comprehensive zone check
cache installation
List of public DNS-over-TLS (DoT) test servers (use the listed hostname for certificate verification, not just the IP): https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
https://www.ctrl.blog/entry/resolvconf-tutorial
# Stop systemd-resolved now (--now) and keep it from starting at boot, so it no
# longer owns the local stub listener that kresd is about to take over.
# NOTE(review): /etc/resolv.conf is often a symlink into systemd-resolved's
# stub-resolv.conf; after this, make sure it points at the kresd listener
# (127.0.0.1 / ::1) or name resolution will break — see the resolvconf link above.
systemctl disable --now systemd-resolved.service
https://www.ctrl.blog/entry/knot-dns-resolver-tutorial
/etc/knot-resolver/kresd.conf:
-- vim:syntax=lua:
-- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
--
-- kresd configuration: forward every query over DNS-over-TLS to one of two
-- providers (Quad9, Cloudflare), picking the provider at random per query.

-- Load useful modules
modules = {
    'policy',   -- Block queries to local zones/bad sites; also provides TLS_FORWARD used below
    'hints',    -- Load /etc/hosts and allow custom root hints
    'stats',    -- Track internal statistics
    'predict',  -- Prefetch expiring/frequent records
    'serve_stale < cache',    -- NOTE(review): presumably answers from expired cache entries
                              -- when upstream is unreachable — confirm acceptable for this host
    'workarounds < iterate',
}

-- See kresd.systemd(7) about configuring network interfaces when using systemd
-- Listen on localhost (default)
-- net = { '127.0.0.1', '::1' }
-- NOTE(review): the listener is left at the systemd socket default here; make
-- sure kresd.socket only binds loopback so this is not an open resolver.

-- RANDOMIZE SERVERS
-- The seed only spreads load across providers; it is not used for anything
-- security-relevant (source-port/ID randomisation is done by kresd itself),
-- so a time-based seed is adequate.
require 'math'
math.randomseed(os.time())

-- Each entry is one provider; each provider has two upstream addresses.
-- `hostname=` is what enables TLS certificate verification against the
-- system CA store (per the kresd manual) — without it the TLS session is
-- unauthenticated. Keep the hostname matching the provider's certificate.
dns_providers = {
    { -- Quad9
        {'9.9.9.9', hostname='dns.quad9.net'},
        {'149.112.112.112', hostname='dns.quad9.net'},
    },
    { -- Cloudflare Resolver
        {'1.1.1.1', hostname='cloudflare-dns.com'},
        {'1.0.0.1', hostname='cloudflare-dns.com'},
    }
}

-- Build one TLS_FORWARD action per provider (kresd will fail over between
-- the addresses inside a single action).
tls_forwarders = {}
for n, fwdspec in ipairs(dns_providers) do
    table.insert(tls_forwarders, policy.TLS_FORWARD(fwdspec))
end

-- Per-query policy: pick a random provider for each incoming request.
-- Privacy trade-off: because selection is per query, BOTH providers see a
-- sample of this host's query stream rather than one provider seeing all of it.
-- Assumes dns_providers is non-empty; math.random(1, 0) would raise otherwise.
policy.add(function (request, query)
    return tls_forwarders[math.random(1, #tls_forwarders)]
end)

-- TRADITIONAL NON-RANDOMIZED
-- (single forwarding action; kresd chooses among the four addresses itself)
-- policy.add(policy.all(policy.TLS_FORWARD({
--     {'9.9.9.9', hostname='dns.quad9.net'},
--     {'1.1.1.1', hostname='cloudflare-dns.com'},
--     {'149.112.112.112', hostname='dns.quad9.net'},
--     {'1.0.0.1', hostname='cloudflare-dns.com'},
-- })))

-- Cache size
cache.size = 100 * MB

-- Prefetch learning (20-minute blocks over 24 hours: 20 * 72 = 1440 minutes)
predict.config(20, 72)
Restart:
# Stop/disable the running resolver instance, then restart the socket unit so
# the new kresd.conf is picked up.
# NOTE(review): this relies on systemd socket activation to spawn kresd@1 again
# on the next query; confirm with `systemctl status kresd@1.service` and a test
# lookup, and check the socket still binds only loopback after the restart.
systemctl disable --now kresd@1.service; systemctl restart kresd.socket