Using Knot Resolver

Config file

An example configuration file for Knot Resolver that serves DNS-over-TLS on port 853 is below.

-- Default empty Knot DNS Resolver configuration in -*- lua -*-
-- Bind ports as privileged user (root) --
-- net = { '127.0.0.1', '::1', net.ens160 }
-- Certificate chain (leaf plus intermediates) and private key used for DNS-over-TLS
net.tls('/etc/sinodun/certs/fullchain.pem','/etc/sinodun/certs/privkey.pem')
-- Listen on port 853 on all IPv6 addresses and on one IPv4 address; in the
-- Knot Resolver 1.x/2.x API port 853 defaults to TLS, Knot Resolver 4.x and
-- later need an explicit third argument: net.listen('::', 853, { kind = 'tls' })
net.listen('::', 853)
net.listen('145.100.185.17', 853)
-- Switch to unprivileged user --
user('knot-resolver','knot-resolver')
-- Unprivileged
-- cache.size = 100*MB
-- verbose(true)
  • If you are using systemd with socket-based activation you need to remove the net.listen lines above and instead run
    systemctl edit kresd-tls.socket
    and put
    [Socket]
    ListenStream=145.100.185.17:853
    ListenStream=[2001:610:1:40ba:145:100:185:17]:853

in the override file.

See man kresd.systemd for more info.

Depending on how your certificate is issued you may need to add the intermediate certificate to your certificate file for clients to be able to validate. For example, if you use Let's Encrypt to create your certificate you will need to add the intermediate certificate (found in the /etc/letsencrypt/certs/000<N>_chain.pem file) to the cert file.
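To check that the listener configured above really answers over TLS, and that the certificate file presented to clients carries the intermediate certificate, the following probe is useful. It is an added example, not code from the original page or from the Knot Resolver project: it builds a plain DNS query, sends it with the RFC 7858 two-byte length framing to port 853, and validates the server certificate against the system trust store, so a missing intermediate fails the handshake instead of going unnoticed. The resolver name and address are assumptions.

```python
# Added example (not from the original page or the Knot Resolver project):
# a minimal DNS-over-TLS probe for a resolver like the one configured above.
# The resolver name and address are assumptions; replace them with your own.
import socket
import ssl
import struct

RESOLVER_HOST = "dot.example"   # assumed name on the certificate
RESOLVER_ADDR = "192.0.2.53"    # assumed resolver address (documentation range)
DOT_PORT = 853


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: 12-byte header with RD set, one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def frame(msg: bytes) -> bytes:
    """Prefix a DNS message with its 2-byte big-endian length (RFC 7858 framing)."""
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from a socket-like object that offers recv()."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full DNS message")
        buf += chunk
    return buf


def unframe(sock) -> bytes:
    """Read one length-prefixed DNS message from the stream."""
    (length,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, length)


def parse_response(msg: bytes, expected_txid: int = 0x1234) -> dict:
    """Decode the DNS header: transaction id match, QR bit, RCODE, section counts."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "txid_ok": txid == expected_txid,
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F,
        "questions": qd,
        "answers": an,
        "authority": ns,
        "additional": ar,
    }


def query_over_tls(host: str, addr: str, qname: str, port: int = DOT_PORT) -> dict:
    """Send one A query over DNS-over-TLS and return the parsed header plus TLS details.

    create_default_context() verifies the chain against the system CA store and
    checks that `host` matches the certificate, so a fullchain.pem without the
    intermediate raises ssl.SSLCertVerificationError here.
    """
    context = ssl.create_default_context()
    with socket.create_connection((addr, port), timeout=5) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame(build_query(qname)))
            result = parse_response(unframe(tls))
            result["tls_version"] = tls.version()
            result["cipher"] = tls.cipher()[0]
            return result


if __name__ == "__main__":
    print(query_over_tls(RESOLVER_HOST, RESOLVER_ADDR, "example.com"))
```

Run it against the resolver's address with the name that appears on the certificate; a `CERTIFICATE_VERIFY_FAILED` / "unable to get local issuer certificate" error points at the missing intermediate described above, while a successful result with `rcode` 0 and a non-zero `answers` count confirms the TLS listener is serving DNS.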