I have set up (with hints from a blog) knot-resolver to use Cloudflare and blocklists using the "rpz" policy.
❯ tree .
.
├── aria2.log
├── EnergizedAdult.rpz
├── EnergizedSpark.rpz
├── kresd.conf
└── root.hints
0 directories, 5 files
❯ cat kresd.conf
-- SPDX-License-Identifier: CC0-1.0
-- vim:syntax=lua:set ts=4 sw=4:
-- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/

-- Network interface configuration
net.listen('127.0.0.1', 53, { kind = 'dns' })
-- net.listen('127.0.0.1', 853, { kind = 'tls' })
-- net.listen('127.0.0.1', 443, { kind = 'doh2' })
-- net.listen('::1', 53, { kind = 'dns', freebind = true })
-- net.listen('::1', 853, { kind = 'tls', freebind = true })
-- net.listen('::1', 443, { kind = 'doh2' })

-- Load useful modules
modules = {
    'policy',
    'hints > iterate',  -- Allow loading /etc/hosts or custom root hints
    'stats',            -- Track internal statistics
    'predict'           -- Prefetch expiring/frequent records
}

-- Cache size
cache.size = 100 * MB

-- Policy rules are evaluated in the order they are added, and the first rule
-- whose action applies stops further evaluation. The RPZ blocklists therefore
-- have to be added before the catch-all forwarding rule; added after it, they
-- would never be consulted because policy.all() matches every query.
policy.add(policy.rpz(policy.DENY, '/etc/knot-resolver/EnergizedSpark.rpz'))
policy.add(policy.rpz(policy.DENY, '/etc/knot-resolver/EnergizedAdult.rpz'))

-- Forward everything that is not blocked over TLS (DNS-over-TLS). The
-- hostname is what the upstream's certificate is verified against.
policy.add(policy.all(policy.TLS_FORWARD({
    {'1.1.1.1', hostname='one.one.one.one'},
    {'9.9.9.9', hostname='dns.quad9.net'},
})))
knot-resolver is so snappy compared to systemd-resolved!!!
systemd can pry knot-resolver from my cold dead hands.
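To check what a given RPZ blocklist will actually do to a query before pointing kresd at it, here is a small added Python example (not from the post above and not part of knot-resolver) that parses the QNAME triggers of an RPZ zone file and resolves a name against them with standard RPZ semantics: an exact owner match wins, otherwise the nearest enclosing `*.parent` wildcard applies, and a wildcard never matches the parent name itself. The special CNAME targets (`.` for NXDOMAIN, `*.` for NODATA, `rpz-passthru.`, `rpz-drop.`, `rpz-tcp-only.`) are mapped to their action names. The zone text embedded below is constructed for the example and is not an excerpt of the Energized lists; the exact precedence and action mapping kresd applies to a real file should be confirmed against its documentation.

```python
"""Offline checker for RPZ QNAME triggers (added example, not kresd code)."""
from typing import Dict, Optional, Tuple

# Constructed sample laid out like an RPZ blocklist zone; not a real excerpt.
SAMPLE_RPZ = """\
; constructed example zone
$TTL 300
@ SOA localhost. root.localhost. 1 3600 900 86400 300
@ NS localhost.
ads.example CNAME .
*.ads.example CNAME .
cdn.ads.example CNAME rpz-passthru.
telemetry.example.net CNAME *.
evil.example.org CNAME rpz-drop.
"""

# Standard RPZ "special" CNAME targets and the policy action each encodes.
CNAME_ACTIONS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}

# Actions that prevent the client from getting a usable answer.
BLOCKING_ACTIONS = {"NXDOMAIN", "NODATA", "DROP"}


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip the trailing dot for dictionary keys."""
    return name.strip().lower().rstrip(".")


def parse_rpz(text: str) -> Dict[str, str]:
    """Return {trigger_owner: action} for the QNAME triggers in an RPZ zone."""
    rules: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line or line.startswith("$") or line.startswith("@"):
            continue                                  # directives, apex SOA/NS
        fields = line.split()
        owner, rest = fields[0], fields[1:]
        if rest and rest[0].isdigit():                # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":          # optional class
            rest = rest[1:]
        if len(rest) < 2:
            continue                                  # malformed record, skip
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if rtype == "CNAME":
            action = CNAME_ACTIONS.get(rdata.lower(), "CNAME " + rdata)
        else:
            action = "LOCAL-DATA %s %s" % (rtype, rdata)   # e.g. A 0.0.0.0
        rules[normalize(owner)] = action
    return rules


def lookup(rules: Dict[str, str], qname: str) -> Optional[Tuple[str, str]]:
    """Return (matching trigger, action) for qname, or None if no rule applies."""
    name = normalize(qname)
    if name in rules:                                 # exact match beats wildcards
        return name, rules[name]
    labels = name.split(".")
    # A wildcard "*.parent" matches names strictly below parent; the nearest
    # enclosing wildcard takes precedence over a more distant one.
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in rules:
            return candidate, rules[candidate]
    return None


def is_blocked(rules: Dict[str, str], qname: str) -> bool:
    """True when the RPZ would deny the query (NXDOMAIN, NODATA or DROP)."""
    hit = lookup(rules, qname)
    return hit is not None and hit[1] in BLOCKING_ACTIONS


RULES = parse_rpz(SAMPLE_RPZ)

if __name__ == "__main__":
    for q in ("ads.example", "x.ads.example", "cdn.ads.example",
              "telemetry.example.net", "example.net", "evil.example.org"):
        print("%-25s %s" % (q, lookup(RULES, q)))
```

Point `parse_rpz` at the contents of a real file such as `/etc/knot-resolver/EnergizedSpark.rpz` to count triggers or to find out which entry is responsible for a site being blocked; `kdig @127.0.0.1 <name>` against the running resolver then confirms that kresd agrees.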