From 3f91b8dd2a207fc6addeed28be838fdd99f4bb73 Mon Sep 17 00:00:00 2001 From: quindecim Date: Thu, 19 Dec 2019 11:10:10 -0500 Subject: [PATCH] Synced with the main template --- config/dnscrypt-proxy.toml | 32 ++++++++++++++++++++---------- config/example-dnscrypt-proxy.toml | 29 ++++++++++++++++++--------- 2 files changed, 41 insertions(+), 20 deletions(-) diff --git a/config/dnscrypt-proxy.toml b/config/dnscrypt-proxy.toml index c066e78..ae9e731 100644 --- a/config/dnscrypt-proxy.toml +++ b/config/dnscrypt-proxy.toml @@ -198,7 +198,7 @@ dnscrypt_ephemeral_keys = true fallback_resolver = '91.239.100.100:53' -## Always use the fallback resolver before the system DNS settings +## Always use the fallback resolver before the system DNS settings. ignore_system_dns = true @@ -256,13 +256,17 @@ log_files_max_backups = 1 # Filters # ######################### +## Note: if you are using dnsmasq, disable the `dnssec` option in dnsmasq if you +## configure dnscrypt-proxy to do any kind of filtering (including the filters +## below and blacklists). +## But you can still choose resolvers that do DNSSEC validation. + + ## Immediately respond to IPv6-related queries with an empty response ## This makes things faster when there is no IPv6 connectivity, but can ## also cause reliability issues with some stub resolvers. -## Do not enable if you added a validating resolver such as dnsmasq in front -## of the proxy. -block_ipv6 = true +block_ipv6 = false ## Immediately respond to A and AAAA queries for host names without a domain name @@ -270,6 +274,12 @@ block_ipv6 = true block_unqualified = true +## Immediately respond to queries for local zones instead of leaking them to +## upstream resolvers (always causing errors or timeouts). + +block_undelegated = true + + ## TTL for synthetic responses sent when a request has been blocked (due to ## IPv6 or blacklists). 
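Review bot: `block_ipv6` is flipped from `true` to `false` in the deployed config/dnscrypt-proxy.toml while the commit message describes only a template sync; that is a runtime change, because IPv6-related queries that were answered locally with an empty response will now be forwarded upstream, and on a host without IPv6 connectivity that reintroduces the delays the surrounding comment warns about. If the flip is intentional, a line above the new value recording the reason would keep the next sync from reverting it blindly, e.g. `## Kept in line with the upstream template; set to true only on hosts without IPv6 connectivity.` The new dnsmasq note (added to the same hunk of config/example-dnscrypt-proxy.toml as well) says what to do but not why; one more line such as `## Synthesised block responses carry no DNSSEC signatures, so a validating forwarder treats them as bogus.` would make the requirement self-explanatory.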
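Review bot: `block_undelegated = true` is a key that only newer dnscrypt-proxy releases recognise, and as far as I recall the daemon refuses to start when its config contains a key it does not know, so deploying this synced file against an older binary would take the resolver down rather than degrade gracefully. Worth confirming the installed version supports the option before this lands; the same line is added to config/example-dnscrypt-proxy.toml in its corresponding hunk. A hint in the comment would help future syncs, e.g. `## Requires a dnscrypt-proxy release that knows this option; remove it if the daemon rejects the key at startup.`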
@@ -382,7 +392,7 @@ cache_neg_max_ttl = 600 [query_log] - ## Path to the query log file (absolute, or relative to the same directory as the executable file) + ## Path to the query log file (absolute, or relative to the same directory as the config file) ## Can be /dev/stdout to log to the standard output (and set log_files_max_size to 0) # file = 'query.log' @@ -409,7 +419,7 @@ cache_neg_max_ttl = 600 [nx_log] - ## Path to the query log file (absolute, or relative to the same directory as the executable file) + ## Path to the query log file (absolute, or relative to the same directory as the config file) # file = 'nx.log' @@ -439,7 +449,7 @@ cache_neg_max_ttl = 600 [blacklist] - ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file) + ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file) blacklist_file = 'blacklist.txt' @@ -467,7 +477,7 @@ cache_neg_max_ttl = 600 [ip_blacklist] - ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file) + ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file) # blacklist_file = 'ip-blacklist.txt' @@ -495,7 +505,7 @@ cache_neg_max_ttl = 600 [whitelist] - ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the executable file) + ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the config file) # whitelist_file = 'whitelist.txt' 
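Review bot: The reworded comment in the `[blacklist]` hunk now says `blacklist_file = 'blacklist.txt'` is resolved relative to the config file rather than the executable, presumably reflecting a change in how newer releases resolve relative paths, and this is the one hunk where the key is active rather than commented out. If the deployed `blacklist.txt` currently sits next to the binary and that directory differs from the config directory, the file will no longer be found; whether that fails startup or merely drops the filtering should be checked, since either way the intended blocking is lost. The same comment change appears in the `[query_log]`, `[nx_log]`, `[ip_blacklist]` and `[whitelist]` hunks, where the keys are commented out and nothing needs to move. A short note beside the active key would make the prerequisite visible, e.g. `## blacklist.txt must be in the same directory as this file.`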
@@ -635,7 +645,7 @@ broken_query_padding = ['cisco', 'cisco-ipv6', 'cisco-familyshield'] ## A relay can be specified as a DNS Stamp (either a relay stamp, or a ## DNSCrypt stamp), an IP:port, a hostname:port, or a server name. ## -## The following example routes "example-server-1" via `anon-example-1` or `anon-example-2``, +## The following example routes "example-server-1" via `anon-example-1` or `anon-example-2`, ## and "example-server-2" via the relay whose relay DNS stamp ## is "sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM". ## @@ -673,4 +683,4 @@ broken_query_padding = ['cisco', 'cisco-ipv6', 'cisco-familyshield'] [static] # [static.'myserver'] - # stamp = 'sdns:AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg' \ No newline at end of file + # stamp = 'sdns:AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg' diff --git a/config/example-dnscrypt-proxy.toml b/config/example-dnscrypt-proxy.toml index 98e2985..3f658e9 100644 --- a/config/example-dnscrypt-proxy.toml +++ b/config/example-dnscrypt-proxy.toml @@ -200,7 +200,7 @@ cert_refresh_delay = 240 fallback_resolver = '9.9.9.9:53' -## Always use the fallback resolver before the system DNS settings +## Always use the fallback resolver before the system DNS settings. ignore_system_dns = true @@ -258,11 +258,15 @@ log_files_max_backups = 1 # Filters # ######################### +## Note: if you are using dnsmasq, disable the `dnssec` option in dnsmasq if you +## configure dnscrypt-proxy to do any kind of filtering (including the filters +## below and blacklists). +## But you can still choose resolvers that do DNSSEC validation. + + ## Immediately respond to IPv6-related queries with an empty response ## This makes things faster when there is no IPv6 connectivity, but can ## also cause reliability issues with some stub resolvers. -## Do not enable if you added a validating resolver such as dnsmasq in front -## of the proxy. block_ipv6 = false 
@@ -272,6 +276,12 @@ block_ipv6 = false block_unqualified = true +## Immediately respond to queries for local zones instead of leaking them to +## upstream resolvers (always causing errors or timeouts). + +block_undelegated = true + + ## TTL for synthetic responses sent when a request has been blocked (due to ## IPv6 or blacklists). @@ -384,7 +394,7 @@ cache_neg_max_ttl = 600 [query_log] - ## Path to the query log file (absolute, or relative to the same directory as the executable file) + ## Path to the query log file (absolute, or relative to the same directory as the config file) ## Can be /dev/stdout to log to the standard output (and set log_files_max_size to 0) # file = 'query.log' @@ -411,7 +421,7 @@ cache_neg_max_ttl = 600 [nx_log] - ## Path to the query log file (absolute, or relative to the same directory as the executable file) + ## Path to the query log file (absolute, or relative to the same directory as the config file) # file = 'nx.log' @@ -441,7 +451,7 @@ cache_neg_max_ttl = 600 [blacklist] - ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file) + ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file) # blacklist_file = 'blacklist.txt' @@ -469,7 +479,7 @@ cache_neg_max_ttl = 600 [ip_blacklist] - ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file) + ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file) # blacklist_file = 'ip-blacklist.txt' @@ -497,7 +507,7 @@ cache_neg_max_ttl = 600 [whitelist] - ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the executable file) + ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the config file) # whitelist_file = 'whitelist.txt' 
@@ -637,7 +647,7 @@ broken_query_padding = ['cisco', 'cisco-ipv6', 'cisco-familyshield'] ## A relay can be specified as a DNS Stamp (either a relay stamp, or a ## DNSCrypt stamp), an IP:port, a hostname:port, or a server name. ## -## The following example routes "example-server-1" via `anon-example-1` or `anon-example-2``, +## The following example routes "example-server-1" via `anon-example-1` or `anon-example-2`, ## and "example-server-2" via the relay whose relay DNS stamp ## is "sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM". ## @@ -664,3 +674,4 @@ broken_query_padding = ['cisco', 'cisco-ipv6', 'cisco-familyshield'] # [static.'myserver'] # stamp = 'sdns:AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg' +