Knot DNS (knotd)
What Is It?
Knot DNS is a high-performance authoritative-only DNS server developed by CZ.NIC. Unlike a recursive resolver, an authoritative server holds the actual zone data and answers queries only for the zones it is configured to serve. It does not chase referrals, query other servers, or cache answers on behalf of clients.
In this course, knotd serves as the authoritative name server on port 5353, while Knot Resolver (kresd) handles recursive resolution on port 53.
Installation

```bash
dnf install knot
```

This installs both the knotd daemon and the knotc control utility.
Key Files and Directories

| Path | Purpose |
|---|---|
| /etc/knot/knot.conf | Main configuration file (YAML-like syntax) |
| /var/lib/knot/ | Default zone file storage directory |
| /var/lib/knot/zones/ | Recommended directory for zone files |
Configuration
Knot DNS uses a YAML-like configuration format in /etc/knot/knot.conf. Indentation is significant: the items of a section (server, log, zone, ...) must be indented under the section name, and list entries start with a dash.
Minimal Working Configuration
A basic configuration serving one zone on port 5353:

```yaml
server:
    # address@port; 0.0.0.0 and :: bind all IPv4 and IPv6 interfaces
    listen: [ 0.0.0.0@5353, ::@5353 ]

log:
  - target: syslog
    any: info

zone:
  - domain: example.sysadm.ee
    storage: /var/lib/knot/zones/
    file: example.sysadm.ee.zone
```
Important Directives
- `server.listen` — Address and port to listen on. Format: `address@port`. Use `0.0.0.0@5353` for all IPv4 interfaces.
- `zone.domain` — The zone name (e.g., student-vm.sysadm.ee).
- `zone.storage` — Directory where zone files are stored.
- `zone.file` — Zone file name (relative to `storage`).
- `zone.notify` — List of remotes to send NOTIFY messages to when the zone changes.
- `zone.acl` — Access control lists for zone transfers.
- `remote` — Define remote servers (e.g., secondary DNS servers).
- `acl` — Define access control rules.
Configuring Notify and Zone Transfers (Hidden Primary)
To configure knotd as a hidden primary that notifies a secondary server and allows zone transfers:

```yaml
remote:
  - id: central-secondary
    address: 193.40.153.43@53

acl:
  - id: allow-transfer
    address: [ 193.40.153.43, 172.17.89.217 ]
    action: transfer

zone:
  - domain: student-vm.sysadm.ee
    storage: /var/lib/knot/zones/
    file: student-vm.sysadm.ee.zone
    notify: central-secondary
    acl: allow-transfer
```
Zone File Format
Zone files use standard BIND-compatible format. Place them in the storage directory specified in the configuration.
Example forward zone (/var/lib/knot/zones/student-vm.sysadm.ee.zone):

```zone
$TTL 900
@ IN SOA ns1.student-vm.sysadm.ee. admin.student-vm.sysadm.ee. (
        2026031701 ; Serial (YYYYMMDDNN)
        900        ; Refresh (15 min)
        300        ; Retry (5 min)
        7200       ; Expire (2 hours)
        600 )      ; Negative Cache TTL
@         IN NS    ns1.student-vm.sysadm.ee.
@         IN NS    ns.sysadm.ee.
@         IN A     <VM_IP>
ns1       IN A     <VM_IP>
blog      IN CNAME student-vm.sysadm.ee.
inventory IN CNAME student-vm.sysadm.ee.
```

Note the short Expire value: if the secondary cannot reach this primary for two hours it stops answering for the zone altogether. Production zones usually allow days so that a primary outage does not take the zone offline.

Example reverse zone (/var/lib/knot/zones/X.Y.Z.in-addr.arpa.zone, where X.Y.Z are the first three octets of the VM's /24 network written in reverse order):

```zone
$TTL 900
@ IN SOA ns1.student-vm.sysadm.ee. admin.student-vm.sysadm.ee. (
        2026031701 ; Serial
        900        ; Refresh
        300        ; Retry
        7200       ; Expire
        600 )      ; Negative Cache TTL
@            IN NS  ns1.student-vm.sysadm.ee.
@            IN NS  ns.sysadm.ee.
<LAST_OCTET> IN PTR student-vm.sysadm.ee.
```
Trailing dots
FQDNs in zone files must end with a dot (e.g., student-vm.sysadm.ee.). Without the dot, the zone origin is appended, creating an incorrect name like student-vm.sysadm.ee.student-vm.sysadm.ee.
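A quick check for the trailing-dot pitfall, added here as an example (it is not part of the course material and not a Knot DNS tool; `knotc zone-check` will happily load a zone with such names because they are syntactically valid). It scans a zone file for NS, CNAME, PTR, MX and SOA records whose name-valued RDATA contains a dot but does not end with one, which is exactly the case where the origin gets appended, and prints the name the server would actually use. The zone file path and the origin are the caller's arguments; relative names without any dot (such as `ns1`) are left alone, and TXT records are assumed absent because the comment stripping is a plain `;` cut.

```shell
#!/bin/sh
# Added example, not part of the course page or of Knot DNS: flag name-valued
# RDATA in a BIND-style zone file that looks fully qualified (contains a dot)
# but lacks the trailing dot, so the zone origin would be appended to it.
# Usage: check_trailing_dots <zonefile> <origin-without-trailing-dot>
# Exit status is 1 if any suspicious name was found, 0 otherwise.
check_trailing_dots() {
    zonefile=$1
    origin=$2
    awk -v origin="$origin" '
        { sub(/;.*/, "") }                 # drop comments (no TXT records assumed)
        /^[[:space:]]*$/ { next }          # skip blank lines
        /^\$/ { next }                     # skip $TTL / $ORIGIN directives
        {
            # locate the record type; owner and class may be omitted
            for (i = 1; i <= NF; i++)
                if ($i == "NS" || $i == "CNAME" || $i == "PTR" ||
                    $i == "MX" || $i == "SOA") { type = $i; break }
            if (i > NF) next               # A, AAAA, TXT, ... carry no names
            first = (type == "MX") ? i + 2 : i + 1    # MX: preference comes first
            last  = (type == "SOA") ? i + 2 : first   # SOA: MNAME and RNAME
            for (j = first; j <= last && j <= NF; j++) {
                name = $j
                if (name ~ /\./ && name !~ /\.$/) {
                    printf("%s:%d: %s %s -> becomes %s.%s.\n",
                           FILENAME, FNR, type, name, name, origin)
                    bad++
                }
            }
        }
        END { exit (bad > 0 ? 1 : 0) }
    ' "$zonefile"
}

# Run directly as: sh check_zone.sh /var/lib/knot/zones/student-vm.sysadm.ee.zone student-vm.sysadm.ee
if [ "$#" -eq 2 ]; then
    check_trailing_dots "$1" "$2"
fi
```

Run it before `knotc reload` (or from a pre-commit hook if zone files are kept in version control); a non-zero exit means at least one record would resolve to a name like student-vm.sysadm.ee.student-vm.sysadm.ee.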
Common Commands

```bash
# Start the service
systemctl start knot

# Enable at boot
systemctl enable knot

# Check status
systemctl status knot

# Validate configuration
knotc conf-check

# Reload configuration and zones (no restart needed)
knotc reload

# Check a specific zone for errors
knotc zone-check student-vm.sysadm.ee

# Read the current zone data
knotc zone-read student-vm.sysadm.ee

# Trigger a NOTIFY to secondaries
knotc zone-notify student-vm.sysadm.ee
```
Logging and Debugging
knotd logs to syslog by default. View logs with:

```bash
journalctl -u knot

# Or check syslog directly
grep knotd /var/log/messages
```

To increase log verbosity, change the log level in knot.conf:

```yaml
log:
  - target: syslog
    any: debug
```
Security Considerations
- Firewall: Open port 5353 for TCP and UDP:

  ```bash
  firewall-cmd --add-port=5353/tcp --permanent
  firewall-cmd --add-port=5353/udp --permanent
  firewall-cmd --reload
  ```

- File permissions: Zone files should be owned by knot:knot and readable by the knot user:

  ```bash
  chown knot:knot /var/lib/knot/zones/*.zone
  chmod 640 /var/lib/knot/zones/*.zone
  ```

- Zone transfer ACLs: Always restrict zone transfers to known secondaries using `acl` rules.
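The hidden-primary configuration above and the ACL advice here both rely on the secondary's source address alone. An address-only ACL is weak: anything that can send from that address (or from the 172.17.89.217 management host) can pull the whole zone, and the NOTIFY the primary sends is unauthenticated UDP. The fragment below is an added example, not the course's own configuration, showing the address-only ACL next to one that additionally requires a TSIG signature; the key name `xfer-key` and the secret placeholder are assumptions, and the secondary's operator must install the same key on their side before switching over.

```yaml
# Added example (not the course's knot.conf): TSIG-authenticated transfers and NOTIFY.
# Generate a key with:  keymgr -t xfer-key hmac-sha256
# The secret below is a PLACEHOLDER; paste the one keymgr prints.
key:
  - id: xfer-key
    algorithm: hmac-sha256
    secret: <BASE64_SECRET_FROM_KEYMGR>

remote:
  - id: central-secondary
    address: 193.40.153.43@53
    key: xfer-key            # outgoing NOTIFY messages are signed with this key

acl:
  # Weak: any request arriving from this address may transfer the zone.
  - id: allow-transfer-ip-only
    address: 193.40.153.43
    action: transfer

  # Better: the source address must match AND the request must carry a
  # valid signature made with xfer-key. Both conditions are required.
  - id: allow-transfer
    address: 193.40.153.43
    key: xfer-key
    action: transfer

zone:
  - domain: student-vm.sysadm.ee
    storage: /var/lib/knot/zones/
    file: student-vm.sysadm.ee.zone
    notify: central-secondary
    acl: allow-transfer
```

Protect knot.conf itself once it holds a TSIG secret (it should not be world-readable), then run `knotc conf-check` and `knotc reload`. To confirm the ACL bites, request an AXFR from a host that is not listed, e.g. `dig @<VM_IP> -p 5353 student-vm.sysadm.ee AXFR`; it should be refused, and the refusal shows up in `journalctl -u knot`.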
Further Reading
Related Documentation
- Concepts: DNS
- Technologies: Knot Resolver
- SOPs: DNS Management