Knot Resolver: Resolve DNS names like it's 2021! https://www.knot-resolver.cz/support/
nixopsConfigurations.default = {
  nixpkgs = nixpkgs // {
    # Overlay the pinned nixpkgs so that the knot-resolver package is built
    # with its optional features enabled (extraFeatures = true).
    legacyPackages.${builtins.currentSystem} = import nixpkgs {
      system = builtins.currentSystem;
      overlays = [
        (final: prev: {
          knot-resolver = prev.knot-resolver.override { extraFeatures = true; };
        })
      ];
    };
  };
}
Probably not. I don't think there's anything special really, except for the case of DNSSEC-validated negative answers, as they may be utilized to answer requests on different names as well.
Perhaps you're running into something like this? https://knot-resolver.readthedocs.io/en/stable/modules-policy.html#replacing-part-of-the-dns-tree
Hi, I wanted to enable the http module, but I get a weird error:
stack traceback:
[C]: in function 'load'
/usr/lib/knot-resolver/sandbox.lua:165: in function '__newindex'
/usr/lib/knot-resolver/sandbox.lua:422: in function '__newindex'
/etc/knot-resolver/kresd.conf:27: in main chunk
ERROR: No such file or directory (workdir '/var/lib/knot-resolver')
I've also installed lua-http, and the /var/lib/knot-resolver folder exists. I'm using Ubuntu 20.04.
lua-http.
Hi, I've used Knot-Resolver for a bit, but today we had an interesting issue which I was not able to resolve, wherein cdc.gov worked but www.cdc.gov gave NXDOMAIN. I even ran clear-cache() on the kresd command line, which seemed to work (to clear), but still the same issue persists. I was using 1.1.1.1 as the upstream resolver in /etc/resolv.conf and tried 8.8.8.8 to no success. I switched off knot and set up bind (which we had used previously), and resolving www.cdc.gov worked there. I would really rather use knot just because it's more "modern" than bind, but I can't argue with results (www.cdc.gov works).
DIG comparison: https://pastebin.com/gSy8pf1h
stats.set(key, val), but it seems that the command doesn't work at all .. only Nil answers .. example:
> stats.set("answer.total", 12121)
Nil
stats.get still shows old data ..
subsub.dom.ain.com) to server 1.2.3.4, then I only expect the queries for that suffix to go through server 1.2.3.4. DS records need to be fetched for the subdomains in between, let's say com, then for ain.com, then for dom.ain.com, that it also forwards those DS queries to the 1.2.3.4 server?
subsub.dom.ain.com. As far as I understand, the DNSSEC wouldn't have to be broken, but the Knot Resolver forwards these key requests to 1.2.3.4 as well, and if the server refuses to provide them (because it does not serve ain.com, for example), the query is over.
policy.FORWARD expect a resolver?
DS com example.
policy.FORWARD, and from time to time, it needed to fetch the DS for one of the subs, probably because the cache has expired, and all the requests suddenly started failing. I'm using STUB now but I'm not too happy about it.
Yes. Note that you need to put that rule before the FORWARD (which is a non-chain action).
You also want to make the cache small, cache.size = 1*MB; if it's in tmpfs, it always consumes its size of RAM, though it's swappable. And I'd consider just leaving the cache small without disabling it.
Hi! Sorry to bother you guys again, but I'm doing a new deploy of a Knot-Resolver and I'm getting a strange error. I'm using:
-- Query names are assigned (grouped by public suffix) to one of the
-- DNS-over-TLS upstreams below; this is the documented policy.slice form.
policy.add(policy.slice(
    policy.slice_randomize_psl(),
    policy.TLS_FORWARD({
        {'91.239.100.100', hostname='anycast.censurfridns.dk'},
    }),
    policy.TLS_FORWARD({
        {'198.251.90.91', hostname='uncensored.any.dns.nixnet.xyz'},
    }),
    policy.TLS_FORWARD({
        {'193.17.47.1', hostname='odvr.nic.cz'},
        {'185.43.135.1', hostname='odvr.nic.cz'},
    }),
    policy.TLS_FORWARD({
        {'95.216.24.230', hostname='fi.dot.dns.snopyta.org'},
    }),
    policy.TLS_FORWARD({
        {'45.90.57.121', hostname='dot-ch.blahdns.com'},
        {'192.53.175.149', hostname='dot-sg.blahdns.com'},
        {'78.46.244.143', hostname='dot-de.blahdns.com'},
        {'95.216.212.177', hostname='dot-fi.blahdns.com'},
    }),
    policy.TLS_FORWARD({
        {'116.202.176.26', hostname='dot.libredns.gr'},
    })
))
And I'm getting SERVFAIL with every request. I've already checked my ca-certificates. Normal resolving to the root servers works without a problem. Thanks for any advice!
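As an added check that is not part of the original post or of Knot Resolver itself: the script below queries two of the posted DoT upstreams directly, with the same certificate and hostname verification kresd would apply, so a broken CA chain or a dead upstream can be told apart from a kresd policy problem. It assumes the system CA store used by Python is the one kresd reads; the upstream addresses are taken from the posted configuration.

```python
import socket, ssl, struct

# Two upstreams taken from the posted TLS_FORWARD config: (address, TLS hostname).
UPSTREAMS = [("91.239.100.100", "anycast.censurfridns.dk"),
             ("193.17.47.1", "odvr.nic.cz")]
TXID = 0x1234  # fixed transaction id; fine for a one-shot diagnostic

def build_query(name, qtype=1):
    """Minimal DNS query for `name` (RD set, no EDNS); qtype 1 is A."""
    header = struct.pack(">HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def parse_rcode(msg):
    """RCODE of a response to our query, or None if it is not such a response."""
    if len(msg) < 12:
        return None
    rid, flags = struct.unpack(">HH", msg[:4])
    if rid != TXID or not flags & 0x8000:  # QR bit must be set
        return None
    return flags & 0x000F  # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN

def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the connection early")
        buf += chunk
    return buf

def dot_query(addr, hostname, name, timeout=5.0):
    """One DNS-over-TLS query (RFC 7858: TLS on 853, 2-byte length prefix)."""
    ctx = ssl.create_default_context()  # system CA store, hostname verification on
    with socket.create_connection((addr, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            q = build_query(name)
            tls.sendall(struct.pack(">H", len(q)) + q)
            (length,) = struct.unpack(">H", recv_exact(tls, 2))
            return parse_rcode(recv_exact(tls, length))

if __name__ == "__main__":
    for addr, host in UPSTREAMS:
        try:
            print(addr, host, "rcode", dot_query(addr, host, "example.com"))
        except (ssl.SSLError, OSError) as err:  # cert/hostname failure or network error
            print(addr, host, "FAILED:", err)
```

An upstream that answers rcode 0 here while kresd still returns SERVFAIL points at the resolver configuration rather than at the TLS trust chain.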