knot-resolver: Add basic config file
authorStefan Schantl <stefan.schantl@ipfire.org>
Mon, 11 May 2026 18:56:52 +0000 (20:56 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Thu, 21 May 2026 15:27:28 +0000 (15:27 +0000)
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
config/knot-resolver/kresd.conf [new file with mode: 0644]

diff --git a/config/knot-resolver/kresd.conf b/config/knot-resolver/kresd.conf
new file mode 100644 (file)
index 0000000..e69b049
--- /dev/null
@@ -0,0 +1,133 @@
+-- SPDX-License-Identifier: CC0-1.0
+-- vim:syntax=lua:set ts=4 sw=4:
+-- Refer to manual: https://www.knot-resolver.cz/documentation/latest/
+
+local csv = require("csv")
+
+local ETHERNET_SETTINGS_FILE = "/var/ipfire/ethernet/settings"
+local DNS_SETTINGS_FILE = "/var/ipfire/dns/settings"
+local HOSTS_FILE = "/var/ipfire/main/hosts"
+local UPSTREAM_DNS_SERVERS_FILE = "/var/ipfire/dns/servers"
+local FORWARD_DNS_FILE = "/var/ipfire/dnsforward/config"
+
+local CA_FILE = "/etc/ssl/cert.pem"
+
+-- Load useful modules
+modules = {
+       'hints > iterate',  -- Allow loading /etc/hosts or custom root hints
+       'stats',            -- Track internal statistics
+       'predict',          -- Prefetch expiring/frequent records
+       'ta_sentinel',
+       'ta_signal_query',
+       'view'
+}
+
+hostname('gate.lastresort')
+
+-- log_level('info')
+log_level('debug')
+-- log_target('syslog')
+log_target('stdout')
+
+net.ipv4 = true
+net.ipv6 = false
+
+-- Network interface configuration
+-- XXX: Need to read-in the network settings file to determine the available network zones.
+
+net.listen(net['green0'],5053,{kind='dns',freebind=false})
+net.listen('/tmp/kres.control', nil, { kind = 'control' })
+
+-- Load configured static hosts from Hostsfile
+print ("Loading Hosts...")
+local hosts_file = csv.open(HOSTS_FILE)
+
+if hosts_file then
+        for Line in hosts_file:lines() do
+                status = Line[1]
+                address = Line[2]
+                host = Line[3]
+                domain = Line[4]
+                ptr = Line[5]
+
+               if status == "on" then
+                       if domain == "" then
+                               hints.set(string.format("%s %s", host, address))
+                       else
+                               hints.set(string.format("%s.%s %s", host, domain, address)) 
+                       end
+               end
+        end
+        hosts_file:close()
+else
+        print("ERROR:", HOSTS_FILE)
+end
+
+-- Load configured upstream servers
+print("Loading Upstream DNS servers...")
+local upstream_dns_servers = csv.open(UPSTREAM_DNS_SERVERS_FILE)
+
+if upstream_dns_servers then
+       for Line in upstream_dns_servers:lines() do
+               server = Line[1]
+               tls_name = Line[2]
+               status = Line[3]
+
+               if status == "enabled" then
+                       -- XXX: Need to check if we want TLS or not
+                       -- if TLS then
+                               policy.TLS_FORWARD({server, hostname=tls_name, ca_file=CA_FILE})
+                       -- else
+                               --policy.FORWARD({server})
+                       --end
+               end
+       end
+       upstream_dns_servers:close()
+
+       -- XXX: Add providers DNS servers if enabled
+else
+       print("ERROR:", UPSTREAM_DNS_SERVERS_FILE)
+end
+
+-- Load zones which should be forwarded to a certain DNS server
+print("Loading domains which should be forwarded to a certain server...")
+local forward_dns = csv.open(FORWARD_DNS_FILE)
+
+if forward_dns then
+       for Line in forward_dns:lines() do
+               status = Line[1]
+               domain = Line[2]
+               server = Line[3]
+               comment = Line[4]
+               disable_dnssec = Line[5]
+
+               if status == "on" then
+                       if disable_dnssec == "on" then
+                               policy.add(policy.suffix(policy.STUB(server),{todname(domain)}))
+                       else
+                               policy.add(policy.suffix(policy.FORWARD(server),{todname(domain)}))
+                       end
+               end
+       end
+       forward_dns:close()
+else
+       print("ERROR:", FORWARD_DNS_FILE)
+end
+
+-- Safe serach
+-- XXX: TO DO
+
+-- RPZ
+-- XXX: TO DO - RPZ files needs to be declared once and then passed to a view (ACL) to prevent from loading
+--     the same RPZ file multiple times
+--porn = policy.rpz(policy.DENY_MSG('porn domain blocked by your resolver operator'), '/tmp/porn.axfr', true)
+--view:addr('192.168.40.0/24', porn)
+--view:addr('192.168.41.0/24', porn)
+--view:addr('192.168.42.0/24', porn)
+
+-- CACHE section ------------------------------------
+cache.open(104857600, 'lmdb:///var/cache/knot-resolver')
+cache.min_ttl(5)
+cache.max_ttl(86400)
+cache.ns_tout(1000)
+cache.size = 100 * MB
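Review bot: The `policy.TLS_FORWARD({server, hostname=tls_name, ca_file=CA_FILE})` call inside the `status == "enabled"` branch builds a forwarding action and then discards it — it is never passed to `policy.add()` as the `policy.suffix` rules further down are, so no upstream forwarding is configured and kresd will recurse on its own; the documented argument is also a list of target tables (`policy.TLS_FORWARD({{addr, hostname=..., ca_file=...}})`), one list covering all servers rather than one call per server. The rewrite below collects the enabled servers into a table and registers a single `policy.add(policy.all(policy.TLS_FORWARD(upstream_targets)))`, which should run after the per-domain `policy.suffix` rules, since rules are tried in the order they were added and a catch-all added first would shadow them. Separately, `net.listen('/tmp/kres.control', nil, { kind = 'control' })` puts the control socket, which accepts Lua commands from whoever can connect to it, in a world-writable directory; it belongs in a directory owned by the resolver user (kresd's own runtime directory), and `log_level('debug')` to stdout will record query details that a production build should not emit by default. The loop bodies also assign `status`, `server`, `domain`, `host`, `address` and friends as globals — declare them `local`.
```lua
local upstream_dns_servers = csv.open(UPSTREAM_DNS_SERVERS_FILE)
-- One target list for every enabled upstream; the TLS_FORWARD action is
-- only applied once it has been registered with policy.add().
local upstream_targets = {}

if upstream_dns_servers then
       for line in upstream_dns_servers:lines() do
               local server, tls_name, status = line[1], line[2], line[3]

               if status == "enabled" then
                       upstream_targets[#upstream_targets + 1] = {server, hostname=tls_name, ca_file=CA_FILE}
               end
       end
       upstream_dns_servers:close()
       -- … unchanged: provider servers TODO …
else
       print("ERROR:", UPSTREAM_DNS_SERVERS_FILE)
end

-- … unchanged: per-domain policy.suffix STUB/FORWARD rules …

-- Catch-all must come after the suffix rules: first matching rule wins.
if #upstream_targets > 0 then
       policy.add(policy.all(policy.TLS_FORWARD(upstream_targets)))
end
```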