comprehensive zone check
cache installation
List of TLS servers: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
https://www.ctrl.blog/entry/resolvconf-tutorial
systemctl disable --now systemd-resolved.service
https://www.ctrl.blog/entry/knot-dns-resolver-tutorial
/etc/knot-resolver/kresd.conf:
-- vim:syntax=lua:
-- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
-- Load useful modules
modules = {
'policy', -- Block queries to local zones/bad sites
'hints', -- Load /etc/hosts and allow custom root hints
'stats', -- Track internal statistics
'predict', -- Prefetch expiring/frequent records
'serve_stale < cache',
'workarounds < iterate',
}
-- See kresd.systemd(7) about configuring network interfaces when using systemd
-- Listen on localhost (default)
-- net = { '127.0.0.1', '::1' }
-- RANDOMIZE SERVERS
require 'math'
math.randomseed(os.time())
dns_providers = {
{ -- Quad9
{'9.9.9.9', hostname='dns.quad9.net'},
{'149.112.112.112', hostname='dns.quad9.net'},
},
{ -- Cloudflare Resolver
{'1.1.1.1', hostname='cloudflare-dns.com'},
{'1.0.0.1', hostname='cloudflare-dns.com'},
}
}
tls_forwarders = {}
for n, fwdspec in ipairs(dns_providers) do
table.insert(tls_forwarders, policy.TLS_FORWARD(fwdspec))
end
policy.add(function (request, query)
return tls_forwarders[math.random(1, #tls_forwarders)]
end)
-- TRADITIONAL NON-RANDOMIZED
-- policy.add(policy.all(policy.TLS_FORWARD({
-- {'9.9.9.9', hostname='dns.quad9.net'},
-- {'1.1.1.1', hostname='cloudflare-dns.com'},
-- {'149.112.112.112', hostname='dns.quad9.net'},
-- {'1.0.0.1', hostname='cloudflare-dns.com'},
-- })))
-- Cache size
cache.size = 100 * MB
-- Prefetch learning (20-minute blocks over 24 hours)
predict.config(20, 72)
Restart:
systemctl disable --now kresd@1.service; systemctl restart kresd.socket