Install Knot Resolver
jo20201 edited this page Jun 4, 2022
Knot Resolver is a caching, validating DNS resolver that scales from large resolver farms down to home network routers.
The knot-resolver packages in the stock Debian and Ubuntu repositories lag several releases behind upstream, so install from CZ.NIC's own repository instead. The knot-resolver-release.deb below only registers that repository and its signing key; the resolver itself is then installed with apt:
wget https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb
sudo dpkg -i knot-resolver-release.deb
sudo apt update
sudo apt install -y knot-resolver
Download the root hints (the list of root name servers, fetched over HTTPS from InterNIC):
sudo wget -O /etc/knot-resolver/root.hints https://www.internic.net/domain/named.root
The root hints change rarely; refresh them every 6 months from root's crontab (sudo crontab -e, so no sudo is needed in the entry) and use absolute paths, because cron does not run in your home directory. kresd reads the file at startup, so restart it afterwards:
1 0 1 */6 * wget -q -O /etc/knot-resolver/root.hints https://www.internic.net/domain/named.root && systemctl try-restart kresd@1.service
Be aware that wget -O truncates the target before the download starts, so a failed fetch leaves an empty hints file behind. Debian and Ubuntu also ship an apt-maintained copy in the dns-root-data package at /usr/share/dns/root.hints, which hints.root_file can point to instead.
Remove the packaged config file and create a new one:
sudo rm /etc/knot-resolver/kresd.conf && sudo nano /etc/knot-resolver/kresd.conf
Copy and paste the following settings:
👊BIG THANKS👊 for configurations from jo20201
-- SPDX-License-Identifier: CC0-1.0
-- vim:syntax=lua:set ts=4 sw=4:
-- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/

-- Use IPv6 for outgoing (upstream) queries. Set this to false on a host
-- without working IPv6, otherwise the IPv6 forwarders below just time out.
net.ipv6 = true

-- Network interface configuration
-- Listen to local connections only. Add a LAN address here if other hosts
-- should use this resolver; never expose port 53 to the internet.
net.listen('127.0.0.1', 53, { kind = 'dns' })

-- Load useful modules
modules = {
    'policy',                -- Block queries to local zones/bad sites
    'hints',                 -- Allow loading /etc/hosts or custom root hints
    'serve_stale < cache',   -- Allows staleness of up to one day, after roughly four seconds trying to contact the servers
    'workarounds < iterate', -- Alters resolver behavior on specific broken sub-domains
    'predict',               -- Prefetch expiring/frequent records
    'stats',                 -- Track internal statistics
    'cache',
}

-- CA bundle used to authenticate the TLS forwarders. It must be assigned
-- BEFORE it is referenced in policy.TLS_FORWARD below; in Lua a variable
-- used before assignment is nil, which would silently disable ca_file.
tls_bundle = '/etc/ssl/certs/ca-certificates.crt'

-- Forward all queries to Cloudflare over TLS (DNS-over-TLS, port 853).
-- 'hostname' is the name checked against the server certificate's
-- SubjectAltName, so it is a bare DNS name, not a 'tls://' URL.
policy.add(policy.all(
    policy.TLS_FORWARD({
        {'1.1.1.1', hostname='1dot1dot1dot1.cloudflare-dns.com', ca_file=tls_bundle},
        {'1.0.0.1', hostname='1dot1dot1dot1.cloudflare-dns.com', ca_file=tls_bundle},
        {'2606:4700:4700::1111', hostname='1dot1dot1dot1.cloudflare-dns.com', ca_file=tls_bundle},
        {'2606:4700:4700::1001', hostname='1dot1dot1dot1.cloudflare-dns.com', ca_file=tls_bundle}
    })
))

-- Root hints file downloaded above (used when resolving iteratively).
hints.root_file = '/etc/knot-resolver/root.hints'
-- Do not additionally call hints.root({...}) here: that call REPLACES the
-- whole set loaded from root_file with only the servers listed, e.g.
-- hints.root({ ['i.root-servers.net.'] = { '2001:7fe::53', '192.36.148.17' } })
-- would leave the resolver with a single root server.

-- Cache size
cache.size = 100 * MB
-- Set maximum TTL: never cache a record longer than one day
cache.max_ttl(86400)
-- Set minimum TTL: keep records at least 10 minutes even when the upstream
-- TTL is shorter. This trades freshness for fewer upstream queries; remove
-- it if upstream TTLs (e.g. for failover records) must be honoured.
cache.min_ttl(600)

-- Protect against DNS rebinding: drop answers that map public names to
-- private, link-local or loopback addresses.
modules.load('rebinding < iterate')

-- Prefetch learning (20-minute blocks over 24 hours)
predict.config({ window = 20, period = 72})

-- Fetch the root zone once a day over HTTPS so queries for the root are
-- answered from the local copy.
modules.load('prefill')
prefill.config({
    ['.'] = {
        url = 'https://www.internic.net/domain/root.zone',
        ca_file = '/etc/ssl/certs/ca-certificates.crt',
        interval = 86400 -- seconds
    }
})

-- Names of private sub-trees (placeholders taken from the Knot Resolver
-- manual). This table has no effect by itself: it only matters once it is
-- referenced by a policy rule (for example policy.suffix(policy.STUB(...),
-- extraTrees) pointing at an internal server), and because rules are
-- evaluated in order and policy.all(...) above already forwards everything,
-- such a rule must be added BEFORE the TLS_FORWARD rule.
extraTrees = policy.todnames(
    {'faketldtest.',
     'sld.example.',
     'internal.example.com.',
     '2.0.192.in-addr.arpa.' -- this applies to reverse DNS tree as well
    })

log_level('notice')
Save the file (Ctrl+X, then Y, then Enter).
Enable and start the kresd service. One instance is enough for a home network; additional instances (kresd@2, kresd@3, ...) add worker processes sharing the same cache:
sudo systemctl enable --now kresd@1.service
Check status:
sudo systemctl status kresd@1.service
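The cron entry in the root-hints step above downloads straight over the live file, so a failed fetch (network down, captive portal, HTTP error page) leaves kresd with an empty or bogus root.hints. The script below is an added example, not part of this wiki page or of Knot Resolver: it downloads to a scratch file, checks that the result actually looks like a root hints file (13 NS records for "." and an A record for each root server), and only then replaces the installed file with an atomic rename. The hints path and the kresd@1 service name are assumptions taken from the configuration above; the sample hints file it can write is a constructed fixture using TEST-NET addresses, not real root server IPs.

```shell
#!/bin/sh
# update-root-hints.sh: refresh Knot Resolver's root hints without ever
# leaving a truncated or bogus file in place.
# Added example for this wiki page; not part of Knot Resolver.
# Assumptions (not from the page): HINTS_DEST matches hints.root_file in
# kresd.conf and the resolver runs as kresd@1.service.
set -eu

HINTS_URL="https://www.internic.net/domain/named.root"
HINTS_DEST="${HINTS_DEST:-/etc/knot-resolver/root.hints}"

# validate_root_hints FILE -> exit 0 only if FILE looks like a root hints file.
# named.root carries 13 NS records for "." and an A record per root server;
# an empty file, a truncated download or an HTML error page fails this check.
validate_root_hints() {
    f="$1"
    [ -s "$f" ] || return 1
    if grep -qi '<html' "$f"; then return 1; fi
    ns_count=$(grep -Eic '^\.[[:space:]]+[0-9]+[[:space:]]+NS[[:space:]]+[A-M]\.ROOT-SERVERS\.NET\.?[[:space:]]*$' "$f" || true)
    a_count=$(grep -Eic '^[A-M]\.ROOT-SERVERS\.NET\.?[[:space:]]+[0-9]+[[:space:]]+A[[:space:]]+[0-9.]+[[:space:]]*$' "$f" || true)
    [ "$ns_count" -ge 13 ] && [ "$a_count" -ge 13 ]
}

# install_root_hints SRC DEST -> validate SRC, then replace DEST atomically.
# The temp file lives in DEST's directory so mv is a rename(2): kresd can
# never observe a half-written file, and DEST is untouched on any failure.
install_root_hints() {
    src="$1"; dest="$2"
    validate_root_hints "$src" || { echo "refusing to install invalid hints: $src" >&2; return 1; }
    staged=$(mktemp "${dest}.XXXXXX")
    cp "$src" "$staged"
    chmod 0644 "$staged"
    mv -f "$staged" "$dest"
}

# update_root_hints DEST -> fetch over HTTPS into a scratch file and install.
# Unlike "wget -O /etc/knot-resolver/root.hints", a failed download cannot
# clobber the file kresd is currently using.
update_root_hints() {
    dest="$1"
    dl=$(mktemp)
    trap 'rm -f "$dl"' EXIT
    wget -q -O "$dl" "$HINTS_URL"
    install_root_hints "$dl" "$dest"
    # kresd reads hints.root_file at startup, so restart it if it is running.
    systemctl try-restart kresd@1.service
}

# write_sample_hints PATH: constructed fixture in named.root layout
# (addresses from TEST-NET-1, 192.0.2.0/24, not real root server IPs).
write_sample_hints() {
    out="$1"
    : > "$out"
    i=1
    for l in A B C D E F G H I J K L M; do
        printf '.\t3600000\tNS\t%s.ROOT-SERVERS.NET.\n' "$l" >> "$out"
        printf '%s.ROOT-SERVERS.NET.\t3600000\tA\t192.0.2.%d\n' "$l" "$i" >> "$out"
        i=$((i + 1))
    done
}

# Only perform the live update when asked; this is what cron should call.
if [ "${1:-}" = "--update" ]; then
    update_root_hints "$HINTS_DEST"
fi
```

Install it as /usr/local/sbin/update-root-hints.sh and replace the cron entry with "1 0 1 */6 * /usr/local/sbin/update-root-hints.sh --update". To confirm the resolver is actually forwarding over TLS after the service starts, "dig @127.0.0.1 example.com" should answer and "ss -tn | grep ':853'" should show established connections to the Cloudflare addresses rather than any traffic on port 53 leaving the host.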