rm -rf /var/lib/apt/lists/* && \
mkdir /config
-COPY manager/etc/knot-resolver/config.docker.yaml /config/config.yaml
+COPY manager/etc/knot-resolver/config.example.docker.yaml /config/config.yaml
LABEL cz.knot-resolver.vendor="CZ.NIC"
LABEL maintainer="knot-resolver-users@lists.nic.cz"
-rundir: ./runtime
-workers: 1
-management:
- interface: 127.0.0.1@5000
-cache:
- storage: ./cache
-logging:
- level: notice
- groups:
- - manager
- - supervisord
+# Refer to manual: https://knot-resolver.readthedocs.io/en/stable/
+
network:
listen:
- - interface: 127.0.0.1@5353
-views:
- - subnets: [127.0.0.0/24]
- tags: [t01, t02, t03]
- options:
- dns64: false
- - subnets: [0.0.0.0/0, "::/0"]
- answer: refused
- - subnets: [10.0.10.0/24]
- answer: allow
-local-data:
- ttl: 60m
- nodata: false
- root-fallback-addresses:
- j.root-servers.net.: ["2001:503:c27::2:30", "192.58.128.30"]
- l.root-servers.net.: '199.7.83.42'
- m.root-servers.net.: '202.12.27.33'
- # root-fallback-addresses-files: root.custom
- addresses:
- foo.bar: 127.0.0.1
- # addresses-files: hosts.custom
- records: |
- example.net. TXT "foo bar"
- A 192.168.2.3
- A 192.168.2.4
- local.example.org AAAA ::1
- subtrees:
- - type: empty
- tags: [ t2 ]
- roots: [ example1.org ]
- - type: nxdomain
- roots: [ sub4.example.org ]
- rpz:
- - file: runtime/blocklist.rpz
- tags: [t01, t02]
+ # unencrypted DNS on port 53
+ - interface: &interfaces
+ - 127.0.0.1
+ - "::1"
+ # DNS over TLS on port 853
+ - interface: *interfaces
+ kind: dot
+ # DNS over HTTPS on port 443
+ - interface: *interfaces
+ kind: doh2
+
forward:
- - subtree: '.'
- options:
- dnssec: true
- authoritative: false
+ # define list of internal-only domains
+ - subtree:
+ - company.example
+ - internal.example
+ # forward all queries belonging to domains in the list above to IP address '192.0.2.44'
servers:
- - address: [2001:148f:fffe::1, 185.43.135.1]
- transport: tls
- hostname: odvr.nic.cz
- - address: [ 192.0.2.1, 192.0.2.2 ]
- pin-sha256: ['YQ==', 'Wg==']
- - subtree: 1.168.192.in-addr.arpa
+ - 192.0.2.44
+ # common options configuration for internal-only domains
options:
+ authoritative: true
dnssec: false
- servers: [ 192.0.2.1@5353 ]
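Review bot: The rewritten Docker config (L57–L66) drops the `views` default-refuse rule the old file carried (L28–L31), so any client that can reach a listener is answered; that is harmless while the listeners stay on 127.0.0.1/::1, but inside a container those loopback listeners are not reachable through published ports, so the first change an operator makes is to bind a container interface, and at that point the resolver is open to whatever can route to it. Suggest keeping a deny-by-default view with an allowlist next to the listeners, e.g. `views:` / `  - subnets: [ 0.0.0.0/0, "::/0" ]` / `    answer: refused` followed by an `answer: allow` entry for the intended client subnet, plus a comment on the `&interfaces` anchor saying it must be changed from loopback for published ports to work. The `dot`/`doh2` listeners on L61–L66 also run without any `tls:` block; if kresd falls back to an auto-generated self-signed certificate in that case (I believe it does, but confirm), a comment should say that clients cannot authenticate the resolver until `cert-file`/`key-file` are set.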
--- /dev/null
+# Refer to manual: https://knot-resolver.readthedocs.io/en/stable/
+
+network:
+ listen:
+ # unencrypted DNS on port 53
+ - interface: &interfaces
+ - 127.0.0.1
+ - "::1"
+ # DNS over TLS on port 853
+ - interface: *interfaces
+ kind: dot
+ # DNS over HTTPS on port 443
+ - interface: *interfaces
+ kind: doh2
+
+ # TLS certificate configuration
+ # tls:
+ # cert-file: '/etc/knot-resolver/server-cert.pem'
+ # key-file: '/etc/knot-resolver/server-key.pem'
+
+cache:
+ size-max: 4G
+
+views:
+ # refuse everything that hasn't matched
+ - subnets: [ 0.0.0.0/0, "::/0" ]
+ answer: refused
+ # whitelist queries identified by subnet
+ - subnets: [ 192.0.2.0/24 ]
+ answer: allow
+
+local-data:
+ rpz:
+ # apply RPZ for all clients, default rule is DENY
+ - file: blacklist.rpz
+
+lua:
+ script: |
+ local ffi = require('ffi')
+
+ -- log statistics every second
+ local stat_id = event.recurrent(1 * second, function(evid)
+ log_info(ffi.C.LOG_GRP_STATISTICS, table_print(stats.list()))
+ end)
+
+ -- stop printing statistics after first minute
+ event.after(1 * minute, function(evid)
+ event.cancel(stat_id)
+ end)
+
+ -- speed_monitor definition
+ -- prints warning if more than 5% of total answers was slow
+ function speed_monitor()
+ local previous = stats.list() -- store statistics in persistent variable
+ return function(evid)
+ local now = stats.list() -- save actual statistics to variable
+ -- number of total answers between 'now' and 'previous' states
+ local total_increment = now['answer.total'] - previous['answer.total']
+ -- number of slow answers between 'now' and 'previous' states
+ local slow_increment = now['answer.slow'] - previous['answer.slow']
+ -- if percentage of slow answers is bigger than 5%, print warning
+ if slow_increment / total_increment > 0.05 then
+ log_warn(ffi.C.LOG_GRP_STATISTICS, 'WARNING! More than 5 %% of queries was slow!')
+ end
+ previous = now
+ end
+ end
+
+ -- execute speed_monitor every minute
+ local monitor_id = event.recurrent(1 * minute, speed_monitor())
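Review bot: In `speed_monitor` (L153) `slow_increment / total_increment` divides by zero whenever no answers arrived in the last minute; Lua yields NaN for 0/0 and the comparison is then false, so the warning is suppressed only by accident, and a guard states the intent directly: `if total_increment > 0 and slow_increment / total_increment > 0.05 then`. Separately, the `dot`/`doh2` listeners on L100–L105 are enabled while the `tls:` block on L108–L110 is commented out; if kresd serves an auto-generated self-signed certificate in that case (I believe so, but confirm), clients cannot authenticate the resolver, and the commented block deserves a line saying so, e.g. `# without cert-file/key-file the DoT/DoH listeners above use an untrusted self-signed certificate; set both before exposing them`. The `views` list on L115–L121 refuses everything and then allows 192.0.2.0/24, so the comment should state which rule makes the allow entry win, most-specific subnet or list position, so a later reorder does not silently flip the policy.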
--- /dev/null
+# Refer to manual: https://knot-resolver.readthedocs.io/en/stable/
+
+network:
+ listen:
+ # unencrypted DNS on port 53
+ - interface: &interfaces
+ - 127.0.0.1
+ - "::1"
+ # DNS over TLS on port 853
+ - interface: *interfaces
+ kind: dot
+ # DNS over HTTPS on port 443
+ # - interface: *interfaces
+ # kind: doh2
+
+cache:
+ size-max: 100M
+ # prefetch expiring/frequent records
+ prediction: true
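Review bot: The `dot` listener on L171–L173 is active but this file has no `tls:` section at all, so the example serves DNS over TLS on 853 with whatever certificate kresd supplies by default (an auto-generated self-signed one, if I read the resolver right; confirm), and the file says nothing about it. Suggest carrying a commented-out block here as well, `# tls:` / `#   cert-file: '/etc/knot-resolver/server-cert.pem'` / `#   key-file: '/etc/knot-resolver/server-key.pem'`, with a one-line comment that DoT/DoH should stay loopback-only until a real certificate is configured. The `&interfaces` anchor on L168 is also only used once now that the `doh2` entry is commented out, which is fine but worth a note that the anchor is kept so re-enabling DoH picks up the same addresses.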