From 1852910ef0fd7393da62b88aee66ee092208748e Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 27 Apr 2024 12:41:58 +0200 Subject: Adding upstream version 5.3.1. Signed-off-by: Daniel Baumann --- etc/config/config.privacy | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 etc/config/config.privacy (limited to 'etc/config/config.privacy') diff --git a/etc/config/config.privacy b/etc/config/config.privacy new file mode 100644 index 0000000..d36f3a2 --- /dev/null +++ b/etc/config/config.privacy @@ -0,0 +1,36 @@ +-- SPDX-License-Identifier: CC0-1.0 +-- vim:syntax=lua:set ts=4 sw=4: +-- Config file example usable for privacy-preserving resolver +-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/ + +-- Network interface configuration +net.listen('127.0.0.1', 53, { kind = 'dns' }) +net.listen('::1', 53, { kind = 'dns'}) +net.listen('127.0.0.1', 853, { kind = 'tls' }) +net.listen('::1', 853, { kind = 'tls' }) +net.listen('127.0.0.1', 443, { kind = 'doh2' }) +net.listen('::1', 443, { kind = 'doh2' }) + +-- TLS server configuration +-- use this to configure your TLS certificates +-- net.tls("/etc/knot-resolver/server-cert.pem", "/etc/knot-resolver/server-key.pem") + +-- Refer to manual if you would like to use non-persistent cache + +-- forwarding to multiple targets +-- splits the entire DNS namespace into distinct slices +policy.add(policy.slice( + -- slicing function + policy.slice_randomize_psl(), + -- forward over TLS + policy.TLS_FORWARD({ + {'2001:DB8::d0c', hostname='res.example.com'}, + {'192.0.2.1', pin_sha256={'YQ=='} + }), + policy.TLS_FORWARD({ + -- multiple servers can be specified for a single slice + -- the one with lowest round-trip time will be used + {'193.17.47.1', hostname='odvr.nic.cz'}, + {'185.43.135.1', hostname='odvr.nic.cz'}, + }) +)) -- cgit v1.2.3