diff --git a/config/dnscrypt-proxy.toml b/config/dnscrypt-proxy.toml index 7839d3a..c189b6e 100644 --- a/config/dnscrypt-proxy.toml +++ b/config/dnscrypt-proxy.toml @@ -39,7 +39,7 @@ server_names = ['acsacsar-ams-ipv4', 'altername', 'ams-dnscrypt-nl', 'bcn-dnscry ## To listen to all IPv4 addresses, use `listen_addresses = ['0.0.0.0:53']` ## To listen to all IPv4+IPv6 addresses, use `listen_addresses = ['[::]:53']` -listen_addresses = ['127.0.0.1:53'] +listen_addresses = ['127.0.0.1:5354'] ## Maximum number of simultaneous client connections to accept @@ -94,7 +94,7 @@ disabled_server_names = [] ## (dnscrypt-proxy will always encrypt everything even using UDP), and can ## only increase latency. -force_tcp = false +force_tcp = true ## SOCKS proxy @@ -128,7 +128,7 @@ keepalive = 30 ## Multiple networks can be listed; they will be randomly chosen. ## These networks don't have to match your actual networks. -# edns_client_subnet = ["0.0.0.0/0", "2001:db8::/32"] +# edns_client_subnet = ['0.0.0.0/0', '2001:db8::/32'] ## Response for blocked queries. Options are `refused`, `hinfo` (default) or @@ -168,7 +168,7 @@ blocked_query_response = 'refused' ## When using a log file, only keep logs from the most recent launch. - log_file_latest = true +# log_file_latest = true ## Use the system logger (syslog on Unix, Event Log on Windows) @@ -214,7 +214,7 @@ dnscrypt_ephemeral_keys = true ## Bootstrap resolvers ## ## These are normal, non-encrypted DNS resolvers, that will be only used -## for one-shot queries when retrieving the initial resolvers list and the +## for one-shot queries when retrieving the initial resolvers list and if ## the system DNS configuration doesn't work. ## ## No user queries will ever be leaked through these resolvers, and they will @@ -454,20 +454,20 @@ cache_neg_max_ttl = 600 [query_log] - ## Path to the query log file (absolute, or relative to the same directory as the config file) - ## Can be set to /dev/stdout in order to log to the standard output. +## Path to the query log file (absolute, or relative to the same directory as the config file) +## Can be set to /dev/stdout in order to log to the standard output. - file = 'query.log' +# file = 'query.log' - ## Query log format (currently supported: tsv and ltsv) +## Query log format (currently supported: tsv and ltsv) - format = 'tsv' +format = 'tsv' - ## Do not log these query types, to reduce verbosity. Keep empty to log everything. +## Do not log these query types, to reduce verbosity. Keep empty to log everything. - # ignored_qtypes = ['DNSKEY', 'NS'] +# ignored_qtypes = ['DNSKEY', 'NS'] @@ -481,19 +481,19 @@ cache_neg_max_ttl = 600 [nx_log] - ## Path to the query log file (absolute, or relative to the same directory as the config file) +## Path to the query log file (absolute, or relative to the same directory as the config file) - file = 'nx.log' +# file = 'nx.log' - ## Query log format (currently supported: tsv and ltsv) +## Query log format (currently supported: tsv and ltsv) - format = 'tsv' +format = 'tsv' ###################################################### -# Pattern-based blocking (blocklists) # +# Pattern-based blocking (blocklists) # ###################################################### ## Blocklists are made of one pattern per line. Example of valid patterns: @@ -511,19 +511,19 @@ cache_neg_max_ttl = 600 [blocked_names] - ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file) +## Path to the file of blocking rules (absolute, or relative to the same directory as the config file) - blocked_names_file = 'blocked-names.txt' +blocked_names_file = 'blocked-names.txt' - ## Optional path to a file logging blocked queries +## Optional path to a file logging blocked queries - log_file = 'blocked-names.log' +# log_file = 'blocked-names.log' - ## Optional log format: tsv or ltsv (default: tsv) +## Optional log format: tsv or ltsv (default: tsv) - # log_format = 'tsv' +# log_format = 'tsv' @@ -539,24 +539,24 @@ cache_neg_max_ttl = 600 [blocked_ips] - ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file) +## Path to the file of blocking rules (absolute, or relative to the same directory as the config file) - blocked_ips_file = 'blocked-ips.txt' +blocked_ips_file = 'blocked-ips.txt' - ## Optional path to a file logging blocked queries +## Optional path to a file logging blocked queries - # log_file = 'blocked-ips.log' +# log_file = 'blocked-ips.log' - ## Optional log format: tsv or ltsv (default: tsv) +## Optional log format: tsv or ltsv (default: tsv) - # log_format = 'tsv' +# log_format = 'tsv' ###################################################### -# Pattern-based allow lists (blocklists bypass) # +# Pattern-based allow lists (blocklists bypass) # ###################################################### ## Allowlists support the same patterns as blocklists @@ -567,19 +567,19 @@ cache_neg_max_ttl = 600 [allowed_names] - ## Path to the file of allow list rules (absolute, or relative to the same directory as the config file) +## Path to the file of allow list rules (absolute, or relative to the same directory as the config file) - allowed_names_file = 'allowed-names.txt' +allowed_names_file = 'allowed-names.txt' - ## Optional path to a file logging allowed queries +## Optional path to a file logging allowed queries - # log_file = 'allowed-names.log' +# log_file = 'allowed-names.log' - ## Optional log format: tsv or ltsv (default: tsv) +## Optional log format: tsv or ltsv (default: tsv) - # log_format = 'tsv' +# log_format = 'tsv' @@ -595,18 +595,18 @@ cache_neg_max_ttl = 600 [allowed_ips] - ## Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file) +## Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file) - allowed_ips_file = 'allowed-ips.txt' +allowed_ips_file = 'allowed-ips.txt' - ## Optional path to a file logging allowed queries +## Optional path to a file logging allowed queries - # log_file = 'allowed-ips.log' +# log_file = 'allowed-ips.log' - ## Optional log format: tsv or ltsv (default: tsv) +## Optional log format: tsv or ltsv (default: tsv) - # log_format = 'tsv' +# log_format = 'tsv' @@ -627,21 +627,21 @@ cache_neg_max_ttl = 600 [schedules] - # [schedules.'time-to-sleep'] - # mon = [{after='21:00', before='7:00'}] - # tue = [{after='21:00', before='7:00'}] - # wed = [{after='21:00', before='7:00'}] - # thu = [{after='21:00', before='7:00'}] - # fri = [{after='23:00', before='7:00'}] - # sat = [{after='23:00', before='7:00'}] - # sun = [{after='21:00', before='7:00'}] + # [schedules.time-to-sleep] + # mon = [{after='21:00', before='7:00'}] + # tue = [{after='21:00', before='7:00'}] + # wed = [{after='21:00', before='7:00'}] + # thu = [{after='21:00', before='7:00'}] + # fri = [{after='23:00', before='7:00'}] + # sat = [{after='23:00', before='7:00'}] + # sun = [{after='21:00', before='7:00'}] - # [schedules.'work'] - # mon = [{after='9:00', before='18:00'}] - # tue = [{after='9:00', before='18:00'}] - # wed = [{after='9:00', before='18:00'}] - # thu = [{after='9:00', before='18:00'}] - # fri = [{after='9:00', before='17:00'}] + # [schedules.work] + # mon = [{after='9:00', before='18:00'}] + # tue = [{after='9:00', before='18:00'}] + # wed = [{after='9:00', before='18:00'}] + # thu = [{after='9:00', before='18:00'}] + # fri = [{after='9:00', before='17:00'}] @@ -669,40 +669,40 @@ cache_neg_max_ttl = 600 [sources] - ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers + ### An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers - [sources.'public-resolvers'] + [sources.public-resolvers] urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md'] cache_file = 'public-resolvers.md' minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' refresh_delay = 72 prefix = '' - ## Anonymized DNS relays + ### Anonymized DNS relays - [sources.'relays'] + [sources.relays] urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md'] cache_file = 'relays.md' minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' refresh_delay = 72 prefix = '' - ## ODoH (Oblivious DoH) servers and relays + ### ODoH (Oblivious DoH) servers and relays - # [sources.'odoh-servers'] + # [sources.odoh-servers] # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-servers.md'] # cache_file = 'odoh-servers.md' # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' # refresh_delay = 24 # prefix = '' - # [sources.'odoh-relays'] + # [sources.odoh-relays] # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-relays.md'] # cache_file = 'odoh-relays.md' # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' # refresh_delay = 24 # prefix = '' - ## Quad9 + ### Quad9 # [sources.quad9-resolvers] # urls = ['https://www.quad9.net/quad9-resolvers.md'] @@ -710,13 +710,13 @@ cache_neg_max_ttl = 600 # cache_file = 'quad9-resolvers.md' # prefix = 'quad9-' - ## Another example source, with resolvers censoring some websites not appropriate for children - ## This is a subset of the `public-resolvers` list, so enabling both is useless + ### Another example source, with resolvers censoring some websites not appropriate for children + ### This is a subset of the `public-resolvers` list, so enabling both is useless - # [sources.'parental-control'] - # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/parental-control.md'] - # cache_file = 'parental-control.md' - # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' + # [sources.parental-control] + # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/parental-control.md'] + # cache_file = 'parental-control.md' + # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' @@ -726,16 +726,16 @@ cache_neg_max_ttl = 600 [broken_implementations] -# Cisco servers currently cannot handle queries larger than 1472 bytes, and don't -# truncate reponses larger than questions as expected by the DNSCrypt protocol. -# This prevents large responses from being received over UDP and over relays. -# -# Older versions of the `dnsdist` server software had a bug with queries larger -# than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but -# some server may still run an outdated version. -# -# The list below enables workarounds to make non-relayed usage more reliable -# until the servers are fixed. +## Cisco servers currently cannot handle queries larger than 1472 bytes, and don't +## truncate responses larger than questions as expected by the DNSCrypt protocol. +## This prevents large responses from being received over UDP and over relays. +## +## Older versions of the `dnsdist` server software had a bug with queries larger +## than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but +## some server may still run an outdated version. +## +## The list below enables workarounds to make non-relayed usage more reliable +## until the servers are fixed. fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cleanbrowsing-adult', 'cleanbrowsing-adult-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-security', 'cleanbrowsing-security-ipv6'] @@ -745,15 +745,14 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys # Certificate-based client authentication for DoH # ################################################################# -# Use a X509 certificate to authenticate yourself when connecting to DoH servers. -# This is only useful if you are operating your own, private DoH server(s). -# 'creds' maps servers to certificates, and supports multiple entries. -# If you are not using the standard root CA, an optional "root_ca" -# property set to the path to a root CRT file can be added to a server entry. +## Use a X509 certificate to authenticate yourself when connecting to DoH servers. +## This is only useful if you are operating your own, private DoH server(s). +## 'creds' maps servers to certificates, and supports multiple entries. +## If you are not using the standard root CA, an optional "root_ca" +## property set to the path to a root CRT file can be added to a server entry. [doh_client_x509_auth] -# # creds = [ # { server_name='*', client_cert='client.crt', client_key='client.key' } # ] @@ -837,14 +836,14 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys ] -# Skip resolvers incompatible with anonymization instead of using them directly +## Skip resolvers incompatible with anonymization instead of using them directly skip_incompatible = true -# If public server certificates for a non-conformant server cannot be -# retrieved via a relay, try getting them directly. Actual queries -# will then always go through relays. +## If public server certificates for a non-conformant server cannot be +## retrieved via a relay, try getting them directly. Actual queries +## will then always go through relays. direct_cert_fallback = false @@ -872,13 +871,15 @@ direct_cert_fallback = false [dns64] -## (Option 1) Static prefix(es) as Pref64::/n CIDRs. +## Static prefix(es) as Pref64::/n CIDRs + # prefix = ['64:ff9b::/96'] -## (Option 2) DNS64-enabled resolver(s) to discover Pref64::/n CIDRs. +## DNS64-enabled resolver(s) to discover Pref64::/n CIDRs ## These resolvers are used to query for Well-Known IPv4-only Name (WKN) "ipv4only.arpa." to discover only. ## Set with your ISP's resolvers in case of custom prefixes (other than Well-Known Prefix 64:ff9b::/96). ## IMPORTANT: Default resolvers listed below support Well-Known Prefix 64:ff9b::/96 only. + # resolver = ['[2606:4700:4700::64]:53', '[2001:4860:4860::64]:53'] @@ -892,5 +893,5 @@ direct_cert_fallback = false [static] - # [static.'myserver'] - # stamp = 'sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg' + # [static.myserver] + # stamp = 'sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'