Knot Resolver itself doesn't configure forwarding or any resolvers to
forward to. If you want to configure forwarding, you have to provide
Knot Resolver with IP address for the policy.FORWARD() or
policy.TLS_FORWARD() function in kresd.conf. See policy module
documentation for details [1].

Thanks kindly for the pointer. Indeed with this pointer I could inspect my Omnia's instance of kresd and find a kresd.config file which contains:

--Automatically generated file; DO NOT EDIT
modules = {
    'hints > iterate'
  , 'policy'
  , 'stats'
  , predict = {
        window = 30 -- 30 minutes sampling window
      , period = 24*(60/30) -- track last 24 hours
  }
}
hints.config('/tmp/kresd/hints.tmp')
net.bufsize(4096)
net.ipv4=true
net.ipv6=true
cache.open(20*MB)
cache.clear()
policy.add(policy.all(policy.FORWARD({
    '203.12.160.35',
    '203.12.160.36',
})))

Where I have a working sample of configuration then and the FORWARD policy.

The follow-on questions then become:

  1. Can we configure kresd to selectively apply policy.FORWARD based on some criteria
  2. Can the response from the forward be part of those criteria

On 1. I am not clear on 2. It seems the doc (that you linked to) lists FORWARD as a Non-chain action, meaning once it executes no further kresd rules are evaluated, meaning the answer to 2 seems to be NO.

Are you asking how does Turris configure Knot Resolver with the ISP's
DNS resolver as a forwarder? That, I don't know, but a proper place to
ask would probably be the Turris forum [2] or support.

Thanks. The primary objective is not to understand how the Omnia does it, it just happens to be my in situ working example. I'm asking myself can kresd be useful to me in other contexts.

> 2. Is it possible to configure a number of nameservers on the basis of
>    query them all (akin to dnsmasq's --all-servers) and return the
>    first affirmative response?

No.

Alas.

> My interest is acutely related to:
> https://superuser.com/questions/1505755/can-one-configure-name-resolution-to-use-cascading-nameservers
> 
> 
> And I'd happily use kresd on my local machine(s) as well as on my LAN
> DNS (The Omnia) to help resolve names on my .lan while on a VPN!

Do you need to use the VPN's DNS resolvers? If so, why? Are there some
zones that can be resolved only on their DNS resolver? Are you concerned
about "DNS leak" when using VPN?

Same reason I need mine. They resolve VPN specific addresses. Essentially there are addresses my DNS resolves that are not global, they are all on my LAN and only known to my LAN. Likewise on the VPN, there are addresses its DNS resolves that are not global but are all on the VPN (my particular VPN just wins me access to a remote LAN, the one in my office, and it's using a FortiGate SSL firewall that offers a VPN connection).

I'm not sure what you mean by zones, but I'm guessing I've covered that and that the answer is yes, there is a zone my DNS covers, and a zone the VPN DNS covers and then there is the global zone.

Standard resolvers (the systemd resolver for example) permit me access only to two of those zones because they constrain me to one DNS, and any given one DNS (mine or that on the VPN) knows about only two, its LAN and the global.

Thanks kindly for your advice thus far!

Regards,

Bernd.
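
An added example, not part of the original thread or of the Turris-generated file: a kresd.conf fragment that applies forwarding selectively by query-name suffix, using policy.suffix, policy.todnames and policy.STUB from the same policy module. The addresses 192.0.2.53 and 198.51.100.53 and the zone office.example. are placeholders; the two ISP forwarders are the ones quoted above.

```lua
-- Added example: split forwarding by query name (not from the original config).
-- Rules are evaluated in the order they are added; the first matching
-- non-chain action (STUB, FORWARD, ...) ends evaluation for that query.
-- Selection is made on the query name only, never on the upstream's answer.

modules = { 'policy' }

-- Zones that exist only on a private network (placeholders, adjust to taste).
local lan_zones = policy.todnames({ 'lan.' })
local vpn_zones = policy.todnames({ 'office.example.' })

-- Private zones are not signed and do not exist in the public DNS tree,
-- so use STUB (forward without DNSSEC validation) instead of FORWARD.
-- 192.0.2.53 stands in for the LAN resolver (e.g. the router).
policy.add(policy.suffix(policy.STUB('192.0.2.53'), lan_zones))

-- 198.51.100.53 stands in for the resolver reachable through the VPN tunnel.
-- Only names under the VPN zone are sent there, so other lookups are not
-- exposed to the remote network's resolver.
policy.add(policy.suffix(policy.STUB('198.51.100.53'), vpn_zones))

-- Everything else goes to the general-purpose forwarders, with validation.
policy.add(policy.all(policy.FORWARD({
    '203.12.160.35',
    '203.12.160.36',
})))
```

The catch-all rule must stay last: placed first, it would match every query and the two suffix rules would never be reached.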