Knot-Resolver Configuration¶

Cache Configuration¶

Disabling cache is unofficial and is not documented in the official documentation.

-- Set cache
cache.size = ${KNOT_THREADS}*GB
cache.max_ttl(3600) -- TTL = 1h

-- Disabling cache completely
policy.add(policy.all(policy.FLAGS({'NO_CACHE', 'CACHED'})))

DNS over TLS¶

This can be done with:

net.tls("/etc/ssl/local/foo.pem", "/etc/ssl/local/foo.key")

Furthermore the service of kresd-tls must be unmasked again.

Forward Queries¶

For resource records (RR) which are only in the internal view or for PTR records which reference an IP in the private range a forward to a authoritative nameserver which can serve the correct answer is necessary. Instead the action FORWARD, STUB is also possible. The action STUB is without DNSSEC validation.

-- Redirect forward queries to another DNS server
policy:add(policy.suffix(policy.FORWARD('${IP_DNS_SERVER}'), {todname('example.com')}))
-- Redirect reverse queries to another DNS server
policy:add(policy.suffix(policy.FORWARD('${IP_DNS_SERVER}'), {todname('0.172.in-addr.arpa')}))

-- In this example private network class B is covered (172.16.0.0 - 17.31.255.255) and redirected to a DNS server
policy:add(policy.pattern(policy.FORWARD('${IP_DNS_SERVER}'), '\002[1][6-9]\003172\007in%-addr\004arpa\000'))
policy:add(policy.pattern(policy.FORWARD('${IP_DNS_SERVER}'), '\002[2][0-9]\003172\007in%-addr\004arpa\000'))
policy:add(policy.pattern(policy.FORWARD('${IP_DNS_SERVER}'), '\002[3][0-1]\003172\007in%-addr\004arpa\000'))

Response policy zone (RPZ)¶

To activate RPZ add this line in the configuration file. A RPZ zone file should be refrenced in there to enable this feature.

policy:add(policy.rpz(policy.DENY, '/etc/knot-resolver/blocked.zone'))

RoundRobin¶

In the moment the reorder of roundrobin records does not work. See knot-resolver 2.0.0 changelog.

reorder_RR(true)

Problems¶

Sometimes query resolution time is exceeded (knot-resolver does ipv4+ipv6 recursion simultaneously)

net.ipv6 = false