
Knot Resolver

Sebastiaan Deckers requested to merge sebdeckers/ansible:knot into master

Run Knot Resolver on Edge servers.

Deployed as a local caching DNS resolver, accessible only to localhost connections. Not running as a public open DNS resolver.

Knot Resolver is intended as the backend to DNS-over-HTTPS (DOH). DOH will be exposed by Edge server, proxied via Playdoh middleware (WIP).

DOH avoids the security problem of running a public resolver. Because traffic goes over HTTPS, destination addresses cannot be spoofed. This means the usual amplification attacks are impossible.

Knot Resolver uses the SSD as cache (/data/knot-resolver/cache) to avoid trashing the SD card of Odroid PoPs. The default config file shows a cache limit of 100 MB, but it is commented out, so it is not clear whether that is already the built-in default. If it blows up too much we can set an explicit limit.

Major Ubuntu Upgrade

Ansible upgrades Ubuntu from 16.04 to 18.04, which has been tested against Virtualbox (amd64) and Odroid (armhf). This is necessary to get the most recent version of Knot Resolver that runs on a Linux kernel supported by Odroid.

Odroid:

Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.14.69-148 armv7l)

Virtualbox:

Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.4.0-134-generic x86_64)

We will have to see what to do about Knot Resolver upgrades. Waiting until April 2020, when Ubuntu 20.04 is released, might be problematic. Staying on an old version is probably bad for security, standards support, and performance. So far the CZ-NIC creators of Knot Resolver appear reluctant to support armhf (and even arm64).

There are no specific dependencies on Knot Resolver. Switching to another DNS resolver is possible. For example Unbound is a popular choice.

| Ubuntu | Knot Resolver | Virtualbox | Odroid |
| --- | --- | --- | --- |
| xenial 16.04 LTS | 1.0.0~beta3 | Yes | Yes |
| bionic 18.04 LTS | 2.1.1 | Yes | Yes |
| cosmic non-LTS | 3.0.0 | Yes | No |

Automation Hurdles

The Odroid-specific packages proved troublesome to deploy automatically.

First, during apt-get dist-upgrade, there is a dialog --msgbox ... prompt that must be manually confirmed by pressing o or enter. The workaround is to symlink /bin/echo as /usr/local/bin/dialog to no-op this step.

┌──────────────────────────────────────────────────────────────────┐
│ A new boot.ini is installed.                                     │  
│ Any changes to boot.ini is lost, such as display configuration   │  
│ Persistent custom settings from /media/boot/boot.ini.default     │  
│ have been restored                                               │  
│ For reference your old boot.ini is saved to                      │  
│ /media/boot/boot.ini.old                                         │  
├──────────────────────────────────────────────────────────────────┤  
│                             <  OK  >                             │  
└──────────────────────────────────────────────────────────────────┘  

Then there was a confirmation screen when removing the currently-in-use (😱) kernel. The debconf tools are able to pre-configure this option, which skips the screen.

Package configuration

┌───────────────────┤ Configuring linux-image-4.14.5-92 ├───────────────────┐
│                                                                           │ 
│ You are running a kernel (version 4.14.5-92) and attempting to remove     │ 
│ the same version. This is a potentially disastrous action. Not only will  │ 
│ /boot/vmlinuz-4.14.5-92 be removed, making it impossible to boot it,      │ 
│ (you will have to take action to change your boot loader to boot a new    │ 
│ kernel), it will also remove all modules under the directory              │ 
│ /lib/modules/4.14.5-92. Just having a copy of the kernel image is not     │ 
│ enough, you will have to replace the modules too.                         │ 
│                                                                           │ 
│ I repeat, this is very dangerous. If at all in doubt, answer Yes. If you  │ 
│ know exactly what you are doing, and are prepared to hose your system,    │ 
│ then answer No.                                                           │ 
│                                                                           │ 
│  Do you want to abort removal now?                                        │ 
│                                                                           │ 
│                    <Yes>                       <No>                       │ 
│                                                                           │ 
└───────────────────────────────────────────────────────────────────────────┘ 
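
An Ansible task sequence for the two hurdles above, added here as an illustration and not taken from this merge request's playbooks. The debconf question name (modelled on Debian's kernel packaging templates), the package name linux-image-4.14.5-92 and the cache directory ownership are assumptions to confirm on the target with debconf-show.

```yaml
# Added example, not code from this merge request.
# Assumes the Odroid kernel package keeps Debian's debconf template naming;
# verify with: debconf-show linux-image-4.14.5-92
- name: Neutralise the boot.ini msgbox shown during dist-upgrade
  ansible.builtin.file:
    src: /bin/echo
    dest: /usr/local/bin/dialog
    state: link

- name: Pre-answer "Do you want to abort removal now?" with No for the running kernel
  ansible.builtin.debconf:
    name: linux-image-4.14.5-92
    # ASSUMPTION: question name; the non-interactive default would be
    # "true" (abort), so it must be pre-seeded to "false" to proceed.
    question: linux-image-4.14.5-92/prerm/removing-running-kernel-4.14.5-92
    vtype: boolean
    value: "false"

- name: Run the upgrade with no interactive frontend
  ansible.builtin.apt:
    update_cache: yes
    upgrade: dist
  environment:
    DEBIAN_FRONTEND: noninteractive

- name: Remove the dialog shim so the real dialog binary is usable again
  ansible.builtin.file:
    path: /usr/local/bin/dialog
    state: absent

- name: Keep the resolver cache on the SSD instead of the SD card
  ansible.builtin.file:
    path: /data/knot-resolver/cache
    state: directory
    # ASSUMPTION: match the user the kresd service actually runs as.
    owner: knot-resolver
    group: knot-resolver
    mode: "0750"
```

Note that the shim only disables the dialog prompt for the duration of the run; removing it afterwards keeps any later interactive use of dialog on the host working.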

References

Knot Resolver

DOH

Upgrading Odroid Ubuntu 16.04 to 18.04

Edited by Sebastiaan Deckers
