Anyone using Knot-resolver?

I added the cache settings to knot resolver because:

  • you were right to add them to knot-resolver; I forgot they are also part of the unbound configuration.
  • I never had any problems with these cache settings in unbound.
  • I think you can only get in trouble with these cache settings if you visit a site, using a DNS name that depends on dynamic DNS. Apparently, since I have no problems, that's NOT an issue for me.

Thanks, I'll have to do some more testing. :slight_smile:

1 Like

Just a simple question from a rookie: Is there a guide available on how to set up Pi-hole with unbound AND Knot-resolver? Currently I'm running Pi-hole on an ARMbian/Rock64 platform and it works like a charm. I like the idea of having a backup solution for unbound, but my skills are limited when it comes to setting up Pi-hole using both unbound and knot-resolver. All these different aspects are getting me confused: unbound, knot-resolver, cloudflared, stubby, etc...
If someone feels like pointing me in the right direction, please don't hesitate. Thanks in advance.

Use the Pi-Hole unbound guide, and then use whatever knot resolver guides exist on the internet and put knot on a port other than 53 or 5353, and you are set.

Cloudflared and Stubby are different methods of encrypting DNS traffic to an upstream server. Unbound and knot are usually run in recursive mode, doing the same thing as the upstream servers (i.e. directly querying the authoritative name servers).

1 Like

@Gizmo_Ger
Just set up unbound, preferably the compiled version (the instructions don't work if you already installed unbound using apt-get).
Configure unbound to use a unique IP and port, for example IP 127.10.10.1 port 5551.
Look at the configuration example listed earlier in this topic.
After completing the configuration, restart unbound and check if the resolver responds correctly by entering:

dig @127.10.10.1 -p 5551 +dnssec www.raspberrypi.org

Now install knot-resolver, using the instructions here. Select your platform and follow the instructions under "Add repository and install manually".
Configure knot-resolver to use a unique IP and port, for example IP 127.10.10.2 port 5552.
Again, look at the configuration example listed earlier in this topic.
After completing the configuration, restart knot-resolver and check if the resolver responds by entering:

dig @127.10.10.2 -p 5552 +dnssec www.raspberrypi.org

Edit /etc/dnsmasq.d/01-pihole.conf and remove all server= entries.
Create a new file /etc/dnsmasq.d/04-servers.conf, content (as per provided examples):

server=127.10.10.1#5551
server=127.10.10.2#5552

Restart pihole-FTL.

done...

The changes made to /etc/dnsmasq.d/01-pihole.conf will be undone by pihole -up and pihole -r, so ensure the server entries are removed from this file after upgrading or reconfiguring.

1 Like
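The procedure above leaves one check implicit: after each `dig ... +dnssec` you want to confirm that the resolver is actually validating (the `ad` flag in the response header), not merely passing DO queries through, and only then add it to dnsmasq. The following script is an added example, not code from the thread or from the unbound/Knot projects. It assumes the addresses and ports suggested in the post (127.10.10.1#5551 and 127.10.10.2#5552), and it uses dnssec-failed.org, a publicly operated test zone with a deliberately broken signature, as the negative case: a validating resolver must answer SERVFAIL for it. The `dig` invocation and the write to /etc/dnsmasq.d only run when the script is invoked with the argument `run`.

```shell
#!/bin/sh
# Added example (not from the thread): verify that both local recursive
# resolvers validate DNSSEC before pointing Pi-hole's dnsmasq at them.
# Assumed addresses/ports are the ones suggested in the post above.

UNBOUND_ADDR=127.10.10.1; UNBOUND_PORT=5551
KRESD_ADDR=127.10.10.2;   KRESD_PORT=5552

# Extract the value of "status:" (NOERROR, SERVFAIL, ...) from dig output.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# Return 0 if the header flags include "ad": the resolver validated the answer.
dig_has_ad() {
    printf '%s\n' "$1" | grep -Eq '^;; flags: ([a-z]+ )*ad[ ;]'
}

# Classify one dig run as "validated", "unsigned", or the error status.
classify_dig() {
    status=$(dig_status "$1")
    if [ "$status" != "NOERROR" ]; then
        printf '%s\n' "${status:-NORESPONSE}"
    elif dig_has_ad "$1"; then
        printf 'validated\n'
    else
        printf 'unsigned\n'
    fi
}

# Query one upstream directly, with the DO bit set (+dnssec), and classify.
check_upstream() {  # addr port name
    classify_dig "$(dig @"$1" -p "$2" +dnssec +time=3 +tries=1 "$3" 2>/dev/null)"
}

# Write the dnsmasq upstream file from addr#port pairs, as in the post above.
write_servers_conf() {  # file addr#port ...
    out=$1; shift
    : > "$out"
    for s in "$@"; do printf 'server=%s\n' "$s" >> "$out"; done
}

main() {
    for r in "$UNBOUND_ADDR $UNBOUND_PORT" "$KRESD_ADDR $KRESD_PORT"; do
        set -- $r
        # A signed zone should come back "validated" (NOERROR + ad flag) ...
        echo "$1#$2 www.raspberrypi.org: $(check_upstream "$1" "$2" www.raspberrypi.org)"
        # ... and the deliberately broken test zone must come back SERVFAIL.
        echo "$1#$2 dnssec-failed.org: $(check_upstream "$1" "$2" dnssec-failed.org)"
    done
    write_servers_conf /etc/dnsmasq.d/04-servers.conf \
        "$UNBOUND_ADDR#$UNBOUND_PORT" "$KRESD_ADDR#$KRESD_PORT"
}

case "${1:-}" in run) main ;; esac
```

If either resolver reports "unsigned" for a signed zone, or NOERROR for dnssec-failed.org, it is not validating, and adding it as an upstream means dnsmasq will happily serve its unvalidated answers. Fix that first (trust anchor present, DNSSEC not disabled in the config), then restart pihole-FTL.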

I run four instances of unbound on four separate Pi/Pi-Hole installs and have not had a problem with unbound on any of them. As a result, I have not found that a backup is necessary.

1 Like

But as a previous commenter noted, unbound was faster for them. So, mileage may vary. But either way, in my opinion no backup is required, as either is a reliable DNS server.

Well, if you use the settings page instead of editing the files directly, then subsequent calls to pihole commands will know what you want and won't reset the settings.

I concur. Thanks for pointing this out. Everyone is free to set this up if they feel they need it, but it should be made clear that it is typically not needed. Work that can be avoided, one might say.

1 Like

Don't stop with just Knot and Unbound, try BIND, PowerDNS and the others as well.

1 Like

Like the Pi that Pi-Hole may be running on? Or the Pi-Hole software itself? Or the SD card? If any of those fail, the Pi-Hole is out of business as well.

I'll take my chances.

I forgot I had the "serve-expired: yes" on in my Unbound config, after I switched it off Knot is faster.

I did not turn off 'predict' in Knot because that's more like Unbound's 'prefetch' and not like 'serve-expired'; however, I do not use Knot's 'serve_stale < cache'.

Current status:

Been trying to set up Knot Resolver while I have Unbound active, to test it out, but I cannot get it to start on DietPi with the latest update and Pi-hole.

● kresd@1.service - Knot Resolver daemon
   Loaded: loaded (/lib/systemd/system/kresd@.service; enabled; vendor preset: enabled)
   Active: failed (Result: signal) since Fri 2019-06-07 17:02:11 CDT; 3h 10min ago
     Docs: man:kresd.systemd(7)
           man:kresd(8)
  Process: 4878 ExecStart=/usr/sbin/kresd --config=/etc/knot-resolver/kresd.conf (code=killed, signal=ILL)
 Main PID: 4878 (code=killed, signal=ILL)

Jun 07 17:02:10 DietPi systemd[1]: kresd@1.service: Unit entered failed state.
Jun 07 17:02:10 DietPi systemd[1]: kresd@1.service: Failed with result 'signal'.
Jun 07 17:02:11 DietPi systemd[1]: kresd@1.service: Service hold-off time over, scheduling restart.
Jun 07 17:02:11 DietPi systemd[1]: Stopped Knot Resolver daemon.
Jun 07 17:02:11 DietPi systemd[1]: kresd@1.service: Start request repeated too quickly.
Jun 07 17:02:11 DietPi systemd[1]: Failed to start Knot Resolver daemon.
Jun 07 17:02:11 DietPi systemd[1]: kresd@1.service: Unit entered failed state.
Jun 07 17:02:11 DietPi systemd[1]: kresd@1.service: Failed with result 'signal'.
Jun 07 17:02:10 DietPi systemd[1]: Failed to listen on kresd.socket.
Jun 07 17:02:11 DietPi systemd[1]: kresd.socket: Socket service kresd.service not loaded, refusing.
Jun 07 17:02:11 DietPi systemd[1]: Failed to listen on kresd.socket.

This is what I am getting as an error. Seems to be the socket which I have set as:

[Socket]
ListenDatagram=
ListenStream=
ListenDatagram=127.0.0.1:53000
ListenStream=127.0.0.1:53000

Here is my config which is just copied from here:

-- vim:syntax=lua:set ts=4 sw=4:
-- Refer to manual: http://knot-resolver.readthedocs.org/en/stable/daemon.html#configuration

-- Network interface configuration: see kresd.systemd(7)

-- For DNS-over-HTTPS and web management when using http module
-- modules.load('http')
-- http.config({
--      cert = '/etc/knot-resolver/mycert.crt',
--      key = '/etc/knot-resolver/mykey.key',
--      tls = true,
-- })

-- To disable DNSSEC validation, uncomment the following line (not recommended)
-- trust_anchors.remove('.')

-- Load useful modules
modules = {
        'hints > iterate',  -- Load /etc/hosts and allow custom root hints
        'stats',            -- Track internal statistics
        'predict',          -- Prefetch expiring/frequent records
}

-- Cache size
cache.size = 100 * MB

Try adding..

verbose(true)

...and see if you can get more details on what is failing.

Seems to be most of the failure is coming from wanting to listen on 127.0.0.1#53 which I cannot figure out how to change. I do have my socket pointed at 127.0.0.1#53555.

Try doing a "systemctl daemon-reload"?

Same error. For now I'll just put a pin in it. I am using the latest DietPi and maybe they'll add it as a service in the future.

Unbound is working fine; it was just to try out. Plus, I remember using Lua back when I used awesomewm on Arch Linux.