From f4291b152510eb13b31b59c97c3a49ec83adf528 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 21 Mar 2026 23:10:47 +0100
Subject: vidhar: knot-resolver
---
 hosts/vidhar/dns/default.nix | 89 +++++++++++++-------------------------------
 1 file changed, 26 insertions(+), 63 deletions(-)
(limited to 'hosts/vidhar/dns')
diff --git a/hosts/vidhar/dns/default.nix b/hosts/vidhar/dns/default.nix
index 11e6f55f..14d212e7 100644
--- a/hosts/vidhar/dns/default.nix
+++ b/hosts/vidhar/dns/default.nix
@@ -12,73 +12,36 @@ let
 in filter (v: v != null) (mapAttrsToList toKeyInfo (builtins.readDir dir));
 in {
 config = {
- services.unbound = {
+ services.knot-resolver = {
 enable = true;
- resolveLocalQueries = false;
- stateDir = "/var/lib/unbound";
- localControlSocketPath = "/run/unbound/unbound.ctl";
- enableRootTrustAnchor = false;
 settings = {
- server = {
- interface = ["lo" "lan"];
- prefer-ip6 = true;
- access-control = ["0.0.0.0/0 allow" "::/0 allow"];
- root-hints = "${pkgs.dns-root-data}/root.hints";
- trust-anchor-file = "${pkgs.dns-root-data}/root.key";
- trust-anchor-signaling = false;
- ip-dscp = 20;
-
- num-threads = 12;
- so-reuseport = true;
- msg-cache-slabs = 16;
- rrset-cache-slabs = 16;
- infra-cache-slabs = 16;
- key-cache-slabs = 16;
-
- rrset-cache-size = "100m";
- msg-cache-size = "50m";
- outgoing-range = 8192;
- num-queries-per-thread = 4096;
-
- so-rcvbuf = "4m";
- so-sndbuf = "4m";
-
- # serve-expired = true;
- # serve-expired-ttl = 86400;
- # serve-expired-reply-ttl = 0;
-
- prefetch = true;
- prefetch-key = true;
-
- minimal-responses = false;
-
- extended-statistics = true;
-
- rrset-roundrobin = true;
- use-caps-for-id = true;
-
- do-not-query-localhost = false;
- local-zone = [
- "141.10.in-addr.arpa. transparent"
- "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa. transparent"
- "yggdrasil. transparent"
- ];
- domain-insecure = [
- "141.10.in-addr.arpa."
- "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa."
- "yggdrasil."
- ];
- };
-
- stub-zone = map (name: {
- inherit name;
- stub-addr = "127.0.0.1@5353";
- stub-first = true;
- stub-no-cache = true;
- stub-prime = false;
- }) ["yggdrasil." "arpa.in-addr.10.141." 
"1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa."];
+ network.listen = [
+ { interface = "lo"; }
+ { interface = "lan"; freebind = true; }
+ ];
+ forward = [
+ {
+ subtree = "yggdrasil.";
+ servers = [ { address = "::1@5353"; } ];
+ options.dnssec = false;
+ }
+ {
+ subtree = "141.10.in-addr.arpa.";
+ servers = [ { address = "::1@5353"; } ];
+ options.dnssec = false;
+ }
+ {
+ subtree = "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa.";
+ servers = [ { address = "::1@5353"; } ];
+ options.dnssec = false;
+ }
+ ];
 };
 };
+ fileSystems."/var/cache/knot-resolver" = {
+ fsType = "tmpfs";
+ options = [ "size=200M" "nosuid" "nodev" "noexec" "mode=0700" ];
+ };
 
 systemd.services.knot = {
 unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
-- cgit v1.2.3