-- Modules loaded on top of kresd's built-in defaults.  The '> x' / '< x'
-- suffixes appear to express load order relative to another module.
-- NOTE(review): 'view' is used further down (view:addr) but is not listed
-- here; confirm it is loaded by default in the deployed kresd version,
-- otherwise add it to this table.
modules = {
  'policy',                -- needed by the policy.add / policy.rpz rules below
  'hints > iterate',       -- needed by hints.add_hosts below
  'serve_stale < cache',   -- presumably moot while every view below sets NO_CACHE
  'workarounds < iterate',
  'predict',               -- presumably moot while every view below sets NO_CACHE
}
-- Default modules that could be unloaded here; all of them are left loaded.
--modules.unload('cache')
--modules.unload('hints')
--modules.unload('priming')
--modules.unload('ta_sentinel')
--modules.unload('ta_signal_query')
--modules.unload('detect_time_jump')
--modules.unload('detect_time_skew')

-- Listen on loopback only (IPv6 and IPv4) on port 55.  No transport kind is
-- given, so kresd's default applies; presumably a DoH/DoT or other front end
-- proxies to this port -- confirm before binding to anything non-loopback.
local listen_addrs = { '::1', '127.0.0.1' }
local listen_port = 55
net.listen(listen_addrs, listen_port)

-- Static hints loaded from a file on disk.
local hints_file = '/etc/knot-resolver/hints.list'
hints.add_hosts(hints_file)
-- Disallow ANY and PTR queries.  Matching queries get policy.DROP; every
-- other query type returns nil and falls through to the rules added later.
-- NOTE(review): DROP sends no answer, so legitimate reverse-lookup clients
-- will simply time out -- confirm that is intended rather than an explicit
-- refusal.
policy.add(function (req, query)
  local qtype = query.stype
  if qtype == kres.type.ANY or qtype == kres.type.PTR then
    return policy.DROP
  end
end)
-- Disabled: answer the listed record types with TC set (policy.TC), forcing
-- clients to retry over TCP -- presumably to limit UDP amplification.  Note
-- that PTR is already dropped by the active rule above, so that branch would
-- presumably never be reached.
--policy.add(function (req, query)
--  if query.stype == kres.type.TXT or query.stype == kres.type.SRV or query.stype == kres.type.NS or query.stype == kres.type.MX or query.stype == kres.type.SOA or query.stype == kres.type.PTR then
--    return policy.TC
--  end
--end)
-- QNAME minimisation: the commented line below would explicitly keep it
-- enabled (NO_MINIMIZE = false).
--option('NO_MINIMIZE', false)
-- Cache size (MB is a unit constant provided by kresd).
-- NOTE(review): the view rules further down apply NO_CACHE to every client
-- (0.0.0.0/0 and ::/0), so this size presumably has little effect -- confirm
-- that is intended.
local cache_mb = 150
cache.size = cache_mb * MB

-- Optional TTL clamps, currently disabled:
--cache.min_ttl(300)
-- cap every cached TTL at 5 seconds
--cache.max_ttl(5)
-- Response Policy Zone blocklist: names listed in this file are answered
-- with policy.DENY.
local rpz_blocklist = '/etc/knot-resolver/rpz.blacklist'
policy.add(policy.rpz(policy.DENY, rpz_blocklist))
-- OpenNIC name trees.  Queries under these suffixes are sent to a stub at
-- ::1 port 52 and are never cached.  ('dns.opennic.glue' and 'opennic.glue'
-- are presumably already covered by 'glue'; harmless.)
opennicTrees = policy.todnames({
  'uu', 'ti', 'te', 'ku', 'lib', 'emc', 'coin', 'baza', 'glue', 'parody',
  'pirate', 'oss', 'oz', 'bit', 'dns.opennic.glue', 'bbs', 'chan', 'cyb',
  'dyn', 'fur', 'gopher', 'geek', 'opennic.glue', 'o', 'neo', 'indy',
  'libre', 'null',
})

local opennic_no_cache = policy.suffix(policy.FLAGS({'NO_CACHE'}), opennicTrees)
local opennic_stub = policy.suffix(policy.STUB({'::1@52'}), opennicTrees)

-- Beware: the rule order is important, as STUB is not a chain action.  The
-- NO_CACHE flag must therefore be set before the STUB rule ends processing.
-- NOTE(review): STUB forwards without DNSSEC validation, so answers from
-- ::1@52 are trusted as-is -- confirm that is acceptable for these trees.
policy.add(opennic_no_cache)
policy.add(opennic_stub)
-- Disable caching for every client: the whole IPv4 and the whole IPv6
-- address space get the NO_CACHE flag on all queries.
for _, everyone in ipairs({ '0.0.0.0/0', '::/0' }) do
  view:addr(everyone, policy.all(policy.FLAGS({'NO_CACHE'})))
end
-- Disabled per-network view rules returning policy.PASS.  Note that
-- '199.58.81.137/25' is a host address with a /25 mask; the intended prefix
-- is probably 199.58.81.128/25.
--view:addr('198.252.153.0/24', function (req, qry) return policy.PASS end)
--view:addr('204.13.164.0/24', function (req, qry) return policy.PASS end)
--view:addr('199.254.238.0/24', function (req, qry) return policy.PASS end)
--view:addr('199.58.80.128/25', function (req, qry) return policy.PASS end)
--view:addr('199.58.81.137/25', function (req, qry) return policy.PASS end)
--view:addr('10.0.1.0/24', function (req, qry) return policy.PASS end)
--view:addr('10.0.2.0/24', function (req, qry) return policy.PASS end)
--view:addr('127.0.0.1', function (req, qry) return policy.PASS end)
--- Drop everything that has not matched any view rule above (disabled).
-- view:addr('0.0.0.0/0', function (req, qry) return policy.DROP end)
-- Alternatively, forward every query to a local resolver on ::1 port 51 (disabled).
-- policy.add(policy.all(policy.FORWARD('::1@51')))
-- To disable DNSSEC validation, add a negative trust anchor for the root.
-- Leave this commented unless validation really has to be turned off.
-- trust_anchors.negative = { '.' }