For countless years, I used to run a local authoritative DNS server (nsd) together with a recursive DNS server (unbound) to have a custom TLD for my developer purposes (among other benefits). However, today I ran into yet another domain which unbound failed to validate and just returned SERVFAIL. Because enough is enough, I have switched to a high-quality alternative: Knot Resolver.
The neat thing is that I can have a functional custom local TLD just with the recursive DNS server now. Here’s my setup. For illustrational purposes, I call my TLD tld. Just replace it with whatever you want your TLD to be (and whatever isn’t taken yet).
The main configuration file /etc/knot-resolver/kresd.conf (important is the last line):
-- SPDX-License-Identifier: CC0-1.0
-- vim:syntax=lua:set ts=4 sw=4:
-- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/
-- Network interface configuration
net.listen('::1', 53, { kind = 'dns', freebind = true })
-- Load useful modules
modules = {
--'hints > iterate', -- Load /etc/hosts and allow custom root hints
'stats', -- Track internal statistics
'predict', -- Prefetch expiring/frequent records
}
-- Cache size
cache.size = 100 * MB
-- My config
policy.add(policy.rpz(policy.DENY, '/etc/knot-resolver/tld.rpz', false))
And the related zone file for the TLD in /etc/knot-resolver/tld.rpz:
*.tld. AAAA ::1
To make your system use this local resolver, you need to set it in /etc/resolv.conf:
nameserver ::1
(Note: check your system and DHCP settings to make sure your configuration in this file won’t be replaced by other mechanisms.)
If you like, you can even use the same mechanism to block (some) ads and (some) surveillance.
Tagged with: DNS, Knot Resolver
Written: 2024-01-11