Package: knot-resolver
Version: 5.3.1-1+deb11u1
Severity: normal
X-Debbugs-Cc: and...@lists.savchenko.net
Dear Maintainer,
HTTP module in knot-resolver can't be enabled by adding `http` directive
in its config file.
I have tried the separate `modules.load('http')` statement via
config and control socket / `kresc`, but to no avail.
`kresd.conf` attached below. While `kresc` reports that the module is
loaded, no new port is opened and stats can't be fetched via `curl`.
`stats.list()` works as expected, this confirms that there is a valid
data to expose via http.
-- System Information:
Debian Release: 11.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
'stable'), (100, 'bullseye-fasttrack'), (100, 'bullseye-backports-staging')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-20-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8),
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages knot-resolver depends on:
ii adduser 3.118
ii debconf [debconf-2.0] 1.5.77
ii dns-root-data 2021011101
ii libc6 2.31-13+deb11u5
ii libdnssec8 3.0.5-1+deb11u1
ii libedit2 3.1-20191231-2+b1
ii libfstrm0 0.6.0-1+b1
ii libgcc-s1 10.2.1-6
ii libgnutls30 3.7.1-5+deb11u3
ii libknot11 3.0.5-1+deb11u1
ii liblmdb0 0.9.24-1
ii libluajit-5.1-2 2.1.0~beta3+dfsg-5.3
ii libnghttp2-14 1.43.0-1
ii libprotobuf-c1 1.3.3-1+b2
ii libstdc++6 10.2.1-6
ii libsystemd0 247.3-7+deb11u1
ii libuv1 1.40.0-2
ii libzscanner3 3.0.5-1+deb11u1
ii lua-sec 1.0-1
ii lua-socket 3.0~rc1+git+ac3201d-4
Versions of packages knot-resolver recommends:
ii knot-resolver-module-http 5.3.1-1+deb11u1
ii lua-basexx 0.3-2.1
ii lua-cqueues 20200726-1
knot-resolver suggests no packages.
-- Configuration Files:
/etc/default/kresd [Errno 13] Permission denied: '/etc/default/kresd'
/etc/knot-resolver/kresd.conf changed:
-- Listen locally, ipv4-only
net = { '127.0.0.1' }
net.ipv6 = false
-- Enable optional modules
modules = {
'policy', -- NXDOMAIN "bad" queries
'hints', -- read /etc/hosts and whatever is defined below
'stats', -- internal statistics
'serve_stale < cache', -- serve stale record if parent NS is unreachable
'rebinding < iterate', -- prevent rebinding attack, TODO: Remove?..
'prefill',
'predict',
'view',
http = {
host = '127.0.0.1',
port = 8053
}
}
-- Accept exclusively from localhost
view:addr('127.0.0.1/8', function (req, qry) return policy.PASS end)
view:addr('0.0.0.0/0', function (req, qry) return policy.DROP end)
-- Block Firefox DoH
policy.add(policy.suffix(policy.DENY, {todname('use-application-dns.net')}))
-- Add blocked hosts, reload on file change
-- MUST be in a special .RPZ format
-- https://knot-resolver.readthedocs.io/en/stable/modules-policy.html#policy.rpz
policy.add(policy.rpz(policy.DENY, '/etc/knot-resolver/black.rpz'))
policy.add(policy.rpz(policy.DENY, '/etc/knot-resolver/blacklist-fgs.txt'))
-- DNS-over-TLS
policy.add(policy.all(policy.TLS_FORWARD({
{'9.9.9.9', hostname='dns.quad9.net'},
{'149.112.112.112', hostname='dns.quad9.net'},
{'1.1.1.1', hostname='1dot1dot1dot1.cloudflare-dns.com'},
{'1.0.0.1', hostname='one.one.one.one'}
})))
-- DNS-over-UDP
-- policy.add(policy.all(policy.FORWARD({'9.9.9.9', '1.1.1.1'})))
--- Root zone preload
prefill.config({
['.'] = {
url = 'https://www.internic.net/domain/root.zone',
ca_file = '/etc/ssl/certs/ca-certificates.crt',
interval = 86400 -- 24h
}
})
-- Cache config
cache.size = 32 * MB
cache.max_ttl(172800) -- 48h
cache.min_ttl(60) -- 1m
--- Prefetch learning (15-minute blocks over 24 hours)
predict.config({
window = 15, -- 15 minutes sampling window
period = 24*(60/15) -- track last 24 hours
})
-- debconf-show failed
