diff --git a/config/dnscrypt-proxy.toml b/config/dnscrypt-proxy.toml index a9d5c60..7839d3a 100644 --- a/config/dnscrypt-proxy.toml +++ b/config/dnscrypt-proxy.toml @@ -29,7 +29,7 @@ ## ## Remove the leading # first to enable this; lines starting with # are ignored. -server_names = ['acsacsar-ams-ipv4', 'altername', 'ams-dnscrypt-nl', 'bcn-dnscrypt', 'd0wn-tz-ns1', 'dct-at1', 'dct-de1', 'dct-ru1', 'dct-ru2', 'dns.digitalsize.net', 'dns.watch', 'dnscrypt.be', 'dnscrypt.ca-1', 'dnscrypt.ca-2', 'dnscrypt.eu-nl', 'dnscrypt.pl', 'dnscrypt.uk-ipv4', 'dnswarden-asia-uncensor-dcv4', 'dnswarden-eu-uncensor-dcv4', 'dnswarden-us-uncensor-dcv4', 'gombadi-syd', 'meganerd', 'moulticast-ca-ipv4', 'moulticast-de-ipv4', 'moulticast-fr-ipv4', 'moulticast-sg-ipv4', 'moulticast-uk-ipv4', 'plan9-dns', 'plan9-ns2', 'pryv8boi', 'pwoss.org-dnscrypt', 'resolver4.dns.openinternet.io', 'scaleway-ams', 'scaleway-fr', 'serbica', 'v.dnscrypt.uk-ipv4', 'zackptg5-us-il-ipv4'] +server_names = ['acsacsar-ams-ipv4', 'altername', 'ams-dnscrypt-nl', 'bcn-dnscrypt', 'd0wn-tz-ns1', 'dct-at1', 'dct-de1', 'dct-ru1', 'dct-ru2', 'dns.digitalsize.net', 'dns.watch', 'dnscrypt.be', 'dnscrypt.ca-1', 'dnscrypt.ca-2', 'dnscrypt.eu-nl', 'dnscrypt.pl', 'dnscrypt.uk-ipv4', 'dnswarden-asia-uncensor-dcv4', 'dnswarden-eu-uncensor-dcv4', 'dnswarden-us-uncensor-dcv4', 'gombadi-syd', 'meganerd', 'moulticast-ca-ipv4', 'moulticast-de-ipv4', 'moulticast-fr-ipv4', 'moulticast-sg-ipv4', 'moulticast-uk-ipv4', 'plan9-dns', 'plan9-ns2', 'pryv8boi', 'pwoss.org-dnscrypt', 'resolver4.dns.openinternet.io', 'scaleway-ams', 'scaleway-fr', 'serbica', 'v.dnscrypt.uk-ipv4'] ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6. @@ -39,7 +39,7 @@ server_names = ['acsacsar-ams-ipv4', 'altername', 'ams-dnscrypt-nl', 'bcn-dnscry ## To listen to all IPv4 addresses, use `listen_addresses = ['0.0.0.0:53']` ## To listen to all IPv4+IPv6 addresses, use `listen_addresses = ['[::]:53']` -listen_addresses = ['127.0.0.1:5354'] +listen_addresses = ['127.0.0.1:53'] ## Maximum number of simultaneous client connections to accept @@ -94,7 +94,7 @@ disabled_server_names = [] ## (dnscrypt-proxy will always encrypt everything even using UDP), and can ## only increase latency. -force_tcp = true +force_tcp = false ## SOCKS proxy @@ -128,7 +128,7 @@ keepalive = 30 ## Multiple networks can be listed; they will be randomly chosen. ## These networks don't have to match your actual networks. -# edns_client_subnet = ['0.0.0.0/0', '2001:db8::/32'] +# edns_client_subnet = ["0.0.0.0/0", "2001:db8::/32"] ## Response for blocked queries. Options are `refused`, `hinfo` (default) or @@ -168,7 +168,7 @@ blocked_query_response = 'refused' ## When using a log file, only keep logs from the most recent launch. -# log_file_latest = true + log_file_latest = true ## Use the system logger (syslog on Unix, Event Log on Windows) @@ -214,7 +214,7 @@ dnscrypt_ephemeral_keys = true ## Bootstrap resolvers ## ## These are normal, non-encrypted DNS resolvers, that will be only used -## for one-shot queries when retrieving the initial resolvers list and if +## for one-shot queries when retrieving the initial resolvers list and the ## the system DNS configuration doesn't work. ## ## No user queries will ever be leaked through these resolvers, and they will @@ -454,20 +454,20 @@ cache_neg_max_ttl = 600 [query_log] -## Path to the query log file (absolute, or relative to the same directory as the config file) -## Can be set to /dev/stdout in order to log to the standard output. + ## Path to the query log file (absolute, or relative to the same directory as the config file) + ## Can be set to /dev/stdout in order to log to the standard output. -# file = 'query.log' + file = 'query.log' -## Query log format (currently supported: tsv and ltsv) + ## Query log format (currently supported: tsv and ltsv) -format = 'tsv' + format = 'tsv' -## Do not log these query types, to reduce verbosity. Keep empty to log everything. + ## Do not log these query types, to reduce verbosity. Keep empty to log everything. -# ignored_qtypes = ['DNSKEY', 'NS'] + # ignored_qtypes = ['DNSKEY', 'NS'] @@ -481,19 +481,19 @@ format = 'tsv' [nx_log] -## Path to the query log file (absolute, or relative to the same directory as the config file) + ## Path to the query log file (absolute, or relative to the same directory as the config file) -# file = 'nx.log' + file = 'nx.log' -## Query log format (currently supported: tsv and ltsv) + ## Query log format (currently supported: tsv and ltsv) -format = 'tsv' + format = 'tsv' ###################################################### -# Pattern-based blocking (blocklists) # +# Pattern-based blocking (blocklists) # ###################################################### ## Blocklists are made of one pattern per line. Example of valid patterns: @@ -511,19 +511,19 @@ format = 'tsv' [blocked_names] -## Path to the file of blocking rules (absolute, or relative to the same directory as the config file) + ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file) -blocked_names_file = 'blocked-names.txt' + blocked_names_file = 'blocked-names.txt' -## Optional path to a file logging blocked queries + ## Optional path to a file logging blocked queries -# log_file = 'blocked-names.log' + log_file = 'blocked-names.log' -## Optional log format: tsv or ltsv (default: tsv) + ## Optional log format: tsv or ltsv (default: tsv) -# log_format = 'tsv' + # log_format = 'tsv' @@ -539,24 +539,24 @@ blocked_names_file = 'blocked-names.txt' [blocked_ips] -## Path to the file of blocking rules (absolute, or relative to the same directory as the config file) + ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file) -blocked_ips_file = 'blocked-ips.txt' + blocked_ips_file = 'blocked-ips.txt' -## Optional path to a file logging blocked queries + ## Optional path to a file logging blocked queries -# log_file = 'blocked-ips.log' + # log_file = 'blocked-ips.log' -## Optional log format: tsv or ltsv (default: tsv) + ## Optional log format: tsv or ltsv (default: tsv) -# log_format = 'tsv' + # log_format = 'tsv' ###################################################### -# Pattern-based allow lists (blocklists bypass) # +# Pattern-based allow lists (blocklists bypass) # ###################################################### ## Allowlists support the same patterns as blocklists @@ -567,19 +567,19 @@ blocked_ips_file = 'blocked-ips.txt' [allowed_names] -## Path to the file of allow list rules (absolute, or relative to the same directory as the config file) + ## Path to the file of allow list rules (absolute, or relative to the same directory as the config file) -allowed_names_file = 'allowed-names.txt' + allowed_names_file = 'allowed-names.txt' -## Optional path to a file logging allowed queries + ## Optional path to a file logging allowed queries -# log_file = 'allowed-names.log' + # log_file = 'allowed-names.log' -## Optional log format: tsv or ltsv (default: tsv) + ## Optional log format: tsv or ltsv (default: tsv) -# log_format = 'tsv' + # log_format = 'tsv' @@ -595,18 +595,18 @@ allowed_names_file = 'allowed-names.txt' [allowed_ips] -## Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file) + ## Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file) -allowed_ips_file = 'allowed-ips.txt' + allowed_ips_file = 'allowed-ips.txt' -## Optional path to a file logging allowed queries + ## Optional path to a file logging allowed queries -# log_file = 'allowed-ips.log' + # log_file = 'allowed-ips.log' -## Optional log format: tsv or ltsv (default: tsv) + ## Optional log format: tsv or ltsv (default: tsv) -# log_format = 'tsv' + # log_format = 'tsv' @@ -627,21 +627,21 @@ allowed_ips_file = 'allowed-ips.txt' [schedules] - # [schedules.time-to-sleep] - # mon = [{after='21:00', before='7:00'}] - # tue = [{after='21:00', before='7:00'}] - # wed = [{after='21:00', before='7:00'}] - # thu = [{after='21:00', before='7:00'}] - # fri = [{after='23:00', before='7:00'}] - # sat = [{after='23:00', before='7:00'}] - # sun = [{after='21:00', before='7:00'}] + # [schedules.'time-to-sleep'] + # mon = [{after='21:00', before='7:00'}] + # tue = [{after='21:00', before='7:00'}] + # wed = [{after='21:00', before='7:00'}] + # thu = [{after='21:00', before='7:00'}] + # fri = [{after='23:00', before='7:00'}] + # sat = [{after='23:00', before='7:00'}] + # sun = [{after='21:00', before='7:00'}] - # [schedules.work] - # mon = [{after='9:00', before='18:00'}] - # tue = [{after='9:00', before='18:00'}] - # wed = [{after='9:00', before='18:00'}] - # thu = [{after='9:00', before='18:00'}] - # fri = [{after='9:00', before='17:00'}] + # [schedules.'work'] + # mon = [{after='9:00', before='18:00'}] + # tue = [{after='9:00', before='18:00'}] + # wed = [{after='9:00', before='18:00'}] + # thu = [{after='9:00', before='18:00'}] + # fri = [{after='9:00', before='17:00'}] @@ -669,40 +669,40 @@ allowed_ips_file = 'allowed-ips.txt' [sources] - ### An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers + ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers - [sources.public-resolvers] + [sources.'public-resolvers'] urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md'] cache_file = 'public-resolvers.md' minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' refresh_delay = 72 prefix = '' - ### Anonymized DNS relays + ## Anonymized DNS relays - [sources.relays] + [sources.'relays'] urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md'] cache_file = 'relays.md' minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' refresh_delay = 72 prefix = '' - ### ODoH (Oblivious DoH) servers and relays + ## ODoH (Oblivious DoH) servers and relays - # [sources.odoh-servers] + # [sources.'odoh-servers'] # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-servers.md'] # cache_file = 'odoh-servers.md' # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' # refresh_delay = 24 # prefix = '' - # [sources.odoh-relays] + # [sources.'odoh-relays'] # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-relays.md'] # cache_file = 'odoh-relays.md' # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' # refresh_delay = 24 # prefix = '' - ### Quad9 + ## Quad9 # [sources.quad9-resolvers] # urls = ['https://www.quad9.net/quad9-resolvers.md'] @@ -710,13 +710,13 @@ allowed_ips_file = 'allowed-ips.txt' # cache_file = 'quad9-resolvers.md' # prefix = 'quad9-' - ### Another example source, with resolvers censoring some websites not appropriate for children - ### This is a subset of the `public-resolvers` list, so enabling both is useless + ## Another example source, with resolvers censoring some websites not appropriate for children + ## This is a subset of the `public-resolvers` list, so enabling both is useless - # [sources.parental-control] - # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/parental-control.md'] - # cache_file = 'parental-control.md' - # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' + # [sources.'parental-control'] + # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/parental-control.md'] + # cache_file = 'parental-control.md' + # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' @@ -726,16 +726,16 @@ allowed_ips_file = 'allowed-ips.txt' [broken_implementations] -## Cisco servers currently cannot handle queries larger than 1472 bytes, and don't -## truncate responses larger than questions as expected by the DNSCrypt protocol. -## This prevents large responses from being received over UDP and over relays. -## -## Older versions of the `dnsdist` server software had a bug with queries larger -## than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but -## some server may still run an outdated version. -## -## The list below enables workarounds to make non-relayed usage more reliable -## until the servers are fixed. +# Cisco servers currently cannot handle queries larger than 1472 bytes, and don't +# truncate reponses larger than questions as expected by the DNSCrypt protocol. +# This prevents large responses from being received over UDP and over relays. +# +# Older versions of the `dnsdist` server software had a bug with queries larger +# than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but +# some server may still run an outdated version. +# +# The list below enables workarounds to make non-relayed usage more reliable +# until the servers are fixed. fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cleanbrowsing-adult', 'cleanbrowsing-adult-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-security', 'cleanbrowsing-security-ipv6'] @@ -745,14 +745,15 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys # Certificate-based client authentication for DoH # ################################################################# -## Use a X509 certificate to authenticate yourself when connecting to DoH servers. -## This is only useful if you are operating your own, private DoH server(s). -## 'creds' maps servers to certificates, and supports multiple entries. -## If you are not using the standard root CA, an optional "root_ca" -## property set to the path to a root CRT file can be added to a server entry. +# Use a X509 certificate to authenticate yourself when connecting to DoH servers. +# This is only useful if you are operating your own, private DoH server(s). +# 'creds' maps servers to certificates, and supports multiple entries. +# If you are not using the standard root CA, an optional "root_ca" +# property set to the path to a root CRT file can be added to a server entry. [doh_client_x509_auth] +# # creds = [ # { server_name='*', client_cert='client.crt', client_key='client.key' } # ] @@ -807,8 +808,8 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys { server_name='dns.digitalsize.net', via=['anon-cs-de', 'anon-meganerd'] }, { server_name='dns.watch', via=['anon-cs-de', 'anon-meganerd'] }, { server_name='dnscrypt.be', via=['anon-cs-belgium', 'anon-serbica'] }, - { server_name='dnscrypt.ca-1', via=['anon-cs-montreal', 'anon-zackptg5-us-il-ipv4'] }, - { server_name='dnscrypt.ca-2', via=['anon-cs-montreal', 'anon-zackptg5-us-il-ipv4'] }, + { server_name='dnscrypt.ca-1', via=['anon-cs-montreal', 'anon-inconnu'] }, + { server_name='dnscrypt.ca-2', via=['anon-cs-montreal', 'anon-inconnu'] }, { server_name='dnscrypt.eu-nl', via=['anon-meganerd', 'anon-scaleway-ams'] }, { server_name='dnscrypt.pl', via=['anon-cs-poland', 'anon-curzon-prg'] }, { server_name='dnscrypt.uk-ipv4', via=['anon-cs-london', 'anon-scaleway'] }, @@ -817,34 +818,33 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys { server_name='dnswarden-us-uncensor-dcv4', via=['anon-cs-tx', 'anon-plan9-ns2'] }, { server_name='gombadi-syd', via=['anon-cs-sydney', 'anon-tiarap'] }, { server_name='meganerd', via=['anon-acsacsar-ams-ipv4', 'anon-scaleway-ams'] }, - { server_name='moulticast-ca-ipv4', via=['anon-cs-montreal', 'anon-zackptg5-us-il-ipv4'] }, + { server_name='moulticast-ca-ipv4', via=['anon-cs-montreal', 'anon-inconnu'] }, { server_name='moulticast-de-ipv4', via=['anon-cs-de', 'anon-meganerd'] }, { server_name='moulticast-fr-ipv4', via=['anon-cs-fr', 'anon-kama'] }, { server_name='moulticast-sg-ipv4', via=['anon-saldnssg01-conoha-ipv4', 'anon-tiarap'] }, { server_name='moulticast-uk-ipv4', via=['anon-cs-london', 'anon-dnscrypt.uk-ipv4'] }, - { server_name='plan9-dns', via=['anon-cs-nyc1', 'anon-zackptg5-us-il-ipv4'] }, - { server_name='plan9-ns2', via=['anon-cs-fl', 'anon-zackptg5-us-il-ipv4'] }, + { server_name='plan9-dns', via=['anon-cs-nyc1', 'anon-inconnu'] }, + { server_name='plan9-ns2', via=['anon-cs-fl', 'anon-inconnu'] }, { server_name='pryv8boi', via=['anon-cs-de', 'anon-meganerd'] }, { server_name='pwoss.org-dnscrypt', via=['anon-cs-de', 'anon-meganerd'] }, { server_name='resolver4.dns.openinternet.io', via=['anon-cs-montreal', 'anon-plan9-ns2'] }, { server_name='scaleway-ams', via=['anon-meganerd', 'anon-serbica'] }, { server_name='scaleway-fr', via=['anon-cs-fr', 'anon-dnscrypt.uk-ipv4'] }, { server_name='serbica', via=['anon-acsacsar-ams-ipv4', 'anon-scaleway-ams'] }, - { server_name='v.dnscrypt.uk-ipv4', via=['anon-cs-london', 'anon-scaleway'] }, - { server_name='zackptg5-us-il-ipv4', via=['anon-cs-il', 'anon-plan9-ns2'] } + { server_name='v.dnscrypt.uk-ipv4', via=['anon-cs-london', 'anon-scaleway'] } # { server_name='example-server-1', via=['anon-example-1', 'anon-example-2'] }, # { server_name='example-server-2', via=['sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM'] } ] -## Skip resolvers incompatible with anonymization instead of using them directly +# Skip resolvers incompatible with anonymization instead of using them directly skip_incompatible = true -## If public server certificates for a non-conformant server cannot be -## retrieved via a relay, try getting them directly. Actual queries -## will then always go through relays. +# If public server certificates for a non-conformant server cannot be +# retrieved via a relay, try getting them directly. Actual queries +# will then always go through relays. direct_cert_fallback = false @@ -872,15 +872,13 @@ direct_cert_fallback = false [dns64] -## Static prefix(es) as Pref64::/n CIDRs - +## (Option 1) Static prefix(es) as Pref64::/n CIDRs. # prefix = ['64:ff9b::/96'] -## DNS64-enabled resolver(s) to discover Pref64::/n CIDRs +## (Option 2) DNS64-enabled resolver(s) to discover Pref64::/n CIDRs. ## These resolvers are used to query for Well-Known IPv4-only Name (WKN) "ipv4only.arpa." to discover only. ## Set with your ISP's resolvers in case of custom prefixes (other than Well-Known Prefix 64:ff9b::/96). ## IMPORTANT: Default resolvers listed below support Well-Known Prefix 64:ff9b::/96 only. - # resolver = ['[2606:4700:4700::64]:53', '[2001:4860:4860::64]:53'] @@ -894,5 +892,5 @@ direct_cert_fallback = false [static] - # [static.myserver] - # stamp = 'sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg' + # [static.'myserver'] + # stamp = 'sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'