You are not logged in.

#1 2018-11-08 22:13:25

jancici
Member
From: svk
Registered: 2011-12-04
Posts: 152

knot-resolver :: not able to configure

I would like to used knot-resolver on my router. At this moment I have dnsmasq as dhcp and dns cache. My idea is to use knot as dns cache resolver for my local network

as first step I did change port for dns in dnsmasq to 5353, for future I want to use dnsmasq to resolve local network names.

I did install knot-resolver and follow https://wiki.archlinux.org/index.php/Knot_Resolver

here is my config:

cat /etc/resolv.conf  
nameserver 127.0.0.1
cat /etc/knot-resolver/kresd.conf 
-- vim:syntax=lua:
-- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration

-- Load useful modules
modules = {
	'policy',           -- Block queries to local zones/bad sites
	'hints > iterate',  -- Load /etc/hosts and allow custom root hints
	'stats',            -- Track internal statistics
	'predict',          -- Prefetch expiring/frequent records
}

-- See kresd.systemd(7) about configuring network interfaces when using systemd
-- Listen on localhost (default)
-- net = { '127.0.0.1', '::1'}

-- Enable DNSSEC validation
-- trust_anchors.file = '/etc/knot-resolver/root.keys'

hints.root_file = '/etc/knot-resolver/root.hints'

-- Cache size
cache.size = 100 * MB
cat /etc/knot-resolver/root.hints 
;       This file holds the information on root name servers needed to 
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  <file>"
;       configuration file of BIND domain name servers). 
; 
;       This file is made available by InterNIC 
;       under anonymous FTP as
;           file                /domain/named.cache 
;           on server           FTP.INTERNIC.NET
;       -OR-                    RS.INTERNIC.NET
; 
;       last update:     October 24, 2017 
;       related version of root zone:     2017102400
; 
; FORMERLY NS.INTERNIC.NET 
;
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
; 
; FORMERLY NS1.ISI.EDU 
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
...
...
...

starting knot resolver

sudo systemctl start kresd@1.service

I can see that it is running

ps axf
/usr/sbin/kresd --config=/etc/knot-resolver/kresd.conf

and I did change configuration that it listen on 127.0.0.1 and another two local interfaces


here is output from journal

Nov 08 22:49:43 skriatok systemd[1]: Starting Knot Resolver daemon...
Nov 08 22:49:43 skriatok systemd[1]: Started Knot Resolver daemon.
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'b.root-servers.net.', type: 1
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'b.root-servers.net.', type: 28
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'h.root-servers.net.', type: 28
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'j.root-servers.net.', type: 1
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'm.root-servers.net.', type: 1
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'l.root-servers.net.', type: 1
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'j.root-servers.net.', type: 28
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'i.root-servers.net.', type: 28
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'g.root-servers.net.', type: 28
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'f.root-servers.net.', type: 28
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'e.root-servers.net.', type: 28
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'd.root-servers.net.', type: 28
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'a.root-servers.net.', type: 28
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'h.root-servers.net.', type: 1
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'c.root-servers.net.', type: 1
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'k.root-servers.net.', type: 1
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'e.root-servers.net.', type: 1
Nov 08 22:49:53 skriatok kresd[9012]: [priming] cannot resolve address 'f.root-servers.net.', type: 1
...
...

please, can someone help?
thank you

Offline

#2 2018-11-08 23:24:37

theburritoeater
Member
Registered: 2018-03-21
Posts: 9

Re: knot-resolver :: not able to configure

Here are some things you can try doing and checking:

1.) Check out the Knot Resolver documentation to make sure your config files are right.  One thing you might want to manually check that it is connecting to right network is to uncomment (remove "--") from the "net" option.

2.) dmasq and KnotResolver will both try and use port 53.  You mentioned you changed it, so that's good, maybe worth another check.

3.) add "workarounds" to your conf.  Perhaps these nameservers are having compatibility issues with you?  The workarounds module contains a set of hotfixes to ensure compatibility with DNS servers with known compatibility problems with modern DNS standards.

4.) Make sure you have the right modules in that will listen to the root.hints file:

-- Load hints after iterator (so hints take precedence before caches)
modules = { 'hints > iterate' }
-- Add a custom hosts file
hints.add_hosts('hosts.custom')
-- Override the root hints
hints.root({
  ['j.root-servers.net.'] = { '2001:503:c27::2:30', '192.58.128.30' }
})
-- Add a custom hint
hints['foo.bar'] = '127.0.0.1'

5.) I am not clear on how knot resolver receives packets from the WAN, but maybe you need to set it up to listen on your gateway address for incoming packets from TLD?

Offline

#3 2018-11-09 07:20:06

jancici
Member
From: svk
Registered: 2011-12-04
Posts: 152

Re: knot-resolver :: not able to configure

1) yes, I am trying to find help there
2) yes, checking that with ss command
3) 4)  it is not clear what you mean
5) do you think that forwarder should listen on wan side?

Offline

#4 2018-11-09 20:03:56

jancici
Member
From: svk
Registered: 2011-12-04
Posts: 152

Re: knot-resolver :: not able to configure

I find out that that probably ISP is doing something with DSN request. Knot does get incorrect answer from root dns servers.

checking this https://dnsleaktest.com and https://www.perfect-privacy.com/dns-leaktest/
using working config with dnsmasq, which is asking 1.1.1.1 in case it doesn't know answer

I see opendns or google resolvers in results.

Offline

Board footer

Powered by FluxBB