resolver — format of resolver component configuration


General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes the types, sections and items specific to the resolver component configuration.

Repeatable sections/items are marked by the '*' before section/item name.


Configuration directives have attributes of several value types. For a description of the basic types, see configuration(7).

An enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in that case the enumeration description gives the value of every name (in parentheses next to the name). For the other enumerations, the use of names is obligatory.

The following enumerations are used in resolver configuration directives:

enabling (see common(5))

ip-version (see common(5))

dns-type (name-usage optional)

none (0), A (1), NS (2), MD (3), MF (4), CNAME (5), SOA (6), MB (7), MG (8), MR (9), NULL (10), WKS (11), PTR (12), HINFO (13), MINFO (14), MX (15), TXT (16), RP (17), AFSDB (18), X25 (19), ISDN (20), RT (21), NSAP (22), NSAP-PTR (23), SIG (24), KEY (25), PX (26), GPOS (27), AAAA (28), LOC (29), NXT (30), EID (31), NIMLOC (32), SRV (33), ATMA (34), NAPTR (35), KX (36), CERT (37), A6 (38), DNAME (39), SINK (40), OPT (41), APL (42), DS (43), SSHFP (44), IPSECKEY (45), RRSIG (46), NSEC (47), DNSKEY (48), NSEC3 (50), NSEC3PARAM (51), TLSA (52), SPF (99), TKEY (249), TSIG (250), IXFR (251), AXFR (252), MAILB (253), MAILA (254), ANY (255), CAA (257)

dns-class (name-usage optional)

NONE (0), IN (1), CH (3), HS (4), ANY (255)

dns-opcode (name-usage optional)


dns-response (name-usage optional)

NoError (0), FormErr (1), ServFail (2), NXDomain (3), NotImp (4), Refused (5), YXDomain (6), YXRRSet (7), NXRRSet (8), NotAuth (9), NotZone (10), BADVERS (16), BADSIG (17), BADKEY (18), BADTIME (19), BADMODE (20), BADNAME (21), BADALG (22)

dns-qaction (name-usage obligatory)

Action applied to a particular received query.


Query is aborted, no answer.


Query is denied, reply by given code.


Query is resolved from the root servers, accepting trusted answers only.


Query is forwarded to DNS server.


Query is answered according to the configuration settings.

dns-raction (name-usage obligatory)

Action applied to a particular resource record received in a reply.


Query is aborted, no answer.


Query is denied, reply by given code.


Record is added to reply.


Record is removed from reply.

dns-fake (name-usage obligatory)

RR types with faking implemented.


xfr-mode (name-usage obligatory)

Zone transfer modes.


Use the same format as the originator.


Use more messages, one RR per message.


Use one message with all RRs.


Configuration of the resolver library component consists of the following prototypes:

* ns-list name { ... }
* resolver name { ... }
  use-resolver ... ;
  cfg-resolution ... ;


ns-list name {

* server ... ;


This section defines a set of nameservers used by dns-proxy for forwarding.

No "default server set" exists. A typical set of public Internet root servers can be found in the file samples/root-servers.cml, which you can include into your configuration and use here. See the instructions in that file.


At least one server must be specified.

Items & subsections:

server name addr [port port];

Single server description.

name (type: str)

Domain name of server

addr (type: host-list)

List of server IP addresses

port port (type: port, optional, default: 53)

[End of section ns-list description.]

resolver name {

* server ... ;
  search ... ;
  preference ... ;
  edns ... ;
  conf-timeout ... ;
  initial-timeout ... ;
  final-timeout ... ;
  conn-timeout ... ;
  disable-deresolution ... ;


Domain Names Resolver Configuration.

This prototype defines Kernun resolver parameters. It can be used globally, for any Kernun application, or redefined for a particular proxy.

The resolver section is derived from the ns-list section prototype. For a detailed description of it, see above.

Added items & subsections:

search names;

Domain search list.

If omitted, the system domain name is used.

names (type: str-list)


Search list must not be empty.

preference versions;

IP address versions preference.

This item controls the selection of IPv4 and IPv6 addresses obtained by resolving a name. If not set, the default depends on the global Kernun configuration: if no interface has an IPv6 address, only IPv4 addresses are used; otherwise the default behavior according to RFC 3484 is used.

versions (type: ip-version-list)

Ordered list of versions.


Version list must contain one or two items of ipv4/ipv6.

edns [support];

EDNS support.

support (type: enabling, optional, default: enable)

conf-timeout [seconds];

Timeout for resolution of each domain name in configuration.

seconds (type: fract, optional, default: 15)

initial-timeout [seconds];

Timeout for the initial attempt to deresolve (reverse-resolve) the client address.

If this deresolution fails, the client address is logged without a name until the SESSION-END message.

seconds (type: fract, optional, default: 0.200)

final-timeout [seconds];

Timeout used for deresolving client address immediately before logging the SESSION-END message (if the first attempt of client deresolution failed due to INITIAL-TIMEOUT).

seconds (type: fract, optional, default: 5)

conn-timeout [seconds];

Timeout for resolving connection-critical addresses.

This timeout is used for any resolution necessary for the successful progress of a connection, e.g. the server address.

seconds (type: fract, optional, default: 30)

disable-deresolution;

Flag to switch off deresolution (reverse resolution) of IP addresses.

[End of section resolver description.]

use-resolver name;

Resolver Section Specification.

This item defines the name of the global (system) resolver section used in a particular configuration environment. Namely, it is applicable within the SYSTEM section and within any section derived from the PROXY prototype. The former usage defines system-wide values, the latter values valid for a particular proxy.

name (type: name of resolver, see above)

cfg-resolution [max-addrs [min-ttl [def-ttl [max-ttl [hosts-ttl [pool-dir]]]]]];

Attributes for the resolution of domain names in the configuration.

max-addrs (type: uint8, optional, default: 10)

Maximum number of addresses kept for a single domain name.

min-ttl (type: uint32, optional, default: 10)

Minimum TTL accepted, used instead of too-small TTL values (e.g. 0).

def-ttl (type: uint32, optional, default: 1m)

Default TTL used in case of unsuccessful DNS resolution.

max-ttl (type: uint32, optional, default: 1d)

Maximum TTL accepted, used instead of large TTL values.

hosts-ttl (type: uint32, optional, default: 1d)

TTL used for names in /etc/hosts.

pool-dir (type: str, optional, default: "/tmp")

Directory for temporary files used to share results.
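The following configuration fragment is an added, constructed example and is not part of this man page or of the Kernun distribution. It puts the prototypes described above together: an ns-list used for forwarding, a resolver section that (being derived from ns-list) carries its own servers plus the added items, and the use-resolver / cfg-resolution directives. The section names (forwarders, internal, fw), the server names and the addresses (documentation ranges) are invented; the square-bracket list notation and the placement of cfg-resolution inside the system section are assumptions based on configuration(7), so check them against your installed version.

```conf
# Added example, not from the original page. Names and addresses are made up.

# Nameserver set for dns-proxy forwarding (ns-list prototype).
# Instead of listing servers by hand, samples/root-servers.cml
# can be included here, as described above.
ns-list forwarders {
    server ns1.example.net [ 192.0.2.53 ];
    # Second server with both address families and a non-default port.
    server ns2.example.net [ 198.51.100.53 2001:db8::53 ] port 5353;
}

# Resolver parameters (resolver prototype, derived from ns-list).
resolver internal {
    # Inherited ns-list items: at least one server is required.
    server ns1.example.org [ 192.0.2.10 ];
    server ns2.example.org [ 192.0.2.11 2001:db8:1::11 ];

    # Added items.
    search [ example.org corp.example.org ];   # must not be empty
    preference [ ipv6 ipv4 ];                  # one or two of ipv4/ipv6
    edns enable;                               # default is enable
    conf-timeout 15;                           # per name in configuration
    initial-timeout 0.2;                       # first client deresolution try
    final-timeout 5;                           # retry right before SESSION-END
    conn-timeout 30;                           # e.g. server address lookup
    # Uncomment to skip reverse lookups of client addresses entirely:
    # disable-deresolution;
}

# System-wide selection of the resolver and attributes for resolving
# names that appear in the configuration itself.
system fw {
    use-resolver internal;
    # max-addrs min-ttl def-ttl max-ttl hosts-ttl pool-dir
    cfg-resolution 10 10 1m 1d 1d "/var/run/kernun/respool";
}
```

A proxy section derived from the PROXY prototype may carry its own use-resolver item, overriding the system-wide choice for that proxy only. The explicit pool-dir above replaces the default "/tmp": keeping the shared result files in a directory that only the firewall processes can write to avoids mixing them with arbitrary temporary files.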


configuration(7), common(5)