PipeToNull/recursive-resolver
Secure recursive resolver using knot-resolver + dnsdist with minimal logging and sane defaults.


First, I set up knot-resolver as a localhost-only recursive resolver on port 5775 (IPv4 and IPv6) and kept it behind dnsdist. DNSSEC validation is enabled, along with QNAME minimization, 0x20 query-name case randomization, strict glue checking (only mandatory glue is trusted; everything else is re-resolved), and rebinding protection (answers that point at private or loopback addresses are dropped) for basic hardening. Cache prefetching (including query prediction), root zone prefilling, and serve-stale keep responses fast and resilient when upstream servers are slow or unreachable. Logging is kept at the crit level, and RPZ blocklists filter ads, trackers, and malware domains at the resolver.
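The following kresd.conf is an added example written for this page to show what the paragraph above looks like as a knot-resolver 5.x Lua configuration; it is not the project's own config file. Paths (trust anchor, CA bundle, RPZ file), the cache size, and the prediction window are assumptions. knot-resolver 6.x moved to a YAML configuration, so this syntax applies to the 5.x series.

```lua
-- /etc/knot-resolver/kresd.conf  (knot-resolver 5.x; example written for this page)

-- Loopback only: dnsdist is the sole client. Port 5775 as in the README.
net.listen('127.0.0.1', 5775, { kind = 'dns' })
net.listen('::1',       5775, { kind = 'dns' })

-- DNSSEC validation: load the root trust anchor (path assumed; distro packages
-- normally do this for you). readonly=true because the file is package-managed.
trust_anchors.add_file('/usr/share/dns/root.key', true)

-- QNAME minimization and 0x20 case randomization are on by default;
-- set the "NO_" flags to false explicitly so nobody silently flips them.
option('NO_MINIMIZE', false)
option('NO_0X20', false)

-- Strict glue checking: only mandatory glue is accepted, other glue is re-resolved.
mode('strict')

-- Rebinding protection: drop answers pointing into private/loopback ranges.
modules.load('rebinding')

-- Cache and serve-stale. serve_stale must sit before 'cache' in the module
-- pipeline so it can answer from expired records when upstreams fail.
cache.size = 256 * MB                     -- assumed size
modules.load('serve_stale < cache')

-- Prefetching of expiring records plus query prediction.
modules.load('predict')
predict.config({ window = 15, period = 6 * (60 / 15) })  -- 15 min window, 6 h of history

-- Root zone prefilling: fetch the root zone once a day instead of walking it.
modules.load('prefill')
prefill.config({
  ['.'] = {
    url      = 'https://www.internic.net/domain/root.zone',
    interval = 86400,
    ca_file  = '/etc/ssl/certs/ca-certificates.crt',   -- assumed path (Debian layout)
  },
})

-- Minimal logging: only critical messages.
log_level('crit')

-- RPZ blocklist (path assumed). policy.DENY answers NXDOMAIN for listed names;
-- the trailing true enables watching the file for changes and reloading it.
policy.add(policy.rpz(policy.DENY, '/etc/knot-resolver/rpz/blocklist.rpz', true))
```

A quick way to confirm the hardening took effect is to resolve a deliberately broken DNSSEC name (for example a domain published with a bad signature) through 127.0.0.1:5775 and check that you get SERVFAIL rather than an answer, and to query a name in your RPZ file and check that it returns NXDOMAIN.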

Next, I set up dnsdist as the public entry point with a packet cache in front of the backend. It only exposes encrypted DNS protocols (DoT on 853 and DoH on 443) over IPv4 and IPv6, with no plaintext port 53 listener. All queries are forwarded to the local knot-resolver backend, while zone-transfer queries (AXFR/IXFR) and the UPDATE and NOTIFY opcodes are refused. Dynamic blocking rate-limits abusive clients (high QPS, NXDOMAIN/SERVFAIL floods, ANY queries, and response-bandwidth spikes). Because no plaintext UDP DNS is exposed, the resolver cannot be used as a UDP reflection/amplification source; the dynamic blocks mainly protect the backend from query floods and cache-busting by connected clients, keeping the setup simple, fast, and reasonably hardened against DoS attempts.
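The dnsdist.conf below is likewise an added example written for this page, not the project's own file. It turns the paragraph above into dnsdist Lua (1.7 or newer syntax): encrypted front ends only, a packet cache on the default pool, both loopback kresd backends, refusal of AXFR/IXFR/UPDATE/NOTIFY, and a dynamic-block rule group. The certificate and key paths, cache size, and every rate threshold are assumptions to be tuned for your traffic.

```lua
-- /etc/dnsdist/dnsdist.conf  (dnsdist 1.7+; example written for this page)

-- Public resolver: accept queries from any source address.
setACL({ '0.0.0.0/0', '::/0' })

-- Encrypted front ends only. There is deliberately no setLocal()/addLocal(),
-- so dnsdist never opens a plaintext port 53. Paths below are assumptions.
local cert = '/etc/dnsdist/tls/fullchain.pem'
local key  = '/etc/dnsdist/tls/privkey.pem'
local tls  = { minTLSVersion = 'tls1.2' }

addTLSLocal('0.0.0.0:853', cert, key, tls)                   -- DoT, IPv4
addTLSLocal('[::]:853',    cert, key, tls)                   -- DoT, IPv6
addDOHLocal('0.0.0.0:443', cert, key, { '/dns-query' }, tls) -- DoH, IPv4
addDOHLocal('[::]:443',    cert, key, { '/dns-query' }, tls) -- DoH, IPv6

-- Backends: the loopback-only kresd instances from kresd.conf.
newServer({ address = '127.0.0.1:5775', name = 'kresd-v4' })
newServer({ address = '[::1]:5775',     name = 'kresd-v6' })

-- Packet cache on the default pool (entry count is an assumed value).
-- staleTTL lets dnsdist serve expired entries briefly if every backend is down.
local pc = newPacketCache(100000, {
  maxTTL = 86400, minTTL = 0, temporaryFailureTTL = 60, staleTTL = 60,
})
getPool(''):setCache(pc)

-- Refuse zone transfers (query types) and UPDATE/NOTIFY (opcodes) before
-- they ever reach the backend.
addAction(OrRule({ QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR) }),
          RCodeAction(DNSRCode.REFUSED))
addAction(OrRule({ OpcodeRule(DNSOpcode.Update), OpcodeRule(DNSOpcode.Notify) }),
          RCodeAction(DNSRCode.REFUSED))

-- Dynamic blocking: each rule is (rate, sampling window in seconds, reason,
-- block duration in seconds). Offending client addresses are dropped for 60 s.
local dbr = dynBlockRulesGroup()
dbr:setQueryRate(50, 10, 'Exceeded query rate', 60)                      -- high QPS
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 20, 10, 'Exceeded NXDOMAIN rate', 60) -- NXDOMAIN flood
dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 10, 'Exceeded SERVFAIL rate', 60) -- SERVFAIL flood
dbr:setQTypeRate(DNSQType.ANY, 5, 10, 'Exceeded ANY rate', 60)            -- ANY queries
dbr:setResponseByteRate(100000, 10, 'Exceeded response bandwidth', 60)    -- bandwidth spikes
dbr:excludeRange({ '127.0.0.0/8', '::1/128' })  -- never block local monitoring

-- dnsdist calls maintenance() every second; applying the group here is what
-- actually installs the dynamic blocks.
function maintenance()
  dbr:apply()
end
```

Run `dnsdist --check-config` after editing to catch syntax errors before restarting. One caveat worth knowing: dynamic blocks are keyed on the client source address, so if the DoH endpoint sits behind a reverse proxy or CDN, all clients share one address and a single abusive client can get everyone blocked; in that deployment either raise the thresholds or terminate TLS on dnsdist directly as shown here.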


Big thanks to the devs behind knot-resolver and dnsdist, this setup wouldn't be possible without them!
