kresd man page

kresd — Knot DNS 1.1.0 full caching resolver.

Synopsis

kresd [-a|--addr addr[#port]] [-t|--tls addr[#port]] [-S|--fd fd] [-T|--tlsfd fd] [-c|--config config] [-k|--keyfile keyfile] [-f|--forks N] [-q|--quiet] [-v|--verbose] [-V|--version] [-h|--help] [rundir]

Description

Knot DNS Resolver is a DNSSEC-enabled full caching resolver.

Default mode of operation: when it receives a DNS query it iteratively asks authoritative nameservers, starting from the root zone (.) and ending with the nameservers authoritative for the queried name. Automatic DNSSEC validation verifies the integrity of authoritative responses by following keys and signatures starting from the root. The root trust anchor is bootstrapped from IANA automatically, or you can provide a file with root trust anchors (same format as an Unbound or BIND9 root keys file).

The daemon also caches intermediate answers in a cache that by default uses an LMDB memory-mapped database. This has a significant advantage over in-memory caches: the process may be stopped and restarted without losing cache entries. In a multi-user scenario a shared cache is a potential privacy/security issue, since cached answers reveal what other users have resolved; with kresd each user can keep a resolver cache in their own private directory and use it in a similar fashion to a keychain.

By default, no configuration is needed, only a directory where the daemon can store runtime data (cache, control sockets, ...).

To use a locally running kresd for resolving, put

nameserver 127.0.0.1

into resolv.conf(5) and start kresd:

$ kresd -a 127.0.0.1 -k root.keys
[system] interactive mode
>

The daemon may also be configured as a plain forwarder using query policies; this requires creating a file named config in the daemon runtime directory. See daemon/README.md for more information about interacting with the CLI and the configuration file options, or visit the online documentation at https://knot-resolver.readthedocs.io.

# Create a basic forwarder configuration in the runtime directory, then start kresd there
$ cat << EOF > config
modules = { 'policy' }
policy:add(policy.all(policy.FORWARD('192.168.1.1')))
EOF
$ kresd -a 127.0.0.1 -k root.keys

The available CLI options are:

-a addr[#port], --addr=<addr[#port]>
Listen on the given address (and port) pair. If no port is given, 53 is used by default. The option may be passed multiple times to listen on more addresses.
-t addr[#port], --tls=<addr[#port]>
Listen using TLS on the given address (and port) pair. If no port is given, 853 is used by default. The option may be passed multiple times to listen on more addresses.
-S fd, --fd=<fd>
Listen on the given file descriptor, passed by a supervisor. The option may be passed multiple times to listen on more file descriptors.
-T fd, --tlsfd=<fd>
Listen using TLS on the given file descriptor, passed by a supervisor. The option may be passed multiple times to listen on more file descriptors.
-k keyfile, --keyfile=<keyfile>
Use the given file for keeping root trust anchors. If the file doesn't exist, it will be automatically bootstrapped from IANA and a warning will be issued so that you check the file before trusting it. The file contains DNSKEY/DS records in presentation format and is compatible with Unbound or BIND9 root key files.
-f N, --forks=<N>
With this option, the daemon is started in non-interactive mode and instead creates a UNIX socket in rundir that the operator can connect to for an interactive session. A number greater than 1 forks the daemon N times; all forks bind to the same addresses and the kernel load-balances between them on Linux with SO_REUSEPORT support.
When socket-activated and supervised by systemd or the equivalent, kresd defaults to --forks=1, and the option must not be set to any other value. If you want multiple concurrent processes supervised in this way, they should be supervised independently.
-q, --quiet
Daemon will refrain from printing any informative messages, not even a prompt.
-v, --verbose
Increase verbosity. If given multiple times, more information is logged. This is in addition to the verbosity (if any) from the config file.
-c config, --config=<config>
Set the config file with settings for kresd to read instead of reading the file at the default location (config in the runtime directory). The syntax is described in daemon/README.md.
-h, --help
Show the version and command line option help.
-V, --version
Show the version.
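The following script ties the pieces above together: the per-user private cache directory from the Description, the forwarder config, the -k/-f options, and the "check it before trusting it" advice for a bootstrapped root.keys file. It is an added example and not part of this man page or of the Knot Resolver project. It assumes kresd is on PATH and that 192.168.1.1 is the upstream forwarder; the root.keys file it writes is a constructed sample with made-up values, used only to show what the summary prints (kresd_prepare_rundir, kresd_rundir_is_private, kresd_start_cmd and kresd_anchor_summary are names chosen here, not kresd tooling).

```sh
#!/bin/sh
# Added example; not from the kresd man page or the Knot Resolver project.
# Prepares a private per-user runtime directory for kresd, writes a forwarder
# config into it, prints the launch command line, and summarises a root trust
# anchor file so the operator can compare it with the anchors IANA publishes.
# Assumptions: kresd is on PATH, 192.168.1.1 is the upstream forwarder, and
# the sample anchor file below is constructed (not real root keys).
set -eu

# Create the runtime directory with owner-only permissions: the LMDB cache
# files and the control socket (created with -f) live there, and nobody else
# should be able to read cached answers or drive the daemon.
kresd_prepare_rundir() {
    dir="$1"; upstream="$2"
    saved_umask=$(umask)
    umask 077
    mkdir -p "$dir"
    chmod 0700 "$dir"
    cat > "$dir/config" <<EOF
-- forwarder configuration (Lua): load only the policy module and
-- send every query to the upstream resolver
modules = { 'policy' }
policy:add(policy.all(policy.FORWARD('$upstream')))
EOF
    chmod 0600 "$dir/config"
    umask "$saved_umask"
}

# Succeeds only if the directory denies all access to group and others
# (characters 5-10 of the ls -ld mode string are the group/other bits).
kresd_rundir_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Command line to start kresd in the directory: loopback only, trust anchors
# kept in <dir>/root.keys (bootstrapped from IANA if missing), non-interactive
# with a control socket in the rundir.
kresd_start_cmd() {
    printf 'kresd -a 127.0.0.1 -k %s/root.keys -f 1 %s\n' "$1" "$1"
}

# Print one line per DS/DNSKEY record in a root key file: "DS keytag alg
# digesttype" or "DNSKEY flags protocol alg". TTL and class are optional in
# presentation format, so the record type is located by name, not by field.
kresd_anchor_summary() {
    awk '
        /^[ \t]*;/ || NF == 0 { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "DS")     { print "DS", $(i+1), $(i+2), $(i+3); break }
                if ($i == "DNSKEY") { print "DNSKEY", $(i+1), $(i+2), $(i+3); break }
            }
        }' "$1"
}

# Demo run in a throwaway directory (a real deployment would use a path
# under the user's home, e.g. ~/.kresd).
demo=$(mktemp -d)
kresd_prepare_rundir "$demo/kresd" 192.168.1.1
kresd_rundir_is_private "$demo/kresd"
kresd_start_cmd "$demo/kresd"
# Constructed anchor file with made-up values, only to show the summary format.
printf '; constructed sample, not real root keys\n. IN DS 12345 8 2 0000\n. 172800 IN DNSKEY 257 3 8 AwEAAQ==\n' > "$demo/kresd/root.keys"
kresd_anchor_summary "$demo/kresd/root.keys"
rm -rf "$demo"
```

The summary deliberately drops the digest and key material: the operator compares key tag, algorithm and digest type (and then the full digest, read directly from the file) against the root trust anchor published by IANA, which is the out-of-band check the -k warning asks for.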

See Also

daemon/README.md, https://knot-resolver.readthedocs.io

Authors

kresd developers are mentioned in the Authors file in the distribution.

Info

2016-11-19 CZ.NIC Knot DNS Resolver 1.1.0