Re: [knot-dns-users] is there a out-of-the-box receipt to use knot as a DNS cache for a Tor exit relay ?

2016-10-16 Thread Toralf Förster
On 10/15/2016 11:28 PM, Ondřej Surý wrote:
> you need knot-resolver (knot-resolver.cz) and not knot-dns (this is the 
> authoritative-only part).
> 
> Cheers,

Ough - sry for stupidity

-- 
Toralf
PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
___
knot-dns-users mailing list
knot-dns-users@lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users


Re: [knot-dns-users] is there a out-of-the-box receipt to use knot as a DNS cache for a Tor exit relay ?

2016-10-15 Thread Ondřej Surý
Toralf,

you need knot-resolver (knot-resolver.cz) and not knot-dns (this is the 
authoritative-only part).

Cheers,
Ondrej

--
 Ondřej Surý -- Technical Fellow
 
 CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
 Milesovska 5, 130 00 Praha 3, Czech Republic
 mailto:ondrej.s...@nic.cz https://nic.cz/
 

- Original Message -
> From: "Toralf Förster" 
> To: "Marek Vavruša" 
> Cc: "Ondřej Surý" , "knot-dns-users" 
> 
> Sent: Saturday, 15 October, 2016 22:19:27
> Subject: Re: [knot-dns-users] is there a out-of-the-box receipt to use knot 
> as a DNS cache for a Tor exit relay ?

> On 10/15/2016 08:58 PM, Marek Vavruša wrote:
>> As in your 5-step list: you have to install it, modify /etc/resolv.conf
>> as in step 2, and then start it (kresd -k /var/something/root.keys).
> Hhm, not as easy as dnsmasq I must admit.
> 
> The emerged package under Gentoo:
> 
> net-dns/knot-2.3.1::gentoo was built with the following:
> USE="fastparser -caps -debug -dnstap -doc -idn -systemd" ABI_X86="64"
> 
> doesn't have a kresd installed anywhere. After renaming the config file here
> under Gentoo and adding a few remote DNS servers:
> 
> remote:
>  - id: n1
>address: 2a01:4f8:0:a0a1::add@1010
> 
>  - id: n2
>address: 2a01:4f8:0:a102::add@
> 
>  - id: n3
>address: 2a01:4f8:0:a111::add@9898
> 
>  - id: n4
>address: 213.133.98.98@53
> 
>  - id: n5
>address: 213.133.99.99@53
> 
>  - id: n6
>address: 213.133.100.100@53
> 
> I still get:
> 
> mr-fox knot # dig com. any +dnssec
> 
> ; <<>> DiG 9.10.4-P3 <<>> com. any +dnssec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 64152
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;com.   IN  ANY
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sat Oct 15 22:11:51 CEST 2016
> ;; MSG SIZE  rcvd: 32
> 
> 
> So I do wonder how to convince knot to resolve the name?
> 
> 
> 
> BTW adding this:
> 
> 
> modules = { 'daf' }
> daf.add 'forward 2a01:4f8:0:a0a1::add'
> daf.add 'forward 2a01:4f8:0:a102::add'
> daf.add 'forward 2a01:4f8:0:a111::add'
> 
> 
> gives:
> 
> Oct 15 22:18:06 mr-fox knot[4363]: error: config, file '/etc/knot/knot.conf',
> line 39, item 'modules', value '' (parser failed)
> Oct 15 22:18:06 mr-fox knot[4363]: critical: failed to load configuration file
> '/etc/knot/knot.conf' (parser failed)
> 
> 
> --
> Toralf
> PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7


Re: [knot-dns-users] is there a out-of-the-box receipt to use knot as a DNS cache for a Tor exit relay ?

2016-10-15 Thread Toralf Förster
On 10/15/2016 08:58 PM, Marek Vavruša wrote:
> As in your 5-step list: you have to install it, modify /etc/resolv.conf
> as in step 2, and then start it (kresd -k /var/something/root.keys).
Hhm, not as easy as dnsmasq I must admit.

The emerged package under Gentoo:

net-dns/knot-2.3.1::gentoo was built with the following:
USE="fastparser -caps -debug -dnstap -doc -idn -systemd" ABI_X86="64"

doesn't have a kresd installed anywhere. After renaming the config file here 
under Gentoo and adding a few remote DNS servers:

remote:
  - id: n1
address: 2a01:4f8:0:a0a1::add@1010

  - id: n2
address: 2a01:4f8:0:a102::add@

  - id: n3
address: 2a01:4f8:0:a111::add@9898

  - id: n4
address: 213.133.98.98@53

  - id: n5
address: 213.133.99.99@53

  - id: n6
address: 213.133.100.100@53

I still get:

mr-fox knot # dig com. any +dnssec

; <<>> DiG 9.10.4-P3 <<>> com. any +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 64152
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;com.   IN  ANY

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Oct 15 22:11:51 CEST 2016
;; MSG SIZE  rcvd: 32


So I do wonder how to convince knot to resolve the name?



BTW adding this:


modules = { 'daf' }
daf.add 'forward 2a01:4f8:0:a0a1::add'
daf.add 'forward 2a01:4f8:0:a102::add'
daf.add 'forward 2a01:4f8:0:a111::add'


gives:

Oct 15 22:18:06 mr-fox knot[4363]: error: config, file '/etc/knot/knot.conf', 
line 39, item 'modules', value '' (parser failed)
Oct 15 22:18:06 mr-fox knot[4363]: critical: failed to load configuration file 
'/etc/knot/knot.conf' (parser failed)


-- 
Toralf
PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7


Re: [knot-dns-users] is there a out-of-the-box receipt to use knot as a DNS cache for a Tor exit relay ?

2016-10-15 Thread Marek Vavruša
Hi,

dnsmasq is a caching forwarder, knot resolver is a full resolver (but can be
configured as a forwarder too).

As in your 5-step list: you have to install it, modify /etc/resolv.conf as
in step 2, and then start it (kresd -k /var/something/root.keys).

If you want to forward to full recursors like 8.8.8.8 then you need to
touch configuration, and do something like:

modules = { 'daf' }
daf.add 'forward 8.8.8.8'

See
http://knot-resolver.readthedocs.io/en/latest/modules.html#dns-application-firewall

Marek


On 15 October 2016 at 11:10, Toralf Förster  wrote:

> On 10/15/2016 07:01 PM, Ondřej Surý wrote:
> > What are the requirements?
> Hi Ondřej,
>
> I'm looking for a short generic description. For dnsmasq I do have a short
> 5-step list compiled in [1] and was wondering if it would be easy too to
> use knot instead of dnsmasq.
>
> The background is that at the mailing lists and in the Tor wiki a lot was
> written about bind and unbound but I do like diversity and/or lightweight
> solutions.
>
>
> [1] https://zwiebeltoralf.de/torserver.html
> --
> Toralf
> PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
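As an added example (not code from this thread, and not the knot-dns or knot-resolver projects' own code): a small POSIX shell helper that writes Marek's `daf` forwarding snippet into a kresd config file for a list of recursors, plus a check that classifies `dig` output the way a relay operator would verify the result. The check tells the answer Toralf got from knot-dns (status REFUSED, no `ra` flag, "recursion requested but not available") apart from an answer from a server that actually recurses (`ra` flag set). The two sample `dig` outputs are constructed from the thread; the forwarder addresses, the config path and the function names are placeholders chosen for the example.

```shell
#!/bin/sh
# Example helpers (not from the thread): a kresd forwarder config writer
# and a classifier for dig output. Assumptions: the daf module syntax
# shown in the thread (modules = { 'daf' }; daf.add 'forward ADDR'),
# dig's standard ';; ->>HEADER<<-' and ';; flags:' output lines.

# write_forward_config FILE ADDR...
# Writes a kresd config that forwards every query to the given recursors.
# Listen address, cache size and cache location are left to the package
# defaults (the Debian package keeps its cache in /run/knot-resolver/).
write_forward_config() {
    file=$1
    shift
    {
        echo "-- kresd config written by write_forward_config (example)"
        echo "modules = { 'daf' }"
        for addr in "$@"; do
            echo "daf.add 'forward $addr'"
        done
    } > "$file"
}

# classify_dig_output: reads dig output on stdin and prints one of
#   recursive          - header found and the 'ra' (recursion available) flag set
#   authoritative-only - header found, 'ra' missing (what knot-dns answers)
#   unknown            - no dig header/flags line found (timeout, wrong input)
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    if [ -z "$status" ] || [ -z "$flags" ]; then
        echo unknown
        return 0
    fi
    # Surround with spaces so that 'ra' is matched as a whole flag, not as
    # part of another token.
    case " $flags " in
        *" ra "*) echo recursive ;;
        *)        echo authoritative-only ;;
    esac
}

# Constructed sample 1: the REFUSED answer from the thread, i.e. knot-dns
# (authoritative-only) asked to recurse.
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 64152
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available'

# Constructed sample 2: what a working recursive resolver answers
# (the 'ra' flag is present; 'ad' means the answer validated).
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1'

# Demonstration: classify both samples and write a two-recursor config
# to a temporary file (the addresses are placeholders, not recommendations).
printf '%s\n' "$SAMPLE_REFUSED" | classify_dig_output   # authoritative-only
printf '%s\n' "$SAMPLE_OK" | classify_dig_output        # recursive
demo_conf=$(mktemp)
write_forward_config "$demo_conf" 192.0.2.1 2001:db8::1
cat "$demo_conf"
rm -f "$demo_conf"
```

On a live host the same check is `dig @127.0.0.1 com. +dnssec | classify_dig_output`: after kresd is started with the generated config it should print `recursive`; `authoritative-only` means the process answering on port 53 is still knot-dns, which is the situation in the thread.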


Re: [knot-dns-users] is there a out-of-the-box receipt to use knot as a DNS cache for a Tor exit relay ?

2016-10-15 Thread Toralf Förster
On 10/15/2016 07:01 PM, Ondřej Surý wrote:
> What are the requirements?
Hi Ondřej,

I'm looking for a short generic description. For dnsmasq I do have a short 
5-step list compiled in [1] and was wondering if it would be easy too to use 
knot instead of dnsmasq.

The background is that at the mailing lists and in the Tor wiki a lot was 
written about bind and unbound but I do like diversity and/or lightweight 
solutions.


[1] https://zwiebeltoralf.de/torserver.html
-- 
Toralf
PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7


Re: [knot-dns-users] is there a out-of-the-box receipt to use knot as a DNS cache for a Tor exit relay ?

2016-10-15 Thread Ondřej Surý
I don't know of any, but I would be certainly happy
to help you write such doc.  What are the requirements?

The Debian package might be a good start - it starts
unprivileged (using systemd socket activation) and
it keeps the DNS cache in /run/knot-resolver/, so
the machine restart forgets all the cached records.

O.
--
 Ondřej Surý -- Technical Fellow
 
 CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
 Milesovska 5, 130 00 Praha 3, Czech Republic
 mailto:ondrej.s...@nic.cz https://nic.cz/
 

- Original Message -
> From: "Toralf Förster" 
> To: "knot-dns-users" 
> Sent: Saturday, 15 October, 2016 18:59:00
> Subject: [knot-dns-users] is there a out-of-the-box receipt to use knot as a 
> DNS cache for a Tor exit relay ?

> As a lazy slacker I do wonder about such a
> knot-in-a-nutshell-for-tor-exit-relay-operator-dummies doc ?
> ;)
> 
> --
> Toralf
> PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7