Policy, access control, data manipulation

This chapter briefly describes rules for access control and for overriding DNS by local or remote sources of data. These rules are declarative, contrary to the imperative Lua commands used before Knot Resolver 6.

The main parts described in this chapter are:

  • views: A means of achieving access control by changing responses based on where the DNS request came from.

  • local-data: Overriding returned DNS data, which also includes blocking.

  • forward: Rules overriding which servers get asked to obtain DNS data.

The so-called tags are used to link clients defined using views and the rules applied to them in local-data.

It is also possible to modify data returned to clients, either by providing DNS64 translation, or IP address renumbering.

Additional features offer protection against various DNS-based attacks, see Rebinding protection and Refuse queries without RD bit.


An incoming request receives a set of tags assigned by views, which restricts what content rules may apply. This principle is very similar to Unbound’s tags (which were a significant inspiration).

A local-data rule may only be applied if its tag-set intersects with the tag-set selected for this client – or if the rule’s tag-set is empty. This matching may be used in quite different ways. Simple usage pattern examples:

  • Rule-focused tags (typical in our examples). Each content rule has a single tag, so the rules are split into disjunct groups, and for each client we choose an arbitrary subset of these groups.

  • Client-focused tags. Each client gets a single tag, so the clients are split into disjunct groups, and for each rule we choose an arbitrary subset of these groups.

  • In any case, typically the majority of content rules don’t have any tags and thus always apply.

Tag names are basically arbitrary, but the number of tags that you use at once in one resolver instance is limited by a constant (see kr_rule_tags_t).