-- SPDX-License-Identifier: CC0-1.0
-- vim:syntax=lua:set ts=4 sw=4:
-- Example configuration for a privacy-preserving resolver: every listener is
-- bound to loopback only and every upstream query is forwarded over TLS.
-- Refer to the manual: https://knot-resolver.readthedocs.io/en/stable/

-- Network interface configuration
-- Every service is bound to the two loopback addresses only, so the resolver
-- is not reachable from other hosts unless these addresses are changed.
local function listen_loopback(port, kind)
   net.listen('127.0.0.1', port, { kind = kind })
   net.listen('::1', port, { kind = kind })
end

listen_loopback(53, 'dns')    -- plain, unencrypted DNS
listen_loopback(853, 'tls')   -- DNS-over-TLS; see net.tls() below for the certificate
listen_loopback(443, 'doh2')  -- DNS-over-HTTPS (HTTP/2), also served over TLS

-- TLS server configuration
-- Use this to configure the certificate and private key presented on the
-- 'tls' and 'doh2' listeners above. Until a real certificate is configured,
-- clients cannot authenticate this resolver by name, so set it before
-- exposing ports 853/443 beyond loopback.
-- net.tls("/etc/knot-resolver/server-cert.pem", "/etc/knot-resolver/server-key.pem")

-- Refer to the manual if you would like to use a non-persistent cache.

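-- Forwarding to multiple targets: policy.slice() splits the entire DNS
-- namespace into distinct slices and each query is forwarded to the slice
-- its name falls into, so no single upstream sees all queries. Every
-- target in every slice must still be one you trust with its share.
policy.add(policy.slice(
   -- slicing function (assignment of names to slices; see the manual)
   policy.slice_randomize_psl(),
   -- slice 1: forward over TLS. NOTE: 2001:DB8::/32 and 192.0.2.0/24 are
   -- reserved documentation prefixes and 'YQ==' decodes to a single byte,
   -- so this slice is a placeholder -- replace it with real resolvers before use.
   policy.TLS_FORWARD({
      -- authenticated by the certificate's hostname
      {'2001:DB8::d0c', hostname='res.example.com'},
      -- authenticated by SPKI pin: base64 of the SHA-256 of the server's
      -- SubjectPublicKeyInfo (a 32-byte digest, i.e. 44 base64 characters)
      {'192.0.2.1', pin_sha256={'YQ=='}},
   }),
   -- slice 2: CZ.NIC ODVR, both addresses authenticated as odvr.nic.cz
   policy.TLS_FORWARD({
      -- multiple servers can be specified for a single slice;
      -- the one with the lowest round-trip time will be used
      {'193.17.47.1', hostname='odvr.nic.cz'},
      {'185.43.135.1', hostname='odvr.nic.cz'},
   })
))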