diff --git a/binary/dnscrypt-proxy-arm b/binary/dnscrypt-proxy-arm
index 97e884a..ee66e55 100755
Binary files a/binary/dnscrypt-proxy-arm and b/binary/dnscrypt-proxy-arm differ
diff --git a/binary/dnscrypt-proxy-arm64 b/binary/dnscrypt-proxy-arm64
index 21990c7..21cca6c 100755
Binary files a/binary/dnscrypt-proxy-arm64 and b/binary/dnscrypt-proxy-arm64 differ
diff --git a/binary/dnscrypt-proxy-x86 b/binary/dnscrypt-proxy-x86
index 469a4f6..1ab3caf 100755
Binary files a/binary/dnscrypt-proxy-x86 and b/binary/dnscrypt-proxy-x86 differ
diff --git a/binary/dnscrypt-proxy-x86_64 b/binary/dnscrypt-proxy-x86_64
index b6d9db2..a7121c5 100755
Binary files a/binary/dnscrypt-proxy-x86_64 and b/binary/dnscrypt-proxy-x86_64 differ
diff --git a/config/example-blacklist.txt b/config/example-blacklist.txt
index 7f3d215..91b4a3e 100644
--- a/config/example-blacklist.txt
+++ b/config/example-blacklist.txt
@@ -10,6 +10,7 @@
 ## ads.* | matches anything with an "ads." prefix
 ## *.example.com | matches example.com and all names within that zone such as www.example.com
 ## example.com | identical to the above
+## =example.com | block example.com but not *.example.com
 ## *sex* | matches any name containing that substring
 ## ads[0-9]* | matches "ads" followed by one or more digits
 ## ads*.example* | *, ? and [] can be used anywhere, but prefixes/suffixes are faster
diff --git a/config/example-cloaking-rules.txt b/config/example-cloaking-rules.txt
index 1e3e062..9b52907 100644
--- a/config/example-cloaking-rules.txt
+++ b/config/example-cloaking-rules.txt
@@ -3,14 +3,13 @@ ################################ # The following example rules force "safe" (without adult content) search -# results from Google, Bing and Youtube. +# results from Google, Bing and YouTube. # # This has to be enabled with the `cloaking_rules` parameter in the main # configuration file -www.google.com forcesafesearch.google.com -www.google.fr forcesafesearch.google.com +www.google.* forcesafesearch.google.com www.bing.com strict.bing.com @@ -20,3 +19,4 @@ youtubei.googleapis.com restrictmoderate.youtube.com youtube.googleapis.com restrictmoderate.youtube.com www.youtube-nocookie.com restrictmoderate.youtube.com +localhost 127.0.0.1 diff --git a/config/example-dnscrypt-proxy.toml b/config/example-dnscrypt-proxy.toml index e1eb5e6..6827de1 100644 --- a/config/example-dnscrypt-proxy.toml +++ b/config/example-dnscrypt-proxy.toml @@ -17,12 +17,17 @@ ################################## ## List of servers to use +## +## Servers from the "public-resolvers" source (see down below) can +## be viewed here: https://dnscrypt.info/public-servers +## ## If this line is commented, all registered servers matching the require_* filters -## will be used +## will be used. +## ## The proxy will automatically pick the fastest, working servers from the list. ## Remove the leading # first to enable this; lines starting with # are ignored. -# server_names = ['scaleway-fr', 'google', 'yandex'] +# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare'] ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6. @@ -74,6 +79,11 @@ force_tcp = false timeout = 2500 +## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds + +keepalive = 30 + + ## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random' # lb_strategy = 'p2' 
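Review bot: The new `localhost 127.0.0.1` rule in the second hunk supplies only an IPv4 answer; clients that issue AAAA queries for localhost will get whatever the cloaking plugin returns for a name with no IPv6 mapping, which cannot be confirmed from this hunk. If the intent is to keep localhost from ever being forwarded to an upstream resolver, add `localhost ::1` on the following line, assuming the cloaking file accepts repeated names, so both address families are answered locally. The `www.google.* forcesafesearch.google.com` rule in the first hunk widens the former two exact entries to every name under that prefix, which looks deliberate but deserves a one-line comment such as `# covers all Google country domains` above it.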
@@ -99,6 +109,34 @@ timeout = 2500 cert_refresh_delay = 240 +## DNSCrypt: Create a new, unique key for every single DNS query +## This may improve privacy but can also have a significant impact on CPU usage +## Only enable if you don't have a lot of network load + +# dnscrypt_ephemeral_keys = false + + +## DoH: Disable TLS session tickets - increases privacy but also latency + +# tls_disable_session_tickets = false + + +## DoH: Use a specific cipher suite instead of the server preference +## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 +## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 +## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 +## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 +## +## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...), +## the following suite improves performance. +## This may also help on Intel CPUs running 32-bit operating systems. +## +## Keep tls_cipher_suite empty if you have issues fetching sources or +## connecting to some DoH servers. Google and Cloudflare are fine with it. + +# tls_cipher_suite = [52392, 49199] + + ## Fallback resolver ## This is a normal, non-encrypted DNS resolver, that will be only used ## for one-shot queries when retrieving the initial resolvers list, and @@ -111,6 +149,7 @@ cert_refresh_delay = 240 ## A resolver supporting DNSSEC is recommended. This may become mandatory. ## ## People in China may need to use 114.114.114.114:53 here. +## Other popular options include 8.8.8.8 and 1.1.1.1. fallback_resolver = '9.9.9.9:53' @@ -153,7 +192,7 @@ block_ipv6 = false ## Example map entries (one entry per line): ## example.com 9.9.9.9 -## example.net 9.9.9.9,8.8.8.8 +## example.net 9.9.9.9,8.8.8.8,1.1.1.1 # forwarding_rules = 'forwarding-rules.txt' @@ -186,7 +225,7 @@ cache = true ## Cache size -cache_size = 256 +cache_size = 512 ## Minimum TTL for cached entries 
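Review bot: The added line `## Other popular options include 8.8.8.8 and 1.1.1.1.` in the fallback_resolver hunk omits the `:53` port suffix that the neighbouring example `## People in China may need to use 114.114.114.114:53 here.` and the active value `fallback_resolver = '9.9.9.9:53'` both use, so a reader copying it verbatim produces a value in a different form from every documented one. Suggest `## Other popular options include 8.8.8.8:53 and 1.1.1.1:53.` Since the comment a few lines above already states this resolver is non-encrypted, keeping the examples in the exact accepted form avoids a second source of confusion around the one plaintext setting in the file.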
@@ -257,6 +296,7 @@ cache_neg_ttl = 60 ## Blacklists are made of one pattern per line. Example of valid patterns: ## ## example.com +## =example.com ## *sex* ## ads.* ## ads*.example.* @@ -312,6 +352,34 @@ cache_neg_ttl = 60 +###################################################### +# Pattern-based whitelisting (blacklists bypass) # +###################################################### + +## Whitelists support the same patterns as blacklists +## If a name matches a whitelist entry, the corresponding session +## will bypass names and IP filters. +## +## Time-based rules are also supported to make some websites only accessible at specific times of the day. + +[whitelist] + + ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the executable file) + + # whitelist_file = 'whitelist.txt' + + + ## Optional path to a file logging whitelisted queries + + # log_file = 'whitelisted.log' + + + ## Optional log format: tsv or ltsv (default: tsv) + + # log_format = 'tsv' + + + ########################################## # Time access restrictions # ########################################## @@ -322,7 +390,7 @@ cache_neg_ttl = 60 ## ## For example, the following rule in a blacklist file: ## *.youtube.* @time-to-sleep -## would block access to Youtube only during the days, and period of the days +## would block access to YouTube only during the days, and period of the days ## define by the 'time-to-sleep' schedule. ## ## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00 @@ -369,7 +437,7 @@ cache_neg_ttl = 60 [sources] - ## An example of a remote source + ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers [sources.'public-resolvers'] urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'] 
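Review bot: The `[whitelist]` section comment in the `@@ -312,6 +352,34 @@` hunk says a matching name "will bypass names and IP filters", which is the security-critical property of the feature, but it does not make clear that the bypass overrides every blacklist rule nor that the same wildcard syntax applies, so an over-broad pattern silently disables blocking for everything it matches. I would reword to `## If a name matches a whitelist entry, the query bypasses the name-based and IP-based blacklists entirely.` and add `## Keep whitelist patterns as specific as possible: a broad wildcard exempts every name it matches.` The `# whitelist_file = 'whitelist.txt'` line is commented out, so presumably whitelisting stays disabled until a file is configured; saying so explicitly in the `## Path to the file` comment would help.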
@@ -394,4 +462,4 @@ cache_neg_ttl = 60 [static] # [static.'google'] - # stamp = 'sdns://AgUAAAAAAAAAACDyXGrcc5eNecJ8nomJCJ-q6eCLTEn6bHic0hWGUwYQaA5kbnMuZ29vZ2xlLmNvbQ0vZXhwZXJpbWVudGFs' + # stamp = 'sdns://AgUAAAAAAAAAAAAOZG5zLmdvb2dsZS5jb20NL2V4cGVyaW1lbnRhbA' diff --git a/config/example-whitelist.txt b/config/example-whitelist.txt new file mode 100644 index 0000000..c1cbdd1 --- /dev/null +++ b/config/example-whitelist.txt @@ -0,0 +1,23 @@ + +########################### +# Whitelist # +########################### + +## Rules for name-based query whitelisting, one per line +## +## Example of valid patterns: +## +## ads.* | matches anything with an "ads." prefix +## *.example.com | matches example.com and all names within that zone such as www.example.com +## example.com | identical to the above +## =example.com | whitelists example.com but not *.example.com +## *sex* | matches any name containing that substring +## ads[0-9]* | matches "ads" followed by one or more digits +## ads*.example* | *, ? and [] can be used anywhere, but prefixes/suffixes are faster + + + +## Time-based rules + +# *.youtube.* @time-to-play +# facebook.com @play
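Review bot: The replacement stamp in the `[static.'google']` example appears to decode to an empty certificate-hash list (after the protocol and properties bytes, the address length and the hash length in the `AAAAAAAAAAAO` run are both zero before the `dns.google.com` hostname), whereas the old stamp carried a 32-byte hash. With no hash in the stamp, validation of this DoH server's certificate presumably rests entirely on whatever trust store the proxy's TLS client uses, and the example says nothing about that trade-off. Suggest a comment above the stamp such as `# This stamp pins no certificate hash; the TLS certificate is checked against the trust store only.` so that people copying the entry know what they are giving up. The new `config/example-whitelist.txt` in the same line is documentation-only and needs no change.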