Anyone using Knot-resolver?

Turns out PowerDNS Recursor might be faster than Knot Resolver. It does DNSSEC validation the fastest in comparison with both Unbound and Knot Resolver, resulting in it being faster overall. I highly recommend you guys try it too. Cheers.


I tried it earlier but at the time it didn't support qname-minimization, I think the master branch might support it now though?

EDIT: Yes, the master branch now supports qname minimization.

Any good tutorials out there for PowerDNS? A quick search came up with some pretty outdated stuff.

Nope, haven't found any recent guides either. All the parameters seem to be included in the config file though; you just have to uncomment and change the ones where you don't like the defaults (like DNSSEC validation and qname minimization, for example). I'm trying it out right now, tried to change as little as possible at first and then I'll see...

I would say it's pretty straightforward, guys. Just change your network subnet to answer to and the interface and you're good to go. Let me know if you can't figure it out; I will be happy to show my config. It's basically: add the repo, apt install pdns-recursor, change allow-from to your network subnet and set the network interface. Then just run service pdns-recursor start. You're all good!

If you could post your config, that would be great thanks!

Sure thing. I just uncommented these and it works perfectly.

# Only answer queries from loopback and the LAN (keeps the recursor from being an open resolver)
allow-from=127.0.0.0/8, 10.0.0.0/24
config-dir=/etc/powerdns
# Perform DNSSEC validation and reject bogus answers
dnssec=validate
# EDNS buffer size advertised to authoritative servers (DNS Flag Day 2020 value)
edns-outgoing-bufsize=1232
hint-file=/usr/share/dns/root.hints
# Addresses to listen on: loopback plus the LAN interface
local-address=127.0.0.1, 10.0.0.14
# Send only the minimum needed labels to each upstream (privacy)
qname-minimization=yes
quiet=yes
reuseport=yes
# Drop privileges after binding the ports
setgid=pdns
setuid=pdns

Edit:
# Truncate UDP answers above this size so clients retry over TCP
udp-truncation-threshold=1220
Added this after checking DNS Flag Day.

That's pretty much it. More than half of these are already uncommented anyway. Cheers.
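The settings in the posted recursor.conf above are the ones that decide whether a home recursor ends up as an open resolver. As an added example (not from the thread or from PowerDNS), here is a small Python lint that parses that snippet and checks the security-relevant keys: that every allow-from network is a loopback or RFC 1918 / ULA range, that dnssec is set to validate and qname-minimization to yes, that the buffer sizes respect the 1232-byte DNS Flag Day 2020 value, and that a wildcard local-address is called out. The sample config text is constructed from the snippet in the post; the function and finding strings are my own naming.

```python
"""Lint a pdns-recursor config snippet for open-resolver and DNS Flag Day settings.

Added example; not part of the thread or of PowerDNS. The config text below is
constructed from the snippet posted above.
"""
import ipaddress

SAMPLE_CONFIG = """\
allow-from=127.0.0.0/8, 10.0.0.0/24
config-dir=/etc/powerdns
dnssec=validate
edns-outgoing-bufsize=1232
hint-file=/usr/share/dns/root.hints
local-address=127.0.0.1, 10.0.0.14
qname-minimization=yes
quiet=yes
reuseport=yes
setgid=pdns
setuid=pdns
udp-truncation-threshold=1220
"""

# Ranges that are acceptable as recursion clients for a LAN resolver.
TRUSTED_CLIENT_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]
FLAG_DAY_BUFSIZE = 1232


def parse_config(text):
    """Parse key=value lines; '#' starts a comment, blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def split_list(value):
    """pdns list values are comma separated, optionally with spaces."""
    return [v.strip() for v in value.split(",") if v.strip()]


def is_trusted_client_net(net):
    """True only if the whole network sits inside one trusted range."""
    return any(net.version == t.version and net.subnet_of(t)
               for t in TRUSTED_CLIENT_NETS)


def lint(settings):
    """Return a list of human-readable findings; empty list means all checks passed."""
    findings = []

    for cidr in split_list(settings.get("allow-from", "")):
        net = ipaddress.ip_network(cidr, strict=False)
        if not is_trusted_client_net(net):
            findings.append(f"allow-from {cidr} admits non-local clients (open resolver risk)")

    if settings.get("dnssec") != "validate":
        findings.append("dnssec is not explicitly set to validate")

    if settings.get("qname-minimization") != "yes":
        findings.append("qname-minimization is not explicitly set to yes")

    for key in ("edns-outgoing-bufsize", "udp-truncation-threshold"):
        value = settings.get(key)
        if value is not None and int(value) > FLAG_DAY_BUFSIZE:
            findings.append(f"{key}={value} exceeds the DNS Flag Day 2020 value of {FLAG_DAY_BUFSIZE}")

    for addr in split_list(settings.get("local-address", "")):
        if ipaddress.ip_address(addr).is_unspecified:
            findings.append(f"local-address {addr} listens on all interfaces; make sure allow-from is restricted")

    return findings


if __name__ == "__main__":
    for finding in lint(parse_config(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

Run against the posted snippet the lint returns no findings; feeding it a config with allow-from=0.0.0.0/0 produces the open-resolver finding, which is the case that turns a home recursor into an amplification source.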


Anyone here successfully got Knot Resolver to work as a TLS server?

I gave up on that a long time ago. I use stubby and it has exceeded my expectations. I highly recommend it.

I meant Knot Resolver as the DNS server, not as a client. Stubby is used to connect to other DNS servers via TLS, right? (e.g. Cloudflare/Quad9)

I see. I stupidly assumed you were looking for a client.

Reviving this thread.

I was wondering what config most are using at this point? It seems anything I add to the configuration file, Knot will not load; it just fails for some reason and I cannot get much of a log showing the error.

Also what is the proper way to restart knot when you change the kresd.conf file?

Currently just sitting with the standard config which is fine I suppose but I would like to get prefill and prefetch going for my network.

Thanks.

I also had one other question: when you say enable four instances, are they only using, say, 128 MB cache total or is it using 128 MB of cache per instance started?

-- Uncomment this only if you need to debug problems.
-- verbose(true)

-- Load useful modules
modules = {
    'hints > iterate',     -- Load /etc/hosts and allow custom root hints
    'predict',             -- Prefetch expiring/frequent records
    'rebinding < iterate', -- Refuse answers pointing at private addresses (DNS rebinding protection)
    'serve_stale < cache', -- Serve expired records while upstreams are unreachable
    'stats',               -- Track internal statistics
    'workarounds < iterate'
}

-- Block Firefox DoH (canary domain: NXDOMAIN here makes Firefox keep using the local resolver)
policy.add(policy.suffix(policy.DENY, {todname('use-application-dns.net')}))

-- Cache size
cache.size = 200 * MB

-- Disable IPv6
net.ipv6 = false

-- DNS Flag Day 2020
net.bufsize(1232)

-- Import root zone data
modules.load('prefill')
prefill.config({
    ['.'] = {
        url = 'https://www.internic.net/domain/root.zone',
        ca_file = '/etc/ssl/certs/ca-certificates.crt',
        interval = 86400 -- seconds
    }
})

-- Prefetch learning
predict.config({
    window = 30,          -- 30 minutes sampling window
    period = 24*(60/15)   -- track last 24 hours
})

This should restart the service:

sudo systemctl restart kresd*.service

Check status with:

sudo systemctl status kresd*.service

This part seems to always error out for me. It seems that after the first root zone it tells me "ad is not secure". Any insight on this? I am guessing this has to do with the clock, since RPis do not have a hardware clock.

Have you set the clock and timezone on your Pi? What I noticed when using it with Pi-hole was that I had trouble downloading the root zone at all, because I had Pi-hole set to Knot and it seems that Knot needs another DNS to download the root zone; otherwise it created some sort of loop, querying Pi-hole which then queried Knot. I solved that by using Unbound or PowerDNS Recursor as a secondary. I don't use Pi-hole anymore though, so I don't remember all the details...

Just so I understand this correctly: if I change Pi-hole to, say, Cloudflare, set this up, then change back to Knot, I should be good to go on this?

And yes I have set the clock and timezone on my pi.

So adding prefill this seems to be the error I get, any advice?

I have installed Lua 5.1.

Dec 23 17:15:40 DietPi kresd[16364]: error: module 'lfs' not found:
Dec 23 17:15:40 DietPi kresd[16364]:         no field package.preload['lfs']
Dec 23 17:15:40 DietPi kresd[16364]:         no file '/usr/lib/knot-resolver/lfs.lua'
Dec 23 17:15:40 DietPi kresd[16364]:         no file '/usr/lib/knot-resolver/lfs/init.lua'
Dec 23 17:15:40 DietPi kresd[16364]:         no file './lfs.lua'
Dec 23 17:15:40 DietPi kresd[16364]:         no file '/usr/share/luajit-2.1.0-beta3/lfs.lua'
Dec 23 17:15:40 DietPi kresd[16364]:         no file '/usr/local/share/lua/5.1/lfs.lua'
Dec 23 17:15:40 DietPi kresd[16364]:         no file '/usr/local/share/lua/5.1/lfs/init.lua'
Dec 23 17:15:40 DietPi kresd[16364]:         no file '/usr/share/lua/5.1/lfs.lua'
Dec 23 17:15:40 DietPi kresd[16364]:         no file '/usr/share/lua/5.1/lfs/init.lua'
Dec 23 17:15:40 DietPi kresd[16364]:         no file '/usr/lib/knot-resolver/lfs.so'
Dec 23 17:15:40 DietPi kresd[16364]:         no file './lfs.so'
Dec 23 17:15:40 DietPi kresd[16364]:         no file '/usr/local/lib/lua/5.1/lfs.so'
Dec 23 17:15:40 DietPi kresd[16364]:         no file '/usr/lib/arm-linux-gnueabihf/lua/5.1/lfs.so'
Dec 23 17:15:40 DietPi kresd[16364]:         no file '/usr/local/lib/lua/5.1/loadall.so'
Dec 23 17:15:40 DietPi kresd[16364]: error: No such file or directory

Also wanted to add, for anyone adding root.hints: this is a better place to find the closest servers to you, https://root-servers.org/ . There are two in my city.

Looks like you are using an older version or something. How are you installing Knot Resolver? Are you using this repo?

https://software.opensuse.org//download.html?project=home%3ACZ-NIC%3Aknot-resolver-latest&package=knot-resolver

I figured it out: I needed to install lua-filesystem.