From: Stefan Schantl
Date: Mon, 11 May 2026 18:56:52 +0000 (+0200)
Subject: knot-resolver: Add basic config file
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a8b0754ecc35b4985b34111e7fe4c64de6ee4eaa;p=ipfire-2.x.git
knot-resolver: Add basic config file
Signed-off-by: Stefan Schantl
---
diff --git a/config/knot-resolver/kresd.conf b/config/knot-resolver/kresd.conf
new file mode 100644
index 000000000..e69b0498b
--- /dev/null
+++ b/config/knot-resolver/kresd.conf
@@ -0,0 +1,133 @@
+-- SPDX-License-Identifier: CC0-1.0
+-- vim:syntax=lua:set ts=4 sw=4:
+-- Refer to manual: https://www.knot-resolver.cz/documentation/latest/
+
+local csv = require("csv")
+
+local ETHERNET_SETTINGS_FILE = "/var/ipfire/ethernet/settings"
+local DNS_SETTINGS_FILE = "/var/ipfire/dns/settings"
+local HOSTS_FILE = "/var/ipfire/main/hosts"
+local UPSTREAM_DNS_SERVERS_FILE = "/var/ipfire/dns/servers"
+local FORWARD_DNS_FILE = "/var/ipfire/dnsforward/config"
+
+local CA_FILE = "/etc/ssl/cert.pem"
+
+-- Load useful modules
+modules = {
+ 'hints > iterate', -- Allow loading /etc/hosts or custom root hints
+ 'stats', -- Track internal statistics
+ 'predict', -- Prefetch expiring/frequent records
+ 'ta_sentinel',
+ 'ta_signal_query',
+ 'view'
+}
+
+hostname('gate.lastresort')
+
+-- log_level('info')
+log_level('debug')
+-- log_target('syslog')
+log_target('stdout')
+
+net.ipv4 = true
+net.ipv6 = false
+
+-- Network interface configuration
+-- XXX: Need to read-in the network settings file to determine the available network zones.
+
+net.listen(net['green0'],5053,{kind='dns',freebind=false})
+net.listen('/tmp/kres.control', nil, { kind = 'control' })
+
+-- Load configured static hosts from Hostsfile
+print ("Loading Hosts...")
+local hosts_file = csv.open(HOSTS_FILE)
+
+if hosts_file then
+ for Line in hosts_file:lines() do
+ status = Line[1]
+ address = Line[2]
+ host = Line[3]
+ domain = Line[4]
+ ptr = Line[5]
+
+ if status == "on" then
+ if domain == "" then
+ hints.set(string.format("%s %s", host, address))
+ else
+ hints.set(string.format("%s.%s %s", host, domain, address))
+ end
+ end
+ end
+ hosts_file:close()
+else
+ print("ERROR:", HOSTS_FILE)
+end
+
+-- Load configured upstream servers
+print("Loading Upstream DNS servers...")
+local upstream_dns_servers = csv.open(UPSTREAM_DNS_SERVERS_FILE)
+
+if upstream_dns_servers then
+ for Line in upstream_dns_servers:lines() do
+ server = Line[1]
+ tls_name = Line[2]
+ status = Line[3]
+
+ if status == "enabled" then
+ -- XXX: Need to check if we want TLS or not
+ -- if TLS then
+ policy.TLS_FORWARD({server, hostname=tls_name, ca_file=CA_FILE})
+ -- else
+ --policy.FORWARD({server})
+ --end
+ end
+ end
+ upstream_dns_servers:close()
+
+ -- XXX: Add providers DNS servers if enabled
+else
+ print("ERROR:", UPSTREAM_DNS_SERVERS_FILE)
+end
+
+-- Load zones which should be forwarded to a certain DNS server
+print("Loading domains which should be forwarded to a certain server...")
+local forward_dns = csv.open(FORWARD_DNS_FILE)
+
+if forward_dns then
+ for Line in forward_dns:lines() do
+ status = Line[1]
+ domain = Line[2]
+ server = Line[3]
+ comment = Line[4]
+ disable_dnssec = Line[5]
+
+ if status == "on" then
+ if disable_dnssec == "on" then
+ policy.add(policy.suffix(policy.STUB(server),{todname(domain)}))
+ else
+ policy.add(policy.suffix(policy.FORWARD(server),{todname(domain)}))
+ end
+ end
+ end
+ forward_dns:close()
+else
+ print("ERROR:", FORWARD_DNS_FILE)
+end
+
+-- Safe serach
+-- XXX: TO DO
+
+-- RPZ
+-- XXX: TO DO - RPZ files needs to be declared once and then passed to a view (ACL) to prevent from loading
+-- the same RPZ file multiple times
+--porn = policy.rpz(policy.DENY_MSG('porn domain blocked by your resolver operator'), '/tmp/porn.axfr', true)
+--view:addr('192.168.40.0/24', porn)
+--view:addr('192.168.41.0/24', porn)
+--view:addr('192.168.42.0/24', porn)
+
+-- CACHE section ------------------------------------
+cache.open(104857600, 'lmdb:///var/cache/knot-resolver')
+cache.min_ttl(5)
+cache.max_ttl(86400)
+cache.ns_tout(1000)
+cache.size = 100 * MB
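Review bot: The `policy.TLS_FORWARD({server, hostname=tls_name, ca_file=CA_FILE})` call in the upstream-servers loop discards its return value, so as far as I can tell from the knot-resolver API none of the enabled upstreams is ever applied: TLS_FORWARD builds a policy action that only takes effect once registered with `policy.add(policy.all(...))`, and it expects a list of per-server tables (`{{addr, hostname=..., ca_file=...}, ...}`) rather than one flat table. Registering a separate rule per server would also leave only the first rule in effect, so the enabled servers should be collected into one list and registered once after the loop, which keeps failover between upstreams and a single CA pin per entry. The same loop, and the hosts and forward loops above and below it, assign `status`, `server`, `tls_name` and the other per-line fields without `local`, leaking them as globals in the config environment; `local server, tls_name, status = Line[1], Line[2], Line[3]` fixes that. Note also that `log_level('debug')` is left enabled, which logs query details and is normally reserved for troubleshooting.
```lua
if upstream_dns_servers then
	local upstreams = {}
	for Line in upstream_dns_servers:lines() do
		local server, tls_name, status = Line[1], Line[2], Line[3]

		if status == "enabled" then
			-- XXX: Need to check if we want TLS or not
			upstreams[#upstreams + 1] = {server, hostname=tls_name, ca_file=CA_FILE}
		end
	end
	upstream_dns_servers:close()

	-- Register all enabled upstreams as one rule so kresd can fail over between them
	if #upstreams > 0 then
		policy.add(policy.all(policy.TLS_FORWARD(upstreams)))
	end
	-- … unchanged: providers XXX note, else branch and end …
```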