DOKK / manpages / debian 11 / knot-resolver / kresd.8.en
kresd(8) Knot Resolver 5.3.1 kresd(8)

kresd - full caching DNSSEC-enabled Knot Resolver 5.3.1.

kresd [-a|--addr addr[@port]] [-t|--tls addr[@port]] [-S|--fd fd] [-T|--tlsfd fd] [-c|--config config] [-n|--noninteractive] [-q|--quiet] [-v|--verbose] [-V|--version] [-h|--help] [rundir]

Knot Resolver is a DNSSEC-enabled full caching resolver.

Default mode of operation: when it receives a DNS query it iteratively asks authoritative nameservers starting from root zone (.) and ending with a nameservers authoritative for queried name. Automatic DNSSEC means verification of integrity of authoritative responses by following keys and signatures starting from root. Root trust anchor is automatically bootstrapped from IANA, or you can provide a file with root trust anchors (same format as Unbound or BIND9 root keys file).

The daemon also caches intermediate answers into cache, which by default uses LMDB memory-mapped database. This has a significant advantage over in-memory caches as the process may be stopped and restarted without loss of cache entries. In multi-user scenario a shared cache is potential privacy/security issue, with kresd each user can have resolver cache in their private directory and use it in similar fashion to keychain.

To use a locally running kresd for resolving put

nameserver 127.0.0.1

into resolv.conf(5) and start kresd

The daemon may be configured also as a plain forwarder using query policies. This requires using a config file. Please refer to documentation for configuration file options. It is available at https://knot-resolver.readthedocs.io or in package documentation (available as knot-resolver-doc package in most distributions).

The available CLI options are:

Listen on given address (and port) pair. If no port is given, 53 is used as a default. Option may be passed multiple times to listen on more addresses.
Listen using TLS on given address (and port) pair. If no port is given, 853 is used as a default. Option may be passed multiple times to listen on more addresses.
Listen on given file descriptor(s), passed by supervisor. Option may be passed multiple times to listen on more file descriptors.
Listen using TLS on given file descriptor(s), passed by supervisor. Option may be passed multiple times to listen on more file descriptors.
Set the config file with settings for kresd to read instead of reading the file at the default location (config).
This option is deprecated since 5.0.0!

With this option, the daemon is started in non-interactive mode and instead creates a UNIX socket in rundir that the operator can connect to for interactive session. A number greater than 1 forks the daemon N times, all forks will bind to same addresses and the kernel will load-balance between them on Linux with SO_REUSEPORT support.

If you want multiple concurrent processes supervised in this way, they should be supervised independently (see kresd.systemd(7)).

Daemon will refrain from entering into read-eval-print loop for stdin+stdout.
Daemon will refrain from printing the command prompt.
Increase verbosity. If given multiple times, more information is logged. This is in addition to the verbosity (if any) from the config file.
Show short commandline option help.
Show the version.

kresd.systemd(7), https://knot-resolver.readthedocs.io/en/v5.3.1/

kresd developers are mentioned in the AUTHORS file in the distribution.

2021-03-31 CZ.NIC