List of public DNS-over-TLS test servers: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers

https://www.ctrl.blog/entry/resolvconf-tutorial

systemctl disable --now systemd-resolved.service

https://www.ctrl.blog/entry/knot-dns-resolver-tutorial

/etc/knot-resolver/kresd.conf:

-- vim:syntax=lua:
-- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration

-- Load useful modules
-- Entries of the form 'a < b' position module a's layer before module b's,
-- so the order of this list carries meaning and should not be reshuffled.
modules = {
        'policy',   -- Block queries to local zones/bad sites
        'hints',    -- Load /etc/hosts and allow custom root hints
        'stats',    -- Track internal statistics
        'predict',  -- Prefetch expiring/frequent records
        'serve_stale < cache',    -- layered ahead of the cache
        'workarounds < iterate',  -- layered ahead of the iterator
}

-- See kresd.systemd(7) about configuring network interfaces when using systemd
-- Listen on localhost (default)
-- net = { '127.0.0.1', '::1' }

-- RANDOMIZE SERVERS
-- Every query is forwarded over TLS to one provider picked at random, so no
-- single upstream sees the whole query stream. Which provider handles a given
-- query is not a security boundary, so seeding from the clock is acceptable.
require 'math'
math.randomseed(os.time())

-- One entry per provider; each entry is a server list for policy.TLS_FORWARD.
-- hostname= is what enables certificate name validation for the TLS session.
-- NOTE(review): no ca_file is given; this relies on the installed kresd
-- validating against the system CA store in that case — confirm for the
-- deployed version.
dns_providers = {
        { -- Quad9
                {'9.9.9.9', hostname='dns.quad9.net'},
                {'149.112.112.112', hostname='dns.quad9.net'},
        },
        { -- Cloudflare Resolver
                {'1.1.1.1', hostname='cloudflare-dns.com'},
                {'1.0.0.1', hostname='cloudflare-dns.com'},
        }
}

-- Build one TLS_FORWARD action per provider, in the order listed above.
tls_forwarders = {}
for _, fwdspec in ipairs(dns_providers) do
    tls_forwarders[#tls_forwarders + 1] = policy.TLS_FORWARD(fwdspec)
end

-- Policy hook: ignore the request/query and return a uniformly random
-- forwarder action for every query.
policy.add(function (request, query)
  local pick = math.random(1, #tls_forwarders)
  return tls_forwarders[pick]
end)

-- TRADITIONAL NON-RANDOMIZED
-- policy.add(policy.all(policy.TLS_FORWARD({
--  {'9.9.9.9', hostname='dns.quad9.net'},
--  {'1.1.1.1', hostname='cloudflare-dns.com'},
--  {'149.112.112.112', hostname='dns.quad9.net'},
--  {'1.0.0.1', hostname='cloudflare-dns.com'},
-- })))

-- Cache size
-- 100 MB on-disk/in-memory record cache (MB is a unit constant provided by kresd).
cache.size = 100 * MB

-- Prefetch learning (20-minute blocks over 24 hours)
-- Arguments: window length in minutes, number of windows tracked
-- (20 * 72 = 1440 minutes = one day).
predict.config(20, 72)

Restart:

systemctl disable --now kresd@1.service; systemctl restart kresd.socket