Commit 0134f75e authored by Marek Vavruša

support: updated doc, added config examples

parent e0fe89e5
......@@ -155,6 +155,8 @@ Configuration example
-- 10MB cache
cache.size = 10*MB
.. tip:: There are more configuration examples in `etc/` directory for personal, ISP, company internal and resolver cluster use cases.
Configuration syntax
--------------------
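Review bot: the added `.. tip::` line points readers at `etc/` but names no files, and "company internal" does not obviously map to any of the file names this commit adds (`config.cluster`, `config.isp`, `config.personal`, `config.splitview`). Suggest listing each file name next to its use case so the tip can be followed without browsing the tree.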
......
......@@ -78,24 +78,6 @@ Most of the dependencies can be resolved from packages, here's an overview for s
brew install pkg-config libuv luajit cmocka
Getting Docker image
--------------------
Docker images require only either Linux or a Linux VM (see boot2docker_ on OS X).
.. code-block:: bash
$ docker run cznic/knot-resolver
See the `Docker images`_ page for more information and options.
You can hack on the container by changing the container entrypoint to shell like:
.. code-block:: bash
$ docker run -it --entrypoint=/bin/bash cznic/knot-resolver
.. tip:: You can build the Docker image yourself with ``docker build -t knot-resolver scripts``.
Building from sources
---------------------
......@@ -151,7 +133,9 @@ The build system supports both DESTDIR_ and `amalgamated builds <https://www.sql
$ make install DESTDIR=/tmp/stage # Staged install
$ make all install AMALG=yes # Amalgamated build
.. note:: Amalgamated build assembles everything in one source file and compiles it. It is useful for packages, as the compiler sees the whole program and is able to produce a smaller and faster binary. On the other hand, it complicates debugging.
Amalgamated build assembles everything in one source file and compiles it. It is useful for packages, as the compiler sees the whole program and is able to produce a smaller and faster binary. On the other hand, it complicates debugging.
.. tip:: There is a template for service file and AppArmor profile to help you kickstart the package.
Default paths
~~~~~~~~~~~~~
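Review bot: the new `.. tip::` about the service file and AppArmor profile template does not say where the templates are. Suggest adding the path inside the source tree, since packagers are the audience of this paragraph and the AppArmor profile is the piece most likely to be skipped if it is hard to find.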
......@@ -231,6 +215,24 @@ is otherwise unable to find and load modules.
Read the `documentation <deckard_doc>`_ for more information about requirements, how to run it and extend it.
Getting Docker image
--------------------
Docker images require only either Linux or a Linux VM (see boot2docker_ on OS X).
.. code-block:: bash
$ docker run cznic/knot-resolver
See the `Docker images`_ page for more information and options.
You can hack on the container by changing the container entrypoint to shell like:
.. code-block:: bash
$ docker run -it --entrypoint=/bin/bash cznic/knot-resolver
.. tip:: You can build the Docker image yourself with ``docker build -t knot-resolver scripts``.
.. _Docker images: https://registry.hub.docker.com/u/cznic/knot-resolver
.. _libuv: https://github.com/libuv/libuv
.. _MSVC: https://msdn.microsoft.com/en-us/vstudio/hh386302.aspx
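Review bot: both `docker run` examples in the "Getting Docker image" section reference `cznic/knot-resolver` without a tag, so a reader gets whatever the default tag points at on the day they run it. Suggest showing a tagged form, or stating which tag the documentation was written against. Separately, "require only either Linux or a Linux VM" reads awkwardly; "require only Linux or a Linux VM" says the same thing.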
......
-- Config file example useable for larger resolver farms
-- In this case cache should be made as large as possible, and prefetching turned off
-- as the resolver is busy most of the time.
-- Alternative is using `etcd` as a configuration backend.
-- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
-- Listen on localhost and external interface
net = { '127.0.0.1', '::1', '192.168.1.1' }
-- Drop root privileges
user('kresd', 'kresd')
-- Auto-maintain root TA
trust_anchors.file = 'root.keys'
-- Large cache size, so we don't need to flush ever
-- This can be larger than available RAM, least frequently accessed
-- records will be paged out as long as there's enough disk space to back it
cache.size = 100 * GB
-- Load Useful modules
modules = {
'policy', -- Block queries to local zones/bad sites
'cachectl', -- Cache control interface
'hints', -- Load /etc/hosts and allow custom root hints
'stats', -- Track internal statistics
graphite = { -- Send statistics to local InfluxDB
-- `worker.id` allows us to keep per-fork statistics
prefix = hostname()..worker.id,
-- Address of the Graphite/InfluxDB server
host = '192.168.1.2',
},
'redis', -- Allow to use Redis as a cache backend
}
-- Use local root server copy for performance reasons
hints.root({
['j.root-servers.net.'] = { '192.168.1.4', '2001:503:c27::2:30', '192.58.128.30' }
})
-- Apply RPZ for all clients, default rule is DENY
policy:add(policy.rpz(policy.DENY, 'blacklist.rpz'))
-- Optional: use Redis/Memcached as a cache backend which may be distributed between nodes
-- cache.storage = 'redis://127.0.0.1:6398'
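Review bot: the commented `cache.storage = 'redis://127.0.0.1:6398'` line uses port 6398, which looks like a transposition of the Redis default 6379; if 6398 is intended, say so in the comment. Also, `'redis'` is loaded in `modules` while the backend line that would use it stays commented out, so the example loads a module it never uses. Suggest commenting out both or enabling both.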
-- Config file example useable for multi-user ISP resolver
-- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
-- Listen on localhost and external interface
net = { '127.0.0.1', '::1', '192.168.1.1' }
-- Drop root privileges
user('kresd', 'kresd')
-- Auto-maintain root TA
trust_anchors.file = 'root.keys'
-- Large cache size, so we don't need to flush often
-- This can be larger than available RAM, least frequently accessed
-- records will be paged out
cache.size = 4 * GB
-- Load Useful modules
modules = {
'policy', -- Block queries to local zones/bad sites
'view', -- Views for certain clients
'cachectl', -- Cache control interface
'hints', -- Load /etc/hosts and allow custom root hints
'stats', -- Track internal statistics
graphite = { -- Send statistics to local InfluxDB
-- `worker.id` allows us to keep per-fork statistics
prefix = hostname()..worker.id,
-- Address of the Graphite/InfluxDB server
host = '192.168.1.2',
}
}
-- Block all `site.nl` for `10.0.0.0/24` subnet
view:addr('10.0.0.0/24', policy.suffix(policy.DROP, {todname('site.nl')}))
-- Force all clients from `192.168.2.0/24` to TCP
view:addr('192.168.2.0/24', policy.all(policy.TC))
-- Apply RPZ for all clients, default rule is DENY
policy:add(policy.rpz(policy.DENY, 'blacklist.rpz'))
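Review bot: nothing in this file limits which clients may use the resolver. `net` binds `192.168.1.1`, and the two `view:addr` rules only add restrictions for `10.0.0.0/24` and `192.168.2.0/24`; every other source address still gets recursion. For an ISP template, suggest a comment stating that access must be limited to customer ranges (by firewall or by a view rule), so the example is not deployed as an open resolver.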
-- Config file example useable for personal resolver.
-- The goal is to have a validating resolver with tiny memory footprint,
-- while actively tracking and refreshing frequent records to lower user latency.
-- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
-- Listen on localhost (default)
-- net = { '127.0.0.1', '::1' }
-- Drop root privileges
user('kresd', 'kresd')
-- Auto-maintain root TA
trust_anchors.file = 'root.keys'
-- Load Useful modules
modules = {
'policy', -- Block queries to local zones/bad sites
'cachectl', -- Cache control interface
'hints', -- Load /etc/hosts and allow custom root hints
'stats', -- Track internal statistics
'predict', -- Prefetch expiring/frequent records
}
-- Smaller cache size
cache.size = 10 * MB
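Review bot: `user('kresd', 'kresd')` comes before `trust_anchors.file = 'root.keys'`, and the path is relative. Since the comment says the root TA is auto-maintained, the file has to be writable by `kresd`, and where it is looked up depends on the daemon's working directory. Suggest a comment saying so, or an absolute path in the example. The same two lines appear in all four sample configs.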
-- Config file with split-view for internal zone
-- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
-- Listen on localhost and external interface
net = { '127.0.0.1', '::1', '192.168.1.1' }
-- Drop root privileges
user('kresd', 'kresd')
-- Auto-maintain root TA
trust_anchors.file = 'root.keys'
-- Load Useful modules
modules = {
'policy', -- Block queries to local zones/bad sites
'cachectl', -- Cache control interface
'hints', -- Load /etc/hosts and allow custom root hints
'stats', -- Track internal statistics
graphite = { -- Send statistics to local InfluxDB
-- `worker.id` allows us to keep per-fork statistics
prefix = hostname()..worker.id,
-- Address of the Graphite/InfluxDB server
host = '192.168.1.2',
},
-- Use DNS64 with specified NAT64 address
dns64 = 'fe80::21b:77ff:0:0',
}
-- Large cache size, so we don't need to flush often
-- This can be larger than available RAM, least frequently accessed
-- records will be paged out
cache.size = 4 * GB
-- Forward everything below `company.cz` to `192.168.1.3`
policy:add(policy.suffix(policy.FORWARD('192.168.1.3'), {todname('company.cz')}))
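Review bot: `dns64 = 'fe80::21b:77ff:0:0'` puts a link-local (`fe80::/10`) address in the NAT64 slot, so AAAA answers synthesized from it would not be routable beyond the local link. Suggest the well-known prefix `64:ff9b::` from RFC 6052, or an obviously site-specific placeholder, with a comment that the value must match the NAT64 gateway in use.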
etc_SOURCES := icann-ca.pem
etc_SOURCES := icann-ca.pem \
config.cluster \
config.isp \
config.personal \
config.splitview
etc-install: $(DESTDIR)$(ETCDIR)
$(INSTALL) -m 0640 $(addprefix etc/,$(etc_SOURCES)) $(DESTDIR)$(ETCDIR)
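Review bot: the `etc-install` rule applies `-m 0640` to every entry in `etc_SOURCES`, so the four `config.*` samples added to the list are installed straight into `$(ETCDIR)` and are unreadable to ordinary users. They are documentation examples with no secrets in them; suggest installing them 0644 or into a separate examples directory, and keeping 0640 for files that need it.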
......