These are chat archives for CZ-NIC/knot-resolver

23rd Jul 2018
Petr Špaček
@pspacek
Jul 23 2018 08:52
@timp87 Hello! Can you tell us what features are missing and what's the use-case? It helps with prioritization...
Petr Špaček
@pspacek
Jul 23 2018 09:07
@timp87 I'm reading https://random.re/faq/dns right now and it is really weird code. It randomizes server selection for each query, so it in fact makes the situation worse (from a privacy perspective).
Given that a usual web page needs a bunch of DNS queries to load, this will with high probability expose information about sites you visit not only to Quad9/Cloudflare but to both of them. That does not sound like an improvement ...
At the moment the best protection is probably https://blog.cloudflare.com/welcome-hidden-resolver/
Pavel Timofeev
@timp87
Jul 23 2018 09:21

@pspacek hi!
Well, when you read documentation and find several non-working things one after another you just stop looking at the software and go to another.
It's hard to say, I just wiped knot-resolver from my list because I do not know what else is broken.
Several non-working things I can remember now:

  • cache methods like get or clear, for example cache.clear('*.bad.cz')
    The use case is to purge an exact RR from cache during [re]deployments of your components or infrastructure. We have 9 high-load DCs and it's not appropriate to flush all cache at once.
  • the http server option 'cert = false' just doesn't make any difference. It's weird when it works via both http and https no matter what is set in the 'cert' option.
    I'd like to write an 'API', but I definitely do not want it to be available via plain http
  • reorder_RR is broken.
    I know this is a bad idea to balance traffic. But in general it can make load a bit smoother.
  • cache hit stats

It would be great if non-working things were marked as not-yet-working in docs.

Petr Špaček
@pspacek
Jul 23 2018 09:29
Thank you for the list!
I'm sorry about that, we will fix these. Cache clear should be fixed in a release this or next week (in release 2.5).
Reorder_RR will be fixed in release after that.
I need to look into http server option because nobody reported a problem there.
Speaking of cache hist stats - what do you mean?
Oh, now I can see I made a mistake and replied to the wrong person regarding the TLS forwarding ...
@ser Hello!
I'm reading https://random.re/faq/dns right now and it is really weird code. It randomizes server selection for each query, so it in fact makes the situation worse (from a privacy perspective).
Given that a usual web page needs a bunch of DNS queries to load, this will with high probability expose information about sites you visit not only to Quad9/Cloudflare but to both of them. That does not sound like an improvement ... At the moment the best protection is probably https://blog.cloudflare.com/welcome-hidden-resolver/
@ser Besides that, the code on the wiki is not good, that's why it is throwing warnings. The fixed version should look like this:
-- Each entry is one upstream provider: a list of its servers with the
-- hostname used to authenticate the TLS connection.
dns_providers = {
    { -- Quad9
        {'9.9.9.9', hostname='dns.quad9.net'},
        {'149.112.112.112', hostname='dns.quad9.net'},
    },
    { -- Cloudflare Resolver
        {'1.1.1.1', hostname='cloudflare-dns.com'},
        {'1.0.0.1', hostname='cloudflare-dns.com'},
    }
}

-- Build one TLS_FORWARD action per provider (not per server), so the
-- whole server list of a provider is passed to policy.TLS_FORWARD at once.
tls_forwarders = {}
for n, fwdspec in ipairs(dns_providers) do
    table.insert(tls_forwarders, policy.TLS_FORWARD(fwdspec))
end

-- Pick one provider at random for every query.
policy.add(function (request, query)
    return tls_forwarders[math.random(1, #tls_forwarders)]
end)
Petr Špaček
@pspacek
Jul 23 2018 09:37
If you insist on this way of randomization then you should replace tls_forwarders[math.random(1, #tls_forwarders)] with something more clever. For example I can imagine selecting a target server based on the hashed domain right below its public suffix, but this will most likely leak as well because twitter.com and twimg.com might hash to different values and thus leak again.
So in short, I would not recommend this method if you want to improve your privacy. Go for Tor.
Pavel Timofeev
@timp87
Jul 23 2018 09:47

@pspacek thank you.
I also remembered that /feed doesn't work in the http server

Speaking of cache hist stats - what do you mean?

cache hit stats are just always 0

I find knot-resolver very interesting, please, keep going!
I also wanted to check the 'serve stale' and predict plugins, but didn't

Petr Špaček
@pspacek
Jul 23 2018 12:14
@timp87 I'm going to submit a patch to fix problems with HTTPS configuration you reported, thank you very much!