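-- Knot Resolver (kresd) configuration.
-- Refer to manual: https://knot-resolver.readthedocs.io/en/latest/daemon.html#configuration
--
-- The page shows this file collapsed onto one line, which Lua would read as a
-- single `--` comment; statements are restored one per line below.

-- Listen on all interfaces (localhost would not work in Docker)
-- NOTE(review): 0.0.0.0 accepts queries on every interface the container has.
-- If the published port is reachable from untrusted networks this is an open
-- resolver; restrict exposure at the Docker publish address / firewall, or
-- limit clients with the `view` module.
net.listen('0.0.0.0')
-- DNS-over-TLS listener on port 853.
-- NOTE(review): no net.tls(...) certificate is configured in this file; without
-- one kresd serves an ephemeral self-signed certificate, so clients cannot
-- authenticate the server by name - confirm this is intended.
net.listen('0.0.0.0', 853, {tls=true})

-- Auto-maintain root TA
-- This file is the DNSSEC root of trust: kresd needs write access to keep it
-- updated, nothing else should be able to modify it.
trust_anchors.file = '/data/root.keys'

-- Load Useful modules
modules = {
    'policy',               -- Block queries to local zones/bad sites
    'serve_stale < cache',  -- Allows stale-ness by up to one day, after roughly four seconds trying to contact the servers
    'workarounds < iterate', -- Alters resolver behavior on specific broken sub-domains
    'predict',              -- Prefetch expiring/frequent records
    'stats',                -- Track internal statistics
    http = {                -- HTTP server for serving stats etc...
        host = '192.168.2.110',
        port = 8053,
        -- cert = false turns TLS off for this interface, and no access control
        -- is configured here: statistics are served in cleartext to anyone who
        -- can reach host:port. Keep it on a trusted/management network only.
        cert = false,
    },
}

-- Smaller cache size
cache.size = 20 * MB

-- Block Ads and Malware Domains
-- Policy rules are evaluated in order, so this must stay ahead of the
-- catch-all forward rule below. Whoever can write the RPZ file decides which
-- names get blocked; keep it read-only for everything but the update job.
policy.add(policy.rpz(policy.DENY, '/data/blacklist.rpz'))

-- Forward DNS to CloudFlare using TLS
-- `hostname` + `ca_file` make kresd verify the upstream certificate; keep both.
-- Trust is limited to the CA in ca_file, so forwarding fails closed if the
-- upstream chain moves to a different root - monitor for that rather than
-- dropping verification.
policy.add(policy.all(
    policy.TLS_FORWARD({
        {'1.1.1.1', hostname='cloudflare-dns.com', ca_file='/data/DigiCertGlobalRootCA.crt' },
        {'1.0.0.1', hostname='cloudflare-dns.com', ca_file='/data/DigiCertGlobalRootCA.crt' },
    })
))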