
Install Knot Resolver



The Knot Resolver is a caching DNS resolver scalable from huge resolver farms down to home network routers. This page installs it from the CZ.NIC apt repository and configures it as a loopback-only caching resolver that forwards every query to Cloudflare over DNS-over-TLS (DoT), validating the upstream certificate against the system CA bundle.

Download the release .deb (it sets up the CZ.NIC apt repository; the resolver package itself is then installed via apt) and install. Note that this bootstrap .deb is authenticated only by the HTTPS connection to secure.nic.cz; packages pulled afterwards are signature-checked by apt:

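# Bootstrap the CZ.NIC apt repository.  The .deb is fetched over HTTPS only
# (no separate signature is published on this page), so make sure the URL
# really is secure.nic.cz before running dpkg on it.
wget https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb
# dpkg/apt need root; the original steps omitted sudo here but used it everywhere else.
sudo dpkg -i knot-resolver-release.deb
sudo apt update
sudo apt install -y knot-resolver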

Download root hints into /etc/knot-resolver/, where the configuration below expects them (they are only used if the resolver ever stops forwarding to Cloudflare):

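# Write straight into /etc/knot-resolver/.  The original two-step form ran wget as
# root and then `mv` as the normal user, which fails with "permission denied"
# both because the downloaded file is root-owned and because /etc is not writable.
sudo wget -O /etc/knot-resolver/root.hints https://www.internic.net/domain/named.root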

Replace the packaged kresd.conf with a new one:

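# Keep the distribution's default config for reference instead of deleting it,
# then open a fresh kresd.conf in the editor.
sudo mv /etc/knot-resolver/kresd.conf /etc/knot-resolver/kresd.conf.orig && sudo nano /etc/knot-resolver/kresd.conf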

Copy and paste the following settings:

👊BIG THANKS👊 for configurations from jo20201

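-- SPDX-License-Identifier: CC0-1.0
-- vim:syntax=lua:set ts=4 sw=4:
-- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/
--
-- Profile: loopback-only caching resolver that forwards *every* query to
-- Cloudflare over DNS-over-TLS, validating the upstream certificate against
-- the system CA bundle.  Because policy.all() forwards everything, the root
-- hints and prefill settings further down only matter if the forwarding rule
-- is removed later.

net.ipv6 = true

-- Network interface configuration
-- Listen on loopback only, so nothing outside this host can use the resolver.
-- To serve other machines, listen on the LAN address and add an access policy.
net.listen('127.0.0.1', 53, { kind = 'dns' })
net.listen('::1', 53, { kind = 'dns' })

-- Load useful modules.  Each module is listed exactly once; the '<'/'>' part
-- fixes the layer order relative to another module.
modules = {
    'policy',                -- Block queries to local zones/bad sites
    'hints',                 -- Allow loading /etc/hosts or custom root hints
    'serve_stale < cache',   -- Allows stale-ness by up to one day, after roughly four seconds trying to contact the servers
    'workarounds < iterate', -- Alters resolver behavior on specific broken sub-domains
    'predict',               -- Prefetch expiring/frequent records
    'stats',                 -- Track internal statistics
    'cache',
    'rebinding < iterate',   -- Drop answers pointing at private/loopback ranges (DNS rebinding protection)
    'prefill',               -- Periodically import the root zone into the cache
}

-- CA bundle used to validate the DoT upstream certificate and the prefill
-- HTTPS download.  It must be assigned *before* it is referenced: Lua does not
-- hoist globals, so referencing it first would pass nil instead of the path.
tls_bundle = '/etc/ssl/certs/ca-certificates.crt'

-- Forward all DNS to Cloudflare using TLS (RFC 7858).
-- 'hostname' is the DNS name the upstream certificate must be issued for; it is
-- a bare name, not a URL, so no 'tls://' prefix.  All four targets present the
-- same certificate name, so any of them can serve as a fallback.
policy.add(policy.all(
  policy.TLS_FORWARD({
    {'1.1.1.1',              hostname='1dot1dot1dot1.cloudflare-dns.com', ca_file=tls_bundle},
    {'1.0.0.1',              hostname='1dot1dot1dot1.cloudflare-dns.com', ca_file=tls_bundle},
    {'2606:4700:4700::1111', hostname='1dot1dot1dot1.cloudflare-dns.com', ca_file=tls_bundle},
    {'2606:4700:4700::1001', hostname='1dot1dot1dot1.cloudflare-dns.com', ca_file=tls_bundle},
  })
))

-- Root hints, taken from the file downloaded to /etc/knot-resolver/root.hints
-- during installation.  hints.root_file() is a function; assigning a string to
-- hints.root_file (as the earlier revision did) silently does nothing.  Do not
-- follow this with hints.root({...}) listing a single server: hints.root()
-- *replaces* the whole set, which would leave just one root server.
hints.root_file('/etc/knot-resolver/root.hints')

-- Cache size
cache.size = 100 * MB

-- TTL clamping.  cache.max_ttl(n) / cache.min_ttl(n) *set* the bound (they only
-- read it when called without an argument), so each is set exactly once here.
-- Cap cached records at one day regardless of upstream TTL.
cache.max_ttl(86400)
-- Floor at 5 minutes.  This overrides shorter upstream TTLs, so DNS-based
-- failover or load balancing that relies on TTLs under 300 s will lag by up to
-- 5 minutes.  Use 0 to honour upstream TTLs exactly.
cache.min_ttl(300)

-- Prefetch learning (20-minute blocks over 24 hours: 72 * 20 min = 24 h)
predict.config({ window = 20, period = 72 })

-- Refresh the cache with the root zone once a day over HTTPS, validating the
-- server certificate against the same CA bundle as the DoT upstream.
prefill.config({
    ['.'] = {
        url = 'https://www.internic.net/domain/root.zone',
        ca_file = tls_bundle,
        interval = 86400  -- seconds
    }
})

-- NOTE: the earlier revision defined an 'extraTrees' name list that was never
-- referenced by any policy rule; it had no effect and has been dropped.

log_level('notice')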

Save file (control+x then y then enter)

Enable and start the kresd service (instance 1). If another process already listens on port 53 (on Ubuntu this is typically the systemd-resolved stub listener), kresd will fail to bind — stop or reconfigure that listener first:

# Enable at boot and start immediately (same as `enable` followed by `start`).
sudo systemctl enable --now kresd@1.service

Check that it started cleanly:

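sudo systemctl status kresd@1.service
# `status` shows only the last few log lines; configuration parse errors and
# TLS/certificate failures against the upstream appear in the full journal:
sudo journalctl -u kresd@1.service -b --no-pager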


🔥 For more features and tips go to Discussions#40
