From 0f95c7c9d11e7b7149d3c64d2c00917fc9e4fbde Mon Sep 17 00:00:00 2001 From: quindecim Date: Sat, 19 Dec 2020 04:37:10 -0500 Subject: [PATCH] [UPSTREAM] - Add recommendation for fallback resolvers in the example config https://github.com/DNSCrypt/dnscrypt-proxy/commit/77f81cc8c2aeb8b0efac16ea1e110910d7225242 --- config/dnscrypt-proxy.toml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/config/dnscrypt-proxy.toml b/config/dnscrypt-proxy.toml index 471f0fe..c21ca0b 100644 --- a/config/dnscrypt-proxy.toml +++ b/config/dnscrypt-proxy.toml @@ -209,12 +209,16 @@ dnscrypt_ephemeral_keys = true ## These are normal, non-encrypted DNS resolvers, that will be only used ## for one-shot queries when retrieving the initial resolvers list, and ## only if the system DNS configuration doesn't work. +## ## No user application queries will ever be leaked through these resolvers, ## and they will not be used after IP addresses of resolvers URLs have been found. ## They will never be used if lists have already been cached, and if stamps ## don't include host names without IP addresses. +## ## They will not be used if the configured system DNS works. -## Resolvers supporting DNSSEC are recommended. +## Resolvers supporting DNSSEC are recommended, and, if you are using +## DoH, fallback resolvers should ideally be operated by a different entity than +## the DoH servers you will be using, especially if you have IPv6 enabled. ## ## People in China may need to use 114.114.114.114:53 here. ## Other popular options include 8.8.8.8 and 1.1.1.1. @@ -744,7 +748,7 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys { server_name='dnscrypt.one', via=['anon-ibksturm', 'anon-serbica'] }, { server_name='dnscrypt.pl', via=['anon-dnscrypt.one', 'anon-meganerd'] }, { server_name='dnscrypt.uk-ipv4', via=['anon-kama', 'anon-scaleway'] }, - { server_name='ev-va', via=['anon-inconnu', 'anon-plan9-dns'] }, + { server_name='ev-canada', via=['anon-inconnu', 'anon-plan9-dns'] }, { server_name='faelix-ch-ipv4', via=['anon-ibksturm', 'anon-kama'] }, { server_name='faelix-uk-ipv4', via=['anon-meganerd', 'anon-v.dnscrypt.uk-ipv4'] }, { server_name='ffmuc.net', via=['anon-acsacsar-ams-ipv4', 'anon-dnscrypt.one'] },