@openalt I'm dealing with this too. I have the Vodafone modem in bridge mode, and behind it a #turris router with a public static IPv4 and tunnelled IPv6 from #HurricaneElectric.
I've come to the conclusion that the turris itself resolves DNS via #kresd, and for a manually maintained list of addresses it strips the IPv6 addresses from the response and suppresses DNSSEC.

Well, looking up the SOA records for ephapay.net yields nothing. From that I'm going to contend that #kresd is being super cautious, and I'm kinda shocked the other #dns servers are giving responses for the domain. So now all I need to work out is how to notify them of this issue. I think that is the end of today's "problems with DNS" thread.

5/5

Hmm, well the current HEAD of #kresd also fails the lookup, but it's hard to say from the voluminous debug logs what the problem could be. kresd also fails to resolve the root servers in my local build, which could be a problem.

4/x

One thing that jumps out of the overly voluminous logs is: " mitigation for NXNSAttack CVE-2020-12667". Do I really want to be reading #kresd #dns #CVE reports on my last day of holiday?

3/x

@yojimbo That's what's configured.

There's also a specific request to not cache results for the domains in question.

-- Forward archive.is/archive.fo queries as Cloudflare breaks these.
-- Sun Jun 2 00:43:35 CDT 2019

extraTrees = policy.todnames({'archive.is', 'archive.ph', 'archive.vn', 'archive.fo', 'archive.li', 'archive.md', 'archive.today'})

-- Never cache answers for these names.
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}), extraTrees))

-- Hand queries for these names to the LAN router's resolver instead of
-- resolving them recursively (swap in policy.STUB('8.8.8.8') to test Google).
policy.add(policy.suffix(policy.STUB('192.168.0.1'), extraTrees))

I'm restarting kresd to test (should clear caches), as well as the upstream. And restarting Android networking (clears Android's own DNS cache).

Still nada.

@freakazoid @dch @jpmens

#kresd #KnotResolver #DNS #Networking

#DearMastomind I am trying to grok kresd, the Knot Resolver (used on the Turris Omnia) ... and ... am encountering impenetrable documentation.

If there's anyone familiar with it, my current goals:

  • Point specific domains at a specific DNS server.
  • Map one domain to another. E.g., youtube.com -> yewtu.be, reddit.com -> teddit.net, etc.
  • Assign specific IPs to specific hosts.

https://knot-resolver.readthedocs.io/en/stable/config-overview.html

My other option is to redo my DNS configuration using DNSMasq. Which quite frankly is probably preferable as its documentation and configuration are much more sane.

#kresd #KnotResolver #Turris #Omnia #TurrisOmnia #OpenWRT #DNS #dnsmasq
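An added example, not from this thread and not from Knot Resolver's own documentation, of how the three goals above can be expressed in kresd's Lua config using the documented policy and hints modules. Every name and address below is a placeholder; the CNAME rewrite via policy.ANSWER is my reading of that action (it hands back raw rdata, and a wire-format name is what todname() produces) and should be checked with kdig against a test instance before relying on it.

```lua
-- Example kresd config (added here for illustration; not the thread's code).
-- Placeholders: corp.example, lab.example, 192.168.0.1, nas.lan, printer.lan.

-- 1) Point specific domains at a specific DNS server.
--    STUB sends the query to that server as-is and skips DNSSEC validation
--    on the answer; use policy.FORWARD instead if the upstream is a
--    validating resolver you trust and you want validation kept.
local corpNames = policy.todnames({'corp.example', 'lab.example'})
policy.add(policy.suffix(policy.STUB({'192.168.0.1'}), corpNames))

-- 2) Map one domain to another by answering with a static CNAME.
--    The client receives the CNAME and then resolves the target normally.
--    (Assumption: policy.ANSWER accepts a wire-format name as CNAME rdata.)
local redirects = {
  ['youtube.com'] = 'yewtu.be',
  ['reddit.com']  = 'teddit.net',
}
for from, to in pairs(redirects) do
  policy.add(policy.suffix(
    policy.ANSWER({ [kres.type.CNAME] = { rdata = todname(to), ttl = 300 } }),
    { todname(from) }))
end

-- 3) Assign specific IPs to specific hosts.
--    The hints module answers these names locally, before iteration, so
--    they never go upstream; hints.add_hosts('/etc/hosts') loads a file.
modules.load('hints > iterate')
hints['nas.lan']     = '192.168.0.10'
hints['printer.lan'] = '192.168.0.11'
```

Two caveats worth knowing before copying this: policy.suffix matches every name under the listed suffix, so www.youtube.com is rewritten too, and both STUB and hints answers are returned without DNSSEC validation for those names, which is the same "suppresses DNSSEC" behaviour observed earlier in the thread.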


Let's offload half of the config to systemd so we can drop the permissions directly, but let's not document it. :( Oh, CZ.NIC #kresd

If anyone familiar with OpenWRT / Turris and DNS can tell me simply 1) why kresd/knot-resolver is favoured over dnsmasq, 2) if kresd can do what dnsmasq can (particularly as regards various hostlists and being authoritative for domains), and 3) if there's any harm/risk in making dnsmasq the primary DNS resolver/server, I'd appreciate it.

The documentation is less than clear. Czech mate.

#Turris
#OpenWRT
#Adblock
#dnsmasq
#kresd
#knot-resolver