Version of the configuration schema. By default it is the latest supported by the resolver, but a couple of versions back are supported as well.
Name Server Identifier (RFC 5001), which allows DNS clients to request that the resolver send back its NSID along with the reply to a DNS request.
Internal DNS resolver hostname. Default is machine hostname.
Directory where the resolver can create files and which will be its working directory (cwd).
The number of running kresd (Knot Resolver daemon) workers. If set to 'auto', it is equal to the number of CPUs available.
Value must be greater or equal to 1
The maximum number of workers allowed. Cannot be changed at runtime.
Value must be greater or equal to 1
Configuration of management HTTP API.
Path to unix domain socket to listen to.
IP address and port number to listen to.
Configuration of legacy web management endpoint.
Path to unix domain socket to listen to.
IP address or interface name with port number to listen to.
Enable/disable TLS.
Path to certificate file.
Path to certificate key.
Fine-tuning global parameters of DNS resolver operation.
Glue records strictness checking level.
Send minimum amount of information in recursive queries to enhance privacy.
Permits queries to loopback addresses.
Controls whether resource records within a RRSet are reordered each time it is served from the cache.
Randomize Query Character Case.
Initializing the DNS resolver cache with priming queries (RFC 8109).
Protection against DNS Rebinding attack.
Queries without the RD (recursion desired) bit set are answered with REFUSED.
Detection of a difference between the local system time and the expiration time bounds in DNSSEC signatures for '. NS' records.
Workarounds for known DNS protocol violators.
Allows serving timed-out (expired) records when the DNS resolver is unable to contact upstream servers.
Network connections and protocols configuration.
Enable/disable using IPv4 for contacting upstream nameservers.
Enable/disable using IPv6 for contacting upstream nameservers.
IPv4 address used to perform queries. Not set by default, which lets the OS choose any address.
IPv6 address used to perform queries. Not set by default, which lets the OS choose any address.
TCP pipeline limit. The number of outstanding queries that a single client connection can make in parallel.
Value must be greater than or equal to 0 and less than or equal to 65535.
Allows clients to discover the connection timeout. (RFC 7828)
Maximum EDNS payload size advertised in DNS packets. Different values can be configured for communication downstream (towards clients) and upstream (towards other DNS servers).
Maximum EDNS upstream (towards other DNS servers) payload size.
Must match regular expression:^(\d+)(B|K|M|G)$
Maximum EDNS downstream (towards clients) payload size for communication.
Must match regular expression:^(\d+)(B|K|M|G)$
Renumbers addresses in answers to a different address space.
Source subnet.
Destination address prefix.
TLS configuration, also affects DNS over TLS and DNS over HTTPS.
Path to certificate file.
Path to certificate key file.
Secret for TLS session resumption via tickets (RFC 5077).
Path to file with the secret for TLS session resumption via tickets (RFC 5077).
Experimental automatic discovery of authoritative servers supporting DNS-over-TLS.
EDNS(0) padding of queries and answers sent over an encrypted channel.
Value must be greater than or equal to 0 and less than or equal to 512.
PROXYv2 protocol configuration.
Allow usage of the PROXYv2 protocol headers by clients on the specified addresses.
List of interfaces to listen on and their configuration.
Configuration of a listening interface.
IP address or interface name with optional port number to listen to.
Path to unix domain socket to listen to.
Port number to listen to.
Specifies DNS query transport protocol.
Used for binding to a non-local address.
List of views and their configuration.
Configuration parameters that allow you to create personalized policy rules and more.
Identifies the client based on its subnet. A rule with a more specific subnet takes priority.
Destination subnet, as an additional condition.
Transport protocol, as an additional condition.
Direct action for handling requests from clients identified by the view.
Configuration options for clients identified by the view.
Send minimum amount of information in recursive queries to enhance privacy.
Enable/disable DNS64.
Local data for forward records (A/AAAA) and reverse records (PTR).
Default TTL value used for added local data/records.
Must match regular expression:^(\d+)(us|ms|s|m|h|d)$
Use NODATA synthesis. NODATA will be synthesised for a matching name but mismatching type (e.g. an AAAA query when only A exists).
Direct replace of root hints.
Direct replace of root hints from a zonefile.
Direct addition of hostname and IP address pairs.
Direct addition of hostname and IP address pairs from files in '/etc/hosts'-like format.
Direct addition of records in DNS zone file format.
Local data rules.
Local data advanced rule configuration.
Hostname(s).
Must match regular expression:(?=^.{,253}\.?$)(^(?!\.)((?!-)\.?[a-zA-Z0-9-]{,62}[a-zA-Z0-9])+\.?$)|^\.$
Type of subtree.
Address(es) to pair with hostname(s).
Path to file(s) with hostname and IP address(es) pairs in '/etc/hosts'-like format.
Direct addition of records in DNS zone file format.
Optional, TTL value used for these answers.
Must match regular expression:^(\d+)(us|ms|s|m|h|d)$
Optional, use NODATA synthesis. NODATA will be synthesised for a matching name but mismatching type (e.g. an AAAA query when only A exists).
List of Response Policy Zones and their configuration.
Configuration of a Response Policy Zone (RPZ).
Path to the RPZ zone file.
List of forward zones and their configuration.
Configuration of a forward subtree.
Subtree(s) to forward.
Must match regular expression:(?=^.{,253}\.?$)(^(?!\.)((?!-)\.?[a-zA-Z0-9-]{,62}[a-zA-Z0-9])+\.?$)|^\.$
Forward servers configuration.
Forward server configuration.
IP address(es) of a forward server.
Transport protocol for a forward server.
Hash of the accepted CA certificate.
Must match regular expression:^[A-Za-z\d+/]{43}=$
Hostname of the forward server.
Must match regular expression:(?=^.{,253}\.?$)(^(?!\.)((?!-)\.?[a-zA-Z0-9-]{,62}[a-zA-Z0-9])+\.?$)|^\.$
Path to CA certificate file.
Subtree(s) forward options.
Enable/disable DNSSEC.
DNS resolver cache configuration.
Cache storage of the DNS resolver.
Maximum size of the cache.
Must match regular expression:^(\d+)(B|K|M|G)$
Use the garbage collector (kres-cache-gc) to periodically clear cache.
Configuration options of the cache garbage collector (kres-cache-gc).
Time interval at which the garbage collector is run.
Must match regular expression:^(\d+)(us|ms|s|m|h|d)$
Cache usage in percent that triggers the garbage collector.
Value must be greater than or equal to 0 and less than or equal to 100.
Percent of used cache to be freed by the garbage collector.
Value must be greater than or equal to 0 and less than or equal to 100.
Maximum amount of temporary memory for copied keys (0 = unlimited).
Must match regular expression:^(\d+)(B|K|M|G)$
Maximum number of deleted records per read-write transaction (0 = unlimited).
Value must be greater or equal to 0
Maximum number of read records per read-write transaction (0 = unlimited).
Value must be greater or equal to 0
Maximum duration of read-write transaction (0 = unlimited).
Must match regular expression:^(\d+)(us|ms|s|m|h|d)$
Wait time between two read-write transactions.
Must match regular expression:^(\d+)(us|ms|s|m|h|d)$
Run the garbage collector in dry-run mode.
Minimum time-to-live for the cache entries.
Must match regular expression:^(\d+)(us|ms|s|m|h|d)$
Maximum time-to-live for the cache entries.
Must match regular expression:^(\d+)(us|ms|s|m|h|d)$
Time interval for which a nameserver address will be ignored after determining that it does not return (useful) answers.
Must match regular expression:^(\d+)(us|ms|s|m|h|d)$
Prefill the cache periodically by importing zone data obtained over HTTP.
Origin for the imported data. Cache prefilling is only supported for the root zone ('.').
Must match regular expression:(?=^.{,253}\.?$)(^(?!\.)((?!-)\.?[a-zA-Z0-9-]{,62}[a-zA-Z0-9])+\.?$)|^\.$
URL of the zone data to be imported.
Time interval between consecutive refreshes of the imported zone data.
Must match regular expression:^(\d+)(us|ms|s|m|h|d)$
Path to the file containing a CA certificate bundle that is used to authenticate the HTTPS connection.
These options help keep the cache hot by prefetching expiring records or learning usage patterns and repetitive queries.
Prefetch expiring records.
Prefetch record by predicting based on usage patterns and repetitive queries.
Sampling window length.
Must match regular expression:^(\d+)(us|ms|s|m|h|d)$
Number of windows that can be kept in memory.
Value must be greater or equal to 1
Disable DNSSEC, enable it with defaults, or set a new configuration.
DNSSEC configuration.
Allows users of a DNSSEC-validating resolver to detect which root keys are configured in the resolver's chain of trust (RFC 8509).
Signaling Trust Anchor Knowledge in DNSSEC Using Key Tag Query, according to RFC 8145, section 5.
Detection of a difference between the local system time and the expiration time bounds in DNSSEC signatures for '. NS' records.
How many removed keys should be held in history (and key file) before being purged.
Value must be greater or equal to 0
Force trust anchors to be updated periodically at the given interval instead of relying on RFC 5011 logic and TTLs. Intended only for testing purposes.
Must match regular expression:^(\d+)(us|ms|s|m|h|d)$
Modify hold-down timer (RFC 5011). Intended only for testing purposes.
Must match regular expression:^(\d+)(us|ms|s|m|h|d)$
List of trust-anchors in DS/DNSKEY records format.
List of domain names representing negative trust anchors (RFC 7646).
Must match regular expression:(?=^.{,253}\.?$)(^(?!\.)((?!-)\.?[a-zA-Z0-9-]{,62}[a-zA-Z0-9])+\.?$)|^\.$
List of zonefiles where trust-anchors are stored.
Trust-anchor zonefile configuration.
Path to the zonefile that stores trust-anchors.
Blocks zonefile updates according to RFC 5011.
Disable DNS64 (RFC 6147), enable it with defaults, or set a new configuration.
DNS64 (RFC 6147) configuration.
IPv6 prefix to be used for synthesizing AAAA records.
TTL in CNAME generated in the reverse 'ip6.arpa.' subtree.
Must match regular expression:^(\d+)(us|ms|s|m|h|d)$
IPv6 subnets that are disallowed in answers.
Logging and debugging configuration.
Global logging level.
Global logging stream target. "from-env" uses $KRESLOGGINGTARGET and defaults to "stdout".
List of groups for which 'debug' logging level is set.
Log a message for each DNSSEC validation failure.
Logging DNS requests and responses to a unix socket.
Logging DNS queries and responses to a unix socket.
Path to unix domain socket where dnstap messages will be sent.
Log queries from downstream in wire format.
Log responses to downstream in wire format.
Log TCP RTT (Round-trip time).
Advanced debugging parameters for kresd (Knot Resolver daemon).
Allow the process to be aborted in case it encounters a failed assertion.
Fork and abort the child kresd process to obtain a coredump, while the parent process recovers and keeps running.
Must match regular expression:^(\d+)(us|ms|s|m|h|d)$
Metrics exposition configuration (Prometheus, Graphite).
Configures whether the statistics module will be loaded into the resolver.
Optionally configures where Graphite metrics should be sent.
Must match regular expression:(?=^.{,253}\.?$)(^(?!\.)((?!-)\.?[a-zA-Z0-9-]{,62}[a-zA-Z0-9])+\.?$)|^\.$
Value must be greater than or equal to 1 and less than or equal to 65535.
Must match regular expression:^(\d+)(us|ms|s|m|h|d)$
Configuration of rate limiting.
Expected maximum number of blocked networks/hosts at the same time.
Value must be greater or equal to 1
Maximum number of allowed queries per second from a single host.
Value must be greater or equal to 1
Maximum number of allowed queries at a single point in time from a single host.
Value must be greater or equal to 1
Number of restricted responses out of which one is sent as truncated, the others are dropped.
Value must be greater than or equal to 0 and less than or equal to 32.
Minimum time between two log messages, or '0s' to disable.
Must match regular expression:^(\d+)(us|ms|s|m|h|d)$
Perform only classification and logging but no restrictions.
Custom Lua configuration.
Ignore declarative configuration and use only Lua script or file defined in this section.
Custom Lua configuration script.
Path to file that contains Lua configuration script.