Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
Petr Špaček
@pspacek
Beware of https://knot-resolver.readthedocs.io/en/stable/modules-view.html#rule-order
Adam
@Ahuren_gitlab

Beware of https://knot-resolver.readthedocs.io/en/stable/modules-view.html#rule-order

learned this from the first test setup, now thoroughly going through the documentation. the doc is so well maintained and updated and appreciate the effort you guys put into this.

Petr Špaček
@pspacek
It needs to be said that we are not happy with this configuration format. It would be great if you can share your thoughts in https://www.knot-resolver.cz/survey/ (once you finish your experiments). The survey is open until end of June 2020.
We have a project underway to redesign this policy thing and at the moment we would appreciate feedback to see if we should change only the internals to make it faster, or if should also overhaul user interface/config format.
Adam
@Ahuren_gitlab
@pspacek of course, I will submit my feedback after these tests :)
Petr Špaček
@pspacek
Thanks - and have a nice weekend!
Adam
@Ahuren_gitlab
can the graphite module be used for InfluxDB? I'm not seeing any influxDB modules
Vladimír Čunát
@vcunat
I have no personal experience, but docs says so: https://knot-resolver.readthedocs.io/en/stable/modules-stats.html#graphite-influxdb-metronome
Adam
@Ahuren_gitlab
with BIND we can log queries to a file. how can I do a similar function with knot resolver? the documentation does mention of stats.frequent() function. when I run the function in interactive mode doesn't show anything. this is after loading the module stats. I have the stats module loaded in the config as well.
Vladimír Čunát
@vcunat
At that point you most likely don't have any frequent queries yet. In any case, it's not a suitable function to see all queries.
Adam
@Ahuren_gitlab
@vcunat when i use log(table_print(stats.frequent())) inside the config, I am able to see the json list. if the function is not the best method, any idea how I can log the most frequent queries? the function in documentation table.sort(stats.frequent(), function (a, b) return a.count > b.count end) thrown an error saying (string expected, got nil
Vladimír Čunát
@vcunat
For logging most frequent queries it does seem suitable (but not for logging all queries).
Adam
@Ahuren_gitlab
yes i want to log the most frequent queries. in BIND this is how it's done. But unsure how to achieve such a method using knot 
logging {
        channel queries_log {
                file "/var/log/query.log" versions 3 size 1m;
                severity dynamic;
                print-time yes;
        };
        category queries {
                queries_log;
        };
};`
Vladimír Čunát
@vcunat
table.sort function returns nil (always)
Vladimír Čunát
@vcunat
Well, stats.frequent() is "suitable" in the sense that you can program your own logging (or anything) based on it, e.g. this demo (loaded as config):
modules.load('stats')

function log_frequent()
    local f = stats.frequent()
    log("%d elements", #f)
    stats.clear_frequent()
    table.sort(f, function (a, b) return a.count > b.count end)
    for _, item in ipairs(f) do
        log("%s %s", item.name, item.type)
    end
end

event.recurrent(10*min, log_frequent)
Vladimír Čunát
@vcunat
It might be more practical to write into a file to separate from normal logs and many other considerations. For advanced usage I expect it's typically better to switch to more specialized tools, e.g. https://www.dns-oarc.net/tools/dsc
Adam
@Ahuren_gitlab
thanks for the input. that looks like a great starting point. once I know how the function can operation, I can hack away to writing to a file. ill test this :)
Adam
@Ahuren_gitlab
@vcunat the frequent function does not list TLD part of query yes?
Vladimír Čunát
@vcunat
item.name in there is the whole name, e.g. github.com. (as lua string)
git-ed
@ookangzheng
on Debian 10 64bit, I do apt update and apt upgrade got this error 
Get:1 http://download.opensuse.org/repositories/home:/CZ-NIC:/knot-resolver-latest/Debian_10  lua-cqueues 20190813-1 [192 kB]
Err:1 http://download.opensuse.org/repositories/home:/CZ-NIC:/knot-resolver-latest/Debian_10  lua-cqueues 20190813-1
  File has unexpected size (192160 != 191928). Mirror sync in progress? [IP: 130.57.72.10 80]
  Hashes of expected file:
   - SHA256:902d332c7f7b9d8ece5610a4af6aa543fc8140b7e6423f563481c6214f1b1580
   - SHA1:c162b1633f56982069ebd9e517ea503b6986c743 [weak]
   - MD5Sum:e0b0aebb49604dbe4c419effa4a83cfe [weak]
   - Filesize:191928 [weak]
E: Failed to fetch http://download.opensuse.org/repositories/home:/CZ-NIC:/knot-resolver-latest/Debian_10/./amd64/lua-cqueues_20190813-1_amd64.deb  File has unexpected size (192160 != 191928). Mirror sync in progress? [IP: 130.57.72.10 80]

E: Failed to fetch http://download.opensuse.org/repositories/home:/CZ-NIC:/knot-resolver-latest/Debian_10/./amd64/lua-cqueues_20190813-1_amd64.deb  File has unexpected size (192160 != 191928). Mirror sync in progress? [IP: 130.57.72.10 80]
   Hashes of expected file:
    - SHA256:902d332c7f7b9d8ece5610a4af6aa543fc8140b7e6423f563481c6214f1b1580
    - SHA1:c162b1633f56982069ebd9e517ea503b6986c743 [weak]
    - MD5Sum:e0b0aebb49604dbe4c419effa4a83cfe [weak]
    - Filesize:191928 [weak]
Adam
@Ahuren_gitlab
@ookangzheng try this steps from documentation: https://knot-resolver.readthedocs.io/en/stable/quickstart-install.html
Vladimír Čunát
@vcunat
I expect it's "Mirror sync in progress?" and will go away soon.
matrixbot
@matrixbot
tkrizek I don't have any such issue on Debian 10, but I might be hitting different mirrors. In any case, it's probably a transient issue with some mirror of Open Build Service
matrixbot
@matrixbot
tkrizek Confirmed - OBS got a big rollback and now it has old packages in the repositories. Folks from #opensuse-buildservice IRC said it should be fixed in a few hours.
Adam
@Ahuren_gitlab

Well, stats.frequent() is "suitable" in the sense that you can program your own logging (or anything) based on it, e.g. this demo (loaded as config):

modules.load('stats')

function log_frequent()
    local f = stats.frequent()
    log("%d elements", #f)
    stats.clear_frequent()
    table.sort(f, function (a, b) return a.count > b.count end)
    for _, item in ipairs(f) do
        log("%s %s", item.name, item.type)
    end
end

event.recurrent(10*min, log_frequent)

@vcunat This is working great along with file write capability. Question: since this is giving me the frequent list of domains per given interval, how can i get hit count for those domains that get listed.? I tried with item.count, item.name but it simply displays all counts instead of frequency. any idea?

Robert Šefr
@robcza

can I somehow remove the .local from special names in policies? https://github.com/CZ-NIC/knot-resolver/blob/eb2b03df5d63c7141bda461c7a5ac7eabb8c630b/modules/policy/policy.lua#L923

I don't want to unload the whole policy module and I have to apply view:addr rules on the .local. That seems impossible in case the policy rule kicks in first and triggers the non-chain action.

Vladimír Čunát
@vcunat
Unless you want to change the order of policy and view modules, I believe you can use a policy.PASS action (within policy rules) to skip over other processing by that module.
@robcza ^^
Robert Šefr
@robcza
@vcunat in case I apply pass to policy will the view:addr be still applied?
Vladimír Čunát
@vcunat
Yes, I believe so. And it's also a confusing aspect. Overall, policy-like config and local data are scattered among multiple modules, and they don't really interact ideally with each other. That's why we're working on a new overall design, making a survey, etc.
Robert Šefr
@robcza
Thanks, will test it out. Survey already sent! :)
@vcunat it works! the view:addr is processed even though I break the chain in policy. Thank you
Georg
@teadur
vcunat: "How frequently do you need to modify configuration? " by that you mean actual configration not zone right ?
matrixbot
@matrixbot
tkrizek Either configuration or something like RPZ updates (for blocklist)
Vladimír Čunát
@vcunat
I'm not sure what other zones you have in a resolver, but I would most likely also count them like RPZ (say, if you serve them authoritatively from the resolver).
Georg
@teadur
k
Kris von Mach
@krismach_gitlab

I'm having an issue looking up certain .mil MX records. I would get SERVFAIL. However looking them up through other resolvers works. And also if I do a NS lookup before MX lookup, then it works too. For example:

kdig us.af.mil @127.0.0.1 MX
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 7115
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; us.af.mil. IN MX

;; Received 27 B
;; Time 2020-06-25 23:32:07 EDT
;; From 127.0.0.1@53(UDP) in 126.0 ms

kdig us.af.mil @127.0.0.1 NS
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 63682
;; Flags: qr rd ra; QUERY: 1; ANSWER: 6; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; us.af.mil. IN NS

;; ANSWER SECTION:
us.af.mil. 5 IN NS osan-ns10.afnoc.af.mil.
us.af.mil. 5 IN NS scott-ns10.afnoc.af.mil.
us.af.mil. 5 IN NS wpafb-ns10.afnoc.af.mil.
us.af.mil. 5 IN NS hickam-ns10.afnoc.af.mil.
us.af.mil. 5 IN NS langley-ns10.afnoc.af.mil.
us.af.mil. 5 IN NS peterson-ns10.afnoc.af.mil.

;; Received 188 B
;; Time 2020-06-25 23:32:09 EDT
;; From 127.0.0.1@53(UDP) in 156.9 ms

kdig us.af.mil @127.0.0.1 MX
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 55917
;; Flags: qr rd ra; QUERY: 1; ANSWER: 11; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; us.af.mil. IN MX

;; ANSWER SECTION:
us.af.mil. 39 IN MX 10 pri-usaf-eemsg.eemsg.mail.mil.
us.af.mil. 39 IN MX 20 scott-mail4.afnoc.af.mil.
us.af.mil. 39 IN MX 20 scott-mail5.afnoc.af.mil.
us.af.mil. 39 IN MX 20 scott-mail6.afnoc.af.mil.
us.af.mil. 39 IN MX 20 scott-mail7.afnoc.af.mil.
us.af.mil. 39 IN MX 20 scott-mail8.afnoc.af.mil.
us.af.mil. 39 IN MX 20 wpafb-mail4.afnoc.af.mil.
us.af.mil. 39 IN MX 20 wpafb-mail5.afnoc.af.mil.
us.af.mil. 39 IN MX 20 wpafb-mail6.afnoc.af.mil.
us.af.mil. 39 IN MX 20 wpafb-mail7.afnoc.af.mil.
us.af.mil. 39 IN MX 20 wpafb-mail8.afnoc.af.mil.

;; Received 358 B
;; Time 2020-06-25 23:32:12 EDT
;; From 127.0.0.1@53(UDP) in 47.7 ms

Kris von Mach
@krismach_gitlab
This is default install of Knot Resolver 5.1.1 from opensuse depo on latest debian
Vladimír Čunát
@vcunat
Thanks, that seems to be a bug on our side.
Vladimír Čunát
@vcunat
@krismach_gitlab: I'm sorry, this bug won't be solved in this week's release. I'm tracking it in this issue. I posted two possible work-arounds there, too.
Kris von Mach
@krismach_gitlab
@vcunat: Thank you, I'll use the workaround for now
waclaw66
@waclaw66
Ahoj. Mám problém s Knot Resolverem 5.1.1 na FC32, nepřekládá některé wilcard subdomény (CNAME) třetího řádu pokud se použije resolver od Cloudflare, vrací SERVFAIL. Ostatní resolvery fungují bez problému, nezdá se mi, že by to bylo nastavením doménového záznamu. https://pastebin.com/qxGCCdWc Předem díky za pomoc!
Vladimír Čunát
@vcunat

@waclaw66: řádka

kresd[1985961]: [64036.16][iter]   <= rcode: SERVFAIL

říká že SERVFAIL přišel od 1.1.1.1.

waclaw66
@waclaw66
@vcunat příkaz nslookup sub.domena.com 1.1.1.1 ale vždy vrací adresu správně :/
Vladimír Čunát
@vcunat
Mně se to neděje vůbec.
waclaw66
@waclaw66
jde ještě nějak jinak ověřit, že problém není v kresd ale u Cloudflare?
Vladimír Čunát
@vcunat
Provoz z kresd k 1.1.1.1 lze zachytit přes tcpdump/wireshark.
waclaw66
@waclaw66
hláška range search found stale or insecure entry se mi moc nezdá
Vladimír Čunát
@vcunat
To je normální stav.
Ne vždy se v cachi najde vhodný záznam.