{"id":10263,"date":"2023-02-27T20:31:00","date_gmt":"2023-02-27T19:31:00","guid":{"rendered":"https:\/\/monodes.com\/predaelli\/?p=10263"},"modified":"2023-02-27T08:32:22","modified_gmt":"2023-02-27T07:32:22","slug":"knot-dns","status":"publish","type":"post","link":"https:\/\/monodes.com\/predaelli\/2023\/02\/27\/knot-dns\/","title":{"rendered":"Knot DNS"},"content":{"rendered":"<p>I&#8217;ve just read the interesting <em>&#8220;<a href=\"https:\/\/yeupou.wordpress.com\/2023\/02\/11\/replace-powerdns-by-knot-dns-and-knot-resolversupervisor-with-dnssec-dns-over-tls-and-domain-name-spoofing\/\">Replace PowerDNS by Knot DNS and Knot Resolver+supervisor with DNSSEC, DNS over TLS and domain name spoofing<\/a>&#8221; from &#8230;.<\/em><\/p>\n<p>I didn&#8217;t know <a href=\"https:\/\/www.knot-dns.cz\/\">KnotDNS<\/a>. It may be a wiser choice than MaraDNS.<\/p>\n<p><!--more--><!--nextpage--><\/p>\n<blockquote>\n<header class=\"entry-header\">\n<h1 class=\"entry-title\">Replace PowerDNS by Knot DNS and Knot Resolver+supervisor with DNSSEC, DNS over TLS and domain name&nbsp;spoofing<\/h1>\n<div class=\"entry-meta small-part\"><span class=\"posted-on\"><i class=\"fa fa-clock-o space-left-right\"><\/i><a href=\"https:\/\/yeupou.wordpress.com\/2023\/02\/11\/replace-powerdns-by-knot-dns-and-knot-resolversupervisor-with-dnssec-dns-over-tls-and-domain-name-spoofing\/\" rel=\"bookmark\"><time class=\"entry-date published\" datetime=\"2023-02-11T17:28:13+01:00\">February 11, 2023<\/time><\/a><\/span><span class=\"byline\"> <i class=\"fa fa-user space-left-right\"><\/i><span class=\"author vcard\"><a class=\"url fn n\" href=\"https:\/\/yeupou.wordpress.com\/author\/yeupou\/\">yeupou<\/a><\/span><\/span><span class=\"comments-link\"><i class=\"fa fa-comments-o space-left-right\"><\/i><a href=\"https:\/\/yeupou.wordpress.com\/2023\/02\/11\/replace-powerdns-by-knot-dns-and-knot-resolversupervisor-with-dnssec-dns-over-tls-and-domain-name-spoofing\/#comments\">1 
Comment<\/a><\/span><\/div>\n<\/header>\n<div class=\"entry-content\">\n<p class=\"has-text-align-justify\"><a href=\"https:\/\/yeupou.wordpress.com\/2021\/03\/12\/using-powerdns-server-and-recursor-with-dnssec-and-domain-name-spoofing-caching\/\">I had been considering using Knot DNS for a while<\/a>. Switching to DNS over TLS for the resolver queries was the push needed. Turns out that transposing my setup to Knot DNS is very easy and fast.<\/p>\n<p class=\"has-text-align-justify\">Knot Resolver does not provide init scripts and suggests using supervisor as an alternative to systemd omnipresent features. I was wary of this idea, but it turns out that <a href=\"http:\/\/supervisord.org\/\">supervisor<\/a> is very easy to put in place and I might use it more, to replace some xinetd, in the future.<\/p>\n<p class=\"has-text-align-justify\">For the record, my setup is as follows: there is a local DNS server to serve the local area network HERE.ici domain and a resolver that caches requests. All requests are sent to the resolver and this one, if it cannot answer, then asks the relevant DNS server. 
Nothing too fancy, even if sometimes LANs are set up the other way around, where people query the local DNS server by default and this one queries the local resolver if it can\u2019t answer.<\/p>\n<p class=\"has-text-align-justify\">Installation requires the following:<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<div>\n<div id=\"highlighter_969488\" class=\"syntaxhighlighter  bash\">\n<table cellspacing=\"0\" cellpadding=\"0\" border=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<div class=\"line number2 index1 alt1\">2<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"\" data-line=\"\">apt <\/code><code class=\"\" data-line=\"\">install<\/code> <code class=\"\" data-line=\"\">knot<\/code><code class=\"\" data-line=\"\">\/testing<\/code><\/div>\n<div class=\"line number2 index1 alt1\"><code class=\"\" data-line=\"\">apt <\/code><code class=\"\" data-line=\"\">install<\/code> <code class=\"\" data-line=\"\">knot-resolver supervisor<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<\/div>\n<h2 class=\"wp-block-heading\">DNS for the local area network<\/h2>\n<p>The Knot DNS server will not be queried directly but by the Knot Resolver and DHCPd. 
Edit \/etc\/knot\/knot.conf by adding:<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<div>\n<div id=\"highlighter_105174\" class=\"syntaxhighlighter  plain\">\n<table cellspacing=\"0\" cellpadding=\"0\" border=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<div class=\"line number2 index1 alt1\">2<\/div>\n<div class=\"line number3 index2 alt2\">3<\/div>\n<div class=\"line number4 index3 alt1\">4<\/div>\n<div class=\"line number5 index4 alt2\">5<\/div>\n<div class=\"line number6 index5 alt1\">6<\/div>\n<div class=\"line number7 index6 alt2\">7<\/div>\n<div class=\"line number8 index7 alt1\">8<\/div>\n<div class=\"line number9 index8 alt2\">9<\/div>\n<div class=\"line number10 index9 alt1\">10<\/div>\n<div class=\"line number11 index10 alt2\">11<\/div>\n<div class=\"line number12 index11 alt1\">12<\/div>\n<div class=\"line number13 index12 alt2\">13<\/div>\n<div class=\"line number14 index13 alt1\">14<\/div>\n<div class=\"line number15 index14 alt2\">15<\/div>\n<div class=\"line number16 index15 alt1\">16<\/div>\n<div class=\"line number17 index16 alt2\">17<\/div>\n<div class=\"line number18 index17 alt1\">18<\/div>\n<div class=\"line number19 index18 alt2\">19<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"\" data-line=\"\">server:<\/code><\/div>\n<div class=\"line number2 index1 alt1\"><code class=\"\" data-line=\"\">&nbsp;&nbsp;&nbsp;&nbsp;<\/code><code class=\"\" data-line=\"\"># meant to be called only on loopback<\/code><\/div>\n<div class=\"line number3 index2 alt2\"><code class=\"\" data-line=\"\">&nbsp;&nbsp;&nbsp;&nbsp;<\/code><code class=\"\" data-line=\"\"># by knot-resolver and dhcpd on update<\/code><\/div>\n<div class=\"line number4 index3 alt1\"><code class=\"\" data-line=\"\">&nbsp;&nbsp;&nbsp;&nbsp;<\/code><code class=\"\" data-line=\"\">listen: 127.0.1.1@53<\/code><\/div>\n<div class=\"line number5 index4 
alt2\"><\/div>\n<div class=\"line number6 index5 alt1\"><code class=\"\" data-line=\"\">acl:<\/code><\/div>\n<div class=\"line number7 index6 alt2\"><code class=\"\" data-line=\"\">&nbsp;&nbsp;<\/code><code class=\"\" data-line=\"\">- id: update_acl<\/code><\/div>\n<div class=\"line number8 index7 alt1\"><code class=\"\" data-line=\"\">&nbsp;&nbsp;&nbsp;&nbsp;<\/code><code class=\"\" data-line=\"\"># restrict by IP is enough, no need for a ddns key stored on the same host<\/code><\/div>\n<div class=\"line number9 index8 alt2\"><code class=\"\" data-line=\"\">&nbsp;&nbsp;&nbsp;&nbsp;<\/code><code class=\"\" data-line=\"\">address: 127.0.0.1<\/code><\/div>\n<div class=\"line number10 index9 alt1\"><code class=\"\" data-line=\"\">&nbsp;&nbsp;&nbsp;&nbsp;<\/code><code class=\"\" data-line=\"\">action: update<\/code><\/div>\n<div class=\"line number11 index10 alt2\"><\/div>\n<div class=\"line number12 index11 alt1\"><code class=\"\" data-line=\"\">zone:<\/code><\/div>\n<div class=\"line number13 index12 alt2\"><code class=\"\" data-line=\"\">&nbsp;&nbsp;<\/code><code class=\"\" data-line=\"\">- domain: HERE.ici<\/code><\/div>\n<div class=\"line number14 index13 alt1\"><code class=\"\" data-line=\"\">&nbsp;&nbsp;&nbsp;&nbsp;<\/code><code class=\"\" data-line=\"\">dnssec-signing: on<\/code><\/div>\n<div class=\"line number15 index14 alt2\"><code class=\"\" data-line=\"\">&nbsp;&nbsp;&nbsp;&nbsp;<\/code><code class=\"\" data-line=\"\">acl: update_acl<\/code><\/div>\n<div class=\"line number16 index15 alt1\"><\/div>\n<div class=\"line number17 index16 alt2\"><code class=\"\" data-line=\"\">&nbsp;&nbsp;<\/code><code class=\"\" data-line=\"\">- domain: 10.in-addr.arpa<\/code><\/div>\n<div class=\"line number18 index17 alt1\"><code class=\"\" data-line=\"\">&nbsp;&nbsp;&nbsp;&nbsp;<\/code><code class=\"\" data-line=\"\">dnssec-signing: on<\/code><\/div>\n<div class=\"line number19 index18 alt2\"><code class=\"\" data-line=\"\">&nbsp;&nbsp;&nbsp;&nbsp;<\/code><code class=\"\" 
data-line=\"\">acl: update_acl<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<\/div>\n<p>Create the zones (edit serverhostname and HERE.ici according to your setup):<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<div>\n<div id=\"highlighter_163672\" class=\"syntaxhighlighter  bash\">\n<table cellspacing=\"0\" cellpadding=\"0\" border=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<div class=\"line number2 index1 alt1\">2<\/div>\n<div class=\"line number3 index2 alt2\">3<\/div>\n<div class=\"line number4 index3 alt1\">4<\/div>\n<div class=\"line number5 index4 alt2\">5<\/div>\n<div class=\"line number6 index5 alt1\">6<\/div>\n<div class=\"line number7 index6 alt2\">7<\/div>\n<div class=\"line number8 index7 alt1\">8<\/div>\n<div class=\"line number9 index8 alt2\">9<\/div>\n<div class=\"line number10 index9 alt1\">10<\/div>\n<div class=\"line number11 index10 alt2\">11<\/div>\n<div class=\"line number12 index11 alt1\">12<\/div>\n<div class=\"line number13 index12 alt2\">13<\/div>\n<div class=\"line number14 index13 alt1\">14<\/div>\n<div class=\"line number15 index14 alt2\">15<\/div>\n<div class=\"line number16 index15 alt1\">16<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"\" data-line=\"\">invoke-rc.d knot restart<\/code><\/div>\n<div class=\"line number2 index1 alt1\"><\/div>\n<div class=\"line number3 index2 alt2\"><code class=\"\" data-line=\"\">knotc zone-begin HERE.ici<\/code><\/div>\n<div class=\"line number4 index3 alt1\"><code class=\"\" data-line=\"\">knotc zone-<\/code><code class=\"\" data-line=\"\">set<\/code> <code class=\"\" data-line=\"\">HERE.ici @ 7200 SOA serverhostname hostmaster 1 86400 900 691200 3600<\/code><\/div>\n<div class=\"line number5 index4 alt2\"><code class=\"\" data-line=\"\">knotc zone-<\/code><code class=\"\" data-line=\"\">set<\/code> <code class=\"\" 
data-line=\"\">HERE.ici serverhostname 3600 A 10.10.10.1<\/code><\/div>\n<div class=\"line number6 index5 alt1\"><code class=\"\" data-line=\"\">knotc zone-<\/code><code class=\"\" data-line=\"\">set<\/code> <code class=\"\" data-line=\"\">HERE.ici @ 3600 NS serverhostname<\/code><\/div>\n<div class=\"line number7 index6 alt2\"><code class=\"\" data-line=\"\">knotc zone-<\/code><code class=\"\" data-line=\"\">set<\/code> <code class=\"\" data-line=\"\">HERE.ici @ 3600 MX 10 mx.HERE.ici<\/code><\/div>\n<div class=\"line number8 index7 alt1\"><code class=\"\" data-line=\"\">knotc zone-<\/code><code class=\"\" data-line=\"\">set<\/code> <code class=\"\" data-line=\"\">HERE.ici jeden 3600 CNAME serverhostname<\/code><\/div>\n<div class=\"line number9 index8 alt2\"><code class=\"\" data-line=\"\">knotc zone-commit HERE.ici<\/code><\/div>\n<div class=\"line number10 index9 alt1\"><\/div>\n<div class=\"line number11 index10 alt2\"><code class=\"\" data-line=\"\">knotc zone-begin 10.<\/code><code class=\"\" data-line=\"\">in<\/code><code class=\"\" data-line=\"\">-addr.arpa<\/code><\/div>\n<div class=\"line number12 index11 alt1\"><code class=\"\" data-line=\"\">knotc zone-<\/code><code class=\"\" data-line=\"\">set<\/code> <code class=\"\" data-line=\"\">10.<\/code><code class=\"\" data-line=\"\">in<\/code><code class=\"\" data-line=\"\">-addr.arpa @ 7200 SOA serverhostname.HERE.ici. hostmaster.HERE.ici. 
1 86400 900 691200 3600<\/code><\/div>\n<div class=\"line number13 index12 alt2\"><\/div>\n<div class=\"line number14 index13 alt1\"><code class=\"\" data-line=\"\">knotc zone-<\/code><code class=\"\" data-line=\"\">set<\/code> <code class=\"\" data-line=\"\">10.<\/code><code class=\"\" data-line=\"\">in<\/code><code class=\"\" data-line=\"\">-addr.arpa 10.10.10.1 3600 PTR serverhostname<\/code><\/div>\n<div class=\"line number15 index14 alt2\"><code class=\"\" data-line=\"\">knotc zone-<\/code><code class=\"\" data-line=\"\">set<\/code> <code class=\"\" data-line=\"\">10.<\/code><code class=\"\" data-line=\"\">in<\/code><code class=\"\" data-line=\"\">-addr.arpa @ 3600 NS serverhostname.HERE.ici.<\/code><\/div>\n<div class=\"line number16 index15 alt1\"><code class=\"\" data-line=\"\">knotc zone-commit 10.<\/code><code class=\"\" data-line=\"\">in<\/code><code class=\"\" data-line=\"\">-addr.arpa<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<\/div>\n<p>Zones will be updated by the DHCP server, in this case ISC dhcpd. 
Edit \/etc\/dhcp\/dhcpd.conf accordingly:<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<div>\n<div id=\"highlighter_766851\" class=\"syntaxhighlighter  bash\">\n<table cellspacing=\"0\" cellpadding=\"0\" border=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<div class=\"line number2 index1 alt1\">2<\/div>\n<div class=\"line number3 index2 alt2\">3<\/div>\n<div class=\"line number4 index3 alt1\">4<\/div>\n<div class=\"line number5 index4 alt2\">5<\/div>\n<div class=\"line number6 index5 alt1\">6<\/div>\n<div class=\"line number7 index6 alt2\">7<\/div>\n<div class=\"line number8 index7 alt1\">8<\/div>\n<div class=\"line number9 index8 alt2\">9<\/div>\n<div class=\"line number10 index9 alt1\">10<\/div>\n<div class=\"line number11 index10 alt2\">11<\/div>\n<div class=\"line number12 index11 alt1\">12<\/div>\n<div class=\"line number13 index12 alt2\">13<\/div>\n<div class=\"line number14 index13 alt1\">14<\/div>\n<div class=\"line number15 index14 alt2\">15<\/div>\n<div class=\"line number16 index15 alt1\">16<\/div>\n<div class=\"line number17 index16 alt2\">17<\/div>\n<div class=\"line number18 index17 alt1\">18<\/div>\n<div class=\"line number19 index18 alt2\">19<\/div>\n<div class=\"line number20 index19 alt1\">20<\/div>\n<div class=\"line number21 index20 alt2\">21<\/div>\n<div class=\"line number22 index21 alt1\">22<\/div>\n<div class=\"line number23 index22 alt2\">23<\/div>\n<div class=\"line number24 index23 alt1\">24<\/div>\n<div class=\"line number25 index24 alt2\">25<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"\" data-line=\"\"># dynamic update<\/code><\/div>\n<div class=\"line number2 index1 alt1\"><code class=\"\" data-line=\"\">ddns-updates on;<\/code><\/div>\n<div class=\"line number3 index2 alt2\"><code class=\"\" data-line=\"\">ddns-update-style standard;<\/code><\/div>\n<div class=\"line number4 index3 alt1\"><code 
class=\"\" data-line=\"\">ignore client-updates; <\/code><code class=\"\" data-line=\"\"># restrict to domain name<\/code><\/div>\n<div class=\"line number5 index4 alt2\"><\/div>\n<div class=\"line number6 index5 alt1\"><code class=\"\" data-line=\"\"># option definitions common to all supported networks...<\/code><\/div>\n<div class=\"line number7 index6 alt2\"><code class=\"\" data-line=\"\">option domain-name <\/code><code class=\"\" data-line=\"\">&quot;HERE.ici&quot;<\/code><code class=\"\" data-line=\"\">;<\/code><\/div>\n<div class=\"line number8 index7 alt1\"><code class=\"\" data-line=\"\">option domain-search <\/code><code class=\"\" data-line=\"\">&quot;HERE.ici&quot;<\/code><code class=\"\" data-line=\"\">;<\/code><\/div>\n<div class=\"line number9 index8 alt2\"><code class=\"\" data-line=\"\"># you can add other extra name servers if you consider acceptable <\/code><\/div>\n<div class=\"line number10 index9 alt1\"><code class=\"\" data-line=\"\"># direct external queries in case the resolver is dead<\/code><\/div>\n<div class=\"line number11 index10 alt2\"><code class=\"\" data-line=\"\">option domain-name-servers 10.0.0.1;<\/code><\/div>\n<div class=\"line number12 index11 alt1\"><code class=\"\" data-line=\"\">option routers 10.0.0.1;<\/code><\/div>\n<div class=\"line number13 index12 alt2\"><code class=\"\" data-line=\"\">default-lease-<\/code><code class=\"\" data-line=\"\">time<\/code> <code class=\"\" data-line=\"\">600;<\/code><\/div>\n<div class=\"line number14 index13 alt1\"><code class=\"\" data-line=\"\">max-lease-<\/code><code class=\"\" data-line=\"\">time<\/code> <code class=\"\" data-line=\"\">6000;<\/code><\/div>\n<div class=\"line number15 index14 alt2\"><code class=\"\" data-line=\"\">update-static-leases on;<\/code><\/div>\n<div class=\"line number16 index15 alt1\"><code class=\"\" data-line=\"\">authoritative;<\/code><\/div>\n<div class=\"line number17 index16 alt2\"><\/div>\n<div class=\"line number18 index17 alt1\"><code 
class=\"\" data-line=\"\">&nbsp;<\/code><code class=\"\" data-line=\"\">[...]<\/code><\/div>\n<div class=\"line number19 index18 alt2\"><\/div>\n<div class=\"line number20 index19 alt1\"><code class=\"\" data-line=\"\">zone HERE.ici. {<\/code><\/div>\n<div class=\"line number21 index20 alt2\"><code class=\"\" data-line=\"\">&nbsp;&nbsp;<\/code><code class=\"\" data-line=\"\">primary 127.0.1.1;<\/code><\/div>\n<div class=\"line number22 index21 alt1\"><code class=\"\" data-line=\"\">}<\/code><\/div>\n<div class=\"line number23 index22 alt2\"><code class=\"\" data-line=\"\">zone 10.<\/code><code class=\"\" data-line=\"\">in<\/code><code class=\"\" data-line=\"\">-addr.arpa. {<\/code><\/div>\n<div class=\"line number24 index23 alt1\"><code class=\"\" data-line=\"\">&nbsp;&nbsp;<\/code><code class=\"\" data-line=\"\">primary 127.0.1.1;<\/code><\/div>\n<div class=\"line number25 index24 alt2\"><code class=\"\" data-line=\"\">}<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<\/div>\n<p>No dynamic update keys, everything goes through the loopback. You might want to erase DHCPd leases (usually in \/var\/lib\/dhcp\/) so it does not get confused.<\/p>\n<h2 class=\"wp-block-heading\">DNS Resolver<\/h2>\n<p>The Knot Resolver will handle all client queries, contacting Internet DNS over TLS if need be and caching results. 
Edit \/etc\/knot-resolver\/kresd.conf to contain:<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<div>\n<div id=\"highlighter_490246\" class=\"syntaxhighlighter  python\">\n<table cellspacing=\"0\" cellpadding=\"0\" border=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<div class=\"line number2 index1 alt1\">2<\/div>\n<div class=\"line number3 index2 alt2\">3<\/div>\n<div class=\"line number4 index3 alt1\">4<\/div>\n<div class=\"line number5 index4 alt2\">5<\/div>\n<div class=\"line number6 index5 alt1\">6<\/div>\n<div class=\"line number7 index6 alt2\">7<\/div>\n<div class=\"line number8 index7 alt1\">8<\/div>\n<div class=\"line number9 index8 alt2\">9<\/div>\n<div class=\"line number10 index9 alt1\">10<\/div>\n<div class=\"line number11 index10 alt2\">11<\/div>\n<div class=\"line number12 index11 alt1\">12<\/div>\n<div class=\"line number13 index12 alt2\">13<\/div>\n<div class=\"line number14 index13 alt1\">14<\/div>\n<div class=\"line number15 index14 alt2\">15<\/div>\n<div class=\"line number16 index15 alt1\">16<\/div>\n<div class=\"line number17 index16 alt2\">17<\/div>\n<div class=\"line number18 index17 alt1\">18<\/div>\n<div class=\"line number19 index18 alt2\">19<\/div>\n<div class=\"line number20 index19 alt1\">20<\/div>\n<div class=\"line number21 index20 alt2\">21<\/div>\n<div class=\"line number22 index21 alt1\">22<\/div>\n<div class=\"line number23 index22 alt2\">23<\/div>\n<div class=\"line number24 index23 alt1\">24<\/div>\n<div class=\"line number25 index24 alt2\">25<\/div>\n<div class=\"line number26 index25 alt1\">26<\/div>\n<div class=\"line number27 index26 alt2\">27<\/div>\n<div class=\"line number28 index27 alt1\">28<\/div>\n<div class=\"line number29 index28 alt2\">29<\/div>\n<div class=\"line number30 index29 alt1\">30<\/div>\n<div class=\"line number31 index30 alt2\">31<\/div>\n<div class=\"line number32 index31 alt1\">32<\/div>\n<div class=\"line number33 index32 
alt2\">33<\/div>\n<div class=\"line number34 index33 alt1\">34<\/div>\n<div class=\"line number35 index34 alt2\">35<\/div>\n<div class=\"line number36 index35 alt1\">36<\/div>\n<div class=\"line number37 index36 alt2\">37<\/div>\n<div class=\"line number38 index37 alt1\">38<\/div>\n<div class=\"line number39 index38 alt2\">39<\/div>\n<div class=\"line number40 index39 alt1\">40<\/div>\n<div class=\"line number41 index40 alt2\">41<\/div>\n<div class=\"line number42 index41 alt1\">42<\/div>\n<div class=\"line number43 index42 alt2\">43<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"\" data-line=\"\">-<\/code><code class=\"\" data-line=\"\">-<\/code> <code class=\"\" data-line=\"\">Network interface configuration<\/code><\/div>\n<div class=\"line number2 index1 alt1\"><code class=\"\" data-line=\"\">-<\/code><code class=\"\" data-line=\"\">-<\/code> <code class=\"\" data-line=\"\">(knot dns should be using <\/code><code class=\"\" data-line=\"\">127.0<\/code><code class=\"\" data-line=\"\">.<\/code><code class=\"\" data-line=\"\">1.1<\/code><code class=\"\" data-line=\"\">)<\/code><\/div>\n<div class=\"line number3 index2 alt2\"><code class=\"\" data-line=\"\">net.listen(<\/code><code class=\"\" data-line=\"\">&#039;127.0.0.1&#039;<\/code><code class=\"\" data-line=\"\">, <\/code><code class=\"\" data-line=\"\">53<\/code><code class=\"\" data-line=\"\">, { kind <\/code><code class=\"\" data-line=\"\">=<\/code> <code class=\"\" data-line=\"\">&#039;dns&#039;<\/code> <code class=\"\" data-line=\"\">})<\/code><\/div>\n<div class=\"line number4 index3 alt1\"><code class=\"\" data-line=\"\">net.listen(<\/code><code class=\"\" data-line=\"\">&#039;127.0.0.1&#039;<\/code><code class=\"\" data-line=\"\">, <\/code><code class=\"\" data-line=\"\">853<\/code><code class=\"\" data-line=\"\">, { kind <\/code><code class=\"\" data-line=\"\">=<\/code> <code class=\"\" data-line=\"\">&#039;tls&#039;<\/code> <code 
class=\"\" data-line=\"\">})<\/code><\/div>\n<div class=\"line number5 index4 alt2\"><code class=\"\" data-line=\"\">net.listen(<\/code><code class=\"\" data-line=\"\">&#039;10.0.0.1&#039;<\/code><code class=\"\" data-line=\"\">, <\/code><code class=\"\" data-line=\"\">53<\/code><code class=\"\" data-line=\"\">, { kind <\/code><code class=\"\" data-line=\"\">=<\/code> <code class=\"\" data-line=\"\">&#039;dns&#039;<\/code> <code class=\"\" data-line=\"\">})<\/code><\/div>\n<div class=\"line number6 index5 alt1\"><code class=\"\" data-line=\"\">net.listen(<\/code><code class=\"\" data-line=\"\">&#039;10.0.0.1&#039;<\/code><code class=\"\" data-line=\"\">, <\/code><code class=\"\" data-line=\"\">853<\/code><code class=\"\" data-line=\"\">, { kind <\/code><code class=\"\" data-line=\"\">=<\/code> <code class=\"\" data-line=\"\">&#039;tls&#039;<\/code> <code class=\"\" data-line=\"\">})<\/code><\/div>\n<div class=\"line number7 index6 alt2\"><\/div>\n<div class=\"line number8 index7 alt1\"><code class=\"\" data-line=\"\">-<\/code><code class=\"\" data-line=\"\">-<\/code> <code class=\"\" data-line=\"\">drop privileges (check <\/code><code class=\"\" data-line=\"\">\/<\/code><code class=\"\" data-line=\"\">var<\/code><code class=\"\" data-line=\"\">\/<\/code><code class=\"\" data-line=\"\">lib<\/code><code class=\"\" data-line=\"\">\/<\/code><code class=\"\" data-line=\"\">knot<\/code><code class=\"\" data-line=\"\">-<\/code><code class=\"\" data-line=\"\">resolver modes<\/code><code class=\"\" data-line=\"\">\/<\/code><code class=\"\" data-line=\"\">owner)<\/code><\/div>\n<div class=\"line number9 index8 alt2\"><code class=\"\" data-line=\"\">user(<\/code><code class=\"\" data-line=\"\">&#039;knot-resolver&#039;<\/code><code class=\"\" data-line=\"\">, <\/code><code class=\"\" data-line=\"\">&#039;knot-resolver&#039;<\/code><code class=\"\" data-line=\"\">)<\/code><\/div>\n<div class=\"line number10 index9 alt1\"><\/div>\n<div class=\"line number11 index10 alt2\"><code 
class=\"\" data-line=\"\">-<\/code><code class=\"\" data-line=\"\">-<\/code> <code class=\"\" data-line=\"\">Load useful modules<\/code><\/div>\n<div class=\"line number12 index11 alt1\"><code class=\"\" data-line=\"\">modules <\/code><code class=\"\" data-line=\"\">=<\/code> <code class=\"\" data-line=\"\">{<\/code><\/div>\n<div class=\"line number13 index12 alt2\"><code class=\"\" data-line=\"\">&nbsp;&nbsp;&nbsp;<\/code><code class=\"\" data-line=\"\">&#039;hints &gt; iterate&#039;<\/code><code class=\"\" data-line=\"\">,&nbsp; <\/code><code class=\"\" data-line=\"\">-<\/code><code class=\"\" data-line=\"\">-<\/code> <code class=\"\" data-line=\"\">Load <\/code><code class=\"\" data-line=\"\">\/<\/code><code class=\"\" data-line=\"\">etc<\/code><code class=\"\" data-line=\"\">\/<\/code><code class=\"\" data-line=\"\">hosts <\/code><code class=\"\" data-line=\"\">and<\/code> <code class=\"\" data-line=\"\">allow custom root hints<\/code><\/div>\n<div class=\"line number14 index13 alt1\"><code class=\"\" data-line=\"\">&nbsp;&nbsp;&nbsp;<\/code><code class=\"\" data-line=\"\">&#039;stats&#039;<\/code><code class=\"\" data-line=\"\">,&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/code><code class=\"\" data-line=\"\">-<\/code><code class=\"\" data-line=\"\">-<\/code> <code class=\"\" data-line=\"\">Track internal statistics<\/code><\/div>\n<div class=\"line number15 index14 alt2\"><code class=\"\" data-line=\"\">&nbsp;&nbsp;&nbsp;<\/code><code class=\"\" data-line=\"\">&#039;predict&#039;<\/code><code class=\"\" data-line=\"\">,&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/code><code class=\"\" data-line=\"\">-<\/code><code class=\"\" data-line=\"\">-<\/code> <code class=\"\" data-line=\"\">Prefetch expiring<\/code><code class=\"\" data-line=\"\">\/<\/code><code class=\"\" data-line=\"\">frequent records<\/code><\/div>\n<div class=\"line number16 index15 alt1\"><code class=\"\" data-line=\"\">&nbsp;&nbsp;&nbsp;<\/code><code 
class=\"\" data-line=\"\">&#039;view&#039;<\/code><code class=\"\" data-line=\"\">,&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/code><code class=\"\" data-line=\"\">-<\/code><code class=\"\" data-line=\"\">-<\/code> <code class=\"\" data-line=\"\">require to limit access<\/code><\/div>\n<div class=\"line number17 index16 alt2\"><code class=\"\" data-line=\"\">}<\/code><\/div>\n<div class=\"line number18 index17 alt1\"><\/div>\n<div class=\"line number19 index18 alt2\"><code class=\"\" data-line=\"\">-<\/code><code class=\"\" data-line=\"\">-<\/code> <code class=\"\" data-line=\"\">Cache size<\/code><\/div>\n<div class=\"line number20 index19 alt1\"><code class=\"\" data-line=\"\">cache.size <\/code><code class=\"\" data-line=\"\">=<\/code> <code class=\"\" data-line=\"\">500<\/code> <code class=\"\" data-line=\"\">*<\/code> <code class=\"\" data-line=\"\">MB<\/code><\/div>\n<div class=\"line number21 index20 alt2\"><\/div>\n<div class=\"line number22 index21 alt1\"><code class=\"\" data-line=\"\">-<\/code><code class=\"\" data-line=\"\">-<\/code> <code class=\"\" data-line=\"\">whitelist queries identified by subnet<\/code><\/div>\n<div class=\"line number23 index22 alt2\"><code class=\"\" data-line=\"\">view:addr(<\/code><code class=\"\" data-line=\"\">&#039;127.0.0.0\/24&#039;<\/code><code class=\"\" data-line=\"\">, policy.<\/code><code class=\"\" data-line=\"\">all<\/code><code class=\"\" data-line=\"\">(policy.PASS))<\/code><\/div>\n<div class=\"line number24 index23 alt1\"><code class=\"\" data-line=\"\">view:addr(<\/code><code class=\"\" data-line=\"\">&#039;10.0.0.0\/24&#039;<\/code><code class=\"\" data-line=\"\">, policy.<\/code><code class=\"\" data-line=\"\">all<\/code><code class=\"\" data-line=\"\">(policy.PASS))<\/code><\/div>\n<div class=\"line number25 index24 alt2\"><code class=\"\" data-line=\"\">-<\/code><code class=\"\" data-line=\"\">-<\/code> <code class=\"\" data-line=\"\">drop everything that hasn&#039;t matched<\/code><\/div>\n<div 
class=\"line number26 index25 alt1\"><code class=\"\" data-line=\"\">view:addr(<\/code><code class=\"\" data-line=\"\">&#039;0.0.0.0\/0&#039;<\/code><code class=\"\" data-line=\"\">, policy.<\/code><code class=\"\" data-line=\"\">all<\/code><code class=\"\" data-line=\"\">(policy.DROP))<\/code><\/div>\n<div class=\"line number27 index26 alt2\"><\/div>\n<div class=\"line number28 index27 alt1\"><code class=\"\" data-line=\"\">-<\/code><code class=\"\" data-line=\"\">-<\/code> <code class=\"\" data-line=\"\">Custom hints: local spoofed address <\/code><code class=\"\" data-line=\"\">and<\/code> <code class=\"\" data-line=\"\">antispam<\/code><code class=\"\" data-line=\"\">\/<\/code><code class=\"\" data-line=\"\">ads<\/code><\/div>\n<div class=\"line number29 index28 alt2\"><code class=\"\" data-line=\"\">hints.add_hosts(<\/code><code class=\"\" data-line=\"\">&quot;\/etc\/knot-resolver\/redirect-spoof&quot;<\/code><code class=\"\" data-line=\"\">)<\/code><\/div>\n<div class=\"line number30 index29 alt1\"><code class=\"\" data-line=\"\">hints.add_hosts(<\/code><code class=\"\" data-line=\"\">&quot;\/etc\/knot-resolver\/redirect-ads&quot;<\/code><code class=\"\" data-line=\"\">)<\/code><\/div>\n<div class=\"line number31 index30 alt2\"><\/div>\n<div class=\"line number32 index31 alt1\"><code class=\"\" data-line=\"\">-<\/code><code class=\"\" data-line=\"\">-<\/code> <code class=\"\" data-line=\"\">internal domain: use knot dns listening on loopback<\/code><\/div>\n<div class=\"line number33 index32 alt2\"><code class=\"\" data-line=\"\">internalDomains <\/code><code class=\"\" data-line=\"\">=<\/code> <code class=\"\" data-line=\"\">policy.todnames({<\/code><code class=\"\" data-line=\"\">&#039;HERE.ici&#039;<\/code><code class=\"\" data-line=\"\">, <\/code><code class=\"\" data-line=\"\">&#039;10.in-addr.arpa&#039;<\/code><code class=\"\" data-line=\"\">})<\/code><\/div>\n<div class=\"line number34 index33 alt1\"><code class=\"\" 
data-line=\"\">policy.add(policy.suffix(policy.FLAGS({<\/code><code class=\"\" data-line=\"\">&#039;NO_CACHE&#039;<\/code><code class=\"\" data-line=\"\">}), internalDomains))<\/code><\/div>\n<div class=\"line number35 index34 alt2\"><code class=\"\" data-line=\"\">policy.add(policy.suffix(policy.STUB({<\/code><code class=\"\" data-line=\"\">&#039;127.0.1.1@53&#039;<\/code><code class=\"\" data-line=\"\">}), internalDomains))<\/code><\/div>\n<div class=\"line number36 index35 alt1\"><\/div>\n<div class=\"line number37 index36 alt2\"><code class=\"\" data-line=\"\">-<\/code><code class=\"\" data-line=\"\">-<\/code> <code class=\"\" data-line=\"\">forward <\/code><code class=\"\" data-line=\"\">in<\/code> <code class=\"\" data-line=\"\">TLS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/code><\/div>\n<div class=\"line number38 index37 alt1\"><code class=\"\" data-line=\"\">policy.add(policy.<\/code><code class=\"\" data-line=\"\">all<\/code><code class=\"\" data-line=\"\">(policy.TLS_FORWARD(<\/code><\/div>\n<div class=\"line number39 index38 alt2\"><code class=\"\" data-line=\"\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/code><code class=\"\" data-line=\"\">{<\/code><code class=\"\" data-line=\"\">&#039;208.67.222.222&#039;<\/code><code class=\"\" data-line=\"\">, hostname<\/code><code class=\"\" data-line=\"\">=<\/code><code class=\"\" data-line=\"\">&#039;dns.opendns.com&#039;<\/code><code class=\"\" data-line=\"\">},<\/code><\/div>\n<div class=\"line number40 index39 alt1\"><code class=\"\" data-line=\"\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/code><code class=\"\" data-line=\"\">{<\/code><code class=\"\" data-line=\"\">&#039;208.67.220.220&#039;<\/code><code class=\"\" data-line=\"\">, hostname<\/code><code class=\"\" data-line=\"\">=<\/code><code class=\"\" data-line=\"\">&#039;dns.opendns.com&#039;<\/code><code 
class=\"\" data-line=\"\">},<\/code><\/div>\n<div class=\"line number41 index40 alt2\"><code class=\"\" data-line=\"\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/code><code class=\"\" data-line=\"\">{<\/code><code class=\"\" data-line=\"\">&#039;1.1.1.1&#039;<\/code><code class=\"\" data-line=\"\">, hostname<\/code><code class=\"\" data-line=\"\">=<\/code><code class=\"\" data-line=\"\">&#039;cloudflare-dns.com&#039;<\/code><code class=\"\" data-line=\"\">},<\/code><\/div>\n<div class=\"line number42 index41 alt1\"><code class=\"\" data-line=\"\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/code><code class=\"\" data-line=\"\">{<\/code><code class=\"\" data-line=\"\">&#039;1.0.0.1&#039;<\/code><code class=\"\" data-line=\"\">, hostname<\/code><code class=\"\" data-line=\"\">=<\/code><code class=\"\" data-line=\"\">&#039;cloudflare-dns.com&#039;<\/code><code class=\"\" data-line=\"\">},<\/code><\/div>\n<div class=\"line number43 index42 alt2\"><code class=\"\" data-line=\"\">})))<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<\/div>\n<p class=\"has-text-align-justify\">redirect-spoof and redirect-ads are in \/etc\/hosts format: this allows domain spoofing or ad domain filtering. It conveniently replaces the extra Lua script that my setup was using with PowerDNS.<\/p>\n<p class=\"has-text-align-justify has-luminous-vivid-amber-background-color has-background\">Update Feb 19 2023: Check <a href=\"https:\/\/gitlab.com\/yeupou\/rien\/-\/tree\/master\/knot-resolver\">recent files on gitlab<\/a>, I now use RPZ instead of hints\/hosts file to block hostile domains. 
No real change in principle, but knot-resolver seems to handle very long lists better in this form.<\/p>\n<p>Finally, the resolver needs to be started by supervisord, with a \/etc\/supervisor\/conf.d\/knot-resolver.conf as such:<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<div>\n<div id=\"highlighter_753340\" class=\"syntaxhighlighter  bash\">\n<table cellspacing=\"0\" cellpadding=\"0\" border=\"0\">\n<tbody>\n<tr>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"\" data-line=\"\">[program:knot-resolver]<\/code><\/div>\n<div class=\"line number2 index1 alt1\"><code class=\"\" data-line=\"\">command<\/code><code class=\"\" data-line=\"\">=<\/code><code class=\"\" data-line=\"\">\/usr\/sbin\/kresd<\/code> <code class=\"\" data-line=\"\">-c <\/code><code class=\"\" data-line=\"\">\/etc\/knot-resolver\/kresd<\/code><code class=\"\" data-line=\"\">.conf --noninteractive<\/code><\/div>\n<div class=\"line number3 index2 alt2\"><code class=\"\" data-line=\"\">priority=0<\/code><\/div>\n<div class=\"line number4 index3 
alt1\"><code class=\"\" data-line=\"\">autostart=<\/code><code class=\"\" data-line=\"\">true<\/code><\/div>\n<div class=\"line number5 index4 alt2\"><code class=\"\" data-line=\"\">autorestart=<\/code><code class=\"\" data-line=\"\">true<\/code><\/div>\n<div class=\"line number6 index5 alt1\"><code class=\"\" data-line=\"\">stdout_syslog=<\/code><code class=\"\" data-line=\"\">true<\/code><\/div>\n<div class=\"line number7 index6 alt2\"><code class=\"\" data-line=\"\">stderr_syslog=<\/code><code class=\"\" data-line=\"\">true<\/code><\/div>\n<div class=\"line number8 index7 alt1\"><code class=\"\" data-line=\"\">directory=<\/code><code class=\"\" data-line=\"\">\/var\/lib\/knot-resolver<\/code><\/div>\n<div class=\"line number9 index8 alt2\"><\/div>\n<div class=\"line number10 index9 alt1\"><code class=\"\" data-line=\"\">[program:knot-resolver-gc]<\/code><\/div>\n<div class=\"line number11 index10 alt2\"><code class=\"\" data-line=\"\">command<\/code><code class=\"\" data-line=\"\">=<\/code><code class=\"\" data-line=\"\">\/usr\/sbin\/kres-cache-gc<\/code> <code class=\"\" data-line=\"\">-c <\/code><code class=\"\" data-line=\"\">\/var\/lib\/knot-resolver<\/code> <code class=\"\" data-line=\"\">-d 120000<\/code><\/div>\n<div class=\"line number12 index11 alt1\"><code class=\"\" data-line=\"\">user=knot-resolver<\/code><\/div>\n<div class=\"line number13 index12 alt2\"><code class=\"\" data-line=\"\">autostart=<\/code><code class=\"\" data-line=\"\">true<\/code><\/div>\n<div class=\"line number14 index13 alt1\"><code class=\"\" data-line=\"\">autorestart=<\/code><code class=\"\" data-line=\"\">true<\/code><\/div>\n<div class=\"line number15 index14 alt2\"><code class=\"\" data-line=\"\">stdout_syslog=<\/code><code class=\"\" data-line=\"\">true<\/code><\/div>\n<div class=\"line number16 index15 alt1\"><code class=\"\" data-line=\"\">stderr_syslog=<\/code><code class=\"\" data-line=\"\">true<\/code><\/div>\n<div class=\"line number17 index16 alt2\"><code class=\"\" 
data-line=\"\">directory=<\/code><code class=\"\" data-line=\"\">\/var\/lib\/knot-resolver<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<\/div>\n<p>Restart the supervisor, check logs. Everything should be fine. You can clean up.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<div>\n<div id=\"highlighter_163353\" class=\"syntaxhighlighter  bash\">\n<table cellspacing=\"0\" cellpadding=\"0\" border=\"0\">\n<tbody>\n<tr>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"\" data-line=\"\">rc-update add supervisor<\/code><\/div>\n<div class=\"line number2 index1 alt1\"><code class=\"\" data-line=\"\">rc-update add knot<\/code><\/div>\n<div class=\"line number3 index2 alt2\"><code class=\"\" data-line=\"\">apt --purge remove pdns-*<\/code><\/div>\n<div class=\"line number4 index3 alt1\"><\/div>\n<div class=\"line number5 index4 alt2\"><code class=\"\" data-line=\"\"># check if there is still traffic on DNS port 53 on the public network interface (should be none)<\/code><\/div>\n<div class=\"line number6 index5 alt1\"><code class=\"\" data-line=\"\">tcpdump -ni eth0 -p port&nbsp; 53<\/code><\/div>\n<div class=\"line number7 index6 alt2\"><code class=\"\" data-line=\"\"># check if there is traffic on DNS over TLS port 853 (should be whenever there is a query outside of the cache and LAN)<\/code><\/div>\n<div class=\"line number8 index7 alt1\"><code class=\"\" data-line=\"\">tcpdump -ni eth0 -p port&nbsp; 
853<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<\/div>\n<p>(My default files are my <a href=\"https:\/\/gitlab.com\/yeupou\/rien\/-\/tree\/master\/host\/etc\">rien-host<\/a> package; if you have on your network a mail server using DNS blacklist which will inevitably be blocked, you might want to install knot-resolver also on this server, in recursive mode)<\/p>\n<\/div>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p class=\"excerpt\">I&#8217;ve just read the interesting &#8220;Replace PowerDNS by Knot DNS and Knot Resolver+supervisor with DNSSEC, DNS over TLS and domain name spoofing&#8221; from &#8230;. I didn&#8217;t know KnotDNS. It may be a wiser choice than MaraDNS<\/p>\n<p class=\"more-link-p\"><a class=\"more-link\" href=\"https:\/\/monodes.com\/predaelli\/2023\/02\/27\/knot-dns\/\">Read more &rarr;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"link","meta":{"inline_featured_image":false,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":4,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"","footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[52,14],"tags":[333],"class_list":["post-10263","post","type-post","status-publish","format-link","hentry","category-software","category-software-libero","tag-dns","post_format-post-format-link"],"jetpack_publicize_connections":[],
"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6daft-2Fx","jetpack_likes_enabled":true}