summaryrefslogtreecommitdiffstats
path: root/etc/config/config.privacy
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:26:00 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:26:00 +0000
commit830407e88f9d40d954356c3754f2647f91d5c06a (patch)
treed6a0ece6feea91f3c656166dbaa884ef8a29740e /etc/config/config.privacy
parentInitial commit. (diff)
downloadknot-resolver-98d55686c8af309ef910d45b4aa72db5092f465c.tar.xz
knot-resolver-98d55686c8af309ef910d45b4aa72db5092f465c.zip
Adding upstream version 5.6.0.upstream/5.6.0upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'etc/config/config.privacy')
-rw-r--r--etc/config/config.privacy36
1 files changed, 36 insertions, 0 deletions
diff --git a/etc/config/config.privacy b/etc/config/config.privacy
new file mode 100644
index 0000000..6c14d74
--- /dev/null
+++ b/etc/config/config.privacy
@@ -0,0 +1,36 @@
+-- SPDX-License-Identifier: CC0-1.0
+-- vim:syntax=lua:set ts=4 sw=4:
+-- Config file example usable for privacy-preserving resolver
+-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/
+
+-- Network interface configuration
+net.listen('127.0.0.1', 53, { kind = 'dns' })
+net.listen('::1', 53, { kind = 'dns'})
+net.listen('127.0.0.1', 853, { kind = 'tls' })
+net.listen('::1', 853, { kind = 'tls' })
+net.listen('127.0.0.1', 443, { kind = 'doh2' })
+net.listen('::1', 443, { kind = 'doh2' })
+
+-- TLS server configuration
+-- use this to configure your TLS certificates
+-- net.tls("/etc/knot-resolver/server-cert.pem", "/etc/knot-resolver/server-key.pem")
+
+-- Refer to manual if you would like to use non-persistent cache
+
+-- forwarding to multiple targets
+-- splits the entire DNS namespace into distinct slices
+policy.add(policy.slice(
+ -- slicing function
+ policy.slice_randomize_psl(),
+ -- forward over TLS
+ policy.TLS_FORWARD({
+ {'2001:DB8::d0c', hostname='res.example.com'},
+ {'192.0.2.1', pin_sha256={'YQ=='}},
+ }),
+ policy.TLS_FORWARD({
+ -- multiple servers can be specified for a single slice
+ -- the one with lowest round-trip time will be used
+ {'193.17.47.1', hostname='odvr.nic.cz'},
+ {'185.43.135.1', hostname='odvr.nic.cz'},
+ })
+))