1. Knot Resolver

On Ubuntu 16.04, I installed Knot DNS (libknot) and it mostly worked. /ubuntu

https://www.knot-dns.cz/download/

https://knot-resolver.readthedocs.io/en/stable/

https://knot-resolver.readthedocs.io/en/stable/config-overview.html

https://knot-resolver.readthedocs.io/en/stable/quickstart-config.html

Building from sources https://knot-resolver.readthedocs.io/en/latest/build.html

1.1. Mandatory domain blocking

Some jurisdictions mandate blocking access to certain domains. This can be achieved using the following policy rule:

policy.add(
      policy.suffix(policy.DENY,
              policy.todnames({'example.com.', 'blocked.example.net.'})))

1.2. Versions

/3.2.0 /5.1.2

DNS/実装/KnotDNSresolver

https://twitter.com/KnotDNS/status/988385821052030976

Knot Resolver 2.3.0 has been released!


From /NEWS: /lib/layer/interate.c

https://lists.nic.cz/pipermail/knot-dns-users/2017-October/001239.html Knot Resolver experimental release

https://www.knot-resolver.cz/ http://knot-resolver.readthedocs.io/en/latest/index.html

https://gitlab.labs.nic.cz/knot/resolver

users: https://lists.nic.cz/pipermail/knot-dns-users/


GitHub: https://github.com/CZ-NIC/knot-resolver

daemon/worker: deduplicate outbound queries

web command center (Golang module) sample: http://resolver.vavrusa.com/

1.3. make

http://knot-resolver.readthedocs.io/en/latest/build.html#platform-considerations

Building from sources

The Knot DNS Resolver depends on the Knot DNS library, a recent version of libuv, and LuaJIT.

$ make info # See what's missing

When you have all the dependencies ready, you can build and install.

$ make PREFIX="/usr/local"
$ make install PREFIX="/usr/local"

Run make info in knot-resolver-master/.

Prerequisites:

Dependencies
------------
[no] libknot (lib)
[no] LuaJIT (daemon)
[no] libuv (daemon)

http://knot-resolver.readthedocs.org/en/latest/build.html

https://gitlab.labs.nic.cz/labs/knot DNS/Knot-DNS contains libknot.

https://github.com/libuv/libuv /libuv

/LuaJIT

Did make complete in a 64-bit environment? /install-log

Also run ldconfig.

1.4. conf

/config

/usr/local/bin/kresd: error while loading shared libraries: libluajit-5.1.so.2: cannot open shared object file: No such file or directory

Fixed with ldconfig. -- ToshinoriMaeno 2015-11-28 05:34:38

1.5. CNAME

/CNAMEpatch done. Thanks.

/CNAMEpoison

1.6. TCP query

/TCPquery patch for non-minimized query

/TCPonly patch

-- ToshinoriMaeno 2015-10-22 14:33:25

1.7. NODATA processing

for minimized query answer /vavrusa

/patch1

[[/d.qmail.jp]] /nodata

/min_ttl-patch

1.8. Authority Section

Accepting the authority section data is risky. (cache poisoning)

https://github.com/CZ-NIC/knot-resolver/commit/a2b9d06ddb930e9183ec30f6e8d33daec89a4516

lib/cache: more granular control for rank check on insertion

for pktcache same or better rank is required (because it’s a direct answer)
for rrcache better rank is required (unless doing write-through)

for both cases, no cache rank check is needed when inserting secure data

security note: this mitigates possible non-auth NS hijacking

enum kr_cache_rank {
        KR_RANK_BAD       = 0,  /* BAD cache, do not use. */ 
        KR_RANK_INSECURE  = 1,  /* Entry is DNSSEC insecure (e.g. RRSIG not exists). */
        KR_RANK_NONAUTH   = 8,  /* Entry from authority section (i.e. parent-side) */
        KR_RANK_AUTH      = 16, /* Entry from answer (authoritative data) */
        KR_RANK_SECURE    = 256,  /* Entry is DNSSEC valid (e.g. RRSIG exists). */
};
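A toy model of the insertion rule described in that commit, added here as an example (this is not Knot Resolver's own code): the kr_cache_rank values are the ones quoted above; the cache_kind enum, the one-slot toy_entry cache and the function names are assumptions made for the example. It shows that a parent-side (NONAUTH) NS set cannot replace an AUTH NS set already in the rrcache, which is the non-auth NS hijacking the security note refers to.

```c
#include <stdbool.h>
#include <string.h>
enum kr_cache_rank {            /* values from the commit quoted above */
    KR_RANK_BAD = 0, KR_RANK_INSECURE = 1, KR_RANK_NONAUTH = 8,
    KR_RANK_AUTH = 16, KR_RANK_SECURE = 256,
};
enum cache_kind { PKTCACHE, RRCACHE };   /* hypothetical, for this example only */

struct toy_entry {
    char name[64];   /* owner name, e.g. "example.com." */
    char rdata[64];  /* NS target kept as text for the demo */
    unsigned rank;   /* enum kr_cache_rank */
};

/* pktcache: same or better rank; rrcache: strictly better unless write-through;
 * secure data is stored without any rank check. */
static bool rank_allows_insert(enum cache_kind kind, unsigned existing,
                               unsigned candidate, bool write_through)
{
    if (candidate >= KR_RANK_SECURE)
        return true;
    if (kind == PKTCACHE)
        return candidate >= existing;
    return write_through || candidate > existing;
}

/* One-slot toy cache: store the candidate only if the rank rule allows it. */
static bool toy_cache_insert(struct toy_entry *slot, enum cache_kind kind,
                             const struct toy_entry *cand, bool write_through)
{
    bool same_name = slot->name[0] != '\0' && strcmp(slot->name, cand->name) == 0;
    if (same_name && !rank_allows_insert(kind, slot->rank, cand->rank, write_through))
        return false;    /* e.g. parent-side NONAUTH NS cannot replace AUTH NS */
    *slot = *cand;
    return true;
}

/* Scenario from the security note: an AUTH NS set is cached, then a NONAUTH NS
 * set for the same owner arrives in an authority section (constructed sample). */
static bool nonauth_ns_cannot_hijack(void)
{
    struct toy_entry slot = {"", "", KR_RANK_BAD};
    struct toy_entry auth = {"example.com.", "ns1.example.com.", KR_RANK_AUTH};
    struct toy_entry nonauth = {"example.com.", "ns.other.example.", KR_RANK_NONAUTH};
    toy_cache_insert(&slot, RRCACHE, &auth, false);
    bool rejected = !toy_cache_insert(&slot, RRCACHE, &nonauth, false);
    return rejected && strcmp(slot.rdata, "ns1.example.com.") == 0;
}
/* Stand-alone run: exit status 0 when the lower-rank NS set was rejected. */
int main(void) { return nonauth_ns_cannot_hijack() ? 0 : 1; }
```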

1.9. rrcache.c

 /* Cache authority only if chasing referral/cname chain */
        if (!is_auth || qry != TAIL(req->rplan.pending)) {
                ret = stash_authority(qry, pkt, &stash, &req->pool);
        }

The NS records (Authority Section) that the delegated-to (authoritative) server attaches are discarded.

1.10. To do

poison in delegation response /delegation

/d.qmail.jp poisoning /d.qmail.jp/2 /d.qmail.jp/3

-- ToshinoriMaeno 2015-10-24 06:49:23

MoinQ: DNS/KnotResolver (last edited 2020-09-14 22:08:33 by ToshinoriMaeno)