Knot DNS: One Tame and Sane Authoritative DNS Server

How to install and minimally configure Knot
to act as your home lab’s local domain master and slave servers.

If you were a regular viewer of the original Saturday Night Live era, you
will remember the Festrunks, two lewd but naïve Czech brothers who were
self-described “wild and crazy guys!” For me, Georg and Yortuk
(plus having my binomial handed to me by tests designed by a brilliant Czech
professor at the local university’s high-school mathematics contests) were
the extent of my knowledge of the Czech Republic.

I recently discovered something else Czech, and it’s not wild and crazy
at all, but quite tame and sane, open-source and easy to configure. Knot DNS
is an authoritative DNS server first released in 2011 by
the Czech CZ.NIC organization. They wrote and continue to maintain it to
serve their national top-level domain (TLD) as well as to prevent further
extension of a worldwide BIND9 software monoculture across all TLDs.
Knot keeps its authoritative server authoritative-only; CZ.NIC publishes
the caching side separately as Knot Resolver, a fast recursive resolver that
also ships as a library.

Authoritative and caching/recursive nameserver functions are separated for
good reason. A recursive resolver queries other servers on behalf of its
clients and caches whatever comes back, so a forged or malicious response to
one of those outgoing queries can “poison” its cache. An authoritative-only
server answers solely from the zone data it has been given and refuses
queries for any other domain, so it holds no cache to poison, and its answers
for its own zones can be trusted as far as you trust the zone files and the
way they are transferred between your servers.

A software monoculture means running identical software like BIND9 everywhere
rather than different software providing identical functionality and
interoperability. This is bad for the same reason we eventually will lose
our current popular banana cultivar: being genetically identical, every
banana everywhere can be wiped out by a single pathogen. As with fruit, a
bit of genetic diversity in critical infrastructure is a good thing.

In this article, I describe how to install and minimally configure Knot
to act as your home lab’s local domain master and slave servers. I will
secure zone transfer using Transaction Signatures (TSIG), which authenticate
the master and slave to each other and protect the transfer from tampering.
TSIG does not let outside resolvers verify the zone’s contents; that is what
DNSSEC is for, and although Knot supports DNSSEC, I don’t discuss it here,
because I like you and want you to finish reading before we both die of old
age. I assume you already know what a DNS zone file is and what it looks like.
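
The shape of the master/slave-plus-TSIG setup described above, as an added example that is not the article’s own configuration: two knot.conf fragments in the YAML syntax of Knot 2.x/3.x. The zone name lab.example, the addresses 192.0.2.10 (master) and 192.0.2.20 (slave), the key name lab-xfer and the all-zero secret are assumptions made for the example; generate a real secret with `keymgr -t lab-xfer hmac-sha256` and paste the same key block into both files.

```yaml
# ---- /etc/knot/knot.conf on the master (192.0.2.10) -- added example ----
server:
    listen: 192.0.2.10@53

key:
  - id: lab-xfer                  # assumed key name; must be identical on both servers
    algorithm: hmac-sha256
    # PLACEHOLDER: 32 zero bytes in base64. Replace with the output of
    # `keymgr -t lab-xfer hmac-sha256`; never deploy this value.
    secret: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

acl:
  - id: slave-xfr                 # address AND key must both match to allow AXFR/IXFR
    address: 192.0.2.20
    key: lab-xfer
    action: transfer

remote:
  - id: slave
    address: 192.0.2.20@53
    key: lab-xfer                 # NOTIFY messages to the slave are TSIG-signed too

zone:
  - domain: lab.example           # assumed zone name
    storage: /var/lib/knot/zones
    file: lab.example.zone        # the zone file you already maintain by hand
    notify: slave
    acl: slave-xfr

# ---- /etc/knot/knot.conf on the slave (192.0.2.20) -- added example ----
server:
    listen: 192.0.2.20@53

key:
  - id: lab-xfer                  # same key block as on the master
    algorithm: hmac-sha256
    secret: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=   # PLACEHOLDER, see above

acl:
  - id: master-notify             # accept NOTIFY only from the master, and only signed
    address: 192.0.2.10
    key: lab-xfer
    action: notify

remote:
  - id: master
    address: 192.0.2.10@53
    key: lab-xfer                 # outgoing transfer requests are signed with the key

zone:
  - domain: lab.example
    storage: /var/lib/knot/zones  # Knot writes the transferred copy here
    master: master
    acl: master-notify
```

Run `knotc conf-check` on each host before reloading. Then confirm the ACL does what you think: `dig @192.0.2.10 lab.example AXFR` from an address other than the slave should come back REFUSED, and the same query with `-y hmac-sha256:lab-xfer:<secret>` from the slave’s address should return the zone. If the unsigned transfer succeeds, the acl line on the zone is missing or misnamed.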

