DNS server installation - knot-resolver

Install a DNS server on the server machine - here we show how to setup KNOT on Ubuntu 22.04

Every device on the network needs to know how to reach the Aivero system.

If your IT department handles this network, please have them resolve aivero.lan and any sub- and sub-sub domain (eg. api.openbalena.aivero.lan) to the server IP.

In this guide, we will use the https://knot-resolver.readthedocs.io/en/stable/#

Overview

We will

  1. Install knot
  2. Configure Ubuntu's systemd-resolv to use knot as the DNS server
  3. Configure knot to listen also to requests coming from the network and to resolve the aivero.lan domains to the server
  4. Restart both systemd-resolv and knot
  5. Test DNS resolution

Installation

We follow: https://knot-resolver.readthedocs.io/en/stable/quickstart-install.html

wget https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb
sudo dpkg -i knot-resolver-release.deb
sudo apt update
sudo apt install -y knot-resolver

sudo systemctl start [email protected]
sudo systemctl enable [email protected]

Configure systemd-resolv to use knot

Create a systemd-resolv configuration stub file to configure systemd-resolv to use knot and

sudo mkdir -p /etc/systemd/resolved.conf.d
sudo nano /etc/systemd/resolved.conf.d/00-use-knot.conf
# press `ctrl+x` and then `y+enter` to save

And add the following config:

[Resolve]
DNS=127.0.0.1
DNSStubListener=no


Configure knot to listen on port 53

Open the knot config file and adjust the IPs to listen on from 127.0.0.1 to 0.0.0.0.

Knot will then respond to requests coming in on any network the server is attached to.

sudo nano /etc/knot-resolver/kresd.conf
# press `ctrl+x` and then `y+enter` to save

This will look like this:

-- SPDX-License-Identifier: CC0-1.0
-- vim:syntax=lua:set ts=4 sw=4:
-- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/

-- Network interface configuration
net.listen('127.0.0.1', 53, { kind = 'dns' })
net.listen('127.0.0.1', 853, { kind = 'tls' })
--net.listen('127.0.0.1', 443, { kind = 'doh2' })
net.listen('::1', 53, { kind = 'dns', freebind = true })
net.listen('::1', 853, { kind = 'tls', freebind = true })
--net.listen('::1', 443, { kind = 'doh2' })

-- Load useful modules
modules = {
        'hints > iterate',  -- Allow loading /etc/hosts or custom root hints
        'stats',            -- Track internal statistics
        'predict',          -- Prefetch expiring/frequent records
}

-- Cache size
cache.size = 100 * MB

Here modify the IPs from 127.0.0.1 to 0.0.0.0 so that it looks as such

-- SPDX-License-Identifier: CC0-1.0
-- vim:syntax=lua:set ts=4 sw=4:
-- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/

-- Network interface configuration
net.listen('0.0.0.0', 53, { kind = 'dns' })
net.listen('0.0.0.0', 853, { kind = 'tls' })
--net.listen('0.0.0.0', 443, { kind = 'doh2' })
net.listen('::1', 53, { kind = 'dns', freebind = true })
net.listen('::1', 853, { kind = 'tls', freebind = true })
--net.listen('::1', 443, { kind = 'doh2' })

-- Load useful modules
modules = {
        'hints > iterate',  -- Allow loading /etc/hosts or custom root hints
        'stats',            -- Track internal statistics
        'predict',          -- Prefetch expiring/frequent records
}

-- Cache size
cache.size = 100 * MB


Configure knot to resolve aivero.lan domains

Now add the configuration snippet allowing knot to resolve aivero.lan to this server.

🚧

For this, you need to know the IP address that we configured for the server Please replace the PUT_IP_ADDRESS_HERE_IN_THESE_SINGLE_TICKS in the script below.


Simply add this snippet to the bottom of the file

sudo nano /etc/knot-resolver/kresd.conf
# press `ctrl+x` and then `y+enter` to save

local genRR = policy.ANSWER({
[kres.type.A] = { rdata=kres.str2ip('PUT_IP_ADDRESS_HERE_IN_THESE_SINGLE_TICKS'), ttl=900 },
}, true)

policy.add(policy.suffix(genRR, { todname('aivero.lan.') }))
policy.add(policy.suffix(genRR, { todname('openbalena.aivero.lan.') }))

The complete file should look like this now:

-- SPDX-License-Identifier: CC0-1.0
-- vim:syntax=lua:set ts=4 sw=4:
-- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/

-- Network interface configuration
net.listen('0.0.0.0', 53, { kind = 'dns' })
net.listen('0.0.0.0', 853, { kind = 'tls' })
--net.listen('0.0.0.0', 443, { kind = 'doh2' })
net.listen('::1', 53, { kind = 'dns', freebind = true })
net.listen('::1', 853, { kind = 'tls', freebind = true })
--net.listen('::1', 443, { kind = 'doh2' })

-- Load useful modules
modules = {
        'hints > iterate',  -- Allow loading /etc/hosts or custom root hints
        'stats',            -- Track internal statistics
        'predict',          -- Prefetch expiring/frequent records
}

-- Cache size
cache.size = 100 * MB

local genRR = policy.ANSWER({
[kres.type.A] = { rdata=kres.str2ip('192.168.88.248'), ttl=900 },
}, true)

policy.add(policy.suffix(genRR, { todname('aivero.lan.') }))
policy.add(policy.suffix(genRR, { todname('openbalena.aivero.lan.') }))

Restart systemd-resolv and knot

sudo systemctl restart systemd-resolved

sudo systemctl restart [email protected]


# Check both services are running correctly by checking for the text `active (running)` in
sudo systemctl status systemd-resolved

sudo systemctl status [email protected]


Test DNS resolution works

You should now be able to resolve any subdomain of aivero.lan

ping api.openbalena.aivero.lan
ping aivero.lan


# Alternatively, if you have dig installed, there will be more logs
dig api.openbalena.aivero.lan
dig aivero.lan

Allow DNS requests in the Ubuntu Firewall (if enabled)

In case you did previously enable the ubuntu firewall (this is not part of this guide) you need to allow traffic to the DNS port to pass through. You can configure the ufw firewall as such:

sudo ufw allow 53/tcp
sudo ufw allow 53/udp

Configure your router / DHCP server to advertise this DNS server

Mikrotik

Navigate to the Mikrotik configuration frontend (e.g. 192.168.88.1).

Now find IP on the left-hand bar and there select DNS.

Place your server's IP address (e.g. 192.168.88.248) in the Servers section and press Apply