diff --git a/config/dnscrypt-proxy.toml b/config/dnscrypt-proxy.toml index 88282a3..607b0a5 100644 --- a/config/dnscrypt-proxy.toml +++ b/config/dnscrypt-proxy.toml @@ -454,20 +454,20 @@ cache_neg_max_ttl = 600 [query_log] - ## Path to the query log file (absolute, or relative to the same directory as the config file) - ## Can be set to /dev/stdout in order to log to the standard output. +## Path to the query log file (absolute, or relative to the same directory as the config file) +## Can be set to /dev/stdout in order to log to the standard output. - # file = 'query.log' +# file = 'query.log' - ## Query log format (currently supported: tsv and ltsv) +## Query log format (currently supported: tsv and ltsv) - format = 'tsv' +format = 'tsv' - ## Do not log these query types, to reduce verbosity. Keep empty to log everything. +## Do not log these query types, to reduce verbosity. Keep empty to log everything. - # ignored_qtypes = ['DNSKEY', 'NS'] +# ignored_qtypes = ['DNSKEY', 'NS'] @@ -481,14 +481,14 @@ cache_neg_max_ttl = 600 [nx_log] - ## Path to the query log file (absolute, or relative to the same directory as the config file) +## Path to the query log file (absolute, or relative to the same directory as the config file) - # file = 'nx.log' +# file = 'nx.log' - ## Query log format (currently supported: tsv and ltsv) +## Query log format (currently supported: tsv and ltsv) - format = 'tsv' +format = 'tsv' @@ -511,19 +511,19 @@ cache_neg_max_ttl = 600 [blocked_names] - ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file) +## Path to the file of blocking rules (absolute, or relative to the same directory as the config file) - blocked_names_file = 'blocked-names.txt' +blocked_names_file = 'blocked-names.txt' - ## Optional path to a file logging blocked queries +## Optional path to a file logging blocked queries - # log_file = 'blocked-names.log' +# log_file = 'blocked-names.log' - ## Optional log format: tsv or ltsv (default: tsv) +## Optional log format: tsv or ltsv (default: tsv) - # log_format = 'tsv' +# log_format = 'tsv' @@ -539,19 +539,19 @@ cache_neg_max_ttl = 600 [blocked_ips] - ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file) +## Path to the file of blocking rules (absolute, or relative to the same directory as the config file) - blocked_ips_file = 'blocked-ips.txt' +blocked_ips_file = 'blocked-ips.txt' - ## Optional path to a file logging blocked queries +## Optional path to a file logging blocked queries - # log_file = 'blocked-ips.log' +# log_file = 'blocked-ips.log' - ## Optional log format: tsv or ltsv (default: tsv) +## Optional log format: tsv or ltsv (default: tsv) - # log_format = 'tsv' +# log_format = 'tsv' @@ -567,19 +567,19 @@ cache_neg_max_ttl = 600 [allowed_names] - ## Path to the file of allow list rules (absolute, or relative to the same directory as the config file) +## Path to the file of allow list rules (absolute, or relative to the same directory as the config file) - allowed_names_file = 'allowed-names.txt' +allowed_names_file = 'allowed-names.txt' - ## Optional path to a file logging allowed queries +## Optional path to a file logging allowed queries - # log_file = 'allowed-names.log' +# log_file = 'allowed-names.log' - ## Optional log format: tsv or ltsv (default: tsv) +## Optional log format: tsv or ltsv (default: tsv) - # log_format = 'tsv' +# log_format = 'tsv' @@ -595,18 +595,18 @@ cache_neg_max_ttl = 600 [allowed_ips] - ## Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file) +## Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file) - allowed_ips_file = 'allowed-ips.txt' +allowed_ips_file = 'allowed-ips.txt' - ## Optional path to a file logging allowed queries +## Optional path to a file logging allowed queries - # log_file = 'allowed-ips.log' +# log_file = 'allowed-ips.log' - ## Optional log format: tsv or ltsv (default: tsv) +## Optional log format: tsv or ltsv (default: tsv) - # log_format = 'tsv' +# log_format = 'tsv' @@ -628,20 +628,20 @@ cache_neg_max_ttl = 600 [schedules] # [schedules.'time-to-sleep'] - # mon = [{after='21:00', before='7:00'}] - # tue = [{after='21:00', before='7:00'}] - # wed = [{after='21:00', before='7:00'}] - # thu = [{after='21:00', before='7:00'}] - # fri = [{after='23:00', before='7:00'}] - # sat = [{after='23:00', before='7:00'}] - # sun = [{after='21:00', before='7:00'}] + # mon = [{after='21:00', before='7:00'}] + # tue = [{after='21:00', before='7:00'}] + # wed = [{after='21:00', before='7:00'}] + # thu = [{after='21:00', before='7:00'}] + # fri = [{after='23:00', before='7:00'}] + # sat = [{after='23:00', before='7:00'}] + # sun = [{after='21:00', before='7:00'}] # [schedules.'work'] - # mon = [{after='9:00', before='18:00'}] - # tue = [{after='9:00', before='18:00'}] - # wed = [{after='9:00', before='18:00'}] - # thu = [{after='9:00', before='18:00'}] - # fri = [{after='9:00', before='17:00'}] + # mon = [{after='9:00', before='18:00'}] + # tue = [{after='9:00', before='18:00'}] + # wed = [{after='9:00', before='18:00'}] + # thu = [{after='9:00', before='18:00'}] + # fri = [{after='9:00', before='17:00'}] @@ -669,7 +669,7 @@ cache_neg_max_ttl = 600 [sources] - ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers + ### An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers [sources.'public-resolvers'] urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md'] @@ -678,7 +678,7 @@ cache_neg_max_ttl = 600 refresh_delay = 72 prefix = '' - ## Anonymized DNS relays + ### Anonymized DNS relays [sources.'relays'] urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md'] @@ -687,7 +687,7 @@ cache_neg_max_ttl = 600 refresh_delay = 72 prefix = '' - ## ODoH (Oblivious DoH) servers and relays + ### ODoH (Oblivious DoH) servers and relays # [sources.'odoh-servers'] # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-servers.md'] @@ -702,7 +702,7 @@ cache_neg_max_ttl = 600 # refresh_delay = 24 # prefix = '' - ## Quad9 + ### Quad9 # [sources.quad9-resolvers] # urls = ['https://www.quad9.net/quad9-resolvers.md'] @@ -710,8 +710,8 @@ cache_neg_max_ttl = 600 # cache_file = 'quad9-resolvers.md' # prefix = 'quad9-' - ## Another example source, with resolvers censoring some websites not appropriate for children - ## This is a subset of the `public-resolvers` list, so enabling both is useless + ### Another example source, with resolvers censoring some websites not appropriate for children + ### This is a subset of the `public-resolvers` list, so enabling both is useless # [sources.'parental-control'] # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/parental-control.md'] @@ -726,16 +726,16 @@ cache_neg_max_ttl = 600 [broken_implementations] -# Cisco servers currently cannot handle queries larger than 1472 bytes, and don't -# truncate responses larger than questions as expected by the DNSCrypt protocol. -# This prevents large responses from being received over UDP and over relays. -# -# Older versions of the `dnsdist` server software had a bug with queries larger -# than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but -# some server may still run an outdated version. -# -# The list below enables workarounds to make non-relayed usage more reliable -# until the servers are fixed. +## Cisco servers currently cannot handle queries larger than 1472 bytes, and don't +## truncate responses larger than questions as expected by the DNSCrypt protocol. +## This prevents large responses from being received over UDP and over relays. +## +## Older versions of the `dnsdist` server software had a bug with queries larger +## than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but +## some server may still run an outdated version. +## +## The list below enables workarounds to make non-relayed usage more reliable +## until the servers are fixed. fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cleanbrowsing-adult', 'cleanbrowsing-adult-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-security', 'cleanbrowsing-security-ipv6'] @@ -745,15 +745,14 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys # Certificate-based client authentication for DoH # ################################################################# -# Use a X509 certificate to authenticate yourself when connecting to DoH servers. -# This is only useful if you are operating your own, private DoH server(s). -# 'creds' maps servers to certificates, and supports multiple entries. -# If you are not using the standard root CA, an optional "root_ca" -# property set to the path to a root CRT file can be added to a server entry. +## Use a X509 certificate to authenticate yourself when connecting to DoH servers. +## This is only useful if you are operating your own, private DoH server(s). +## 'creds' maps servers to certificates, and supports multiple entries. +## If you are not using the standard root CA, an optional "root_ca" +## property set to the path to a root CRT file can be added to a server entry. [doh_client_x509_auth] -# # creds = [ # { server_name='*', client_cert='client.crt', client_key='client.key' } # ] @@ -839,14 +838,14 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys ] -# Skip resolvers incompatible with anonymization instead of using them directly +## Skip resolvers incompatible with anonymization instead of using them directly skip_incompatible = true -# If public server certificates for a non-conformant server cannot be -# retrieved via a relay, try getting them directly. Actual queries -# will then always go through relays. +## If public server certificates for a non-conformant server cannot be +## retrieved via a relay, try getting them directly. Actual queries +## will then always go through relays. direct_cert_fallback = false @@ -895,4 +894,4 @@ direct_cert_fallback = false [static] # [static.'myserver'] - # stamp = 'sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg' + # stamp = 'sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'