1. Knot Resolver
On Ubuntu 16.04, installing Knot DNS (libknot) got it almost working. /ubuntu
https://knot-resolver.readthedocs.io/en/stable/
https://knot-resolver.readthedocs.io/en/stable/config-overview.html
https://knot-resolver.readthedocs.io/en/stable/quickstart-config.html
Building from sources https://knot-resolver.readthedocs.io/en/latest/build.html
1.1. Mandatory domain blocking
Some jurisdictions mandate blocking access to certain domains. This can be achieved using following policy rule:
policy.add( policy.suffix(policy.DENY, policy.todnames({'example.com.', 'blocked.example.net.'})))
1.2. Versions
https://twitter.com/KnotDNS/status/988385821052030976
Knot Resolver 2.3.0 has been released!
It is a security release that fixes CVE-2018-1110. https://lists.nic.cz/pipermail/knot-re
From /NEWS: /lib/layer/interate.c
https://lists.nic.cz/pipermail/knot-dns-users/2017-October/001239.html Knot Resolver experimental release
- negative answers from validated NSEC (NXDOMAIN, NODATA)
- caching doesn't yet work for various cases:
- negative answers without NSEC (i.e. with NSEC3 or insecure)
https://www.knot-resolver.cz/ http://knot-resolver.readthedocs.io/en/latest/index.html
https://gitlab.labs.nic.cz/knot/resolver
users: https://lists.nic.cz/pipermail/knot-dns-users/
GitHub: https://github.com/CZ-NIC/knot-resolver
daemon/worker: deduplicate outbound queries
web command center (Golang module) sample: http://resolver.vavrusa.com/
1.3. make
http://knot-resolver.readthedocs.io/en/latest/build.html#platform-considerations
- Building project;
Building from sources
The Knot DNS Resolver depends on the Knot DNS library, a recent version of libuv, and LuaJIT.
$ make info # See what's missing
When you have all the dependencies ready, you can build and install.
$ make PREFIX="/usr/local"
$ make install PREFIX="/usr/local"
Run make info in knot-resolver-master/.
Prerequisites:
Dependencies
------------
[no] libknot (lib)
[no] LuaJIT (daemon)
[no] libuv (daemon)
http://knot-resolver.readthedocs.org/en/latest/build.html
https://gitlab.labs.nic.cz/labs/knot DNS/Knot-DNS contains libknot.
https://github.com/libuv/libuv /libuv
Has make completed in a 64-bit environment? /install-log
Also run ldconfig.
1.4. conf
/usr/local/bin/kresd: error while loading shared libraries: libluajit-5.1.so.2: cannot open shared object file: No such file or directory
Resolved by running ldconfig. -- ToshinoriMaeno 2015-11-28 05:34:38
1.5. CNAME
/CNAMEpatch done. Thanks.
1.6. TCP query
/TCPquery patch for non-minimized query
/TCPonly patch
-- ToshinoriMaeno 2015-10-22 14:33:25
1.7. NODATA processing
for minimized query answer /vavrusa
/d.qmail.jp /nodata
1.8. Authority Section
Accepting authority section data is risky (cache poisoning).
- How Knot resolver works.
https://github.com/CZ-NIC/knot-resolver/commit/a2b9d06ddb930e9183ec30f6e8d33daec89a4516
lib/cache: more granular control for rank check on insertion
for pktcache same or better rank is required (because it's a direct answer)
for rrcache better rank is required (unless doing write-through)
for both cases, no cache rank check is needed when inserting secure data
security note: this mitigates possible non-auth NS hijacking
enum kr_cache_rank {
    KR_RANK_BAD = 0,       /* BAD cache, do not use. */
    KR_RANK_INSECURE = 1,  /* Entry is DNSSEC insecure (e.g. RRSIG not exists). */
    KR_RANK_NONAUTH = 8,   /* Entry from authority section (i.e. parent-side) */
    KR_RANK_AUTH = 16,     /* Entry from answer (authoritative data) */
    KR_RANK_SECURE = 256,  /* Entry is DNSSEC valid (e.g. RRSIG exists). */
};
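As an added illustration (not code from Knot Resolver), the insertion rule from the commit message above written as a small C function over the quoted rank values; `cache_kind`, `rank_check_allows_insert` and `nonauth_ns_overwrites_auth` are hypothetical names, and write-through is assumed to skip the rrcache rank check.

```c
#include <stdbool.h>
#include <stdio.h>

/* Rank values as quoted from Knot Resolver's lib/cache. */
enum kr_cache_rank {
    KR_RANK_BAD      = 0,
    KR_RANK_INSECURE = 1,
    KR_RANK_NONAUTH  = 8,
    KR_RANK_AUTH     = 16,
    KR_RANK_SECURE   = 256,
};

/* Target cache (hypothetical names for this example). */
enum cache_kind { CACHE_PKT, CACHE_RR };

/* Hypothetical: may an entry of new_rank replace the cached entry of old_rank?
 * secure data: no rank check; pktcache: same or better rank; rrcache:
 * strictly better rank, unless write-through (assumed to skip the check). */
bool rank_check_allows_insert(enum cache_kind kind, int old_rank, int new_rank,
                              bool write_through)
{
    if (new_rank >= KR_RANK_SECURE)
        return true;                 /* DNSSEC-valid data is always stored */
    if (kind == CACHE_PKT)
        return new_rank >= old_rank; /* direct answer: same-or-better */
    if (write_through)
        return true;                 /* rrcache write-through: no check */
    return new_rank > old_rank;      /* rrcache: strictly better only */
}

/* Scenario: an NS RRset from the authority section of a delegated-to server
 * (KR_RANK_NONAUTH) arrives while an NS RRset from an authoritative answer
 * (KR_RANK_AUTH) is already cached. True only if the non-auth data could
 * overwrite it, i.e. the hijack case the commit mitigates. */
bool nonauth_ns_overwrites_auth(void)
{
    return rank_check_allows_insert(CACHE_RR, KR_RANK_AUTH, KR_RANK_NONAUTH, false);
}

int main(void)
{
    printf("non-auth NS replaces cached auth NS: %s\n",
           nonauth_ns_overwrites_auth() ? "yes" : "no"); /* prints "no" */
    return 0;
}
```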
1.9. rrcache.c
/* Cache authority only if chasing referral/cname chain */
if (!is_auth || qry != TAIL(req->rplan.pending)) {
    ret = stash_authority(qry, pkt, &stash, &req->pool);
}
The NS records (Authority Section) that the delegated-to (authoritative) server attaches are discarded.
That is safer. -- ToshinoriMaeno 2015-10-25 00:02:02
1.10. To do
poison in delegation response /delegation
/d.qmail.jp poisoning /d.qmail.jp/2 /d.qmail.jp/3
-- ToshinoriMaeno 2015-10-24 06:49:23