Skip to content

Specifying port for authoritative DNS causes Knot resolver to fail to start

Just installed Knot 6.x, trying to configure it with internal DNS server (PowerDNS) running on the same server on port 5353.

This configuration works just fine: (does not translate addresses but besides the point - Knot resolver starts)

rundir: /run/knot-resolver
workers: 2
cache:
  storage: /var/cache/knot-resolver
logging:
  level: info
network:
  listen:
    - interface: 1.2.3.4@53
management:
  unix-socket: /run/knot-resolver/manager.sock

forward:
  - subtree: .
    servers:
      - address: [ 8.8.8.8, 1.1.1.1 ]

  - subtree:
      - internaldomain.com
      - veryinternaldomain.eu
      - in-addr.arpa
    servers: [ 127.0.0.1 ]
    options:
      authoritative: true
      dnssec: false

This configuration fails to start:

rundir: /run/knot-resolver
workers: 2
cache:
  storage: /var/cache/knot-resolver
logging:
  level: info
network:
  listen:
    - interface: 1.2.3.4@53
management:
  unix-socket: /run/knot-resolver/manager.sock

forward:
  - subtree: .
    servers:
      - address: [ 8.8.8.8, 1.1.1.1 ]

  - subtree:
      - internaldomain.com
      - veryinternaldomain.eu
      - in-addr.arpa
    servers: [ 127.0.0.1@5353 ]
    options:
      authoritative: true
      dnssec: false

Error message

2024-02-22 18:10:39,660 manager[1073498]: [ERROR] knot_resolver_manager.kres_manager: Kresd with the new config failed to start, rejecting config
2024-02-22 18:10:39,660 manager[1073498]: [ERROR] knot_resolver_manager.server: Initial config verification failed with error: canary kresd process failed to start. Config might be invalid.

Yet running kresctl validate config.yaml yields no error messages and returns code = 0

[root@cradns02 knot-resolver]# kresctl validate config.yaml
[root@cradns02 knot-resolver]# echo $?
0

kresctl convert config.yaml, comparing them afterwards yields differences only on below lines which seem very compatible to me:

[root@cradns02 knot-resolver]# diff broken.lua ok.lua
159,161c159,161
< policy.rule_forward_add('internaldomain.com',{dnssec=false,auth=true},{{'127.0.0.1@5353'},})
< policy.rule_forward_add('veryinternaldomain.eu',{dnssec=false,auth=true},{{'127.0.0.1@5353'},})
< policy.rule_forward_add('in-addr.arpa',{dnssec=false,auth=true},{{'127.0.0.1@5353'},})
---
> policy.rule_forward_add('internaldomain.com',{dnssec=false,auth=true},{{'127.0.0.1'},})
> policy.rule_forward_add('veryinternaldomain.eu',{dnssec=false,auth=true},{{'127.0.0.1'},})
> policy.rule_forward_add('in-addr.arpa',{dnssec=false,auth=true},{{'127.0.0.1'},})

Based on https://knot.pages.nic.cz/knot-resolver/config-forward.html, forwarder should support custom port numbers?

Anyway, if anyone would struggle with same problem I was able to workaround the problem using iptables -t nat -A OUTPUT -o lo -s 127.0.0.1 -p tcp --dport 53 -j REDIRECT --to-ports 5353 - the idea is to use NAT to change destination port to 5353 whenever request for DNS translation comes from localhost (= Knot resolver in our case). Not ideal solution but seems to work for now.

Edited by Pavel Švec
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information