Knot Resolver - Tips & Tricks

Advanced configuration of Whalebone resolver allows to apply any Knot Resolver configuration. In this section we are going to describe the most frequent use cases and examples of such configuration snippets. Views, policies and their actions are evaluated in the sequence as they are defined (except special chain actions that are described in the official Knot Resolver documentation). First match will execute the action, the rest of the policy rules is not evaluated. If you are going to combine different configuration snippets, you can load the same module just once at the beginning of the configuration.

Allow particular IP ranges

Define a list of IP ranges that will be allowed to use this DNS resolver. Queries from all other ranges will be refused.

-- load modules
modules = {'policy', 'view'}

--define list of ranges to allow
--127.0.0.1 should always be allowed
allowed = {
  '127.0.0.1/32',
  '10.10.20.5/32',
  '10.30.10.0/24'
}

-- allow list of ranges
for i,subnet in ipairs(allowed) do
  view:addr(subnet, policy.all(policy.PASS))
end

-- block all other ranges
view:addr('0.0.0.0/0', policy.all(policy.DENY))

Refuse particular IP ranges

Define a list of IP ranges that will be blocked to use this DNS resolver. Queries from all other ranges will be allowed.

-- load modules
modules = {'policy', 'view'}

--define list of ranges to block
blocked = {
  '10.10.20.5/32',
  '10.30.10.0/24'
}

-- block list of ranges
for i,subnet in ipairs(blocked) do
  view:addr(subnet, policy.all(policy.REFUSE))
end

Allow list of domains

-- load modules
modules = {'policy'}

--define list of allowed domains
domains = {
  'example.com',
  'anotherexample.org'
}

-- allow list of domains
for i,domain in ipairs(domains) do
  policy.add(policy.suffix(policy.PASS, {todname(domain)}))
end

Deny list of domains

-- load modules
modules = {'policy'}

--define list of denied domains
domains = {
  'example.com',
  'anotherexample.org'
}

-- deny list of domains, while returning NXDOMAIN
for i,domain in ipairs(domains) do
  policy.add(policy.suffix(policy.DENY, {todname(domain)}))
end

Disable DNSSEC globally

trust_anchors.negative = { '.' }

Disable DNSSEC validation for a domain

trust_anchors.set_insecure({ 'domain.com' })

Disable Query Case Randomization

policy.add(policy.suffix(policy.FLAGS('NO_0X20'), {todname('domain.com')}))

Disable QNAME Minimization

policy.add(policy.suffix(policy.FLAGS('NO_MINIMIZE'), {todname('domain.com')}))

Disable Domain caching

policy.add(policy.suffix(policy.FLAGS('NO_CACHE'), {todname('domain.com')}))

Enable Prometheus Metrics

The resolver can expose its metrics in Prometheus text format. The following script enables the HTTP module and the respective /metrics endpoint is made available.

More information and configuration options can be found on Knot Resolver Documentation

modules.load('http')
function startHttp ()
net.listen('127.0.0.1', 8453, { kind = 'webmgmt' })
end
pcall(startHttp)