diff --git a/config/dnscrypt-proxy.toml b/config/dnscrypt-proxy.toml index ee3b4c6..d4e1cd8 100644 --- a/config/dnscrypt-proxy.toml +++ b/config/dnscrypt-proxy.toml @@ -346,6 +346,7 @@ reject_ttl = 600 # cloak_ttl = 600 + ########################### # DNS cache # ########################### @@ -381,6 +382,20 @@ cache_neg_max_ttl = 600 +######################################## +# Captive portal handling # +######################################## + +[captive_portals] + +## A file that contains a set of names used by operating systems to +## check for connectivity and captive portals, along with hard-coded +## IP addresses to return. + +# map_file = 'example-captive-portals.txt' + + + ################################## # Local DoH server # ################################## @@ -688,7 +703,7 @@ cache_neg_max_ttl = 600 # The list below enables workarounds to make non-relayed usage more reliable # until the servers are fixed. -fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cleanbrowsing-adult', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-security'] +fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cleanbrowsing-adult', 'cleanbrowsing-adult-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-security', 'cleanbrowsing-security-ipv6'] @@ -726,8 +741,8 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys ## DNSCrypt stamp) or a server name. ## ## The following example routes "example-server-1" via `anon-example-1` or `anon-example-2`, -## and "example-server-2" via the relay whose relay DNS stamp -## is "sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM". +## and "example-server-2" via the relay whose relay DNS stamp is +## "sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM". ## ## !!! THESE ARE JUST EXAMPLES !!! ## @@ -736,8 +751,15 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys ## ## Carefully choose relays and servers so that they are run by different entities. ## -## "server_name" can also be set to "*" to define a default route, but this is not -## recommended. If you do so, keep "server_names" short and distinct from relays. +## "server_name" can also be set to "*" to define a default route, for all servers: +## { server_name='*', via=['anon-example-1', 'anon-example-2'] } +## +## If a route is ["*"], the proxy automatically picks a relay on a distinct network. +## { server_name='*', via=['*'] } is also an option, but is likely to be suboptimal. +## +## Manual selection is always recommended over automatic selection, so that you can +## select (relay,server) pairs that work well and fit your own criteria (close by or +## in different countries, operated by different entities, on distinct ISPs...) routes = [ { server_name='acsacsar-ams-ipv4', via=['anon-meganerd', 'anon-scaleway-ams'] }, @@ -776,8 +798,10 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys # { server_name='example-server-2', via=['sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM'] } ] +# routes = { server_name='*', via = ['*'] } -# skip resolvers incompatible with anonymization instead of using them directly + +# Skip resolvers incompatible with anonymization instead of using them directly skip_incompatible = true @@ -833,4 +857,4 @@ direct_cert_fallback = false [static] # [static.'myserver'] - # stamp = 'sdns:AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg' + # stamp = 'sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'