From bc37eda4a322cb91d89ac03d6f08d52d39f951eb Mon Sep 17 00:00:00 2001 From: quindecim Date: Tue, 9 Jun 2020 07:32:17 -0400 Subject: [PATCH] [UPSTREAM] - (see description) https://github.com/DNSCrypt/dnscrypt-proxy/commit/5db436554031fb1bf3c0895b3b2f27214c252e8a https://github.com/DNSCrypt/dnscrypt-proxy/commit/d766dc8bf78fc6dcc8c07c428cb814654732dbe5 https://github.com/DNSCrypt/dnscrypt-proxy/commit/f48b13f7b895bc3424344c611004a39695a50a23 https://github.com/DNSCrypt/dnscrypt-proxy/commit/b32ffbb807db8b62e289ab8a88503989cefea5dd https://github.com/DNSCrypt/dnscrypt-proxy/commit/87c161ab76bcf692f049f3c9a85658371ed7366c https://github.com/DNSCrypt/dnscrypt-proxy/commit/8945cb1b908cc1fd1e7172a2f67617538388d581 --- config/dnscrypt-proxy.toml | 53 +++++++++++++++++++++++++++++++++++--- 1 file changed, 50 insertions(+), 3 deletions(-) diff --git a/config/dnscrypt-proxy.toml b/config/dnscrypt-proxy.toml index dc2dd25..a40deac 100644 --- a/config/dnscrypt-proxy.toml +++ b/config/dnscrypt-proxy.toml @@ -140,11 +140,20 @@ blocked_query_response = 'refused' # log_level = 2 -## log file for the application +## Log file for the application, as an alternative to sending logs to +## the standard system logging service (syslog/Windows event log). +## +## This file is different from other log files, and will not be +## automatically rotated by the application. # log_file = 'dnscrypt-proxy.log' +## When using a log file, only keep logs from the most recent launch. + +# log_file_latest = true + + ## Use the system logger (syslog on Unix, Event Log on Windows) # use_syslog = true 
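Review bot: The new `log_file_latest` comment does not say that earlier log content is discarded on every start, which matters when this file is the only record of resolver activity: a crash or unexpected restart would presumably erase the entries leading up to it. The text added above it also states that the file is never rotated, so with the option turned off the file grows without bound. I would state both consequences next to the setting, for example `## Logs from previous launches are discarded at startup; use syslog if you need retention.` directly under the `## When using a log file, ...` line. It would also help to say which directory the relative path in `# log_file = 'dnscrypt-proxy.log'` resolves against, since the hunk does not show it.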
@@ -643,10 +652,12 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys # Use a X509 certificate to authenticate yourself when connecting to DoH servers. # This is only useful if you are operating your own, private DoH server(s). -# (for DNSCrypt, see the `query_meta` feature instead) +# 'creds' maps servers to certificates, and supports multiple entries. +# If you are not using the standard root CA, an optional "root_ca" +# property set to the path to a root CRT file can be added to a server entry. # [doh_client_x509_auth] - +# # creds = [ # { server_name='myserver', client_cert='client.crt', client_key='client.key' } # ] 
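Review bot: The comment introduces an optional `root_ca` property, but the `creds` example below it still lists only `server_name`, `client_cert` and `client_key`, so the reader has to guess the syntax. I would add a second sample entry such as `#    { server_name='myserver2', client_cert='client.crt', client_key='client.key', root_ca='ca.crt' }` (file names constructed for illustration). The text also does not say whether `root_ca` replaces or supplements the system trust store for that server; that decides what the client will accept, so the comment should state it. Since `client_key` points at a private key, a line like `# Keep the key file readable only by the account running the proxy.` belongs here as well.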
@@ -700,6 +711,42 @@ skip_incompatible = true +############################### +# DNS64 # +############################### + +## DNS64 is a mechanism for synthesizing AAAA records from A records. +## It is used with an IPv6/IPv4 translator to enable client-server +## communication between an IPv6-only client and an IPv4-only server, +## without requiring any changes to either the IPv6 or the IPv4 node, +## for the class of applications that work through NATs. +## +## There are two options to synthesize such records: +## Option 1: Using a set of static IPv6 prefixes; +## Option 2: By discovering the IPv6 prefix from DNS64-enabled resolver. +## +## If both options are configured - only static prefixes are used. +## (Ref. RFC6147, RFC6052, RFC7050) +## +## Do not enable unless you know what DNS64 is and why you need it, or else +## you won't be able to connect to anything at all. + +# [dns64] + +## (Option 1) Static prefix(es) as Pref64::/n CIDRs. +# prefix = ["64:ff9b::/96"] + +## (Option 2) DNS64-enabled resolver(s) to discover Pref64::/n CIDRs. +## These resolvers are used to query for Well-Known IPv4-only Name (WKN) "ipv4only.arpa." to discover only. +## Set with your ISP's resolvers in case of custom prefixes (other than Well-Known Prefix 64:ff9b::/96). +## IMPORTANT: Default resolvers listed below support Well-Known Prefix 64:ff9b::/96 only. +# resolver = ["[2606:4700:4700::64]:53", "[2001:4860:4860::64]:53"] + + + +######################################## +# Static entries # +######################################## ## Optional, local, static list of additional servers ## Mostly useful for testing your own servers.
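Review bot: The Option 2 comment does not mention that the prefix is learned from the listed resolvers over what looks like plain DNS on port 53 (`resolver = ["[2606:4700:4700::64]:53", ...]`), presumably outside the encrypted transports the rest of this file configures. Every synthesized AAAA record is built from that answer, so an unauthenticated discovery response is a trust decision the operator should make knowingly; RFC 7050, already cited in the comment, covers this. I would add a line under the `IMPORTANT` line such as `## Prefix discovery queries may be sent unencrypted; prefer a static prefix (Option 1) when the prefix is known.` A pointer that DNS64 synthesis interacts with DNSSEC validation (RFC 6147) would also help anyone who has `require_dnssec`-style filtering in mind. Minor style point: the new values use double quotes while the other values visible in this patch use single quotes (`'refused'`, `'dnscrypt-proxy.log'`).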