I'm new to knot resolver (kresd).
Running kresd in runit and logging via svlogd.
I'm trying to run kresd on a lan with internal ip addresses and
internal domains.
I can currently do this with dnsmasq and unbound, but I wanted to see
how kresd would do on the client facing edge.
I have an Active Directory domain which I've inherited (domain.local)
and I've made a building.domain dns infrastructure for the different
buildings. (building-red.domain, building-orange.domain,
building-green.domain, etc..)
There were two AD dns servers doing all the DNS.. There is now a
pihole server and dnsmasq helping to offset the queries.
I'm looking to put up a kresd on the :53 and move the current dnsmasq
installs to :57 and have kresd forward to them.
When I do this my building.domain and domain.local are not resolvable.
What am I missing?
Unbound has a private-address and private-domain which handles this.
Does knot resolver have something similar?
egrep -v "\-\-" /etc/knot-resolver/config
net.listen('10.20.0.43', 53)
trust_anchors.remove('.')
modules = {
'policy',
'stats',
'predict'
}
cache.size = 100*MB
cache.storage = 'lmdb:///var/cache/knot-resolver/'
user( 'knot-resolver', 'knot-resolver' )
predict.config({ window = 20, period = 72 })
policy.add( policy.all( policy.FORWARD(
{ '10.20.0.43@57', '10.20.0.53@57' }
)))
Below is an excerpt from the kresd logs captured via svlogd showing
the NXDOMAIN return..
2019-05-22_18:19:53.06750 [00000.00][plan] plan 'squid.tech.pcsd.' type 'A' uid [35568.00]
2019-05-22_18:19:53.06756 [35568.00][iter] 'squid.tech.pcsd.' type 'A' new uid was assigned .01, parent uid .00
2019-05-22_18:19:53.06758 [35568.01][cach] => trying zone: ., NSEC, hash 0
2019-05-22_18:19:53.06759 [35568.01][cach] => NSEC sname: covered by: pccw. -> pe., new TTL 83379
2019-05-22_18:19:53.06760 [35568.01][cach] => NSEC wildcard: covered by: . -> aaa., new TTL 84454
2019-05-22_18:19:53.06761 [35568.01][cach] => writing RRsets: +++
2019-05-22_18:19:53.06762 [35568.01][iter] <= rcode: NXDOMAIN
2019-05-22_18:19:53.06768 [35568.01][resl] AD: request NOT classified as SECURE
2019-05-22_18:19:53.06773 [35568.01][resl] finished: 0, queries: 1, mempool: 16400 B
and this is another request that worked successfully
2019-05-22_18:19:53.07382 [00000.00][plan] plan 'r6---sn-8xgp1vo-2iae.googlevideo.com.' type 'A' uid [24882.00]
2019-05-22_18:19:53.07384 [24882.00][iter] 'r6---sn-8xgp1vo-2iae.googlevideo.com.' type 'A' new uid was assigned .01, parent uid .00
2019-05-22_18:19:53.07388 [24882.01][cach] => skipping unfit CNAME RR: rank 020, new TTL -144
2019-05-22_18:19:53.07389 [24882.01][cach] => no NSEC* cached for zone: googlevideo.com.
2019-05-22_18:19:53.07389 [24882.01][cach] => skipping zone: googlevideo.com., NSEC, hash 0;new TTL -123456789, ret -2
2019-05-22_18:19:53.07389 [24882.01][cach] => skipping zone: googlevideo.com., NSEC, hash 0;new TTL -123456789, ret -2
2019-05-22_18:19:53.07390 [ ][nsre] score 21 for 10.20.0.43#00057; cached RTT: 19
2019-05-22_18:19:53.07391 [ ][nsre] score 40001 for 10.20.0.53#00057; cached RTT: 12666
2019-05-22_18:19:53.07391 [24882.01][resl] => id: '07414' querying: '10.20.0.43#00057' score: 21 zone cut: '.' qname: 'R6---sN-8Xgp1VO-2iae.goOgLeVIDeO.CoM.' qtype: 'A' proto: 'udp'
here is dig showing that the entry does exist..
; <<>> DiG 9.14.2 <<>> @10.20.0.43 -p 53 -t any squid.tech.pcsd
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17967
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;squid.tech.pcsd. IN ANY
;; ANSWER SECTION:
squid.tech.pcsd. 300 IN A 10.20.0.69
;; Query time: 3 msec
;; SERVER: 10.20.0.43#53(10.20.0.43)
;; MSG SIZE rcvd: 60
As I said I'm still new to kresd and it's logging format so please
excuse my ignorance if the answer is obvious.. I've been reading all
that I can, and I couldn't find a use case that was like mine in the
documentation.. (I did find two things that were causing me problems
with upstream providers in unbound because of the docs.. which is why
I'm looking to try it on the lan and see what happens.. )
Thank you for taking the time to read this.
I'm looking to fortify and make things more resilient with the network
so that I can focus on finishing other projects.. and from what I can
see.. knot will totally help me with that.
Again, thanks for this piece of software - greatly appreciated.
After squidguard and pihole this is what I'm sending to the outside
world (thanks to kresd)..
https://imgur.com/a/tlcC6Jx
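As an added example (editor's illustration, not part of the original post or a reply from the list): a kresd policy section that routes the internal suffixes named in the post to the two dnsmasq instances on port 57 before the catch-all forward, so the resolver asks the internal servers for those names directly instead of treating them as public names. It relies on policy.suffix, policy.todnames and policy.STUB from the kresd policy module; the exact zone labels and the assumption that both dnsmasq instances answer for every internal zone are the editor's.

```lua
-- Added example (not from the original post): send internal zones to the
-- internal dnsmasq instances on port 57, then forward everything else.
-- Assumption: both dnsmasq instances can answer for all zones listed here.
modules = { 'policy', 'stats', 'predict' }

local internal_servers = { '10.20.0.43@57', '10.20.0.53@57' }

-- Suffixes that should never be resolved against the public root.
-- The labels are taken from the names mentioned in the post (the
-- building-*.domain entries are placeholders); adjust to the real zones.
local internal_zones = policy.todnames({
  'domain.local',
  'building-red.domain',
  'building-orange.domain',
  'building-green.domain',
})

-- Policy rules are evaluated in order and the first match wins, so the
-- suffix rule must be added before the catch-all. STUB sends the query to
-- the target without attempting DNSSEC validation, which suits a private
-- AD zone that has no chain of trust from the root.
policy.add(policy.suffix(policy.STUB(internal_servers), internal_zones))

-- Everything else still goes to the same dnsmasq instances, as in the
-- original config, and they in turn reach the public DNS.
policy.add(policy.all(policy.FORWARD(internal_servers)))
```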