Vladimír Čunát
@vcunat:matrix.org
[m]
Usually the order of modules doesn't matter.
Yann-Kaelig
@Yann-Kaelig
Hello
I'm a noob and it's my first time on Knot. I'm testing knot-resolver in my local network. I would like to use DoT, but it doesn't work because I do not have any default self-signed certificate generated, as is explained in the documentation: "A self-signed certificate is generated by default."
Yann-Kaelig
@Yann-Kaelig
I tried to find whether any certificate has been generated somewhere on my system, but it seems there is nothing. Any idea how I can manually generate this certificate, and also why it is not generated by default?
Vladimír Čunát
@vcunat:matrix.org
[m]
It is generated, but I don't think it's saved into a file anywhere.
If you need the certificate in a file, I'd probably use some generic way of getting it from a TLS server, e.g. one of those suggested at https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server
Vladimír Čunát
@vcunat:matrix.org
[m]
The default cert is mainly meant for cases where the client won't authenticate and will just encrypt.
libDarkstreet
@libDarkstreet
Thanks. The 'view < policy' option helped!
Yann-Kaelig
@Yann-Kaelig
Well, I don't understand what I'm doing wrong. I'm running Ubuntu, there is no firewall, the ss -ltn output is fine (IP:853), but nmap doesn't show port 853 as open.
libDarkstreet
@libDarkstreet
Okay. Try nmap -sV -p 853 127.0.0.1
on the same system that runs Knot.
Yann-Kaelig
@Yann-Kaelig
Well, I found that NetworkManager needs systemd-resolved to work on port 583, and I do not use systemd at all, so I have installed Unbound on my desktop, configured the NetworkManager nameserver to localhost and forwarded "." to the Knot Resolver server, and it's working now.
libDarkstreet
@libDarkstreet
but, DNS over TLS is on 853
Yann-Kaelig
@Yann-Kaelig
Oops, sorry, typo. Yes :)
Yann-Kaelig
@Yann-Kaelig
Oh! That's really interesting, I didn't know about that until now: from a fresh Firefox installation, each entry on the default home page is making a request to the outside, Facebook, wiki and more.
1 reply
Yann-Kaelig
@Yann-Kaelig
Thank you, have a good day/night
Vitaliy Vasilenko
@vitalvas:matrix.org
[m]
Hello. I have an issue running the http module on ubuntu-20.04/aarch64:

kresd[2042963]: [system] error: /usr/lib/knot-resolver/kres_modules/http.lua:8: loop or previous error loading module 'cqueues'
kresd[2042963]: [system] failed to load module 'http'
kresd[2042963]: [system] error while loading config: error occurred here (config filename:lineno is at the bottom, if config is involved):
                        stack traceback:
                                [C]: in function 'load'
                                /usr/lib/knot-resolver/sandbox.lua:227: in function '__newindex'
                                /usr/lib/knot-resolver/sandbox.lua:487: in function '__newindex'
                                /etc/knot-resolver/kresd.conf:18: in main chunk
                        ERROR: No such file or directory (workdir '/var/lib/knot-resolver')

Does anyone know how to fix this?
Vladimír Čunát
@vcunat
@Yann-Kaelig: "not overwriting" logs are completely unrelated to overriding root hints.
Yann-Kaelig
@Yann-Kaelig
Hello
Yann-Kaelig
@Yann-Kaelig
Well, what I'm trying to do is to resolve the standard TLDs and the alternative OpenNIC TLDs. My first thought is to use the default root.hints file available with knot-resolver and forward the OpenNIC alternative root TLDs to my Knot DNS secondary server with a list of OpenNIC zones. A second idea is to use a custom root.hints with a list of OpenNIC root servers like this https://dpaste.com/BJXBKKLNQ, because they also provide the standard TLDs in addition to their alternative TLDs. But it doesn't work, and maybe it's not the best choice.
Vladimír Čunát
@vcunat:matrix.org
[m]
The second approach sounds OK.
In any case, you need to disable DNSSEC validation.
Oh, or configure their root key.
Anyway, my knowledge around using alt roots is basically nonexistent. The whole concept feels weird to me.
Yann-Kaelig
@Yann-Kaelig
Good, I found an old thread here about OpenNIC TLDs :)
libDarkstreet
@libDarkstreet
Hello. How can I speed up propagation? I've tried the "predict" module and it didn't really help. The problem is that when I update a record for a domain name on Cloudflare, the change appears more slowly on our servers than on the DNS server provided by another ISP.
Vladimír Čunát
@vcunat:matrix.org
[m]
Set up a shorter TTL on Cloudflare? Then it will be faster everywhere, not just for your resolver.
On a resolver you could
libDarkstreet
@libDarkstreet
Thanks. Well, the problem is that I set the TTL to 5 minutes and our server updates it after 5 minutes as expected. But the other ISP's server refreshes after maybe 30 seconds.
Vladimír Čunát
@vcunat:matrix.org
[m]
Well, that's everyone's choice. Freshness vs. amount of work.
(so I personally don't see it as a "problem")
libDarkstreet
@libDarkstreet
Thanks for your help!
libDarkstreet
@libDarkstreet
So we experienced something quite interesting. Knot Resolver is producing some strange results: after each DNS request the TTL value decreases. Is this normal?
Oto Šťáva
@Spiffyk_gitlab
That is intentional, the returned TTL is the remaining time for which the resolver is going to keep the relevant record in cache. The one time that is not the case is when the record is newly being introduced into the cache, but that is something we probably want to change sometime in the future (see https://gitlab.nic.cz/knot/knot-resolver/-/issues/127)
git-ed
@ookangzheng
On the Debian unstable branch, I try to update knot-resolver to the latest version, but I'm still stuck at 5.4.0...
4 replies
belekasenelyzai123
@belekasenelyzai123
Hey guys, would it be possible to change reroute.rpz on the fly without needing to reconnect to a VPN for changes to take effect?
1 reply
walexero
@walexero:matrix.org
[m]
Hey guys, I'm getting this error, has anyone encountered it before? [taupd ] active refresh failed, update your trust anchors in "/usr/share/dns/root.key"
3 replies
libDarkstreet
@libDarkstreet
Hello. It seems that the configured cache size is ignored. All our servers have 32 GB of RAM, and the configuration sets a 16 GB cache size. However, after some time Knot Resolver uses 30 GB of RAM and the server starts using swap memory.
...
modules.load('cache')

cache.size = 16384 * MB
...
Vladimír Čunát
@vcunat:matrix.org
[m]
A memory leak seems way more likely than ignoring cache size.
Either way, you can inspect the cache file. It can't fit more data than its size.
libDarkstreet
@libDarkstreet
It could be. The file size is what I specified in the configuration. But what should I do in this situation? htop shows that the Knot Resolver process is using the most RAM.
Michael Braunöder
@MikeAT
Hi, how can I configure some kind of rate limiting for Knot Resolver? Did I miss something in the documentation?
2 replies
poentodewo
@poentodewo:matrix.org
[m]
Hello, first time in here. I installed Knot Resolver 3 days ago and everything was running fine until I got SERVFAIL with this domain, jd.id. Is anything wrong with my config, or something I don't know? This is my config https://paste.debian.net/1249434/ and my debug log https://paste.debian.net/1249433. When I add this policy: policy.add(policy.suffix(policy.FLAGS('NO_MINIMIZE'), policy.todnames({'jd.id.'}))) the web page loads fine, but functions like login are still broken, and the log shows many SERVFAILs.
poentodewo
@poentodewo:matrix.org
[m]
I got SERVFAIL too when querying the ODVR public DNS:
kdig  @193.17.47.1 m.jd.id
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 725
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; m.jd.id.                     IN      A

;; ANSWER SECTION:
m.jd.id.                676     IN      CNAME   m.jd.id.gslb.qianxun.com.

;; Received 63 B
;; Time 2022-08-06 09:43:27 WIB
;; From 193.17.47.1@53(UDP) in 2459.3 ms
9.9.9.9 and 1.1.1.1 give no error:
kdig  @1.1.1.1 m.jd.id
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 10981
;; Flags: qr rd ra; QUERY: 1; ANSWER: 7; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; m.jd.id.                     IN      A

;; ANSWER SECTION:
m.jd.id.                705     IN      CNAME   m.jd.id.gslb.qianxun.com.
m.jd.id.gslb.qianxun.com.       45      IN      CNAME   cdn.jd.id.
cdn.jd.id.              705     IN      CNAME   cdn.jd.id.gslb.qianxun.com.
cdn.jd.id.gslb.qianxun.com.     45      IN      CNAME   jddisplay.com.edgesuite.net.
jddisplay.com.edgesuite.net.    21585   IN      CNAME   a1836.r.akamai.net.
a1836.r.akamai.net.     5       IN      A       173.222.148.43
a1836.r.akamai.net.     5       IN      A       23.49.60.41

;; Received 201 B
;; Time 2022-08-06 09:43:42 WIB
kdig  @9.9.9.9 m.jd.id
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 7162
;; Flags: qr rd ra; QUERY: 1; ANSWER: 7; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; m.jd.id.                     IN      A

;; ANSWER SECTION:
m.jd.id.                692     IN      CNAME   m.jd.id.gslb.qianxun.com.
m.jd.id.gslb.qianxun.com.       33      IN      CNAME   cdn.jd.id.
cdn.jd.id.              693     IN      CNAME   cdn.jd.id.gslb.qianxun.com.
cdn.jd.id.gslb.qianxun.com.     33      IN      CNAME   jddisplay.com.edgesuite.net.
jddisplay.com.edgesuite.net.    14751   IN      CNAME   a1836.r.akamai.net.
a1836.r.akamai.net.     20      IN      A       23.221.50.90
a1836.r.akamai.net.     20      IN      A       23.221.50.16

;; Received 201 B
;; Time 2022-08-06 09:43:51 WIB
;; From 9.9.9.9@53(UDP) in 5.4 m
vecinohk
@vecinohk
I have been encountering this a lot in recent days. What does that mean please? Thanks
19 replies