Skip to content

Install Knot Resolver

Jump to bottom
trinib edited this page Nov 10, 2022 · 13 revisions


The Knot Resolver is a caching DNS resolver scalable from huge resolver farms down to home network routers

The packages available in distribution repositories of Debian and Ubuntu are outdated.
Manually download latest package and install:

wget https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb
dpkg -i knot-resolver-release.deb
apt update
apt install -y knot-resolver

Download root hints:

sudo wget -O root.hints https://www.internic.net/domain/named.root && mv root.hints /etc/knot-resolver/

Root hints needs to update every 6 months using cron job:

1 0 1 */6 * sudo wget -O root.hints https://www.internic.net/domain/named.root
2 0 1 */6 * sudo mv root.hints /etc/knot-resolver/

Remove old knot config file and re-create:

sudo rm /etc/knot-resolver/kresd.conf && sudo nano /etc/knot-resolver/kresd.conf

Copy and paste the following settings:
👊BIG THANKS👊 for configurations from jo20201

For more info go to knot docs. Tip: use the site search function to find feature explanations.

NOTE: currently set to cloudflare DNS servers and reverse queries from DNScrypt. Edit to suite, add/remove -- in front lines for disabling/enabling.

-- SPDX-License-Identifier: CC0-1.0
-- vim:syntax=lua:set ts=4 sw=4:
-- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/


net.ipv6 = true

-- Network interface configuration
-- listen to local connections
net.listen('127.0.0.1', 53, { kind = 'dns' })


-- Load useful modules
modules = {
	
	'policy',                    -- Block queries to local zones/bad sites
        'hints > iterate',       -- Allow loading /etc/hosts or custom root hints
        'serve_stale < cache',   -- Allows stale-ness by up to one day, after roughly four seconds trying to contact the servers
        'workarounds < iterate', -- Alters resolver behavior on specific broken sub-domains
        'predict',               -- Prefetch expiring/frequent records
        'stats',                 -- Track internal statistics
        'cache',
}


-- Forward DNS to CloudFlare using TLS
policy.add(policy.all(
  policy.TLS_FORWARD({
    {'1.1.1.1', hostname='tls://1dot1dot1dot1.cloudflare-dns.com'; ca_file=tls_bundle},
    {'1.0.0.1', hostname='tls://1dot1dot1dot1.cloudflare-dns.com'; ca_file=tls_bundle},
    {'2606:4700:4700::1111', hostname='tls://1dot1dot1dot1.cloudflare-dns.com'; ca_file=tls_bundle},
    {'2606:4700:4700::1001', hostname='tls://1dot1dot1dot1.cloudflare-dns.com'; ca_file=tls_bundle}
  })
))

-- Forward DNS to Quad9 using TLS
--policy.add(policy.all(
--  policy.TLS_FORWARD({
--    {'9.9.9.9', hostname='tls://dns.quad9.net'; ca_file=tls_bundle},
--    {'149.112.112.112', hostname='tls://dns.quad9.net'; ca_file=tls_bundle},
--    {'2620:fe::fe', hostname='tls://dns.quad9.net'; ca_file=tls_bundle},
--    {'2620:fe::fe:9', hostname='tls://dns.quad9.net'; ca_file=tls_bundle}
--  })
--))


-- cer location
 tls_bundle='/etc/ssl/certs/ca-certificates.crt' 




-- Cache size
cache.size = 100 * MB


-- Set maximum TTL
cache.max_ttl(86400)


-- Set minimum TTL
cache.min_ttl(600)


modules = { 'serve_stale > cache' }

modules.load('rebinding < iterate')


-- Prefetch learning (20-minute blocks over 24 hours)
predict.config({ window = 20, period = 72})

 modules.load('prefill')
 prefill.config({
      ['.'] = {
              url = 'https://www.internic.net/domain/root.zone',
              ca_file = '/etc/ssl/certs/ca-certificates.crt',
              interval = 86400  -- seconds
      }
 })

 hints.root_file = '/etc/knot-resolver/root.hints'

-- Add a custom hint
hints['foo.bar'] = '127.0.0.1'



-- Forward queries to CloudFlare
policy.add(policy.all(policy.FORWARD({'1.1.1.1', '1.0.0.1'})))


-- Enable DNSSEC validation(on by default)
-- trust_anchors.add_file('/usr/share/dns/root.key', 'readonly = false')
 

-- Answers for reverse queries about the 192.168.1.0/24 subnet
-- are to be obtained from IP address 127.0.0.1 port 5353(dnscrypt-proxy) 
-- or port 5053(cloudflared-tunnel)
-- This disables DNSSEC validation !!!
policy.add(policy.suffix(
    policy.STUB('127.0.0.1@5353'),
    {todname('1.168.192.in-addr.arpa')}))


-- policy.add(policy.suffix(policy.PASS, {todname('1.168.192.in-addr.arpa')}))


extraTrees = policy.todnames(
    {'faketldtest.',
     'sld.example.',
     'internal.example.com.',
     '2.0.192.in-addr.arpa.'  -- this applies to reverse DNS tree as well
     })

-- Beware: the rule order is important, as policy.STUB is not a chain action.
-- Flags: for "dumb" targets disabling EDNS can help (below) as DNSSEC isn't
-- validated anyway; in some of those cases adding 'NO_0X20' can also help,
-- though it also lowers defenses against off-path attacks on communication
-- between the two servers.
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE', 'NO_EDNS'}), extraTrees))
policy.add(policy.suffix(policy.STUB({'2001:db8::1'}), extraTrees))


log_level('notice')

Save file (control+x then y then enter)

Enable and start knot service:

sudo systemctl enable kresd@1.service && sudo systemctl start kresd@1.service

Check status:

sudo systemctl status kresd@1.service

image

🔥 For more features and tips go to Discussions#40

Clone this wiki locally