Knot Resolver is a caching DNS resolver that can help speed up and secure DNS resolution on your Linux workstation. Here is how you set up Knot Resolver to validate DNSSEC and cache the DNS requests from your local device or set it up as a server for your other devices.

This tutorial is applicable to Knot Resolver version 2.1.0 and newer on Fedora 27. It will be updated to cover Debian 10 “Buster” and Ubuntu 18.04 “Bionic Beaver” in the future, as packaging issues make it more difficult to set up Knot Resolver on those distributions.

This tutorial is split into two sections. The first part deals with getting the service up and running for the local system, and with enabling it as a service for other systems on your network; you’ll have a fully working caching DNS server by the end of it. The second section goes into more detail on configuration to enable some of Knot Resolver’s more advanced features.

Installing and starting Knot Resolver

Knot Resolver works out of the box with all the basic features without any configuration. I’ll get back to enabling some of the more interesting features of Knot Resolver in a later section of the tutorial.

Start by installing the knot-resolver package from your distribution’s package repository using your favorite package manager (e.g. apt or dnf ). This tutorial assumes you’ll be installing version 2.1.0 or later.

There’s just one step to get the service up and running: enable and start an instance of the service using the following command:

systemctl enable --now kresd@1.service

You can then immediately start using Knot Resolver on your local system. However, you must first ensure no other process is managing the /etc/resolv.conf configuration file before proceeding. Please read my extensive tutorial on taking manual control over the DNS configuration on Linux for details. Follow the instructions for configuring /etc/resolv.conf to use a DNS resolver running on localhost in the last section of that tutorial to use your Knot Resolver instance.

Allowing remote connections

By default, Knot Resolver only accepts connections from the local system. This is fine if you intend to use it as a caching resolver for a single device, but you’ll get the best cache hit rate by sharing one DNS cache between all the devices on your network. (It can still be beneficial to also run a local cache on laptops and other devices that roam between different networks.)

Update (2020-06-26): This section previously discussed how to manage Knot’s systemd-activated socket (kresd.socket). Socket activation has been deprecated since Knot Resolver version 5, so those instructions have been removed from the tutorial and replaced with the net.listen instructions below.

You must add a net.listen directive for each IP address you want Knot Resolver to accept incoming connections on. Open /etc/knot-resolver/kresd.conf in your favorite editor and add the following configuration. Adjust the IP to the server’s LAN or WAN address depending on which networks you want it to accept DNS queries from, then restart the kresd@1 service for the change to take effect.

-- listen to local connections
net.listen(net.lo, 53)
-- listen to connections on this IP
net.listen('198.51.100.1', 53)

The last step is to poke a hole in your firewall for incoming DNS connections. The commands below create permissive rules with FirewallD or UFW that accept DNS from any source. Unless you deliberately want Knot Resolver reachable from the public internet, restrict these rules to your local network’s address range (both tools can limit a rule to a source subnet): a resolver that answers queries from anyone is an open resolver and will quickly be abused for DNS amplification attacks.

# Add DNS to the default FirewallD zone (CentOS, Fedora)
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload
# Allow DNS through UFW (Ubuntu)
ufw allow domain
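Firewall rules are one layer; the resolver itself can also refuse to answer clients outside your network, which protects you if the firewall rule is later loosened by mistake. The following kresd.conf is an added example, not configuration from the original tutorial or from the Knot Resolver project. It assumes hypothetical addresses from the RFC 5737 documentation ranges (the server listens on 198.51.100.1 and the LAN is 198.51.100.0/24) and the view/policy module syntax of Knot Resolver 5.x, the version the 2020 update of this page targets.

```lua
-- /etc/knot-resolver/kresd.conf: listen on the LAN but answer only LAN clients.
-- Added example, not the page's or the Knot Resolver project's own configuration.
-- Assumed (hypothetical) addresses: server 198.51.100.1, LAN 198.51.100.0/24.

-- Accept connections on loopback and on the LAN interface address.
net.listen(net.lo, 53)
net.listen('198.51.100.1', 53)

-- The view module lets us choose a policy based on the client's source address.
modules.load('view')

-- Rules are evaluated in order; the first matching rule wins.
-- Clients on loopback and on the LAN are resolved normally.
view:addr('127.0.0.0/8', policy.all(policy.PASS))
view:addr('::1/128', policy.all(policy.PASS))
view:addr('198.51.100.0/24', policy.all(policy.PASS))

-- Everyone else is dropped, so the resolver cannot be used as an open resolver
-- for DNS amplification even if the firewall lets the packets through.
-- Use policy.REFUSE instead of policy.DROP if you prefer an explicit REFUSED
-- answer, which is easier to diagnose from a misconfigured client.
view:addr('0.0.0.0/0', policy.all(policy.DROP))
view:addr('::/0', policy.all(policy.DROP))
```

After restarting the kresd@1 service, a query from a LAN host should be answered while a query from any other address times out (or gets REFUSED, if you chose that action), regardless of the firewall rule in front of the resolver.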