FreeBSD Knot Resolver - Caching Full Resolver Implementation

Knot Resolver is a caching DNS resolver that suits large networks such as ISPs and is equally at home on a small office or home router. It is a modern implementation designed for scalability, robustness and flexibility, and its design differs from other resolvers: the core is small and efficient, and most features are optional modules, which keeps the attack surface small and helps performance.

Knot Resolver is a full caching resolver written in C and LuaJIT. Functionality is split into modules: three of them are built in (the iterator, the cache and the DNSSEC validator) and everything else, including the API and extension modules, is optional and loaded from the configuration.

Because the configuration and the modules are Lua, the cache and the resolution pipeline can be scripted and shared, and the fast LuaJIT FFI binding makes it practical to hook into the resolution process or build your own recursive DNS service on top of it. It is the OpenResty of DNS.

Knot Resolver also scales differently from other recursors: it does not use threads and follows a shared-nothing architecture, the one exception being the MVCC cache, which can be shared between processes. You can start and stop additional kresd processes according to load without any downtime.

In this article, we will learn how to install, configure and use Knot resolver on a FreeBSD machine.




1. Install

Like most software on FreeBSD, Knot Resolver can be installed either as a binary package with pkg or built from the ports tree. Building from ports takes longer, but it lets you pick the build options in "make config" and pulls in the full set of optional dependencies, so this article uses the ports tree.

Type the following command to start installing Knot resolver.
root@ns3:~ # cd /usr/ports/dns/knot-resolver
root@ns3:/usr/ports/dns/knot-resolver # make config
root@ns3:/usr/ports/dns/knot-resolver # make install clean
"make config" opens a menu of build options. Enable the ones you need (the defaults are fine for this article) and select "OK".

After "make install clean" the ports system fetches, builds and installs the resolver and its dependencies. Wait until the process is complete.

Installation is the easy part. The resolver is not usable yet: it still has to be configured and started.


2. Configuration

Configuration is the most important stage: you add, change and remove settings in the configuration file. The configuration directory is "/usr/local/etc/knot-resolver" and the file is named "kresd.conf". The file is a Lua script, so a syntax error stops the daemon from starting, and whatever it says is executed with the daemon's privileges at start-up.

Open "kresd.conf" and adapt it to your FreeBSD server (addresses, internal domain, forwarders). The "kresd.conf" below can be used as a starting point.

-- Listen on the LAN address of the FreeBSD server only, plain DNS on port 53
net.listen('192.168.5.2', 53, { kind = 'dns' })

-- Load useful modules
modules = {
	'hints > iterate',  -- Allow loading /etc/hosts or custom root hints
	'stats',            -- Track internal statistics
	'predict',          -- Prefetch expiring/frequent records
}

-- Names under this suffix are served by a local authoritative server
internal_domains = policy.todnames({
  'datainchi.com.'
})

-- The authoritative server runs on 127.0.0.1, port 2153.
-- STUB sends it non-recursive queries. This rule is added first because
-- policy rules are evaluated in the order they were added, and the
-- catch-all rule below would otherwise send internal names to the
-- public resolvers.
policy.add(policy.suffix(policy.STUB({'127.0.0.1@2153'}), internal_domains))

-- Cache size (the cache is an LMDB file in the resolver's working directory)
cache.size = 100 * MB

-- Everything else is forwarded over DNS-over-TLS (TCP port 853).
-- hostname= is what each forwarder's certificate is verified against;
-- a target without hostname= or pin_sha256= cannot be authenticated.
policy.add(
  policy.all(
    policy.TLS_FORWARD({
      {'8.8.8.8', hostname='dns.google' },
      {'8.8.4.4', hostname='dns.google' },
      {'1.1.1.1', hostname='cloudflare-dns.com' },
      {'1.0.0.1', hostname='cloudflare-dns.com' },
      {'9.9.9.9', hostname='dns.quad9.net' }
    })
))

"192.168.5.2" is the LAN address of the FreeBSD server, and "8.8.8.8, 8.8.4.4, 1.1.1.1, 1.0.0.1, 9.9.9.9" are public resolvers. Everything that is not under the local domain "datainchi.com" is forwarded to them, and because the rule uses policy.TLS_FORWARD the forwarding runs over DNS-over-TLS (TCP port 853), not plain UDP. The "hostname" entries are what the forwarders' certificates are checked against, using the system CA store, so a CA bundle must be present on the server (FreeBSD 12.2 and later ship one in base and manage it with certctl(8); older releases need the security/ca_root_nss package), otherwise the TLS forwarders fail to authenticate. Queries for "datainchi.com" are instead sent to the authoritative server on 127.0.0.1 port 2153, and that rule has to stay above the catch-all rule so it matches first. Note that the listener is bound to the LAN address only; if you later bind to a wildcard address, load the "view" module and add an address ACL, or the server becomes an open resolver usable for amplification attacks.

After "kresd.conf" is done, point the server itself at the resolver by editing "/etc/resolv.conf" and putting the following in it. If the interface is configured by DHCP, dhclient(8) hands the DHCP-provided name servers to resolvconf(8), which overwrites this file; on such hosts set the name server in resolvconf.conf(5) instead.
root@ns3:~ # ee /etc/resolv.conf

domain datainchi.com
nameserver 192.168.5.2


3. How to Use Knot Resolver

Even with "kresd.conf" in place the resolver is installed but not running. To start it at boot, add the following to "/etc/rc.conf":

kresd_enable="YES"
kresd_config="/usr/local/etc/knot-resolver/kresd.conf"
kresd_user="kresd"
kresd_group="kresd"
kresd_rundir="/var/run/kresd"

krescachegc_enable="YES"
krescachegc_millis="1000"

Then fix ownership. The command below hands the whole configuration directory to the kresd user:
root@ns3:~ # chown -R kresd:kresd /usr/local/etc/knot-resolver
That is more than the daemon needs. kresd only reads "kresd.conf"; what has to be writable by kresd is the run directory from rc.conf ("/var/run/kresd"), where it keeps its cache and control socket. Since "kresd.conf" is Lua that the daemon executes at start-up, a resolver that can rewrite its own configuration can be turned into a persistent foothold if it is ever compromised, so where you can, leave "kresd.conf" owned by root, readable by the kresd group and not writable by kresd.
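The following pre-flight script is an added example for this article, not part of Knot Resolver or the FreeBSD port. It checks a kresd.conf before the service is restarted for the three things discussed above: a wildcard listener without the view module ACL, a TLS_FORWARD target without hostname= or pin_sha256=, and a configuration file that the service user (or group/world) can write. It assumes the article's layout (a Lua kresd.conf, a service user named "kresd", TLS_FORWARD targets written one per line) and embeds a constructed sample configuration with two deliberate weaknesses so it can be exercised without touching the real file.

```shell
#!/bin/sh
# Pre-flight checks to run on kresd.conf before (re)starting the service.
# Added for this article; not part of Knot Resolver or the FreeBSD port.
# Assumes the article's layout: a Lua kresd.conf, a service user named
# "kresd", and TLS_FORWARD targets written one per line as shown above.

# Drop Lua "--" comments and blank lines so that a commented-out setting
# neither triggers nor hides a finding. (Assumes no "--" inside string
# literals, which holds for the configuration in this article.)
strip_lua_comments() {
    sed -e 's/--.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Finding 1: a wildcard listener (0.0.0.0 or ::) without the "view" module
# means any host that can reach the box can use it as an open resolver.
check_listen_acl() {
    conf=$(strip_lua_comments "$1")
    if printf '%s\n' "$conf" | grep -Eq "net\.listen\(['\"](0\.0\.0\.0|::)['\"]"; then
        if ! printf '%s\n' "$conf" | grep -Eq "['\"]view['\"]"; then
            echo "$1: wildcard listener without the view module ACL" >&2
            return 1
        fi
    fi
    return 0
}

# Finding 2: a TLS_FORWARD target without hostname= or pin_sha256= cannot be
# authenticated, which leaves encryption without any check of who answers.
# Target lines are the ones starting with "{" inside the TLS_FORWARD block.
check_tls_forward_auth() {
    strip_lua_comments "$1" | awk '
        /TLS_FORWARD/ { intls = 1 }
        intls && /^[ \t]*[{]/ {
            if ($0 !~ /hostname[ \t]*=/ && $0 !~ /pin_sha256[ \t]*=/) {
                bad++
                print "unauthenticated TLS forwarder:" $0 > "/dev/stderr"
            }
        }
        intls && /[}][)]/ { intls = 0 }
        END { exit bad > 0 }'
}

# Finding 3: kresd.conf is Lua that the daemon executes at start-up. If the
# service user can write it, a compromised resolver can persist through the
# next restart, so the file must not be writable by that user, nor by group
# or others. Owner uid and mode are read from "ls -ldn" for portability.
check_config_not_writable_by() {
    uid=$(id -u "$2" 2>/dev/null) || uid=$2
    set -- $(ls -ldn "$1")
    perms=$1; owner=$3
    case $perms in
        ?????w*|????????w*)
            echo "$perms uid $owner: config is group- or world-writable" >&2; return 1 ;;
    esac
    case $perms in
        ??w*)
            if [ "$owner" = "$uid" ]; then
                echo "$perms uid $owner: config is writable by the service user" >&2; return 1
            fi ;;
    esac
    return 0
}

# Run all checks; a non-zero exit means do not restart yet.
kresd_preflight() {
    rc=0
    check_listen_acl "$1" || rc=1
    check_tls_forward_auth "$1" || rc=1
    check_config_not_writable_by "$1" "${2:-kresd}" || rc=1
    return $rc
}

# Constructed sample, not a real deployment: the article's configuration with
# two deliberate weaknesses (wildcard listener, forwarder without hostname=).
# Writes it to a temporary file and prints the path.
write_sample_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
net.listen('0.0.0.0', 53, { kind = 'dns' })
modules = { 'hints > iterate', 'stats', 'predict' }
-- view:addr('192.168.5.0/24', policy.all(policy.PASS))  -- commented out, must not count
cache.size = 100 * MB
policy.add(policy.all(policy.TLS_FORWARD({
  {'8.8.8.8', hostname='dns.google' },
  {'1.1.1.1' },
})))
EOF
    chmod 644 "$f"
    echo "$f"
}

# Usage: sh kresd_preflight.sh /usr/local/etc/knot-resolver/kresd.conf kresd && service kresd restart
if [ $# -gt 0 ]; then
    kresd_preflight "$@"
fi
```

The checks are deliberately simple text matching, which is why comments are stripped first and why the script assumes one forwarder per line; a config written differently needs the patterns adjusted, not trusted blindly.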
Restart Knot resolver.
root@ns3:~ # service kresd restart
root@ns3:~ # service krescachegc restart
Knot Resolver is now running and can be used. Test it with the "dig" command.
root@ns3:~ # dig google.com

; <<>> DiG 9.18.20 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52479
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             162     IN      A       142.251.10.113
google.com.             162     IN      A       142.251.10.138
google.com.             162     IN      A       142.251.10.139
google.com.             162     IN      A       142.251.10.100
google.com.             162     IN      A       142.251.10.101
google.com.             162     IN      A       142.251.10.102

;; Query time: 94 msec
;; SERVER: 192.168.5.2#53(192.168.5.2) (UDP)
;; WHEN: Mon Jan 29 16:57:48 WIB 2024
;; MSG SIZE  rcvd: 135
Look at the SERVER line: the answer for google.com came from 192.168.5.2, the FreeBSD server's own address, so Knot Resolver is the one resolving. Run a few more queries:
root@ns3:~ # dig oracle.com +trace
root@ns3:~ # dig -x 108.59.161.1
root@ns3:~ # nslookup facebook.com
root@ns3:~ # dig oracle.com +short
root@ns3:~ # dig NS +short unixwinbsd.site
Keep in mind that "dig +trace" iterates from the root servers itself and only asks 192.168.5.2 for the root name servers, so it says little about the resolver; plain queries and reverse lookups like the other four are what show the forwarder, the stub zone and the cache at work.
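The script below turns the by-eye check above (which server answered, did it succeed, was it a recursive answer) into something you can run after every change. It is an added example for this article, not part of Knot Resolver or dig; it assumes BIND 9 dig's text output as shown above, and its second sample is constructed, not captured.

```shell
#!/bin/sh
# Checks a saved dig answer the way the article reads it by eye.
# Added for this article; not part of Knot Resolver or dig.
# Assumes BIND 9 dig's text output as shown above.

# Each helper reads one of dig's ";;" status lines from a saved answer:
#   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52479
#   ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
#   ;; SERVER: 192.168.5.2#53(192.168.5.2) (UDP)
dig_status()  { sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' "$1"; }
dig_flags()   { sed -n 's/^;; flags: \([^;]*\);.*/\1/p' "$1"; }
dig_answers() { sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p' "$1"; }
dig_server()  { sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p' "$1"; }

# Pass when: the expected resolver answered, the rcode is NOERROR, the "ra"
# flag is set (a recursive resolver replied, not an authoritative server the
# query leaked to) and the answer section is not empty.
check_dig_answer() {
    out=$1; want=$2; ok=0
    server=$(dig_server "$out"); status=$(dig_status "$out")
    flags=$(dig_flags "$out"); answers=$(dig_answers "$out")
    [ "$server" = "$want" ] || { echo "answered by '$server', expected $want" >&2; ok=1; }
    [ "$status" = NOERROR ] || { echo "rcode ${status:-missing}" >&2; ok=1; }
    case " $flags " in
        *" ra "*) ;;
        *) echo "no ra flag: not a recursive answer" >&2; ok=1 ;;
    esac
    [ "${answers:-0}" -gt 0 ] || { echo "empty answer section" >&2; ok=1; }
    return $ok
}

# Sample 1: the status lines of the google.com answer shown above.
sample_good() {
    f=$(mktemp); cat > "$f" <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52479
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 192.168.5.2#53(192.168.5.2) (UDP)
EOF
    echo "$f"
}

# Sample 2 (constructed, not captured): a query that went straight to the
# authoritative server on 127.0.0.1:2153 instead of kresd, so the failure
# path is exercised: REFUSED, no "ra" flag, nothing answered.
sample_bad() {
    f=$(mktemp); cat > "$f" <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#2153(127.0.0.1) (UDP)
EOF
    echo "$f"
}

# Usage against the live resolver: sh check_dig.sh google.com 192.168.5.2
if [ $# -eq 2 ]; then
    tmp=$(mktemp)
    dig "@$2" "$1" > "$tmp"
    check_dig_answer "$tmp" "$2" && echo "ok: $1 answered by $2"
    rc=$?
    rm -f "$tmp"
    exit $rc
fi
```

Use it with a plain query, not "+trace": a traced lookup has no single SERVER line to check because dig talks to the root and authoritative servers itself.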
In this article you have learned how to install the knot-resolver package, configure it and run it on a FreeBSD server. You can extend "kresd.conf" to get more out of Knot Resolver. This article only covers the basics; a later one will go through the remaining features.
Iwan Setiawan

I like adventure: Mount Mahameru, Mount Rinjani. I like writing about FreeBSD.
