1-- SPDX-License-Identifier: CC0-1.0
2-- vim:syntax=lua:set ts=4 sw=4:
3-- Config file example usable for ISP resolver
4-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/
5
-- Network interface configuration
-- Plain DNS (53), DNS-over-TLS (853) and DNS-over-HTTPS/2 (443) are bound to
-- the loopback addresses only; widen the address list deliberately if clients
-- must reach the resolver from other hosts.
-- NOTE(review): the 'tls' and 'doh2' listeners need a certificate/key pair
-- configured with net.tls() for real clients -- confirm against the manual.
do
    local listen_addrs = { '127.0.0.1', '::1' }
    local listeners = {
        { port = 53,  kind = 'dns' },
        { port = 853, kind = 'tls' },
        { port = 443, kind = 'doh2' },
    }
    for _, listener in ipairs(listeners) do
        for _, addr in ipairs(listen_addrs) do
            net.listen(addr, listener.port, { kind = listener.kind })
        end
    end
end
13
-- Refer to manual for optimal cache size
-- Sized in whole gigabytes; GB is a unit constant provided by the resolver.
do
    local cache_gigabytes = 4
    cache.size = cache_gigabytes * GB
end
16
-- load modules
-- 'view' provides the per-client view:addr() rules used at the end of this
-- file; 'stats' provides stats.list() for the statistics logging below.
modules = { 'view', 'stats' }
22
23local ffi = require('ffi')
24
-- log statistics every second
-- stat_id is kept so the recurring job can be cancelled later.
local stat_id
do
    -- the event id passed to the callback is not needed here
    local function dump_stats(_)
        log_info(ffi.C.LOG_GRP_STATISTICS, table_print(stats.list()))
    end
    stat_id = event.recurrent(1 * second, dump_stats)
end
29
-- stop printing statistics after first minute
do
    local function stop_stats_logging(_)
        event.cancel(stat_id)
    end
    event.after(1 * minute, stop_stats_logging)
end
34
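-- speed_monitor definition
-- prints warning if more than 5% of total answers was slow
--- Create the slow-answer monitor callback.
-- The returned closure keeps the previous stats.list() snapshot as an upvalue
-- and compares it with the current one on every invocation, so one instance
-- should be registered exactly once (see event.recurrent below).
-- @treturn function callback(evid) suitable for event.recurrent()
function speed_monitor()
    local previous = stats.list()   -- snapshot kept between invocations

    return function(_)
        local now = stats.list()
        -- number of total / slow answers between 'previous' and 'now'
        local total_increment = now['answer.total'] - previous['answer.total']
        local slow_increment = now['answer.slow'] - previous['answer.slow']
        -- Guard the division: with no answers in the interval the expression
        -- used to evaluate 0/0 (NaN) and the comparison was false only by
        -- virtue of NaN semantics; make the "no traffic" case explicit.
        if total_increment > 0 and slow_increment / total_increment > 0.05 then
            log_warn(ffi.C.LOG_GRP_STATISTICS, 'WARNING! More than 5 %% of queries was slow!')
        end
        previous = now
    end
end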
52
-- execute speed_monitor every minute
-- monitor_id is retained so the job can be stopped with event.cancel() later.
local monitor_id = event.recurrent(minute, speed_monitor())
55
-- apply RPZ for all clients, default rule is DENY
-- The zone file drives answer policy, so it must come from a trusted source
-- and be readable by kresd; the path is given relative, presumably resolved
-- against the working directory -- verify for the deployment.
do
    local rpz_file = 'blacklist.rpz'
    policy.add(policy.rpz(policy.DENY, rpz_file))
end
58
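-- whitelist queries identified by subnet
-- (the subnet literal was written as ''192.168.1.0/24'' -- two empty strings
-- around a bare token -- which does not parse; it must be a single string)
view:addr('192.168.1.0/24', policy.all(policy.PASS))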
61
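-- drop everything that hasn't matched
-- View subnets are address-family specific: '0.0.0.0/0' only matches IPv4
-- clients, so queries arriving on the ::1 listeners above would otherwise
-- fall through to default processing instead of being dropped. '::/0'
-- closes that gap (it can only ever drop more, never less).
view:addr('0.0.0.0/0', policy.all(policy.DROP))
view:addr('::/0', policy.all(policy.DROP))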
64
65