Petr Špaček
@pspacek
Even more interesting. I have no idea what is going on. This error likely comes from kernel so we would have to go dig into kernel sources :-(
pguizeline
@pguizeline
Hi! I'm trying to use the resolver with RPZ and I'm getting the following error:
[poli] RPZ /etc/knot-resolver/blocklist.rpz:95939: invalid number
Maybe it's a parsing error on the file I'm generating? I've looked at the affected line and it looks okay, like the rest of the file. I can't find anything in the docs about this error. Thanks in advance for any help!
Vladimír Čunát
@vcunat
I can't remember seeing such an error. Can you post the problematic DNS record? (a single line probably)
pguizeline
@pguizeline
Sure!
line 95939:
55 broadcasthost CNAME .
There it is, there's a dot missing :P
It should read "55.broadcasthost" I guess
pguizeline
@pguizeline
It's actually a parsing error from:
255.255.255.255 broadcasthost
Used on hosts type lists
Vladimír Čunát
@vcunat
:-)
pguizeline
@pguizeline
One last question, do I need to stop && start the kresd service after updating the rpz file?
And thanks for your fast reply as always! I just love this software!
Vladimír Čunát
@vcunat
Depending on packaging, it should auto-reload on file change already.
Well, the default depends on whether lua-cqueues is available during runtime.
Most packages have it as dependency nowadays, I think.
pguizeline
@pguizeline
I'm using the latest Debian package from your repos, so I guess it's perfect! :)
Vladimír Čunát
@vcunat
With verbose logging it should report [poli] RPZ reloading: filename
pguizeline
@pguizeline
I'll look it up! Thanks again!
pguizeline
@pguizeline
Hi! Sorry to bother you guys again, I've managed to fix everything and now knot-resolver is working perfectly! Regarding the control socket interaction, if I don't use verbose logging it's impossible to list the servfail responses, right? I mean domain by domain, not just the amount.
Vladimír Čunát
@vcunat
Right. Perhaps you want (mainly) DNSSEC failures? https://knot-resolver.readthedocs.io/en/stable/modules-bogus_log.html
pguizeline
@pguizeline
Not exactly, I would like to list the servfail responses, domains and all, but that's just too specific, I'll turn on verbose logging and parse it I guess :). As always, thanks for the help!
Vladimír Čunát
@vcunat
I'd rather use something based on tcpdump than on verbose logging, but if it works for you...
Petr Špaček
@pspacek
@pguizeline It depends on what you want to log. Various configurations of https://knot-resolver.readthedocs.io/en/v5.1.2/modules-policy.html can produce different logs. It is possible to print verbose log ex-post for failed requests, or to only log query domain + query type for failed requests etc.
tobiww
@tobiww

I replaced a complicated setup on my laptop with dnsmasq, stubby, and resolvconf with knot-resolver. It's so much simpler! The only thing missing is that there used to be a resolver hook that changed the DNS server if I'm on the VPN.

Here's my first attempt that seems to work:

-- relevant parts of kresd.conf
function vpn_aware_forward (request, query)
  local ni = net.interfaces()
  if ni.tun0 == nil then
      print("non-vpn answer")
      return policy.TLS_FORWARD({
        {'9.9.9.9', hostname='dns.quad9.net', ca_file='/etc/pki/ca-trust/extracted/tls-ca-bundle.pem'},
        {'2620:fe::fe', hostname='dns.quad9.net', ca_file='/etc/pki/ca-trust/extracted/tls-ca-bundle.pem'},
      })
  else
      print("VPN answer")
      return policy.FORWARD({'10.64.0.1'})
  end
end

-- Forward all queries for 'mydomain.net' to given resolver
policy.add(policy.suffix(policy.FORWARD('10.10.1.1'), {todname('mydomain.net')}))

-- Forward everything else to quad9, or vpn server if vpn is active
policy.add(vpn_aware_forward)

I don't want to restart kresd every time the vpn connects or disconnects, because the cache gets zeroed each time.

I haven't used lua before so it took a bit of stumbling around to get this far. I figured out how to do a mini-benchmark and found that net.interfaces() takes less than 1ms on my machine, so as long as it doesn't take long to update the policy table, I'm not worried about the time delay imposed by the dynamic function in every dns lookup.

I suspect that a more efficient implementation would send a script to the /run/knot-resolver/controller/n socket, upon every network change, that removes and replaces the policy-forwarder list. That should allow the server to be better at figuring out which forwarders have better response time, for example. I made some attempts but got stuck by the fact that I don't know Lua. (Why don't the # or __len functions work on net.interfaces()?)

I'd appreciate any suggestions. I searched web and github for quite a while but found only one example of a dynamic resolver function - a 2018 article by @da2x

Vladimír Čunát
@vcunat

I don't want to restart kresd every time the vpn connects or disconnects, because the cache gets zeroed each time.

Cache does not get zeroed (by default) in kresd.

It's stored in /var/cache/knot-resolver/ which is usually even persistent across system restarts, though some set it up in a tmpfs instead.
Vladimír Čunát
@vcunat
Therefore, it's usually much easier to do the restarts instead of some dynamic reconfiguration.
Vladimír Čunát
@vcunat

(why don't the # or __len functions work on net.interfaces()?)

That's property of lua. It's not a "list table" (indices 1, 2, ...) but a table indexed by strings (the interface names).

tobiww
@tobiww
Good to know. I had timed 4 queries (lookup (uncached), lookup(cached), restart, lookup, lookup). The second and fourth were 0ms, as expected. The third one, right after restart, was 123ms, which was on the order of the first uncached lookup, but maybe the time was due to loading the cache file. I repeated the experiment with two different domains, using domain A to "reload" the cache. The first lookup of domain B after that was as fast as a cached lookup, confirming that the cache persists across restarts.
Petr Špaček
@pspacek
@tobiww Hi. In general you can keep intermediate results and modify internal state of functions in so-called "upvalues", which is yet another feature of Lua.
I suggest approach like this:
-- Build each forwarder once at config load; TLS_FORWARD loads certificates.
local fwd_public = policy.TLS_FORWARD({...})
local fwd_vpn = policy.FORWARD({...})
function vpn_aware_forward (request, query)
    -- Same VPN test as in the snippet above: tun0 present means the VPN is up.
    if net.interfaces().tun0 ~= nil then
        return fwd_vpn
    else
        return fwd_public
    end
end
Every call to policy.TLS_FORWARD has some cost because it has to load TLS certificates etc. so it is better to avoid repeating it.
Fred
@Fred81_gitlab
Is there a way to use TLS_FORWARD for all domains except for uribl.com, which I want to recurse?
Petr Špaček
@pspacek
Yes there is - policy is an ordered list so you can combine policy.PASS and put policy.TLS_FORWARD afterwards.
Fred
@Fred81_gitlab
thanks for the pointer!
stevelr
@stevelr

This list was really helpful for me getting started and learning about
knot-resolver. I want to say thanks,
and return the favor by open-sourcing the config files
and scripts I ended up with.

https://github.com/stevelr/knot-resolver-config

  • kresd.conf
    serves as another example of a working configuration, with
    some additional capabilities:

    • dynamic VPN switching
    • support for the bash scripts (below)
  • knot_resolver.sh
    contains a few useful bash/zsh functions
    (clear cache, override forwarding, reset forwarding, dump stats, ...)

  • README.md has
    installation instructions with a little more detail than I found
    elsewhere, including how to find/update the URLhaus abuse.ch database,
    how to generate the certificate file, and a couple tricks for
    dealing with captive portals

Please check it out! Feedback and suggestions are most welcome!
Vladimír Čunát
@vcunat
  • knot_resolver.sh: I would avoid screen-scraping and suggest e.g. tojson(stats.list()) instead (you should be able to apply it to anything).
Petr Špaček
@pspacek
Yeah, screen scraping is a terrible idea. The human-readable format is not stable.
stevelr
@stevelr
Agreed - fixed!
mrvne
@mrvne

Hello guys,

I'm wondering if it's possible to blackhole AAAA records or return NXDOMAIN? I want to keep A records working, but blackhole some selected AAAAs.

Petr Špaček
@pspacek
Blackhole, i.e. dropping DNS answers is intentionally not supported. DNS is query-response protocol and so not answering is not legal.
It is possible to replace answer with something else. What exactly are you trying to achieve?
mrvne
@mrvne
Replacing the answer would probably help too.
Robert Šefr
@robcza
Thank you for the release of Knot Resolver 5.1.3
I'm wondering whether this point "support building against Knot DNS 3.0 (!1053)" also somehow enables the performance enhancement from Knot DNS 3.0 "High-performance networking mode using XDP sockets (requires Linux 4.18+)" or not.