kresd.conf

-- Switch to unprivileged user --
user('knot-resolver','knot-resolver')
-- Unprivileged
-- verbose(true)
-- Load useful modules
modules = {
        'hints > iterate',  -- Load /etc/hosts and allow custom root hints
        'stats',            -- Track internal statistics
        'predict',          -- Prefetch expiring/frequent records
        'rebinding < iterate',
        'serve_stale < cache',
        'workarounds < iterate'
}
 
-- Cache size
cache.size = 512 * MB
 
-- DNS Flag Day 2020
net.bufsize(1220)
 
-- Import root zone data
modules.load('prefill')
prefill.config({
    ['.'] = {
        url = 'https://www.internic.net/domain/root.zone',
        ca_file = '/etc/ssl/certs/ca-certificates.crt',
        interval = 86400  -- seconds
    }
})
 
-- Prefetch learning
predict.config({
    window = 30, -- 30 minutes sampling window
    period = 24*(60/30) -- track last 24 hours
})
 
-- Block Firefox DoH
policy.add(policy.suffix(policy.DENY, {todname('use-application-dns.net')}))