An example configuration file for Knot Resolver (kresd) that runs DNS-over-TLS on port 853 is below.
-- Default empty Knot DNS Resolver configuration in -*- lua -*-
-- Bind ports as privileged user (root) --
-- net = { '127.0.0.1', '::1', net.ens160 }
net.tls('/etc/sinodun/certs/fullchain.pem','/etc/sinodun/certs/privkey.pem')
net.listen('::', 853)
net.listen('145.100.185.17', 853)
-- Switch to unprivileged user --
user('knot-resolver','knot-resolver')
-- Unprivileged
-- cache.size = 100*MB
-- verbose(true)
If kresd is started through its systemd socket unit, set the listening addresses with
systemctl edit kresd-tls.socket
and put
[Socket]
ListenStream=145.100.185.17:853
ListenStream=[2001:610:1:40ba:145:100:185:17]:853
in the override file.
If you are using the packages from home:CZ-NIC:knot-resolver-latest you need to enable the service using
systemctl enable --now kresd@1.service
See man kresd.systemd for more info.
Depending on how your certificate is issued you may need to add the
intermediate certificate to your certificate file so that clients are able
to validate it. For example, if you use Let's Encrypt to create your
certificate you will need to add the intermediate certificate (found in
the /etc/letsencrypt/certs/000<N>_chain.pem file) to the cert file.
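As an added example (not part of this page and not Knot Resolver's own code), a small Python client that sends one query over DNS-over-TLS to the resolver configured above and verifies the server certificate the way a normal client would, so a cert file missing its intermediate shows up as a verification error. The server address is the one from the configuration; the TLS server name and the query name are placeholders.

```python
import socket
import ssl
import struct

# DoT (RFC 7858) reuses TCP framing: a 2-byte big-endian length precedes each message.

def build_query(qname: str, qtype: int = 1, qid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: RD=1, one question, class IN, no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def frame(msg: bytes) -> bytes:
    """Add the 2-byte length prefix required on TCP and TLS transports."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header of a response message."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes (TLS records need not align with DNS messages)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full message")
        buf += chunk
    return buf

def query_dot(server: str, server_name: str, qname: str, port: int = 853) -> dict:
    """Send one query to the resolver over TLS and return the parsed header.

    The default context verifies the chain against the system trust store, so a
    resolver whose cert file lacks the intermediate certificate fails here with
    CERTIFICATE_VERIFY_FAILED instead of appearing to work."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame(build_query(qname)))
            length = struct.unpack("!H", recv_exact(tls, 2))[0]
            return parse_header(recv_exact(tls, length))

if __name__ == "__main__":
    # 145.100.185.17 is the address from the configuration above; the TLS
    # server name is a placeholder (assumption) for the name on its certificate.
    print(query_dot("145.100.185.17", "dot.example.invalid", "example.com"))
```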