A year has passed since I last looked at the Knot DNS server, so it’s time to re-visit it; a lot has happened, and there are two features I want to single out: support for RFC 2136 (dynamic DNS updates) and a bit of RRL (Response Rate Limiting).
Dynamic DNS
Knot protects Dynamic DNS Updates to master zones with TSIG keys I create and copy into knot.conf:
...
keys {
jpkey hmac-md5 "U/B55N6G9M8=";
}
...
remotes {
tiggr { address 172.16.153.1@53; key jpkey; }
anyclient { address 0.0.0.0/0; key jpkey; }
}
...
zones {
example.com {
file "example.com.zone";
update-in tiggr;
zonefile-sync 5m;
}
...
}
The TSIG key (named jpkey here) is associated with a remote server (or update client), and I specify the name of the remote which is allowed to update a zone with the update-in (i.e. allow IN-coming updates) statement within the zone statement. Updates received for a master zone will be handled by the server and written out to the source zone file when the zonefile-sync period kicks in. Knot will forward updates received for a slave zone to the zone’s primary master server, which I specify in an xfr-in directive.
The server logs update requests, as follows:
09:01:19.704047+01:00 UPDATE of 'example.com.' from '172.16.153.1@52480' key 'jpkey.': Started.
09:01:19.704361+01:00 UPDATE of 'example.com.' from '172.16.153.1@52480' key 'jpkey.':: Finished.
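To make concrete what the key in knot.conf protects, here is an added example (not code from this post or from Knot) that builds an RFC 2136 UPDATE message adding one A record, signs it with TSIG as an update client such as nsupdate would, and then verifies it the way the server must before honouring update-in. It uses only the Python standard library. The key name jpkey and the secret U/B55N6G9M8= are the ones from the knot.conf above; www.example.com. and 192.0.2.10 are constructed sample values. It goes slightly beyond the post by also accepting hmac-sha256 keys.

```python
"""Build and verify a TSIG-signed RFC 2136 UPDATE message (RFC 2845 / RFC 8945).
Added example, not code from the blog post or from Knot. Standard library only;
names are kept uncompressed, which is what TSIG hashing requires anyway."""
import base64
import hashlib
import hmac
import struct
import time

TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5
# Wire algorithm name and digest (RFC 8945 section 6); the post's key is hmac-md5.
ALGORITHMS = {"hmac-md5": ("hmac-md5.sig-alg.reg.int.", hashlib.md5),
              "hmac-sha256": ("hmac-sha256.", hashlib.sha256)}

def encode_name(name):
    """Canonical wire form: lowercase labels, no compression, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(buf, pos):
    """Inverse of encode_name; returns (name, position after the name)."""
    labels = []
    while buf[pos] != 0:
        n = buf[pos]
        if n & 0xC0: raise ValueError("compression pointers are not handled in this example")
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    return ".".join(labels) + ".", pos + 1

def build_update(zone, owner, ttl, ipv4, msg_id):
    """UPDATE message (opcode 5) whose single update RR adds an A record."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)  # ZO=1 PR=0 UP=1 AD=0
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    add_rr = encode_name(owner) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_section + add_rr

def tsig_variables(key_name, alg_name, time_signed, fudge, error=0, other=b""):
    """Fields hashed together with the message (RFC 8945 section 4.3.3)."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(alg_name)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)

def sign_update(message, key_name, algorithm, secret_b64, time_signed=None, fudge=300):
    """Client side: append a TSIG RR whose MAC covers the message as it was before."""
    alg_name, digestmod = ALGORITHMS[algorithm]
    time_signed = int(time.time()) if time_signed is None else time_signed
    variables = tsig_variables(key_name, alg_name, time_signed, fudge)
    mac = hmac.new(base64.b64decode(secret_b64), message + variables, digestmod).digest()
    msg_id, arcount = struct.unpack("!H", message[:2])[0], struct.unpack("!H", message[10:12])[0]
    rdata = (encode_name(alg_name)
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", msg_id, 0, 0))
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    # ARCOUNT is incremented only after the MAC was computed over the message without it.
    return message[:10] + struct.pack("!H", arcount + 1) + message[12:] + tsig_rr

def verify_update(signed, keys, now=None):
    """Server side. keys maps key name -> (algorithm, base64 secret). Returns (ok, reason)."""
    keys = {k.lower().rstrip(".") + ".": v for k, v in keys.items()}
    zocount, prcount, upcount, adcount = struct.unpack("!HHHH", signed[4:12])
    pos, start = 12, None
    for _ in range(zocount):                         # zone entries: name + type + class
        pos = read_name(signed, pos)[1] + 4
    for _ in range(prcount + upcount + adcount):     # walk every RR to find the last one
        start = pos
        pos = read_name(signed, pos)[1]
        pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
    if start is None or pos != len(signed):
        return False, "malformed message"
    key_name, p = read_name(signed, start)
    if struct.unpack("!H", signed[p:p + 2])[0] != TYPE_TSIG:
        return False, "last RR is not TSIG"
    alg_name, p = read_name(signed, p + 10)
    ts_hi, ts_lo, fudge, mac_size = struct.unpack("!HIHH", signed[p:p + 10])
    mac, p = signed[p + 10:p + 10 + mac_size], p + 10 + mac_size
    _orig_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
    other = signed[p + 6:p + 6 + other_len]
    if key_name not in keys or ALGORITHMS[keys[key_name][0]][0] != alg_name:
        return False, "unknown key or algorithm (BADKEY)"
    algorithm, secret_b64 = keys[key_name]
    time_signed = (ts_hi << 32) | ts_lo
    # Re-create exactly what the client hashed: no TSIG RR, ARCOUNT one lower.
    unsigned = signed[:10] + struct.pack("!H", adcount - 1) + signed[12:start]
    variables = tsig_variables(key_name, alg_name, time_signed, fudge, error, other)
    expected = hmac.new(base64.b64decode(secret_b64), unsigned + variables, ALGORITHMS[algorithm][1]).digest()
    if not hmac.compare_digest(expected, mac):
        return False, "bad MAC (BADSIG)"
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:               # replay window, default 300 s either way
        return False, "outside fudge window (BADTIME)"
    return True, "ok"
```

Two details are worth noticing because they are where hand-rolled TSIG code usually goes wrong: the MAC is computed over the message with the ARCOUNT it had before the TSIG RR was appended, so the verifier has to decrement it again, and the time signed plus fudge is part of the hashed data, which is what makes a captured update useless for replay after a few minutes.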
There are currently a number of limitations regarding DNS updates on
DNSSEC-signed zones (in particular: Knot can’t re-sign records), so keep an eye
on the documentation! Knot can sign records updated dynamically.
Response Rate Limiting
Running dnsperf against my test installation (running in my portable data center, so please don’t pay too much attention to the actual numbers), I obtain the following results (output abbreviated):
...
Run time limit: 30 seconds
Ran through file: 88305 times
Queries sent: 88305 queries
Queries completed: 88305 queries
Queries lost: 0 queries
Queries per second: 2943.478807 qps
Latency Success Fail |
< 0.100s 88305 0 |############################################################
...
As of version 1.2.0, response rate limiting is compiled into Knot, but it is disabled by default. I enable it by configuring the rate-limit option in the system section, for example like this:
system {
storage "/etc/knot";
user "root";
rate-limit 100;
rate-limit-slip 2;
}
After restarting Knot with RRL enabled as above, I run dnsperf again to obtain these quite different numbers:
[Timeout] Query timed out: msg id 2042
[...]
[Timeout] Query timed out: msg id 3236
Run time limit: 30 seconds
Ran through file: 3236 times
Queries sent: 3237 queries
Queries completed: 3118 queries
Queries lost: 119 queries
Queries per second: 91.900425 qps
Latency Success Fail |
< 0.100s 3118 0 |############################################################
...
Looking only at Queries per second and Queries completed, we see Knot has indeed limited the rate of responses, and the server logs the fact that it is engaging RRL mode:
08:23:16.774694+01:00 [notice] Address '172.16.153.1' leaves rate-limiting (class 'POSITIVE').
08:23:16.877744+01:00 [notice] Address '172.16.153.1' enters rate-limiting (class 'POSITIVE').
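The two settings interact in a way the dnsperf numbers alone do not show: rate-limit caps the responses a bucket may receive per second, and rate-limit-slip decides what happens to the excess. Below is an added, deliberately simplified model of that behaviour; it is not Knot's implementation (Knot keys its buckets on source prefix, response class and query name, and knows more classes than POSITIVE), and the traffic it processes is constructed inline. It shows why slip matters: with slip 2, every second limited response goes out as a tiny truncated (TC=1) reply, so a genuine resolver behind a flood still gets an answer by retrying over TCP, while the amplification available to someone spoofing the source address shrinks to that small packet.

```python
"""Simplified model of DNS response rate limiting with a 'slip' setting.
Added example, not Knot's code: one bucket per (source address, response
class), refilled with `rate_limit` tokens each second; of the responses a
bucket cannot send, every `slip`-th one is answered truncated, the rest dropped."""
from collections import Counter


class ResponseRateLimiter:
    def __init__(self, rate_limit, slip):
        self.rate_limit = rate_limit
        self.slip = slip            # 0: silently drop every limited response
        self.tokens = {}            # bucket -> responses still allowed this second
        self.second = {}            # bucket -> second in which the bucket was last refilled
        self.blocked = Counter()    # bucket -> limited responses so far (drives slip)
        self.limited = set()        # buckets currently in rate-limiting
        self.log = []               # enter/leave notices, modelled on Knot's [notice] lines

    def decide(self, t, source, rclass):
        """Return 'answer', 'truncated' or 'drop' for one query arriving at time t."""
        bucket = (source, rclass)
        if self.second.get(bucket) != int(t):      # new second: refill the bucket
            self.tokens[bucket] = self.rate_limit
            self.second[bucket] = int(t)
        if self.tokens[bucket] > 0:
            self.tokens[bucket] -= 1
            if bucket in self.limited:
                self.limited.discard(bucket)
                self.log.append(f"{t:.3f} Address '{source}' leaves rate-limiting (class '{rclass}')")
            return "answer"
        if bucket not in self.limited:
            self.limited.add(bucket)
            self.log.append(f"{t:.3f} Address '{source}' enters rate-limiting (class '{rclass}')")
        self.blocked[bucket] += 1
        if self.slip and self.blocked[bucket] % self.slip == 0:
            return "truncated"                      # TC=1 and no answer data: client retries over TCP
        return "drop"


def burst(source, qps, seconds, rclass="POSITIVE"):
    """Constructed traffic: `qps` evenly spaced queries per second from one source."""
    return [(s + i / qps, source, rclass) for s in range(seconds) for i in range(qps)]


def simulate(rate_limit, slip, queries):
    """Run constructed queries through a fresh limiter; returns (outcome counts, log)."""
    limiter = ResponseRateLimiter(rate_limit, slip)
    outcomes = Counter(limiter.decide(t, src, cls) for t, src, cls in sorted(queries))
    return outcomes, limiter.log


if __name__ == "__main__":
    # The post's setting (rate-limit 100, rate-limit-slip 2) against a 1000 qps
    # flood from one address plus a quiet 50 qps client that must stay unaffected.
    flood = burst("172.16.153.1", 1000, 3)
    quiet = burst("192.0.2.53", 50, 3)          # constructed, unrelated source
    for slip in (0, 1, 2):
        counts, log = simulate(100, slip, flood + quiet)
        print(f"slip={slip}: {dict(counts)}")
    for line in log:
        print(line)
```

In the run above the quiet client never appears in the log and has all of its 150 queries answered, while the flooding address gets exactly 100 answers per second and, with slip 2, a truncated reply for half of the rest. A slip of 1 turns every limited response into a truncated one, which is kind to legitimate clients but sends one small packet per spoofed query; slip 0 drops everything over the limit, which is quietest but makes a rate-limited resolver stall until its own retries succeed.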
See also: DNSSEC-signing with the Knot authoritative DNS server