Provided by: knot-resolver_5.7.5-1_amd64 
NAME
kresd - full caching DNSSEC-enabled Knot Resolver 5.7.5.
SYNOPSIS
kresd [-a|--addr addr[@port]] [-t|--tls addr[@port]] [-S|--fd fd] [-T|--tlsfd fd] [-c|--config config]
[-n|--noninteractive] [-q|--quiet] [-v|--verbose] [-V|--version] [-h|--help] [rundir]
DESCRIPTION
Knot Resolver is a DNSSEC-enabled full caching resolver.
Default mode of operation: when it receives a DNS query it iteratively asks authoritative nameservers
starting from root zone (.) and ending with a nameservers authoritative for queried name. Automatic
DNSSEC means verification of integrity of authoritative responses by following keys and signatures
starting from root. Root trust anchor is automatically bootstrapped from IANA, or you can provide a file
with root trust anchors (same format as Unbound or BIND9 root keys file).
The daemon also caches intermediate answers into cache, which by default uses LMDB memory-mapped
database. This has a significant advantage over in-memory caches as the process may be stopped and
restarted without loss of cache entries. In multi-user scenario a shared cache is potential
privacy/security issue, with kresd each user can have resolver cache in their private directory and use
it in similar fashion to keychain.
To use a locally running kresd for resolving put
nameserver 127.0.0.1
into resolv.conf(5) and start kresd
The daemon may be configured also as a plain forwarder using query policies. This requires using a
config file. Please refer to documentation for configuration file options. It is available at
https://knot-resolver.readthedocs.io or in package documentation (available as knot-resolver-doc package
in most distributions).
The available CLI options are:
-a addr[@port], --addr=<addr[@port]>
Listen on given address (and port) pair. If no port is given, 53 is used as a default. Option may
be passed multiple times to listen on more addresses.
-t addr[@port], --tls=<addr[@port]>
Listen using TLS on given address (and port) pair. If no port is given, 853 is used as a default.
Option may be passed multiple times to listen on more addresses.
-S fd, --fd=<fd>
Listen on given file descriptor(s), passed by supervisor. Option may be passed multiple times to
listen on more file descriptors.
-T fd, --tlsfd=<fd>
Listen using TLS on given file descriptor(s), passed by supervisor. Option may be passed multiple
times to listen on more file descriptors.
-c config, --config=<config>
Set the config file with settings for kresd to read instead of reading the file at the default
location (config).
-f N, --forks=<N>
This option is deprecated since 5.0.0!
With this option, the daemon is started in non-interactive mode and instead creates a UNIX socket
in rundir that the operator can connect to for interactive session. A number greater than 1 forks
the daemon N times, all forks will bind to same addresses and the kernel will load-balance between
them on Linux with SO_REUSEPORT support.
If you want multiple concurrent processes supervised in this way, they should be supervised
independently (see kresd.systemd(7)).
-n, --noninteractive
Daemon will refrain from entering into read-eval-print loop for stdin+stdout.
-q, --quiet
Daemon will refrain from printing the command prompt.
-v, --verbose
Increase logging to debug level.
-h Show short command-line option help.
-V Show the version.
SEE ALSO
kresd.systemd(7), https://knot-resolver.readthedocs.io/en/v5.7.5/
AUTHORS
kresd developers are mentioned in the AUTHORS file in the distribution.
CZ.NIC 2025-04-24 kresd(8)