From 712632ef46b245ab40b7b666e2342754be7b71f8 Mon Sep 17 00:00:00 2001
From: Tomas Krizek
Date: Tue, 14 Jan 2020 14:08:11 +0100
Subject: etc/config: use net.listen() syntax for configs

- meson templating no longer needed
- commented out DoH/webmgmt configuration removed
- added explicit port 53 and kind=dns
---
etc/config/config.cluster | 40 +++++++++++++++++++++++++++
etc/config/config.cluster.in | 43 ----------------------------
etc/config/config.docker | 39 +++++++++++++++++++++++++++
etc/config/config.docker.in | 39 ---------------------------
etc/config/config.internal | 15 +++++++++++
etc/config/config.internal.in | 10 -------
etc/config/config.isp | 61 ++++++++++++++++++++++++++++++++++++++++++
etc/config/config.isp.in | 56 --------------------------------------
etc/config/config.personal | 21 +++++++++++++++
etc/config/config.personal.in | 24 -----------------
etc/config/config.privacy | 34 +++++++++++++++++++++++
etc/config/config.privacy.in | 29 --------------------
etc/config/config.splitview | 34 +++++++++++++++++++++++
etc/config/config.splitview.in | 37 -------------------------
etc/config/meson.build | 44 ++++++------------------------
15 files changed, 252 insertions(+), 274 deletions(-)
create mode 100644 etc/config/config.cluster
delete mode 100644 etc/config/config.cluster.in
create mode 100644 etc/config/config.docker
delete mode 100644 etc/config/config.docker.in
create mode 100644 etc/config/config.internal
delete mode 100644 etc/config/config.internal.in
create mode 100644 etc/config/config.isp
delete mode 100644 etc/config/config.isp.in
create mode 100644 etc/config/config.personal
delete mode 100644 etc/config/config.personal.in
create mode 100644 etc/config/config.privacy
delete mode 100644 etc/config/config.privacy.in
create mode 100644 etc/config/config.splitview
delete mode 100644 etc/config/config.splitview.in
(limited to 'etc')
diff --git a/etc/config/config.cluster b/etc/config/config.cluster
new file mode 100644
index 00000000..33e0fe3c
--- /dev/null
+++ b/etc/config/config.cluster
@@ -0,0 +1,40 @@
+-- vim:syntax=lua:set ts=4 sw=4:
+-- Config file example useable for larger resolver farms
+-- In this case cache should be made as large as possible, and prefetching turned off
+-- as the resolver is busy most of the time.
+-- Alternative is using `etcd` as a configuration backend.
+-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/
+
+-- Network interface configuration
+net.listen('127.0.0.1', 53, { kind = 'dns' })
+net.listen('::1', 53, { kind = 'dns'})
+net.listen('127.0.0.1', 853, { kind = 'tls' })
+net.listen('::1', 853, { kind = 'tls' })
+
+-- To disable DNSSEC validation, uncomment the following line (not recommended)
+-- trust_anchors.remove('.')
+
+-- Large cache size, so we don't need to flush ever
+-- This can be larger than available RAM, least frequently accessed
+-- records will be paged out as long as there's enough disk space to back it
+cache.size = 100 * GB
+
+-- Load Useful modules
+modules = {
+ 'hints > iterate', -- Load /etc/hosts and allow custom root hints
+ 'stats', -- Track internal statistics
+ graphite = { -- Send statistics to local InfluxDB
+ -- `worker.id` allows us to keep per-fork statistics
+ prefix = hostname()..worker.id,
+ -- Address of the Graphite/InfluxDB server
+ host = '192.168.1.2',
+ },
+}
+
+-- Use local root server copy for performance reasons
+hints.root({
+ ['j.root-servers.net.'] = { '192.168.1.4', '2001:503:c27::2:30', '192.58.128.30' }
+})
+
+-- Apply RPZ for all clients, default rule is DENY
+policy.add(policy.rpz(policy.DENY, 'blacklist.rpz'))
diff --git a/etc/config/config.cluster.in b/etc/config/config.cluster.in
deleted file mode 100644
index f5869d6e..00000000
--- a/etc/config/config.cluster.in
+++ /dev/null
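Review bot: `net.listen('::1', 53, { kind = 'dns'})` drops the space before `}` that the sibling line `net.listen('127.0.0.1', 53, { kind = 'dns' })` has; the same pair appears in config.internal, config.isp, config.personal, config.privacy and config.splitview. Since the commit's purpose is to make the listen block uniform across the examples, `net.listen('::1', 53, { kind = 'dns' })` everywhere would keep it copy-paste consistent. The file describes a resolver farm yet only listens on loopback; the addresses are presumably placeholders, and a one-line comment such as `-- loopback is a placeholder: replace with the farm's service addresses` would say so.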
@@ -1,43 +0,0 @@
--- vim:syntax=lua:set ts=4 sw=4:
--- Config file example useable for larger resolver farms
--- In this case cache should be made as large as possible, and prefetching turned off
--- as the resolver is busy most of the time.
--- Alternative is using `etcd` as a configuration backend.
--- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/
-@config_defaults@
-
--- For DNS-over-HTTPS and web management when using http module
--- modules.load('http')
--- http.config({
--- cert = '/etc/knot-resolver/mycert.crt',
--- key = '/etc/knot-resolver/mykey.key',
--- tls = true,
--- })
-
--- To disable DNSSEC validation, uncomment the following line (not recommended)
--- trust_anchors.remove('.')
-
--- Large cache size, so we don't need to flush ever
--- This can be larger than available RAM, least frequently accessed
--- records will be paged out as long as there's enough disk space to back it
-cache.size = 100 * GB
-
--- Load Useful modules
-modules = {
- 'hints > iterate', -- Load /etc/hosts and allow custom root hints
- 'stats', -- Track internal statistics
- graphite = { -- Send statistics to local InfluxDB
- -- `worker.id` allows us to keep per-fork statistics
- prefix = hostname()..worker.id,
- -- Address of the Graphite/InfluxDB server
- host = '192.168.1.2',
- },
-}
-
--- Use local root server copy for performance reasons
-hints.root({
- ['j.root-servers.net.'] = { '192.168.1.4', '2001:503:c27::2:30', '192.58.128.30' }
-})
-
--- Apply RPZ for all clients, default rule is DENY
-policy.add(policy.rpz(policy.DENY, 'blacklist.rpz'))
diff --git a/etc/config/config.docker b/etc/config/config.docker
new file mode 100644
index 00000000..9199880f
--- /dev/null
+++ b/etc/config/config.docker
@@ -0,0 +1,39 @@
+-- vim:syntax=lua:set ts=4 sw=4:
+-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/
+
+-- Listen on all interfaces (localhost would not work in Docker)
+net.listen('0.0.0.0', 53, { kind = 'dns' })
+net.listen('0.0.0.0', 853, { kind = 'tls' })
+net.listen('0.0.0.0', 443, { kind = 'doh' })
+net.listen('0.0.0.0', 8453, { kind = 'webmgmt' })
+
+-- To disable DNSSEC validation, uncomment the following line (not recommended)
+-- trust_anchors.remove('.')
+
+-- Load Useful modules
+modules = {
+ 'stats', -- Track internal statistics
+ 'http',
+}
+
+-- Smaller cache size
+cache.size = 10 * MB
+
+function print_help()
+ print('\nUsage\n'
+ .. '=====\n'
+ .. 'Run this container using command:\n'
+ .. '$ docker run -Pti cznic/knot-resolver\n'
+ .. '\n'
+ .. 'Docker will map ports 53, 443, 853, and 8453 to some other numbers, see\n'
+ .. '$ docker ps\n'
+ .. '(column PORTS)\n'
+ .. '53 -> DNS protocol over UDP and TCP\n'
+ .. '443 -> DNS-over-HTTPS protocol\n'
+ .. '853 -> DNS-over-TLS protocol\n'
+ .. '8453 -> web interface\n'
+ .. '\n'
+ .. 'For verbose logging enter following command to prompt below:\n'
+ .. 'verbose(true)\n')
+end
+print_help()
diff --git a/etc/config/config.docker.in b/etc/config/config.docker.in
deleted file mode 100644
index d543a097..00000000
--- a/etc/config/config.docker.in
+++ /dev/null
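Review bot: `net.listen('0.0.0.0', 8453, { kind = 'webmgmt' })` and the `doh` listener on 443 are bound to every interface with no `net.tls()` call anywhere in the file, so the management endpoint is reachable from any network the container is attached to, and the `-P` in the help text publishes it on the host as well; which certificate the http module then serves is not stated here. These listen lines are unchanged from the .in file, but now that the file is installed verbatim a comment next to them would help: `-- 8453 (webmgmt) and 443 (doh) are exposed on all interfaces: restrict the published ports or bind to 127.0.0.1 outside a lab setup`. Only IPv4 `0.0.0.0` is bound; if the container has IPv6 connectivity, `::` is not covered — presumably intentional, but worth a word in the comment above the block.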
@@ -1,39 +0,0 @@
--- vim:syntax=lua:set ts=4 sw=4:
--- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/
-
--- Listen on all interfaces (localhost would not work in Docker)
-net.listen('0.0.0.0')
-net.listen('0.0.0.0', 853, { kind = 'tls' })
-net.listen('0.0.0.0', 443, { kind = 'doh' })
-net.listen('0.0.0.0', 8453, { kind = 'webmgmt' })
-
--- To disable DNSSEC validation, uncomment the following line (not recommended)
--- trust_anchors.remove('.')
-
--- Load Useful modules
-modules = {
- 'stats', -- Track internal statistics
- 'http',
-}
-
--- Smaller cache size
-cache.size = 10 * MB
-
-function print_help()
- print('\nUsage\n'
- .. '=====\n'
- .. 'Run this container using command:\n'
- .. '$ docker run -Pti cznic/knot-resolver\n'
- .. '\n'
- .. 'Docker will map ports 53, 443, 853, and 8453 to some other numbers, see\n'
- .. '$ docker ps\n'
- .. '(column PORTS)\n'
- .. '53 -> DNS protocol over UDP and TCP\n'
- .. '443 -> DNS-over-HTTPS protocol\n'
- .. '853 -> DNS-over-TLS protocol\n'
- .. '8453 -> web interface\n'
- .. '\n'
- .. 'For verbose logging enter following command to prompt below:\n'
- .. 'verbose(true)\n')
-end
-print_help()
diff --git a/etc/config/config.internal b/etc/config/config.internal
new file mode 100644
index 00000000..ed8b2f1e
--- /dev/null
+++ b/etc/config/config.internal
@@ -0,0 +1,15 @@
+-- vim:syntax=lua:set ts=4 sw=4:
+-- Config file example usable for multi-user ISP resolver
+-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/
+
+-- Network interface configuration
+net.listen('127.0.0.1', 53, { kind = 'dns' })
+net.listen('::1', 53, { kind = 'dns'})
+net.listen('127.0.0.1', 853, { kind = 'tls' })
+net.listen('::1', 853, { kind = 'tls' })
+
+-- define list of internal-only domains
+internalDomains = policy.todnames({'company.example', 'internal.example'})
+
+-- forward all queries below 'internalDomains' to '192.168.1.2'
+policy.add(policy.suffix(policy.FORWARD({'192.168.1.2'}), internalDomains))
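Review bot: `policy.add(policy.suffix(policy.FORWARD({'192.168.1.2'}), internalDomains))` forwards `company.example` and `internal.example` while DNSSEC validation stays at its default, and nothing in the file marks those names as insecure; if the internal zones are not signed under a public chain of trust, validation of the forwarded answers is likely to fail rather than return the internal data. A line such as `trust_anchors.set_insecure({'company.example', 'internal.example'})` next to the forward rule, or a comment stating that the zones are expected to be signed, would make the example usable as written — please confirm the call name against the current API.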
diff --git a/etc/config/config.internal.in b/etc/config/config.internal.in
deleted file mode 100644
index 64073397..00000000
--- a/etc/config/config.internal.in
+++ /dev/null
@@ -1,10 +0,0 @@
--- vim:syntax=lua:set ts=4 sw=4:
--- Config file example usable for multi-user ISP resolver
--- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/
-@config_defaults@
-
--- define list of internal-only domains
-internalDomains = policy.todnames({'company.example', 'internal.example'})
-
--- forward all queries below 'internalDomains' to '192.168.1.2'
-policy.add(policy.suffix(policy.FORWARD({'192.168.1.2'}), internalDomains))
\ No newline at end of file
diff --git a/etc/config/config.isp b/etc/config/config.isp
new file mode 100644
index 00000000..bf9d65c8
--- /dev/null
+++ b/etc/config/config.isp
@@ -0,0 +1,61 @@
+-- vim:syntax=lua:set ts=4 sw=4:
+-- Config file example usable for ISP resolver
+-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/
+
+-- Network interface configuration
+net.listen('127.0.0.1', 53, { kind = 'dns' })
+net.listen('::1', 53, { kind = 'dns'})
+net.listen('127.0.0.1', 853, { kind = 'tls' })
+net.listen('::1', 853, { kind = 'tls' })
+
+-- Large cache size, so we don't need to flush often
+-- This can be larger than available RAM, least frequently accessed
+-- records will be paged out
+cache.size = 4 * GB
+
+-- load modules
+modules = {
+ 'view',
+ 'stats'
+}
+
+-- log statistics every second
+local stat_id = event.recurrent(1 * second, function(evid)
+ log(table_print(stats.list()))
+end)
+
+-- stop printing statistics after first minute
+event.after(1 * minute, function(evid)
+ event.cancel(stat_id)
+end)
+
+-- speed_monitor definition
+-- prints warning if more than 5% of total answers was slow
+function speed_monitor()
+ local previous = stats.list() -- store statistics in persistent variable
+ return function(evid)
+ local now = stats.list() -- save actual statistics to variable
+ -- number of total answers between 'now' and 'previous' states
+ local total_increment = now['answer.total'] - previous['answer.total']
+ -- number of slow answers between 'now' and 'previous' states
+ local slow_increment = now['answer.slow'] - previous['answer.slow']
+ -- if percentage of slow answers is bigger than 5%, print warning
+ if slow_increment / total_increment > 0.05 then
+ log('WARNING! 
More than 5 %% of queries was slow!')
+ end
+ previous = now
+ end
+end
+
+-- execute speed_monitor every minute
+local monitor_id = event.recurrent(1 * minute, speed_monitor())
+
+-- apply RPZ for all clients, default rule is DENY
+policy.add(policy.rpz(policy.DENY, 'blacklist.rpz'))
+
+-- whitelist queries identified by subnet
+view:addr(''192.168.1.0/24'', policy.all(policy.PASS))
+
+-- drop everything that hasn't matched
+view:addr('0.0.0.0/0', policy.all(policy.DROP))
+
diff --git a/etc/config/config.isp.in b/etc/config/config.isp.in
deleted file mode 100644
index 44272f96..00000000
--- a/etc/config/config.isp.in
+++ /dev/null
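Review bot: `view:addr(''192.168.1.0/24'', policy.all(policy.PASS))` uses doubled quotes, which Lua reads as an empty string followed by a number, so the whole file fails to load; the line should be `view:addr('192.168.1.0/24', policy.all(policy.PASS))`. The removed .in file carried the same text, so the installed example was presumably never loaded as-is. In speed_monitor, `slow_increment / total_increment` is evaluated before checking that any answer arrived in the interval; in Lua `0/0` compares false, so the warning is silently skipped rather than raised, and `if total_increment > 0 and slow_increment / total_increment > 0.05 then` states that intent. The `%%` in the WARNING string is a printf-style escape; if `log()` does not pass its argument through `string.format`, the message prints two percent signs.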
@@ -1,56 +0,0 @@
--- vim:syntax=lua:set ts=4 sw=4:
--- Config file example usable for ISP resolver
--- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/
-@config_defaults@
-
--- Large cache size, so we don't need to flush often
--- This can be larger than available RAM, least frequently accessed
--- records will be paged out
-cache.size = 4 * GB
-
--- load modules
-modules = {
- 'view',
- 'stats'
-}
-
--- log statistics every second
-local stat_id = event.recurrent(1 * second, function(evid)
- log(table_print(stats.list()))
-end)
-
--- stop printing statistics after first minute
-event.after(1 * minute, function(evid)
- event.cancel(stat_id)
-end)
-
--- speed_monitor definition
--- prints warning if more than 5% of total answers was slow
-function speed_monitor()
- local previous = stats.list() -- store statistics in persistent variable
- return function(evid)
- local now = stats.list() -- save actual statistics to variable
- -- number of total answers between 'now' and 'previous' states
- local total_increment = now['answer.total'] - previous['answer.total']
- -- number of slow answers between 'now' and 'previous' states
- local slow_increment = now['answer.slow'] - previous['answer.slow']
- -- if percentage of slow answers is bigger than 5%, print warning
- if slow_increment / total_increment > 0.05 then
- log('WARNING! More than 5 %% of queries was slow!')
- end
- previous = now
- end
-end
-
--- execute speed_monitor every minute
-local monitor_id = event.recurrent(1 * minute, speed_monitor())
-
--- apply RPZ for all clients, default rule is DENY
-policy.add(policy.rpz(policy.DENY, 'blacklist.rpz'))
-
--- whitelist queries identified by subnet
-view:addr(''192.168.1.0/24'', policy.all(policy.PASS))
-
--- drop everything that hasn't matched
-view:addr('0.0.0.0/0', policy.all(policy.DROP))
-
diff --git a/etc/config/config.personal b/etc/config/config.personal
new file mode 100644
index 00000000..31d58d24
--- /dev/null
+++ b/etc/config/config.personal
@@ -0,0 +1,21 @@
+-- vim:syntax=lua:set ts=4 sw=4:
+-- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/
+
+-- Network interface configuration
+net.listen('127.0.0.1', 53, { kind = 'dns' })
+net.listen('::1', 53, { kind = 'dns'})
+net.listen('127.0.0.1', 853, { kind = 'tls' })
+net.listen('::1', 853, { kind = 'tls' })
+
+-- To disable DNSSEC validation, uncomment the following line (not recommended)
+-- trust_anchors.remove('.')
+
+-- Load useful modules
+modules = {
+ 'hints > iterate', -- Load /etc/hosts and allow custom root hints
+ 'stats', -- Track internal statistics
+ 'predict', -- Prefetch expiring/frequent records
+}
+
+-- Cache size
+cache.size = 100 * MB
diff --git a/etc/config/config.personal.in b/etc/config/config.personal.in
deleted file mode 100644
index 61969133..00000000
--- a/etc/config/config.personal.in
+++ /dev/null
@@ -1,24 +0,0 @@
--- vim:syntax=lua:set ts=4 sw=4:
--- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/
-@config_defaults@
-
--- For DNS-over-HTTPS and web management when using http module
--- modules.load('http')
--- http.config({
--- cert = '/etc/knot-resolver/mycert.crt',
--- key = '/etc/knot-resolver/mykey.key',
--- tls = true,
--- })
-
--- To disable DNSSEC validation, uncomment the following line (not recommended)
--- trust_anchors.remove('.')
-
--- Load useful modules
-modules = {
- 'hints > iterate', -- Load /etc/hosts and allow custom root hints
- 'stats', -- Track internal statistics
- 'predict', -- Prefetch expiring/frequent records
-}
-
--- Cache size
-cache.size = 100 * MB
diff --git a/etc/config/config.privacy b/etc/config/config.privacy
new file mode 100644
index 00000000..29ee4169
--- /dev/null
+++ b/etc/config/config.privacy
@@ -0,0 +1,34 @@
+-- vim:syntax=lua:set ts=4 sw=4:
+-- Config file example usable for privacy-preserving resolver
+-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/
+
+-- Network interface configuration
+net.listen('127.0.0.1', 53, { kind = 'dns' })
+net.listen('::1', 53, { kind = 'dns'})
+net.listen('127.0.0.1', 853, { kind = 'tls' })
+net.listen('::1', 853, { kind = 'tls' })
+
+-- TLS server configuration
+-- use this to configure your TLS certificates
+-- net.tls("/etc/knot-resolver/server-cert.pem", "/etc/knot-resolver/server-key.pem")
+
+-- move cache to '/tmp/knot-resolver' tmpfs
+cache.storage = 'lmdb:///tmp/knot-resolver'
+
+-- forwarding to multiple targets
+-- splits the entire DNS namespace into distinct slices
+policy.add(policy.slice(
+ -- slicing function
+ policy.slice_randomize_psl(),
+ -- forward over TLS
+ policy.TLS_FORWARD({
+ {'2001:DB8::d0c', hostname='res.example.com'},
+ {'192.0.2.1', pin_sha256={'YQ=='}
+ }),
+ policy.TLS_FORWARD({
+ -- multiple servers can be specified for a single slice
+ -- the one with lowest round-trip time will be used
+ {'193.17.47.1', hostname='odvr.nic.cz'},
+ {'185.43.135.1', hostname='odvr.nic.cz'},
+ })
+))
diff --git a/etc/config/config.privacy.in b/etc/config/config.privacy.in
deleted file mode 100644
index 824aa23c..00000000
--- a/etc/config/config.privacy.in
+++ /dev/null
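Review bot: the entry `{'192.0.2.1', pin_sha256={'YQ=='}` opens a table that the following `}),` does not close — as shown, the list `{` opened by `policy.TLS_FORWARD({` is still open when `)` is reached, so the file is a Lua syntax error; `{'192.0.2.1', pin_sha256={'YQ=='}},` fixes it (please confirm the collapsed layout did not drop a brace). `'YQ=='` is also a placeholder rather than a usable pin — a base64-encoded SHA-256 of the server's SubjectPublicKeyInfo is 44 characters — and a comment like `-- 'YQ==' is a placeholder; replace with the base64 SHA-256 of the server's SPKI` would stop it being copied into a real deployment. `cache.storage = 'lmdb:///tmp/knot-resolver'` keeps the cache under the world-writable /tmp; a note that the directory must be created with a restrictive mode and owned by the kresd user would help, if that is what the deployment expects.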
@@ -1,29 +0,0 @@
--- vim:syntax=lua:set ts=4 sw=4:
--- Config file example usable for privacy-preserving resolver
--- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/
-@config_defaults@
-
--- TLS server configuration
--- use this to configure your TLS certificates
--- net.tls("/etc/knot-resolver/server-cert.pem", "/etc/knot-resolver/server-key.pem")
-
--- move cache to '/tmp/knot-resolver' tmpfs
-cache.storage = 'lmdb:///tmp/knot-resolver'
-
--- forwarding to multiple targets
--- splits the entire DNS namespace into distinct slices
-policy.add(policy.slice(
- -- slicing function
- policy.slice_randomize_psl(),
- -- forward over TLS
- policy.TLS_FORWARD({
- {'2001:DB8::d0c', hostname='res.example.com'},
- {'192.0.2.1', pin_sha256={'YQ=='}
- }),
- policy.TLS_FORWARD({
- -- multiple servers can be specified for a single slice
- -- the one with lowest round-trip time will be used
- {'193.17.47.1', hostname='odvr.nic.cz'},
- {'185.43.135.1', hostname='odvr.nic.cz'},
- })
-))
\ No newline at end of file
diff --git a/etc/config/config.splitview b/etc/config/config.splitview
new file mode 100644
index 00000000..2fd2415b
--- /dev/null
+++ b/etc/config/config.splitview
@@ -0,0 +1,34 @@
+-- vim:syntax=lua:set ts=4 sw=4:
+-- Config file with split-view for internal zone
+-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/
+
+-- Network interface configuration
+net.listen('127.0.0.1', 53, { kind = 'dns' })
+net.listen('::1', 53, { kind = 'dns'})
+net.listen('127.0.0.1', 853, { kind = 'tls' })
+net.listen('::1', 853, { kind = 'tls' })
+
+-- To disable DNSSEC validation, uncomment the following line (not recommended)
+-- trust_anchors.remove('.')
+
+-- Load Useful modules
+modules = {
+ 'hints > iterate', -- Load /etc/hosts and allow custom root hints
+ 'stats', -- Track internal statistics
+ graphite = { -- Send statistics to local InfluxDB
+ -- `worker.id` allows us to keep per-fork statistics
+ prefix = hostname()..worker.id,
+ -- Address of the Graphite/InfluxDB server
+ host = '192.168.1.2',
+ },
+ -- Use DNS64 with specified NAT64 address
+ dns64 = 'fe80::21b:77ff:0:0',
+}
+
+-- Large cache size, so we don't need to flush often
+-- This can be larger than available RAM, least frequently accessed
+-- records will be paged out
+cache.size = 4 * GB
+
+-- Forward everything below `company.cz` to `192.168.1.3`
+policy.add(policy.suffix(policy.FORWARD('192.168.1.3'), {todname('company.cz')}))
diff --git a/etc/config/config.splitview.in b/etc/config/config.splitview.in
deleted file mode 100644
index 7051efa8..00000000
--- a/etc/config/config.splitview.in
+++ /dev/null
@@ -1,37 +0,0 @@
--- vim:syntax=lua:set ts=4 sw=4:
--- Config file with split-view for internal zone
--- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/
-@config_defaults@
-
--- For DNS-over-HTTPS and web management when using http module
--- modules.load('http')
--- http.config({
--- cert = '/etc/knot-resolver/mycert.crt',
--- key = '/etc/knot-resolver/mykey.key',
--- tls = true,
--- })
-
--- To disable DNSSEC validation, uncomment the following line (not recommended)
--- trust_anchors.remove('.')
-
--- Load Useful modules
-modules = {
- 'hints > iterate', -- Load /etc/hosts and allow custom root hints
- 'stats', -- Track internal statistics
- graphite = { -- Send statistics to local InfluxDB
- -- `worker.id` allows us to keep per-fork statistics
- prefix = hostname()..worker.id,
- -- Address of the Graphite/InfluxDB server
- host = '192.168.1.2',
- },
- -- Use DNS64 with specified NAT64 address
- dns64 = 'fe80::21b:77ff:0:0',
-}
-
--- Large cache size, so we don't need to flush often
--- This can be larger than available RAM, least frequently accessed
--- records will be paged out
-cache.size = 4 * GB
-
--- Forward everything below `company.cz` to `192.168.1.3`
-policy.add(policy.suffix(policy.FORWARD('192.168.1.3'), {todname('company.cz')}))
diff --git a/etc/config/meson.build b/etc/config/meson.build
index 85f7a379..e1623b4b 100644
--- a/etc/config/meson.build
+++ b/etc/config/meson.build
@@ -1,26 +1,6 @@
 # etc: config examples
 
-# Config snippets (build-dependant)
-if systemd_files == 'enabled'
- config_defaults = '''
--- Network interface configuration: see kresd.systemd(7)'''
-else
- config_defaults = '''
--- Listen on localhost
-net.listen('127.0.0.1')
-net.listen('::1')
-net.listen('127.0.0.1', 853, { kind = 'tls' })
-net.listen('::1', 853, { kind = 'tls' })
-
--- Extra interfaces for http module
--- net.listen('127.0.0.1', 44353, { kind = 'doh' })
--- net.listen('::1', 44353, { kind = 'doh' })
--- net.listen('127.0.0.1', 8453, { kind = 'webmgmt' })
--- net.listen('::1', 8453, { kind = 'webmgmt' })'''
-endif
-
-
-# Configure and install config examples
+# Install config examples
 example_configs = [
 'config.cluster',
 'config.docker',
@@ -31,17 +11,10 @@ example_configs = [
 'config.splitview',
 ]
 
-conf_config = configuration_data()
-conf_config.set('config_defaults', config_defaults)
-
-foreach config_filename : example_configs
- configure_file(
- input: config_filename + '.in',
- output: config_filename,
- configuration: conf_config,
- install_dir: examples_dir,
- )
-endforeach
+install_data(
+ sources: example_configs,
+ install_dir: examples_dir,
+)
 
 
 # kresd.conf
@@ -53,10 +26,9 @@ if get_option('install_kresd_conf') == 'auto'
 endif
 
 if install_kresd_conf
- configure_file(
- input: 'config.personal.in',
- output: 'kresd.conf',
- configuration: conf_config,
+ install_data(
+ sources: 'config.personal',
+ rename: 'kresd.conf',
 install_dir: etc_dir,
 )
 endif
--
cgit v1.2.3
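Review bot: the removed `systemd_files == 'enabled'` branch used to install the examples without any `net.listen()` call (only the comment pointing at kresd.systemd(7)), whereas the new `install_data(sources: 'config.personal', rename: 'kresd.conf', ...)` installs a file with four unconditional listen calls on 127.0.0.1/::1 as the default config regardless of that option. If the systemd units still hand kresd pre-bound sockets on those ports, the default config would presumably attempt a second bind on the same addresses — this is inferred from the removed text, not visible in the new lines. A comment above the kresd.conf rule, e.g. `# config.personal binds 127.0.0.1/::1 itself; keep in sync with the systemd socket units`, would record the dependency for the next maintainer.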