If you're using our packages with systemd with sockets support (not supported
on CentOS 7), network interfaces are configured using systemd drop-in files for
-``kresd.socket`` and ``kresd-tls.socket``.
+``kresd.socket``, ``kresd-tls.socket`` and ``kresd-doh.socket``.
To configure kresd to listen on public interface, create a drop-in file:
[Socket]
ListenStream=192.0.2.115:853
+.. _kresd-doh-socket-configuration:
+
+To configure socket for DNS-over-HTTPS, make sure you have
+``kresd-doh.socket`` installed (it might be part of a separate
+``knot-resolver-module-http`` package). Then, you can configure its network
+interfaces as above. Also, don't forget to load http module in configuration
+file, otherwise the socket won't have any function.
+
+For example, to remove the default localhost:44353 and listen on all interfaces
+on port 443, create the following drop-in file for ``kresd-doh.socket``:
+
+.. code-block:: bash
+
+ # /etc/systemd/system/kresd-doh.socket.d/override.conf
+ [Socket]
+ ListenStream=
+ ListenStream=[::]:443
+
+Make sure no other service is using port 443, as that will result in
+unpredictable behaviour. Alternately, you can use port 44353 where a collision
+is unlikely. Also, don't forget to load http module in configuration file.
+
**Daemon network configuration**
If you don't use systemd with sockets to run kresd, network interfaces are
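Review bot: the override.conf snippet is fenced as `.. code-block:: bash`, but the content is a systemd unit (INI) file, so tag it `ini` (or `none`) rather than having bash highlighting applied to `[Socket]` and the `ListenStream=` lines. Within the same hunk the reminder to load the http module is stated twice (once after the install sentence, again after the port-collision paragraph); keep the first and drop the second, and change "Alternately" to "Alternatively". Since the example deliberately moves the DoH listener from localhost:44353 to `[::]:443`, one sentence should say what TLS material the public socket will serve: the config hunks in this patch only show commented-out `cert`/`key` lines, so a reader needs to know whether an uncommented `http.config` is required before exposing port 443, and that the drop-in only takes effect after `systemctl daemon-reload` and a restart of `kresd-doh.socket`.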
-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/daemon.html#configuration
@config_defaults@
+-- For DNS-over-HTTPS and web management when using http module
+-- modules.load('http')
+-- http.config({
+-- cert = '/etc/knot-resolver/mycert.crt',
+-- key = '/etc/knot-resolver/mykey.key',
+-- tls = true,
+-- })
+
-- To disable DNSSEC validation, uncomment the following line (not recommended)
-- trust_anchors.remove('.')
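Review bot: the commented `http.config` block names `/etc/knot-resolver/mykey.key` without saying who must be able to read it; if the daemon drops privileges with `user()` (as the meson template in this patch does), the key must be readable by that unprivileged account, or the comment should state that it is read before the drop. Also mark `mycert.crt`/`mykey.key` explicitly as placeholders in the comment, because the `-- ` prefix invites uncommenting the lines verbatim, which then fails on a missing file.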
-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/daemon.html#configuration
@config_defaults@
+-- For DNS-over-HTTPS and web management when using http module
+-- modules.load('http')
+-- http.config({
+-- cert = '/etc/knot-resolver/mycert.crt',
+-- key = '/etc/knot-resolver/mykey.key',
+-- tls = true,
+-- })
+
-- To disable DNSSEC validation, uncomment the following line (not recommended)
-- trust_anchors.remove('.')
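Review bot: `tls = true` is shown but the snippet does not say which fields are mandatory, i.e. what happens when `cert`/`key` are left out (refuse to start, or fall back to something self-signed). Because the socket documentation in this patch only tells the user to "load http module", the likely outcome is that only `modules.load('http')` gets uncommented; a one-line comment stating what the module does without a configured certificate would prevent that.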
-- Refer to manual: http://knot-resolver.readthedocs.org/en/stable/daemon.html#configuration
@config_defaults@
+-- For DNS-over-HTTPS and web management when using http module
+-- modules.load('http')
+-- http.config({
+-- cert = '/etc/knot-resolver/mycert.crt',
+-- key = '/etc/knot-resolver/mykey.key',
+-- tls = true,
+-- })
+
-- To disable DNSSEC validation, uncomment the following line (not recommended)
-- trust_anchors.remove('.')
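Review bot: while touching this file, the context line above `@config_defaults@` still links `http://knot-resolver.readthedocs.org/...`, whereas the other config files in this patch use `https://knot-resolver.readthedocs.io/...`; update it to the https `.io` URL in the same commit so a plaintext link to an old hostname does not survive.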
-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/daemon.html#configuration
@config_defaults@
+-- For DNS-over-HTTPS and web management when using http module
+-- modules.load('http')
+-- http.config({
+-- cert = '/etc/knot-resolver/mycert.crt',
+-- key = '/etc/knot-resolver/mykey.key',
+-- tls = true,
+-- })
+
-- To disable DNSSEC validation, uncomment the following line (not recommended)
-- trust_anchors.remove('.')
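Review bot: this is the fourth verbatim copy of the same seven-line http example across the config files in this patch. If `@config_defaults@` is the substitution point for text shared by all of them, the example belongs there, so that a later change to the `http.config` fields (or the placeholder paths) does not have to be repeated in four places and drift between them.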
net.listen('::1')
net.listen('::1', 853)
+-- Extra interfaces for http module
+-- net.listen('127.0.0.1', 44353, { kind = 'doh' })
+-- net.listen('::1', 44353, { kind = 'doh' })
+-- net.listen('127.0.0.1', 8453, { kind = 'webmgmt' })
+-- net.listen('::1', 8453, { kind = 'webmgmt' })
+
-- Drop root privileges
user('@0@', '@1@')'''.format(user, group)
endif
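Review bot: the commented `webmgmt` listeners are bound to `127.0.0.1`/`::1` exactly like the `doh` ones, with nothing saying why. Add a comment line that `webmgmt` is the management interface and should stay on loopback; otherwise a reader who follows the socket documentation's `[::]:443` example for DoH will widen these lines by analogy and expose the management endpoint alongside the resolver.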
For possible workarounds, see
https://gitlab.labs.nic.cz/knot/knot-resolver/issues/445
+To configure socket for DNS-over-HTTPS, make sure you have
+\fBkresd-doh.socket\fR installed (it might be part of a separate
+knot-resolver-module-http package). Then, you can configure its network
+interfaces as above. Also, don't forget to load http module in configuration
+file, otherwise the socket won't have any function.
+
+For example, to remove the default localhost:44353 and listen on all interfaces
+on port 443, create the following drop-in file for \fBkresd-doh.socket\fR:
+
+.nf
+.RS 4n
+# /etc/systemd/system/kresd-doh.socket.d/override.conf
+[Socket]
+ListenStream=
+ListenStream=[::]:443
+.RE
+.fi
+
+Make sure no other service is using port 443, as that will result in
+unpredictable behaviour. Alternately, you can use port 44353 where a collision
+is unlikely.
+
For more detailed socket configuration, see \fBsystemd.socket\fR(5).
.B Concurrent daemons
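Review bot: `ListenStream=[::]:443` is described as "listen on all interfaces", but whether the socket also accepts IPv4 depends on `BindIPv6Only=` in systemd.socket(5), whose default follows the `net.ipv6.bindv6only` sysctl; either add `ListenStream=0.0.0.0:443` next to it or state that dependency. The port-collision sentence could name the concrete failure: with two services on 443 and no `ReusePort=`, one of them fails to bind with an address-in-use error rather than behaving "unpredictably". This roff text otherwise repeats the RST paragraph word for word, including "Alternately" (should be "Alternatively"), so fix the wording in both places together.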