Remove `dnscrypt.ca-*` resolvers (thank you)

https://github.com/DNSCrypt/dnscrypt-resolvers/pull/861

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,33 @@
+---
+name: 'Bug Report'
+about: Create a dnscrypt-proxy-android bug report
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '...'
+3. Scroll down to '...'
+4. See error
+
+**Expected behavior (i.e. solution)**
+A clear and concise description of what you expected to happen or what could be the solution.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Device informations:**
+- Android: `version`
+- Magisk: `version`
+- OS/Custom ROM: `e.g. stock, lineageos`
+- Browser: `e.g. stock browser, safari`
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for dnscrypt-proxy-android
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.gitignore

@@ -1 +0,0 @@
-.DS_Store

CHANGELOG.md

@@ -0,0 +1,737 @@
+# Changelog
+
+## unreleased
+### Changed
+- `dct-nl1` name resolver to `dct-nl`.
+- `dct-ru1` name resolver to `dct-ru`.
+- Optimized relays.
+
+### Removed
+- `dct-at1` resolver (ceased).
+- `dnscrypt.ca-1` resolver (ceased).
+- `dnscrypt.ca-2` resolver (ceased).
+
+## 2.1.5
+### Upstream
+ - dnscrypt-proxy can be compiled with Go 1.21.0+
+ - Responses to blocked queries now include extended error codes
+ - Reliability of connections using HTTP/3 has been improved
+ - New configuration directive: `tls_key_log_file`. When defined, this
+is the path to a file where TLS secret keys will be written to, so
+that DoH traffic can be locally inspected.
+
+### Changed
+- Optimized relays.
+
+### Removed
+- `altername` resolver (temporarily down).
+- `dct-de1` resolver (ceased).
+- `dns.watch` resolver (unresponsive).
+- `starrydns` resolver (ceased).
+
+## 2.1.4
+### Upstream
+ - Fixes a regression from version 2.1.3: when cloaking was enabled,
+blocked responses were returned for records that were not A/AAAA/PTR
+even for names that were not in the cloaked list.
+
+### Added
+- `dct-ru1` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Moscow, Russia).
+
+## 2.1.3
+### Upstream
+ - DNS-over-HTTP/3 (QUIC) should be more reliable. In particular,
+version 2.1.2 required another (non-QUIC) resolver to be present for
+bootstrapping, or the resolver's IP address to be present in the
+stamp. This is not the case any more.
+ - dnscrypt-proxy is now compatible with Go 1.20+
+ - Commands (-check, -show-certs, -list, -list-all) now ignore log
+files and directly output the result to the standard output.
+ - The `cert_ignore_timestamp` configuration switch is now documented.
+It allows ignoring timestamps for DNSCrypt certificate verification,
+until a first server is available. This should only be used on devices
+that don't have any ways to set the clock before DNS service is up.
+However, a safer alternative remains to use an NTP server with a fixed
+IP address (such as time.google.com), configured in the captive portals
+file.
+ - Cloaking: when a name is cloaked, unsupported record types now
+return a blocked response rather than the actual records.
+ - systemd: report Ready earlier as dnscrypt-proxy can itself manage
+retries for updates/refreshes.
+
+### Added
+- Script in `customize.sh` file for automatically disable Private DNS feature.
+- `dct-nl1` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Naaldwijk, Netherlands).
+- `openinternet` resolver (DNSCrypt resolver colocated at Sonic.net in Santa Rosa, CA in the United States. No log, no filter, DNSSEC. Provided by https://openinternet.io).
+
+### Changed
+- Optimized relays.
+
+### Removed
+- `acsacsar-ams-ipv4` resolver (unresponsive).
+- `dct-ru1` resolver (unresponsive).
+- `dnscrypt.eu-nl` resolver (ceased).
+- `dotya.ml` resolver (unresponsive).
+- `resolver4.dns.openinternet.io` resolver (changed).
+- `sgp-dn53` resolver (unresponsive).
+
+### Fixed
+- Show the correct changelog version in Magisk app.
+
+## 2.1.2.4
+### Added
+- Automatic redirections in `post-fs-data.sh` file.
+
+### Changed
+- Use a more modern [DNS.SB](https://dns.sb/) as `bootstrap_resolvers`.
+
+## 2.1.2.3
+### Changed
+- Use [DNS.SB](https://dns.sb/) as `bootstrap_resolvers`.
+- Use [DNS.SB](https://dns.sb/) as `netprobe_address`.
+
+### Removed
+- Automatic redirections in `post-fs-data.sh` file.
+
+## 2.1.2.2
+### Fixed
+- Forgotten scripts in `post-fs-data` file (it prevent using bootstrap resolvers correctly).
+
+## 2.1.2.1
+### Added
+- `dct-at1` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Vienna, Austria).
+- `dct-de1` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Düsseldorf, Germany).
+- `dct-ru1` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Moscow, Russia).
+- `dnswarden-uncensor-dc-swiss` resolver (Hosted in Switzerland. For more information look [here](https://github.com/bhanupratapys/dnswarden) or [here](https://dnswarden.com)).
+- `dotya.ml` resolver (Free, uncensored, DNSSEC-validated, non-logging DNSCrypt server hosted in Nuremberg, Germany on Contabo servers. Operated by dotya.ml, configs live [here](https://git.dotya.ml/dotya.ml/dnscrypt-server)).
+- `sby-limotelu` resolver (non-censoring, non-logging, DNSSEC-capable Hosted in Surabaya, Indonesia (Dnscrypt) https://limotelu.org maintained by [poentodewo](https://github.com/poentodewo)).
+- `sgp-dn53` resolver (non-censoring, non-logging, DNSSEC-capable Hosted in Singapore (Dnscrypt) https://limotelu.org maintained by [poentodewo](https://github.com/poentodewo)).
+- `starrydns` resolver (DNSCrypt server in Singapore, no filter, no logs, DNSSEC support).
+
+### Changed
+- Optimized relays.
+- Use [dns.watch](https://dns.watch/) `resolver1` and `resolver2` as `bootstrap_resolvers`.
+- Use [dns.watch](https://dns.watch/) `resolver1` as `netprobe_address`.
+
+### Removed
+- `breddns` resolver (unresponsive).
+- `dnswarden-uncensor-fr1-dc` resolver (changed).
+- `dnswarden-uncensor-ind1-dc` resolver (changed).
+- `dnswarden-uncensor-sg1-dc` resolver (changed).
+- `dnswarden-uncensor-us1-dc` resolver (changed).
+- `moulticast-fr-ipv4` resolver (unresponsive).
+- `moulticast-sg-ipv4` resolver (unresponsive).
+- `moulticast-uk-ipv4` resolver (unresponsive).
+- `pwoss.org-dnscrypt` resolver (unresponsive).
+
+## 2.1.2
+### Upstream
+- Support for DoH over HTTP/3 (DoH3, HTTP over QUIC) has been added.
+Compatible servers will automatically use it. Note that QUIC uses UDP
+(usually over port 443, like DNSCrypt) instead of TCP.
+- In previous versions, memory usage kept growing due to channels not
+being properly closed, causing goroutines to pile up. This was fixed,
+resulting in an important reduction of memory usage. Thanks to
+@lifenjoiner for investigating and fixing this!
+- DNS64: `CNAME` records are now translated like other responses.
+Thanks to @ignoramous for this!
+- A relay whose name has been configured, but doesn't exist in the
+list of available relays is now a hard error. Thanks to @lifenjoiner!
+- Mutexes/locking: bug fixes and improvements, by @ignoramous
+- Official packages now include linux/riscv64 builds.
+- `dnscrypt-proxy -resolve` now reports if ECS (EDNS-clientsubnet) is
+supported by the server.
+- `dnscrypt-proxy -list` now includes ODoH (Oblivious DoH) servers.
+- Local DoH: queries made using the `GET` method are now handled.
+- The service can now be installed on OpenRC-based systems.
+- `PTR` queries are now supported for cloaked domains. Contributed by
+Ian Bashford, thanks!
+
+### Added
+- Scripts in `post-fs-data.sh` file for force disable IPv6 connections at OS level, preventing possible leaks.
+- `breddns` resolver (Non-logging DNSCrypt server located in Luxembourg, operated by @tmclo).
+- `dnswarden-uncensor-fr1-dc` resolver (Hosted in France. For more information look [here](https://github.com/bhanupratapys/dnswarden) or [here](https://dnswarden.com)).
+- `dnswarden-uncensor-ind1-dc` resolver (Hosted in India. For more information look [here](https://github.com/bhanupratapys/dnswarden) or [here](https://dnswarden.com)).
+- `dnswarden-uncensor-sg1-dc` resolver (Hosted in Singapore. For more information look [here](https://github.com/bhanupratapys/dnswarden) or [here](https://dnswarden.com)).
+- `dnswarden-uncensor-us1-dc` resolver (Hosted in USA (Dallas). For more information look [here](https://github.com/bhanupratapys/dnswarden) or [here](https://dnswarden.com)).
+
+### Changed
+- Adjusted `versionCode` in `module.prop` file (more easy share beta and manage minor dnscrypt-proxy versions with two digits).
+- Optimized relays.
+
+### Removed
+- `dnswarden-asia-uncensor-dcv4` resolver (changed).
+- `dnswarden-eu-uncensor-dcv4` resolver (changed).
+- `dnswarden-us-uncensor-dcv4` resolver (changed).
+
+## 2.1.1-3
+### Added
+- `plan9dns-fl` resolver (Miami Florida, US No-logs, no-filters, DNSSEC -info https://jlongua.github.io/plan9-dns).
+- `plan9dns-mx` resolver (Mexico City, Mexico No-logs, no-filters, DNSSEC -info https://jlongua.github.io/plan9-dns).
+- `plan9dns-nj` resolver (Piscataway New Jersey, US No-logs, no-filters, DNSSEC -info https://jlongua.github.io/plan9-dnsPiscataway).
+- `techsaviours.org-dnscrypt` resolver (No filter | No logs | DNSSEC | Nuremberg, Germany (netcup) | Maintained by https://techsaviours.org/).
+
+### Changed
+- Optimized relays.
+
+### Fixed
+- Changelog display issues in Magisk app.
+
+### Removed
+- `bcn-dnscrypt` resolver (ceased).
+- `dns.digitalsize.net` resolver (DoH).
+- `dct-at1` resolver (temporarily down).
+- `dct-de1` resolver (temporarily down).
+- `dct-ru1` resolver (temporarily down).
+- `gombadi-syd` resolver (ceased).
+- `moulticast-ca-ipv4` resolver (unresponsive).
+- `moulticast-de-ipv4` resolver (unresponsive).
+- `plan9-ns1` resolver (changed).
+- `plan9-ns2` resolver (changed).
+
+## 2.1.1-2
+### Fixed
+- Random connection issues under mobile data. (see [DNSCrypt/dnscrypt-proxy/discussions/2020](https://github.com/DNSCrypt/dnscrypt-proxy/discussions/2020))
+
+### Removed
+- `dct-ru2` resolver (ceased).
+- `pf-dnscrypt` resolver (unresponsive).
+- `zackptg5-us-il-ipv4` resolver (ceased).
+
+## 2.1.1-1
+### Added
+- `uninstall.sh` file for `dnscrypt-proxy` folder removal after module uninstallation (Android 7 and below at the moment).
+- `update.json` file for enable the new auto-update feature from `Magisk v24+`.
+- `dct-at1` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Vienna, Austria).
+- `dct-de1` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Düsseldorf, Germany).
+- `dns.digitalsize.net` resolver (A public, non-tracking, non-filtering DNS resolver with DNSSEC enabled and hosted in Germany (https://dns.digitalsize.net)).
+- `dnswarden-asia-uncensor-dcv4` resolver (dnscrypt-server. No logging, No filtering, support DNSSEC, located in Singapore. by Bhanu Pratap).
+- `dnswarden-eu-uncensor-dcv4` resolver (dnscrypt-server. No logging, No filtering, support DNSSEC, located in Germany. by Bhanu Pratap).
+- `dnswarden-us-uncensor-dcv4` resolver (dnscrypt-server. No logging, No filtering, support DNSSEC, located in USA (Dallas). by Bhanu Pratap).
+
+### Changed
+- Project migrated to GitHub.
+- Optimized relays.
+
+### Removed
+- `zackptg5-us-pit-ipv4` resolver (unresponsive).
+
+## 2.1.1
+### Upstream
+This is a bugfix only release, addressing regressions introduced in
+version 2.1.0:
+- When using DoH, cached responses were not served any more when
+experiencing connectivity issues. This has been fixed.
+- Time attributes in allow/block lists were ignored. This has been
+fixed.
+- The TTL as served to clients is now rounded and starts decreasing
+before the first query is received.
+- Time-based rules are properly handled again in
+generate-domains-blocklist.
+- DoH/ODoH: entries with an IP address and using a non-standard port
+used to require help from a bootstrap resolver. This is not the case
+any more.
+
+### Changed
+- Optimized relays.
+
+### Removed
+- `dama.no-osl-s04` resolver (unresponsive).
+- `dama.no-sa-a80` resolver (unresponsive).
+- `kenshiro` resolver (unresponsive, no more lucenera resolvers).
+- `suami` resolver (unresponsive, no more lucenera resolvers).
+
+## 2.1.0
+### Upstream
+- `dnscrypt-proxy` now includes support for Oblivious DoH.
+- If the proxy is overloaded, cached and synthetic queries now keep being
+served, while non-cached queries are delayed.
+- A deprecation warning was for `fallback_resolvers`.
+- Source URLs are now randomized.
+- On some platforms, redirecting the application log to a file was not
+compatible with user switching; this has been fixed.
+- `fallback_resolvers` was renamed to `bootstrap_resolvers` for
+clarity. Please update your configuration file accordingly.
+
+### Added
+- DNS Rebind Protection with `blocked-ips.txt` file enabled by default.
+- UncensoredDNS (Unicast) in addition to UncensoredDNS (Anycast) as `bootstrap_resolvers`.
+- `ams-dnscrypt-nl` resolver (Resolver in Amsterdam. Dnscrypt protocol. Non-logging, non-filtering, DNSSEC).
+- `altername` resolver (Protocol: DNSCrypt IPv4 | Features: Non-logging, Non-filtering, DNSSEC, EmerDNS | Location: Moscow, Russia).
+- `dama.no-osl-s04` resolver (DNSCrypt server located in Oslo/Norway. Link-speed 100 Mbit/s. Non-censoring, non-logging, DNSSEC-capable).
+- `dama.no-sa-a80` resolver (DNSCrypt Server located in Sandefjord/Norway. non-censoring, non-logging, DNSSEC-capable).
+- `dct-ru1` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Saint Petersburg, Russia).
+- `dct-ru2` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Moscow, Russia).
+- `dns.watch` resolver (Free, uncensored, non-logging server in Germany. https://dns.watch).
+- `gombadi-syd` resolver (Protocol: DNSCrypt IPv4 | Features: Non-logging, Non-filtering, DNSSEC, Unbound | Location: Sydney, AU).
+- `kenshiro` resolver (dnscrypt-server. No logging, No filtering, support DNSSEC, located in Amsterdam. by lucenera).
+- `pf-dnscrypt` resolver (by post-factum | Zürich, Switzerland | Non-logging | Non-filtering | DNSSEC | https://dns.post-factum.tk).
+- `plan9-ns2` resolver (DNSCrypt server in Florida, USA. Non-logging, non-filtering, DNSSEC, anonymized. info - https://jlongua.github.io/plan9-dns/).
+- `pryv8boi` resolver (By pryv8, non Logging, uncensored, DNSSEC - hosted on contabo servers).
+- `resolver4.dns.openinternet.io` resolver (DNSCrypt resolver on dedicated hardware, colocated at Sonic.net in Santa Rosa, CA in the United States. No log, no filter, DNSSEC. Uses Sonic's recusrive DNS servers as upstream resolvers (but is not affiliated with Sonic in any way). Provided by https://openinternet.io).
+- `suami` resolver (dnscrypt-server. No logging, No filtering, support DNSSEC, located in Frankfurt. by lucenera).
+- `zackptg5-us-il-ipv4` resolver (DNSSEC/unfiltered/non-logged. Hosted on Vultr in Chicago, IL. Running the official Docker image by @zackptg5).
+- `zackptg5-us-pit-ipv4` resolver (DNSSEC/unfiltered/non-logged. Hosted on TeraSwitch in Pittsburgh, PA. Running the official Docker image by @zackptg5).
+
+### Changed
+- The path of the config. files from `/data/media/0/dnscrypt-proxy` to `/storage/emulated/0/dnscrypt-proxy` (fix for log issues on `A11+` and an issue on `A6-` where the config. files could not be modified).
+- Set `dnscrypt-proxy.log` level from `2` to `0` (but keep it disabled by default).
+- Optimized relays.
+
+### Removed
+- `dama.no-osl-s04` resolver (unresponsive).
+- `dama.no-sa-a80` resolver (unresponsive).
+- `kenshiro` resolver (unresponsive, no more lucenera resolvers).
+- `suami` resolver (unresponsive, no more lucenera resolvers).
+
+## 2.0.45
+### Upstream
+- Configuration changes (to be required in versions 2.1.x):
+  * `[blacklist]` has been renamed to `[blocked_names]`
+  * `[ip_blacklist]` has been renamed to `[blocked_ips]`
+  * `[whitelist]` has been renamed to `[allowed_names]`
+  * `generate-domains-blacklist.py` has been renamed to
+    `generate-domains-blocklist.py`, and the configuration files have been
+    renamed as well.
+- `dnscrypt-proxy -resolve` has been completely revamped, and now requires
+the configuration file to be accessible. It will send a query to an IP address
+of the `dnscrypt-proxy` server by default. Sending queries to arbitrary
+servers is also supported with the new `-resolve name,address` syntax.
+- Relay lists can be set to `*` for automatic relay selection. When a wildcard
+is used, either for the list of servers or relays, the proxy ensures that
+relays and servers are on distinct networks.
+- Lying resolvers are detected and reported.
+- New return code: `NOT_READY` for queries received before the proxy has
+been initialized.
+- Server lists can't be older than a week any more, even if directory
+permissions are incorrect and cache files cannot be written.
+- macOS/arm64 is now officially supported.
+- New feature: `allowed_ips`, to configure a set of IP addresses to
+never block no matter what DNS name resolves to them.
+- Hard-coded IP addresses can be immediately returned for test queries
+sent by operating systems in order to check for connectivity and captive
+portals. Such responses can be sent even before an interface is considered
+as enabled by the operating system. This can be configured in a new section
+called `[captive_portals]`.
+- On Linux, OpenBSD and FreeBSD, `listen_addresses` can now include IP
+addresses that haven't been assigned to an interface yet.
+- The logo has been tweaked to look fine on a dark background.
+- `generate-domains-blocklist.py`: regular expressions are now ignored in
+time-based entries.
+- Minor bug fixes and logging improvements.
+- Cloaking plugin: if an entry has multiple IP addresses for a type,
+all the IP addresses are now returned instead of a random one.
+- Static entries can now include DNSCrypt relays.
+- Name blocking: aliases relying on `SVCB` and `HTTPS` records can now
+be blocked in addition to aliases via regular `CNAME` records.
+- EDNS-Client-Subnet information can be added to outgoing queries.
+Instead of sending the actual client IP, ECS information is user
+configurable, and IP addresses will be randomly chosen for every query.
+- Initial DoH queries are now checked using random names in order to
+properly measure CDNs such as Tencent that ignore the padding.
+- DoH: the `max-stale` cache control directive is now present in queries.
+- Logs can now be sent to `/dev/stdout` instead of actual files.
+- User switching is now supported on macOS.
+- New download mirror (https://download.dnscrypt.net) for resolvers,
+relays and parental-control.
+
+### Added
+- `allowed-ips.txt` and `blocked-ips.txt` files (as placeholder).
+- Cleanup unneeded binary files after the installation.
+- `acsacsar-ams-ipv4` resolver (Public non-censoring, non-logging, DNSSEC-capable, DNSCrypt-enabled DNS resolver hosted on Scaleway by [acsacsar](https://nitter.net/acsacsar)).
+- `arvind-io` resolver (Public resolver by EnKrypt (https://arvind.io). Hosted in Bangalore, India. Non-logging, non-filtering, supports DNSSEC).
+- `bcn-dnscrypt` resolver (Resolver in Barcelona, Spain. DNSCrypt protocol. Non-logging, non-filtering, DNSSEC).
+- `d0wn-tz-ns1` resolver (Server provided by Martin 'd0wn' Albus) Hosted by Aptus Solutions Ltd. in Tanzania.
+- `dnscrypt.be` resolver (Resolver in Leuven, Belgium (UCLL Campus Proximus). Non-logging/DNSSEC/Uncensored. https://dnscrypt.be
+Maintained by Sigfried (https://sigfried.be) hosted by ISW Leuven (https://iswleuven.be)).
+- `dnscrypt.ca-1` resolver (Free, Canadian, uncensored, no-logs, encrypted, and DNSSEC validated. DNS service for your pleasure).
+- `dnscrypt.ca-2` resolver (Free, Canadian, uncensored, no-logs, encrypted, and DNSSEC validated. DNS service for your pleasure).
+- `dnscrypt.one` resolver (Non-logging, non-censoring, DNSSEC-capable DNSCrypt resolver hosted in Germany (Nuremberg), https://dnscrypt.one).
+- `dnscrypt.pl` resolver (Free | No filtering | Zero logs | DNSSEC | Poland | https://dnscrypt.pl/).
+- `ev-canada` resolver (Non-logging, uncensored DNS resolver provided by evilvibes.com Location: Vancouver, Canada).
+- `freetsa.org-ipv4` resolver (Non-logged/Uncensored provided by www.freetsa.org. Support for DNS and DNS-over-TLS (DoT)).
+- `jp.tiar.app` resolver (Non-Logging, Non-Filtering DNSCrypt server in Japan. No ECS, Support DNSSEC).
+- `moulticast-ca-ipv4` resolver (Public | Non-filtering | Non-logging | DNSSEC aware | Hosted in Canada | Operated by @herver (Github) | https://moulticast.net/dnscrypt/).
+- `moulticast-de-ipv4` resolver (Public | Non-filtering | Non-logging | DNSSEC aware | Hosted in Germany | Operated by @herver (Github) | https://moulticast.net/dnscrypt/).
+- `moulticast-fr-ipv4` resolver (Public | Non-filtering | Non-logging | DNSSEC aware | Hosted in France | Operated by @herver (Github) | https://moulticast.net/dnscrypt/).
+- `moulticast-sg-ipv4` resolver (Public | Non-filtering | Non-logging | DNSSEC aware | Hosted in Singapore | Operated by @herver (Github) | https://moulticast.net/dnscrypt/).
+- `moulticast-uk-ipv4` resolver (Public | Non-filtering | Non-logging | DNSSEC aware | Hosted in UK | Operated by @herver (Github) | https://moulticast.net/dnscrypt/).
+- `plan9-ns1` resolver (Resolver in New Jersey, USA. DNSCrypt protocol. Non-logging, non-filtering, DNSSEC, anonymized. Running the official Docker image on Vultr by @jlongua1).
+- `pwoss.org-dnscrypt` resolver (No filter | No logs | DNSSEC | Nuremberg, Germany (netcup) | Maintained by https://pwoss.org/ (Dan)).
+- `sarpel-dns-istanbul` resolver (No-filter | No-logs | Uncensored | Hosted in Istanbul(Turkey) on Cloudeos).
+- `serbica` resolver (Public DNSCrypt server in the Netherlands by https://litepay.ch).
+- `ventricle.us` resolver (Public DNSCrypt resolver provided by Jacob Henner. Hosted by Digital Ocean, New York).
+
+### Changed
+- `Magisk 20.4+` required.
+- Disabled `direct_cert_fallback` option to prevent direct connections through the resolvers for failed certificate retrieved via relay.
+- Reduced the max. query waiting time from `1500` to `1000` ms.
+- Renamed `blacklist.txt` into `blocked-names.txt`.
+- Renamed `whitelist.txt` into `allowed-names.txt`.
+- Optimized relays.
+
+### Removed
+- [Applied Privacy DNS](https://applied-privacy.net/privacy-policy/) and [NixNet DNS](https://nixnet.xyz/dns/) as fallback resolvers.
+- `DROP` IPv6 queries script in `post-fs-data.sh` file.
+
+## 2.0.44
+### Upstream
+- More updates to the set of block lists, thanks again to IceCodeNew.
+- Netprobes and listening sockets are now ignored when the `-list`, `-list-all`, `-show-certs` or `-check` command-line switches are used.
+- `tls_client_auth` was renamed to `doh_client_x509_auth`. A section with the previous name is temporarily ignored if empty, but will error out if not.
+- Unit tests are now working on 32-bit systems. Thanks to Will Elwood and @lifenjoiner.
+
+## 2.0.43
+### Upstream
+- Built-in support for DNS64 translation has been implemented. (Contributed by Sergey Smirnov, thanks!)
+- Connections to DoH servers can be authenticated using TLS client certificates (Contributed by Kevin O'Sullivan, thanks!)
+- Multiple stamps are now allowed for a single server in resolvers and relays lists.
+- Android: the time zone for log files is now set to the system time zone.
+- Quite a lot of updates and additions have been made to the example domain block lists. Thanks to `IceCodeNew`!
+- Cached configuration files can now be temporarily used if they are out of date, but bootstraping is impossible. Contributed by
+`lifenjoiner`, thanks!
+- Precompiled macOS binaries are now notarized.
+- `generate-domains-blacklists` now tries to deduplicate entries clobbered by wildcard rules. Thanks to `Huhni`!
+- `generate-domains-blacklists` can now directly write lists to a file with the `-o` command-line option.
+- cache files are now downloaded as the user the daemon will be running as. This fixes permission issues at startup time.
+- Forwarded queries are now subject to global timeouts, and can be
+forced to use TCP.
+- The `ct` parameter has been removed from DoH queries, as Google doesn't require it any more.
+- Service installation is now supported on FreeBSD.
+- When stored into a file, service logs now only contain data from the most recent launch. This can be changed with the new `log_file_latest` option.
+
+### Added
+- [Applied Privacy DNS](https://applied-privacy.net/privacy-policy/) and [NixNet DNS](https://nixnet.xyz/dns/) as fallback resolvers.
+
+### Changed
+- `Magisk 20+` required.
+
+## 2.0.42-3
+### Added
+- `DROP` properly IPv6 queries in `post-fs-data.sh` file (no more DNS leaks this time).
+
+## 2.0.42-2
+### Added
+- 2nd attempt to `DROP` IPv6 queries in `post-fs-data.sh` file.
+
+## 2.0.42-1
+### Added
+- 1st attempt to `DROP` IPv6 queries in `post-fs-data.sh` file.
+- `whitelist.txt` file (as placeholder, once the blacklist goes public).
+- `meganerd` resolver (Non-logging, non-filtering, supports DNSSEC by MegaNerd.nl).
+
+### Changed
+- Moved all the example documents into `dnscrypt-proxy/example-docs` folder (the remaining example documents must be deleted manually).
+- Optimized relays.
+
+### Removed
+- `dnscrypt.nl-ns0` resolver.
+- `dnscrypt.one` resolver.
+- `ffmuc.net` resolver.
+- `publicarray-au2` resolver.
+
+## 2.0.42
+### Upstream
+- The current versions of the `dnsdist` load balancer (presumably used
+by quad9, cleanbrowsing, qualityology, freetsa.org, ffmuc.net,
+opennic-bongobow, sth-dnscrypt-se, ams-dnscrypt-nl and more)
+is preventing queries over 1500 bytes from being received over UDP.
+Temporary workarounds have been introduced to improve reliability
+with these resolvers for regular DNSCrypt. Unfortunately, anonymized
+DNS cannot be reliable until the issue is fixed server-side. `dnsdist`
+authors are aware of it and are working on a fix.
+- New option in the `[anonymized_dns]` section: `skip_incompatible`,
+to ignore resolvers incompatible with Anonymized DNS instead of
+using them without a relay.
+- The server latency benchmark is faster while being able to perform
+more retries if necessary.
+- Continuous integration has been moved to GitHub Actions.
+
+### Added
+- Set `skip_incompatible` option from `false` to `true` to ignore servers incompatible with anonymization.
+
+## 2.0.41
+### Upstream
+- Precompiled binaries for armv5, armv6 and armv7 are available.
+The default arm builds were not compatible with older CPUs when
+compiled with Go 1.14. mips64 binaries are explicitly compiled with
+softfloat to improve compatibility.
+- Quad9 seems to be only blocking fragmented queries over UDP for
+some networks. They have been removed from the default list of broken
+resolvers; runtime detection of support for fragments should now do
+the job.
+- Runtime detection of support for fragments was actually enabled.
+
+## 2.0.40
+### Upstream
+- Servers blocking fragmented queries are now automatically detected.
+- The server name is now only present in query logs when an actual upstream servers was required to resolve a query.
+- TLS client authentication has been added for DoH.
+- The Firefox plugin is now skipped for connections coming from the local DoH server.
+- DoH RTT computation is now more accurate, especially when CDNs are in the middle.
+- The forwarding plugin is now more reliable, and handles retries over TCP.
+
+## 2.0.39-2
+### Removed
+- `blacklist.txt` file (too many false positives, will be added back in the future, when it reaches a more stable level).
+
+## 2.0.39-1
+### Added
+- Automatic redirection in `post-fs-data.sh` file. (no more 3rd-party apps are required to start the service).
+- Substrings and wildcards into `blacklist.txt` file and updated to `2020.03.19`.
+
+### Removed
+- `ibksturm` resolver.
+- `dnswarden-dc1`, `dnswarden-dc2`, `dnswarden-dc3`, resolvers.
+
+## 2.0.39
+### Upstream
+- The Firefox Local DoH service didn't properly work in version 2.0.38; 
+this has been fixed. Thanks to Simon Brand for the report!
+
+## 2.0.38
+### Upstream
+- Entries from lists (forwarding, blacklists, whitelists) now support
+inline comments.
+- Reliability improvement: queries over UDP are retried after a timeout
+instead of solely relying on the client.
+- Reliability improvement: during temporary network outages, cached records
+are now served even if they are stale.
+- Bug fix: SOCKS proxies and DNS relays can be combined.
+- New feature: multiple fallback resolvers are now supported (see the
+new `fallback_resolvers` option. Note that `fallback_resolver` is
+still supported for backward compatibility).
+- Windows: the service can be installed with a configuration file
+stored separately from the application.
+- Security (affecting DoH): precompiled binaries of `dnscrypt-proxy 2.0.37` are
+built using `Go 1.13.7` that fixes a TLS certificate parsing issue present in
+previous versions of the compiler.
+
+### Added
+- `dnswarden-dc3` (DnsCrypt protocol . Non-logging, supports DNSSEC. By https://dnswarden.com).
+
+### Changed
+- `Magisk 19+` required.
+- Updated `blacklist.txt` to `2020.01.30`.
+
+### Fixed
+- `dnscrypt-proxy` service doesn't detect the config file.
+
+## 2.0.36
+### Upstream
+- New option: `block_undelegated`. When enabled, `dnscrypt-proxy` will
+directly respond to queries for locally-served zones (https://sk.tl/2QqB971U)
+and nonexistent zones that should have been kept local, but are frequently
+leaked. This reduces latency and improves privacy.
+- Conformance: the `DO` bit is now set in synthetic responses if it was
+set in a question, and the `AD` bit is cleared.
+- The `miegkg/dns` module was updated to version 1.1.26, that fixes a
+security issue affecting non-encrypted/non-authenticated DNS traffic. In
+`dnscrypt-proxy`, this only affects the forwarding feature.
+
+### Added
+- `dnscrypt.one` resolver (DNSSEC / no logs / uncensored, Germany (Nuremberg), https://dnscrypt.one/).
+
+### Changed
+- Updated `blacklist.txt` to `2019.12.22`.
+- Optimized relays.
+
+## 2.0.35
+### Upstream
+- New option: `block_unqualified` to block `A`/`AAAA` queries with
+unqualified host names. These will very rarely get an answer from upstream
+resolvers, but can leak private information to these, as well as to root
+servers.
+- When a `CNAME` pointer is blocked, the original query name is now logged
+along with the pointer. This makes it easier to know what the original
+query name, so it can be whitelisted, or what the pointer was, so it
+can be removed from the blacklist.
+
+### Added
+- `scaleway-ams` resolver (DNSSEC/Non-logged/Uncensored in Amsterdam- ARM server donated by Scaleway.com) Maintained by Frank Denis- https://fr.dnscrypt.info).
+- `ffmuc.net` resolver (An open DNSCrypt resolver operated by Freifunk Munich with nodes in DE. https://ffmuc.net/).
+
+### Changed
+- Updated `blacklist.txt` to `2019.12.09`.
+- Optimized relays.
+
+### Fixed
+- Backup an existing `.toml` file before proceed with the installation.
+
+## 2.0.34
+### Upstream
+- Blacklisted names are now also blocked if they appear in `CNAME`
+pointers.
+- `dnscrypt-proxy` can now act as a local DoH *server*. Firefox can
+be configured to use it, so that ESNI can be enabled without bypassing
+your DNS proxy.
+
+### Added
+- `ibksturm`- dnscrypt-server (nginx- encrypted-dns- unbound backend), DNSSEC / Non-Logged / Uncensored, OpenNIC and Root DNS-Zone- Hosted in Switzerland by ibksturm, aka Andreas Ziegler).
+- `blacklist.txt` file to prevent `CNAME Cloaking` tracking feature.
+
+### Changed
+- Optimized relays.
+
+### Removed
+- `charis` and `suami` resolvers.
+
+## 2.0.33
+### Upstream
+- Fixes an issue that caused some valid queries to return `PARSE_ERROR`.
+- On certificate errors, the server name is now logged instead of the
+provider name, which is generally more useful.
+- IP addresses for DoH servers that require DNS lookups are now cached
+for at least 12 hours.
+- `ignore_system_dns` is now set to `true` by default.
+- A workaround for a bug in Cisco servers has been implemented.
+- A corrupted or incomplete resolvers list is now ignored, keeping the
+last good known cached list until the next update. In addition, logging was
+improved and unit tests were also added. Awesome contribution from William
+Elwood, thanks!
+- On Windows, the network probe immediately returned instead of blocking
+if `netprobe_timeout` was set to `-1`. This has been fixed.
+- Expired cached IP addresses now have a grace period, to avoid breaking the
+service if they temporarily can't be refreshed.
+- On Windows, the service now returns immediately, solving a long-standing
+issue when initialization took more than 30 seconds ("The service did not
+respond to the start or control request in a timely fashion"). Fantastic
+work by Alison Winters, thanks!
+- The `SERVER_ERROR` error code has been split into two new error codes:
+`NETWORK_ERROR` (self-explanatory) and `SERVFAIL` (a response was returned,
+but it includes a `SERVFAIL` error code).
+- Responses are now always compressed.
+
+### Added
+- `v.dnscrypt.uk-ipv4` (DNSCrypt v2, no logs, uncensored, DNSSEC. Hosted in London UK on Vultr- https://www.dnscrypt.uk).
+- Optimized relays (set to use other providers different from the main one).
+
+## 2.0.31
+### Upstream
+- This version fixes a startup issue introduced in version 2.0.29, on systems for which the service cannot be automatically installed (such as OpenBSD and FreeBSD). Reported by @5ch17 and Vinícius Zavam, and fixed by Will Elwood, thanks!
+- This version fixes two regressions introduced in version 2.0.29: DoH server couldn't be reached over IPv6 any more, and the proxy couldn't be interrupted while servers were being benchmarked.
+
+### Changed
+- Another way to backup an existing `.toml` file (the old configuration is now backed up with `year-month-day-hour-minute.bak` suffix, thanks to @lindroidux).
+
+## 2.0.29
+### Upstream
+- Support for Anonymized DNS has been added!
+- Wait before stopping, fixing an issue with Unbound (thanks to Vladimir Bauer)
+- DNS stamps are now included in the `-list-all-json` ouptut
+- The `netprobe_timeout` setting from the configuration file or command-line was ignored. This has been fixed.
+- The TTL or cloaked entries can now be adjusted (thanks to Markus Linnala)
+- Cached IP address from DoH servers now expire (thanks to Markus Linnala)
+- DNSCrypt certificates can be fetched over Tor and SOCKS proxies
+- Retries over TCP are faster
+- Improved logging (thanks to Alison Winters)
+- Ignore non-TXT records in certificate responses (thanks to Vladimir Bauer)
+- A lot of internal cleanups, thanks to Markus Linnala
+
+### Added
+- `publicarray-au` resolver Australia (DNSSEC/OpenNIC/Non-logging/Uncensored- hosted on vultr.com maintained by publicarray- https://dns.seby.io).
+- `publicarray-au2` resolver Australia (DNSSEC/OpenNIC/Non-logging/Uncensored- hosted on ovh.com.au maintained by publicarray- https://dns.seby.io).
+
+### Changed
+- Optimized relays.
+
+## 2.0.29-beta.3
+### Upstream
+- Support for Anonymized DNSCrypt has been added.
+- Latency with large responses has actually been reduced.
+- DNSCrypt certificates can now be retrieved over Tor, proxies, and DNS relays.
+- Improved server error reporting (thanks to Alison Winters)
+- Quite a lot of internal improvements and bug fixes have been made, thanks to Markus Linnala.
+- Improved logging
+- Added a workaround for DNS servers using a non-standard provider name.
+
+### Added
+- `anonymized_dns` feature (each resolver has 2 relays assigned).
+- `scaleway-fr` resolver (DNSSEC/Non-logging/Uncensored- Maintained by Frank Denis- https://fr.dnscrypt.info).
+
+## 2.0.28
+### Upstream
+- Invalid server entries are now skipped instead of preventing a source from being used. Thanks to Alison Winters for the contribution!
+- Truncated responses are immediately retried over TCP instead of waiting for the client to retry. This reduces the latency for large responses.
+- Responses sent to the local network are assumed to support at least 1252 bytes packets, and use optional information from EDNS up to 4096 bytes. This also reduces latency.
+- Logging improvements: servers are not logged for cached, synthetic and cloaked responses. And the forwarder is logged instead of the regular server for forwarded responses.
+
+## 2.0.27
+### Upstream
+- The X25519 implementation was changed from using the Go standard implementation to using Cloudflare's CIRCL library. Unfortunately, CIRCL appears to be broken on big-endian systems. That change has been reverted.
+- All the dependencies have been updated.
+
+### Changed
+- New project mantainer, [@quindecim](https://github.com/quindecim) :)
+___
+
+#### v2.8.7 ([@bluemeda](https://github.com/bluemeda))
+- Changed path of configuration file [dnscrypt.toml] from /system/etc/ to /data/media/0/ [or /sdcard]
+- Updated binary & configuration files to 2.0.25
+- Removed automatic redirection of dns-request and let dnscrypt-proxy do its job only.
+
+#### v2.8.5 ([@bluemeda](https://github.com/bluemeda))
+- Fix #40
+
+#### v2.8.4 ([@bluemeda](https://github.com/bluemeda))
+- Fix failed to copy or backup config file
+
+#### v2.8.3 ([@bluemeda](https://github.com/bluemeda))
+- Fix permission issue
+- Add option to replace or backup-restore config file
+
+#### v2.8.2 ([@bluemeda](https://github.com/bluemeda))
+- Fix "binary file is missing"
+
+#### v2.8.7 ([@bluemeda](https://github.com/bluemeda))
+- Update Magisk 18100 requirements
+
+#### v2.8.0 ([@bluemeda](https://github.com/bluemeda))
+- Update binary files 2.0.22
+
+#### v2.7.0 ([@bluemeda](https://github.com/bluemeda))
+- Update binary files 2.0.21
+
+#### v2.6.0 ([@bluemeda](https://github.com/bluemeda))
+- Update binary files to 2.0.19
+
+#### v2.5.0 ([@bluemeda](https://github.com/bluemeda))
+- Update binary files to 2.0.16
+- add exception for cloudflare fallback resolver.
+
+#### v2.4.0 ([@bluemeda](https://github.com/bluemeda))
+- Update binary files to 2.0.14
+
+#### v2.3.0 ([@bluemeda](https://github.com/bluemeda))
+- Update binary files to 2.0.10
+- Add option to choose auto redirect DNS or manually set with 3rd-party app.
+
+#### v2.2.0 ([@bluemeda](https://github.com/bluemeda))
+- Update binary files to 2.0.8
+
+#### v2.1.3 ([@bluemeda](https://github.com/bluemeda))
+- If you have previous version, please uninstall it first then reinstall it again or you can change listen port manually in dnscrypt-proxy.toml file.
+- Fix Tethering Client cannot Resolve DNSCrypt
+- Fix Chromecast devices not showing jedisct1/dnscrypt-proxy#226
+- Add binary files for x86 and x86_64 (test)
+
+#### v2.1.2 ([@bluemeda](https://github.com/bluemeda))
+- Bug Fixes
+
+#### v2.1.1 ([@bluemeda](https://github.com/bluemeda))
+- Bug fixes
+
+#### v2.1 ([@bluemeda](https://github.com/bluemeda))
+- Bug fixes
+
+#### v2.0 ([@bluemeda](https://github.com/bluemeda))
+- Resolve download.dnscrypt.info first before executing iptable
+- Don't override dnscrypt-proxy.toml if exist
+- Update binary files to v2.0.6
+
+#### v1.1 ([@bluemeda](https://github.com/bluemeda))
+- Change listen port to 5353 (avoid conflict while tethering)
+
+#### v1.0 ([@bluemeda](https://github.com/bluemeda))
+- Initial release
+- dnscrypt-proxy v2.0.5

LICENSE.md

@@ -0,0 +1,675 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights.  Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received.  You must make sure that they, too, receive
+or can get the source code.  And you must show them these terms so they
+know their rights.
+
+  Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+  For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software.  For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+  Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so.  This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software.  The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable.  Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products.  If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+  Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary.  To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Use with the GNU Affero General Public License.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    dnscrypt-proxy-android
+    Copyright (C) 2020-2023, d3cim
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+    dnscrypt-proxy-android  Copyright (C) 2020-2023, d3cim
+    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+<https://www.gnu.org/licenses/>.
+
+  The GNU General Public License does not permit incorporating your program
+into proprietary programs.  If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.  But first, please read
+<https://www.gnu.org/licenses/why-not-lgpl.html>.
+

META-INF/com/google/android/update-binary

@@ -11,7 +11,7 @@ ui_print() { echo "$1"; }
 
 require_new_magisk() {
   ui_print "*******************************"
-  ui_print " Please install Magisk v20.0+! "
+  ui_print " Please install Magisk v20.4+! "
   ui_print "*******************************"
   exit 1
 }
@@ -27,171 +27,7 @@ mount /data 2>/dev/null
 
 [ -f /data/adb/magisk/util_functions.sh ] || require_new_magisk
 . /data/adb/magisk/util_functions.sh
-[ $MAGISK_VER_CODE -lt 20000 ] && require_new_magisk
+[ $MAGISK_VER_CODE -lt 20400 ] && require_new_magisk
 
-if [ $MAGISK_VER_CODE -ge 20400 ]; then
-  # New Magisk have complete installation logic within util_functions.sh
-  install_module
-  exit 0
-fi
-
-#################
-# Legacy Support
-#################
-
-TMPDIR=/dev/tmp
-PERSISTDIR=/sbin/.magisk/mirror/persist
-
-is_legacy_script() {
-  unzip -l "$ZIPFILE" install.sh | grep -q install.sh
-  return $?
-}
-
-print_modname() {
-  local authlen len namelen pounds
-  namelen=`echo -n $MODNAME | wc -c`
-  authlen=$((`echo -n $MODAUTH | wc -c` + 3))
-  [ $namelen -gt $authlen ] && len=$namelen || len=$authlen
-  len=$((len + 2))
-  pounds=$(printf "%${len}s" | tr ' ' '*')
-  ui_print "$pounds"
-  ui_print " $MODNAME "
-  ui_print " by $MODAUTH "
-  ui_print "$pounds"
-  ui_print "*******************"
-  ui_print " Powered by Magisk "
-  ui_print "*******************"
-}
-
-# Override abort as old scripts have some issues
-abort() {
-  ui_print "$1"
-  $BOOTMODE || recovery_cleanup
-  [ -n $MODPATH ] && rm -rf $MODPATH
-  rm -rf $TMPDIR
-  exit 1
-}
-
-rm -rf $TMPDIR 2>/dev/null
-mkdir -p $TMPDIR
-
-# Preperation for flashable zips
-setup_flashable
-
-# Mount partitions
-mount_partitions
-
-# Detect version and architecture
-api_level_arch_detect
-
-# Setup busybox and binaries
-$BOOTMODE && boot_actions || recovery_actions
-
-##############
-# Preparation
-##############
-
-# Extract prop file
-unzip -o "$ZIPFILE" module.prop -d $TMPDIR >&2
-[ ! -f $TMPDIR/module.prop ] && abort "! Unable to extract zip file!"
-
-$BOOTMODE && MODDIRNAME=modules_update || MODDIRNAME=modules
-MODULEROOT=$NVBASE/$MODDIRNAME
-MODID=`grep_prop id $TMPDIR/module.prop`
-MODNAME=`grep_prop name $TMPDIR/module.prop`
-MODAUTH=`grep_prop author $TMPDIR/module.prop`
-MODPATH=$MODULEROOT/$MODID
-
-# Create mod paths
-rm -rf $MODPATH 2>/dev/null
-mkdir -p $MODPATH
-
-##########
-# Install
-##########
-
-if is_legacy_script; then
-  unzip -oj "$ZIPFILE" module.prop install.sh uninstall.sh 'common/*' -d $TMPDIR >&2
-
-  # Load install script
-  . $TMPDIR/install.sh
-
-  # Callbacks
-  print_modname
-  on_install
-
-  # Custom uninstaller
-  [ -f $TMPDIR/uninstall.sh ] && cp -af $TMPDIR/uninstall.sh $MODPATH/uninstall.sh
-
-  # Skip mount
-  $SKIPMOUNT && touch $MODPATH/skip_mount
-
-  # prop file
-  $PROPFILE && cp -af $TMPDIR/system.prop $MODPATH/system.prop
-
-  # Module info
-  cp -af $TMPDIR/module.prop $MODPATH/module.prop
-
-  # post-fs-data scripts
-  $POSTFSDATA && cp -af $TMPDIR/post-fs-data.sh $MODPATH/post-fs-data.sh
-
-  # service scripts
-  $LATESTARTSERVICE && cp -af $TMPDIR/service.sh $MODPATH/service.sh
-
-  ui_print "- Setting permissions"
-  set_permissions
-else
-  print_modname
-
-  unzip -o "$ZIPFILE" customize.sh -d $MODPATH >&2
-
-  if ! grep -q '^SKIPUNZIP=1$' $MODPATH/customize.sh 2>/dev/null; then
-    ui_print "- Extracting module files"
-    unzip -o "$ZIPFILE" -x 'META-INF/*' -d $MODPATH >&2
-
-    # Default permissions
-    set_perm_recursive $MODPATH 0 0 0755 0644
-  fi
-
-  # Load customization script
-  [ -f $MODPATH/customize.sh ] && . $MODPATH/customize.sh
-fi
-
-# Handle replace folders
-for TARGET in $REPLACE; do
-  ui_print "- Replace target: $TARGET"
-  mktouch $MODPATH$TARGET/.replace
-done
-
-if $BOOTMODE; then
-  # Update info for Magisk Manager
-  mktouch $NVBASE/modules/$MODID/update
-  cp -af $MODPATH/module.prop $NVBASE/modules/$MODID/module.prop
-fi
-
-# Copy over custom sepolicy rules
-if [ -f $MODPATH/sepolicy.rule -a -e $PERSISTDIR ]; then
-  ui_print "- Installing custom sepolicy patch"
-  # Remove old recovery logs (which may be filling partition) to make room
-  rm -f $PERSISTDIR/cache/recovery/*
-  PERSISTMOD=$PERSISTDIR/magisk/$MODID
-  mkdir -p $PERSISTMOD
-  cp -af $MODPATH/sepolicy.rule $PERSISTMOD/sepolicy.rule || abort "! Insufficient partition size"
-fi
-
-# Remove stuffs that don't belong to modules
-rm -rf \
-$MODPATH/system/placeholder $MODPATH/customize.sh \
-$MODPATH/README.md $MODPATH/.git* 2>/dev/null
-
-#############
-# Finalizing
-#############
-
-cd /
-$BOOTMODE || recovery_cleanup
-rm -rf $TMPDIR
-
-ui_print "- Done"
+install_module
 exit 0
-

README.md

@@ -1,12 +1,13 @@
-# DNSCrypt Proxy 2 for Android | privacy oriented
+# DNSCrypt Proxy 2 for Android
 
-A flexible DNS proxy, with support for modern encrypted DNS protocols such as [DNSCrypt v2](https://dnscrypt.info/protocol), [DNS-over-HTTPS](https://www.rfc-editor.org/rfc/rfc8484.txt) and [Anonymized DNSCrypt](https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/ANONYMIZED-DNSCRYPT.txt).
+![GitHub release (latest by date)](https://img.shields.io/github/v/release/d3cim/dnscrypt-proxy-android?style=for-the-badge)
+![GitHub all releases](https://img.shields.io/github/downloads/d3cim/dnscrypt-proxy-android/total?style=for-the-badge)
 
+A flexible DNS proxy, with support for modern encrypted DNS protocols such as [DNSCrypt v2](https://dnscrypt.info/protocol), [DNS-over-HTTPS](https://www.rfc-editor.org/rfc/rfc8484.txt), [Anonymized DNSCrypt](https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/ANONYMIZED-DNSCRYPT.txt) and [ODoH (Oblivious DoH)](https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-servers.md).
 
 ## Features
-- For all features please refer to the [OFFICIAL PAGE](https://github.com/DNSCrypt/dnscrypt-proxy#features)
-- All binary files are downloaded from the [OFFICIAL RELEASE PAGE](https://github.com/DNSCrypt/dnscrypt-proxy/releases)
 
+- For all features please refer to the [official page](https://github.com/DNSCrypt/dnscrypt-proxy#features).
 
 ## Pre-built binaries
 
@@ -17,56 +18,88 @@ Up-to-date, pre-built binaries are available for:
 - Android/x86
 - Android/x86_64
 
+All the binary files are downloaded from the [official release page](https://github.com/DNSCrypt/dnscrypt-proxy/releases).
 
-## Differences between default DNSCrypt Proxy project
+## Differences from the main project
 
-##### **- CONFIG. FILE:** *(dnscrypt-proxy.toml)*
+- `server_names` = `ams-dnscrypt-nl` [NLD], `d0wn-tz-ns1` [TZA], `dct-nl` [NLD], `dct-ru` [RUS], `dnscrypt.be` [BEL], `dnscrypt.pl` [POL], `dnscrypt.uk-ipv4` [GBR], `dnswarden-uncensor-dc-swiss` [CHE], `meganerd` [NLD], `openinternet` [USA], `plan9dns-fl` [USA], `plan9dns-mx` [MEX], `plan9dns-nj` [USA], `pryv8boi` [DEU], `sby-limotelu` [IDN], `scaleway-ams` [NLD], `scaleway-fr` [FRA], `serbica` [NLD], `techsaviours.org-dnscrypt` [DEU], `v.dnscrypt.uk-ipv4` [GBR] are the resolvers in use.
 
-- ✅ `DNSSEC` required
-- ✅ Enabled `dnscrypt_ephemeral_keys` feature *(create a new, unique key for every single DNS query)*
-- ✅ Enabled `anonymized_dns` feature *(each resolver has 2 relays)*
-- ✅ Enabled `skip_incompatible` option *(ignore resolvers incompatible with Anonymized DNS instead of using them without a relay)*
-- ✅ Enabled `blacklist.txt` and `whitelist.txt` file *(as placeholder, use them as you wish)*
-- ⛔️ `DoH` disabled
-- ⛔️ `IPv6` disabled
-- ℹ️ Set`refused` response to blocked queries
-- ℹ️ Set DNS query max. response time from `5000` to `1500`, in ms.
-- ℹ️ Use [UncensoredDNS](https://blog.uncensoreddns.org/), [Applied Privacy DNS](https://appliedprivacy.net/services/dns/) and [NixNet DNS](https://nixnet.xyz/dns/) as fallback resolvers instead [CloudFlare](https://iscloudflaresafeyet.com/)
-- ℹ️ Use `dnscrypt.eu-dk` (DK), `dnscrypt.eu-nl` (NL), `dnscrypt.uk-ipv4` (UK), `meganerd` (NL), `publicarray-au` (AUS), `scaleway-ams` (NL), `scaleway-fr` (FR) and `v.dnscrypt.uk-ipv4` (UK)
+- `doh_servers = false` (disable servers implementing the `DNS-over-HTTPS` protocol)
 
+- `require_dnssec = true` (server must support `DNSSEC` security extension)
+
+- `force_tcp = true` (fix for mobile data intial connection random issues if `routes` have been set and `skip_incompatible = true`, see [DNSCrypt/dnscrypt-proxy/discussions/2020](https://github.com/DNSCrypt/dnscrypt-proxy/discussions/2020))
+
+- `timeout = 1000` (set the max. response time of a single DNS query from `5000` to `1000` ms.)
+
+- `blocked_query_response = 'refused'` (set `refused` response to blocked queries)
+
+- `# log_level = 0` (set the log level of the `dnscrypt-proxy.log` file to very verbose, but keep it disabled by default)
+
+- `dnscrypt_ephemeral_keys = true` (create a new, unique key for every single DNS query)
+
+- `bootstrap_resolvers = ['45.11.45.11:53']` (use [DNS.SB](https://dns.sb/) instead [CloudFlare](https://archive.today/tS1Ln))
+
+- `netprobe_address = '45.11.45.11:53'` (use [DNS.SB](https://dns.sb/) instead [CloudFlare](https://archive.today/tS1Ln))
+
+- `block_ipv6 = true` (immediately respond to IPv6-related queries with an empty response)
+
+- `blocked-names.txt`, `blocked-ips.txt`, `allowed-names.txt` and `allowed-ips.txt` files enabled. (to know more specifics about this, please refer to the [Filters (optional)](https://github.com/d3cim/dnscrypt-proxy-android#filters-optional) section below)
+
+- `anonymized_dns` feature enabled. (`routes` are indirect ways to reach DNSCrypt servers, each resolver has 2 relays assigned)
+
+- `skip_incompatible = true` (skip resolvers incompatible with anonymization instead of using them directly)
+
+- `direct_cert_fallback = false` (prevent direct connections through the resolvers for failed certificate retrieved via relay)
 
 ## Installation
 
-1. Download latest `.zip` file from [dnscrypt-proxy-android | CHANNEL](https://t.me/dnscrypt_proxy) on Telegram and flash it with Magisk Manager.
-2. Reboot.
-3. Test your DNS: https://dnsleaktest.com/
-
-
-### Configuration (post-installing)
-
-- You can edit `dnscrypt-proxy.toml` as you wish located on `/sdcard/dnscrypt-proxy/dnscrypt-proxy.toml` [or /data/media/0/dnscrypt-proxy/dnscrypt-proxy.toml].
-- For more detailed configuration please refer to [official documentation](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Configuration).
-- For more support on a good privacy oriented setup, join with us at [dnscrypt-proxy-android | CHAT](https://t.me/qd_invitation) on Telegram.
-
-
-#### AFWall+ users only
-
-If you experience no connection issue after flashing the module I suggest you to insert these scripts: (in both, enter and shutdown boxes)
+**1.** Download the latest `dnscrypt-proxy-android-*.zip` file from the [Releases](https://github.com/d3cim/dnscrypt-proxy-android/releases/latest) page and flash it with [Magisk](https://github.com/topjohnwu/Magisk):
 
 ```
-iptables -A "afwall" -d 127.0.0.1 -p tcp --dport 5354 -j ACCEPT
-iptables -A "afwall" -d 127.0.0.1 -p udp --dport 5354 -j ACCEPT
+Magisk > Modules > Install from storage > dnscrypt-proxy-android-*.zip
 ```
 
-The issue is related to the use of `AFWall+` and only happens on some devices, it depends on how the DNS configuration is implemented in the device itself.
+**2.** Reboot your device.
 
+**3.** Test your DNS at https://dnsleaktest.com/
+
+### Configuration (optional)
+
+You can edit the `dnscrypt-proxy.toml` file as you wish located on `storage/emulated/0/dnscrypt-proxy` path.
+
+For a more detailed configuration you can refer to the [official documentation](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Configuration) or simply join our group on [Telegram](https://telegram.org/), at [dnscrypt-proxy-android | CHAT](https://t.me/qd_invitations).
+
+### Filters (optional)
+
+Filters are a powerful set of built-in features, that let you control exactly what domain names and IP addresses your device are allowed to connect to. This can be used to block ads, trackers, malware, or anything you don't want your device to load.
+
+This [module](https://github.com/d3cim/dnscrypt-proxy-android) comes with the [filtering feature](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters) enabled by default, that's why you can see files designed for this operation inside the internal folder. Out of the box these files are empty and are used only to ensure the correct start of `dnscrypt-proxy` service.\
+To know more about it you can consult the [official documentation](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters), or in a simpler way through my [block repository](https://github.com/d3cim/block).
+
+I'm also providing the `allowed-names.txt` and `blocked-names.txt` files regularly updated at [dnscrypt-proxy-filters | CHANNEL](https://t.me/dnscrypt_proxy_filters). The [sources](https://github.com/d3cim/block#sources) used for this merge are among the hardest on the web.
+
+You can contribute to this blocklist at anytime, opening a [New Issue](https://github.com/d3cim/dnscrypt-proxy-android/issues) here or simply reporting the issue at [dnscrypt-proxy-filters | CHAT](https://t.me/qd_invitations) on [Telegram](https://telegram.org/).
 
 ## Changelog
 
-[Full changelog](changelog.md)
+- See [CHANGELOG](https://github.com/d3cim/dnscrypt-proxy-android/blob/master/CHANGELOG.md).
 
+## Version numbers
 
-## Credit
-- DNSCrypt-Proxy2 upstream | [jedisct1](https://github.com/DNSCrypt/dnscrypt-proxy)
-- [bluemeda](https://github.com/bluemeda) for the original module
-- [All contributors](https://github.com/Magisk-Modules-Repo/dnscrypt-proxy/graphs/contributors)
+dnscrypt-proxy-android tags follow the format `{dnscrypt-proxy_version}.{revision}` where
+
+* `dnscrypt-proxy_version` is the version of dnscrypt-proxy used in `x.x.x` format, and
+* `revision` is a number indicating the version of dnscrypt-proxy-android for the corresponding dnscrypt-proxy version.
+
+## Donations
+
+- **BTC** address: `126Y2BJQyPq8CHAaFMCyVH5QcbSViQz89e`
+- **ETH** address: `0x16b917Bb585D2411b9c9C81b03de72471f3f072F`
+- **XMR** address: `41jXybL88etPg1nGuPsMZbFSzKzbXYat4Xak3QssPy7LNs4VBWXDxbhjSdtLJDA138cx7cTq8JhFoiTTVLhWrTNAUywgGFD`
+
+## Credits
+
+- [Frank Denis](https://github.com/jedisct1) and his [contributors](https://github.com/DNSCrypt/dnscrypt-proxy/graphs/contributors) for the upstream code.
+- [Affif Mukhlashin](https://github.com/bluemeda) and his [contributors](https://github.com/bluemeda/dnscrypt-proxy-magisk/graphs/contributors) for the very first module.
+- [John Wu](https://github.com/topjohnwu) and his [contributors](https://github.com/topjohnwu/Magisk/graphs/contributors) for Magisk.

changelog.md

@@ -1,442 +0,0 @@
-# Changelog
-
-
-## 2.0.44
-
-##### Updated binary files to 2.0.44 | jedisct1
-- More updates to the set of block lists, thanks again to IceCodeNew.
-- Netprobes and listening sockets are now ignored when the `-list`, `-list-all`, `-show-certs` or `-check` command-line switches are used.
-- `tls_client_auth` was renamed to `doh_client_x509_auth`. A section with the previous name is temporarily ignored if empty, but will error out if not.
-- Unit tests are now working on 32-bit systems. Thanks to Will Elwood and @lifenjoiner.
-
-##### Updated config files to 2.0.44 | quindecim
-- 
-
-
-## 2.0.43
-
-##### Updated binary files to 2.0.43 | jedisct1
-- Built-in support for DNS64 translation has been implemented. (Contributed by Sergey Smirnov, thanks!)
-- Connections to DoH servers can be authenticated using TLS client certificates (Contributed by Kevin O'Sullivan, thanks!)
-- Multiple stamps are now allowed for a single server in resolvers and relays lists.
-- Android: the time zone for log files is now set to the system time zone.
-- Quite a lot of updates and additions have been made to the example domain block lists. Thanks to `IceCodeNew`!
-- Cached configuration files can now be temporarily used if they are out of date, but bootstraping is impossible. Contributed by
-`lifenjoiner`, thanks!
-- Precompiled macOS binaries are now notarized.
-- `generate-domains-blacklists` now tries to deduplicate entries clobbered by wildcard rules. Thanks to `Huhni`!
-- `generate-domains-blacklists` can now directly write lists to a file with the `-o` command-line option.
-- cache files are now downloaded as the user the daemon will be running as. This fixes permission issues at startup time.
-- Forwarded queries are now subject to global timeouts, and can be
-forced to use TCP.
-- The `ct` parameter has been removed from DoH queries, as Google doesn't require it any more.
-- Service installation is now supported on FreeBSD.
-- When stored into a file, service logs now only contain data from the most recent launch. This can be changed with the new `log_file_latest` option.
-
-##### Updated config files to 2.0.43 | quindecim
-- ✅ Added `Applied Privacy DNS` and `NixNet DNS` as additional fallback resolvers.
-- ℹ️ Required `Magisk 20+` from now on.
-
-
-## 2.0.42-3
-
-##### Updated binary files to 2.0.42 | jedisct1
-- 
-
-##### Updated config files to 2.0.42-3 | quindecim
-- ⛔️ Disabled properly `IPv6` queries in `post-fs-data.sh` file (no more DNS leaks this time)
-
-
-## 2.0.42-2
-
-##### Updated binary files to 2.0.42 | jedisct1
-- 
-
-##### Updated config files to 2.0.42-2 | quindecim
-- ⛔️ Disabled every `IPv6` queries in `post-fs-data.sh` file: `INPUT`, `FORWARD` and `OUTPUT` (to enforce leaks prevention in some cases).
-
-
-## 2.0.42-1
-
-##### Updated binary files to 2.0.42 | jedisct1
-- 
-
-##### Updated config files to 2.0.42-1 | quindecim
-- ✅ Added `meganerd` resolver (Non-logging, non-filtering, supports DNSSEC by MegaNerd.nl).
-- ✅ Enabled `whitelist.txt` file (as placeholder, once the blacklist goes public).
-- ✅ Optimized relays based on geolocation.
-- ⛔️ Disabled `IPv6` in `post-fs-data.sh` file (to enforce leaks prevention in some cases).
-- ⛔️ Removed `dnscrypt.nl-ns0` resolver and related relays.
-- ⛔️ Removed `dnscrypt.one` resolver and related relays.
-- ⛔️ Removed `ffmuc.net` resolver and related relays.
-- ⛔️ Removed `publicarray-au2` resolver and related relays.
-- ℹ️ Moved all the example documents into `dnscrypt-proxy/example-docs` folder (the remaining example documents must be deleted manually).
-
-
-## 2.0.42
-
-##### Updated binary files to 2.0.42 | jedisct1
-- The current versions of the `dnsdist` load balancer (presumably used
-by quad9, cleanbrowsing, qualityology, freetsa.org, ffmuc.net,
-opennic-bongobow, sth-dnscrypt-se, ams-dnscrypt-nl and more)
-is preventing queries over 1500 bytes from being received over UDP.
-Temporary workarounds have been introduced to improve reliability
-with these resolvers for regular DNSCrypt. Unfortunately, anonymized
-DNS cannot be reliable until the issue is fixed server-side. `dnsdist`
-authors are aware of it and are working on a fix.
-- New option in the `[anonymized_dns]` section: `skip_incompatible`,
-to ignore resolvers incompatible with Anonymized DNS instead of
-using them without a relay.
-- The server latency benchmark is faster while being able to perform
-more retries if necessary.
-- Continuous integration has been moved to GitHub Actions.
-
-##### Updated config files to 2.0.42 | quindecim
-- ✅ Enabled `skip_incompatible` option to ignore servers incompatible with anonymization
-
-
-## 2.0.41
-
-##### Updated binary files to 2.0.41 | jedisct1
-- Precompiled binaries for armv5, armv6 and armv7 are available.
-The default arm builds were not compatible with older CPUs when
-compiled with Go 1.14. mips64 binaries are explicitly compiled with
-softfloat to improve compatibility.
-- Quad9 seems to be only blocking fragmented queries over UDP for
-some networks. They have been removed from the default list of broken
-resolvers; runtime detection of support for fragments should now do
-the job.
-- Runtime detection of support for fragments was actually enabled.
-
-##### Updated config files to 2.0.41 | quindecim
-- 
-
-
-## 2.0.40
-
-##### Updated binary files to 2.0.40 | jedisct1
-- Servers blocking fragmented queries are now automatically detected.
-- The server name is now only present in query logs when an actual upstream servers was required to resolve a query.
-- TLS client authentication has been added for DoH.
-- The Firefox plugin is now skipped for connections coming from the local DoH server.
-- DoH RTT computation is now more accurate, especially when CDNs are in the middle.
-- The forwarding plugin is now more reliable, and handles retries over TCP.
-
-##### Updated config files to 2.0.40 | quindecim
-- 
-
-
-## 2.0.39-2
-
-##### Updated binary files to 2.0.39 | jedisct1
-- 
-
-##### Updated config files to 2.0.39-2 | quindecim
-- ⛔️ Removed `blacklist.txt` file *(too many false positives, will be added back in the future, when it reaches a more stable level)*.
-
-
-## 2.0.39-1
-
-##### Updated binary files to 2.0.39 | jedisct1
-- 
-
-##### Updated config files to 2.0.39-1 | quindecim
-- ✅ Implemented automatic redirection. No more third-party apps are required to start it.
-- ✅ Introduced substrings and wildcards into `blacklist.txt` file and updated to `2020-03-19`.
-- ⛔️ Removed `ibksturm` resolver and related relays.
-- ⛔️ Removed `dnswarden-dc1`, `dnswarden-dc2`, `dnswarden-dc3`, resolvers and related relays.
-
-
-## 2.0.39
-
-##### Updated binary files to 2.0.39 | jedisct1
-- The Firefox Local DoH service didn't properly work in version 2.0.38; 
-this has been fixed. Thanks to Simon Brand for the report!
-
-##### Updated config files to 2.0.39 | quindecim
-- ✅ Added `dnswarden-dc3` (DnsCrypt protocol . Non-logging, supports DNSSEC. By https://dnswarden.com).
-- ✅ Updated `Magisk Module Installer template`. It require `Magisk 19+` from now on.
-- ✅ Fixed an issue where `dnscrypt-proxy` doesn't detect the config file.
-- ✅ Updated `blacklist.txt` to `2020-01-30`.
-
-
-## 2.0.38
-
-##### Updated binary files to 2.0.38 | jedisct1
-- Entries from lists (forwarding, blacklists, whitelists) now support
-inline comments.
-- Reliability improvement: queries over UDP are retried after a timeout
-instead of solely relying on the client.
-- Reliability improvement: during temporary network outages, cached records
-are now served even if they are stale.
-- Bug fix: SOCKS proxies and DNS relays can be combined.
-- New feature: multiple fallback resolvers are now supported (see the
-new `fallback_resolvers` option. Note that `fallback_resolver` is
-still supported for backward compatibility).
-- Windows: the service can be installed with a configuration file
-stored separately from the application.
-- Security (affecting DoH): precompiled binaries of `dnscrypt-proxy 2.0.37` are
-built using `Go 1.13.7` that fixes a TLS certificate parsing issue present in
-previous versions of the compiler.
-
-##### Updated config files to 2.0.38 | quindecim
-- ✅ Added `dnswarden-dc3` (DnsCrypt protocol . Non-logging, supports DNSSEC. By https://dnswarden.com).
-- ✅ Updated `Magisk Module Installer template`. It require `Magisk 19+` from now on.
-- ✅ Fixed an issue where `dnscrypt-proxy` doesn't detect the config file.
-- ✅ Updated `blacklist.txt` to `2020-01-30`.
-
-
-## 2.0.36
-
-##### Updated binary files to 2.0.36 | jedisct1
-- New option: `block_undelegated`. When enabled, `dnscrypt-proxy` will
-directly respond to queries for locally-served zones (https://sk.tl/2QqB971U)
-and nonexistent zones that should have been kept local, but are frequently
-leaked. This reduces latency and improves privacy.
-- Conformance: the `DO` bit is now set in synthetic responses if it was
-set in a question, and the `AD` bit is cleared.
-- The `miegkg/dns` module was updated to version 1.1.26, that fixes a
-security issue affecting non-encrypted/non-authenticated DNS traffic. In
-`dnscrypt-proxy`, this only affects the forwarding feature.
-
-##### Updated config files to 2.0.36 | quindecim
-- ✅ Added `dnscrypt.one` resolver (DNSSEC / no logs / uncensored, Germany (Nuremberg), https://dnscrypt.one/)
-- ✅ Optimized relays based on geolocation
-- ✅ Updated `blacklist.txt` to `2019-12-22`
-
-
-## 2.0.35
-
-##### Updated binary files to 2.0.35 | jedisct1
-- New option: `block_unqualified` to block `A`/`AAAA` queries with
-unqualified host names. These will very rarely get an answer from upstream
-resolvers, but can leak private information to these, as well as to root
-servers.
-- When a `CNAME` pointer is blocked, the original query name is now logged
-along with the pointer. This makes it easier to know what the original
-query name, so it can be whitelisted, or what the pointer was, so it
-can be removed from the blacklist.
-
-##### Updated config files to 2.0.35 | quindecim
-- ✅ Added `scaleway-ams` resolver (DNSSEC/Non-logged/Uncensored in Amsterdam- ARM server donated by Scaleway.com)
-Maintained by Frank Denis- https://fr.dnscrypt.info)
-- ✅ Added `ffmuc.net` resolver
-(An open DNSCrypt resolver operated by Freifunk Munich with nodes in DE.
-https://ffmuc.net/)
-- ✅ Fixed backup an existing `.toml` file before proceed with the installation
-- ✅ Optimized relays based on geolocation
-- ✅ Updated `blacklist.txt` to `2019-12-09`
-
-
-## 2.0.34
-
-##### Updated binary files to 2.0.34 | jedisct1
-- Blacklisted names are now also blocked if they appear in `CNAME`
-pointers.
-- `dnscrypt-proxy` can now act as a local DoH *server*. Firefox can
-be configured to use it, so that ESNI can be enabled without bypassing
-your DNS proxy.
-
-##### Updated config files to 2.0.34 | quindecim
-- ✅ Added `ibksturm`- dnscrypt-server (nginx- encrypted-dns- unbound backend), DNSSEC / Non-Logged / Uncensored, OpenNIC and Root DNS-Zone- Hosted in Switzerland by ibksturm, aka Andreas Ziegler)
-- ✅ Enabled `blacklist.txt` file to prevent `CNAME Cloaking` tracking feature
-- ✅ Optimized relays based on geolocation
-- ⛔️ Removed `charis` and `suami` resolvers and their relays
-
-
-## 2.0.33
-
-##### Updated binary files to 2.0.33 | jedisct1
-- Fixes an issue that caused some valid queries to return `PARSE_ERROR`.
-- On certificate errors, the server name is now logged instead of the
-provider name, which is generally more useful.
-- IP addresses for DoH servers that require DNS lookups are now cached
-for at least 12 hours.
-- `ignore_system_dns` is now set to `true` by default.
-- A workaround for a bug in Cisco servers has been implemented.
-- A corrupted or incomplete resolvers list is now ignored, keeping the
-last good known cached list until the next update. In addition, logging was
-improved and unit tests were also added. Awesome contribution from William
-Elwood, thanks!
-- On Windows, the network probe immediately returned instead of blocking
-if `netprobe_timeout` was set to `-1`. This has been fixed.
-- Expired cached IP addresses now have a grace period, to avoid breaking the
-service if they temporarily can't be refreshed.
-- On Windows, the service now returns immediately, solving a long-standing
-issue when initialization took more than 30 seconds ("The service did not
-respond to the start or control request in a timely fashion"). Fantastic
-work by Alison Winters, thanks!
-- The `SERVER_ERROR` error code has been split into two new error codes:
-`NETWORK_ERROR` (self-explanatory) and `SERVFAIL` (a response was returned,
-but it includes a `SERVFAIL` error code).
-- Responses are now always compressed.
-
-##### Updated config files to 2.0.33 | quindecim
-- ✅ Added `v.dnscrypt.uk-ipv4`- DNSCrypt v2, no logs, uncensored, DNSSEC. Hosted in London UK on Vultr- https://www.dnscrypt.uk
-- ✅ Optimized relays based on geolocation and set to use other providers different from the main one 
-
-
-## 2.0.31
-
-##### Updated binary files to 2.0.31 | jedisct1
-- This version fixes a startup issue introduced in version 2.0.29, on systems for which the service cannot be automatically installed (such as OpenBSD and FreeBSD). Reported by @5ch17 and Vinícius Zavam, and fixed by Will Elwood, thanks!
-- This version fixes two regressions introduced in version 2.0.29: DoH server couldn't be reached over IPv6 any more, and the proxy couldn't be interrupted while servers were being benchmarked.
-
-##### Updated config files to 2.0.31 | quindecim
-- ℹ️ Changed the way to backup an existing .toml file. The old configuration is now backed up with `year-month-day-hour-minute.bak` suffix (thanks to @lindroidux)
-
-
-## 2.0.29
-
-##### Updated binary files to 2.0.29 | jedisct1
-- Support for Anonymized DNS has been added!
-- Wait before stopping, fixing an issue with Unbound (thanks to Vladimir Bauer)
-- DNS stamps are now included in the `-list-all-json` ouptut
-- The `netprobe_timeout` setting from the configuration file or command-line was ignored. This has been fixed.
-- The TTL or cloaked entries can now be adjusted (thanks to Markus Linnala)
-- Cached IP address from DoH servers now expire (thanks to Markus Linnala)
-- DNSCrypt certificates can be fetched over Tor and SOCKS proxies
-- Retries over TCP are faster
-- Improved logging (thanks to Alison Winters)
-- Ignore non-TXT records in certificate responses (thanks to Vladimir Bauer)
-- A lot of internal cleanups, thanks to Markus Linnala
-
-##### Updated config files to 2.0.29 | quindecim
-- ✅ Enabled `anonymized_dns` feature *(each resolver has 2 relays)*
-- ✅ Added `scaleway-fr` resolver *(DNSSEC/Non-logging/Uncensored- Maintained by Frank Denis- https://fr.dnscrypt.info)*
-- ✅ Added `publicarray-au` resolver Australia, *(DNSSEC/OpenNIC/Non-logging/Uncensored- hosted on vultr.com maintained by publicarray- https://dns.seby.io)*
-- ✅ Added `publicarray-au2` resolver Australia, *(DNSSEC/OpenNIC/Non-logging/Uncensored- hosted on ovh.com.au maintained by publicarray- https://dns.seby.io)*
-- ✅ Optimized relays based on geolocation
-
-
-## 2.0.29-beta.3
-
-##### Updated binary files to 2.0.29-beta.3 | jedisct1
-- Support for Anonymized DNSCrypt has been added.
-- Latency with large responses has actually been reduced.
-- DNSCrypt certificates can now be retrieved over Tor, proxies, and DNS relays.
-- Improved server error reporting (thanks to Alison Winters)
-- Quite a lot of internal improvements and bug fixes have been made, thanks to Markus Linnala.
-- Improved logging
-- Added a workaround for DNS servers using a non-standard provider name.
-
-##### Updated config files to 2.0.29-beta.3 | quindecim
-- ✅ Enabled `anonymized_dns` feature *(each resolver has 2 relays)*
-- ✅ Added `scaleway-fr` resolver *(DNSSEC/Non-logged/Uncensored- Maintained by Frank Denis- https://fr.dnscrypt.info)*
-
-
-## 2.0.28
-
-##### Updated binary files to 2.0.28 | jedisct1
-- Invalid server entries are now skipped instead of preventing a source from being used. Thanks to Alison Winters for the contribution!
-- Truncated responses are immediately retried over TCP instead of waiting for the client to retry. This reduces the latency for large responses.
-- Responses sent to the local network are assumed to support at least 1252 bytes packets, and use optional information from EDNS up to 4096 bytes. This also reduces latency.
-- Logging improvements: servers are not logged for cached, synthetic and cloaked responses. And the forwarder is logged instead of the regular server for forwarded responses.
-
-
-## 2.0.27
-
-##### Updated binary files to 2.0.27 | jedisct1
-- The X25519 implementation was changed from using the Go standard implementation to using Cloudflare's CIRCL library. Unfortunately, CIRCL appears to be broken on big-endian systems. That change has been reverted.
-- All the dependencies have been updated.
-
-
-##### New maintainer | quindecim
-
-
-##### Updated config files to 2.0.27 | quindecim
-
-
------
-
-
-###### v2.8.7 | bluemeda
-- Changed path of configuration file [dnscrypt.toml] from /system/etc/ to /data/media/0/ [or /sdcard]
-- Updated binary & configuration files to 2.0.25
-- Removed automatic redirection of dns-request and let dnscrypt-proxy do its job only.
-
-
-###### v2.8.5 | bluemeda
-- Fix #40
-
-
-###### v2.8.4 | bluemeda
-- Fix failed to copy or backup config file
-
-
-###### v2.8.3 | bluemeda
-- Fix permission issue
-- Add option to replace or backup-restore config file
-
-
-###### v2.8.2 | bluemeda
-- Fix "binary file is missing"
-
-
-###### v2.8.1 | bluemeda
-- Update Magisk 18100 requirements
-
-
-###### v2.8.0 | bluemeda
-- Update binary files 2.0.22
-
-
-###### v2.7.0 | bluemeda
-- Update binary files 2.0.21
-
-
-###### v2.6.0 | bluemeda
-- Update binary files to 2.0.19
-
-
-###### v2.5.0 | bluemeda
-- Update binary files to 2.0.16
-- add exception for cloudflare fallback resolver.
-
-
-###### v2.4.0 | bluemeda
-- Update binary files to 2.0.14
-
-
-###### v2.3.0 | bluemeda
-- Update binary files to 2.0.10
-- Add option to choose auto redirect DNS or manually set with 3rd-party app.
-
-
-###### v2.2.0 | bluemeda
-- Update binary files to 2.0.8
-
-
-###### v2.1.3 | bluemeda
-- If you have previous version, please uninstall it first then reinstall it again or you can change listen port manually in dnscrypt-proxy.toml file.
-- Fix Tethering Client cannot Resolve DNSCrypt
-- Fix Chromecast devices not showing jedisct1/dnscrypt-proxy#226
-- Add binary files for x86 and x86_64 (test)
-
-
-###### v2.1.2 | bluemeda
-- Bug Fixes
-
-
-###### v2.1.1 | bluemeda
-- Bug fixes
-
-
-###### v2.1 | bluemeda
-- Bug fixes
-
-
-###### v2.0 | bluemeda
-- Resolve download.dnscrypt.info first before executing iptable
-- Don't override dnscrypt-proxy.toml if exist
-- Update binary files to v2.0.6
-
-
-###### v1.1 | bluemeda
-- Change listen port to 5353 (avoid conflict while tethering)
-
-###### v1.0 | blueme
-da
-- Initial release
-- dnscrypt-proxy v2.0.5
-

config/LICENSE

@@ -1,18 +1,15 @@
-/*
- * ISC License
- *
- * Copyright (c) 2018-2020
- * Frank Denis <j at pureftpd dot org>
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
+ISC License
+
+Copyright (c) 2018-2023, Frank Denis <j at pureftpd dot org>
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.

config/allowed-ips.txt

@@ -0,0 +1,17 @@
+
+##############################
+#        IP allowlist        #
+##############################
+
+## Author      : d3cim  : https://github.com/d3cim
+##                        https://git.nixnet.services/d3cim
+##
+## License     : GPLv3  : https://github.com/d3cim/block/blob/master/LICENSE.md
+##
+##
+## DO NOT DELETE THIS FILE !!
+##
+## This file is required by dnscrypt-proxy to work properly, you can use it to filter your content on the web, otherwise forget about it.
+##
+## More info at: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters
+##               https://github.com/d3cim/block

config/allowed-names.txt

@@ -0,0 +1,17 @@
+
+###########################
+#        Allowlist        #
+###########################
+
+## Author      : d3cim  : https://github.com/d3cim
+##                        https://git.nixnet.services/d3cim
+##
+## License     : GPLv3  : https://github.com/d3cim/block/blob/master/LICENSE.md
+##
+##
+## DO NOT DELETE THIS FILE !!
+##
+## This file is required by dnscrypt-proxy to work properly, you can use it to filter your content on the web, otherwise forget about it.
+##
+## More info at: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters
+##               https://github.com/d3cim/block

config/blacklist.txt

@@ -1,12 +0,0 @@
-
-###########################
-#        Blacklist        #
-###########################
-
-## Author    : quindecim   : https://git.nixnet.xyz/quindecim
-##                           https://git.lushka.al/quindecim   | MIRROR
-##                           https://git.lelux.fi/quindecim    | MIRROR
-##
-##
-## This is just a placeholder for who want to use a blacklist file.
-

config/blocked-ips.txt

@@ -0,0 +1,43 @@
+
+##############################
+#        IP blocklist        #
+##############################
+
+## Author      : d3cim     : https://github.com/d3cim
+##                           https://git.nixnet.services/d3cim
+##
+## Based on    : DNSCrypt  : Rebind Protection  : https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters#dns-rebind-protection
+##
+## License     : GPLv3     : https://github.com/d3cim/block/blob/master/LICENSE.md
+##
+##
+## DO NOT DELETE THIS FILE !!
+##
+## This file is required by dnscrypt-proxy to work properly, you can use it to filter your content on the web, otherwise forget about it.
+##
+## More info at: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters
+##               https://github.com/d3cim/block
+
+# Blocklist from [https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters#dns-rebinding-protection]
+# Localhost rebind protection
+0.0.0.0
+127.0.0.*
+# RFC1918 rebind protection
+10.*
+172.16.*
+172.17.*
+172.18.*
+172.19.*
+172.20.*
+172.21.*
+172.22.*
+172.23.*
+172.24.*
+172.25.*
+172.26.*
+172.27.*
+172.28.*
+172.29.*
+172.30.*
+172.31.*
+192.168.*

config/blocked-names.txt

@@ -0,0 +1,17 @@
+
+###########################
+#        Blocklist        #
+###########################
+
+## Author      : d3cim  : https://github.com/d3cim
+##                        https://git.nixnet.services/d3cim
+##
+## License     : GPLv3  : https://github.com/d3cim/block/blob/master/LICENSE.md
+##
+##
+## DO NOT DELETE THIS FILE !!
+##
+## This file is required by dnscrypt-proxy to work properly, you can use it to filter your content on the web, otherwise forget about it.
+##
+## More info at: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters
+##               https://github.com/d3cim/block

config/dnscrypt-proxy.toml

@@ -29,12 +29,15 @@
 ##
 ## Remove the leading # first to enable this; lines starting with # are ignored.
 
-server_names = ['dnscrypt.eu-dk', 'dnscrypt.eu-nl', 'dnscrypt.uk-ipv4', 'meganerd', 'publicarray-au', 'scaleway-ams', 'scaleway-fr', 'v.dnscrypt.uk-ipv4']
+server_names = ['ams-dnscrypt-nl', 'd0wn-tz-ns1', 'dct-nl', 'dct-ru', 'dnscrypt.be', 'dnscrypt.pl', 'dnscrypt.uk-ipv4', 'dnswarden-uncensor-dc-swiss', 'meganerd', 'openinternet', 'plan9dns-fl', 'plan9dns-mx', 'plan9dns-nj', 'pryv8boi', 'sby-limotelu', 'scaleway-ams', 'scaleway-fr', 'serbica', 'techsaviours.org-dnscrypt', 'v.dnscrypt.uk-ipv4']
 
 
 ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
 ## Example with both IPv4 and IPv6:
 ## listen_addresses = ['127.0.0.1:53', '[::1]:53']
+##
+## To listen to all IPv4 addresses, use `listen_addresses = ['0.0.0.0:53']`
+## To listen to all IPv4+IPv6 addresses, use `listen_addresses = ['[::]:53']`
 
 listen_addresses = ['127.0.0.1:5354']
 
@@ -52,7 +55,7 @@ max_clients = 250
 # user_name = 'nobody'
 
 
-## Require servers (from static + remote sources) to satisfy specific properties
+## Require servers (from remote sources) to satisfy specific properties
 
 # Use servers reachable over IPv4
 ipv4_servers = true
@@ -66,6 +69,9 @@ dnscrypt_servers = true
 # Use servers implementing the DNS-over-HTTPS protocol
 doh_servers = false
 
+# Use servers implementing the Oblivious DoH protocol
+odoh_servers = false
+
 
 ## Require servers defined by remote sources to satisfy specific properties
 
@@ -75,7 +81,7 @@ require_dnssec = true
 # Server must not log user queries (declarative)
 require_nolog = true
 
-# Server must not enforce its own blacklist (for parental control, ads blocking...)
+# Server must not enforce its own blocklist (for parental control, ads blocking...)
 require_nofilter = true
 
 # Server names to avoid even if they match all criteria
@@ -88,7 +94,14 @@ disabled_server_names = []
 ## (dnscrypt-proxy will always encrypt everything even using UDP), and can
 ## only increase latency.
 
-force_tcp = false
+force_tcp = true
+
+
+## Enable *experimental* support for HTTP/3 (DoH3, HTTP over QUIC)
+## Note that, like DNSCrypt but unlike other HTTP versions, this uses
+## UDP and (usually) port 443 instead of TCP.
+
+http3 = false
 
 
 ## SOCKS proxy
@@ -109,35 +122,46 @@ force_tcp = false
 ## increase this. Startup may be slower if you do so.
 ## Don't increase it too much. 10000 is the highest reasonable value.
 
-timeout = 1500
+timeout = 1000
 
 
-## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds
+## Keepalive for HTTP (HTTPS, HTTP/2, HTTP/3) queries, in seconds
 
 keepalive = 30
 
 
-## Response for blocked queries.  Options are `refused`, `hinfo` (default) or
-## an IP response.  To give an IP response, use the format `a:<IPv4>,aaaa:<IPv6>`.
+## Add EDNS-client-subnet information to outgoing queries
+##
+## Multiple networks can be listed; they will be randomly chosen.
+## These networks don't have to match your actual networks.
+
+# edns_client_subnet = ['0.0.0.0/0', '2001:db8::/32']
+
+
+## Response for blocked queries. Options are `refused`, `hinfo` (default) or
+## an IP response. To give an IP response, use the format `a:<IPv4>,aaaa:<IPv6>`.
 ## Using the `hinfo` option means that some responses will be lies.
 ## Unfortunately, the `hinfo` option appears to be required for Android 8+
 
 blocked_query_response = 'refused'
 
 
-## Load-balancing strategy: 'p2' (default), 'ph', 'first' or 'random'
+## Load-balancing strategy: 'p2' (default), 'ph', 'p<n>', 'first' or 'random'
+## Randomly choose 1 of the fastest 2, half, n, 1 or all live servers by latency.
+## The response quality still depends on the server itself.
 
 # lb_strategy = 'p2'
 
 ## Set to `true` to constantly try to estimate the latency of all the resolvers
 ## and adjust the load-balancing parameters accordingly, or to `false` to disable.
+## Default is `true` that makes 'p2' `lb_strategy` work well.
 
 # lb_estimator = true
 
 
 ## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)
 
-# log_level = 2
+# log_level = 0
 
 
 ## Log file for the application, as an alternative to sending logs to
@@ -164,6 +188,13 @@ blocked_query_response = 'refused'
 cert_refresh_delay = 240
 
 
+## Initially don't check DNSCrypt server certificates for expiration, and
+## only start checking them after a first successful connection to a resolver.
+## This can be useful on routers with no battery-backed clock.
+
+# cert_ignore_timestamp = false
+
+
 ## DNSCrypt: Create a new, unique key for every single DNS query
 ## This may improve privacy but can also have a significant impact on CPU usage
 ## Only enable if you don't have a lot of network load
@@ -176,44 +207,74 @@ dnscrypt_ephemeral_keys = true
 # tls_disable_session_tickets = false
 
 
-## DoH: Use a specific cipher suite instead of the server preference
+## DoH: Use TLS 1.2 and specific cipher suite instead of the server preference
 ## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 ## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 ## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
 ## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
-##  4865 = TLS_AES_128_GCM_SHA256
-##  4867 = TLS_CHACHA20_POLY1305_SHA256
 ##
 ## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
 ## the following suite improves performance.
 ## This may also help on Intel CPUs running 32-bit operating systems.
 ##
 ## Keep tls_cipher_suite empty if you have issues fetching sources or
-## connecting to some DoH servers. Google and Cloudflare are fine with it.
+## connecting to some DoH servers.
 
 # tls_cipher_suite = [52392, 49199]
 
 
-## Fallback resolvers
-## These are normal, non-encrypted DNS resolvers, that will be only used
-## for one-shot queries when retrieving the initial resolvers list, and
-## only if the system DNS configuration doesn't work.
-## No user application queries will ever be leaked through these resolvers,
-## and they will not be used after IP addresses of resolvers URLs have been found.
-## They will never be used if lists have already been cached, and if stamps
-## don't include host names without IP addresses.
-## They will not be used if the configured system DNS works.
-## Resolvers supporting DNSSEC are recommended.
+## Log TLS key material to a file, for debugging purposes only.
+## This file will contain the TLS master key, which can be used to decrypt
+## all TLS traffic to/from DoH servers.
+## Never ever enable except for debugging purposes with a tool such as mitmproxy.
+
+# tls_key_log_file = '/tmp/keylog.txt'
+
+
+## Bootstrap resolvers
 ##
-## People in China may need to use 114.114.114.114:53 here.
-## Other popular options include 8.8.8.8 and 1.1.1.1.
+## These are normal, non-encrypted DNS resolvers, that will be only used
+## for one-shot queries when retrieving the initial resolvers list and if
+## the system DNS configuration doesn't work.
+##
+## No user queries will ever be leaked through these resolvers, and they will
+## not be used after IP addresses of DoH resolvers have been found (if you are
+## using DoH).
+##
+## They will never be used if lists have already been cached, and if the stamps
+## of the configured servers already include IP addresses (which is the case for
+## most of DoH servers, and for all DNSCrypt servers and relays).
+##
+## They will not be used if the configured system DNS works, or after the
+## proxy already has at least one usable secure resolver.
+##
+## Resolvers supporting DNSSEC are recommended, and, if you are using
+## DoH, bootstrap resolvers should ideally be operated by a different entity
+## than the DoH servers you will be using, especially if you have IPv6 enabled.
+##
+## People in China may want to use 114.114.114.114:53 here.
+## Other popular options include 8.8.8.8, 9.9.9.9 and 1.1.1.1.
 ##
 ## If more than one resolver is specified, they will be tried in sequence.
+##
+## TL;DR: put valid standard resolver addresses here. Your actual queries will
+## not be sent there. If you're using DNSCrypt or Anonymized DNS and your
+## lists are up to date, these resolvers will not even be used.
 
-fallback_resolvers = ['91.239.100.100:53', '93.177.65.183:853', '198.251.90.114:53']
+bootstrap_resolvers = ['45.11.45.11:53']
 
 
-## Always use the fallback resolver before the system DNS settings.
+## When internal DNS resolution is required, for example to retrieve
+## the resolvers list:
+##
+## - queries will be sent to dnscrypt-proxy itself, if it is already
+##   running with active servers (*)
+## - or else, queries will be sent to fallback servers
+## - finally, if `ignore_system_dns` is `false`, queries will be sent
+##   to the system DNS
+##
+## (*) this is incompatible with systemd sockets.
+## `listen_addrs` must not be empty.
 
 ignore_system_dns = true
 
@@ -236,7 +297,7 @@ netprobe_timeout = -1
 ## On other operating systems, the connection will be initialized
 ## but nothing will be sent at all.
 
-netprobe_address = '91.239.100.100:53'
+netprobe_address = '45.11.45.11:53'
 
 
 ## Offline mode - Do not use any remote encrypted servers.
@@ -253,7 +314,7 @@ netprobe_address = '91.239.100.100:53'
 ## encrypted-dns-server can be configured to use this for access control
 ## in the [access_control] section
 
-# query_meta = ["key1:value1", "key2:value2", "token:MySecretToken"]
+# query_meta = ['key1:value1', 'key2:value2', 'token:MySecretToken']
 
 
 ## Automatic log files rotation
@@ -275,7 +336,7 @@ log_files_max_backups = 1
 
 ## Note: if you are using dnsmasq, disable the `dnssec` option in dnsmasq if you
 ## configure dnscrypt-proxy to do any kind of filtering (including the filters
-## below and blacklists).
+## below and blocklists).
 ## You can still choose resolvers that do DNSSEC validation.
 
 
@@ -287,6 +348,7 @@ block_ipv6 = true
 
 
 ## Immediately respond to A and AAAA queries for host names without a domain name
+## This also prevents "dotless domain names" from being resolved upstream.
 
 block_unqualified = true
 
@@ -298,9 +360,9 @@ block_undelegated = true
 
 
 ## TTL for synthetic responses sent when a request has been blocked (due to
-## IPv6 or blacklists).
+## IPv6 or blocklists).
 
-reject_ttl = 600
+reject_ttl = 10
 
 
 
@@ -321,6 +383,8 @@ reject_ttl = 600
 ## Cloaking returns a predefined address for a specific name.
 ## In addition to acting as a HOSTS file, it can also return the IP address
 ## of a different name. It will also do CNAME flattening.
+## If 'cloak_ptr' is set, then PTR (reverse lookups) are enabled
+## for cloaking rules that do not contain wild cards.
 ##
 ## See the `example-cloaking-rules.txt` file for an example
 
@@ -329,6 +393,8 @@ reject_ttl = 600
 ## TTL used when serving entries in cloaking-rules.txt
 
 # cloak_ttl = 600
+# cloak_ptr = false
+
 
 
 ###########################
@@ -366,6 +432,20 @@ cache_neg_max_ttl = 600
 
 
 
+########################################
+#        Captive portal handling       #
+########################################
+
+[captive_portals]
+
+## A file that contains a set of names used by operating systems to
+## check for connectivity and captive portals, along with hard-coded
+## IP addresses to return.
+
+# map_file = 'example-captive-portals.txt'
+
+
+
 ##################################
 #        Local DoH server        #
 ##################################
@@ -386,14 +466,17 @@ cache_neg_max_ttl = 600
 ## For each `listen_address` the complete URL to access the server will be:
 ## `https://<listen_address><path>` (ex: `https://127.0.0.1/dns-query`)
 
-# path = "/dns-query"
+# path = '/dns-query'
 
 
 ## Certificate file and key - Note that the certificate has to be trusted.
+## Can be generated using the following commands:
+## openssl genpkey -genparam -algorithm ec -pkeyopt ec_paramgen_curve:P-256 -out ECPARAM.pem
+## openssl req -x509 -nodes -newkey ec:ECPARAM.pem -subj "/C=XZ/L=own PC/O=localhost/CN=localhost/" -days 5000 -sha256 -keyout localhost.pem -out localhost.pem
 ## See the documentation (wiki) for more information.
 
-# cert_file = "localhost.pem"
-# cert_key_file = "localhost.pem"
+# cert_file = 'localhost.pem'
+# cert_key_file = 'localhost.pem'
 
 
 
@@ -405,20 +488,20 @@ cache_neg_max_ttl = 600
 
 [query_log]
 
-  ## Path to the query log file (absolute, or relative to the same directory as the config file)
-  ## On non-Windows systems, can be /dev/stdout to log to the standard output (also set log_files_max_size to 0)
+## Path to the query log file (absolute, or relative to the same directory as the config file)
+## Can be set to /dev/stdout in order to log to the standard output.
 
-  # file = 'query.log'
+# file = 'query.log'
 
 
-  ## Query log format (currently supported: tsv and ltsv)
+## Query log format (currently supported: tsv and ltsv)
 
-  format = 'tsv'
+format = 'tsv'
 
 
-  ## Do not log these query types, to reduce verbosity. Keep empty to log everything.
+## Do not log these query types, to reduce verbosity. Keep empty to log everything.
 
-  # ignored_qtypes = ['DNSKEY', 'NS']
+# ignored_qtypes = ['DNSKEY', 'NS']
 
 
 
@@ -432,22 +515,22 @@ cache_neg_max_ttl = 600
 
 [nx_log]
 
-  ## Path to the query log file (absolute, or relative to the same directory as the config file)
+## Path to the query log file (absolute, or relative to the same directory as the config file)
 
-  # file = 'nx.log'
+# file = 'nx.log'
 
 
-  ## Query log format (currently supported: tsv and ltsv)
+## Query log format (currently supported: tsv and ltsv)
 
-  format = 'tsv'
+format = 'tsv'
 
 
 
 ######################################################
-#        Pattern-based blocking (blacklists)        #
+#        Pattern-based blocking (blocklists)         #
 ######################################################
 
-## Blacklists are made of one pattern per line. Example of valid patterns:
+## Blocklists are made of one pattern per line. Example of valid patterns:
 ##
 ##   example.com
 ##   =example.com
@@ -456,81 +539,108 @@ cache_neg_max_ttl = 600
 ##   ads*.example.*
 ##   ads*.example[0-9]*.com
 ##
-## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
-## A script to build blacklists from public feeds can be found in the
-## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.
+## Example blocklist files can be found at https://download.dnscrypt.info/blocklists/
+## A script to build blocklists from public feeds can be found in the
+## `utils/generate-domains-blocklists` directory of the dnscrypt-proxy source code.
 
-[blacklist]
+[blocked_names]
 
-  ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
+## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
 
-  blacklist_file = 'blacklist.txt'
+blocked_names_file = 'blocked-names.txt'
 
 
-  ## Optional path to a file logging blocked queries
+## Optional path to a file logging blocked queries
 
-  # log_file = 'blocked.log'
+# log_file = 'blocked-names.log'
 
 
-  ## Optional log format: tsv or ltsv (default: tsv)
+## Optional log format: tsv or ltsv (default: tsv)
 
-  # log_format = 'tsv'
+# log_format = 'tsv'
 
 
 
 ###########################################################
-#        Pattern-based IP blocking (IP blacklists)        #
+#        Pattern-based IP blocking (IP blocklists)        #
 ###########################################################
 
-## IP blacklists are made of one pattern per line. Example of valid patterns:
+## IP blocklists are made of one pattern per line. Example of valid patterns:
 ##
 ##   127.*
 ##   fe80:abcd:*
 ##   192.168.1.4
 
-[ip_blacklist]
+[blocked_ips]
 
-  ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
+## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
 
-  # blacklist_file = 'ip-blacklist.txt'
+blocked_ips_file = 'blocked-ips.txt'
 
 
-  ## Optional path to a file logging blocked queries
+## Optional path to a file logging blocked queries
 
-  # log_file = 'ip-blocked.log'
+# log_file = 'blocked-ips.log'
 
 
-  ## Optional log format: tsv or ltsv (default: tsv)
+## Optional log format: tsv or ltsv (default: tsv)
 
-  # log_format = 'tsv'
+# log_format = 'tsv'
 
 
 
 ######################################################
-#   Pattern-based whitelisting (blacklists bypass)   #
+#   Pattern-based allow lists (blocklists bypass)    #
 ######################################################
 
-## Whitelists support the same patterns as blacklists
-## If a name matches a whitelist entry, the corresponding session
+## Allowlists support the same patterns as blocklists
+## If a name matches an allowlist entry, the corresponding session
 ## will bypass names and IP filters.
 ##
 ## Time-based rules are also supported to make some websites only accessible at specific times of the day.
 
-[whitelist]
+[allowed_names]
 
-  ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the config file)
+## Path to the file of allow list rules (absolute, or relative to the same directory as the config file)
 
-  whitelist_file = 'whitelist.txt'
+allowed_names_file = 'allowed-names.txt'
 
 
-  ## Optional path to a file logging whitelisted queries
+## Optional path to a file logging allowed queries
 
-  # log_file = 'whitelisted.log'
+# log_file = 'allowed-names.log'
 
 
-  ## Optional log format: tsv or ltsv (default: tsv)
+## Optional log format: tsv or ltsv (default: tsv)
 
-  # log_format = 'tsv'
+# log_format = 'tsv'
+
+
+
+#########################################################
+#   Pattern-based allowed IPs lists (blocklists bypass) #
+#########################################################
+
+## Allowed IP lists support the same patterns as IP blocklists
+## If an IP response matches an allowed entry, the corresponding session
+## will bypass IP filters.
+##
+## Time-based rules are also supported to make some websites only accessible at specific times of the day.
+
+[allowed_ips]
+
+## Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file)
+
+allowed_ips_file = 'allowed-ips.txt'
+
+
+## Optional path to a file logging allowed queries
+
+# log_file = 'allowed-ips.log'
+
+## Optional log format: tsv or ltsv (default: tsv)
+
+# log_format = 'tsv'
 
 
 
@@ -539,10 +649,10 @@ cache_neg_max_ttl = 600
 ##########################################
 
 ## One or more weekly schedules can be defined here.
-## Patterns in the name-based blocklist can optionally be followed with @schedule_name
+## Patterns in the name-based blocked_names file can optionally be followed with @schedule_name
 ## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
 ##
-## For example, the following rule in a blacklist file:
+## For example, the following rule in a blocklist file:
 ## *.youtube.* @time-to-sleep
 ## would block access to YouTube during the times defined by the 'time-to-sleep' schedule.
 ##
@@ -551,21 +661,21 @@ cache_neg_max_ttl = 600
 
 [schedules]
 
-  # [schedules.'time-to-sleep']
-  # mon = [{after='21:00', before='7:00'}]
-  # tue = [{after='21:00', before='7:00'}]
-  # wed = [{after='21:00', before='7:00'}]
-  # thu = [{after='21:00', before='7:00'}]
-  # fri = [{after='23:00', before='7:00'}]
-  # sat = [{after='23:00', before='7:00'}]
-  # sun = [{after='21:00', before='7:00'}]
+  # [schedules.time-to-sleep]
+  #   mon = [{after='21:00', before='7:00'}]
+  #   tue = [{after='21:00', before='7:00'}]
+  #   wed = [{after='21:00', before='7:00'}]
+  #   thu = [{after='21:00', before='7:00'}]
+  #   fri = [{after='23:00', before='7:00'}]
+  #   sat = [{after='23:00', before='7:00'}]
+  #   sun = [{after='21:00', before='7:00'}]
 
-  # [schedules.'work']
-  # mon = [{after='9:00', before='18:00'}]
-  # tue = [{after='9:00', before='18:00'}]
-  # wed = [{after='9:00', before='18:00'}]
-  # thu = [{after='9:00', before='18:00'}]
-  # fri = [{after='9:00', before='17:00'}]
+  # [schedules.work]
+  #   mon = [{after='9:00', before='18:00'}]
+  #   tue = [{after='9:00', before='18:00'}]
+  #   wed = [{after='9:00', before='18:00'}]
+  #   thu = [{after='9:00', before='18:00'}]
+  #   fri = [{after='9:00', before='17:00'}]
 
 
 
@@ -587,41 +697,69 @@ cache_neg_max_ttl = 600
 ## If the `urls` property is missing, cache files and valid signatures
 ## must already be present. This doesn't prevent these cache files from
 ## expiring after `refresh_delay` hours.
+## `refreshed_delay` must be in the [24..168] interval.
+## The minimum delay of 24 hours (1 day) avoids unnecessary requests to servers.
+## The maximum delay of 168 hours (1 week) ensures cache freshness.
 
 [sources]
 
-  ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
+  ### An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
 
-  [sources.'public-resolvers']
-  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
-  cache_file = 'public-resolvers.md'
-  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
-  prefix = ''
+  [sources.public-resolvers]
+    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
+    cache_file = 'public-resolvers.md'
+    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+    refresh_delay = 72
+    prefix = ''
 
-  ## Anonymized DNS relays
+  ### Anonymized DNS relays
 
-  [sources.'relays']
-  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/relays.md', 'https://download.dnscrypt.info/resolvers-list/v2/relays.md']
-  cache_file = 'relays.md'
-  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
-  refresh_delay = 72
-  prefix = ''
+  [sources.relays]
+    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md']
+    cache_file = 'relays.md'
+    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+    refresh_delay = 72
+    prefix = ''
 
-  ## Quad9 over DNSCrypt - https://quad9.net/
+  ### ODoH (Oblivious DoH) servers and relays
+
+  # [sources.odoh-servers]
+  #   urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md']
+  #   cache_file = 'odoh-servers.md'
+  #   minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+  #   refresh_delay = 24
+  #   prefix = ''
+  # [sources.odoh-relays]
+  #   urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md']
+  #   cache_file = 'odoh-relays.md'
+  #   minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+  #   refresh_delay = 24
+  #   prefix = ''
+
+  ### Quad9
 
   # [sources.quad9-resolvers]
-  # urls = ['https://www.quad9.net/quad9-resolvers.md']
-  # minisign_key = 'RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN'
-  # cache_file = 'quad9-resolvers.md'
-  # prefix = 'quad9-'
+  #   urls = ['https://www.quad9.net/quad9-resolvers.md']
+  #   minisign_key = 'RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN'
+  #   cache_file = 'quad9-resolvers.md'
+  #   prefix = 'quad9-'
 
-  ## Another example source, with resolvers censoring some websites not appropriate for children
-  ## This is a subset of the `public-resolvers` list, so enabling both is useless
+  ### Another example source, with resolvers censoring some websites not appropriate for children
+  ### This is a subset of the `public-resolvers` list, so enabling both is useless
 
-  #  [sources.'parental-control']
-  #  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md']
-  #  cache_file = 'parental-control.md'
-  #  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+  # [sources.parental-control]
+  #   urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md']
+  #   cache_file = 'parental-control.md'
+  #   minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+
+  ### dnscry.pt servers - See https://www.dnscry.pt
+
+  #  [sources.dnscry-pt-resolvers]
+  #    urls = ["https://www.dnscry.pt/resolvers.md"]
+  #    minisign_key = "RWQM31Nwkqh01x88SvrBL8djp1NH56Rb4mKLHz16K7qsXgEomnDv6ziQ"
+  #    cache_file = "dnscry.pt-resolvers.md"
+  #    refresh_delay = 72
+  #    prefix = "dnscry.pt-"
 
 
 
@@ -631,18 +769,18 @@ cache_neg_max_ttl = 600
 
 [broken_implementations]
 
-# Cisco servers currently cannot handle queries larger than 1472 bytes, and don't
-# truncate reponses larger than questions as expected by the DNSCrypt protocol.
-# This prevents large responses from being received over UDP and over relays.
-#
-# The `dnsdist` server software drops client queries larger than 1500 bytes.
-# They are aware of it and are working on a fix.
-#
-# The list below enables workarounds to make non-relayed usage more reliable
-# until the servers are fixed.
-
-fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'quad9-dnscrypt-ip4-filter-alt', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-nofilter-alt', 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-filter-alt', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-dnscrypt-ip6-nofilter-alt', 'quad9-dnscrypt-ip6-nofilter-pri', 'cleanbrowsing-adult', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-security']
+## Cisco servers currently cannot handle queries larger than 1472 bytes, and don't
+## truncate responses larger than questions as expected by the DNSCrypt protocol.
+## This prevents large responses from being received over UDP and over relays.
+##
+## Older versions of the `dnsdist` server software had a bug with queries larger
+## than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but
+## some server may still run an outdated version.
+##
+## The list below enables workarounds to make non-relayed usage more reliable
+## until the servers are fixed.
 
+fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cleanbrowsing-adult', 'cleanbrowsing-adult-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-security', 'cleanbrowsing-security-ipv6']
 
 
 
@@ -650,16 +788,16 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys
 #        Certificate-based client authentication for DoH        #
 #################################################################
 
-# Use a X509 certificate to authenticate yourself when connecting to DoH servers.
-# This is only useful if you are operating your own, private DoH server(s).
-# 'creds' maps servers to certificates, and supports multiple entries.
-# If you are not using the standard root CA, an optional "root_ca"
-# property set to the path to a root CRT file can be added to a server entry.
+## Use a X509 certificate to authenticate yourself when connecting to DoH servers.
+## This is only useful if you are operating your own, private DoH server(s).
+## 'creds' maps servers to certificates, and supports multiple entries.
+## If you are not using the standard root CA, an optional "root_ca"
+## property set to the path to a root CRT file can be added to a server entry.
 
 [doh_client_x509_auth]
-#
+
 # creds = [
-#    { server_name='myserver', client_cert='client.crt', client_key='client.key' }
+#    { server_name='*', client_cert='client.crt', client_key='client.key' }
 # ]
 
 
@@ -676,11 +814,11 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys
 ## used to connect to that server.
 ##
 ## A relay can be specified as a DNS Stamp (either a relay stamp, or a
-## DNSCrypt stamp), an IP:port, a hostname:port, or a server name.
+## DNSCrypt stamp) or a server name.
 ##
 ## The following example routes "example-server-1" via `anon-example-1` or `anon-example-2`,
-## and "example-server-2" via the relay whose relay DNS stamp
-## is "sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM".
+## and "example-server-2" via the relay whose relay DNS stamp is
+## "sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM".
 ##
 ## !!! THESE ARE JUST EXAMPLES !!!
 ##
@@ -689,27 +827,54 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys
 ##
 ## Carefully choose relays and servers so that they are run by different entities.
 ##
-## "server_name" can also be set to "*" to define a default route, but this is not
-## recommended. If you do so, keep "server_names" short and distinct from relays.
+## "server_name" can also be set to "*" to define a default route, for all servers:
+## { server_name='*', via=['anon-example-1', 'anon-example-2'] }
+##
+## If a route is ["*"], the proxy automatically picks a relay on a distinct network.
+## { server_name='*', via=['*'] } is also an option, but is likely to be suboptimal.
+##
+## Manual selection is always recommended over automatic selection, so that you can
+## select (relay,server) pairs that work well and fit your own criteria (close by or
+## in different countries, operated by different entities, on distinct ISPs...)
 
  routes = [
-    { server_name='dnscrypt.eu-dk', via=['anon-meganerd', 'anon-scaleway-ams'] },
-    { server_name='dnscrypt.eu-nl', via=['anon-meganerd', 'anon-scaleway-ams'] },
-    { server_name='dnscrypt.uk-ipv4', via=['anon-kama', 'anon-scaleway'] },
-    { server_name='meganerd', via=['anon-scaleway-ams', 'anon-v.dnscrypt.uk-ipv4'] },
-    { server_name='publicarray-au', via=['anon-ibksturm', 'anon-tiarap'] },
-    { server_name='scaleway-ams', via=['anon-meganerd', 'anon-v.dnscrypt.uk-ipv4'] },
-    { server_name='scaleway-fr', via=['anon-dnscrypt.uk-ipv4', 'anon-v.dnscrypt.uk-ipv4'] },
-    { server_name='v.dnscrypt.uk-ipv4', via=['anon-meganerd', 'anon-scaleway'] }
+    { server_name='ams-dnscrypt-nl', via=['anon-meganerd', 'anon-scaleway-ams'] },
+    { server_name='d0wn-tz-ns1', via=['anon-arapurayil-in-ipv4', 'anon-cs-rome'] },
+    { server_name='dct-nl', via=['anon-meganerd', 'anon-scaleway-ams'] },
+    { server_name='dct-ru', via=['anon-cs-czech', 'anon-techsaviours.org'] },
+    { server_name='dnscrypt.be', via=['anon-cs-belgium', 'anon-serbica'] },
+    { server_name='dnscrypt.pl', via=['anon-cs-poland', 'anon-techsaviours.org'] },
+    { server_name='dnscrypt.uk-ipv4', via=['anon-cs-london', 'anon-scaleway'] },
+    { server_name='dnswarden-uncensor-dc-swiss', via=['anon-cs-fr', 'anon-kama'] },
+    { server_name='meganerd', via=['anon-scaleway-ams', 'anon-serbica'] },
+    { server_name='openinternet', via=['anon-cs-sea', 'anon-inconnu'] },
+    { server_name='plan9dns-fl', via=['anon-cs-tx', 'anon-inconnu'] },
+    { server_name='plan9dns-mx', via=['anon-cs-tx', 'anon-inconnu'] },
+    { server_name='plan9dns-nj', via=['anon-cs-nyc1', 'anon-inconnu'] },
+    { server_name='pryv8boi', via=['anon-cs-dus1', 'anon-techsaviours.org'] },
+    { server_name='sby-limotelu', via=['anon-cs-sydney', 'anon-tiarap'] },
+    { server_name='scaleway-ams', via=['anon-meganerd', 'anon-serbica'] },
+    { server_name='scaleway-fr', via=['anon-cs-fr', 'anon-dnscrypt.uk-ipv4'] },
+    { server_name='serbica', via=['anon-cs-nl', 'anon-scaleway-ams'] },
+    { server_name='techsaviours.org-dnscrypt', via=['anon-cs-berlin', 'anon-dnswarden-swiss'] },
+    { server_name='v.dnscrypt.uk-ipv4', via=['anon-cs-london', 'anon-scaleway'] }
+#    { server_name='example-server-1', via=['anon-example-1', 'anon-example-2'] },
 #    { server_name='example-server-2', via=['sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM'] }
  ]
 
 
-# skip resolvers incompatible with anonymization instead of using them directly
+## Skip resolvers incompatible with anonymization instead of using them directly
 
 skip_incompatible = true
 
 
+## If public server certificates for a non-conformant server cannot be
+## retrieved via a relay, try getting them directly. Actual queries
+## will then always go through relays.
+
+direct_cert_fallback = false
+
+
 
 ###############################
 #            DNS64            #
@@ -733,14 +898,16 @@ skip_incompatible = true
 
 [dns64]
 
-## (Option 1) Static prefix(es) as Pref64::/n CIDRs.
-# prefix = ["64:ff9b::/96"]
+## Static prefix(es) as Pref64::/n CIDRs
 
-## (Option 2) DNS64-enabled resolver(s) to discover Pref64::/n CIDRs.
+# prefix = ['64:ff9b::/96']
+
+## DNS64-enabled resolver(s) to discover Pref64::/n CIDRs
 ## These resolvers are used to query for Well-Known IPv4-only Name (WKN) "ipv4only.arpa." to discover only.
 ## Set with your ISP's resolvers in case of custom prefixes (other than Well-Known Prefix 64:ff9b::/96).
 ## IMPORTANT: Default resolvers listed below support Well-Known Prefix 64:ff9b::/96 only.
-# resolver = ["[2606:4700:4700::64]:53", "[2001:4860:4860::64]:53"]
+
+# resolver = ['[2606:4700:4700::64]:53', '[2001:4860:4860::64]:53']
 
 
 
@@ -753,6 +920,5 @@ skip_incompatible = true
 
 [static]
 
-  # [static.'myserver']
-  # stamp = 'sdns:AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'
-
+  # [static.myserver]
+  #   stamp = 'sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'

config/example-docs/example-blacklist.txt

@@ -1,39 +0,0 @@
-
-###########################
-#        Blacklist        #
-###########################
-
-## Rules for name-based query blocking, one per line
-##
-## Example of valid patterns:
-##
-## ads.*         | matches anything with an "ads." prefix
-## *.example.com | matches example.com and all names within that zone such as www.example.com
-## example.com   | identical to the above
-## =example.com  | block example.com but not *.example.com
-## *sex*         | matches any name containing that substring
-## ads[0-9]*     | matches "ads" followed by one or more digits
-## ads*.example* | *, ? and [] can be used anywhere, but prefixes/suffixes are faster
-
-ad.*
-ads.*
-banner.*
-banners.*
-creatives.*
-oas.*
-oascentral.*        # inline comments are allowed after a pound sign
-stats.*
-tag.*
-telemetry.*
-tracker.*
-*.local
-eth0.me
-*.workgroup
-
-
-
-## Time-based rules
-
-# *.youtube.*  @time-to-sleep
-# facebook.com @work
-

config/example-docs/example-cloaking-rules.txt

@@ -1,38 +0,0 @@
-################################
-#        Cloaking rules        #
-################################
-
-# The following example rules force "safe" (without adult content) search
-# results from Google, Bing and YouTube.
-#
-# This has to be enabled with the `cloaking_rules` parameter in the main
-# configuration file
-
-
-www.google.*             forcesafesearch.google.com
-
-www.bing.com             strict.bing.com
-
-yandex.ru                familysearch.yandex.ru       # inline comments are allowed after a pound sign
-
-=duckduckgo.com          safe.duckduckgo.com
-
-www.youtube.com          restrictmoderate.youtube.com
-m.youtube.com            restrictmoderate.youtube.com
-youtubei.googleapis.com  restrictmoderate.youtube.com
-youtube.googleapis.com   restrictmoderate.youtube.com
-www.youtube-nocookie.com restrictmoderate.youtube.com
-
-# Multiple IP entries for the same name are supported.
-# In the following example, the same name maps both to IPv4 and IPv6 addresses:
-
-localhost                127.0.0.1
-localhost                ::1
-
-# For load-balancing, multiple IP addresses of the same class can also be
-# provided using the same format, one <pattern> <ip> pair per line.
-
-# ads.*                 192.168.100.1
-# ads.*                 192.168.100.2
-# ads.*                 ::1
-

config/example-docs/example-dnscrypt-proxy.toml

@@ -1,750 +0,0 @@
-
-##############################################
-#                                            #
-#        dnscrypt-proxy configuration        #
-#                                            #
-##############################################
-
-## This is an example configuration file.
-## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"
-##
-## Online documentation is available here: https://dnscrypt.info/doc
-
-
-
-##################################
-#         Global settings        #
-##################################
-
-## List of servers to use
-##
-## Servers from the "public-resolvers" source (see down below) can
-## be viewed here: https://dnscrypt.info/public-servers
-##
-## The proxy will automatically pick working servers from this list.
-## Note that the require_* filters do NOT apply when using this setting.
-##
-## By default, this list is empty and all registered servers matching the
-## require_* filters will be used instead.
-##
-## Remove the leading # first to enable this; lines starting with # are ignored.
-
-# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
-
-
-## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
-## Example with both IPv4 and IPv6:
-## listen_addresses = ['127.0.0.1:53', '[::1]:53']
-
-listen_addresses = ['127.0.0.1:53']
-
-
-## Maximum number of simultaneous client connections to accept
-
-max_clients = 250
-
-
-## Switch to a different system user after listening sockets have been created.
-## Note (1): this feature is currently unsupported on Windows.
-## Note (2): this feature is not compatible with systemd socket activation.
-## Note (3): when using -pidfile, the PID file directory must be writable by the new user
-
-# user_name = 'nobody'
-
-
-## Require servers (from static + remote sources) to satisfy specific properties
-
-# Use servers reachable over IPv4
-ipv4_servers = true
-
-# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
-ipv6_servers = false
-
-# Use servers implementing the DNSCrypt protocol
-dnscrypt_servers = true
-
-# Use servers implementing the DNS-over-HTTPS protocol
-doh_servers = true
-
-
-## Require servers defined by remote sources to satisfy specific properties
-
-# Server must support DNS security extensions (DNSSEC)
-require_dnssec = false
-
-# Server must not log user queries (declarative)
-require_nolog = true
-
-# Server must not enforce its own blacklist (for parental control, ads blocking...)
-require_nofilter = true
-
-# Server names to avoid even if they match all criteria
-disabled_server_names = []
-
-
-## Always use TCP to connect to upstream servers.
-## This can be useful if you need to route everything through Tor.
-## Otherwise, leave this to `false`, as it doesn't improve security
-## (dnscrypt-proxy will always encrypt everything even using UDP), and can
-## only increase latency.
-
-force_tcp = false
-
-
-## SOCKS proxy
-## Uncomment the following line to route all TCP connections to a local Tor node
-## Tor doesn't support UDP, so set `force_tcp` to `true` as well.
-
-# proxy = 'socks5://127.0.0.1:9050'
-
-
-## HTTP/HTTPS proxy
-## Only for DoH servers
-
-# http_proxy = 'http://127.0.0.1:8888'
-
-
-## How long a DNS query will wait for a response, in milliseconds.
-## If you have a network with *a lot* of latency, you may need to
-## increase this. Startup may be slower if you do so.
-## Don't increase it too much. 10000 is the highest reasonable value.
-
-timeout = 5000
-
-
-## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds
-
-keepalive = 30
-
-
-## Response for blocked queries.  Options are `refused`, `hinfo` (default) or
-## an IP response.  To give an IP response, use the format `a:<IPv4>,aaaa:<IPv6>`.
-## Using the `hinfo` option means that some responses will be lies.
-## Unfortunately, the `hinfo` option appears to be required for Android 8+
-
-# blocked_query_response = 'refused'
-
-
-## Load-balancing strategy: 'p2' (default), 'ph', 'first' or 'random'
-
-# lb_strategy = 'p2'
-
-## Set to `true` to constantly try to estimate the latency of all the resolvers
-## and adjust the load-balancing parameters accordingly, or to `false` to disable.
-
-# lb_estimator = true
-
-
-## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)
-
-# log_level = 2
-
-
-## Log file for the application, as an alternative to sending logs to
-## the standard system logging service (syslog/Windows event log).
-##
-## This file is different from other log files, and will not be
-## automatically rotated by the application.
-
-# log_file = 'dnscrypt-proxy.log'
-
-
-## When using a log file, only keep logs from the most recent launch.
-
-# log_file_latest = true
-
-
-## Use the system logger (syslog on Unix, Event Log on Windows)
-
-# use_syslog = true
-
-
-## Delay, in minutes, after which certificates are reloaded
-
-cert_refresh_delay = 240
-
-
-## DNSCrypt: Create a new, unique key for every single DNS query
-## This may improve privacy but can also have a significant impact on CPU usage
-## Only enable if you don't have a lot of network load
-
-# dnscrypt_ephemeral_keys = false
-
-
-## DoH: Disable TLS session tickets - increases privacy but also latency
-
-# tls_disable_session_tickets = false
-
-
-## DoH: Use a specific cipher suite instead of the server preference
-## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
-## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
-##  4865 = TLS_AES_128_GCM_SHA256
-##  4867 = TLS_CHACHA20_POLY1305_SHA256
-##
-## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
-## the following suite improves performance.
-## This may also help on Intel CPUs running 32-bit operating systems.
-##
-## Keep tls_cipher_suite empty if you have issues fetching sources or
-## connecting to some DoH servers. Google and Cloudflare are fine with it.
-
-# tls_cipher_suite = [52392, 49199]
-
-
-## Fallback resolvers
-## These are normal, non-encrypted DNS resolvers, that will be only used
-## for one-shot queries when retrieving the initial resolvers list, and
-## only if the system DNS configuration doesn't work.
-## No user application queries will ever be leaked through these resolvers,
-## and they will not be used after IP addresses of resolvers URLs have been found.
-## They will never be used if lists have already been cached, and if stamps
-## don't include host names without IP addresses.
-## They will not be used if the configured system DNS works.
-## Resolvers supporting DNSSEC are recommended.
-##
-## People in China may need to use 114.114.114.114:53 here.
-## Other popular options include 8.8.8.8 and 1.1.1.1.
-##
-## If more than one resolver is specified, they will be tried in sequence.
-
-fallback_resolvers = ['9.9.9.9:53', '8.8.8.8:53']
-
-
-## Always use the fallback resolver before the system DNS settings.
-
-ignore_system_dns = true
-
-
-## Maximum time (in seconds) to wait for network connectivity before
-## initializing the proxy.
-## Useful if the proxy is automatically started at boot, and network
-## connectivity is not guaranteed to be immediately available.
-## Use 0 to not test for connectivity at all (not recommended),
-## and -1 to wait as much as possible.
-
-netprobe_timeout = 60
-
-## Address and port to try initializing a connection to, just to check
-## if the network is up. It can be any address and any port, even if
-## there is nothing answering these on the other side. Just don't use
-## a local address, as the goal is to check for Internet connectivity.
-## On Windows, a datagram with a single, nul byte will be sent, only
-## when the system starts.
-## On other operating systems, the connection will be initialized
-## but nothing will be sent at all.
-
-netprobe_address = '9.9.9.9:53'
-
-
-## Offline mode - Do not use any remote encrypted servers.
-## The proxy will remain fully functional to respond to queries that
-## plugins can handle directly (forwarding, cloaking, ...)
-
-# offline_mode = false
-
-
-## Additional data to attach to outgoing queries.
-## These strings will be added as TXT records to queries.
-## Do not use, except on servers explicitly asking for extra data
-## to be present.
-## encrypted-dns-server can be configured to use this for access control
-## in the [access_control] section
-
-# query_meta = ["key1:value1", "key2:value2", "token:MySecretToken"]
-
-
-## Automatic log files rotation
-
-# Maximum log files size in MB - Set to 0 for unlimited.
-log_files_max_size = 10
-
-# How long to keep backup files, in days
-log_files_max_age = 7
-
-# Maximum log files backups to keep (or 0 to keep all backups)
-log_files_max_backups = 1
-
-
-
-#########################
-#        Filters        #
-#########################
-
-## Note: if you are using dnsmasq, disable the `dnssec` option in dnsmasq if you
-## configure dnscrypt-proxy to do any kind of filtering (including the filters
-## below and blacklists).
-## You can still choose resolvers that do DNSSEC validation.
-
-
-## Immediately respond to IPv6-related queries with an empty response
-## This makes things faster when there is no IPv6 connectivity, but can
-## also cause reliability issues with some stub resolvers.
-
-block_ipv6 = false
-
-
-## Immediately respond to A and AAAA queries for host names without a domain name
-
-block_unqualified = true
-
-
-## Immediately respond to queries for local zones instead of leaking them to
-## upstream resolvers (always causing errors or timeouts).
-
-block_undelegated = true
-
-
-## TTL for synthetic responses sent when a request has been blocked (due to
-## IPv6 or blacklists).
-
-reject_ttl = 600
-
-
-
-##################################################################################
-#        Route queries for specific domains to a dedicated set of servers        #
-##################################################################################
-
-## See the `example-forwarding-rules.txt` file for an example
-
-# forwarding_rules = 'forwarding-rules.txt'
-
-
-
-###############################
-#        Cloaking rules       #
-###############################
-
-## Cloaking returns a predefined address for a specific name.
-## In addition to acting as a HOSTS file, it can also return the IP address
-## of a different name. It will also do CNAME flattening.
-##
-## See the `example-cloaking-rules.txt` file for an example
-
-# cloaking_rules = 'cloaking-rules.txt'
-
-## TTL used when serving entries in cloaking-rules.txt
-
-# cloak_ttl = 600
-
-
-###########################
-#        DNS cache        #
-###########################
-
-## Enable a DNS cache to reduce latency and outgoing traffic
-
-cache = true
-
-
-## Cache size
-
-cache_size = 4096
-
-
-## Minimum TTL for cached entries
-
-cache_min_ttl = 2400
-
-
-## Maximum TTL for cached entries
-
-cache_max_ttl = 86400
-
-
-## Minimum TTL for negatively cached entries
-
-cache_neg_min_ttl = 60
-
-
-## Maximum TTL for negatively cached entries
-
-cache_neg_max_ttl = 600
-
-
-
-##################################
-#        Local DoH server        #
-##################################
-
-[local_doh]
-
-## dnscrypt-proxy can act as a local DoH server. By doing so, web browsers
-## requiring a direct connection to a DoH server in order to enable some
-## features will enable these, without bypassing your DNS proxy.
-
-## Addresses that the local DoH server should listen to
-
-# listen_addresses = ['127.0.0.1:3000']
-
-
-## Path of the DoH URL. This is not a file, but the part after the hostname
-## in the URL. By convention, `/dns-query` is frequently chosen.
-## For each `listen_address` the complete URL to access the server will be:
-## `https://<listen_address><path>` (ex: `https://127.0.0.1/dns-query`)
-
-# path = "/dns-query"
-
-
-## Certificate file and key - Note that the certificate has to be trusted.
-## See the documentation (wiki) for more information.
-
-# cert_file = "localhost.pem"
-# cert_key_file = "localhost.pem"
-
-
-
-###############################
-#        Query logging        #
-###############################
-
-## Log client queries to a file
-
-[query_log]
-
-  ## Path to the query log file (absolute, or relative to the same directory as the config file)
-  ## On non-Windows systems, can be /dev/stdout to log to the standard output (also set log_files_max_size to 0)
-
-  # file = 'query.log'
-
-
-  ## Query log format (currently supported: tsv and ltsv)
-
-  format = 'tsv'
-
-
-  ## Do not log these query types, to reduce verbosity. Keep empty to log everything.
-
-  # ignored_qtypes = ['DNSKEY', 'NS']
-
-
-
-############################################
-#        Suspicious queries logging        #
-############################################
-
-## Log queries for nonexistent zones
-## These queries can reveal the presence of malware, broken/obsolete applications,
-## and devices signaling their presence to 3rd parties.
-
-[nx_log]
-
-  ## Path to the query log file (absolute, or relative to the same directory as the config file)
-
-  # file = 'nx.log'
-
-
-  ## Query log format (currently supported: tsv and ltsv)
-
-  format = 'tsv'
-
-
-
-######################################################
-#        Pattern-based blocking (blacklists)        #
-######################################################
-
-## Blacklists are made of one pattern per line. Example of valid patterns:
-##
-##   example.com
-##   =example.com
-##   *sex*
-##   ads.*
-##   ads*.example.*
-##   ads*.example[0-9]*.com
-##
-## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
-## A script to build blacklists from public feeds can be found in the
-## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.
-
-[blacklist]
-
-  ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
-
-  # blacklist_file = 'blacklist.txt'
-
-
-  ## Optional path to a file logging blocked queries
-
-  # log_file = 'blocked.log'
-
-
-  ## Optional log format: tsv or ltsv (default: tsv)
-
-  # log_format = 'tsv'
-
-
-
-###########################################################
-#        Pattern-based IP blocking (IP blacklists)        #
-###########################################################
-
-## IP blacklists are made of one pattern per line. Example of valid patterns:
-##
-##   127.*
-##   fe80:abcd:*
-##   192.168.1.4
-
-[ip_blacklist]
-
-  ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
-
-  # blacklist_file = 'ip-blacklist.txt'
-
-
-  ## Optional path to a file logging blocked queries
-
-  # log_file = 'ip-blocked.log'
-
-
-  ## Optional log format: tsv or ltsv (default: tsv)
-
-  # log_format = 'tsv'
-
-
-
-######################################################
-#   Pattern-based whitelisting (blacklists bypass)   #
-######################################################
-
-## Whitelists support the same patterns as blacklists
-## If a name matches a whitelist entry, the corresponding session
-## will bypass names and IP filters.
-##
-## Time-based rules are also supported to make some websites only accessible at specific times of the day.
-
-[whitelist]
-
-  ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the config file)
-
-  # whitelist_file = 'whitelist.txt'
-
-
-  ## Optional path to a file logging whitelisted queries
-
-  # log_file = 'whitelisted.log'
-
-
-  ## Optional log format: tsv or ltsv (default: tsv)
-
-  # log_format = 'tsv'
-
-
-
-##########################################
-#        Time access restrictions        #
-##########################################
-
-## One or more weekly schedules can be defined here.
-## Patterns in the name-based blocklist can optionally be followed with @schedule_name
-## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
-##
-## For example, the following rule in a blacklist file:
-## *.youtube.* @time-to-sleep
-## would block access to YouTube during the times defined by the 'time-to-sleep' schedule.
-##
-## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
-## {after= '9:00', before='18:00'} matches 9:00-18:00
-
-[schedules]
-
-  # [schedules.'time-to-sleep']
-  # mon = [{after='21:00', before='7:00'}]
-  # tue = [{after='21:00', before='7:00'}]
-  # wed = [{after='21:00', before='7:00'}]
-  # thu = [{after='21:00', before='7:00'}]
-  # fri = [{after='23:00', before='7:00'}]
-  # sat = [{after='23:00', before='7:00'}]
-  # sun = [{after='21:00', before='7:00'}]
-
-  # [schedules.'work']
-  # mon = [{after='9:00', before='18:00'}]
-  # tue = [{after='9:00', before='18:00'}]
-  # wed = [{after='9:00', before='18:00'}]
-  # thu = [{after='9:00', before='18:00'}]
-  # fri = [{after='9:00', before='17:00'}]
-
-
-
-#########################
-#        Servers        #
-#########################
-
-## Remote lists of available servers
-## Multiple sources can be used simultaneously, but every source
-## requires a dedicated cache file.
-##
-## Refer to the documentation for URLs of public sources.
-##
-## A prefix can be prepended to server names in order to
-## avoid collisions if different sources share the same for
-## different servers. In that case, names listed in `server_names`
-## must include the prefixes.
-##
-## If the `urls` property is missing, cache files and valid signatures
-## must already be present. This doesn't prevent these cache files from
-## expiring after `refresh_delay` hours.
-
-[sources]
-
-  ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
-
-  [sources.'public-resolvers']
-  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
-  cache_file = 'public-resolvers.md'
-  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
-  prefix = ''
-
-  ## Anonymized DNS relays
-
-  [sources.'relays']
-  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/relays.md', 'https://download.dnscrypt.info/resolvers-list/v2/relays.md']
-  cache_file = 'relays.md'
-  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
-  refresh_delay = 72
-  prefix = ''
-
-  ## Quad9 over DNSCrypt - https://quad9.net/
-
-  # [sources.quad9-resolvers]
-  # urls = ['https://www.quad9.net/quad9-resolvers.md']
-  # minisign_key = 'RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN'
-  # cache_file = 'quad9-resolvers.md'
-  # prefix = 'quad9-'
-
-  ## Another example source, with resolvers censoring some websites not appropriate for children
-  ## This is a subset of the `public-resolvers` list, so enabling both is useless
-
-  #  [sources.'parental-control']
-  #  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md']
-  #  cache_file = 'parental-control.md'
-  #  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
-
-
-
-#########################################
-#        Servers with known bugs        #
-#########################################
-
-[broken_implementations]
-
-# Cisco servers currently cannot handle queries larger than 1472 bytes, and don't
-# truncate reponses larger than questions as expected by the DNSCrypt protocol.
-# This prevents large responses from being received over UDP and over relays.
-#
-# The `dnsdist` server software drops client queries larger than 1500 bytes.
-# They are aware of it and are working on a fix.
-#
-# The list below enables workarounds to make non-relayed usage more reliable
-# until the servers are fixed.
-
-fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'quad9-dnscrypt-ip4-filter-alt', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-nofilter-alt', 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-filter-alt', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-dnscrypt-ip6-nofilter-alt', 'quad9-dnscrypt-ip6-nofilter-pri', 'cleanbrowsing-adult', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-security']
-
-
-
-#################################################################
-#        Certificate-based client authentication for DoH        #
-#################################################################
-
-# Use a X509 certificate to authenticate yourself when connecting to DoH servers.
-# This is only useful if you are operating your own, private DoH server(s).
-# 'creds' maps servers to certificates, and supports multiple entries.
-# If you are not using the standard root CA, an optional "root_ca"
-# property set to the path to a root CRT file can be added to a server entry.
-
-[doh_client_x509_auth]
-#
-# creds = [
-#    { server_name='myserver', client_cert='client.crt', client_key='client.key' }
-# ]
-
-
-
-################################
-#        Anonymized DNS        #
-################################
-
-[anonymized_dns]
-
-## Routes are indirect ways to reach DNSCrypt servers.
-##
-## A route maps a server name ("server_name") to one or more relays that will be
-## used to connect to that server.
-##
-## A relay can be specified as a DNS Stamp (either a relay stamp, or a
-## DNSCrypt stamp), an IP:port, a hostname:port, or a server name.
-##
-## The following example routes "example-server-1" via `anon-example-1` or `anon-example-2`,
-## and "example-server-2" via the relay whose relay DNS stamp
-## is "sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM".
-##
-## !!! THESE ARE JUST EXAMPLES !!!
-##
-## Review the list of available relays from the "relays.md" file, and, for each
-## server you want to use, define the relays you want connections to go through.
-##
-## Carefully choose relays and servers so that they are run by different entities.
-##
-## "server_name" can also be set to "*" to define a default route, but this is not
-## recommended. If you do so, keep "server_names" short and distinct from relays.
-
-# routes = [
-#    { server_name='example-server-1', via=['anon-example-1', 'anon-example-2'] },
-#    { server_name='example-server-2', via=['sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM'] }
-# ]
-
-
-# skip resolvers incompatible with anonymization instead of using them directly
-
-skip_incompatible = false
-
-
-
-###############################
-#            DNS64            #
-###############################
-
-## DNS64 is a mechanism for synthesizing AAAA records from A records.
-## It is used with an IPv6/IPv4 translator to enable client-server
-## communication between an IPv6-only client and an IPv4-only server,
-## without requiring any changes to either the IPv6 or the IPv4 node,
-## for the class of applications that work through NATs.
-##
-## There are two options to synthesize such records:
-## Option 1: Using a set of static IPv6 prefixes;
-## Option 2: By discovering the IPv6 prefix from DNS64-enabled resolver.
-##
-## If both options are configured - only static prefixes are used.
-## (Ref. RFC6147, RFC6052, RFC7050)
-##
-## Do not enable unless you know what DNS64 is and why you need it, or else
-## you won't be able to connect to anything at all.
-
-[dns64]
-
-## (Option 1) Static prefix(es) as Pref64::/n CIDRs.
-# prefix = ["64:ff9b::/96"]
-
-## (Option 2) DNS64-enabled resolver(s) to discover Pref64::/n CIDRs.
-## These resolvers are used to query for Well-Known IPv4-only Name (WKN) "ipv4only.arpa." to discover only.
-## Set with your ISP's resolvers in case of custom prefixes (other than Well-Known Prefix 64:ff9b::/96).
-## IMPORTANT: Default resolvers listed below support Well-Known Prefix 64:ff9b::/96 only.
-# resolver = ["[2606:4700:4700::64]:53", "[2001:4860:4860::64]:53"]
-
-
-
-########################################
-#            Static entries            #
-########################################
-
-## Optional, local, static list of additional servers
-## Mostly useful for testing your own servers.
-
-[static]
-
-  # [static.'myserver']
-  # stamp = 'sdns:AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'
-

config/example-docs/example-forwarding-rules.txt

@@ -1,25 +0,0 @@
-##################################
-#        Forwarding rules        #
-##################################
-
-## This is used to route specific domain names to specific servers.
-## The general format is:
-## <domain> <server address>[:port] [, <server address>[:port]...]
-## IPv6 addresses can be specified by enclosing the address in square brackets.
-
-## In order to enable this feature, the "forwarding_rules" property needs to
-## be set to this file name inside the main configuration file.
-
-## Blocking IPv6 may prevent local devices from being discovered.
-## If this happens, set `block_ipv6` to `false` in the main config file.
-
-## Forward *.lan, *.local, *.home, *.internal and *.localdomain to 192.168.1.1
-# lan             192.168.1.1
-# local           192.168.1.1
-# home            192.168.1.1
-# internal        192.168.1.1
-# localdomain     192.168.1.1
-
-## Forward queries for example.com and *.example.com to 9.9.9.9 and 8.8.8.8
-# example.com     9.9.9.9,8.8.8.8
-

config/example-docs/example-ip-blacklist.txt

@@ -1,16 +0,0 @@
-##############################
-#        IP blacklist        #
-##############################
-
-## Response containing blacklisted IP addresses will be blocked
-##
-## Sample feeds of suspect IP addresses:
-## - https://github.com/stamparm/ipsum
-## - https://github.com/tg12/bad_packets_blocklist
-## - https://isc.sans.edu/block.txt
-## - https://block.energized.pro/extensions/ips/formats/list.txt
-
-163.5.1.4
-94.46.118.*
-fe80:53:*          # IPv6 prefix example
-

config/example-docs/example-whitelist.txt

@@ -1,26 +0,0 @@
-
-###########################
-#        Whitelist        #
-###########################
-
-## Rules for name-based query whitelisting, one per line
-##
-## Example of valid patterns:
-##
-## ads.*         | matches anything with an "ads." prefix
-## *.example.com | matches example.com and all names within that zone such as www.example.com
-## example.com   | identical to the above
-## =example.com  | whitelists example.com but not *.example.com
-## *sex*         | matches any name containing that substring
-## ads[0-9]*     | matches "ads" followed by one or more digits
-## ads*.example* | *, ? and [] can be used anywhere, but prefixes/suffixes are faster
-
-tracker.debian.org
-
-
-
-## Time-based rules
-
-# *.youtube.*  @time-to-play
-# facebook.com @play
-

config/example-docs/localhost.pem

@@ -1,47 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDb7g6EQhbfby97
-k4oMbZTzdi2TWFBs7qK/QwgOu+L6EhNHPO1ZEU29v0APFBFJO5zyyAk9bZ9k9tPB
-bCuVVI9jEUfLH3UCjEQPG6XI2w++uVh0yALvc/uurCvRHVlle/V7cAoikndc2SjE
-RQUALbACIqwD5g0F77BYwcsreB4GH253/R6Q2/CJZ4jNHPjkocOJiVr3ejA0kkoN
-MXpGUXWcrVVk20M2A1CeO7HAulLRcklEdoHE3v46pjp0iZK0F9LyZX1U1ql+4QL3
-iQttoZ4tMg83lFHSt4G9PrpIhzXr9W4NW822faSvrIwwN/JbItUmRa7n/3+MkuJQ
-IGGNDayXAgMBAAECggEBANs0fmGSocuXvYL1Pi4+9qxnCOwIpTi97Zam0BwnZwcL
-Bw4FCyiwV4UdX1LoFIailT9i49rHLYzre4oZL6OKgdQjQCSTuQOOHLPWQbpdpWba
-w/C5/jr+pkemMZIfJ6BAGiArPt7Qj4oKpFhj1qUj5H9sYXkNTcOx8Fm25rLv6TT9
-O7wg0oCpyG+iBSbCYBp9mDMz8pfo4P3BhcFiyKCKeiAC6KuHU81dvuKeFB4XQK+X
-no2NqDqe6MBkmTqjNNy+wi1COR7lu34LPiWU5Hq5PdIEqBBUMjlMI6oYlhlgNTdx
-SvsqFz3Xs6kpAhJTrSiAqscPYosgaMQxo+LI26PJnikCgYEA9n0OERkm0wSBHnHY
-Kx8jaxNYg93jEzVnEgI/MBTJZqEyCs9fF6Imv737VawEN/BhesZZX7bGZQfDo8AT
-aiSa5upkkSGXEqTu5ytyoKFTb+dJ/qmx3+zP6dPVzDnc8WPYMoUg7vvjZkXXJgZX
-+oMlMUW1wWiDNI3wP19W9Is6xssCgYEA5GqkUBEns6eTFJV0JKqbEORJJ7lx5NZe
-cIx+jPpLkILG4mOKOg1TBx0wkxa9cELtsNsM+bPtu9OqRMhsfPBmsXDHhJwg0Z6G
-eDTfYYPkpRhwZvl6jBZn9sLVR9wfg2hE+n0lfV3mceg336KOkwAehDU84SWZ2e0S
-esqkpbHJa+UCgYA7PY0O8POSzcdWkNf6bS5vAqRIdSCpMjGGc4HKRYSuJNnJHVPm
-czNK7Bcm3QPaiexzvI4oYd5G09niVjyUSx3rl7P56Y/MjFVau+d90agjAfyXtyMo
-BVtnAGGnBtUiMvP4GGT06xcZMnnmCqpEbBaZQ/7N8Bdwnxh5sqlMdtX2hwKBgAhL
-hyQRO2vezgyVUN50A6WdZLq4lVZGIq/bqkzcWhopZaebDc4F5doASV9OGBsXkyI1
-EkePLTcA/NH6pVX0NQaEnfpG4To7k46R/PrBm3ATbyGONdEYjzX65VvytoJDKx4d
-pVrkKhZA5KaOdLcJ7hHHDSrv/qJXZbBn44rQ5guxAoGBAJ6oeUsUUETakxlmIhmK
-xuQmWqLf97BKt8r6Z8CqHKWK7vpG2OmgFYCQGaR7angQ8hmAOv6jM56XhoagDBoc
-UoaoEyo9/uCk6NRUkUMj7Tk/5UQSiWLceVH27w+icMFhf1b7EmmNfk+APsiathO5
-j4edf1AinVCPwRVVu1dtLL5P
------END PRIVATE KEY-----
------BEGIN CERTIFICATE-----
-MIIDAjCCAeoCCQCptj0+TjjIJjANBgkqhkiG9w0BAQsFADBDMREwDwYDVQQKDAhE
-TlNDcnlwdDEaMBgGA1UECwwRTG9jYWwgdGVzdCBzZXJ2ZXIxEjAQBgNVBAMMCWxv
-Y2FsaG9zdDAeFw0xOTExMTgxNDA2MzBaFw0zMzA3MjcxNDA2MzBaMEMxETAPBgNV
-BAoMCEROU0NyeXB0MRowGAYDVQQLDBFMb2NhbCB0ZXN0IHNlcnZlcjESMBAGA1UE
-AwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2+4O
-hEIW328ve5OKDG2U83Ytk1hQbO6iv0MIDrvi+hITRzztWRFNvb9ADxQRSTuc8sgJ
-PW2fZPbTwWwrlVSPYxFHyx91AoxEDxulyNsPvrlYdMgC73P7rqwr0R1ZZXv1e3AK
-IpJ3XNkoxEUFAC2wAiKsA+YNBe+wWMHLK3geBh9ud/0ekNvwiWeIzRz45KHDiYla
-93owNJJKDTF6RlF1nK1VZNtDNgNQnjuxwLpS0XJJRHaBxN7+OqY6dImStBfS8mV9
-VNapfuEC94kLbaGeLTIPN5RR0reBvT66SIc16/VuDVvNtn2kr6yMMDfyWyLVJkWu
-5/9/jJLiUCBhjQ2slwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA6Vz5HnGuy8jZz
-5i8ipbcDMCZNdpYYnxgD53hEKOfoSv7LaF0ztD8Kmg3s5LHv9EHlkK3+G6FWRGiP
-9f6IbtRITaiVQP3M13T78hpN5Qq5jgsqjR7ZcN7Etr6ZFd7G/0+mzqbyBuW/3szt
-RdX/YLy1csvjbZoNNuXGWRohXjg0Mjko2tRLmARvxA/gZV5zWycv3BD2BPzyCdS9
-MDMYSF0RPiL8+alfwLNqLcqMA5liHlmZa85uapQyoUI3ksKJkEgU53aD8cYhH9Yn
-6mVpsrvrcRLBiHlbi24QBolhFkCSRK8bXes8XDIPuD8iYRwlrVBwOakMFQWMqNfI
-IMOKJomU
------END CERTIFICATE-----

config/whitelist.txt

@@ -1,12 +0,0 @@
-
-###########################
-#        Whitelist        #
-###########################
-
-## Author    : quindecim   : https://git.nixnet.xyz/quindecim
-##                           https://git.lushka.al/quindecim   | MIRROR
-##                           https://git.lelux.fi/quindecim    | MIRROR
-##
-##
-## This is just a placeholder for who want to use a whitelist file.
-

customize.sh

@@ -1,57 +1,67 @@
   ui_print " "
   ui_print "******************************"
   ui_print "*   dnscrypt-proxy-android   *"
-  ui_print "*           2.0.44           *"
+  ui_print "*            2.1.5           *"
   ui_print "******************************"
-  ui_print "*         quindecim          *"
+  ui_print "*            d3cim           *"
   ui_print "******************************"
   ui_print " "
 
+# Get architecture specific binary file
+if [ "$ARCH" == "arm" ];then
+  BINARY_PATH=$MODPATH/binary/dnscrypt-proxy-arm
+elif [ "$ARCH" == "arm64" ];then
+  BINARY_PATH=$MODPATH/binary/dnscrypt-proxy-arm64
+elif [ "$ARCH" == "x86" ];then
+  BINARY_PATH=$MODPATH/binary/dnscrypt-proxy-i386
+elif [ "$ARCH" == "x64" ];then
+  BINARY_PATH=$MODPATH/binary/dnscrypt-proxy-x86_64
+fi
 
-  if [ "$ARCH" == "arm" ];then
-    BINARY_PATH=$TMPDIR/binary/dnscrypt-proxy-arm
-  elif [ "$ARCH" == "arm64" ];then
-    BINARY_PATH=$TMPDIR/binary/dnscrypt-proxy-arm64
-  elif [ "$ARCH" == "x86" ];then
-    BINARY_PATH=$TMPDIR/binary/dnscrypt-proxy-i386
-  elif [ "$ARCH" == "x64" ];then
-    BINARY_PATH=$TMPDIR/binary/dnscrypt-proxy-x86_64
-  fi
+# Set destination paths
+CONFIG_PATH=$MODPATH/config
 
-CONFIG_PATH=$TMPDIR/config
+# Create the path for the binary file
+ui_print "* Creating the binary path."
+mkdir -p $MODPATH/system/bin
 
-  unzip -o "$ZIPFILE" 'config/*' 'binary/*' -d $TMPDIR
+# Create the path for the configuration files
+ui_print "* Creating the config. path."
+mkdir -p /storage/emulated/0/dnscrypt-proxy
 
-  ui_print "* Creating binary path"
-  mkdir -p $MODPATH/system/bin
+# Copy the binary files into the right folder
+if [ -f "$BINARY_PATH" ]; then
+ui_print "* Copying the binary files."
+ cp -af $BINARY_PATH $MODPATH/system/bin/dnscrypt-proxy
+else
+  abort "The binary file for your $ARCH device is missing!"
+fi
 
-  ui_print "* Creating config path"
-  mkdir -p /data/media/0/dnscrypt-proxy
+# Backup an existing config file before proceed
+CONFIG_FILE="/storage/emulated/0/dnscrypt-proxy/dnscrypt-proxy.toml"
 
-  if [ -f "$BINARY_PATH" ]; then
-  ui_print "* Copying binary for $ARCH"
-    cp -af $BINARY_PATH $MODPATH/system/bin/dnscrypt-proxy
-  else
-    abort "Binary file for $ARCH is missing!"
-  fi
+if [ -f "$CONFIG_FILE" ]; then
+ui_print "* Backing up the existing config. file before proceed."
+  cp -af  $CONFIG_FILE ${CONFIG_FILE}-`date +%Y%m%d%H%M`.bak
+fi
 
+# Copy the configuration files into the right folder
+if [ -d "$CONFIG_PATH" ]; then
+ui_print "* Copying the configuration files into the dnscrypt-proxy folder."
+  cp -af $CONFIG_PATH/* /storage/emulated/0/dnscrypt-proxy/
+else
+  abort "Configuration file (.toml) is missing!"
+fi
 
-# Backup an existing config file before proceed | quindecim
+# Set the right permissions to the dnscrypt-proxy binary file
+ui_print "* Setting up the right permissions to the dnscrypt-proxy binary file."
+set_perm_recursive $MODPATH 0 0 0755 0755
+set_perm $MODPATH/system/bin/dnscrypt-proxy 0 0 0755
 
-CONFIG_FILE="/data/media/0/dnscrypt-proxy/dnscrypt-proxy.toml"
+# Set Private DNS mode off
+ui_print "* Disabling Android 9+ Private DNS mode."
+settings put global private_dns_mode off
 
-  if [ -f "$CONFIG_FILE" ]; then
-  ui_print "* Backing up config file"
-    cp -af  $CONFIG_FILE ${CONFIG_FILE}-`date +%Y%m%d%H%M`.bak
-  fi
-
-  if [ -d "$CONFIG_PATH" ]; then
-  ui_print "* Copying config, example and license files"
-    cp -af $CONFIG_PATH/* /data/media/0/dnscrypt-proxy/
-  else
-    abort "Config file is missing!"
-  fi
-
-
-  set_perm_recursive $MODPATH 0 0 0755 0755
-  set_perm $MODPATH/system/bin/dnscrypt-proxy 0 0 0755
+# Cleanup unneeded binary files
+ui_print "* Cleaning up the unnecessary files."
+rm -r $MODPATH/binary

module.prop

@@ -1,6 +1,7 @@
 id=dnscrypt-proxy-android
 name=DNSCrypt-Proxy 2
-version=2.0.44
-versionCode=440
-author=quindecim
-description=A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2, DNS-over-HTTPS and Anonymized DNSCrypt. Using dnscrypt-proxy 2.0.44
+version=2.1.5
+versionCode=210500
+author=d3cim
+description=A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2, DNS-over-HTTPS, Anonymized DNSCrypt and ODoH (Oblivious DoH). Using dnscrypt-proxy 2.1.5
+updateJson=https://raw.githubusercontent.com/d3cim/dnscrypt-proxy-android/master/update.json

post-fs-data.sh

@@ -8,8 +8,14 @@ MODDIR=${0%/*}
 
 # This script will be executed in post-fs-data mode
 
-iptables -t nat -A OUTPUT -p tcp ! -d 91.239.100.100 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
-iptables -t nat -A OUTPUT -p udp ! -d 91.239.100.100 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
-ip6tables -A OUTPUT -p tcp -j DROP
-ip6tables -A OUTPUT -p udp -j DROP
+# Redirect DNS requests to localhost
+iptables -t nat -A OUTPUT -p tcp ! -d 45.11.45.11 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
+iptables -t nat -A OUTPUT -p udp ! -d 45.11.45.11 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
+# ip6tables -t nat -A OUTPUT -p tcp ! -d 45.11.45.11 --dport 53 -j DNAT --to-destination [::1]:5354
+# ip6tables -t nat -A OUTPUT -p udp ! -d 45.11.45.11 --dport 53 -j DNAT --to-destination [::1]:5354
 
+# Force disable IPv6 OS connections
+resetprop net.ipv6.conf.all.accept_redirects 0
+resetprop net.ipv6.conf.all.disable_ipv6 1
+resetprop net.ipv6.conf.default.accept_redirects 0
+resetprop net.ipv6.conf.default.disable_ipv6 1

service.sh

@@ -7,7 +7,5 @@
 MODDIR=${0%/*}
 
 	while ! [ `pgrep -x dnscrypt-proxy` ] ; do
-		$MODDIR/system/bin/dnscrypt-proxy -config /data/media/0/dnscrypt-proxy/dnscrypt-proxy.toml && sleep 15;
+		$MODDIR/system/bin/dnscrypt-proxy -config /storage/emulated/0/dnscrypt-proxy/dnscrypt-proxy.toml && sleep 15;
 	done
-
-

uninstall.sh

@@ -0,0 +1,15 @@
+(
+while [ "$(getprop sys.boot_completed)" != "1" ] && [ ! -d "/storage/emulated/0/Android" ]; do
+  sleep 1
+done
+
+rm -rf /data/media/0/dnscrypt-proxy
+rm -rf /mnt/runtime/default/emulated/0/dnscrypt-proxy
+rm -rf /mnt/runtime/full/emulated/0/dnscrypt-proxy
+rm -rf /mnt/runtime/read/emulated/0/dnscrypt-proxy
+rm -rf /mnt/runtime/write/emulated/0/dnscrypt-proxy
+rm -rf /sdcard/dnscrypt-proxy
+rm -rf /storage/emulated/0/dnscrypt-proxy
+rm -rf /storage/self/primary/dnscrypt-proxy
+
+)&

update.json

@@ -0,0 +1,6 @@
+{
+    "version": "2.1.5",
+    "versionCode": 210500,
+    "zipUrl": "https://github.com/d3cim/dnscrypt-proxy-android/releases/download/2.1.5/dnscrypt-proxy-android-v2.1.5.zip",
+    "changelog": "https://raw.githubusercontent.com/d3cim/dnscrypt-proxy-android/2.1.5/CHANGELOG.md"
+}