6 měsíců

2
2
0 0

Google Chrome not working with Knot Resolver via DoH

by Blažej Krajňák

Hello, at AS50242 we run two recursive resolvers for our ISP customers. Both resolvers are listening for doh2 with ECDSA SSL certs from Letsencrypt. ns1r.levonet.sk ns2r.levonet.sk kdig +https is working correctly, however I'm unable to use these DoH resolvers with Google Chrome (99.0.4844.74) browser on MacOS (12.2.1). In settings I entered "https://ns2r.levonet.sk" as custom DoH resolver and I got error: Please verify that this is a valid provider or try again. I have enabled Knot debugging for doh and tls and log is flooded with messages about "incomplete, refusing". Does anybody have an idea what's wrong? Has Chrome some specific requirements for DoH servers? Thanks Blažej Mar 15 19:47:44 ns2r kresd[1317767]: [doh ] [0x215d1e0] h2 session created for 2a02:6ca3:800:0:60c4:dcd1:0000:0000#57880 Mar 15 19:47:44 ns2r kresd[1317767]: [tls ] TLS handshake with 2a02:6ca3:800:0:60c4:dcd1:0000:0000#57880 has completed Mar 15 19:47:44 ns2r kresd[1317775]: [doh ] [0x168d620] h2 session created for 2a02:6ca3:800:0:60c4:dcd1:0000:0000#57881 Mar 15 19:47:44 ns2r kresd[1317775]: [tls ] TLS handshake with 2a02:6ca3:800:0:60c4:dcd1:0000:0000#57881 has completed Mar 15 19:47:45 ns2r kresd[1317771]: [doh ] [0x1016940] h2 session created for 2a02:6ca3:800:0:60c4:dcd1:0000:0000#57882 Mar 15 19:47:45 ns2r kresd[1317771]: [tls ] TLS handshake with 2a02:6ca3:800:0:60c4:dcd1:0000:0000#57882 has completed Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 7 incomplete, refusing (begin_headers_callback) Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 7 incomplete, refusing (header_callback) Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 7 incomplete, refusing (header_callback) Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 7 incomplete, refusing (header_callback) Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 7 incomplete, refusing (header_callback) Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 7 incomplete, refusing (header_callback) Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 7 incomplete, refusing (header_callback) Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 7 incomplete, refusing (header_callback) Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 7 incomplete, refusing (header_callback) Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 7 incomplete, refusing (header_callback) Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 7 incomplete, refusing (header_callback) Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 15 incomplete, refusing (begin_headers_callback) Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 15 incomplete, refusing (header_callback) Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 15 incomplete, refusing (header_callback) Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 15 incomplete, refusing (header_callback) Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 15 incomplete, refusing (header_callback) Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 15 incomplete, refusing (header_callback) Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 15 incomplete, refusing (header_callback) Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 15 incomplete, refusing (header_callback) Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 15 incomplete, refusing (header_callback) Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 15 incomplete, refusing (header_callback) Mar 15 19:47:45 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 15 incomplete, refusing (header_callback) Mar 15 19:47:46 ns2r kresd[1317767]: [doh ] [0x215d1e0] stream 23 incomplete, refusing (begin_headers_callback)

3 roky, 7 měsíců

3
3
0 0

Survey on DNS resolver operations and DNSSEC

by Moritz Müller

Hi everyone, The DNS Security Extensions (DNSSEC) add integrity and authenticity to the Domain Name System (DNS). Now, more than 17 years after their standardization, we would like to hear from DNS recursive resolver operators about their experience with DNSSEC. For this reason, we have set up a short survey. It’s directed mainly towards organisations that run a recursive resolver. Filling out the survey should take roughly 5 to 10 minutes. https://forms.gle/FxTD9FofaogdvLqcA (link directs to Google Forms) This survey is carried out by SIDN Labs (https://sidnlabs.nl) and by the Swedish Internet Foundation (https://internetstiftelsen.se/en/). You can contact us via email: moritz.muller(a)sidn.nl Please excuse us, if you have received this email via different mailing lists. — Moritz Müller Research Engineer at SIDN Labs

3 roky, 7 měsíců

1
0
0 0

Knot Resolver 5.5.0

by Aleš Mrázek

Dear Knot Resolver users, Knot Resolver 5.5.0 has been released! Improvements - extended_errors: module for extended DNS error support, RFC8914 (!1234) - policy: log policy actions; useful for RPZ debugging (!1239) - policy: new action policy.IPTRACE for logging request origin (!1239) - prefill module: prepare for ZONEMD, improve performance (!1225) - validator: conditionally ignore SHA1 DS, as SHOULD by RFC4509 (!1251) - lib/resolve: use EDNS padding for outgoing TLS queries (!1254) - support for PROXYv2 protocol (!1238) - lib/resolve, policy: new NO_ANSWER flag for not responding to clients (!1257) Incompatible changes - libknot >= 3.0.2 is required Bugfixes - doh2: fix CORS by adding `access-control-allow-origin: *` (!1246) - net: fix listen by interface - add interface suffix to link-local IPv6 (!1253) - daemon/tls: fix resumption for outgoing TLS (e.g. TLS_FORWARD) (!1261) - nameserver selection: fix interaction of timeouts with reboots (#722, !1269) Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v5.5.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.5.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.5.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v5.5.0/ Donation: https://donations.nic.cz/en/donate/?project=knot-resolver -- Ales Mrazek PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE

3 roky, 7 měsíců

1
0
0 0

Knot Resolver 5.5.0.

by Aleš Mrázek

Dear Knot Resolver users, Knot Resolver 5.5.0 has been released! Improvements - extended_errors: module for extended DNS error support, RFC8914 (!1234) - policy: log policy actions; useful for RPZ debugging (!1239) - policy: new action policy.IPTRACE for logging request origin (!1239) - prefill module: prepare for ZONEMD, improve performance (!1225) - validator: conditionally ignore SHA1 DS, as SHOULD by RFC4509 (!1251) - lib/resolve: use EDNS padding for outgoing TLS queries (!1254) - support for PROXYv2 protocol (!1238) - lib/resolve, policy: new NO_ANSWER flag for not responding to clients (!1257) Incompatible changes - libknot >= 3.0.2 is required Bugfixes - doh2: fix CORS by adding `access-control-allow-origin: *` (!1246) - net: fix listen by interface - add interface suffix to link-local IPv6 (!1253) - daemon/tls: fix resumption for outgoing TLS (e.g. TLS_FORWARD) (!1261) - nameserver selection: fix interaction of timeouts with reboots (#722, !1269) Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v5.5.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.5.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.5.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v5.5.0/ Donation: https://donations.nic.cz/en/donate/?project=knot-resolver -- Ales Mrazek PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE

3 roky, 7 měsíců

1
0
0 0

Knot Resolver 5.5.0

by Aleš Mrázek

Dear Knot Resolver users, Knot Resolver 5.5.0 has been released! Improvements - extended_errors: module for extended DNS error support, RFC8914 (!1234) - policy: log policy actions; useful for RPZ debugging (!1239) - policy: new action policy.IPTRACE for logging request origin (!1239) - prefill module: prepare for ZONEMD, improve performance (!1225) - validator: conditionally ignore SHA1 DS, as SHOULD by RFC4509 (!1251) - lib/resolve: use EDNS padding for outgoing TLS queries (!1254) - support for PROXYv2 protocol (!1238) - lib/resolve, policy: new NO_ANSWER flag for not responding to clients (!1257) Incompatible changes - libknot >= 3.0.2 is required Bugfixes - doh2: fix CORS by adding `access-control-allow-origin: *` (!1246) - net: fix listen by interface - add interface suffix to link-local IPv6 (!1253) - daemon/tls: fix resumption for outgoing TLS (e.g. TLS_FORWARD) (!1261) - nameserver selection: fix interaction of timeouts with reboots (#722, !1269) Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v5.5.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.5.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.5.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v5.5.0/ Donation: https://donations.nic.cz/en/donate/?project=knot-resolver -- Ales Mrazek PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE

3 roky, 7 měsíců

1
0
0 0

Knot Resolver 5.5.0

by Aleš Mrázek

Dear Knot Resolver users, Knot Resolver 5.5.0 has been released! Improvements - extended_errors: module for extended DNS error support, RFC8914 (!1234) - policy: log policy actions; useful for RPZ debugging (!1239) - policy: new action policy.IPTRACE for logging request origin (!1239) - prefill module: prepare for ZONEMD, improve performance (!1225) - validator: conditionally ignore SHA1 DS, as SHOULD by RFC4509 (!1251) - lib/resolve: use EDNS padding for outgoing TLS queries (!1254) - support for PROXYv2 protocol (!1238) - lib/resolve, policy: new NO_ANSWER flag for not responding to clients (!1257) Incompatible changes - libknot >= 3.0.2 is required Bugfixes - doh2: fix CORS by adding `access-control-allow-origin: *` (!1246) - net: fix listen by interface - add interface suffix to link-local IPv6 (!1253) - daemon/tls: fix resumption for outgoing TLS (e.g. TLS_FORWARD) (!1261) - nameserver selection: fix interaction of timeouts with reboots (#722, !1269) Full changelog: https://gitlab.nic.cz/knot/knot-resolver/raw/v5.5.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.5.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-5.5.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v5.5.0/ Donation: https://donations.nic.cz/en/donate/?project=knot-resolver -- Ales Mrazek PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE

3 roky, 7 měsíců

1
0
0 0

Crashless crash

by Łukasz Jarosz

Hello, I recently deployed knot-resolver as main resolver for my network with following config: -- modules modules = { 'policy', 'view', 'workarounds < iterate', 'stats', -- required by predict module 'predict', 'http', } -- network net.ipv6 = false net.listen('0.0.0.0', 53, { kind = 'dns' }) net.listen('0.0.0.0', 8453, { kind = 'webmgmt' }) -- permissions user('knot-resolver','knot-resolver') -- cache, stats, performance optimizations cache.open(950*MB, 'lmdb:///cache/knot-resolver') cache.min_ttl(600) predict.config({ window = 5, period = 1*(60/5) }) -- limit access with ACLs view:addr('127.0.0.0/8', policy.all(policy.PASS)) view:addr('172.16.0.0/12', policy.all(policy.PASS)) view:addr('10.0.0.0/8', policy.all(policy.PASS)) view:addr('redacted', policy.all(policy.PASS)) view:addr('redacted', policy.all(policy.PASS)) view:addr('redacted', policy.all(policy.PASS)) view:addr('0.0.0.0/0', policy.all(policy.DROP)) -- query resolving policies policy.add(policy.rpz(policy.ANSWER, '/run/knot-resolver/custom.rpz', true)) policy.add(policy.all(policy.FORWARD({ "9.9.9.9", "8.8.8.8", }))) Process is started inside docker container with properly attached tmpfs at /cache mountpoint. Setup is monitored through prometheus and I received notification around 21:55 that exporter is down. To be exact context deadline exceeded (scrape_interval: 15s). I grabbed control socket and dumped following stats: > worker.stats() { ['concurrent'] = 1, ['csw'] = 31436648, ['dropped'] = 16081, ['err_http'] = 0, ['err_tcp'] = 0, ['err_tls'] = 0, ['err_udp'] = 0, ['ipv4'] = 9950850, ['ipv6'] = 0, ['pagefaults'] = 1, ['queries'] = 30978879, ['rss'] = 166846464, ['swaps'] = 0, ['systime'] = 2681.109337, ['tcp'] = 232596, ['timeout'] = 139212, ['tls'] = 0, ['udp'] = 9718254, ['usertime'] = 6298.521581, } > cache.stats() { ['clear'] = 1, ['close'] = 1, ['commit'] = 23279836, ['count'] = 20349, ['count_entries'] = 340222, ['match'] = 0, ['match_miss'] = 0, ['open'] = 2, ['read'] = 144512076, ['read_leq'] = 10170653, ['read_leq_miss'] = 4988410, ['read_miss'] = 25166216, ['remove'] = 0, ['remove_miss'] = 0, ['usage_percent'] = 11.396792763158, ['write'] = 25742556, } When I opened web interface I noticed steady decline in requests. [image: image.png] I think this means that clients mostly moved to secondary DNS resolver. Also when reviewing gathered data in grafana dashboard I noticed that slow (250ms+) queries are prevalent from the fast queries. [image: image.png] Any advice what happened here? Best regards, Łukasz Jarosz

3 roky, 7 měsíců

1
0
0 0

Removing a temporary negative trust anchor

by Matthew Richardson

Running 5.4.4, adding an NTA seems very straightforward:- >> trust_anchors.set_insecure( {"fj"} ) > >> trust_anchors.summary() >'fj. is negative trust anchor >. 172800 DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ; Valid: ; KeyTag:20326 >' What is the precise incantation to remove it when it is no longer required? The following do not work:- >> trust_anchors.remove('fj') >false >> trust_anchors.remove('fj.') >false >> trust_anchors.remove( {"fj"} ) >false Any help would be appreciated. Also, does Knot Resolver allow an automatic timeout when setting NTAs as Bind does? --- Best wishes, Matthew

3 roky, 8 měsíců

2
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

knot-resolver-users