Synced with the main template

2020-03-25 03:41:55 -04:00 · 2020-03-25 03:41:55 -04:00 · 08f07cae9c
parent 730794eaa6
commit 08f07cae9c
1 changed files with 43 additions and 28 deletions
--- a/config/example-dnscrypt-proxy.toml
+++ b/config/example-dnscrypt-proxy.toml
@ -21,10 +21,12 @@
 ## Servers from the "public-resolvers" source (see down below) can
 ## be viewed here: https://dnscrypt.info/public-servers
 ##
-## If this line is commented, all registered servers matching the require_* filters
-## will be used.
+## The proxy will automatically pick working servers from this list.
+## Note that the require_* filters do NOT apply when using this setting.
+##
+## By default, this list is empty and all registered servers matching the
+## require_* filters will be used instead.
 ##
-## The proxy will automatically pick the fastest, working servers from the list.
 ## Remove the leading # first to enable this; lines starting with # are ignored.

 # server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
@ -183,21 +185,23 @@ cert_refresh_delay = 240
 # tls_cipher_suite = [52392, 49199]


-## Fallback resolver
-## This is a normal, non-encrypted DNS resolver, that will be only used
+## Fallback resolvers
+## These are normal, non-encrypted DNS resolvers, that will be only used
 ## for one-shot queries when retrieving the initial resolvers list, and
 ## only if the system DNS configuration doesn't work.
-## No user application queries will ever be leaked through this resolver,
-## and it will not be used after IP addresses of resolvers URLs have been found.
-## It will never be used if lists have already been cached, and if stamps
+## No user application queries will ever be leaked through these resolvers,
+## and they will not be used after IP addresses of resolvers URLs have been found.
+## They will never be used if lists have already been cached, and if stamps
 ## don't include host names without IP addresses.
-## It will not be used if the configured system DNS works.
-## A resolver supporting DNSSEC is recommended.
+## They will not be used if the configured system DNS works.
+## Resolvers supporting DNSSEC are recommended.
 ##
 ## People in China may need to use 114.114.114.114:53 here.
 ## Other popular options include 8.8.8.8 and 1.1.1.1.
+##
+## If more than one resolver is specified, they will be tried in sequence.

-fallback_resolver = '9.9.9.9:53'
+fallback_resolvers = ['9.9.9.9:53', '8.8.8.8:53']


 ## Always use the fallback resolver before the system DNS settings.
@ -237,8 +241,10 @@ netprobe_address = '9.9.9.9:53'
 ## These strings will be added as TXT records to queries.
 ## Do not use, except on servers explicitly asking for extra data
 ## to be present.
+## encrypted-dns-server can be configured to use this for access control
+## in the [access_control] section

-# query_meta = ["key1:value1", "key2:value2", "key3:value3"]
+# query_meta = ["key1:value1", "key2:value2", "token:MySecretToken"]


 ## Automatic log files rotation
@ -261,7 +267,7 @@ log_files_max_backups = 1
 ## Note: if you are using dnsmasq, disable the `dnssec` option in dnsmasq if you
 ## configure dnscrypt-proxy to do any kind of filtering (including the filters
 ## below and blacklists).
-## But you can still choose resolvers that do DNSSEC validation.
+## You can still choose resolvers that do DNSSEC validation.


 ## Immediately respond to IPv6-related queries with an empty response
@ -293,9 +299,7 @@ reject_ttl = 600
 #        Route queries for specific domains to a dedicated set of servers        #
 ##################################################################################

-## Example map entries (one entry per line):
-## example.com 9.9.9.9
-## example.net 9.9.9.9,8.8.8.8,1.1.1.1
+## See the `example-forwarding-rules.txt` file for an example

 # forwarding_rules = 'forwarding-rules.txt'

@ -309,9 +313,7 @@ reject_ttl = 600
 ## In addition to acting as a HOSTS file, it can also return the IP address
 ## of a different name. It will also do CNAME flattening.
 ##
-## Example map entries (one entry per line)
-## example.com     10.1.1.1
-## www.google.com  forcesafesearch.google.com
+## See the `example-cloaking-rules.txt` file for an example

 # cloaking_rules = 'cloaking-rules.txt'

@ -331,7 +333,7 @@ cache = true

 ## Cache size

-cache_size = 1024
+cache_size = 4096


 ## Minimum TTL for cached entries
@ -395,7 +397,7 @@ cache_neg_max_ttl = 600
 [query_log]

  ## Path to the query log file (absolute, or relative to the same directory as the config file)
-  ## Can be /dev/stdout to log to the standard output (and set log_files_max_size to 0)
+  ## On non-Windows systems, can be /dev/stdout to log to the standard output (also set log_files_max_size to 0)

  # file = 'query.log'

@ -533,8 +535,7 @@ cache_neg_max_ttl = 600
 ##
 ## For example, the following rule in a blacklist file:
 ## *.youtube.* @time-to-sleep
-## would block access to YouTube only during the days, and period of the days
-## define by the 'time-to-sleep' schedule.
+## would block access to YouTube during the times defined by the 'time-to-sleep' schedule.
 ##
 ## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
 ## {after= '9:00', before='18:00'} matches 9:00-18:00
@ -575,7 +576,7 @@ cache_neg_max_ttl = 600
 ## must include the prefixes.
 ##
 ## If the `urls` property is missing, cache files and valid signatures
-## must be already present; This doesn't prevent these cache files from
+## must already be present. This doesn't prevent these cache files from
 ## expiring after `refresh_delay` hours.

 [sources]
@ -615,7 +616,6 @@ cache_neg_max_ttl = 600



-
 #########################################
 #        Servers with known bugs        #
 #########################################
@ -626,12 +626,27 @@ cache_neg_max_ttl = 600
 # truncate reponses larger than questions as expected by the DNSCrypt protocol.
 # This prevents large responses from being received, and breaks relaying.
 # A workaround for the first issue will be applied to servers in list below.
+# Quad9 appears to be dropping fragmented UDP queries, but only for some networks.
 # Do not change that list until the bugs are fixed server-side.

 broken_query_padding = ['cisco', 'cisco-ipv6', 'cisco-familyshield']



+################################
+#   TLS Client Authentication  #
+################################
+
+# This is only useful if you are operating your own, private DoH server(s).
+# (for DNSCrypt, see the `query_meta` feature instead)
+
+[tls_client_auth]
+
+# creds = [
+#    { server_name='myserver', client_cert='client.crt', client_key='client.key' }
+# ]
+
+

 ################################
 #        Anonymized DNS        #
@ -653,13 +668,13 @@ broken_query_padding = ['cisco', 'cisco-ipv6', 'cisco-familyshield']
 ##
 ## !!! THESE ARE JUST EXAMPLES !!!
 ##
-## Review the list of available relays from the "relays.md` file, and, for each
+## Review the list of available relays from the "relays.md" file, and, for each
 ## server you want to use, define the relays you want connections to go through.
 ##
-## Carefully choose relays and servers so that the are run by different entities.
+## Carefully choose relays and servers so that they are run by different entities.
 ##
 ## "server_name" can also be set to "*" to define a default route, but this is not
-## recommended. if you do so, keep "server_names" short and distinct from relays.
+## recommended. If you do so, keep "server_names" short and distinct from relays.

 # routes = [
 #    { server_name='example-server-1', via=['anon-example-1', 'anon-example-2'] },