modules = { 'policy', 'hints > iterate', 'serve_stale < cache', 'workarounds < iterate', 'predict' } --modules.unload('cache') --modules.unload('hints') --modules.unload('priming') --modules.unload('ta_sentinel') --modules.unload('ta_signal_query') --modules.unload('detect_time_jump') --modules.unload('detect_time_skew') net.listen({'::1', '127.0.0.1'}, 55) hints.add_hosts('/etc/knot-resolver/hints.list') -- Disallow ANY & PTR queries policy.add(function (req, query) if query.stype == kres.type.ANY then return policy.DROP elseif query.stype == kres.type.PTR then return policy.DROP end end) --policy.add(function (req, query) -- if query.stype == kres.type.TXT or query.stype == kres.type.SRV or query.stype == kres.type.NS or query.stype == kres.type.MX or query.stype == kres.type.SOA or query.stype == kres.type.PTR then -- return policy.TC -- end --end) -- qname minimalization true --option('NO_MINIMIZE', false) -- Cache size cache.size = 150 * MB --cache.min_ttl(300) -- Force cache timeout every 5 sec --cache.max_ttl(5) policy.add(policy.rpz(policy.DENY, '/etc/knot-resolver/rpz.blacklist')) -- OpenNIC opennicTrees = policy.todnames({'uu','ti','te','ku','lib','emc','coin','baza','glue','parody','pirate','oss','oz','bit','dns.opennic.glue','bbs','chan','cyb','dyn','fur','gopher','geek','opennic.glue','o','neo','indy','libre', 'null'}) -- Beware: the rule order is important, as STUB is not a chain action. policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}), opennicTrees)) policy.add(policy.suffix(policy.STUB({'::1@52'}), opennicTrees)) -- Disable cache view:addr('0.0.0.0/0', policy.all(policy.FLAGS({'NO_CACHE'}))) view:addr('::/0', policy.all(policy.FLAGS({'NO_CACHE'}))) --view:addr('198.252.153.0/24', function (req, qry) return policy.PASS end) --view:addr('204.13.164.0/24', function (req, qry) return policy.PASS end) --view:addr('199.254.238.0/24', function (req, qry) return policy.PASS end) --view:addr('199.58.80.128/25', function (req, qry) return policy.PASS end) --view:addr('199.58.81.137/25', function (req, qry) return policy.PASS end) --view:addr('10.0.1.0/24', function (req, qry) return policy.PASS end) --view:addr('10.0.2.0/24', function (req, qry) return policy.PASS end) --view:addr('127.0.0.1', function (req, qry) return policy.PASS end) --- Drop everything that hasn't matched -- view:addr('0.0.0.0/0', function (req, qry) return policy.DROP end) -- policy.add(policy.all(policy.FORWARD('::1@51'))) -- Disable dnssec, if need so -- trust_anchors.negative = { '.' }