Install Knot Resolver
trinib edited this page Jun 6, 2022
Knot Resolver is a caching DNS resolver that scales from huge resolver farms down to home network routers.
The packages available in distribution repositories of Debian and Ubuntu are outdated.
Manually download the latest release package and install it (root privileges are needed for `dpkg` and `apt`):

```sh
wget https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb
sudo dpkg -i knot-resolver-release.deb
sudo apt update
sudo apt install -y knot-resolver
```
Download the root hints (the `mv` into `/etc` also needs `sudo`):

```sh
sudo wget -O root.hints https://www.internic.net/domain/named.root && sudo mv root.hints /etc/knot-resolver/
```
The root hints need to be refreshed every 6 months. Add a cron job for it in root's crontab (`sudo crontab -e`, so no `sudo` is needed inside the job); the fields `1 0 1 */6 *` mean 00:01 on the first day of every sixth month, and the file is only moved into place if the download succeeded:

```sh
1 0 1 */6 * wget -q -O /tmp/root.hints https://www.internic.net/domain/named.root && mv /tmp/root.hints /etc/knot-resolver/root.hints
```
Remove the old kresd config file and re-create it:

```sh
sudo rm /etc/knot-resolver/kresd.conf && sudo nano /etc/knot-resolver/kresd.conf
```
Copy and paste the following settings:
👊BIG THANKS👊 to jo20201 for the configuration.
```lua
-- SPDX-License-Identifier: CC0-1.0
-- vim:syntax=lua:set ts=4 sw=4:
-- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/

net.ipv6 = true

-- Network interface configuration
-- listen to local connections
net.listen('127.0.0.1', 53, { kind = 'dns' })

-- Load useful modules
modules = {
    'policy',                -- Block queries to local zones/bad sites
    'hints > iterate',       -- Allow loading /etc/hosts or custom root hints
    'serve_stale < cache',   -- Allows stale-ness by up to one day, after roughly four seconds trying to contact the servers
    'workarounds < iterate', -- Alters resolver behavior on specific broken sub-domains
    'rebinding < iterate',   -- Refuse answers that point public names at private address ranges (DNS rebinding protection)
    'predict',               -- Prefetch expiring/frequent records
    'stats',                 -- Track internal statistics
    'cache',
}

-- CA bundle used to verify the upstream resolver's TLS certificate.
-- Lua evaluates the file top to bottom, so this must be set before it is used.
tls_bundle = '/etc/ssl/certs/ca-certificates.crt'

-- Cache size
cache.size = 100 * MB
-- Set maximum TTL
cache.max_ttl(86400)
-- Set minimum TTL
cache.min_ttl(600)

-- Prefetch learning (20-minute blocks over 24 hours)
predict.config({ window = 20, period = 72 })

-- Pre-fill the cache with the root zone, refreshed daily
modules.load('prefill')
prefill.config({
    ['.'] = {
        url = 'https://www.internic.net/domain/root.zone',
        ca_file = tls_bundle,
        interval = 86400 -- seconds
    }
})

hints.root_file = '/etc/knot-resolver/root.hints'
-- Add a custom hint (example entry; replace it or remove it)
hints['foo.bar'] = '127.0.0.1'

-- DNSSEC validation is on by default; only needed if you manage the
-- trust anchor file yourself (second argument: readonly flag)
-- trust_anchors.add_file('/usr/share/dns/root.key', false)

-- Policy rules are evaluated in order. FORWARD, TLS_FORWARD and STUB are not
-- chain actions: the first one that matches ends evaluation for that query.
-- The catch-all forwarding rule therefore has to come LAST, after the
-- suffix rules, or the suffix rules are never reached.

-- Answers for reverse queries about the 192.168.1.0/24 subnet
-- are to be obtained from IP address 127.0.0.1 port 5353 (dnscrypt-proxy)
-- or port 5053 (cloudflared tunnel)
-- This disables DNSSEC validation !!!
policy.add(policy.suffix(
    policy.STUB('127.0.0.1@5353'),
    {todname('1.168.192.in-addr.arpa')}))
-- policy.add(policy.suffix(policy.PASS, {todname('1.168.192.in-addr.arpa')}))

-- Internal zones served by a local authoritative server. The names and the
-- 2001:db8::1 address are the placeholder example from the Knot Resolver
-- manual; replace them with your own or remove this block.
extraTrees = policy.todnames(
    {'faketldtest.',
     'sld.example.',
     'internal.example.com.',
     '2.0.192.in-addr.arpa.' -- this applies to reverse DNS tree as well
    })
-- Beware: the rule order is important, as policy.STUB is not a chain action.
-- Flags: for "dumb" targets disabling EDNS can help (below) as DNSSEC isn't
-- validated anyway; in some of those cases adding 'NO_0X20' can also help,
-- though it also lowers defenses against off-path attacks on communication
-- between the two servers.
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE', 'NO_EDNS'}), extraTrees))
policy.add(policy.suffix(policy.STUB({'2001:db8::1'}), extraTrees))

-- Forward everything else to Cloudflare using TLS (DNS-over-TLS, port 853).
-- 'hostname' is the name checked against the upstream certificate; it is a
-- bare host name, without a 'tls://' scheme prefix.
policy.add(policy.all(
    policy.TLS_FORWARD({
        {'1.1.1.1', hostname='1dot1dot1dot1.cloudflare-dns.com', ca_file=tls_bundle},
        {'1.0.0.1', hostname='1dot1dot1dot1.cloudflare-dns.com', ca_file=tls_bundle},
        {'2606:4700:4700::1111', hostname='1dot1dot1dot1.cloudflare-dns.com', ca_file=tls_bundle},
        {'2606:4700:4700::1001', hostname='1dot1dot1dot1.cloudflare-dns.com', ca_file=tls_bundle}
    })
))
-- Plaintext alternative (port 53, no transport encryption). Do not enable it
-- together with TLS_FORWARD: only the first catch-all rule would ever be used.
-- policy.add(policy.all(policy.FORWARD({'1.1.1.1', '1.0.0.1'})))

log_level('notice')
```
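As an added check (not part of this wiki page or of Knot Resolver itself) for the rule-ordering trap the config comments warn about: the script below reads the `policy.add(...)` lines of a kresd.conf in evaluation order and reports every rule that sits after a `policy.all()` rule with a non-chain action such as TLS_FORWARD, FORWARD or STUB, since kresd never reaches those. The two configuration snippets are constructed samples; the action lists mirror the Knot Resolver policy module.

```python
import re

# Actions that end policy evaluation for the query ("non-chain" actions).
TERMINAL = {"FORWARD", "TLS_FORWARD", "STUB", "PASS", "DENY", "DENY_MSG",
            "DROP", "REFUSE", "TC", "ANSWER"}
# Chain actions: the query continues to the rules that follow.
CHAIN = {"FLAGS", "MIRROR", "QTRACE", "REQTRACE"}

# Matches "policy.add(policy.<filter>(policy.<ACTION>" across line breaks.
RULE_RE = re.compile(
    r"policy\.add\(\s*policy\.(all|suffix|pattern|domains)\(\s*policy\.([A-Z_0-9]+)")

def strip_comments(lua: str) -> str:
    """Drop Lua '--' line comments so commented-out rules are not counted."""
    return "\n".join(line.split("--", 1)[0] for line in lua.splitlines())

def parse_rules(lua: str):
    """Return (filter, action) pairs in the order kresd evaluates them."""
    return [m.groups() for m in RULE_RE.finditer(strip_comments(lua))]

def shadowed_rules(lua: str):
    """Indices of rules that can never fire: they follow a policy.all() rule
    whose action is terminal, so every query is already answered before them."""
    rules = parse_rules(lua)
    for i, (flt, action) in enumerate(rules):
        if flt == "all" and action in TERMINAL:
            return list(range(i + 1, len(rules)))
    return []

# Constructed sample: catch-all TLS_FORWARD first, suffix rules after it.
BAD_ORDER = """
policy.add(policy.all(policy.TLS_FORWARD({{'1.1.1.1', hostname='1dot1dot1dot1.cloudflare-dns.com'}})))
policy.add(policy.suffix(policy.STUB('127.0.0.1@5353'), {todname('1.168.192.in-addr.arpa')}))
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE', 'NO_EDNS'}), extraTrees))
policy.add(policy.suffix(policy.STUB({'2001:db8::1'}), extraTrees))
-- policy.add(policy.all(policy.FORWARD({'1.1.1.1', '1.0.0.1'})))
"""
# Same rules with the catch-all moved to the end (the correct order).
_lines = BAD_ORDER.strip().splitlines()
GOOD_ORDER = "\n".join(_lines[1:] + _lines[:1])

if __name__ == "__main__":
    for name, cfg in (("bad", BAD_ORDER), ("good", GOOD_ORDER)):
        rules = parse_rules(cfg)
        print(name, "unreachable rules:", [rules[i] for i in shadowed_rules(cfg)])
```

Run it against your own `/etc/knot-resolver/kresd.conf` by passing the file contents to `shadowed_rules()`; an empty list means no rule is shadowed by the catch-all.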
Save the file (Ctrl+X, then Y, then Enter).

Enable and start the kresd service:

```sh
sudo systemctl enable kresd@1.service && sudo systemctl start kresd@1.service
```

Check its status:

```sh
sudo systemctl status kresd@1.service
```