===========================
Knot-Resolver Configuration
===========================

The configuration is made in the following file: ``/etc/knot-resolver/kresd.conf``

Cache Configuration
===================

Disabling the cache is unofficial and is not documented in the official documentation.

.. code-block:: lua

    -- Set cache (${KNOT_THREADS} is a deployment template placeholder, e.g. 4*GB)
    cache.size = ${KNOT_THREADS}*GB
    cache.max_ttl(3600) -- TTL = 1h

    -- Disabling cache completely
    policy.add(policy.all(policy.FLAGS({'NO_CACHE', 'CACHED'})))

DNS over TLS
============

This can be done with:

.. code-block:: lua

    net.tls("/etc/ssl/local/foo.pem", "/etc/ssl/local/foo.key")

Furthermore the ``kresd-tls`` service must be unmasked again.

Forward Queries
===============

For resource records (RR) which exist only in the internal view, or for PTR records which reference an IP address in the private range, a forward to an authoritative nameserver which can serve the correct answer is necessary. Instead of the action ``FORWARD``, ``STUB`` is also possible; the action ``STUB`` forwards without DNSSEC validation.

.. code-block:: lua

    -- Redirect forward queries to another DNS server
    policy.add(policy.suffix(policy.FORWARD('${IP_DNS_SERVER}'), {todname('example.com')}))
    -- Redirect reverse queries to another DNS server
    policy.add(policy.suffix(policy.FORWARD('${IP_DNS_SERVER}'), {todname('0.172.in-addr.arpa')}))

Use Regex
---------

Additionally, patterns can be used to shorten configurations that would otherwise need multiple lines.

.. code-block:: lua

    -- In this example the private class B range (172.16.0.0 - 172.31.255.255) is covered
    -- and redirected to a DNS server; one pattern per group of first octets
    policy.add(policy.pattern(policy.FORWARD('${IP_DNS_SERVER}'), '\002[1][6-9]\003172\007in%-addr\004arpa\000'))
    policy.add(policy.pattern(policy.FORWARD('${IP_DNS_SERVER}'), '\002[2][0-9]\003172\007in%-addr\004arpa\000'))
    policy.add(policy.pattern(policy.FORWARD('${IP_DNS_SERVER}'), '\002[3][0-1]\003172\007in%-addr\004arpa\000'))

Info: Knot-resolver uses Lua patterns, so some syntax differs from other regex dialects. For more information see: https://www.lua.org/manual/5.3/manual.html#6.4.1

Note that the end-of-line anchor does not work in this special case, which is why we do not rely on a regex end anchor to match these queries. Furthermore, in addition to the Lua pattern syntax, the DNS wire format has to be used to write the pattern. For more information see: http://www.zytrax.com/books/dns/ch15/

Response policy zone (RPZ)
==========================

To activate RPZ add this line to the configuration file. An RPZ zone file should be referenced there to enable this feature.

.. code-block:: lua

    policy.add(policy.rpz(policy.DENY, '/etc/knot-resolver/blocked.zone'))

RoundRobin
==========

At the moment the reordering of round-robin records does not work. See the knot-resolver 2.0.0 changelog.

.. code-block:: lua

    reorder_RR(true)

Problems
========

Sometimes the query resolution time is exceeded (knot-resolver does IPv4 and IPv6 recursion simultaneously).

.. code-block:: lua

    net.ipv6 = false
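The following is an added example, not part of the original page or of the Knot Resolver project: plain Lua helpers that build the DNS-wireformat patterns used in the Use Regex section above and check them against constructed query names before they go into ``kresd.conf``. It assumes a standalone Lua 5.2 or later interpreter (zero bytes inside patterns, as on the page) and only the standard ``string`` and ``table`` libraries; the query names, the ``rpz``-free parent zone ``172.in-addr.arpa`` and the function names are this example's own.

```lua
-- Added example (not from the page or the Knot Resolver project).
-- Plain Lua 5.2+ helpers to build DNS-wireformat patterns for policy.pattern()
-- and check them against constructed query names before editing kresd.conf.

-- Dotted name -> wire format: every label is prefixed by its length byte and
-- the name is terminated by the zero-length root label (\000).
local function to_wire(name)
  local labels = {}
  for label in name:gmatch('[^.]+') do
    assert(#label <= 63, 'label too long: ' .. label)
    labels[#labels + 1] = string.char(#label) .. label
  end
  return table.concat(labels) .. '\0'
end

-- Escape Lua pattern magic characters so the wire-format bytes match literally.
-- This is why the page's patterns write "in%-addr": a bare '-' is a quantifier.
local function pattern_escape(s)
  return (s:gsub('[%^%$%(%)%%%.%[%]%*%+%-%?]', '%%%1'))
end

-- Pattern that matches any query name ending in `zone`. The trailing \000 of
-- the wire format doubles as the end anchor, so no '$' is needed.
local function suffix_pattern(zone)
  return pattern_escape(to_wire(zone))
end

-- One pattern per octet class: a two-character label (\002) followed by a Lua
-- character class such as '[1][6-9]', then the escaped parent zone.
local function reverse_patterns(octet_classes, parent_zone)
  local out = {}
  for _, class in ipairs(octet_classes) do
    out[#out + 1] = '\002' .. class .. suffix_pattern(parent_zone)
  end
  return out
end

-- Render a pattern as a Lua string literal with \ddd escapes, i.e. the exact
-- form that goes into kresd.conf.
local function to_literal(pat)
  return (pat:gsub('[^%w%%%-%.%[%]]', function(c)
    return string.format('\\%03d', c:byte())
  end))
end

-- True if the wire form of `qname` matches at least one of the patterns.
local function matches_any(qname, patterns)
  local wire = to_wire(qname)
  for _, p in ipairs(patterns) do
    if wire:find(p) then return true end
  end
  return false
end

-- 172.16.0.0/12 split into the same three octet classes used on the page.
local patterns = reverse_patterns({ '[1][6-9]', '[2][0-9]', '[3][0-1]' },
                                  '172.in-addr.arpa')
for _, p in ipairs(patterns) do
  print(to_literal(p))  -- e.g. \002[1][6-9]\003172\007in%-addr\004arpa\000
end

-- Constructed query names: inside the range must match, outside must not.
assert(matches_any('1.0.16.172.in-addr.arpa', patterns))
assert(matches_any('254.255.31.172.in-addr.arpa', patterns))
assert(not matches_any('1.0.15.172.in-addr.arpa', patterns))  -- 172.15/16 is public
assert(not matches_any('1.0.32.172.in-addr.arpa', patterns))  -- 172.32/16 is public
assert(not matches_any('16.172.in-addr.arpa.example.com', patterns))  -- \000 anchors the end
print('all pattern checks passed')
```

Run it with a plain ``lua`` interpreter: the three printed literals are exactly the patterns from the Use Regex section, and the assertions document which reverse names are forwarded and which are not. The last assertion is the point of keeping ``\000`` in the pattern: without the explicit root label, a name that merely contains ``16.172.in-addr.arpa`` as an inner part would also be forwarded to the internal server.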
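As an added example that is not part of the original page, here is a minimal ``/etc/knot-resolver/blocked.zone`` for the RPZ section above. The origin ``rpz.local`` and all owner names are constructed. It uses only the two basic RPZ trigger targets: a ``CNAME`` to ``.`` applies the action handed to ``policy.rpz()`` (``policy.DENY`` in the configuration above), and ``rpz-passthru.`` lets a name resolve normally; the exemption relies on the exact entry taking precedence over the wildcard, as in standard RPZ semantics.

```zone
$TTL 300
$ORIGIN rpz.local.
@                    IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
@                    IN NS   localhost.

; Constructed example names. Each entry triggers the action passed to
; policy.rpz(), i.e. policy.DENY (NXDOMAIN) in the configuration above.
malware.example      CNAME .
*.malware.example    CNAME .
tracker.example      CNAME .

; Exempt one exact name under the blocked subtree: rpz-passthru. means
; "resolve normally", so ok.malware.example still gets a real answer.
ok.malware.example   CNAME rpz-passthru.
```

After editing the zone file, restart (or reload) ``kresd`` so the RPZ is re-read, then verify with a query for a listed name (expect NXDOMAIN) and for the exempted name (expect a normal answer).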