Mastodawn

Doc Edward Morbius ⭕Feb 18, 2022

@freakazoid And as I've said, repeatedly:

I don't think this is the problem.
The obvious problem is that a configuration in the resolver (kresd) to forward requests for specific domains to specific hosts is not having obvious effect. That is, my DNS caching server configuration is not functioning as expected. Results ... match this hypothesis.
- Specifically: IPv4 DNS queries are returning results to IPv4 addresses that should not be returned, consistent with querying the wrong forwarding server.
The Knot Resolver documentation is at best opaque, and does not offer much by way of recipies for achieving specific routing results that I'm aware or able to suss out.
IPv6 is not served by my ISP. There's no reason I see that my systems are attempting IPv6 traffic. I think this is in fact a false lead and red herring. However, if you can provide specific steps for testing that hypothesis, I'll consider them.

I've got reasonably decent IPv4 chops. IPv6 not quite so much. Good Linux admin / networking skills.

@yojimbo @dch

Configuration — Knot Resolver 5.4.4 documentation

Show thread

CMDR Yojimbosan 🅅⁂Feb 19, 2022

@dredmorbius @freakazoid @dch I can hear a lot of frustration :-| but it also sounds like although you suspect the problem to be kresd's config, you haven't proven that yet (or of course, you have done all that and just haven't told the fediverse that you've done it, because ... well, probably to avoid just the sort of distracting "trying to help without really knowing whats going on" conversations you're actually getting!) I suspect all of us in the conversation at the moment are also not specifically familiar with kresd either ...

Here's some pointers on how to suck eggs ...

Dump 100% of the DNS network traffic while you do an experiment, and analyse it to see if queries went to the places you expected, and had the correct questions & answers.

If the packets are encrypted, then strace the processes that should be handling the data; it won't tell you everything but it can really help.

Increase log levels to the max. Prove that you know why the things that work, work; then move on to the things that don't work.

kresd apparently uses a shared cache by default, which suggests that you can configure it to not do that, so you know every time you restart the process it has no knowledge of previous runs. This makes experiments much more possible.

Get a repeatable proof of the fault (e.g. "kresd config says do X, but observed behaviour is Y"), then you can fiddle with the config.

Show thread

CMDR Yojimbosan 🅅⁂Feb 19, 2022

@dredmorbius @freakazoid @dch Reading the kresd documentation, you are hopefully looking at something like https://knot-resolver.readthedocs.io/en/stable/modules-policy.html#replacing-part-of-the-dns-tree ...

So, you need a DNS server that will return authoritative answers for the domains you wish to remap, let's call that {FakeDNS} ...

policy.add(
policy.suffix(
policy.STUB({FakeDNS}), policy.todnames({"youtube.com."})
)))

I think policy.STUB only works if there's a cache miss; i.e. make sure your cache is cleared before playing with this, otherwise the 'real' answer will arrive and this rule will be bypassed.

policy.FORWARD will be validating DNSSEC and you might not want to play that game. There's also RPZ, which I know too little about, but https://jpmens.net/2011/04/26/how-to-configure-your-bind-resolvers-to-lie-using-response-policy-zones-rpz/ @jpmens post might help you out.

Query policies — Knot Resolver 5.4.4 documentation

Show thread

Doc Edward Morbius ⭕

@yojimbo That's what's configured.

There's also a specific request to not cache results for the domains in question.

-- Forward archive.is/archive.fo queries as Cloudflare breaks these.
-- Sun Jun  2 00:43:35 CDT 2019

extraTrees = policy.todnames({'archive.is', 'archive.ph', 'archive.vn', 'archive.fo', 'archive.li', 'archive.md', 'archive.today' })

policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}),  extraTrees))


policy.add(
    policy.suffix(
    policy.STUB('192.168.0.1'), {
    -- policy.STUB('8.8.8.8'), {
        todname('archive.is'),
        todname('archive.ph'),
        todname('archive.vn'),
        todname('archive.fo'),
        todname('archive.li'),
        todname('archive.md'),
        todname('archive.today')
        }
    )
    )

I'm restarting kresd to test (should clear caches), as well as the upstream. And restarting Android networking (clears Android's own DNS cache).

Still naada.

@freakazoid @dch @jpmens

#kresd #KnotResolver #DNS #Networking

Show thread

CMDR Yojimbosan 🅅⁂Feb 20, 2022

@dredmorbius @freakazoid @dch @jpmens The only difference I can see from here is that in your policy.STUB you're using a comma separated list of todname('domain') values, but when I paraphrased the docs I saw, I used a single call to policy.todnames() with an array? {} of comma separated domain values.
But if that was wrong, you'd hope a syntax check would have signalled it.
There are debug options, the HTTP-exposed /trace part of webmgmt looks interesting, as well as the various policy.DEBUG* functions.

This is the point that I either throw something away, or spend the time trying to find a product-specific support channel, and accept that it might take days to get an answer :-(