Config file

An example configuration file for Knot Resolver (kresd) that serves DNS-over-TLS on port 853 is below.

-- Default empty Knot DNS Resolver configuration in -*- lua -*-
-- Bind ports as privileged user (root) --
-- net = { '127.0.0.1', '::1', net.ens160 }
-- Certificate chain (leaf plus intermediate) and private key used for DNS-over-TLS
net.tls('/etc/sinodun/certs/fullchain.pem','/etc/sinodun/certs/privkey.pem')
-- Listen for DNS-over-TLS on port 853 on the IPv6 wildcard address and on this host's IPv4 address
net.listen('::', 853)
net.listen('145.100.185.17', 853)
-- Switch to unprivileged user --
user('knot-resolver','knot-resolver')
-- Unprivileged
-- cache.size = 100*MB
-- verbose(true)

If you are using systemd with socket-based activation, you need to remove the net.listen lines above and instead run

systemctl edit kresd-tls.socket

and put

[Socket]
ListenStream=145.100.185.17:853
ListenStream=[2001:610:1:40ba:145:100:185:17]:853

in the override file.

If you are using the packages from home:CZ-NIC:knot-resolver-latest you need to enable the service using

systemctl enable --now kresd@1.service

See man kresd.systemd for more info.

Depending on how your certificate is issued, you may need to add the intermediate certificate to your certificate file so that clients are able to validate it. For example, if you use Let's Encrypt to create your certificate, you will need to add the intermediate certificate (found in the /etc/letsencrypt/certs/000<N>_chain.pem file) to the cert file.
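A check for the chain problem just described, added here as an example that is not part of this page or of Knot Resolver: it parses the "Certificate chain" section of openssl s_client output taken from the DoT port and reports a missing intermediate or a broken link between certificates. The host name dot.example.net and the sample s_client output are constructed.

```python
"""Parse the "Certificate chain" section of openssl s_client output from a
DNS-over-TLS listener (e.g. s_client -connect 145.100.185.17:853 </dev/null)
and flag a chain a validating client cannot build, such as a missing intermediate."""
import re

# Constructed sample (hypothetical name dot.example.net): only the leaf is
# served, which is what a cert file without the intermediate produces.
LEAF_ONLY = """\
---
Certificate chain
 0 s:CN = dot.example.net
   i:C = US, O = Let's Encrypt, CN = R3
---
Server certificate
"""
# Constructed sample of a complete chain: leaf followed by its intermediate.
FULL_CHAIN = LEAF_ONLY.replace("---\nServer", """\
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server""")

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject, in_chain = [], None, False
    for line in output.splitlines():
        if line.startswith("Certificate chain"):
            in_chain = True
        elif in_chain and line.startswith("---"):
            break
        elif in_chain and (m := re.match(r"\s*\d+ s:(.*)", line)):
            subject = m.group(1).strip()
        elif in_chain and subject and (m := re.match(r"\s*i:(.*)", line)):
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def chain_problems(chain):
    """List what a validating client would stumble over; empty means OK."""
    problems = []
    if not chain:
        problems.append("no certificate chain in the s_client output")
    elif len(chain) == 1 and chain[0][0] != chain[0][1]:
        problems.append("only the leaf is served; append the intermediate to the cert file")
    for (subject, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:  # broken link: client cannot chain upwards
            problems.append(f"'{subject}' is issued by '{issuer}' but the "
                            f"next certificate sent is '{next_subject}'")
    return problems
```

Capture the listener's output with openssl s_client -connect 145.100.185.17:853 </dev/null and pass it to parse_chain(); an empty list from chain_problems() means clients can build the chain from what the server sends.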
