Comprehensive configuration guide for Knot DNS with detailed examples for server settings, zones, ACLs, DNSSEC, and advanced features for Linux DevOps. This guide covers all aspects of configuring Knot DNS for production environments.
Knot DNS uses a centralized configuration system with the main file typically located at /etc/knot/knot.conf. The configuration uses standard YAML syntax with sections for different aspects of the server.
The configuration follows a hierarchical YAML structure:
section-name:
    parameter: value
    sub-section:
        - item1: value1
        - item2: value2
The server section defines global server settings:
server:
    # Listening addresses and ports, written as address@port:
    # all IPv4 interfaces, all IPv6 interfaces, plus localhost on port 5353
    listen: [ 0.0.0.0@53, ::@53, 127.0.0.1@5353 ]

    # Performance tuning
    udp-workers: 4          # UDP worker threads (typically the number of CPU cores)
    tcp-workers: 2          # TCP worker threads
    background-workers: 2   # Threads for zone loading, signing and transfers
    udp-max-payload: 1232   # Maximum UDP payload size advertised via EDNS

    # Process settings
    rundir: /var/run        # Runtime directory (PID file, control socket)
    user: knot:knot         # User and group to run as
Configure the backend database for zone storage:
database:
    storage: /var/lib/knot   # Base directory for zone data
    # Optional: Use Redis/Valkey for zone storage (advanced)
    # zone-db-listen: /run/redis/redis-server.sock
    # zone-db-tls: on
Note: Knot DNS uses LMDB (Lightning Memory-Mapped Database) by default for efficient zone storage. The storage parameter defines the base directory where zone data, journal, and timers are stored automatically.
Define individual zones with their properties:
# Peers used by master/notify below. Knot refers to other servers by remote ID,
# not by bare address.
remote:
    - id: primary
      address: 192.168.1.10
    - id: secondary1
      address: 192.168.1.11

zone:
    # Single zone definition
    - domain: example.com
      file: /var/lib/knot/zones/example.com.zone
      master: [ primary ]                 # Remote to pull zone transfers from
      notify: [ secondary1 ]              # Remotes to notify of changes
      acl: [ transfer_acl, update_acl ]   # Access control lists (IDs from the acl section)
      # DNSSEC settings
      dnssec-signing: on
      dnssec-policy: default
      # Zone file and journal settings
      zonefile-sync: 0        # Sync zone file immediately after changes
      journal-content: all    # What to store in the journal
      semantic-checks: on     # Enable semantic checks on zone load
    # Zones using a template
    - domain: example.net
      file: /var/lib/knot/zones/example.net.zone
      template: default
Use templates to apply common settings to multiple zones:
template:
    # Default template: the template named "default" is applied automatically to
    # every zone that does not name another template
    - id: default
      # Zone file settings (%s is replaced by the zone name)
      file: /var/lib/knot/zones/%s.zone
      zonefile-sync: 0
      # DNSSEC settings
      dnssec-signing: off
      # Transfer settings (remote IDs defined in the remote section)
      master: [ primary ]
      notify: [ secondary1, secondary2 ]
      # ACL settings
      acl: [ transfer_acl ]

    # Template for internal zones, selected per zone with "template: internal"
    - id: internal
      file: /var/lib/knot/zones/internal/%s.zone
      dnssec-signing: on

zone:
    - domain: internal.example.com
      template: internal
    - domain: corp.example.com
      template: internal
Control access to various server functions:
acl:
    # Zone transfer ACL (transfer_key and update_key must exist in the key section)
    - id: transfer_acl
      address: [ 192.168.1.0/24, 10.0.0.0/8 ]
      key: [ transfer_key ]
      action: [ transfer ]
    # Dynamic update ACL
    - id: update_acl
      address: [ 192.168.1.100 ]
      key: [ update_key ]
      action: [ update ]
    # Notification ACL
    - id: notify_acl
      address: [ 192.168.1.10, 192.168.1.11 ]
      action: [ notify ]
    # Query ACL (for access control)
    - id: query_acl
      address: [ 0.0.0.0/0, ::/0 ]   # Allow from anywhere
      action: [ query ]
Note: The key parameter must be specified as an array (e.g., key: [ transfer_key ]), not as a single value.
Define DNSSEC signing policies:
policy:
    - id: default
      # Algorithm settings (Knot spells algorithm names in lowercase)
      algorithm: ecdsap256sha256
      # Key timing
      propagation-delay: 2d   # Time allowed for changes to reach all secondaries
      rrsig-lifetime: 30d     # RRSIG lifetime
      dnskey-ttl: 1h          # DNSKEY TTL
      zsk-lifetime: 60d       # ZSK lifetime; triggers automatic ZSK rollover (optional)
      ksk-lifetime: 365d      # KSK lifetime; triggers automatic KSK rollover (optional)
      # Automatic key management
      cds-cdnskey-publish: rollover   # Publish CDS/CDNSKEY during KSK rollover
      cds-digest-type: sha256         # CDS digest type
Note: Knot DNS handles key rollover automatically. The algorithm parameter supports ECDSAP256SHA256, ECDSAP384SHA384, and ED25519. Key timing parameters control DNSSEC key lifecycle management.
Configure logging for troubleshooting and monitoring:
log:
    # System log (categories: server, control, zone, any)
    - target: syslog
      any: info
      control: debug
    # File logging
    - target: /var/log/knot/knot.log
      any: info
      zone: info
    # Error log
    - target: /var/log/knot/error.log
      any: error
Knot DNS supports query modules for extended functionality. Statistics are enabled by default in modern versions:
# Basic server counters are always available:  knotc stats
# Per-zone and per-query counters need the stats module, configured in a
# mod-stats section and enabled for every zone through the default template:
mod-stats:
    - id: default
      request-protocol: on   # Count requests by transport (UDP/TCP, IPv4/IPv6)
      query-type: on         # Count queries by record type

template:
    - id: default
      global-module: mod-stats/default   # Global modules are allowed in the default template only
Note: Statistics collection is built-in and enabled by default. Use knotc stats server and knotc stats zone <domain> to access statistics. Custom modules like view require specific use cases and additional configuration.
Here’s a complete configuration file for a production environment:
# Knot DNS Configuration
# Production authoritative server

server:
    listen: [ 0.0.0.0@53, ::@53 ]
    udp-workers: 4
    tcp-workers: 2
    udp-max-payload: 1232
    rundir: /var/run
    user: knot:knot

database:
    storage: /var/lib/knot

# TSIG key for the update ACL. Generate a real secret with
# "keymgr -t tsig_update_key" and paste its output here.
key:
    - id: tsig_update_key
      algorithm: hmac-sha256
      secret: REPLACE_WITH_BASE64_SECRET_FROM_KEYMGR

# Peers are referenced by remote ID in master/notify, never by bare address
remote:
    - id: primary
      address: 192.168.1.10
    - id: secondary1
      address: 192.168.1.11
    - id: secondary2
      address: 192.168.1.12

mod-stats:
    - id: global_stats
      request-protocol: on

template:
    # The template named "default" applies to every zone that names no other template
    - id: default
      file: /var/lib/knot/zones/%s.zone
      zonefile-sync: 0
      dnssec-signing: on
      dnssec-policy: default
      master: [ primary ]
      notify: [ secondary1, secondary2 ]
      acl: [ transfer_acl, update_acl ]
      global-module: mod-stats/global_stats   # Server-wide statistics

zone:
    - domain: example.com
      template: default
    - domain: example.net
      template: default
    - domain: internal.example.com
      file: /var/lib/knot/zones/internal/internal.example.com.zone
      dnssec-signing: off   # Internal zones may not need DNSSEC

acl:
    - id: transfer_acl
      address: [ 192.168.1.0/24 ]
      action: [ transfer ]
    - id: update_acl
      address: [ 192.168.1.100 ]
      key: [ tsig_update_key ]
      action: [ update ]

policy:
    - id: default
      algorithm: ecdsap256sha256
      propagation-delay: 2d
      rrsig-lifetime: 30d
      dnskey-ttl: 1h
      ksk-lifetime: 365d   # Enables automatic KSK rollover

log:
    - target: syslog
      any: info
      control: notice
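knotc conf-check reports unknown options and dangling references, but it needs Knot installed and says nothing about ACLs that are syntactically fine yet grant too much. The script below is an added example for this guide, not part of Knot DNS: it reads the layout used on this page (unindented section names, "- id:" list items, "key: value" and "key: [ a, b ]" options) and reports IDs that are referenced but never defined, plus ACLs that grant transfer or update from anywhere without a TSIG key. The embedded configuration is a constructed sample with deliberate mistakes; the option-to-section mapping in REFS covers only the references shown on this page.

```python
"""Static checks for a Knot-style configuration (added example, not part of Knot DNS).
Reads the layout used on this page (unindented "section:", "- id:" list items,
"key: value", "key: [ a, b ]") and reports IDs that are referenced but never defined,
plus ACLs granting transfer/update from anywhere without a TSIG key. It is parsed by
hand: a value such as ::@53 inside [ ] is not a valid plain scalar for a YAML loader."""
import ipaddress

REFS = {"acl": "acl", "master": "remote", "notify": "remote",       # option -> section
        "dnssec-policy": "policy", "template": "template", "key": "key"}
RISKY_ACTIONS = {"transfer", "update"}

def split_values(raw):
    """'a' -> ['a'];  '[ a, b ]' -> ['a', 'b']"""
    raw = raw.strip()
    if raw.startswith("[") and raw.endswith("]"):
        return [v.strip() for v in raw[1:-1].split(",") if v.strip()]
    return [raw] if raw else []

def parse_knot_conf(text):
    """{section: [ {option: [values]}, ... ]}; flat options (as in server:) form one item."""
    conf, section, item = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # strip comments
        body = line.lstrip()
        if not body:
            continue
        if line == body and body.endswith(":"):       # unindented: section header
            section, item = body[:-1], None
            conf.setdefault(section, [])
            continue
        assert section is not None, f"option before any section: {line!r}"
        if body.startswith("- "):                     # new list item
            item = {}
            conf[section].append(item)
            body = body[2:]
        if item is None:                              # flat option under a section
            item = {}
            conf[section].append(item)
        key, _, value = body.partition(":")
        item[key.strip()] = split_values(value)
    return conf

def item_label(item):
    return (item.get("id") or item.get("domain") or ["?"])[0]

def dangling_references(conf):
    """IDs used via master/notify/acl/key/template/dnssec-policy that nothing defines."""
    defined = {sec: {item_label(i) for i in items if i.get("id")} for sec, items in conf.items()}
    problems = []
    for section, items in conf.items():
        for item in items:
            for option, target in REFS.items():
                for name in item.get(option, []):
                    if name not in defined.get(target, set()):
                        problems.append(f"{section} '{item_label(item)}': {option} "
                                        f"references undefined {target} '{name}'")
    return problems

def is_any_network(addr):
    try:   # Knot address ranges (a-b) raise ValueError and count as specific
        return ipaddress.ip_network(addr, strict=False).prefixlen == 0
    except ValueError:
        return False

def open_acls(conf):
    """ACLs allowing transfer or update from anywhere without a TSIG key."""
    findings = []
    for acl in conf.get("acl", []):
        risky = set(acl.get("action", [])) & RISKY_ACTIONS
        if not risky or acl.get("key"):
            continue
        addrs = acl.get("address", [])
        wide = [a for a in addrs if is_any_network(a)]
        if not addrs or wide:                         # no address restriction, or an any-network
            findings.append(f"acl '{item_label(acl)}' allows {'/'.join(sorted(risky))} from "
                            f"{', '.join(wide) or 'any address'} without a TSIG key")
    return findings

# Constructed sample with four deliberate mistakes (marked in the comments).
SAMPLE_CONF = """\
key:
    - id: update_key
      secret: cGxhY2Vob2xkZXI=
acl:
    - id: update_acl
      address: [ 192.168.1.100 ]
      key: [ update_key ]
      action: [ update ]
    - id: open_transfer               # mistake: transfer to the world, no key
      address: [ 0.0.0.0/0, ::/0 ]
      action: [ transfer ]
zone:
    - domain: example.com
      acl: [ update_acl, notify_acl ]  # mistake: notify_acl never defined
      master: [ primary ]              # mistake: no remote section defines it
      template: nosuch                 # mistake: template never defined
"""
```

Run it over /etc/knot/knot.conf from a pre-commit hook or CI job (read the file, then call parse_knot_conf, dangling_references and open_acls) and fail the build on any finding; the "any address" branch catches an ACL that omits address entirely, which Knot treats as matching every source.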
Always validate configuration before applying:
# Check configuration syntax
sudo knotc conf-check
# Show current configuration
sudo knotc conf-show
# Show specific section
sudo knotc conf-show server
Reload configuration without restarting the service:
# Reload configuration
sudo knotc reload
# Reload specific zone
sudo knotc zone-reload example.com
# Flush zones to disk
sudo knotc zone-flush example.com
Before making changes, create a backup:
# Backup current configuration
sudo cp /etc/knot/knot.conf /etc/knot/knot.conf.$(date +%Y%m%d_%H%M%S)
# Or track the file in Git (assumes git init has already been run in /etc/knot)
cd /etc/knot
sudo git add knot.conf
sudo git commit -m "Backup before $(date)"
Configure response rate limiting (RRL) to limit the server's usefulness as a reflector in DNS amplification attacks. In Knot 3.x RRL is the mod-rrl module, applied server-wide through the default template:
mod-rrl:
    - id: default
      rate-limit: 200         # Responses per second allowed per source prefix
      slip: 2                 # Every 2nd limited response is sent truncated (forces TCP retry) instead of dropped
      table-size: 1048576     # Number of hash-table buckets used for counting
      whitelist: [ 192.168.1.0/24 ]   # Sources that are never rate-limited

template:
    - id: default
      global-module: mod-rrl/default   # Enable RRL for all zones
For managing many zones centrally, use a catalog zone (RFC 9432): member zones listed in the catalog are added and removed automatically:
template:
    # Configuration applied to every zone created from the catalog
    - id: catalog-default
      file: /var/lib/knot/zones/%s.zone

zone:
    - domain: catalog.example.com
      file: /var/lib/knot/zones/catalog.example.com.zone
      catalog-role: interpret                 # Create/remove member zones as the catalog changes
      catalog-template: [ catalog-default ]   # Template for the member zones
For high availability setups, list several primaries; Knot tries them in the listed order and falls back to the next when a transfer fails:
remote:
    - id: primary1
      address: 192.168.1.10
    - id: primary2
      address: 192.168.1.11

zone:
    - domain: example.com
      file: /var/lib/knot/zones/example.com.zone
      master: [ primary1, primary2 ]   # Multiple primaries, tried in order
While not part of the main configuration, zone files follow standard DNS format:
$ORIGIN example.com.
$TTL 3600
@       IN SOA ns1.example.com. admin.example.com. (
                2026021401 ; serial
                7200       ; refresh (2 hours)
                3600       ; retry (1 hour)
                1209600    ; expire (2 weeks)
                3600 )     ; minimum (1 hour)
        IN NS    ns1.example.com.
        IN NS    ns2.example.com.
; A records
ns1     IN A     192.168.1.10
ns2     IN A     192.168.1.11
www     IN A     192.168.1.20
mail    IN A     192.168.1.30
; MX records (explicit @ owner: a blank owner here would inherit "mail" from the line above)
@       IN MX 10 mail.example.com.
; CNAME records
ftp     IN CNAME www.example.com.
Validate zone files before loading:
# Check zone file syntax
sudo kzonecheck /var/lib/knot/zones/example.com.zone
# Check specific zone in server
sudo knotc zone-check example.com
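kzonecheck is the authoritative check, but a small parser of the zone-file subset shown above makes the common mistakes visible in CI without Knot installed. The script below is an added example for this guide, not part of Knot DNS: it handles $ORIGIN, $TTL, ";" comments, parenthesised SOA records and blank-owner inheritance, then reports a serial that is not in YYYYMMDDnn form, in-zone NS names and MX targets without an address record, MX records that exist but not at the apex (the blank-owner slip from the section above), and CNAMEs that share an owner with other data. Both embedded zones are constructed samples; the second one contains the mistakes on purpose.

```python
"""Pre-load sanity checks for a master-format zone file (added example, not part of
Knot DNS; kzonecheck remains the authoritative check). Parses the subset used on this
page ($ORIGIN, $TTL, ';' comments, parenthesised SOA, blank-owner inheritance) and
reports a non-YYYYMMDDnn serial, in-zone NS or MX targets without an address record,
MX records that exist but not at the apex, and CNAMEs sharing an owner with other data."""
import re
from collections import defaultdict

def absolute(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return (origin, [(owner, rtype, rdata_tokens), ...])."""
    logical, pending = [], ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        pending = f"{pending} {line}" if pending else line
        if pending.count("(") > pending.count(")"):
            continue                                  # still inside ( ... )
        logical.append(pending.replace("(", " ").replace(")", " "))
        pending = ""
    origin, records, last_owner = "", [], ""
    for line in logical:
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):                 # $TTL etc. do not matter here
            continue
        # A line starting with whitespace inherits the previous owner
        owner = last_owner if line[0].isspace() else absolute(tokens.pop(0), origin)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)                             # optional TTL and class
        records.append((owner, tokens[0].upper(), tokens[1:]))
        last_owner = owner
    return origin, records

def check_zone(text):
    origin, records = parse_zone(text)
    by_type = defaultdict(list)                       # (owner, type) -> [rdata, ...]
    for owner, rtype, rdata in records:
        by_type[(owner, rtype)].append(rdata)
    has_addr = {o for (o, t) in by_type if t in ("A", "AAAA")}
    def in_zone(name):
        return name.endswith("." + origin)
    problems = []
    soa = by_type.get((origin, "SOA"))
    if not soa:
        problems.append("no SOA record at the apex")
    elif not re.fullmatch(r"(19|20)\d{8}", soa[0][2]):
        problems.append(f"SOA serial {soa[0][2]} is not in YYYYMMDDnn form")
    for (ns,) in by_type.get((origin, "NS"), []):
        if in_zone(ns) and ns not in has_addr:
            problems.append(f"in-zone NS {ns} has no A/AAAA record")
    mx = [(o, rd[1]) for (o, t), rds in by_type.items() if t == "MX" for rd in rds]
    if mx and (origin, "MX") not in by_type:
        owners = ", ".join(sorted({o for o, _ in mx}))
        problems.append(f"MX records exist at {owners} but none at the apex")
    for _, target in mx:
        if in_zone(target) and target not in has_addr:
            problems.append(f"MX target {target} has no A/AAAA record")
    for (o, t) in sorted(by_type):
        if t == "CNAME":
            others = sorted(t2 for (o2, t2) in by_type if o2 == o and t2 != "CNAME")
            if others:
                problems.append(f"{o} has a CNAME alongside {', '.join(others)} records")
    return problems

# Constructed samples: GOOD_ZONE follows the layout from this guide, BAD_ZONE has four mistakes.
GOOD_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN SOA ns1.example.com. admin.example.com. (
                2026021401 ; serial
                7200       ; refresh
                3600       ; retry
                1209600    ; expire
                3600 )     ; minimum
        IN NS    ns1.example.com.
        IN NS    ns2.example.com.
ns1     IN A     192.168.1.10
ns2     IN A     192.168.1.11
mail    IN A     192.168.1.30
@       IN MX 10 mail.example.com.
ftp     IN CNAME mail.example.com.
"""
BAD_ZONE = """\
$ORIGIN example.com.
@       IN SOA ns1.example.com. admin.example.com. ( 1 7200 3600 1209600 3600 )
        IN NS    ns1.example.com.
        IN NS    ns2.example.com.   ; no A record for ns2 below
ns1     IN A     192.168.1.10
mail    IN A     192.168.1.30
        IN MX 10 mail.example.com.  ; blank owner: attaches to mail, not the apex
ftp     IN CNAME mail.example.com.
ftp     IN A     192.168.1.40       ; CNAME cannot share an owner with other data
"""
```

Wire check_zone into the validation script before kzonecheck runs: a non-empty result means the file should not reach the server, and the messages name the owner so the fix is obvious.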
Test DNS resolution after configuration:
# Test local resolution
kdig @127.0.0.1 example.com
# Test specific record types
kdig @127.0.0.1 example.com A
# Test DNSSEC validation
kdig @127.0.0.1 example.com A +dnssec
Use knotc conf-check to validate the configuration and kzonecheck to validate zone files before every change. The commands used day to day:
# Check configuration
sudo knotc conf-check
# View server status
sudo knotc conf-show
# Check zone status
sudo knotc zone-status example.com
# Reload configuration
sudo knotc reload
# View logs
sudo journalctl -u knot -f
Store configurations in version control:
# Initialize Git repo for configs
mkdir -p /etc/knot/configs
cd /etc/knot/configs
git init
git add *.conf
git commit -m "Initial configuration"
Include validation in CI/CD pipelines:
#!/bin/bash
# validate-config.sh: run from CI before a new configuration is deployed
set -euo pipefail
shopt -s nullglob   # do not pass a literal "*.zone" to kzonecheck if no files match

# Validate configuration syntax and references (reads /etc/knot/knot.conf unless -c is given)
knotc conf-check

# Validate every zone file; kzonecheck derives the origin from the file name
for zone_file in /var/lib/knot/zones/*.zone; do
    kzonecheck "$zone_file"
done
echo "Configuration validation passed!"
Every DNS deployment is unique. We provide consulting for:
Get personalized assistance: office@linux-server-admin.com | Contact Page.