an example split horizontal dns config using knot resolver

knot-resolver.conf

-- vim:syntax=lua:set ts=4 sw=4:
-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/daemon.html#configuration

-- Listen on all interfaces (localhost would not work in Docker)
net.listen('0.0.0.0')
net.listen('0.0.0.0', 853, { kind = 'tls' })
net.listen('0.0.0.0', 443, { kind = 'doh' })
net.listen('0.0.0.0', 8453, { kind = 'webmgmt' })

-- To disable DNSSEC validation, uncomment the following line (not recommended)
-- trust_anchors.remove('.')

-- Load Useful modules
modules = {
	'stats',    -- Track internal statistics
	'http',
	-- 'daf',
--   renumber = {
--       {'83.22.22.12', '192.168.1.0'},
--    },
	'hints',
	  'predict',  -- Prefetch expiring/frequent records
-- 'policy',
--      'view',
    'daf',

}
hints.add_hosts('/etc/knot-resolver/example.hosts.public')
-- view:addr('127.0.0.1', policy.all(policy.DENY))
-- view:addr('127.0.0.0', policy.all(
-- policy.REROUTE({['83.22.22.12'] = '127.3.2.1'})
-- ))

-- policy.add(policy.REROUTE({['83.22.22.12'] = '127.3.2.1'}), true)

-- modules.load('daf')
-- local ffi = require('ffi')
-- policy.add(function (state, req)
--     local answer = req.answer
--     local qry = req:current()
--     if qry.stype ~= kres.type.A then
--             return state
--     end
--     ffi.C.kr_pkt_make_auth_header(answer)
--     answer:rcode(kres.rcode.NOERROR)
--     answer:begin(kres.section.ANSWER)
--     answer:put(qry.sname, 900, answer:qclass(), kres.type.A, '\192\168\1\3')
--     return kres.DONE
-- end)

-- Block all queries with QNAME = example.com
-- daf.add 'qname = example.com deny'

-- Filters can be combined using AND/OR...
-- Block all queries with QNAME match regex and coming from given subnet
-- daf.add 'qname ~ %w+.example.com AND src = 192.0.2.0/24 deny'

-- We also can reroute addresses in response to alternate target
-- This reroutes 1.2.3.4 to localhost
daf.add 'src = 127.0.0.0/8 reroute 83.22.22.0-10.100.0.0'

-- Subnets work too, this reroutes a whole subnet
-- e.g. 192.0.2.55 to 127.0.0.55
-- daf.add 'src = 127.0.0.0/8 reroute 192.0.2.0/24-127.0.0.0'

-- This rewrites all A answers for 'example.com' from
-- whatever the original address was to 127.0.0.2
-- daf.add 'rewrite abc03.example.com. A 10.100.0.147'
-- daf.rules
-- Mirror queries matching given name to DNS logger
-- daf.add 'qname ~ %w+.example.com mirror 127.0.0.2'
-- daf.add 'qname ~ example-%d.com mirror 127.0.0.3@5353'

-- Forward queries from subnet
-- daf.add 'src = 127.0.0.1/8 forward 127.0.0.1@5353'
-- Forward to multiple targets
-- daf.add 'src = 127.0.0.1/8 forward 127.0.0.1@5353,127.0.0.2@5353'

-- Truncate queries based on destination IPs
-- daf.add 'dst = 192.0.2.51 truncate'

-- Smaller cache size
cache.size = 10 * MB
-- verbose(true)
function print_help()
	print('\nUsage\n'
	   .. '=====\n'
	   .. 'Run this container using command:\n'
	   .. '$ docker run -Pti cznic/knot-resolver\n'
	   .. '\n'
	   .. 'Docker will map ports 53, 443, 853, and 8453 to some other numbers, see\n'
	   .. '$ docker ps\n'
	   .. '(column PORTS)\n'
	   .. '53   -> DNS protocol over UDP and TCP\n'
	   .. '443  -> DNS-over-HTTPS protocol\n'
	   .. '853  -> DNS-over-TLS protocol\n'
	   .. '8453 -> web interface\n'
	   .. '\n'
	   .. 'For verbose logging enter following command to prompt below:\n'
	   .. 'verbose(true)\n')
end
print_help()