-- 10MB cache
cache.size = 10*MB
+.. tip:: There are more configuration examples in `etc/` directory for personal, ISP, company internal and resolver cluster use cases.
+
Configuration syntax
--------------------
brew install pkg-config libuv luajit cmocka
-Getting Docker image
---------------------
-
-Docker images require only either Linux or a Linux VM (see boot2docker_ on OS X).
-
-.. code-block:: bash
-
- $ docker run cznic/knot-resolver
-
-See the `Docker images`_ page for more information and options.
-You can hack on the container by changing the container entrypoint to shell like:
-
-.. code-block:: bash
-
- $ docker run -it --entrypoint=/bin/bash cznic/knot-resolver
-
-.. tip:: You can build the Docker image yourself with ``docker build -t knot-resolver scripts``.
-
Building from sources
---------------------
$ make install DESTDIR=/tmp/stage # Staged install
$ make all install AMALG=yes # Amalgamated build
-.. note:: Amalgamated build assembles everything in one source file and compiles it. It is useful for packages, as the compiler sees the whole program and is able to produce a smaller and faster binary. On the other hand, it complicates debugging.
+Amalgamated build assembles everything in one source file and compiles it. It is useful for packages, as the compiler sees the whole program and is able to produce a smaller and faster binary. On the other hand, it complicates debugging.
+
+.. tip:: There is a template for service file and AppArmor profile to help you kickstart the package.
Default paths
~~~~~~~~~~~~~
Read the `documentation <deckard_doc>`_ for more information about requirements, how to run it and extend it.
+Getting Docker image
+--------------------
+
+Docker images require only either Linux or a Linux VM (see boot2docker_ on OS X).
+
+.. code-block:: bash
+
+ $ docker run cznic/knot-resolver
+
+See the `Docker images`_ page for more information and options.
+You can hack on the container by changing the container entrypoint to shell like:
+
+.. code-block:: bash
+
+ $ docker run -it --entrypoint=/bin/bash cznic/knot-resolver
+
+.. tip:: You can build the Docker image yourself with ``docker build -t knot-resolver scripts``.
+
.. _Docker images: https://registry.hub.docker.com/u/cznic/knot-resolver
.. _libuv: https://github.com/libuv/libuv
.. _MSVC: https://msdn.microsoft.com/en-us/vstudio/hh386302.aspx
--- /dev/null
+-- Config file example useable for larger resolver farms
+-- In this case cache should be made as large as possible, and prefetching turned off
+-- as the resolver is busy most of the time.
+-- Alternative is using `etcd` as a configuration backend.
+-- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
+
+-- Listen on localhost and external interface
+net = { '127.0.0.1', '::1', '192.168.1.1' }
+
+-- Drop root privileges
+user('kresd', 'kresd')
+
+-- Auto-maintain root TA
+trust_anchors.file = 'root.keys'
+
+-- Large cache size, so we don't need to flush ever
+-- This can be larger than available RAM, least frequently accessed
+-- records will be paged out as long as there's enough disk space to back it
+cache.size = 100 * GB
+
+-- Load Useful modules
+modules = {
+ 'policy', -- Block queries to local zones/bad sites
+ 'cachectl', -- Cache control interface
+ 'hints', -- Load /etc/hosts and allow custom root hints
+ 'stats', -- Track internal statistics
+ graphite = { -- Send statistics to local InfluxDB
+ -- `worker.id` allows us to keep per-fork statistics
+ prefix = hostname()..worker.id,
+ -- Address of the Graphite/InfluxDB server
+ host = '192.168.1.2',
+ },
+ 'redis', -- Allow to use Redis as a cache backend
+}
+
+-- Use local root server copy for performance reasons
+hints.root({
+ ['j.root-servers.net.'] = { '192.168.1.4', '2001:503:c27::2:30', '192.58.128.30' }
+})
+
+-- Apply RPZ for all clients, default rule is DENY
+policy:add(policy.rpz(policy.DENY, 'blacklist.rpz'))
+
+-- Optional: use Redis/Memcached as a cache backend which may be distributed between nodes
+-- cache.storage = 'redis://127.0.0.1:6398'
+
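Review bot: Nothing in this example limits which clients may recurse through the external listener in `net = { '127.0.0.1', '::1', '192.168.1.1' }`; the only policy rule is the RPZ, and no `view` rule or address filter is configured. Example configs tend to be copied verbatim, so I would add a comment above that line such as `-- NOTE: restrict queries on the external address to your own clients (firewall or view rules); an unrestricted recursive resolver can be used as a traffic reflector`. The same `net` line appears in config.isp and config.splitview and would benefit from the same comment. If the commented-out `cache.storage` backend is ever shared between nodes, it is also worth stating that every node serves whatever is in that store, so it should be reachable only by the resolvers themselves.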
--- /dev/null
+-- Config file example useable for multi-user ISP resolver
+-- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
+
+-- Listen on localhost and external interface
+net = { '127.0.0.1', '::1', '192.168.1.1' }
+
+-- Drop root privileges
+user('kresd', 'kresd')
+
+-- Auto-maintain root TA
+trust_anchors.file = 'root.keys'
+
+-- Large cache size, so we don't need to flush often
+-- This can be larger than available RAM, least frequently accessed
+-- records will be paged out
+cache.size = 4 * GB
+
+-- Load Useful modules
+modules = {
+ 'policy', -- Block queries to local zones/bad sites
+ 'view', -- Views for certain clients
+ 'cachectl', -- Cache control interface
+ 'hints', -- Load /etc/hosts and allow custom root hints
+ 'stats', -- Track internal statistics
+ graphite = { -- Send statistics to local InfluxDB
+ -- `worker.id` allows us to keep per-fork statistics
+ prefix = hostname()..worker.id,
+ -- Address of the Graphite/InfluxDB server
+ host = '192.168.1.2',
+ }
+}
+
+-- Block all `site.nl` for `10.0.0.0/24` subnet
+view:addr('10.0.0.0/24', policy.suffix(policy.DROP, {todname('site.nl')}))
+-- Force all clients from `192.168.2.0/24` to TCP
+view:addr('192.168.2.0/24', policy.all(policy.TC))
+-- Apply RPZ for all clients, default rule is DENY
+policy:add(policy.rpz(policy.DENY, 'blacklist.rpz'))
+
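Review bot: `trust_anchors.file = 'root.keys'` is a relative path set after `user('kresd', 'kresd')`, and the example does not say where the file must live or who must be able to write it. The automatic trust-anchor maintenance that the comment promises presumably depends on the daemon's working directory and on that file being writable by the unprivileged user. A comment like `-- root.keys is resolved relative to the working directory and must be writable by kresd` would make the requirement explicit. The relative `'blacklist.rpz'` deserves the same treatment, though it should only need to be readable. The identical trust-anchor lines in config.cluster, config.personal and config.splitview would take the same comment.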
--- /dev/null
+-- Config file example useable for personal resolver.
+-- The goal is to have a validating resolver with tiny memory footprint,
+-- while actively tracking and refreshing frequent records to lower user latency.
+-- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
+
+-- Listen on localhost (default)
+-- net = { '127.0.0.1', '::1' }
+
+-- Drop root privileges
+user('kresd', 'kresd')
+
+-- Auto-maintain root TA
+trust_anchors.file = 'root.keys'
+
+-- Load Useful modules
+modules = {
+ 'policy', -- Block queries to local zones/bad sites
+ 'cachectl', -- Cache control interface
+ 'hints', -- Load /etc/hosts and allow custom root hints
+ 'stats', -- Track internal statistics
+ 'predict', -- Prefetch expiring/frequent records
+}
+
+-- Smaller cache size
+cache.size = 10 * MB
--- /dev/null
+-- Config file with split-view for internal zone
+-- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
+
+-- Listen on localhost and external interface
+net = { '127.0.0.1', '::1', '192.168.1.1' }
+
+-- Drop root privileges
+user('kresd', 'kresd')
+
+-- Auto-maintain root TA
+trust_anchors.file = 'root.keys'
+
+-- Load Useful modules
+modules = {
+ 'policy', -- Block queries to local zones/bad sites
+ 'cachectl', -- Cache control interface
+ 'hints', -- Load /etc/hosts and allow custom root hints
+ 'stats', -- Track internal statistics
+ graphite = { -- Send statistics to local InfluxDB
+ -- `worker.id` allows us to keep per-fork statistics
+ prefix = hostname()..worker.id,
+ -- Address of the Graphite/InfluxDB server
+ host = '192.168.1.2',
+ },
+ -- Use DNS64 with specified NAT64 address
+ dns64 = 'fe80::21b:77ff:0:0',
+}
+
+-- Large cache size, so we don't need to flush often
+-- This can be larger than available RAM, least frequently accessed
+-- records will be paged out
+cache.size = 4 * GB
+
+-- Forward everything below `company.cz` to `192.168.1.3`
+policy:add(policy.suffix(policy.FORWARD('192.168.1.3'), {todname('company.cz')}))
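Review bot: The forwarding rule on the last line is added with `policy:add`, so it applies to every client, including anything that can reach the external listener `192.168.1.1`. Despite the file's "split-view" description there is no per-client view, so internal `company.cz` names are resolved for outside clients as well. Scoping it the way config.isp does would match the stated intent: load `'view'` in `modules` and use `view:addr('<internal subnet>', policy.suffix(policy.FORWARD('192.168.1.3'), {todname('company.cz')}))`, where the subnet is a placeholder for the site's internal range. It may also be worth a comment on how DNSSEC validation is expected to treat answers from the internal server, since the file enables a root trust anchor and does not say whether the internal zone is signed.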
-etc_SOURCES := icann-ca.pem
+etc_SOURCES := icann-ca.pem \
+ config.cluster \
+ config.isp \
+ config.personal \
+ config.splitview
etc-install: $(DESTDIR)$(ETCDIR)
$(INSTALL) -m 0640 $(addprefix etc/,$(etc_SOURCES)) $(DESTDIR)$(ETCDIR)