Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
Elctro
@Elctro
Hello. I am having difficulties with dnstap module, specifically with grpc endpoint, which requires "The unix socket and the socket reader must be present before starting resolver instances.". When my socket reader crashes and is restarted, it no longer receives data. Do you have any recommendation how to approach this problem? I'd like to avoid resolver restarts.
Vladimír Čunát
@vcunat
Maybe some utility like socat could solve this... but I'd expect that just unloading and reloading the module is enough.
Elctro
@Elctro
Thanks
Petr Špaček
@pspacek
In any case resolver restart can be made zero-downtime: https://knot-resolver.readthedocs.io/en/latest/systemd-multiinst.html#zero-downtime-restarts
Kris von Mach
@krismach_gitlab

I'm having trouble resolving spam.molax.co.kr but it works with 1.1.1.1. Any ideas as to what might be an issue?

kdig spam.molax.co.kr
;; WARNING: response timeout for 127.0.0.1@53(UDP)
;; WARNING: response timeout for 127.0.0.1@53(UDP)

kdig spam.molax.co.kr @193.17.47.1
;; WARNING: response timeout for 193.17.47.1@53(UDP)
;; WARNING: response timeout for 193.17.47.1@53(UDP)

kdig spam.molax.co.kr @1.1.1.1
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 23320
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; spam.molax.co.kr. IN A

;; ANSWER SECTION:
spam.molax.co.kr. 1024 IN A 211.105.253.26

;; Received 50 B
;; Time 2020-11-16 13:23:19 EST
;; From 1.1.1.1@53(UDP) in 2.2 ms

Petr Špaček
@pspacek
Their authoritative servers seem to be broken: 
[65536.17][resl]   => id: '26902' querying: '211.105.253.20#00053' score: 10 zone cut: 'molax.co.kr.' qname: 'SPAM.mOLaX.CO.kR.' qtype: 'A' proto: 'udp'
[65536.17][iter]   <= answer received: 
;; ->>HEADER<<- opcode: QUERY; status: FORMERR; id: 26902
;; Flags: qr cd  QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused

;; QUESTION SECTION
spam.molax.co.kr.        A

;; ADDITIONAL SECTION
[65536.17][iter]   <= rcode: FORMERR
Interesting, maybe they just do not support EDNS or something like that.
Petr Špaček
@pspacek
Ah right, dig @211.105.253.20 SPAM.mOLaX.CO.kR. explodes with FORMERR but dig +noedns @211.105.253.20 SPAM.mOLaX.CO.kR. actually works.
Maybe we have a bug in FORMERR fallback when EDNS is not supported. Thank you for reporting this!
@krismach_gitlab As a workaround for now you can put this line into your config file: 
policy.add(policy.suffix(policy.FLAGS({'SAFEMODE'}), {todname('spam.molax.co.kr.')}))
Sorry for inconvenience!
Kris von Mach
@krismach_gitlab
thank you for your help @pspacek
mrvne
@mrvne
Hello, is knot-resolver debian repo currently down? Failed to fetch http://download.opensuse.org/repositories/home:/CZ-NIC:/knot-resolver-latest/Debian_10/InRelease Could not connect to download.opensuse.org:80 (2001:67c:2178:8::13), connection timed out same for IPv4
matrixbot
@matrixbot
tkrizek Seems like it - someone hinted about an outage of Nurnberg openSUSE datacenter in #opensuse-buildservice an hour ago
Vladimír Čunát
@vcunat
I confirm download.opensuse.org appears to be down from my point as well.
matrixbot
@matrixbot
tkrizek https://status2.opensuse.org/
mrvne
@mrvne
sad :/
Jörg Thalheim
@Mic92
How does one create acme certificates for doh2? https://github.com/NixOS/nixpkgs/pull/103633#issuecomment-732082513 Before I had nginx running in front of kresd
cc @vcunat
Should I open a ticket for this? I see this as a major issue when deploying kresd with http2.
matrixbot
@matrixbot
tkrizek kresd doesn't handle ACME, you must use some external client for it and then either a) restart kresd, or b) call net.tls() again to reload certificates (via control sockets)
mrvne
@mrvne
Is it somehow possible to log blocked queries for each source IP? I know that you can lookup total "answer.nxdomain" stats from control socket, but I want to get it for each user.
Vladimír Čunát
@vcunat
@mrvne: there's nothing ready for that.
but it's lua, so you can e.g. wrap the blocking function by one that adds counts into some global table or something.
(not every nxdomain will be from a block)
Policy rules have a counter for each rule (not per-user).
mrvne
@mrvne
where can I list/view the policy rule counter?
Vladimír Čunát
@vcunat
policy.rules[1].count (for the first rule)
The callbacks of rules are general lua functions, so you can't introspect them... so this way it isn't very user-friendly.
But policy.add() returns reference to the added rule, so you can track it that way.
mrvne
@mrvne
i see.. by wrapping the blocking function you mean wrapping the policy rule? because I'm not using any blocking function. Its just the policy with an .rpz file full of domains
Vladimír Čunát
@vcunat
Well... yes, it's a little mind-bending perhaps, but you can make a wrapper for the function returned from the blocking action that you use inside - probably the one returned from policy.DENY_MSG() call - it will only get called when that blocking happens.
The function takes two parameters (which you'd better pass through) and the second one is of type kr_request, so it contains e.g. .qsource.addr which is the requestor's address (as C structure; == nil for internal ones)
mrvne
@mrvne
I've found something similar, but thats not working due to changes in newer version of knot.
-- start of config snippet
function LOG_IP(state, req)
    req = kres.request_t(req)
    if req.qsource == nil or req.qsource.addr == nil then
        -- internal request, no source
        return state end
    print('query from IP ' .. tostring(req.qsource.addr))
    return -- continue with other policy rules
end

policy.add(policy.all(LOG_IP))
-- end of config snipper
Petr Špaček
@pspacek
What specifically does not work? It works for me on version 5.2.0.
mrvne
@mrvne
Thats veeeery strange. It did spit errors before, do not remember them now but just tested it again and this snippet worked now :))) haha
Okei thats a step forward. What should I modify in this snippet to get the blocked domain next to the IP?
Vladimír Čunát
@vcunat
req:initial():name()
mrvne
@mrvne
works great, will try to expand it more to my needs. thanks so far!
Vladimír Čunát
@vcunat
:-)
Petr Špaček
@pspacek
@mrvne Once you are done please share the final solution so everyone can learn something.
mrvne
@mrvne
sure! :)
mrvne
@mrvne
i've added DENY_MSG to my policy, but how can I read the TXT record after? I'm trying to check if it has the specified value
Vladimír Čunát
@vcunat
Read? You mean like this?
$ kdig @odvr.nic.cz -x 10.0.0.1
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 1538
;; Flags: qr aa rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 1

;; QUESTION SECTION:
;; 1.0.0.10.in-addr.arpa.               IN      PTR

;; AUTHORITY SECTION:
1.0.0.10.in-addr.arpa.  10800   IN      SOA     1.0.0.10.in-addr.arpa. nobody.invalid. 1 3600 1200 604800 10800

;; ADDITIONAL SECTION:
explanation.invalid.    10800   IN      TXT     "Blocking is mandated by standards, see references on https://www.iana.org/assignments/locally-served-dns-zones/locally-served-dns-zones.xhtml"

;; Received 262 B
;; Time 2020-11-24 18:39:07 CET
;; From 2001:148f:fffe::1@53(UDP) in 20.6 ms
mrvne
@mrvne
No no :) I mean read it afterwards with LUA. I'm trying to print only domains that are "blocked". That means I could check if they have the specified TXT record and print them, if not just do nothing.
Vladimír Čunát
@vcunat
If you're calling/inside DENY_MSG, you always block.
If you don't block, you don't get that far.
mrvne
@mrvne
policy.DENY_MSG only accepts a string, no action. How should I run it inside it? Or do I misunderstand something here?