From 08f07cae9c2f6358a01352191abac37061878e9b Mon Sep 17 00:00:00 2001
From: quindecim
Date: Wed, 25 Mar 2020 03:41:55 -0400
Subject: [PATCH] Synced with the main template

---
 config/example-dnscrypt-proxy.toml | 71 ++++++++++++++++++------------
 1 file changed, 43 insertions(+), 28 deletions(-)

diff --git a/config/example-dnscrypt-proxy.toml b/config/example-dnscrypt-proxy.toml
index 3f658e9..9d125f7 100644
--- a/config/example-dnscrypt-proxy.toml
+++ b/config/example-dnscrypt-proxy.toml
@@ -21,10 +21,12 @@
 ## Servers from the "public-resolvers" source (see down below) can
 ## be viewed here: https://dnscrypt.info/public-servers
 ##
-## If this line is commented, all registered servers matching the require_* filters
-## will be used.
+## The proxy will automatically pick working servers from this list.
+## Note that the require_* filters do NOT apply when using this setting.
+##
+## By default, this list is empty and all registered servers matching the
+## require_* filters will be used instead.
 ##
-## The proxy will automatically pick the fastest, working servers from the list.
 ## Remove the leading # first to enable this; lines starting with # are ignored.
 # server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
 
@@ -183,21 +185,23 @@ cert_refresh_delay = 240 # tls_cipher_suite = [52392, 49199] -## Fallback resolver -## This is a normal, non-encrypted DNS resolver, that will be only used +## Fallback resolvers +## These are normal, non-encrypted DNS resolvers, that will be only used ## for one-shot queries when retrieving the initial resolvers list, and ## only if the system DNS configuration doesn't work. -## No user application queries will ever be leaked through this resolver, -## and it will not be used after IP addresses of resolvers URLs have been found. -## It will never be used if lists have already been cached, and if stamps +## No user application queries will ever be leaked through these resolvers, +## and they will not be used after IP addresses of resolvers URLs have been found. +## They will never be used if lists have already been cached, and if stamps ## don't include host names without IP addresses. -## It will not be used if the configured system DNS works. -## A resolver supporting DNSSEC is recommended. +## They will not be used if the configured system DNS works. +## Resolvers supporting DNSSEC are recommended. ## ## People in China may need to use 114.114.114.114:53 here. ## Other popular options include 8.8.8.8 and 1.1.1.1. +## +## If more than one resolver is specified, they will be tried in sequence. -fallback_resolver = '9.9.9.9:53' +fallback_resolvers = ['9.9.9.9:53', '8.8.8.8:53'] ## Always use the fallback resolver before the system DNS settings.
@@ -237,8 +241,10 @@ netprobe_address = '9.9.9.9:53' ## These strings will be added as TXT records to queries. ## Do not use, except on servers explicitly asking for extra data ## to be present. +## encrypted-dns-server can be configured to use this for access control +## in the [access_control] section -# query_meta = ["key1:value1", "key2:value2", "key3:value3"] +# query_meta = ["key1:value1", "key2:value2", "token:MySecretToken"] ## Automatic log files rotation 
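Review bot: The context line kept right after the new `fallback_resolvers` key, `## Always use the fallback resolver before the system DNS settings.`, still uses the singular, so the comment block that follows now describes the old single-value setting; it should read `## Always use the fallback resolvers before the system DNS settings.`. The rename from `fallback_resolver` to `fallback_resolvers` also changes the key name that existing configuration files use, and nothing in the example says so; unless the proxy still accepts the old spelling (not visible here), a line above the key such as `## Note: this key replaces the former single-valued fallback_resolver setting.` would spare operators an unexplained startup failure. The setting that the trailing comment introduces lies outside the hunk.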
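Review bot: The new example value `token:MySecretToken` turns `query_meta` from an opaque key/value example into a credential-shaped one, yet the two added comment lines end at `in the [access_control] section` without saying that a real token placed here is a secret. Since this file is what operators copy and edit, I would finish the added comment with `## A real token is a credential: keep this file readable only by the user running the proxy.` and end the two new lines with periods to match the surrounding comment style. Whether `[access_control]` is the exact section name on the encrypted-dns-server side cannot be checked from this diff.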
@@ -261,7 +267,7 @@ log_files_max_backups = 1 ## Note: if you are using dnsmasq, disable the `dnssec` option in dnsmasq if you ## configure dnscrypt-proxy to do any kind of filtering (including the filters ## below and blacklists). -## But you can still choose resolvers that do DNSSEC validation. +## You can still choose resolvers that do DNSSEC validation. ## Immediately respond to IPv6-related queries with an empty response
@@ -293,9 +299,7 @@ reject_ttl = 600 # Route queries for specific domains to a dedicated set of servers # ################################################################################## -## Example map entries (one entry per line): -## example.com 9.9.9.9 -## example.net 9.9.9.9,8.8.8.8,1.1.1.1 +## See the `example-forwarding-rules.txt` file for an example # forwarding_rules = 'forwarding-rules.txt'
@@ -309,9 +313,7 @@ reject_ttl = 600 ## In addition to acting as a HOSTS file, it can also return the IP address ## of a different name. It will also do CNAME flattening. ## -## Example map entries (one entry per line) -## example.com 10.1.1.1 -## www.google.com forcesafesearch.google.com +## See the `example-cloaking-rules.txt` file for an example # cloaking_rules = 'cloaking-rules.txt'
@@ -331,7 +333,7 @@ cache = true ## Cache size -cache_size = 1024 +cache_size = 4096 ## Minimum TTL for cached entries @@ -395,7 +397,7 @@ cache_neg_max_ttl = 600 [query_log] ## Path to the query log file (absolute, or relative to the same directory as the config file) - ## Can be /dev/stdout to log to the standard output (and set log_files_max_size to 0) + ## On non-Windows systems, can be /dev/stdout to log to the standard output (also set log_files_max_size to 0) # file = 'query.log' 
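Review bot: The replacement comment in the `@@ -293,9 +299,7 @@` hunk points readers at `example-forwarding-rules.txt`, and the `@@ -309,9 +313,7 @@` hunk does the same for `example-cloaking-rules.txt`, but this commit adds neither file (the diffstat shows a single file changed), so both pointers dangle unless those files already ship next to `config/example-dnscrypt-proxy.toml`. The inline examples being removed were self-contained; if the referenced files are not in this repository, I would keep one line such as `## example.com 9.9.9.9` under each pointer so the rule syntax stays visible from the config itself. The rest of the forwarding and cloaking sections lies outside these hunks.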
@@ -533,8 +535,7 @@ cache_neg_max_ttl = 600 ## ## For example, the following rule in a blacklist file: ## *.youtube.* @time-to-sleep -## would block access to YouTube only during the days, and period of the days -## define by the 'time-to-sleep' schedule. +## would block access to YouTube during the times defined by the 'time-to-sleep' schedule. ## ## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00 ## {after= '9:00', before='18:00'} matches 9:00-18:00
@@ -575,7 +576,7 @@ cache_neg_max_ttl = 600 ## must include the prefixes. ## ## If the `urls` property is missing, cache files and valid signatures -## must be already present; This doesn't prevent these cache files from +## must already be present. This doesn't prevent these cache files from ## expiring after `refresh_delay` hours. [sources]
@@ -615,7 +616,6 @@ cache_neg_max_ttl = 600 - ######################################### # Servers with known bugs # #########################################
@@ -626,12 +626,27 @@ cache_neg_max_ttl = 600 # truncate reponses larger than questions as expected by the DNSCrypt protocol. # This prevents large responses from being received, and breaks relaying. # A workaround for the first issue will be applied to servers in list below. +# Quad9 appears to be dropping fragmented UDP queries, but only for some networks. # Do not change that list until the bugs are fixed server-side. broken_query_padding = ['cisco', 'cisco-ipv6', 'cisco-familyshield'] +################################ +# TLS Client Authentication # +################################ + +# This is only useful if you are operating your own, private DoH server(s). +# (for DNSCrypt, see the `query_meta` feature instead) + +[tls_client_auth] + +# creds = [ +# { server_name='myserver', client_cert='client.crt', client_key='client.key' } +# ] + + ################################ # Anonymized DNS # 
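Review bot: The new `[tls_client_auth]` example in the `@@ -626,12 +626,27 @@` hunk hands the proxy a private key through `client_key='client.key'` without saying how that file must be protected or where a relative path is resolved; the `[query_log]` comment earlier in this file spells out "absolute, or relative to the same directory as the config file" for its path, and it is not visible here whether the same rule applies to these entries. I would add above `# creds = [` the line `# client_key is a private credential: keep it readable only by the user running the proxy, and prefer an absolute path.`. In the same hunk, the sentence `# Quad9 appears to be dropping fragmented UDP queries, but only for some networks.` is placed between the description of the padding workaround and `# Do not change that list until the bugs are fixed server-side.`, while no Quad9 entry is added to `broken_query_padding`, so the list reads as incomplete; moving that sentence above the workaround description, or stating that no workaround exists for it, would remove the ambiguity.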
@@ -653,13 +668,13 @@ broken_query_padding = ['cisco', 'cisco-ipv6', 'cisco-familyshield'] ## ## !!! THESE ARE JUST EXAMPLES !!! ## -## Review the list of available relays from the "relays.md` file, and, for each +## Review the list of available relays from the "relays.md" file, and, for each ## server you want to use, define the relays you want connections to go through. ## -## Carefully choose relays and servers so that the are run by different entities. +## Carefully choose relays and servers so that they are run by different entities. ## ## "server_name" can also be set to "*" to define a default route, but this is not -## recommended. if you do so, keep "server_names" short and distinct from relays. +## recommended. If you do so, keep "server_names" short and distinct from relays. # routes = [ # { server_name='example-server-1', via=['anon-example-1', 'anon-example-2'] },