|
|
@@ -35,6 +35,11 @@
|
|
|
## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
|
|
|
## Example with both IPv4 and IPv6:
|
|
|
## listen_addresses = ['127.0.0.1:53', '[::1]:53']
|
|
|
+##
|
|
|
+## To listen to all IPv4 addresses, use `listen_addresses = ['0.0.0.0:53']`
|
|
|
+## To listen to all IPv4+IPv6 addresses, use `listen_addresses = ['[::]:53']`
|
|
|
+
|
|
|
+listen_addresses = ['127.0.0.1:53']
|
|
|
|
|
|
|
|
|
## Maximum number of simultaneous client connections to accept
|
|
|
@@ -50,7 +55,7 @@ max_clients = 250
|
|
|
# user_name = 'nobody'
|
|
|
|
|
|
|
|
|
-## Require servers (from static + remote sources) to satisfy specific properties
|
|
|
+## Require servers (from remote sources) to satisfy specific properties
|
|
|
|
|
|
# Use servers reachable over IPv4
|
|
|
ipv4_servers = true
|
|
|
@@ -64,6 +69,9 @@ dnscrypt_servers = true
|
|
|
# Use servers implementing the DNS-over-HTTPS protocol
|
|
|
doh_servers = true
|
|
|
|
|
|
+# Use servers implementing the Oblivious DoH protocol
|
|
|
+odoh_servers = false
|
|
|
+
|
|
|
|
|
|
## Require servers defined by remote sources to satisfy specific properties
|
|
|
|
|
|
@@ -146,7 +154,7 @@ keepalive = 30
|
|
|
|
|
|
## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)
|
|
|
|
|
|
-log_level = 6
|
|
|
+# log_level = 2
|
|
|
|
|
|
|
|
|
## Log file for the application, as an alternative to sending logs to
|
|
|
@@ -203,30 +211,40 @@ cert_refresh_delay = 240
|
|
|
# tls_cipher_suite = [52392, 49199]
|
|
|
|
|
|
|
|
|
-## Fallback resolvers
|
|
|
+## Bootstrap resolvers
|
|
|
+##
|
|
|
## These are normal, non-encrypted DNS resolvers, that will be only used
|
|
|
-## for one-shot queries when retrieving the initial resolvers list, and
|
|
|
-## only if the system DNS configuration doesn't work.
|
|
|
+## for one-shot queries when retrieving the initial resolvers list and if
|
|
|
+## the system DNS configuration doesn't work.
|
|
|
##
|
|
|
-## No user application queries will ever be leaked through these resolvers,
|
|
|
-## and they will not be used after IP addresses of resolvers URLs have been found.
|
|
|
-## They will never be used if lists have already been cached, and if stamps
|
|
|
-## don't include host names without IP addresses.
|
|
|
+## No user queries will ever be leaked through these resolvers, and they will
|
|
|
+## not be used after IP addresses of DoH resolvers have been found (if you are
|
|
|
+## using DoH).
|
|
|
+##
|
|
|
+## They will never be used if lists have already been cached, and if the stamps
|
|
|
+## of the configured servers already include IP addresses (which is the case for
|
|
|
+## most of DoH servers, and for all DNSCrypt servers and relays).
|
|
|
+##
|
|
|
+## They will not be used if the configured system DNS works, or after the
|
|
|
+## proxy already has at least one usable secure resolver.
|
|
|
##
|
|
|
-## They will not be used if the configured system DNS works.
|
|
|
## Resolvers supporting DNSSEC are recommended, and, if you are using
|
|
|
-## DoH, fallback resolvers should ideally be operated by a different entity than
|
|
|
-## the DoH servers you will be using, especially if you have IPv6 enabled.
|
|
|
+## DoH, bootstrap resolvers should ideally be operated by a different entity
|
|
|
+## than the DoH servers you will be using, especially if you have IPv6 enabled.
|
|
|
##
|
|
|
-## People in China may need to use 114.114.114.114:53 here.
|
|
|
-## Other popular options include 8.8.8.8 and 1.1.1.1.
|
|
|
+## People in China may want to use 114.114.114.114:53 here.
|
|
|
+## Other popular options include 8.8.8.8, 9.9.9.9 and 1.1.1.1.
|
|
|
##
|
|
|
## If more than one resolver is specified, they will be tried in sequence.
|
|
|
+##
|
|
|
+## TL;DR: put valid standard resolver addresses here. Your actual queries will
|
|
|
+## not be sent there. If you're using DNSCrypt or Anonymized DNS and your
|
|
|
+## lists are up to date, these resolvers will not even be used.
|
|
|
|
|
|
-fallback_resolvers = ['9.9.9.9:53', '8.8.8.8:53']
|
|
|
+bootstrap_resolvers = ['9.9.9.9:53', '8.8.8.8:53']
|
|
|
|
|
|
|
|
|
-## Always use the fallback resolver before the system DNS settings.
|
|
|
+## Always use the bootstrap resolver before the system DNS settings.
|
|
|
|
|
|
ignore_system_dns = true
|
|
|
|
|
|
@@ -313,7 +331,7 @@ block_undelegated = true
|
|
|
## TTL for synthetic responses sent when a request has been blocked (due to
|
|
|
## IPv6 or blocklists).
|
|
|
|
|
|
-reject_ttl = 600
|
|
|
+reject_ttl = 10
|
|
|
|
|
|
|
|
|
|
|
|
@@ -651,36 +669,51 @@ cache_neg_max_ttl = 600
|
|
|
## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
|
|
|
|
|
|
[sources.'public-resolvers']
|
|
|
- urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://download.dnscrypt.net/resolvers-list/v3/public-resolvers.md']
|
|
|
- cache_file = 'public-resolvers.md'
|
|
|
- minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
|
|
|
- refresh_delay = 72
|
|
|
- prefix = ''
|
|
|
+ urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://download.dnscrypt.net/resolvers-list/v3/public-resolvers.md']
|
|
|
+ cache_file = 'public-resolvers.md'
|
|
|
+ minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
|
|
|
+ refresh_delay = 72
|
|
|
+ prefix = ''
|
|
|
|
|
|
## Anonymized DNS relays
|
|
|
|
|
|
[sources.'relays']
|
|
|
- urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/relays.md']
|
|
|
- cache_file = 'relays.md'
|
|
|
- minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
|
|
|
- refresh_delay = 72
|
|
|
- prefix = ''
|
|
|
-
|
|
|
- ## Quad9 over DNSCrypt - https://quad9.net/
|
|
|
+ urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/relays.md']
|
|
|
+ cache_file = 'relays.md'
|
|
|
+ minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
|
|
|
+ refresh_delay = 72
|
|
|
+ prefix = ''
|
|
|
+
|
|
|
+ ## ODoH (Oblivious DoH) servers and relays
|
|
|
+
|
|
|
+ # [sources.'odoh-servers']
|
|
|
+ # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-servers.md', 'https://download.dnscrypt.net/resolvers-list/v3/odoh-servers.md']
|
|
|
+ # cache_file = 'odoh-servers.md'
|
|
|
+ # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
|
|
|
+ # refresh_delay = 24
|
|
|
+ # prefix = ''
|
|
|
+ # [sources.'odoh-relays']
|
|
|
+ # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/odoh-relays.md']
|
|
|
+ # cache_file = 'odoh-relays.md'
|
|
|
+ # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
|
|
|
+ # refresh_delay = 24
|
|
|
+ # prefix = ''
|
|
|
+
|
|
|
+ ## Quad9
|
|
|
|
|
|
# [sources.quad9-resolvers]
|
|
|
- # urls = ['https://www.quad9.net/quad9-resolvers.md']
|
|
|
- # minisign_key = 'RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN'
|
|
|
- # cache_file = 'quad9-resolvers.md'
|
|
|
- # prefix = 'quad9-'
|
|
|
+ # urls = ['https://www.quad9.net/quad9-resolvers.md']
|
|
|
+ # minisign_key = 'RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN'
|
|
|
+ # cache_file = 'quad9-resolvers.md'
|
|
|
+ # prefix = 'quad9-'
|
|
|
|
|
|
## Another example source, with resolvers censoring some websites not appropriate for children
|
|
|
## This is a subset of the `public-resolvers` list, so enabling both is useless
|
|
|
|
|
|
# [sources.'parental-control']
|
|
|
- # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://download.dnscrypt.net/resolvers-list/v3/parental-control.md']
|
|
|
- # cache_file = 'parental-control.md'
|
|
|
- # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
|
|
|
+ # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://download.dnscrypt.net/resolvers-list/v3/parental-control.md']
|
|
|
+ # cache_file = 'parental-control.md'
|
|
|
+ # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
|
|
|
|
|
|
|
|
|
|
|
|
@@ -719,7 +752,7 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys
|
|
|
|
|
|
#
|
|
|
# creds = [
|
|
|
-# { server_name='myserver', client_cert='client.crt', client_key='client.key' }
|
|
|
+# { server_name='*', client_cert='client.crt', client_key='client.key' }
|
|
|
# ]
|
|
|
|
|
|
|
陈国伟