Specifying port for authoritative DNS causes Knot resolver to fail to start
Just installed Knot 6.x, trying to configure it with an internal DNS server (PowerDNS) running on the same server on port 5353.
This configuration works just fine (it does not translate addresses, but that is beside the point: Knot resolver starts):
rundir: /run/knot-resolver
workers: 2
cache:
  storage: /var/cache/knot-resolver
logging:
  level: info
network:
  listen:
    - interface: 1.2.3.4@53
management:
  unix-socket: /run/knot-resolver/manager.sock
forward:
  - subtree: .
    servers:
      - address: [ 8.8.8.8, 1.1.1.1 ]
  - subtree:
      - internaldomain.com
      - veryinternaldomain.eu
      - in-addr.arpa
    servers: [ 127.0.0.1 ]
    options:
      authoritative: true
      dnssec: false
This configuration fails to start:
rundir: /run/knot-resolver
workers: 2
cache:
  storage: /var/cache/knot-resolver
logging:
  level: info
network:
  listen:
    - interface: 1.2.3.4@53
management:
  unix-socket: /run/knot-resolver/manager.sock
forward:
  - subtree: .
    servers:
      - address: [ 8.8.8.8, 1.1.1.1 ]
  - subtree:
      - internaldomain.com
      - veryinternaldomain.eu
      - in-addr.arpa
    servers: [ 127.0.0.1@5353 ]
    options:
      authoritative: true
      dnssec: false
Error message:
2024-02-22 18:10:39,660 manager[1073498]: [ERROR] knot_resolver_manager.kres_manager: Kresd with the new config failed to start, rejecting config
2024-02-22 18:10:39,660 manager[1073498]: [ERROR] knot_resolver_manager.server: Initial config verification failed with error: canary kresd process failed to start. Config might be invalid.
Yet running kresctl validate config.yaml yields no error messages and returns code 0:
[root@cradns02 knot-resolver]# kresctl validate config.yaml
[root@cradns02 knot-resolver]# echo $?
0
Converting both configurations with kresctl convert config.yaml and comparing them afterwards yields differences only on the lines below, which seem very compatible to me:
[root@cradns02 knot-resolver]# diff broken.lua ok.lua
159,161c159,161
< policy.rule_forward_add('internaldomain.com',{dnssec=false,auth=true},{{'127.0.0.1@5353'},})
< policy.rule_forward_add('veryinternaldomain.eu',{dnssec=false,auth=true},{{'127.0.0.1@5353'},})
< policy.rule_forward_add('in-addr.arpa',{dnssec=false,auth=true},{{'127.0.0.1@5353'},})
---
> policy.rule_forward_add('internaldomain.com',{dnssec=false,auth=true},{{'127.0.0.1'},})
> policy.rule_forward_add('veryinternaldomain.eu',{dnssec=false,auth=true},{{'127.0.0.1'},})
> policy.rule_forward_add('in-addr.arpa',{dnssec=false,auth=true},{{'127.0.0.1'},})
Based on https://knot.pages.nic.cz/knot-resolver/config-forward.html, the forwarder should support custom port numbers?
Anyway, if anyone struggles with the same problem: I was able to work around it using iptables -t nat -A OUTPUT -o lo -s 127.0.0.1 -p tcp --dport 53 -j REDIRECT --to-ports 5353
- the idea is to use NAT to change the destination port to 5353 whenever a DNS request comes from localhost (= Knot resolver in our case). Not an ideal solution, but it seems to work for now.
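The NAT workaround from the post, turned into a small idempotent script. This is an added example and not code from the original post or from the Knot Resolver project. It assumes iptables is installed, the script runs as root, and the internal server listens on 127.0.0.1 at the port given in DNS_PORT (default 5353, a hypothetical variable name). It goes slightly beyond the one-line rule in the post: DNS queries are sent over UDP by default with TCP fallback, so the script installs the redirect for both protocols, checks with iptables -C before appending so it can be rerun safely, and offers a remove function for when the port can be specified in config.yaml directly. DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original post or the Knot Resolver project):
# redirect DNS traffic that kresd sends from 127.0.0.1 to port 53 over to the
# port the internal authoritative server actually listens on.
# Assumptions: iptables is installed, we run as root, and the internal server
# listens on 127.0.0.1:$DNS_PORT. DNS_PORT and DRY_RUN are hypothetical names
# chosen for this example.

DNS_PORT="${DNS_PORT:-5353}"
# DRY_RUN=1 echoes the iptables commands instead of running them.
DRY_RUN="${DRY_RUN:-0}"

# Rule specification for one protocol (everything after "-t nat -A/-C/-D").
dns_redirect_rule() {
    printf 'OUTPUT -o lo -s 127.0.0.1 -p %s --dport 53 -j REDIRECT --to-ports %s' "$1" "$2"
}

# Succeeds only for an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Install the redirect for UDP and TCP. iptables -C exits 0 when the exact
# rule already exists, so -A is only run once per protocol.
install_dns_redirect() {
    port="$1"
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    for proto in udp tcp; do
        # word splitting of the rule specification is intended
        # shellcheck disable=SC2046
        if [ "$DRY_RUN" = 1 ] || ! iptables -t nat -C $(dns_redirect_rule "$proto" "$port") 2>/dev/null; then
            run iptables -t nat -A $(dns_redirect_rule "$proto" "$port")
        fi
    done
}

# Remove both rules again (e.g. once the port can be set in config.yaml).
remove_dns_redirect() {
    port="$1"
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    for proto in udp tcp; do
        # shellcheck disable=SC2046
        run iptables -t nat -D $(dns_redirect_rule "$proto" "$port")
    done
}

# Usage: ./dns_redirect.sh install | remove   (DNS_PORT=5353 DRY_RUN=0 by default)
if [ "${1:-}" = "install" ]; then install_dns_redirect "$DNS_PORT"; fi
if [ "${1:-}" = "remove" ]; then remove_dns_redirect "$DNS_PORT"; fi
```

Run DRY_RUN=1 ./dns_redirect.sh install first to see the exact rules before applying them; the -s 127.0.0.1 match keeps the redirect limited to queries kresd itself sends to localhost, so other local clients talking to 127.0.0.1:53 are not affected unless they also originate from 127.0.0.1.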