diff --git a/config/example-docs/example-dnscrypt-proxy.toml b/config/example-docs/example-dnscrypt-proxy.toml
index 7974296..b25b94a 100644
--- a/config/example-docs/example-dnscrypt-proxy.toml
+++ b/config/example-docs/example-dnscrypt-proxy.toml
@@ -140,11 +140,20 @@ keepalive = 30
 # log_level = 2
-## log file for the application
+## Log file for the application, as an alternative to sending logs to
+## the standard system logging service (syslog/Windows event log).
+##
+## This file is different from other log files, and will not be
+## automatically rotated by the application.
 # log_file = 'dnscrypt-proxy.log'
+## When using a log file, only keep logs from the most recent launch.
+
+# log_file_latest = true
+
+
 ## Use the system logger (syslog on Unix, Event Log on Windows)
 # use_syslog = true
@@ -636,17 +645,18 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys
-
 #################################################################
 # Certificate-based client authentication for DoH #
 #################################################################
 # Use a X509 certificate to authenticate yourself when connecting to DoH servers.
 # This is only useful if you are operating your own, private DoH server(s).
-# (for DNSCrypt, see the `query_meta` feature instead)
+# 'creds' maps servers to certificates, and supports multiple entries.
+# If you are not using the standard root CA, an optional "root_ca"
+# property set to the path to a root CRT file can be added to a server entry.
 # [doh_client_x509_auth]
-
+#
 # creds = [
 # { server_name='myserver', client_cert='client.crt', client_key='client.key' }
 # ]
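Review bot: The comment added above `# log_file_latest = true` does not say what happens to the existing file, and the hunk does not state the option's default. Read literally, "only keep logs from the most recent launch" means earlier contents are dropped at every start, so a crash or forced restart would remove the entries that led up to it; anyone relying on this file for incident investigation needs to know that. I would spell it out, for example `## When true, the log file is truncated at startup; set to false to append and keep earlier launches.`, and name the default beside it (the truncation behaviour is inferred from the wording, so confirm it). Because the paragraph above says this file is never rotated by the application, it is also worth adding that append mode needs external rotation.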
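Review bot: The new text documents `root_ca` but does not say whether that certificate replaces the system trust store for the server entry or is added to it, and the `creds` example still omits the property. The difference matters for a private DoH server: replacement restricts the connection to the private CA, while addition leaves every public CA able to vouch for the server name. I would state which one applies and show it in the example, e.g. `# { server_name='myserver', client_cert='client.crt', client_key='client.key', root_ca='ca.crt' }` (the `ca.crt` file name is made up for illustration). A one-line reminder that the `client_key` file should be readable only by the account running the proxy would also fit here.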
@@ -693,6 +703,42 @@ skip_incompatible = false
+###############################
+# DNS64 #
+###############################
+
+## DNS64 is a mechanism for synthesizing AAAA records from A records.
+## It is used with an IPv6/IPv4 translator to enable client-server
+## communication between an IPv6-only client and an IPv4-only server,
+## without requiring any changes to either the IPv6 or the IPv4 node,
+## for the class of applications that work through NATs.
+##
+## There are two options to synthesize such records:
+## Option 1: Using a set of static IPv6 prefixes;
+## Option 2: By discovering the IPv6 prefix from DNS64-enabled resolver.
+##
+## If both options are configured - only static prefixes are used.
+## (Ref. RFC6147, RFC6052, RFC7050)
+##
+## Do not enable unless you know what DNS64 is and why you need it, or else
+## you won't be able to connect to anything at all.
+
+# [dns64]
+
+## (Option 1) Static prefix(es) as Pref64::/n CIDRs.
+# prefix = ["64:ff9b::/96"]
+
+## (Option 2) DNS64-enabled resolver(s) to discover Pref64::/n CIDRs.
+## These resolvers are used to query for Well-Known IPv4-only Name (WKN) "ipv4only.arpa." to discover only.
+## Set with your ISP's resolvers in case of custom prefixes (other than Well-Known Prefix 64:ff9b::/96).
+## IMPORTANT: Default resolvers listed below support Well-Known Prefix 64:ff9b::/96 only.
+# resolver = ["[2606:4700:4700::64]:53", "[2001:4860:4860::64]:53"]
+
+
+
+########################################
+# Static entries #
+########################################
 ## Optional, local, static list of additional servers
 ## Mostly useful for testing your own servers.
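Review bot: The `resolver` entries under Option 2 are written as plain `address:53` endpoints, which suggests the Pref64 discovery query for `ipv4only.arpa.` travels outside the encrypted transports the rest of this configuration sets up, and the comment does not mention that. Whoever answers that query chooses the prefix used for every synthesized AAAA record, and so where traffic for IPv4-only destinations is sent, which is the concern RFC 7050 raises in its security considerations. I would add a line such as `## NOTE: prefix discovery is not authenticated; prefer a static prefix (Option 1) when the prefix is known.` and say how often discovery is repeated. This reading is inferred from the address format shown, so confirm how the discovery query is actually sent.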