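-- SPDX-License-Identifier: CC0-1.0
-- vim:syntax=lua:set ts=4 sw=4:
-- Config file example usable for ISP resolver
-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/
--
-- What this configuration does, top to bottom:
--   * binds plain DNS, DNS-over-TLS and DNS-over-HTTPS listeners on loopback,
--   * logs resolver statistics once a second during the first minute,
--   * warns once a minute when more than 5 % of answers in that minute were slow,
--   * applies an RPZ file to every client, passes 192.168.1.0/24 through and
--     drops all other clients.

-- Network interface configuration
-- Only loopback addresses are bound here; replace them with the resolver's
-- real addresses when deploying.
-- NOTE(review): the 'tls' and 'doh2' listeners serve the certificate
-- configured with net.tls() -- confirm one is set before exposing these ports.
net.listen('127.0.0.1', 53, { kind = 'dns' })
net.listen('::1', 53, { kind = 'dns' })
net.listen('127.0.0.1', 853, { kind = 'tls' })
net.listen('::1', 853, { kind = 'tls' })
net.listen('127.0.0.1', 443, { kind = 'doh2' })
net.listen('::1', 443, { kind = 'doh2' })

-- Refer to manual for optimal cache size
cache.size = 4 * GB

-- load modules
-- 'view' provides the per-client policy used at the bottom of this file,
-- 'stats' provides the counters read by the monitors below.
modules = {
    'view',
    'stats',
}

local ffi = require('ffi')

-- log statistics every second
-- The event id is kept so the timer below can cancel it.
local stat_id = event.recurrent(1 * second, function(_)
    log_info(ffi.C.LOG_GRP_STATISTICS, table_print(stats.list()))
end)

-- stop printing statistics after first minute
event.after(1 * minute, function(_)
    event.cancel(stat_id)
end)

-- speed_monitor definition
-- prints warning if more than 5% of total answers was slow
-- Returns a closure meant for event.recurrent(); each call compares the
-- current counters with those captured on the previous call, so the check
-- covers only the last interval rather than the resolver's lifetime.
-- Deliberately left global, as in the original example.
function speed_monitor()
    local previous = stats.list() -- store statistics in persistent variable
    return function(_)
        local now = stats.list() -- save actual statistics to variable
        -- number of total answers between 'now' and 'previous' states
        local total_increment = now['answer.total'] - previous['answer.total']
        -- number of slow answers between 'now' and 'previous' states
        local slow_increment = now['answer.slow'] - previous['answer.slow']
        -- if percentage of slow answers is bigger than 5%, print warning;
        -- an idle interval (no answers at all) is skipped instead of being
        -- divided by zero
        if total_increment > 0 and slow_increment / total_increment > 0.05 then
            log_warn(ffi.C.LOG_GRP_STATISTICS, 'WARNING! More than 5 %% of queries was slow!')
        end
        previous = now
    end
end

-- execute speed_monitor every minute
-- monitor_id is unused here but lets an operator event.cancel() the monitor
-- from the control socket.
local monitor_id = event.recurrent(1 * minute, speed_monitor())

-- apply RPZ for all clients, default rule is DENY
-- Names matched by the RPZ file get an authoritative NXDOMAIN answer.
policy.add(policy.rpz(policy.DENY, 'blacklist.rpz'))

-- whitelist queries identified by subnet
-- view rules are evaluated in the order they are added (first match wins),
-- so this PASS rule has to precede the catch-all DROP below.
view:addr('192.168.1.0/24', policy.all(policy.PASS))

-- drop everything that hasn't matched
-- NOTE(review): confirm that the 0.0.0.0/0 rule also catches clients of the
-- IPv6 listeners above (::1); if it does not, add a matching '::/0' rule.
view:addr('0.0.0.0/0', policy.all(policy.DROP))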