From: Aleš Mrázek Date: Tue, 8 Aug 2023 12:35:02 +0000 (+0200) Subject: manager: config examples X-Git-Tag: v6.0.3~2^2~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=163eb77038bc9471e98ec0b1eb04828b307a17df;p=thirdparty%2Fknot-resolver.git manager: config examples
---
diff --git a/Dockerfile b/Dockerfile
index f0ac6ba24..e5e46b6ca 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -43,7 +43,7 @@ RUN apt-get install -y /pkg/*/*.deb && \
 rm -rf /var/lib/apt/lists/* && \
 mkdir /config
-COPY manager/etc/knot-resolver/config.docker.yaml /config/config.yaml
+COPY manager/etc/knot-resolver/config.example.docker.yaml /config/config.yaml
 LABEL cz.knot-resolver.vendor="CZ.NIC"
 LABEL maintainer="knot-resolver-users@lists.nic.cz"
diff --git a/manager/etc/knot-resolver/config.docker.yaml b/manager/etc/knot-resolver/config.example.docker.yaml
similarity index 100%
rename from manager/etc/knot-resolver/config.docker.yaml
rename to manager/etc/knot-resolver/config.example.docker.yaml
diff --git a/manager/etc/knot-resolver/config.example.internal.yaml b/manager/etc/knot-resolver/config.example.internal.yaml
index 859de8f51..9c934af23 100644
--- a/manager/etc/knot-resolver/config.example.internal.yaml
+++ b/manager/etc/knot-resolver/config.example.internal.yaml
@@ -1,63 +1,27 @@
-rundir: ./runtime
-workers: 1
-management:
- interface: 127.0.0.1@5000
-cache:
- storage: ./cache
-logging:
- level: notice
- groups:
- - manager
- - supervisord
+# Refer to manual: https://knot-resolver.readthedocs.io/en/stable/
+
 network:
 listen:
- - interface: 127.0.0.1@5353
-views:
- - subnets: [127.0.0.0/24]
- tags: [t01, t02, t03]
- options:
- dns64: false
- - subnets: [0.0.0.0/0, "::/0"]
- answer: refused
- - subnets: [10.0.10.0/24]
- answer: allow
-local-data:
- ttl: 60m
- nodata: false
- root-fallback-addresses:
- j.root-servers.net.: ["2001:503:c27::2:30", "192.58.128.30"]
- l.root-servers.net.: '199.7.83.42'
- m.root-servers.net.: '202.12.27.33'
- # root-fallback-addresses-files: root.custom
- addresses:
- foo.bar: 127.0.0.1
- # addresses-files: hosts.custom
- records: |
- example.net. TXT "foo bar"
- A 192.168.2.3
- A 192.168.2.4
- local.example.org AAAA ::1
- subtrees:
- - type: empty
- tags: [ t2 ]
- roots: [ example1.org ]
- - type: nxdomain
- roots: [ sub4.example.org ]
- rpz:
- - file: runtime/blocklist.rpz
- tags: [t01, t02]
+ # unencrypted DNS on port 53
+ - interface: &interfaces
+ - 127.0.0.1
+ - "::1"
+ # DNS over TLS on port 853
+ - interface: *interfaces
+ kind: dot
+ # DNS over HTTPS on port 443
+ - interface: *interfaces
+ kind: doh2
+
 forward:
- - subtree: '.'
- options:
- dnssec: true
- authoritative: false
+ # define list of internal-only domains
+ - subtree:
+ - company.example
+ - internal.example
+ # forward all queries belonging to domains in the list above to IP address '192.0.2.44'
 servers:
- - address: [2001:148f:fffe::1, 185.43.135.1]
- transport: tls
- hostname: odvr.nic.cz
- - address: [ 192.0.2.1, 192.0.2.2 ]
- pin-sha256: ['YQ==', 'Wg==']
- - subtree: 1.168.192.in-addr.arpa
+ - 192.0.2.44
+ # common options configuration for internal-only domains
 options:
+ authoritative: true
 dnssec: false
- servers: [ 192.0.2.1@5353 ]
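Review bot: The rewritten `forward` block hands every query for company.example and internal.example to 192.0.2.44 over plain DNS with `dnssec: false`, and the comment `# common options configuration for internal-only domains` does not say why validation is off or that the removed lines used to demonstrate `transport: tls` with `hostname` and `pin-sha256` for exactly this situation. I would replace that comment with `# internal zones are unsigned, so DNSSEC validation is disabled and answers from 192.0.2.44 are trusted as-is; add 'transport: tls' plus 'hostname' or 'pin-sha256' if the path to the server is not trusted`. The `dot` and `doh2` listeners on 853/443 are also enabled with no `tls` certificate settings anywhere in this file, while the isp example in the same commit carries a commented `tls:` / `cert-file` / `key-file` block; repeating that hint under the `doh2` lines keeps the examples consistent and tells the reader a key pair is needed before clients can authenticate the resolver.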
diff --git a/manager/etc/knot-resolver/config.example.isp.yaml b/manager/etc/knot-resolver/config.example.isp.yaml
new file mode 100644
index 000000000..72b75e000
--- /dev/null
+++ b/manager/etc/knot-resolver/config.example.isp.yaml
@@ -0,0 +1,70 @@
+# Refer to manual: https://knot-resolver.readthedocs.io/en/stable/
+
+network:
+ listen:
+ # unencrypted DNS on port 53
+ - interface: &interfaces
+ - 127.0.0.1
+ - "::1"
+ # DNS over TLS on port 853
+ - interface: *interfaces
+ kind: dot
+ # DNS over HTTPS on port 443
+ - interface: *interfaces
+ kind: doh2
+
+ # TLS certificate configuration
+ # tls:
+ # cert-file: '/etc/knot-resolver/server-cert.pem'
+ # key-file: '/etc/knot-resolver/server-key.pem'
+
+cache:
+ size-max: 4G
+
+views:
+ # refuse everything that hasn't matched
+ - subnets: [ 0.0.0.0/0, "::/0" ]
+ answer: refused
+ # whitelist queries identified by subnet
+ - subnets: [ 192.0.2.0/24 ]
+ answer: allow
+
+local-data:
+ rpz:
+ # apply RPZ for all clients, default rule is DENY
+ - file: blacklist.rpz
+
+lua:
+ script: |
+ local ffi = require('ffi')
+
+ -- log statistics every second
+ local stat_id = event.recurrent(1 * second, function(evid)
+ log_info(ffi.C.LOG_GRP_STATISTICS, table_print(stats.list()))
+ end)
+
+ -- stop printing statistics after first minute
+ event.after(1 * minute, function(evid)
+ event.cancel(stat_id)
+ end)
+
+ -- speed_monitor definition
+ -- prints warning if more than 5% of total answers was slow
+ function speed_monitor()
+ local previous = stats.list() -- store statistics in persistent variable
+ return function(evid)
+ local now = stats.list() -- save actual statistics to variable
+ -- number of total answers between 'now' and 'previous' states
+ local total_increment = now['answer.total'] - previous['answer.total']
+ -- number of slow answers between 'now' and 'previous' states
+ local slow_increment = now['answer.slow'] - previous['answer.slow']
+ -- if percentage of slow answers is bigger than 5%, print warning
+ if slow_increment / total_increment > 0.05 then
+ log_warn(ffi.C.LOG_GRP_STATISTICS, 'WARNING! 
More than 5 %% of queries was slow!')
+ end
+ previous = now
+ end
+ end
+
+ -- execute speed_monitor every minute
+ local monitor_id = event.recurrent(1 * minute, speed_monitor())
diff --git a/manager/etc/knot-resolver/config.example.personal.yaml b/manager/etc/knot-resolver/config.example.personal.yaml
new file mode 100644
index 000000000..a3df2c2a2
--- /dev/null
+++ b/manager/etc/knot-resolver/config.example.personal.yaml
@@ -0,0 +1,19 @@
+# Refer to manual: https://knot-resolver.readthedocs.io/en/stable/
+
+network:
+ listen:
+ # unencrypted DNS on port 53
+ - interface: &interfaces
+ - 127.0.0.1
+ - "::1"
+ # DNS over TLS on port 853
+ - interface: *interfaces
+ kind: dot
+ # DNS over HTTPS on port 443
+ # - interface: *interfaces
+ # kind: doh2
+
+cache:
+ size-max: 100M
+ # prefetch expiring/frequent records
+ prediction: true
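Review bot: The closure returned by `speed_monitor` in the `lua: script:` block divides `slow_increment` by `total_increment` without checking it is non-zero, so an idle interval produces `0/0` (NaN in Lua, which compares false) and the check silently passes rather than by design; a guard states the intent: `if total_increment > 0 and slow_increment / total_increment > 0.05 then`. `function speed_monitor()` also defines a global in the script environment even though it is only called once on the last line, so `local function speed_monitor()` matches the `local` discipline the script already uses for `stat_id` and `monitor_id`. Separately, the `views` rule allows only 192.0.2.0/24 while every listener is bound to 127.0.0.1 and ::1, so no client can ever match the allow rule as written; a comment saying the loopback listen list is a placeholder to be replaced by the ISP-facing addresses would stop readers copying an example that refuses all real traffic.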
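Review bot: The `kind: dot` listener on port 853 is enabled while no `tls:` certificate configuration appears anywhere in this file, so a reader following the example has no hint that a key pair is needed before DoT clients can authenticate the resolver; the isp example carries a commented `# tls:` block with `cert-file` and `key-file`, and the same two commented lines belong here directly under the `# kind: doh2` line. What kresd serves on 853 without a configured certificate is not visible in this diff, so the comment should point at the manual linked in the header rather than assert a fallback.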