Petr Špaček
@pspacek
Sorry for the inconvenience!
Kris von Mach
@krismach_gitlab
thank you for your help @pspacek
mrvne
@mrvne
Hello, is the knot-resolver Debian repo currently down? Failed to fetch http://download.opensuse.org/repositories/home:/CZ-NIC:/knot-resolver-latest/Debian_10/InRelease Could not connect to download.opensuse.org:80 (2001:67c:2178:8::13), connection timed out. Same for IPv4.
matrixbot
@matrixbot
tkrizek Seems like it - someone hinted about an outage of Nurnberg openSUSE datacenter in #opensuse-buildservice an hour ago
Vladimír Čunát
@vcunat
I confirm download.opensuse.org appears to be down from my point as well.
mrvne
@mrvne
sad :/
Jörg Thalheim
@Mic92
How does one create ACME certificates for doh2? https://github.com/NixOS/nixpkgs/pull/103633#issuecomment-732082513 Before, I had nginx running in front of kresd.
cc @vcunat
Should I open a ticket for this? I see this as a major issue when deploying kresd with http2.
matrixbot
@matrixbot
tkrizek kresd doesn't handle ACME, you must use some external client for it and then either a) restart kresd, or b) call net.tls() again to reload certificates (via control sockets)
mrvne
@mrvne
Is it somehow possible to log blocked queries for each source IP? I know that you can look up total "answer.nxdomain" stats from the control socket, but I want to get it for each user.
Vladimír Čunát
@vcunat
@mrvne: there's nothing ready for that.
but it's Lua, so you can e.g. wrap the blocking function by one that adds counts into some global table or something.
(not every nxdomain will be from a block)
Policy rules have a counter for each rule (not per-user).
mrvne
@mrvne
where can I list/view the policy rule counter?
Vladimír Čunát
@vcunat
policy.rules[1].count (for the first rule)
The callbacks of rules are general Lua functions, so you can't introspect them... so this way it isn't very user-friendly.
But policy.add() returns a reference to the added rule, so you can track it that way.
mrvne
@mrvne
I see.. by wrapping the blocking function you mean wrapping the policy rule? Because I'm not using any blocking function. It's just the policy with an .rpz file full of domains.
Vladimír Čunát
@vcunat
Well... yes, it's a little mind-bending perhaps, but you can make a wrapper for the function returned from the blocking action that you use inside - probably the one returned from policy.DENY_MSG() call - it will only get called when that blocking happens.
The function takes two parameters (which you'd better pass through) and the second one is of type kr_request, so it contains e.g. .qsource.addr which is the requestor's address (as a C structure; == nil for internal ones).
mrvne
@mrvne
I've found something similar, but that's not working due to changes in a newer version of knot.
-- start of config snippet
function LOG_IP(state, req)
    req = kres.request_t(req)
    if req.qsource == nil or req.qsource.addr == nil then
        -- internal request, no source
        return state
    end
    print('query from IP ' .. tostring(req.qsource.addr))
    return -- continue with other policy rules
end

policy.add(policy.all(LOG_IP))
-- end of config snippet
Petr Špaček
@pspacek
What specifically does not work? It works for me on version 5.2.0.
mrvne
@mrvne
That's veeeery strange. It did spit errors before, I do not remember them now, but I just tested it again and this snippet worked now :))) haha
Okay, that's a step forward. What should I modify in this snippet to get the blocked domain next to the IP?
Vladimír Čunát
@vcunat
req:initial():name()
mrvne
@mrvne
Works great, I will try to expand it more to my needs. Thanks so far!
Vladimír Čunát
@vcunat
:-)
Petr Špaček
@pspacek
@mrvne Once you are done please share the final solution so everyone can learn something.
mrvne
@mrvne
sure! :)
mrvne
@mrvne
I've added DENY_MSG to my policy, but how can I read the TXT record afterwards? I'm trying to check if it has the specified value.
Vladimír Čunát
@vcunat
Read? You mean like this?
$ kdig @odvr.nic.cz -x 10.0.0.1
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 1538
;; Flags: qr aa rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 1

;; QUESTION SECTION:
;; 1.0.0.10.in-addr.arpa.               IN      PTR

;; AUTHORITY SECTION:
1.0.0.10.in-addr.arpa.  10800   IN      SOA     1.0.0.10.in-addr.arpa. nobody.invalid. 1 3600 1200 604800 10800

;; ADDITIONAL SECTION:
explanation.invalid.    10800   IN      TXT     "Blocking is mandated by standards, see references on https://www.iana.org/assignments/locally-served-dns-zones/locally-served-dns-zones.xhtml"

;; Received 262 B
;; Time 2020-11-24 18:39:07 CET
;; From 2001:148f:fffe::1@53(UDP) in 20.6 ms
mrvne
@mrvne
No no :) I mean read it afterwards with Lua. I'm trying to print only domains that are "blocked". That means I could check if they have the specified TXT record and print them; if not, just do nothing.
Vladimír Čunát
@vcunat
If you're calling/inside DENY_MSG, you always block.
If you don't block, you don't get that far.
mrvne
@mrvne
policy.DENY_MSG only accepts a string, no action. How should I run it inside it? Or do I misunderstand something here?
Vladimír Čunát
@vcunat
Perhaps paste your current state here? I suspect that will be easiest.
It's possible I misunderstand how you're using the parts at this moment.
mrvne
@mrvne
modules = {
        'policy',
        'view',
        'hints > iterate',
        'stats',
}

function LOG_IP(state, req)
        req = kres.request_t(req)
        if req.qsource == nil or req.qsource.addr == nil then
                -- internal request, no source
                return state
        end
        print('query from IP ' .. tostring(req.qsource.addr) .. tostring(req:initial():name()))
        return -- continue with other policy rules
end

view:addr('127.0.0.1', function (req, qry) return policy.PASS end)
policy.add(policy.rpz(policy.DENY_MSG('blocked'), '/etc/knot-resolver/blocked.rpz',true))
view:addr('127.0.0.1', policy.rpz(policy.DROP, '/etc/knot-resolver/blocked.rpz'))

policy.add(policy.all(LOG_IP))

-- Drop everything that hasn't matched
view:addr('0.0.0.0/0', function (req, qry) return policy.DROP end)
This logs everything now, but what I'm trying to achieve is printing only the blocked ones.
Vladimír Čunát
@vcunat

For example

policy.add(policy.rpz(LOG_IP, '/etc/knot-resolver/blocked.rpz',true))

(before the one with DENY_MSG)

As an optimization you can do DENY_MSG('blocked')(state, req) at the return line of LOG_IP to combine those two into one.
mrvne
@mrvne
Oh okay, I get it now...
mrvne
@mrvne
Somehow it's printing the output in a strange syntax:
query from IP 127.0.0.1#54600#005stats#001g#013doubleclick#003net
Any idea how to fix this?
Vladimír Čunát
@vcunat
The name is in wire-format. You can transform it by the kres.dname2str() function.
mrvne
@mrvne
> The name is in wire-format. You can transform it by the kres.dname2str() function.

Awesome
Petr Špaček
@pspacek
With probability on the edge of certainty it is a bug in your new module. I suggest you copy its pieces into the config file and test them one by one.