A Kresd Journey

With it being the Thanksgiving weekend in the US and me finally getting tired of fighting updates that reset my dnsmasq based setup, I took the time to get kresd, dnsmasq and dhcp provided addresses all playing nice, “Simple” IOT devices getting directed to Google’s name servers and persistent-across-reboot dhcp addresses all working correctly. Below are the steps I took and some config file sections. This all kicked off with me installing the Suricata based ‘new device on network’ feature ( which in its basic form looks like it could have just been done with writing new dhcp requests to the user alerts message function. I guess that wouldn’t catch hard coded address clients… maybe the Turris guys are going to make the full IDS services configurable soon to make this worthwhile) which wasn’t initially finding host names because it contains a hard coded file location for dhcp.leases.

Why do I need persistent DHCP allocations across reboots? I use Icinga in my house to monitor the place and don’t want a whole bunch of emails stating a service is down while waiting for the devices to renew their IPs and therefore I write the dhcp.leases to an mSata device. I read that KNOT can persist the cache so maybe that’s an option.

Setup based on 3.8.6

Knot, resolver, dnsmasq all set to start at boot. In Foris, enable DNSSEC and 'Enable DHCP clients in DNS'. Add whatever you like to the Domain field since we’re going to change it later ( OR… Foris could allow the use of domain.root entries).

Then we go edit files.

/etc/config/dhcp key settings:

option domain 'REDACTED.com' ( no need to share my domain so substitute yours here)
option local '/REDACTED.com/' ( Note, the field in Foris won’t let you add the .com so edit the file directly. Everything works fine. )

option port '0' ( necessary to prevent port conflicts - disables dnsmasq’s DNS service)
option leasefile '/mnt/sda1/dhcp.leases' ( for persistent storage of dhcp allocated addresses)

config dhcp 'WLAN'
option start '100'
option interface 'WLAN'
option limit '140'
option leasetime '6h'
list dhcp_option '6,192.XX.XX.1'
list dhcp_option 'set:googledns,option:dns-server,8.8.8.8'

(The last line allows me to then give certain devices access directly to the external DNS, working around the KNOT issue of vending unusable domain names. )

and any device that needs this external DNS gets:

config host
option name 'washing'
option mac 'XX:XX:XX:XX:XX:XX'
option ip '192.XX.XX.XX'
option tag 'googledns' <---- the important bit.

Leave the dhcpscript entry alone.

Now onto /etc/config/kresd. Not many changes:

hints.add_hosts('/etc/hosts')

Because I have a number of statically allocated hosts in my network ( mainly switches etc) I added them to /etc/hosts.

in /etc/rc.local:

rm /tmp/dhcp.leases
ln -s /mnt/sda1/dhcp.leases /tmp/dhcp.leases

( A number of scripts look in /tmp/dhcp.leases so because I want these persistent across boots, a quick symbolic link removes the need to edit the scripts).

in /etc/resolv.conf:

search REDACTED.com

( this allows me to now do lookups on ‘hostname’ and ‘hostname.REDACTED.com’ depending on how lazy I feel or if I have devices dependent on FQDN)

And MAYBE in /etc/kresd/kres.config.local ( I really can't remember if I edited this file so it may be auto generated):

set_param_func "hints.config" "'/mnt/sda1/dhcp.leases'"

And that’s it. Reboot and KNOT should become the primary name server, using dnsmasq to vend local DHCP addresses and appear in name searches using either just the host name or the FQDN. This is also persistent across boots due to the dhcp.leases being stored on an mSata, giving fast recovery of DNS lookups on local devices even if they haven’t renewed their IP address recently.

OR you just kill KNOT, install dnsmasq-full to get the dnssec functionality and have a single daemon doing all this :wink:

Enjoy.

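One way to turn the persisted dhcp.leases file into the hosts-file form that kresd's hints.add_hosts() reads, as an added example for this thread and not a Turris or kresd script. It assumes dnsmasq's lease line layout (expiry timestamp, MAC, IP, hostname, client-id; expiry 0 means no expiry, '*' means no hostname), uses a placeholder domain in place of REDACTED.com, and flags leases that have already expired, which a lease file kept across reboots can contain.

```python
"""Convert a dnsmasq dhcp.leases file into 'ip fqdn shortname' lines for
kresd's hints.add_hosts().  Added example, not the Turris/kresd code.
Assumed lease line layout: '<expiry> <mac> <ip> <hostname> <client-id>'."""
import time

DOMAIN = "example.test"  # placeholder for your own 'option domain' value

# Constructed sample lease file (not taken from the original post).
SAMPLE_LEASES = """\
4102444800 aa:bb:cc:00:00:01 192.0.2.10 washing 01:aa:bb:cc:00:00:01
4102444800 aa:bb:cc:00:00:02 192.0.2.11 * 01:aa:bb:cc:00:00:02
946684800 aa:bb:cc:00:00:03 192.0.2.12 oldphone 01:aa:bb:cc:00:00:03
0 aa:bb:cc:00:00:04 192.0.2.13 switch-core *
"""

def parse_leases(text, now=None):
    """Return (ip, hostname, expired) for every lease with a real hostname."""
    now = time.time() if now is None else now
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line: skip instead of crashing
        expiry, ip, host = parts[0], parts[2], parts[3]
        if host == "*":
            continue  # client sent no hostname, so there is nothing to publish
        expired = expiry != "0" and int(expiry) < now
        out.append((ip, host, expired))
    return out

def hosts_lines(text, domain=DOMAIN, now=None, keep_expired=True):
    """Emit hosts-style lines with both FQDN and short name.  Expired leases
    are kept by default so names stay resolvable until clients renew, which
    is the behaviour the persistent lease file is meant to give."""
    return [f"{ip} {host}.{domain} {host}"
            for ip, host, expired in parse_leases(text, now)
            if keep_expired or not expired]

def expired_hosts(text, now=None):
    """Names whose lease has lapsed; worth reviewing after a long outage."""
    return [host for _ip, host, expired in parse_leases(text, now) if expired]

if __name__ == "__main__":
    print("\n".join(hosts_lines(SAMPLE_LEASES)))
    print("expired:", expired_hosts(SAMPLE_LEASES))
```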

I’m glad that you managed what you wanted :slight_smile: A few notes coming to my mind:

The DNS cache has nothing to do with DHCP-assigned names, really. BTW, on Omnia it’s in /tmp/** so your flash isn’t worn down, and the service as written in Omnia clears it even on service restarts.

This should be allowed “soon”: https://gitlab.labs.nic.cz/turris/foris/issues/75

I’m sorry that you have to wait so much for libknot workaround to arrive to Omnia; there are other threads on this, e.g.: Yamaha receiver problem with Knot DNS

I think this is a bit risky. IIRC the script handling DHCP updates does clear the hints occasionally when refreshing the state from DHCP. It should be better to add hosts-like files like this: https://www.turris.cz/doc/en/public/dns_knot_misc#adding_static_address_records

Thanks for the detailed responses. Good to know there are some changes coming to make this a little simpler. On the caching of DHCP assignments, I should add some extra color. I run three schemes - devices with hardcoded addresses ( the main hypervisor box, network switches), devices with statically allocated DHCP vended addresses ( those devices I want to monitor or limit in some fashion but want some flexibility to change addresses without logging into all of them ) and ‘randomly’ allocated DHCP vended addresses ( everything else).

If I use the /tmp/dhcp.leases file, I’m aware there’s no wearing of the flash but on a reboot, the lease file gets zapped and therefore there’s nothing to load up the Knot cache with. My monitoring service will start to fail to find DNS addresses for the devices it’s monitoring until those devices have refreshed their IP addresses ( 6 hours in my house) and I’d get a load of false failures. IF I used the persistent Knot DNS cache to store those across boots then the system would still work since the devices would still have valid IP addresses, just not currently assigned via the recently restarted dnsmasq server. My approach works but probably isn’t that elegant. The initial removal of the /tmp/dhcp.leases file via rc.local isn’t strictly necessary of course but keeps it super clean.

I’ll certainly use the official method of adding the static hosts.

Thanks again
Ian

Thanks for that “rc.local” hint, now I finally see dhcp clients in Foris like I have it in Luci.
Also it seems to have fixed the “dnsmasq” syslog message I was getting all the time … “uci - entry not found”; that new python script is somehow using the hardcoded “/tmp/dhcp.leases” path instead of the one defined via Luci (resp. uci).