Knot-Resolver Configuration

The configuration is made in the following file: /etc/knot-resolver/kresd.conf. Values written as ${...} in the snippets below are placeholders that must be replaced with the values for your deployment.

Cache Configuration

Disabling the cache completely is an unofficial approach and is not covered by the official documentation.

-- Set cache
cache.size = ${KNOT_THREADS}*GB
cache.max_ttl(3600) -- TTL = 1h

-- Disabling cache completely
policy.add(policy.all(policy.FLAGS({'NO_CACHE', 'CACHED'})))

DNS over TLS

This can be done with:

net.tls("/etc/ssl/local/foo.pem", "/etc/ssl/local/foo.key")

Furthermore, the kresd-tls unit, which is masked by default, must be unmasked again.

Forward Queries

For resource records (RR) that exist only in the internal view, or for PTR records that reference an IP in a private range, queries must be forwarded to an authoritative nameserver that can serve the correct answer. Instead of the action FORWARD, STUB is also possible; the action STUB does not perform DNSSEC validation.

-- Redirect forward queries to another DNS server
policy:add(policy.suffix(policy.FORWARD('${IP_DNS_SERVER}'), {todname('example.com')}))
-- Redirect reverse queries to another DNS server
policy:add(policy.suffix(policy.FORWARD('${IP_DNS_SERVER}'), {todname('0.172.in-addr.arpa')}))

Use Regex

Additionally, regex (Lua patterns) can be used to shorten configurations that would otherwise need many lines.

-- In this example the 172.16.0.0/12 private range (172.16.0.0 - 172.31.255.255) is covered and redirected to a DNS server
policy:add(policy.pattern(policy.FORWARD('${IP_DNS_SERVER}'), '\002[1][6-9]\003172\007in%-addr\004arpa\000')) -- 172.16 - 172.19
policy:add(policy.pattern(policy.FORWARD('${IP_DNS_SERVER}'), '\002[2][0-9]\003172\007in%-addr\004arpa\000')) -- 172.20 - 172.29
policy:add(policy.pattern(policy.FORWARD('${IP_DNS_SERVER}'), '\002[3][0-1]\003172\007in%-addr\004arpa\000')) -- 172.30 - 172.31

Info: Knot Resolver uses Lua patterns rather than regular expressions, so some of the syntax differs. For more information see: https://www.lua.org/manual/5.3/manual.html#6.4.1 Note that an end-of-line anchor does not work in this special case; that is the reason why regex is not used to match the queries in the previous section.

In addition to Lua pattern syntax, the pattern must be written in DNS wire format: each label is prefixed by its length byte and the name is terminated by the root label (\000), which is also what makes the pattern end at the end of the name. For more information see: http://www.zytrax.com/books/dns/ch15/
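Writing these wire-format patterns by hand is error-prone, so here is a small Python script, added as an example for this page and not part of the page's own configuration or of the Knot Resolver project. It generates the policy.pattern FORWARD rules for an arbitrary octet range under a reverse zone (the three hand-written 172.16 - 172.31 rules above are one instance of it) and checks the resulting Lua patterns offline by encoding sample names in DNS wire format and emulating kresd's string.find on them. The helper names (wire_pattern, octet_patterns, matches, ...) and the sample names are this example's own; it only translates the subset of Lua pattern syntax used here (\ddd escapes, %x escapes and [..] classes), and the ${IP_DNS_SERVER} placeholder is kept from the page.

```python
"""Build and check kresd policy.pattern rules for reverse zones.

Added example (not from this page's configuration or from the Knot Resolver
project). kresd matches a policy.pattern against the query name in DNS wire
format: every label is prefixed by its length byte and the name ends with the
root label, written \\000 in the Lua pattern. The helper names are this
example's own.
"""
import re

# Characters with a special meaning in Lua patterns; they are escaped with '%'.
LUA_MAGIC = set("^$()%.[]*+-?")


def lua_escape(label: str) -> str:
    """Escape a literal label ('in-addr' -> 'in%-addr') for use in a Lua pattern."""
    return "".join("%" + c if c in LUA_MAGIC else c for c in label)


def wire_pattern(labels, terminate=True) -> str:
    """Turn labels into a Lua pattern over the wire-format name.

    A label is a literal string or a (length, fragment) tuple whose fragment is a
    Lua character-class expression. Length bytes are always written with three
    digits (\\003) so a digit that follows, as in \\003172, is not swallowed.
    """
    parts = []
    for label in labels:
        if isinstance(label, tuple):
            length, fragment = label
        else:
            length, fragment = len(label), lua_escape(label)
        parts.append("\\%03d%s" % (length, fragment))
    if terminate:
        parts.append("\\000")  # root label: this is what ends the match at the name's end
    return "".join(parts)


def octet_patterns(lo: int, hi: int):
    """Split lo..hi into (label_length, fragment) pairs.

    Values are grouped by their leading digits, so 16..31 yields [1][6-9], [2][0-9]
    and [3][0-1], the same split as the hand-written rules. Every prefix digit is
    wrapped in [] so it can never be read as part of the preceding \\ddd escape.
    """
    groups = {}
    for value in range(lo, hi + 1):
        text = str(value)
        groups.setdefault(text[:-1], [text[-1], text[-1]])[1] = text[-1]
    result = []
    for prefix, (first, last) in groups.items():
        last_class = "[%s]" % first if first == last else "[%s-%s]" % (first, last)
        result.append((len(prefix) + 1, "".join("[%s]" % d for d in prefix) + last_class))
    return result


def reverse_patterns(zone_labels, lo: int, hi: int):
    """Lua patterns matching <lo..hi>.<zone> and every name below it."""
    return [wire_pattern([frag] + list(zone_labels)) for frag in octet_patterns(lo, hi)]


def forward_rules(forward_to: str, zone_labels, lo: int, hi: int):
    """Emit one policy.pattern FORWARD rule per generated pattern."""
    return ["policy:add(policy.pattern(policy.FORWARD('%s'), '%s'))" % (forward_to, pat)
            for pat in reverse_patterns(zone_labels, lo, hi)]


def name_to_wire(name: str) -> bytes:
    """Encode a dotted name in DNS wire format, including the root label."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".") if l)
    return wire + b"\x00"


def lua_pattern_to_regex(pattern: str) -> bytes:
    """Translate the Lua pattern subset used here (\\ddd, %x, [..]) into a bytes regex."""
    out, i = b"", 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":  # decimal byte escape, up to three digits
            j = i + 1
            while j < len(pattern) and j < i + 4 and pattern[j].isdigit():
                j += 1
            out += re.escape(bytes([int(pattern[i + 1:j])]))
            i = j
        elif c == "%":  # Lua escape of a magic character
            out += re.escape(pattern[i + 1].encode("ascii"))
            i += 2
        else:  # '[', ']', '-' inside a class and plain characters mean the same in both
            out += c.encode("ascii")
            i += 1
    return out


def matches(pattern: str, name: str) -> bool:
    """Emulate kresd's string.find(query:name(), pattern) for one query name."""
    return re.search(lua_pattern_to_regex(pattern), name_to_wire(name)) is not None


if __name__ == "__main__":
    zone = ["172", "in-addr", "arpa"]
    for rule in forward_rules("${IP_DNS_SERVER}", zone, 16, 31):
        print(rule)
    pats = reverse_patterns(zone, 16, 31)
    # Constructed sample names: inside the range, outside it, and a name that only
    # contains the zone but is not below it (rejected thanks to the \000 root label).
    for name in ("72.16.172.in-addr.arpa", "1.32.172.in-addr.arpa",
                 "16.172.in-addr.arpa.example.com"):
        print("%-35s %s" % (name, any(matches(p, name) for p in pats)))
```

Running the script prints the same three rules as the hand-written configuration above. The last sample name shows the role of the trailing \000: with terminate=False the pattern would also match 16.172.in-addr.arpa.example.com, because nothing else stops the match at the end of the name.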

Response policy zone (RPZ)

To activate RPZ, add this line to the configuration file. It must reference an RPZ zone file, which is what enables the feature.

policy:add(policy.rpz(policy.DENY, '/etc/knot-resolver/blocked.zone'))

RoundRobin

At the moment, reordering of round-robin records does not work; see the knot-resolver 2.0.0 changelog.

reorder_RR(true)

Problems

Sometimes the query resolution time is exceeded (knot-resolver performs IPv4 and IPv6 recursion simultaneously). Disabling IPv6 in the resolver works around this; it is typically only needed on hosts that have IPv6 addresses but no working IPv6 upstream connectivity:

net.ipv6 = false