aflox
@aflox:matrix.org
[m]
actually, seems like using overlays in nixops is a bit broken atm
Vladimír Čunát
@vcunat
Ah, my knowledge of nixops in particular is basically none.
aflox
@aflox:matrix.org
[m]
yeah, it's also a new thing on master that I need specifically for flake support, so ... 🤷
aflox
@aflox:matrix.org
[m]
so FYI, this is the only way I could come up with, but it looks way too complicated to be intended
    nixopsConfigurations.default = {
      nixpkgs = nixpkgs // {
        legacyPackages.${builtins.currentSystem} = import nixpkgs {
          system = builtins.currentSystem;
          overlays = [
            (final: prev: {
              knot-resolver = prev.knot-resolver.override { extraFeatures = true; };
            })
          ];
        };
      };
    }
passing the package into the module would be a simpler option I think
Vladimír Čunát
@vcunat
Perhaps I'll add that. In normal NixOS packageOverrides seem to work fine for this, so the difference in complexity didn't seem so significant there and I didn't expose such option.
aflox
@aflox:matrix.org
[m]
well, given that flakes are quite a new concept and the nixops version that supports them is not even released yet, a few pitfalls are to be expected I guess
and the issue is not just with overlays, it also affects cross compiling and similar use cases that are probably not uncommon for nixops to support
aflox
@aflox:matrix.org
[m]
is there any documentation on how kres handles caching of negative results when using STUB or FORWARD if a record is not known by the recursive resolver?
Vladimír Čunát
@vcunat

Probably not. I don't think there's anything special really, except for the case of DNSSEC-validated negative answers, as they may be utilized to answer requests on different names as well.

Perhaps you're running into something like this? https://knot-resolver.readthedocs.io/en/stable/modules-policy.html#replacing-part-of-the-dns-tree

aflox
@aflox:matrix.org
[m]
no, I am actually trying to figure out an issue where the resolver does not follow up on a CNAME, specifically it won't resolve cache.nixos.org beyond the CNAME
Vladimír Čunát
@vcunat
Well, that's weird. I'm using NixOS behind kresd instances all the time and I can't recall experiencing something like that.
aflox
@aflox:matrix.org
[m]
yeah, I threw away the cache and now it resolves properly, hence the question about negative caching
Vladimír Čunát
@vcunat
When it happens again, it would be nice to get verbose logs from some of the failures.
3 replies
aflox
@aflox:matrix.org
[m]
I'll try to get one
Tamás NAGY
@yce_gitlab

Hi, I wanted to enable the http module, but I get a weird error:

stack traceback:
   [C]: in function 'load'
   /usr/lib/knot-resolver/sandbox.lua:165: in function '__newindex'
   /usr/lib/knot-resolver/sandbox.lua:422: in function '__newindex'
   /etc/knot-resolver/kresd.conf:27: in main chunk
 ERROR: No such file or directory (workdir '/var/lib/knot-resolver')

I've also installed lua-http, and the /var/lib/knot-resolver folder exists, I'm using ubuntu 20.04.

Georg
@teadur
what's on line 27 of kresd.conf?
Tamás NAGY
@yce_gitlab
'http', :) It's in the modules = {} list.
Travis Boss
@travisboss
anyone tried to turn the knot docker in to a compose file? I have most of it the way I want but I cannot get the ports to change to what I want through ports: and I'd like to also mount the /etc/knot-resolver but it says I do not have a valid kresd.conf in there. Thoughts?
Vladimír Čunát
@vcunat
@yce_gitlab: have you installed the knot-resolver-module-http package? It seems not.
That's what should also pull all requirements like lua-http.
Tamás NAGY
@yce_gitlab
Oh, right, I missed that, thanks, it looks okay now!
Georg
@teadur
yeah i was about to say that there were some dep
Julius Schwartzenberg
@jschwartzenberg
hi all, is it possible to do the selective routing trick described here with kresd? https://openwrt.org/docs/guide-user/services/tor/extras#selective_routing
3 replies
CHazz (Difides)
@CHazz
hi, I'm new to Knot-resolver :) and I would like to ask some questions ..
a) is it possible to get allowed / disallowed subnets from a file list?
b) is it possible to use something like in the config: include "subconfig.conf"; ?
thank you for the perfect work, I worked with almost all DNS resolvers/servers and Knot is the best :) thanks for the reply
3 replies
Tom Koch
@tomck

Hi, I've used Knot-Resolver for a bit but today we had an interesting issue which I was not able to resolve, wherein cdc.gov worked but www.cdc.gov gave NXDOMAIN. I even ran clear-cache() on kresd command line which seemed to work (to clear) but still the same issue persists. I was using 1.1.1.1 as the upstream resolver in /etc/resolv.conf and tried 8.8.8.8 to no success. I switched off knot and set up bind (which we had used previously), and resolving www.cdc.gov worked there. I would really rather use knot just because it's more "modern" than bind, but I can't argue with results (www.cdc.gov works).

DIG comparison: https://pastebin.com/gSy8pf1h

4 replies
Jörg Thalheim
@Mic92
@vcunat is it actually on purpose that knot-resolver only does http2 for doh? I just noticed it using telegraf for monitoring breaks with it.
2 replies
Jörg Thalheim
@Mic92
I am a lot happier with my setup since I switched to acme dns01 validation: https://github.com/Mic92/dotfiles/blob/b3913d8f8d399625054e662fa4c7fba539ad4ead/nixos/eve/modules/kresd.nix#L39 Then I can get certificates for kresd without having to bother with nginx running on the server.
3 replies
CHazz (Difides)
@CHazz
Hi, I have a small problem, maybe a bug .. I would like to use Graphite statistics .. when restarting they remain unchanged, that's fine. But on stop / start they are deleted ,, I wanted to solve this with the script stats.set(key, val), but it seems that the command doesn't work at all .. only nil answers .. example:
> stats.set("answer.total", 12121)
nil
and stats.get still shows the old data ..
any solution? Thanks :)
5 replies
Tom Koch
@tomck
Seems to be a typo here, the code does not work unless there's a comma after seconds. https://knot-resolver.readthedocs.io/en/stable/modules-prefill.html#mod-prefill
1 reply
beckhamaaa
@beckhamaaa
what is the meaning of zone cut in kresd?
1 reply
Jessy
@jvttr_gitlab
Hi, sorry if it not the best place for this. There is a typo on the doc
Accessing domains which are not available using recursion (e.g. if internal company servers return different anusers than public ones).
here : https://knot-resolver.readthedocs.io/en/stable/config-network-forwarding.html
1 reply
B. Cook
@bcookatpcsd
Hey all, newish to docker.. I thought I've been doing pretty good until czinc/knot-resolver.. docker run -Pti seems to be the only way it wants to run.. but then I'm dropped into the interactive prompt.. I tried making a docker run to only allow 53, but it still only seems to run via the -Pti..
Pavel Valach
@PaulosV
Hello everyone, I just want to confirm the behavior of Knot Resolver that I am seeing and that it's correct.
When I'm using forwarding (https://knot-resolver.readthedocs.io/en/stable/config-network-forwarding.html) for a certain suffix (e.g. subsub.dom.ain.com) to server 1.2.3.4, then I only expect the queries for that suffix to go through server 1.2.3.4.
But is it correct that if the DS records need to be fetched for the subdomains in between, let's say com, then for ain.com, then for dom.ain.com, that it also forwards those DS queries to the 1.2.3.4 server?
Pavel Valach
@PaulosV
Because I think that this behavior is currently breaking forwarding to purely authoritative nameservers, which only serve some part of the tree, specifically that lower subdomain subsub.dom.ain.com. As far as I understand, the DNSSEC wouldn't have to be broken, but the Knot Resolver forwards these key requests to 1.2.3.4 as well, and if the server refuses to provide them (because it does not serve ain.com, for example), the query is over.
In other words, does policy.FORWARD expect a resolver?
Vladimír Čunát
@vcunat
@PaulosV: yes, policy.FORWARD certainly assumes a resolver.
And what's more, in our current policy framework, you don't forward a subtree. You forward processing for the whole client's request, based on which subtree it belongs to (or based on other conditions). That's why the DS com example.
paulos
@paulos:im.su.cvut.cz
[m]
@vcunat: Ah, okay! Thanks for clarifying, I thought that was the case but wasn't sure. I've seen this happening with some of our internal subtrees, where I've been forwarding using policy.FORWARD, and from time to time, it needed to fetch the DS for one of the subs, probably because the cache has expired, and all the requests suddenly started failing. I'm using STUB now but I'm not too happy about it.
Vladimír Čunát
@vcunat
Technically, STUB is also meant for resolvers, but it should work in more cases than FORWARD.
paulos
@paulos:im.su.cvut.cz
[m]
Gotcha. I'm now thinking about this and I might be able to achieve the desired result using views and ACLs on both the authoritative server and the resolver. So that the authoritative server does not expose the internal subtree to clients outside of our network, and the resolver will refuse to resolve queries with a suffix when the subnet is not appropriate.
Robert Šefr
@robcza
Is there any way to get frequent slow queries from the stats module? It would be really helpful during a slow query spike.
Vladimír Čunát
@vcunat
@robcza: no, such information is currently not collected.
Ed
@ookangzheng
Is there any way to totally disable the cache? cuz I already have a cache on the upstream.
I'm using policy.add(policy.all(policy.FORWARD({'::1@5353', '127.0.0.1@5353'})))
Robert Šefr
@robcza
@ookangzheng just add the NO_CACHE flag like this (to all or to some specific subset):
policy.add(policy.all(policy.FLAGS({'NO_CACHE'})))
Vladimír Čunát
@vcunat

Yes. Note that you need to put that rule before the FORWARD (which is a non-chain action).

You also want to make the cache small (cache.size = 1*MB); if it's in tmpfs, it always consumes its size of RAM, though it's swappable. And I'd consider just leaving the cache small without disabling it.

Caching is utilized even within a single client's request, though off the top of my head I can't estimate how often that happens.
Kristian Klausen
@klausenbusk
Knot Resolver only supports HTTP/2 for DoH, which makes it impossible to run behind Nginx (Nginx doesn't support HTTP/2 upstreams). Is running a DoH server (e.g. Knot Resolver or Unbound) behind a reverse proxy generally a bad idea?
4 replies
pguizeline
@pguizeline

Hi! Sorry to bother you guys again, but I'm doing a new deploy of a Knot-Resolver and I'm getting a strange error. I'm using:

    -- the posted snippet showed only the arguments; the policy.add(policy.slice(...)) wrapper they belong in is assumed here
    policy.add(policy.slice(
        policy.slice_randomize_psl(),
        policy.TLS_FORWARD({
            {'91.239.100.100', hostname='anycast.censurfridns.dk'},
        }),
        policy.TLS_FORWARD({
            {'198.251.90.91', hostname='uncensored.any.dns.nixnet.xyz'},
        }),
        policy.TLS_FORWARD({
            {'193.17.47.1', hostname='odvr.nic.cz'},
            {'185.43.135.1', hostname='odvr.nic.cz'},
        }),
        policy.TLS_FORWARD({
            {'95.216.24.230', hostname='fi.dot.dns.snopyta.org'},
        }),
        policy.TLS_FORWARD({
            {'45.90.57.121', hostname='dot-ch.blahdns.com'},
            {'192.53.175.149', hostname='dot-sg.blahdns.com'},
            {'78.46.244.143', hostname='dot-de.blahdns.com'},
            {'95.216.212.177', hostname='dot-fi.blahdns.com'},
        }),
        policy.TLS_FORWARD({
            {'116.202.176.26', hostname='dot.libredns.gr'},
        })
    ))

And I'm getting SERVFAIL with every request. I've already checked my ca-certificates. Normal resolving to the root servers works without a problem. Thanks for any advice!

4 replies