Differences

This shows you the differences between two versions of the page.

en:public:dns_knot_misc [2018/12/12 13:53]
phil [Negative trust anchors]
en:public:dns_knot_misc [2020/06/01 09:06] (current)
vcunat [Interactive command console] also Turris OS 3.x is using the new socket location
Line 1: Line 1:
-====== DNS tricks for Omnia and knot-resolver ​======+====== DNS tricks for Omnia and MOX (i.e. kresd) ​======
  
  
Line 10: Line 10:
 into section '​kresd'​ of ///​etc/​config/​resolver//​. into section '​kresd'​ of ///​etc/​config/​resolver//​.
  
 +For details on configuration format see [[https://​knot-resolver.readthedocs.io/​en/​stable/​index.html|upstream documentation]]. ​ //In case of doubt, select your kresd version in bottom-left corner.//
  
-==== Negative trust anchors ==== 
  
-When a domain'​s DNSSEC causes problems, you often want to access it without turning off validation for other domains. ​ At knot-resolver level this is simple config line, e.g.:+==== Negative trust anchors ====
  
-''trust_anchors.negative = { '​mabanque.bnpparibas'​ }''​+When a domain's DNSSEC causes problems, you often want to access it without turning off validation for other domains. ​ At knot-resolver level this is [[https://​knot-resolver.readthedocs.io/​en/​stable/​config-dnssec.html#​c.trust_anchors.set_insecure|simple config line]], e.g.:
  
 +''​trust_anchors.set_insecure({ '​mabanque.bnpparibas'​ })''​
  
 ==== Adding static address records ==== ==== Adding static address records ====
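Review bot: the new example ''trust_anchors.set_insecure({ 'mabanque.bnpparibas' })'' should say that set_insecure replaces the whole negative-trust-anchor list rather than appending to it, so every problematic domain has to go into that one call; a second call with a different name silently drops the first. It would also help to spell out, right under the example, that a listed name has DNSSEC validation switched off for it and everything below it, so the list should stay as short as the problem requires and entries should be removed once the zone is fixed, which is the point the paragraph above makes about not turning off validation for other domains.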
Line 30: Line 31:
  
 ==== Forwarding or not? ==== ==== Forwarding or not? ====
 +//To be clear, this section was written before TLS forwarding was available.//​
  
 Knot-resolver upstream recommends to go without forwarding by default, assuming you want DNSSEC validation. ​ It's more reliable and closer to how the protocol was originally meant. If it's a choice of forwarding to ISP's server or not, both with validation, I can't see a significant difference in security or privacy. Knot-resolver upstream recommends to go without forwarding by default, assuming you want DNSSEC validation. ​ It's more reliable and closer to how the protocol was originally meant. If it's a choice of forwarding to ISP's server or not, both with validation, I can't see a significant difference in security or privacy.
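Review bot: the added italic note only dates the section; it should say what changed, because the sentence after it argues that forwarding to the ISP or not makes no significant security or privacy difference "both with validation", and that comparison was written when forwarding meant plaintext queries. Suggest extending the note to something like //To be clear, this section was written before TLS forwarding was available, so the forwarding-vs-not comparison below does not account for it.// so readers do not take the unqualified conclusion at face value.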
Line 43: Line 45:
 === Setup in Turris OS 3.11 and higher === === Setup in Turris OS 3.11 and higher ===
  
-Turris 3.11 and higher ship several preconfigured DNS over TLS setups, reducing the number of steps required to configure encryption for DNS.  ​+Turris 3.11 and higher ship several preconfigured DNS over TLS setups, reducing the number of steps required to configure encryption for DNS.  ​First of all, you can just choose among them in the Foris and reForis GUIs; otherwise:
  
 **1)** Revert any custom DNS over TLS setup you may have had before Turris OS 3.11. **1)** Revert any custom DNS over TLS setup you may have had before Turris OS 3.11.
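Review bot: the added sentence makes the numbered steps sound optional for GUI users ("otherwise:"), but step **1)** reverts custom pre-3.11 DNS over TLS configuration, and nothing says whether a leftover custom setup is overridden by the Foris/reForis choice or silently coexists with it. Suggest stating explicitly that step 1 applies before using the GUI as well, or that the GUI selection takes precedence, whichever is the case.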
Line 64: Line 66:
  
  
-=== Setup in Turris OS 3.9.6 through 3.10.8 ===+=== Setup in Turris OS 3.9.6 through 3.10.8 ​[i.e. very outdated nowadays] ​===
  
 Turris OS 3.9.6 through 3.10.8 introduced knot version >= 2.0.0 with the option to use encryption for DNS queries. This doesnt work well with **Forwarding DNS** option enabled. Related forum thread is [[https://​forum.turris.cz/​t/​using-dns-over-tls-or-https/​6996|here]]. Tutorial shows example with Cloudflare servers. Turris OS 3.9.6 through 3.10.8 introduced knot version >= 2.0.0 with the option to use encryption for DNS queries. This doesnt work well with **Forwarding DNS** option enabled. Related forum thread is [[https://​forum.turris.cz/​t/​using-dns-over-tls-or-https/​6996|here]]. Tutorial shows example with Cloudflare servers.
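Review bot: the heading now marks the section as very outdated, but the body still reads as current instructions; a one-line pointer to the "Setup in Turris OS 3.11 and higher" section above would keep readers on a supported release from following this tutorial. Also, "knot version >= 2.0.0" is ambiguous between Knot DNS and knot-resolver; "knot-resolver version >= 2.0.0" would match the rest of the page, and "doesnt" wants an apostrophe.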
Line 114: Line 116:
 All "​configuration"​ and other commands can also be entered into knot-resolver'​s interactive read-eval-print-loop console. All "​configuration"​ and other commands can also be entered into knot-resolver'​s interactive read-eval-print-loop console.
   * ssh to the router   * ssh to the router
-  * enter knot-resolver CLI via ''​socat - /​tmp/​kresd/​tty/​*''​ +  * enter knot-resolver CLI via ''​socat - /​tmp/​kresd/​tty/​*'' ​ (on Turris OS 5 or 3.11.(>= 17), use ''​control''​ instead of ''​tty''​) 
-  * enter the "​commands",​ e.g. ''​cache.clear()''​ -- see [[http://​knot-resolver.readthedocs.io/​en/​stable/​daemon.html#​configuration-reference ​| upstream documentation]]+  * enter the "​commands",​ e.g. ''​cache.clear()''​ -- see [[https://​knot-resolver.readthedocs.io/​en/​stable/​index.html | upstream documentation]]
   * ''​ctrl+d''​ to exit the CLI   * ''​ctrl+d''​ to exit the CLI
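Review bot: the socat line relies on a shell glob, ''socat - /tmp/kresd/tty/*'', which only works while exactly one kresd instance socket exists; with more than one, socat receives extra arguments and fails, so the page should say to pick the instance socket by name (or use a pattern that matches a single socket). The version notation "3.11.(>= 17)" is hard to read; "3.11.17 and later" is clearer. Since the console accepts the same configuration commands that reconfigure the running resolver, it is worth one sentence that whoever can open that socket can reconfigure the resolver, so its permissions should not be loosened.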