Bug#1032049: knot-resolver: Unable to enable HTTP module

2023-02-27 Thread Santiago Ruano Rincón
Control: tags -1 + moreinfo

Hi,

On 27/02/23 at 12:19, Andrew wrote:
> Package: knot-resolver
> Version: 5.3.1-1+deb11u1
> Severity: normal
> X-Debbugs-Cc: and...@lists.savchenko.net
> 
> Dear Maintainer,
> 
> HTTP module in knot-resolver can't be enabled by adding `http` directive
> in its config file.
> 
> I have tried the separate `modules.load('http')` statement via
> config and control socket / `kresc`, but to no avail.
> 
> `kresd.conf` attached below. While `kresc` reports that the module is
> loaded, no new port is opened and stats can't be fetched via `curl`.
> 
> `stats.list()` works as expected; this confirms that there is valid
> data to expose via http.
> 

[...]

> -- Configuration Files:
> /etc/default/kresd [Errno 13] Permission denied: '/etc/default/kresd'
> /etc/knot-resolver/kresd.conf changed:
> -- Listen locally, ipv4-only
> net = { '127.0.0.1' }
> net.ipv6 = false
> 
> -- Enable optional modules
> modules = {
>   'policy',  -- NXDOMAIN "bad" queries
>   'hints',   -- read /etc/hosts and whatever is defined below
>   'stats',   -- internal statistics
>   'serve_stale < cache', -- serve stale record if parent NS is unreachable
>   'rebinding < iterate', -- prevent rebinding attack, TODO: Remove?..
>   'prefill',
>   'predict',
>   'view',
>   http = {
>     host = '127.0.0.1',
>     port = 8053
>   }

I am unaware that this kind of configuration is possible. The documentation[1]
rather states that addresses and ports should be configured by net.listen().
E.g.:

net.listen('127.0.0.1', 8453, { kind = 'webmgmt' }) -- see http module
net.listen('::1', 8453, { kind = 'webmgmt' }) -- see http module

The above works for me in 5.3.1 and 5.6.0.

[1] https://knot-resolver.readthedocs.io/en/v5.3.1/daemon-bindings-net_server.html

Could you please give it a try?

Cheers,

 -- Santiago


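To put the two forms side by side, here is a constructed kresd.conf fragment written for this thread (not the reporter's file and not knot-resolver project code): the `modules` table entry from the report beside the `net.listen()` form the documentation describes, with the management endpoint kept on loopback. The `/stats` URL path and the `tls = false` option for the 'webmgmt' kind are assumed from the http module documentation, not from anything in this thread.

```lua
-- kresd.conf (Lua). Constructed example for this thread, not the
-- reporter's configuration and not upstream code.

-- Load the modules. 'stats' supplies the counters that the http module
-- exposes; 'http' is loaded by name exactly like the other modules.
modules = {
  'stats',
  'http',
}
-- Equivalent alternative after the table (what the report also tried):
-- modules.load('http')

-- What the report above did: a config table under the module name.
-- Per the report, with 5.3.1 kresc shows the module as loaded but no
-- port is opened, so stats cannot be fetched this way.
--   modules = {
--     http = { host = '127.0.0.1', port = 8053 },
--   }

-- Documented form: the listener is a net.listen() socket of kind
-- 'webmgmt'. Bind it to loopback only; the endpoint exposes statistics
-- and management, so it should not be reachable from other hosts.
net.listen('127.0.0.1', 8453, { kind = 'webmgmt' })
-- Add the IPv6 loopback only if net.ipv6 is not disabled.
-- net.listen('::1', 8453, { kind = 'webmgmt' })

-- Assumption (from the http module docs, not this thread): the webmgmt
-- endpoint serves HTTPS with a self-signed certificate unless TLS is
-- switched off for that kind. Leave TLS on unless only loopback clients
-- ever talk to it.
-- http.config({ tls = false }, 'webmgmt')

-- Verification after restarting kresd, from the same host:
--   ss -ltnp | grep 8453                       -- listener is present
--   curl -k https://127.0.0.1:8453/stats       -- or http:// if tls = false
--   curl -k https://127.0.0.1:8453/metrics     -- Prometheus-style output
```

If the listener is still absent after this change, check the kresd journal for an http module load error first; `kresc` reporting the module as loaded says nothing about whether a socket was bound.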


Bug#1032049: knot-resolver: Unable to enable HTTP module

2023-02-26 Thread Andrew
Package: knot-resolver
Version: 5.3.1-1+deb11u1
Severity: normal
X-Debbugs-Cc: and...@lists.savchenko.net

Dear Maintainer,

HTTP module in knot-resolver can't be enabled by adding `http` directive
in its config file.

I have tried the separate `modules.load('http')` statement via
config and control socket / `kresc`, but to no avail.

`kresd.conf` attached below. While `kresc` reports that the module is
loaded, no new port is opened and stats can't be fetched via `curl`.

`stats.list()` works as expected; this confirms that there is valid
data to expose via http.


-- System Information:
Debian Release: 11.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (100, 'bullseye-fasttrack'), (100, 'bullseye-backports-staging')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-20-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages knot-resolver depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.77
ii  dns-root-data          2021011101
ii  libc6                  2.31-13+deb11u5
ii  libdnssec8             3.0.5-1+deb11u1
ii  libedit2               3.1-20191231-2+b1
ii  libfstrm0              0.6.0-1+b1
ii  libgcc-s1              10.2.1-6
ii  libgnutls30            3.7.1-5+deb11u3
ii  libknot11              3.0.5-1+deb11u1
ii  liblmdb0               0.9.24-1
ii  libluajit-5.1-2        2.1.0~beta3+dfsg-5.3
ii  libnghttp2-14          1.43.0-1
ii  libprotobuf-c1         1.3.3-1+b2
ii  libstdc++6             10.2.1-6
ii  libsystemd0            247.3-7+deb11u1
ii  libuv1                 1.40.0-2
ii  libzscanner3           3.0.5-1+deb11u1
ii  lua-sec                1.0-1
ii  lua-socket             3.0~rc1+git+ac3201d-4

Versions of packages knot-resolver recommends:
ii  knot-resolver-module-http  5.3.1-1+deb11u1
ii  lua-basexx                 0.3-2.1
ii  lua-cqueues                20200726-1

knot-resolver suggests no packages.

-- Configuration Files:
/etc/default/kresd [Errno 13] Permission denied: '/etc/default/kresd'
/etc/knot-resolver/kresd.conf changed:
-- Listen locally, ipv4-only
net = { '127.0.0.1' }
net.ipv6 = false

-- Enable optional modules
modules = {
  'policy',  -- NXDOMAIN "bad" queries
  'hints',   -- read /etc/hosts and whatever is defined below
  'stats',   -- internal statistics
  'serve_stale < cache', -- serve stale record if parent NS is unreachable
  'rebinding < iterate', -- prevent rebinding attack, TODO: Remove?..
  'prefill',
  'predict',
  'view',
  http = {
    host = '127.0.0.1',
    port = 8053
  }
}

-- Accept exclusively from localhost
view:addr('127.0.0.1/8', function (req, qry) return policy.PASS end)
view:addr('0.0.0.0/0', function (req, qry) return policy.DROP end)

-- Block Firefox DoH
policy.add(policy.suffix(policy.DENY, {todname('use-application-dns.net')}))

-- Add blocked hosts, reload on file change
-- MUST be in a special .RPZ format
-- https://knot-resolver.readthedocs.io/en/stable/modules-policy.html#policy.rpz
policy.add(policy.rpz(policy.DENY, '/etc/knot-resolver/black.rpz'))
policy.add(policy.rpz(policy.DENY, '/etc/knot-resolver/blacklist-fgs.txt'))

-- DNS-over-TLS
policy.add(policy.all(policy.TLS_FORWARD({
  {'9.9.9.9', hostname='dns.quad9.net'},
  {'149.112.112.112', hostname='dns.quad9.net'},
  {'1.1.1.1', hostname='1dot1dot1dot1.cloudflare-dns.com'},
  {'1.0.0.1', hostname='one.one.one.one'}
})))

-- DNS-over-UDP
-- policy.add(policy.all(policy.FORWARD({'9.9.9.9', '1.1.1.1'})))

--- Root zone preload
prefill.config({
  ['.'] = {
    url = 'https://www.internic.net/domain/root.zone',
    ca_file = '/etc/ssl/certs/ca-certificates.crt',
    interval = 86400  -- 24h
  }
})

-- Cache config
cache.size = 32 * MB
cache.max_ttl(172800) -- 48h
cache.min_ttl(60) -- 1m

--- Prefetch learning (15-minute blocks over 24 hours)
predict.config({
  window = 15, -- 15 minutes sampling window
  period = 24*(60/15)  -- track last 24 hours
})

-- debconf-show failed