
Knot DNS

What Is It?

Knot DNS is a high-performance authoritative DNS server. It separates the authoritative server (knot) from the resolver (knot-resolver), providing clearer separation of concerns compared to BIND. It is the primary DNS server used in this course.

Installation

dnf install knot

Key Files and Directories

Path                   Purpose
/etc/knot/knot.conf    Main configuration
/var/lib/knot/         Zone files
/var/log/              Logs (via syslog)

Default Ports

Port   Protocol   Purpose
53     TCP/UDP    DNS queries and zone transfers

Configuration

Knot DNS uses a configuration file typically located at /etc/knot/knot.conf. The syntax is block-based, similar to YAML but with braces.

Minimal Working Configuration

1. Install Knot DNS:

dnf install knot knot-utils
systemctl enable --now knot

2. Configure /etc/knot/knot.conf:

# Global server settings: bind to all IPv4/IPv6 addresses on port 53
# and drop privileges to the knot user/group after startup.
server:
  listen: [ 0.0.0.0@53, ::@53 ]
  user: knot:knot

# Send all log categories at info level and above to syslog.
log:
  - target: syslog
    any: info

# Shared settings for zones; %s in "file" is replaced by the zone name.
template:
  - id: default
    storage: "/var/lib/knot"
    file: "%s.zone"

# Zones to serve; this one loads /var/lib/knot/<vm_name>.sysadm.ee.zone
zone:
  - domain: <vm_name>.sysadm.ee
    template: default

3. Create the Zone File:

Create /var/lib/knot/<vm_name>.sysadm.ee.zone:

$ORIGIN <vm_name>.sysadm.ee.
$TTL 3600
@       IN      SOA     ns1.<vm_name>.sysadm.ee. root.<vm_name>.sysadm.ee. (
                        2024010101      ; Serial
                        6H              ; Refresh
                        1H              ; Retry
                        1W              ; Expire
                        1H )            ; Minimum TTL

@       IN      NS      ns1
ns1     IN      A       <your_vm_ip>
@       IN      A       <your_vm_ip>

4. Validate and Reload:

knotc conf-check
knotc reload

Important Directives

server
Global server settings. listen defines IP/ports.
template
Templates allow you to define common settings for multiple zones. storage defines where zone files live. file defines the naming convention (%s is replaced by the domain name).
zone
Defines the zones to be served.
log
Logging configuration. Can target syslog, stderr, or a file.

Common Commands

# Check status
knotc status

# Reload configuration
knotc reload

# Check configuration syntax
knotc conf-check

# Force zone refresh (if slave)
knotc zone-refresh <zone>

# Stats
knotc stats

Logging and Debugging

  • Logs: By default, logs go to journald (journalctl -u knot).
  • Debug mode: In knot.conf, set any: debug under log target for verbose output.

Troubleshooting checklist:

  1. knotc status — is the server running?
  2. knotc conf-check — syntax errors?
  3. Check file permissions: /var/lib/knot/ must be writable by the knot user.
  4. ss -tulpn | grep 53 — is Knot listening?
  5. Firewalld: Open port 53 (TCP/UDP).

Security Considerations

  • User: Ensure Knot runs as knot, not root.
  • ACLs: Use acl blocks to restrict zone transfers (AXFR) to known slave servers.
  • RRL: Response Rate Limiting is built-in and should be enabled on public servers to prevent amplification attacks.
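The ACL and RRL points above, as an added configuration example that is not part of the course page. It assumes one secondary at the documentation address 192.0.2.10 (a placeholder) and a TSIG key whose secret is a placeholder to be replaced with output from keymgr -t; the acl and key ids are arbitrary names.

```yaml
server:
  listen: [ 0.0.0.0@53, ::@53 ]
  user: knot:knot
  # Response Rate Limiting: at most 200 identical responses per second
  # per client prefix; every 2nd excess response is sent truncated so
  # legitimate clients retry over TCP instead of being dropped outright.
  rate-limit: 200
  rate-limit-slip: 2

# TSIG key shared with the secondary (placeholder secret, replace it).
key:
  - id: xfr_key
    algorithm: hmac-sha256
    secret: REPLACE_WITH_BASE64_SECRET

remote:
  - id: secondary_ns
    address: 192.0.2.10@53
    key: xfr_key

# Only this address, signed with this key, may request AXFR/IXFR.
# Knot denies transfers from anyone not matched by an acl.
acl:
  - id: secondary_xfr
    address: 192.0.2.10
    key: xfr_key
    action: transfer

template:
  - id: default
    storage: "/var/lib/knot"
    file: "%s.zone"

zone:
  - domain: <vm_name>.sysadm.ee
    template: default
    notify: secondary_ns
    acl: secondary_xfr
```

Run knotc conf-check after editing; an unauthenticated AXFR attempt from another host should then be logged as refused rather than answered.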

Further Reading

  • Concepts: DNS
  • SOPs: DNS Management