Adding upstream version 3.2.1.upstream/3.2.1upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 36 insertions, 0 deletions

diff --git a/etc/config.isp b/etc/config.isp
new file mode 100644
index 0000000..27dc76e
--- /dev/null
+++ b/etc/config.isp
@@ -0,0 +1,36 @@
+-- Config file example useable for multi-user ISP resolver
+-- Refer to manual: https://knot-resolver.readthedocs.io/en/latest/daemon.html#configuration
+
+-- Listen on localhost and external interface
+net = { '127.0.0.1', '::1', '192.168.1.1' }
+
+-- Drop root privileges
+user('knot-resolver', 'knot-resolver')
+
+-- Auto-maintain root TA
+trust_anchors.file = 'root.keys'
+
+-- Large cache size, so we don't need to flush often
+-- This can be larger than available RAM, least frequently accessed
+-- records will be paged out
+cache.size = 4 * GB
+
+-- Load Useful modules
+modules = {
+	'view',     -- Views for certain clients
+	'hints > iterate', -- Load /etc/hosts and allow custom root hints
+	'stats',    -- Track internal statistics
+	graphite = { -- Send statistics to local InfluxDB
+		-- `worker.id` allows us to keep per-fork statistics
+		prefix = hostname()..worker.id,
+		-- Address of the Graphite/InfluxDB server
+		host = '192.168.1.2',
+	},
+}
+
+-- Block all `site.nl` for `10.0.0.0/24` subnet
+view:addr('10.0.0.0/24', policy.suffix(policy.DROP, {todname('site.nl')}))
+-- Force all clients from `192.168.2.0/24` to TCP
+view:addr('192.168.2.0/24', policy.all(policy.TC))
+-- Apply RPZ for all clients, default rule is DENY
+policy.add(policy.rpz(policy.DENY, 'blacklist.rpz'))