-- SPDX-License-Identifier: CC0-1.0
-- vim:syntax=lua:set ts=4 sw=4:
-- Config file example usable for ISP resolver
-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/

-- Network interface configuration.
-- Every listener is bound to loopback only (IPv4 and IPv6): plain DNS on 53,
-- DNS-over-TLS on 853 and DNS-over-HTTPS/2 on 443. No certificate is set up in
-- this file for the 'tls'/'doh2' listeners -- presumably the resolver's default
-- applies (see net.tls() in the manual); confirm before exposing them beyond
-- localhost.
local listen_addrs = { '127.0.0.1', '::1' }
local listen_kinds = {
    { port = 53,  kind = 'dns'  },
    { port = 853, kind = 'tls'  },
    { port = 443, kind = 'doh2' },
}
-- same order as listing each call by hand: both addresses per kind, kinds in
-- the order above
for _, spec in ipairs(listen_kinds) do
    for _, addr in ipairs(listen_addrs) do
        net.listen(addr, spec.port, { kind = spec.kind })
    end
end

-- Cache size; refer to the manual for the value suited to your deployment.
cache.size = 4 * GB

-- Load modules: 'view' is needed for the per-client views further down,
-- 'stats' provides the counters read by the statistics logging and by
-- speed_monitor.
modules = { 'view', 'stats' }

-- Dump the whole statistics table to the log once per second ...
local function dump_stats(_)
    log(table_print(stats.list()))
end
local stat_id = event.recurrent(1 * second, dump_stats)

-- ... and stop doing so once the first minute has passed; the handle from
-- event.recurrent() is what event.cancel() needs.
event.after(1 * minute, function(_)
    event.cancel(stat_id)
end)

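-- speed_monitor definition
-- Returns a callback for event.recurrent() that compares the 'answer.total'
-- and 'answer.slow' counters from stats.list() with the values seen on the
-- previous invocation and logs a warning when more than 5% of the answers
-- given in between were slow. The previous snapshot lives in the closure.
-- Assumes stats.list() always contains both counters -- confirm with the
-- stats module documentation.
-- @treturn function  callback(evid); the event id argument is unused
function speed_monitor()
    local previous = stats.list()   -- snapshot taken when the monitor was created
    return function(_)
        local now = stats.list()
        -- counters are cumulative, so the difference is the traffic since the
        -- last tick
        local total_increment = now['answer.total'] - previous['answer.total']
        local slow_increment = now['answer.slow'] - previous['answer.slow']
        -- a tick with no answers has nothing to measure: make that explicit
        -- instead of relying on 0/0 producing NaN, which compares false
        if total_increment > 0 and slow_increment / total_increment > 0.05 then
            log('WARNING! More than 5 %% of queries was slow!')
        end
        previous = now
    end
end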

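-- execute speed_monitor every minute; the handle is kept so the monitor can
-- be cancelled with event.cancel() if needed
local monitor_id = event.recurrent(1 * minute, speed_monitor())

-- apply RPZ for all clients, default rule is DENY.
-- NOTE(review): the zone file path is relative -- presumably resolved against
-- the resolver's working directory; confirm where 'blacklist.rpz' is deployed.
policy.add(policy.rpz(policy.DENY, 'blacklist.rpz'))

-- whitelist queries identified by subnet
-- (fixed: the subnet literal was doubly quoted, which does not parse)
-- NOTE(review): view rules appear to be matched in the order they are added,
-- so this PASS rule must stay above the catch-all DROP below -- confirm.
view:addr('192.168.1.0/24', policy.all(policy.PASS))

-- drop everything that hasn't matched.
-- NOTE(review): '0.0.0.0/0' covers IPv4 sources only; clients arriving over
-- the '::1' listeners above match neither view rule. Add an equivalent
-- '::/0' rule if IPv6 clients are meant to be dropped as well.
view:addr('0.0.0.0/0', policy.all(policy.DROP))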