Vladimír Čunát
@vcunat

I don't want to restart kresd every time the vpn connects or disconnects, because the cache gets zeroed each time.

The cache does not get zeroed (by default) in kresd.

It's stored in /var/cache/knot-resolver/ which is usually even persistent across system restarts, though some set it up in a tmpfs instead.
Vladimír Čunát
@vcunat
Therefore, it's usually much easier to do the restarts instead of some dynamic reconfiguration.
Vladimír Čunát
@vcunat

(why don't the # or __len functions work on net.interfaces()?)

That's a property of Lua. It's not a "list table" (indices 1, 2, ...) but a table indexed by strings (the interface names).

tobiww
@tobiww
Good to know. I had timed 4 queries (lookup (uncached), lookup (cached), restart, lookup, lookup). The second and fourth were 0ms, as expected. The third one, right after restart, was 123ms, which was on the order of the first uncached lookup, but maybe the time was due to loading the cache file. I repeated the experiment with two different domains, using domain A to "reload" the cache. The first lookup of domain B after that was as fast as a cached lookup, confirming that the cache persists across restarts.
Petr Špaček
@pspacek
@tobiww Hi. In general you can keep intermediate results and modify internal state of functions in so-called "upvalues", which is yet another feature of Lua.
I suggest an approach like this:
-- Build both actions once at load time; they become upvalues of the rule below.
-- The {...} target lists are left as in the original message (fill in your own).
local fwd_public = policy.TLS_FORWARD({...})
local fwd_vpn = policy.FORWARD({...})
-- Hypothetical placeholder (not in the original): replace with your own VPN check.
local function on_vpn()
    return false
end
local function vpn_aware_forward(request, query)
    if on_vpn() then
        return fwd_vpn
    else
        return fwd_public
    end
end
-- Register the rule so kresd evaluates it for each query.
policy.add(vpn_aware_forward)
Every call to policy.TLS_FORWARD has some cost because it has to load TLS certificates etc., so it is better to avoid repeating it.
Fred
@Fred81_gitlab
Is there a way to use TLS_FORWARD for all domains except for uribl.com, which I want to recurse?
Petr Špaček
@pspacek
Yes there is - policy is an ordered list so you can combine policy.PASS and put policy.TLS_FORWARD afterwards.
Fred
@Fred81_gitlab
thanks for the pointer!
stevelr
@stevelr

This list was really helpful for me getting started and learning about knot-resolver. I want to say thanks, and return the favor by open-sourcing the config files and scripts I ended up with.

https://github.com/stevelr/knot-resolver-config

  • kresd.conf
    serves as another example of a working configuration, with some additional capabilities:

    • dynamic vpn switching
    • support for the bash scripts (below)
  • knot_resolver.sh
    contains a few useful bash/zsh functions (clear cache, override forwarding, reset forwarding, dump stats, ...)

  • README.md has
    installation instructions with a little more detail than I found elsewhere, including how to find/update the URLhaus abuse.ch database, how to generate the certificate file, and a couple of tricks for dealing with captive portals

Please check it out! Feedback and suggestions are most welcome!
Vladimír Čunát
@vcunat
  • knot_resolver.sh: I would avoid screen-scraping and suggest e.g. tojson(stats.list()) instead (you should be able to apply it to anything).
Petr Špaček
@pspacek
Yeah, screen scraping is a terrible idea. The human-readable format is not stable.
stevelr
@stevelr
Agreed - fixed!
mrvne
@mrvne

Hello guys,

I'm wondering if it's possible to blackhole AAAA records or return NXDOMAIN? I want to keep A records working, but blackhole some selected AAAAs.

Petr Špaček
@pspacek
Blackhole, i.e. dropping DNS answers, is intentionally not supported. DNS is a query-response protocol, so not answering is not legal.
It is possible to replace answer with something else. What exactly are you trying to achieve?
mrvne
@mrvne
Replacing the answer would probably help too.
Robert Šefr
@robcza
Thank you for the release of Knot Resolver 5.1.3
I'm wondering whether this point "support building against Knot DNS 3.0 (!1053)" also somehow enables the performance enhancement from Knot DNS 3.0 "High-performance networking mode using XDP sockets (requires Linux 4.18+)" or not.
Vladimír Čunát
@vcunat
@robcza: it does not.
Robert Šefr
@robcza
understood :)
Vladimír Čunát
@vcunat
The XDP work was originally started for resolver (a year ago), but release-wise it's the other way.
Robert Šefr
@robcza
It just caught my eye. But if I understand it, the XDP support will be added to resolver as well sooner or later
Vladimír Čunát
@vcunat
Yes, certainly. There's mainly configuration interface missing and such details.
I thought you used VMs or containers, and for now I'm not sure how XDP applies there, though at least in theory the API can be used to significantly decrease the price paid for passing through such additional layers.
Petr Špaček
@pspacek
@robcza XDP support on our side will require change in API for modules, see https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/985
Vladimír Čunát
@vcunat
(I didn't verify it now, but I can't recall anything relevant changing in the meantime.)
Micah
@micah_gitlab
Hello, it seems there is something wrong with the repository for Debian_10. The Packages file lists the size of the package knot-resolver_5.1.3-1_amd64.deb as 293328 bytes, but if you download the actual package you find that it is 293436 bytes in size.
matrixbot
@matrixbot
tkrizek Hi, does it actually break something?
tkrizek OBS is a huge mess when it comes to details like this. It's the reason their Arch packages are unusable..
tkrizek It might also be some transient artifact caused by out of sync metadata vs published packages.
tkrizek You could report it to OBS, but I doubt they're going to fix it if it doesn't break something. This issue might be related openSUSE/open-build-service#1130
Micah
@micah_gitlab
yes, it does break the ability to install the package
apt will refuse to install a package that does not validate; in this case the size is different from the signed version of the file.
  File has unexpected size (293436 != 293328). Mirror sync in progress? [IP: 198.252.153.38 9999]
  Hashes of expected file:
   - SHA256:68d47a8488987a9da8a3ea89523f92a67415bc8c2f8f3ed2f66817f3f1697a2d
   - SHA1:d272ecc5c32c0e4c1256fa99a63c019a53df8eb9 [weak]
   - MD5Sum:001f79ad908b7b65df715b7cea1d24c0 [weak]
   - Filesize:293328 [weak]
That is what you get, and it will fail to proceed. Ignoring this is a security problem.
If the hash of the file differs from the hash in the file that has been signed by the archive, that means that the file is different than it should be.
And apt is doing the right thing by refusing to install something that is not cryptographically authenticated.
matrixbot
@matrixbot
tkrizek I might be hitting a different mirror, but when I try to install the package for Debian 10 in Docker, it works
look inside of it, and look for the knot-resolver section, and find the Size that is listed
matrixbot
@matrixbot
tkrizek I see the difference there, I'm just trying to figure out if the Packages file that was downloaded in my docker container is the same, or somehow different