Remove `dnscrypt.ca-*` resolvers (thank you)

https://github.com/DNSCrypt/dnscrypt-resolvers/pull/861

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,33 @@
+---
+name: 'Bug Report'
+about: Create a dnscrypt-proxy-android bug report
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '...'
+3. Scroll down to '...'
+4. See error
+
+**Expected behavior (i.e. solution)**
+A clear and concise description of what you expected to happen or what could be the solution.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Device informations:**
+- Android: `version`
+- Magisk: `version`
+- OS/Custom ROM: `e.g. stock, lineageos`
+- Browser: `e.g. stock browser, safari`
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for dnscrypt-proxy-android
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.gitignore

@@ -1 +0,0 @@
-.DS_Store

CHANGELOG.md

@@ -1,109 +1,388 @@
 # Changelog
 
+## unreleased
+### Changed
+- `dct-nl1` name resolver to `dct-nl`.
+- `dct-ru1` name resolver to `dct-ru`.
+- Optimized relays.
+
+### Removed
+- `dct-at1` resolver (ceased).
+- `dnscrypt.ca-1` resolver (ceased).
+- `dnscrypt.ca-2` resolver (ceased).
+
+## 2.1.5
+### Upstream
+ - dnscrypt-proxy can be compiled with Go 1.21.0+
+ - Responses to blocked queries now include extended error codes
+ - Reliability of connections using HTTP/3 has been improved
+ - New configuration directive: `tls_key_log_file`. When defined, this
+is the path to a file where TLS secret keys will be written to, so
+that DoH traffic can be locally inspected.
+
+### Changed
+- Optimized relays.
+
+### Removed
+- `altername` resolver (temporarily down).
+- `dct-de1` resolver (ceased).
+- `dns.watch` resolver (unresponsive).
+- `starrydns` resolver (ceased).
+
+## 2.1.4
+### Upstream
+ - Fixes a regression from version 2.1.3: when cloaking was enabled,
+blocked responses were returned for records that were not A/AAAA/PTR
+even for names that were not in the cloaked list.
+
+### Added
+- `dct-ru1` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Moscow, Russia).
+
+## 2.1.3
+### Upstream
+ - DNS-over-HTTP/3 (QUIC) should be more reliable. In particular,
+version 2.1.2 required another (non-QUIC) resolver to be present for
+bootstrapping, or the resolver's IP address to be present in the
+stamp. This is not the case any more.
+ - dnscrypt-proxy is now compatible with Go 1.20+
+ - Commands (-check, -show-certs, -list, -list-all) now ignore log
+files and directly output the result to the standard output.
+ - The `cert_ignore_timestamp` configuration switch is now documented.
+It allows ignoring timestamps for DNSCrypt certificate verification,
+until a first server is available. This should only be used on devices
+that don't have any ways to set the clock before DNS service is up.
+However, a safer alternative remains to use an NTP server with a fixed
+IP address (such as time.google.com), configured in the captive portals
+file.
+ - Cloaking: when a name is cloaked, unsupported record types now
+return a blocked response rather than the actual records.
+ - systemd: report Ready earlier as dnscrypt-proxy can itself manage
+retries for updates/refreshes.
+
+### Added
+- Script in `customize.sh` file for automatically disable Private DNS feature.
+- `dct-nl1` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Naaldwijk, Netherlands).
+- `openinternet` resolver (DNSCrypt resolver colocated at Sonic.net in Santa Rosa, CA in the United States. No log, no filter, DNSSEC. Provided by https://openinternet.io).
+
+### Changed
+- Optimized relays.
+
+### Removed
+- `acsacsar-ams-ipv4` resolver (unresponsive).
+- `dct-ru1` resolver (unresponsive).
+- `dnscrypt.eu-nl` resolver (ceased).
+- `dotya.ml` resolver (unresponsive).
+- `resolver4.dns.openinternet.io` resolver (changed).
+- `sgp-dn53` resolver (unresponsive).
+
+### Fixed
+- Show the correct changelog version in Magisk app.
+
+## 2.1.2.4
+### Added
+- Automatic redirections in `post-fs-data.sh` file.
+
+### Changed
+- Use a more modern [DNS.SB](https://dns.sb/) as `bootstrap_resolvers`.
+
+## 2.1.2.3
+### Changed
+- Use [DNS.SB](https://dns.sb/) as `bootstrap_resolvers`.
+- Use [DNS.SB](https://dns.sb/) as `netprobe_address`.
+
+### Removed
+- Automatic redirections in `post-fs-data.sh` file.
+
+## 2.1.2.2
+### Fixed
+- Forgotten scripts in `post-fs-data` file (it prevent using bootstrap resolvers correctly).
+
+## 2.1.2.1
+### Added
+- `dct-at1` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Vienna, Austria).
+- `dct-de1` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Düsseldorf, Germany).
+- `dct-ru1` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Moscow, Russia).
+- `dnswarden-uncensor-dc-swiss` resolver (Hosted in Switzerland. For more information look [here](https://github.com/bhanupratapys/dnswarden) or [here](https://dnswarden.com)).
+- `dotya.ml` resolver (Free, uncensored, DNSSEC-validated, non-logging DNSCrypt server hosted in Nuremberg, Germany on Contabo servers. Operated by dotya.ml, configs live [here](https://git.dotya.ml/dotya.ml/dnscrypt-server)).
+- `sby-limotelu` resolver (non-censoring, non-logging, DNSSEC-capable Hosted in Surabaya, Indonesia (Dnscrypt) https://limotelu.org maintained by [poentodewo](https://github.com/poentodewo)).
+- `sgp-dn53` resolver (non-censoring, non-logging, DNSSEC-capable Hosted in Singapore (Dnscrypt) https://limotelu.org maintained by [poentodewo](https://github.com/poentodewo)).
+- `starrydns` resolver (DNSCrypt server in Singapore, no filter, no logs, DNSSEC support).
+
+### Changed
+- Optimized relays.
+- Use [dns.watch](https://dns.watch/) `resolver1` and `resolver2` as `bootstrap_resolvers`.
+- Use [dns.watch](https://dns.watch/) `resolver1` as `netprobe_address`.
+
+### Removed
+- `breddns` resolver (unresponsive).
+- `dnswarden-uncensor-fr1-dc` resolver (changed).
+- `dnswarden-uncensor-ind1-dc` resolver (changed).
+- `dnswarden-uncensor-sg1-dc` resolver (changed).
+- `dnswarden-uncensor-us1-dc` resolver (changed).
+- `moulticast-fr-ipv4` resolver (unresponsive).
+- `moulticast-sg-ipv4` resolver (unresponsive).
+- `moulticast-uk-ipv4` resolver (unresponsive).
+- `pwoss.org-dnscrypt` resolver (unresponsive).
+
+## 2.1.2
+### Upstream
+- Support for DoH over HTTP/3 (DoH3, HTTP over QUIC) has been added.
+Compatible servers will automatically use it. Note that QUIC uses UDP
+(usually over port 443, like DNSCrypt) instead of TCP.
+- In previous versions, memory usage kept growing due to channels not
+being properly closed, causing goroutines to pile up. This was fixed,
+resulting in an important reduction of memory usage. Thanks to
+@lifenjoiner for investigating and fixing this!
+- DNS64: `CNAME` records are now translated like other responses.
+Thanks to @ignoramous for this!
+- A relay whose name has been configured, but doesn't exist in the
+list of available relays is now a hard error. Thanks to @lifenjoiner!
+- Mutexes/locking: bug fixes and improvements, by @ignoramous
+- Official packages now include linux/riscv64 builds.
+- `dnscrypt-proxy -resolve` now reports if ECS (EDNS-clientsubnet) is
+supported by the server.
+- `dnscrypt-proxy -list` now includes ODoH (Oblivious DoH) servers.
+- Local DoH: queries made using the `GET` method are now handled.
+- The service can now be installed on OpenRC-based systems.
+- `PTR` queries are now supported for cloaked domains. Contributed by
+Ian Bashford, thanks!
+
+### Added
+- Scripts in `post-fs-data.sh` file for force disable IPv6 connections at OS level, preventing possible leaks.
+- `breddns` resolver (Non-logging DNSCrypt server located in Luxembourg, operated by @tmclo).
+- `dnswarden-uncensor-fr1-dc` resolver (Hosted in France. For more information look [here](https://github.com/bhanupratapys/dnswarden) or [here](https://dnswarden.com)).
+- `dnswarden-uncensor-ind1-dc` resolver (Hosted in India. For more information look [here](https://github.com/bhanupratapys/dnswarden) or [here](https://dnswarden.com)).
+- `dnswarden-uncensor-sg1-dc` resolver (Hosted in Singapore. For more information look [here](https://github.com/bhanupratapys/dnswarden) or [here](https://dnswarden.com)).
+- `dnswarden-uncensor-us1-dc` resolver (Hosted in USA (Dallas). For more information look [here](https://github.com/bhanupratapys/dnswarden) or [here](https://dnswarden.com)).
+
+### Changed
+- Adjusted `versionCode` in `module.prop` file (more easy share beta and manage minor dnscrypt-proxy versions with two digits).
+- Optimized relays.
+
+### Removed
+- `dnswarden-asia-uncensor-dcv4` resolver (changed).
+- `dnswarden-eu-uncensor-dcv4` resolver (changed).
+- `dnswarden-us-uncensor-dcv4` resolver (changed).
+
+## 2.1.1-3
+### Added
+- `plan9dns-fl` resolver (Miami Florida, US No-logs, no-filters, DNSSEC -info https://jlongua.github.io/plan9-dns).
+- `plan9dns-mx` resolver (Mexico City, Mexico No-logs, no-filters, DNSSEC -info https://jlongua.github.io/plan9-dns).
+- `plan9dns-nj` resolver (Piscataway New Jersey, US No-logs, no-filters, DNSSEC -info https://jlongua.github.io/plan9-dnsPiscataway).
+- `techsaviours.org-dnscrypt` resolver (No filter | No logs | DNSSEC | Nuremberg, Germany (netcup) | Maintained by https://techsaviours.org/).
+
+### Changed
+- Optimized relays.
+
+### Fixed
+- Changelog display issues in Magisk app.
+
+### Removed
+- `bcn-dnscrypt` resolver (ceased).
+- `dns.digitalsize.net` resolver (DoH).
+- `dct-at1` resolver (temporarily down).
+- `dct-de1` resolver (temporarily down).
+- `dct-ru1` resolver (temporarily down).
+- `gombadi-syd` resolver (ceased).
+- `moulticast-ca-ipv4` resolver (unresponsive).
+- `moulticast-de-ipv4` resolver (unresponsive).
+- `plan9-ns1` resolver (changed).
+- `plan9-ns2` resolver (changed).
+
+## 2.1.1-2
+### Fixed
+- Random connection issues under mobile data. (see [DNSCrypt/dnscrypt-proxy/discussions/2020](https://github.com/DNSCrypt/dnscrypt-proxy/discussions/2020))
+
+### Removed
+- `dct-ru2` resolver (ceased).
+- `pf-dnscrypt` resolver (unresponsive).
+- `zackptg5-us-il-ipv4` resolver (ceased).
+
+## 2.1.1-1
+### Added
+- `uninstall.sh` file for `dnscrypt-proxy` folder removal after module uninstallation (Android 7 and below at the moment).
+- `update.json` file for enable the new auto-update feature from `Magisk v24+`.
+- `dct-at1` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Vienna, Austria).
+- `dct-de1` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Düsseldorf, Germany).
+- `dns.digitalsize.net` resolver (A public, non-tracking, non-filtering DNS resolver with DNSSEC enabled and hosted in Germany (https://dns.digitalsize.net)).
+- `dnswarden-asia-uncensor-dcv4` resolver (dnscrypt-server. No logging, No filtering, support DNSSEC, located in Singapore. by Bhanu Pratap).
+- `dnswarden-eu-uncensor-dcv4` resolver (dnscrypt-server. No logging, No filtering, support DNSSEC, located in Germany. by Bhanu Pratap).
+- `dnswarden-us-uncensor-dcv4` resolver (dnscrypt-server. No logging, No filtering, support DNSSEC, located in USA (Dallas). by Bhanu Pratap).
+
+### Changed
+- Project migrated to GitHub.
+- Optimized relays.
+
+### Removed
+- `zackptg5-us-pit-ipv4` resolver (unresponsive).
+
+## 2.1.1
+### Upstream
+This is a bugfix only release, addressing regressions introduced in
+version 2.1.0:
+- When using DoH, cached responses were not served any more when
+experiencing connectivity issues. This has been fixed.
+- Time attributes in allow/block lists were ignored. This has been
+fixed.
+- The TTL as served to clients is now rounded and starts decreasing
+before the first query is received.
+- Time-based rules are properly handled again in
+generate-domains-blocklist.
+- DoH/ODoH: entries with an IP address and using a non-standard port
+used to require help from a bootstrap resolver. This is not the case
+any more.
+
+### Changed
+- Optimized relays.
+
+### Removed
+- `dama.no-osl-s04` resolver (unresponsive).
+- `dama.no-sa-a80` resolver (unresponsive).
+- `kenshiro` resolver (unresponsive, no more lucenera resolvers).
+- `suami` resolver (unresponsive, no more lucenera resolvers).
+
+## 2.1.0
+### Upstream
+- `dnscrypt-proxy` now includes support for Oblivious DoH.
+- If the proxy is overloaded, cached and synthetic queries now keep being
+served, while non-cached queries are delayed.
+- A deprecation warning was for `fallback_resolvers`.
+- Source URLs are now randomized.
+- On some platforms, redirecting the application log to a file was not
+compatible with user switching; this has been fixed.
+- `fallback_resolvers` was renamed to `bootstrap_resolvers` for
+clarity. Please update your configuration file accordingly.
+
+### Added
+- DNS Rebind Protection with `blocked-ips.txt` file enabled by default.
+- UncensoredDNS (Unicast) in addition to UncensoredDNS (Anycast) as `bootstrap_resolvers`.
+- `ams-dnscrypt-nl` resolver (Resolver in Amsterdam. Dnscrypt protocol. Non-logging, non-filtering, DNSSEC).
+- `altername` resolver (Protocol: DNSCrypt IPv4 | Features: Non-logging, Non-filtering, DNSSEC, EmerDNS | Location: Moscow, Russia).
+- `dama.no-osl-s04` resolver (DNSCrypt server located in Oslo/Norway. Link-speed 100 Mbit/s. Non-censoring, non-logging, DNSSEC-capable).
+- `dama.no-sa-a80` resolver (DNSCrypt Server located in Sandefjord/Norway. non-censoring, non-logging, DNSSEC-capable).
+- `dct-ru1` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Saint Petersburg, Russia).
+- `dct-ru2` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Moscow, Russia).
+- `dns.watch` resolver (Free, uncensored, non-logging server in Germany. https://dns.watch).
+- `gombadi-syd` resolver (Protocol: DNSCrypt IPv4 | Features: Non-logging, Non-filtering, DNSSEC, Unbound | Location: Sydney, AU).
+- `kenshiro` resolver (dnscrypt-server. No logging, No filtering, support DNSSEC, located in Amsterdam. by lucenera).
+- `pf-dnscrypt` resolver (by post-factum | Zürich, Switzerland | Non-logging | Non-filtering | DNSSEC | https://dns.post-factum.tk).
+- `plan9-ns2` resolver (DNSCrypt server in Florida, USA. Non-logging, non-filtering, DNSSEC, anonymized. info - https://jlongua.github.io/plan9-dns/).
+- `pryv8boi` resolver (By pryv8, non Logging, uncensored, DNSSEC - hosted on contabo servers).
+- `resolver4.dns.openinternet.io` resolver (DNSCrypt resolver on dedicated hardware, colocated at Sonic.net in Santa Rosa, CA in the United States. No log, no filter, DNSSEC. Uses Sonic's recusrive DNS servers as upstream resolvers (but is not affiliated with Sonic in any way). Provided by https://openinternet.io).
+- `suami` resolver (dnscrypt-server. No logging, No filtering, support DNSSEC, located in Frankfurt. by lucenera).
+- `zackptg5-us-il-ipv4` resolver (DNSSEC/unfiltered/non-logged. Hosted on Vultr in Chicago, IL. Running the official Docker image by @zackptg5).
+- `zackptg5-us-pit-ipv4` resolver (DNSSEC/unfiltered/non-logged. Hosted on TeraSwitch in Pittsburgh, PA. Running the official Docker image by @zackptg5).
+
+### Changed
+- The path of the config. files from `/data/media/0/dnscrypt-proxy` to `/storage/emulated/0/dnscrypt-proxy` (fix for log issues on `A11+` and an issue on `A6-` where the config. files could not be modified).
+- Set `dnscrypt-proxy.log` level from `2` to `0` (but keep it disabled by default).
+- Optimized relays.
+
+### Removed
+- `dama.no-osl-s04` resolver (unresponsive).
+- `dama.no-sa-a80` resolver (unresponsive).
+- `kenshiro` resolver (unresponsive, no more lucenera resolvers).
+- `suami` resolver (unresponsive, no more lucenera resolvers).
 
 ## 2.0.45
-
-##### Updated binary files to 2.0.45 | jedisct1
- - Configuration changes (to be required in versions 2.1.x):
-   * `[blacklist]` has been renamed to `[blocked_names]`
-   * `[ip_blacklist]` has been renamed to `[blocked_ips]`
-   * `[whitelist]` has been renamed to `[allowed_names]`
-   * `generate-domains-blacklist.py` has been renamed to
-     `generate-domains-blocklist.py`, and the configuration files have been
-     renamed as well.
- - `dnscrypt-proxy -resolve` has been completely revamped, and now requires
+### Upstream
+- Configuration changes (to be required in versions 2.1.x):
+  * `[blacklist]` has been renamed to `[blocked_names]`
+  * `[ip_blacklist]` has been renamed to `[blocked_ips]`
+  * `[whitelist]` has been renamed to `[allowed_names]`
+  * `generate-domains-blacklist.py` has been renamed to
+    `generate-domains-blocklist.py`, and the configuration files have been
+    renamed as well.
+- `dnscrypt-proxy -resolve` has been completely revamped, and now requires
 the configuration file to be accessible. It will send a query to an IP address
 of the `dnscrypt-proxy` server by default. Sending queries to arbitrary
 servers is also supported with the new `-resolve name,address` syntax.
- - Relay lists can be set to `*` for automatic relay selection. When a wildcard
+- Relay lists can be set to `*` for automatic relay selection. When a wildcard
 is used, either for the list of servers or relays, the proxy ensures that
 relays and servers are on distinct networks.
- - Lying resolvers are detected and reported.
- - New return code: `NOT_READY` for queries received before the proxy has
+- Lying resolvers are detected and reported.
+- New return code: `NOT_READY` for queries received before the proxy has
 been initialized.
- - Server lists can't be older than a week any more, even if directory
+- Server lists can't be older than a week any more, even if directory
 permissions are incorrect and cache files cannot be written.
- - macOS/arm64 is now officially supported.
- - New feature: `allowed_ips`, to configure a set of IP addresses to
+- macOS/arm64 is now officially supported.
+- New feature: `allowed_ips`, to configure a set of IP addresses to
 never block no matter what DNS name resolves to them.
- - Hard-coded IP addresses can be immediately returned for test queries
+- Hard-coded IP addresses can be immediately returned for test queries
 sent by operating systems in order to check for connectivity and captive
 portals. Such responses can be sent even before an interface is considered
 as enabled by the operating system. This can be configured in a new section
 called `[captive_portals]`.
- - On Linux, OpenBSD and FreeBSD, `listen_addresses` can now include IP
+- On Linux, OpenBSD and FreeBSD, `listen_addresses` can now include IP
 addresses that haven't been assigned to an interface yet.
- - The logo has been tweaked to look fine on a dark background.
- - `generate-domains-blocklist.py`: regular expressions are now ignored in
+- The logo has been tweaked to look fine on a dark background.
+- `generate-domains-blocklist.py`: regular expressions are now ignored in
 time-based entries.
- - Minor bug fixes and logging improvements.
- - Cloaking plugin: if an entry has multiple IP addresses for a type,
+- Minor bug fixes and logging improvements.
+- Cloaking plugin: if an entry has multiple IP addresses for a type,
 all the IP addresses are now returned instead of a random one.
- - Static entries can now include DNSCrypt relays.
- - Name blocking: aliases relying on `SVCB` and `HTTPS` records can now
+- Static entries can now include DNSCrypt relays.
+- Name blocking: aliases relying on `SVCB` and `HTTPS` records can now
 be blocked in addition to aliases via regular `CNAME` records.
- - EDNS-Client-Subnet information can be added to outgoing queries.
+- EDNS-Client-Subnet information can be added to outgoing queries.
 Instead of sending the actual client IP, ECS information is user
 configurable, and IP addresses will be randomly chosen for every query.
- - Initial DoH queries are now checked using random names in order to
+- Initial DoH queries are now checked using random names in order to
 properly measure CDNs such as Tencent that ignore the padding.
- - DoH: the `max-stale` cache control directive is now present in queries.
- - Logs can now be sent to `/dev/stdout` instead of actual files.
- - User switching is now supported on macOS.
- - New download mirror (https://download.dnscrypt.net) for resolvers,
+- DoH: the `max-stale` cache control directive is now present in queries.
+- Logs can now be sent to `/dev/stdout` instead of actual files.
+- User switching is now supported on macOS.
+- New download mirror (https://download.dnscrypt.net) for resolvers,
 relays and parental-control.
 
-##### Updated module files to 2.0.45 | quindecim
-- Enabled `allowed-ips.txt` and `blocked-ips.txt` files (as placeholder).
-- Added `acsacsar-ams-ipv4` resolver (Public non-censoring, non-logging, DNSSEC-capable, DNSCrypt-enabled DNS resolver hosted on Scaleway by [acsacsar](https://nitter.net/acsacsar)).
-- Added `arvind-io` resolver (Public resolver by EnKrypt (https://arvind.io). Hosted in Bangalore, India. Non-logging, non-filtering, supports DNSSEC.).
-- Added `bcn-dnscrypt` resolver (Resolver in Barcelona, Spain. DNSCrypt protocol. Non-logging, non-filtering, DNSSEC.).
-- Added `d0wn-tz-ns1` resolver (Server provided by Martin 'd0wn' Albus) Hosted by Aptus Solutions Ltd. in Tanzania.
-- Added `dnscrypt.be` resolver (Resolver in Leuven, Belgium (UCLL Campus Proximus). Non-logging/DNSSEC/Uncensored. https://dnscrypt.be
-Maintained by Sigfried (https://sigfried.be) hosted by ISW Leuven (https://iswleuven.be)).
-- Added `dnscrypt.ca-1` resolver (Free, Canadian, uncensored, no-logs, encrypted, and DNSSEC validated. DNS service for your pleasure.).
-- Added `dnscrypt.ca-2` resolver (Free, Canadian, uncensored, no-logs, encrypted, and DNSSEC validated. DNS service for your pleasure.).
-- Added `dnscrypt.one` resolver (Non-logging, non-censoring, DNSSEC-capable DNSCrypt resolver hosted in Germany (Nuremberg), https://dnscrypt.one).
-- Added `dnscrypt.pl` resolver (Free | No filtering | Zero logs | DNSSEC | Poland | https://dnscrypt.pl/).
-- Added `ev-canada` resolver (Non-logging, uncensored DNS resolver provided by evilvibes.com Location: Vancouver, Canada).
-- Added `freetsa.org-ipv4` resolver (Non-logged/Uncensored provided by www.freetsa.org. Support for DNS and DNS-over-TLS (DoT)).
-- Added `jp.tiar.app` resolver (Non-Logging, Non-Filtering DNSCrypt server in Japan. No ECS, Support DNSSEC).
-- Added `moulticast-ca-ipv4` resolver (Public | Non-filtering | Non-logging | DNSSEC aware | Hosted in Canada | Operated by @herver (Github) | https://moulticast.net/dnscrypt/).
-- Added `moulticast-de-ipv4` resolver (Public | Non-filtering | Non-logging | DNSSEC aware | Hosted in Germany | Operated by @herver (Github) | https://moulticast.net/dnscrypt/).
-- Added `moulticast-fr-ipv4` resolver (Public | Non-filtering | Non-logging | DNSSEC aware | Hosted in France | Operated by @herver (Github) | https://moulticast.net/dnscrypt/).
-- Added `moulticast-sg-ipv4` resolver (Public | Non-filtering | Non-logging | DNSSEC aware | Hosted in Singapore | Operated by @herver (Github) | https://moulticast.net/dnscrypt/).
-- Added `moulticast-uk-ipv4` resolver (Public | Non-filtering | Non-logging | DNSSEC aware | Hosted in UK | Operated by @herver (Github) | https://moulticast.net/dnscrypt/).
-- Added `plan9-dns` resolver (Resolver in New Jersey, USA. DNSCrypt protocol. Non-logging, non-filtering, DNSSEC, anonymized. Running the official Docker image on Vultr by @jlongua1).
-- Added `pwoss.org-dnscrypt` resolver (No filter | No logs | DNSSEC | Nuremberg, Germany (netcup) | Maintained by https://pwoss.org/ (Dan)).
-- Added `sarpel-dns-istanbul` resolver (No-filter | No-logs | Uncensored | Hosted in Istanbul(Turkey) on Cloudeos).
-- Added `serbica` resolver (Public DNSCrypt server in the Netherlands by https://litepay.ch).
-- Added `ventricle.us` resolver (Public DNSCrypt resolver provided by Jacob Henner. Hosted by Digital Ocean, New York).
-- Added and optimized relays based on geolocation.
-- Removed [Applied Privacy DNS](https://applied-privacy.net/privacy-policy/) and [NixNet DNS](https://nixnet.xyz/dns/) as fallback resolvers.
-- Disabled `direct_cert_fallback` option to prevent direct connections through the resolvers for failed certificate retrieved via relay.
-- Require `Magisk 20.4+` from now on.
-- Stop to drop `IPv6` queries script in `post-fs-data.sh` file.
+### Added
+- `allowed-ips.txt` and `blocked-ips.txt` files (as placeholder).
 - Cleanup unneeded binary files after the installation.
+- `acsacsar-ams-ipv4` resolver (Public non-censoring, non-logging, DNSSEC-capable, DNSCrypt-enabled DNS resolver hosted on Scaleway by [acsacsar](https://nitter.net/acsacsar)).
+- `arvind-io` resolver (Public resolver by EnKrypt (https://arvind.io). Hosted in Bangalore, India. Non-logging, non-filtering, supports DNSSEC).
+- `bcn-dnscrypt` resolver (Resolver in Barcelona, Spain. DNSCrypt protocol. Non-logging, non-filtering, DNSSEC).
+- `d0wn-tz-ns1` resolver (Server provided by Martin 'd0wn' Albus) Hosted by Aptus Solutions Ltd. in Tanzania.
+- `dnscrypt.be` resolver (Resolver in Leuven, Belgium (UCLL Campus Proximus). Non-logging/DNSSEC/Uncensored. https://dnscrypt.be
+Maintained by Sigfried (https://sigfried.be) hosted by ISW Leuven (https://iswleuven.be)).
+- `dnscrypt.ca-1` resolver (Free, Canadian, uncensored, no-logs, encrypted, and DNSSEC validated. DNS service for your pleasure).
+- `dnscrypt.ca-2` resolver (Free, Canadian, uncensored, no-logs, encrypted, and DNSSEC validated. DNS service for your pleasure).
+- `dnscrypt.one` resolver (Non-logging, non-censoring, DNSSEC-capable DNSCrypt resolver hosted in Germany (Nuremberg), https://dnscrypt.one).
+- `dnscrypt.pl` resolver (Free | No filtering | Zero logs | DNSSEC | Poland | https://dnscrypt.pl/).
+- `ev-canada` resolver (Non-logging, uncensored DNS resolver provided by evilvibes.com Location: Vancouver, Canada).
+- `freetsa.org-ipv4` resolver (Non-logged/Uncensored provided by www.freetsa.org. Support for DNS and DNS-over-TLS (DoT)).
+- `jp.tiar.app` resolver (Non-Logging, Non-Filtering DNSCrypt server in Japan. No ECS, Support DNSSEC).
+- `moulticast-ca-ipv4` resolver (Public | Non-filtering | Non-logging | DNSSEC aware | Hosted in Canada | Operated by @herver (Github) | https://moulticast.net/dnscrypt/).
+- `moulticast-de-ipv4` resolver (Public | Non-filtering | Non-logging | DNSSEC aware | Hosted in Germany | Operated by @herver (Github) | https://moulticast.net/dnscrypt/).
+- `moulticast-fr-ipv4` resolver (Public | Non-filtering | Non-logging | DNSSEC aware | Hosted in France | Operated by @herver (Github) | https://moulticast.net/dnscrypt/).
+- `moulticast-sg-ipv4` resolver (Public | Non-filtering | Non-logging | DNSSEC aware | Hosted in Singapore | Operated by @herver (Github) | https://moulticast.net/dnscrypt/).
+- `moulticast-uk-ipv4` resolver (Public | Non-filtering | Non-logging | DNSSEC aware | Hosted in UK | Operated by @herver (Github) | https://moulticast.net/dnscrypt/).
+- `plan9-ns1` resolver (Resolver in New Jersey, USA. DNSCrypt protocol. Non-logging, non-filtering, DNSSEC, anonymized. Running the official Docker image on Vultr by @jlongua1).
+- `pwoss.org-dnscrypt` resolver (No filter | No logs | DNSSEC | Nuremberg, Germany (netcup) | Maintained by https://pwoss.org/ (Dan)).
+- `sarpel-dns-istanbul` resolver (No-filter | No-logs | Uncensored | Hosted in Istanbul(Turkey) on Cloudeos).
+- `serbica` resolver (Public DNSCrypt server in the Netherlands by https://litepay.ch).
+- `ventricle.us` resolver (Public DNSCrypt resolver provided by Jacob Henner. Hosted by Digital Ocean, New York).
+
+### Changed
+- `Magisk 20.4+` required.
+- Disabled `direct_cert_fallback` option to prevent direct connections through the resolvers for failed certificate retrieved via relay.
 - Reduced the max. query waiting time from `1500` to `1000` ms.
 - Renamed `blacklist.txt` into `blocked-names.txt`.
 - Renamed `whitelist.txt` into `allowed-names.txt`.
+- Optimized relays.
 
+### Removed
+- [Applied Privacy DNS](https://applied-privacy.net/privacy-policy/) and [NixNet DNS](https://nixnet.xyz/dns/) as fallback resolvers.
+- `DROP` IPv6 queries script in `post-fs-data.sh` file.
 
 ## 2.0.44
-
-##### Updated binary files to 2.0.44 | jedisct1
+### Upstream
 - More updates to the set of block lists, thanks again to IceCodeNew.
 - Netprobes and listening sockets are now ignored when the `-list`, `-list-all`, `-show-certs` or `-check` command-line switches are used.
 - `tls_client_auth` was renamed to `doh_client_x509_auth`. A section with the previous name is temporarily ignored if empty, but will error out if not.
 - Unit tests are now working on 32-bit systems. Thanks to Will Elwood and @lifenjoiner.
 
-##### Updated module files to 2.0.44 | quindecim
-- 
-
-
 ## 2.0.43
-
-##### Updated binary files to 2.0.43 | jedisct1
+### Upstream
 - Built-in support for DNS64 translation has been implemented. (Contributed by Sergey Smirnov, thanks!)
 - Connections to DoH servers can be authenticated using TLS client certificates (Contributed by Kevin O'Sullivan, thanks!)
 - Multiple stamps are now allowed for a single server in resolvers and relays lists.
@@ -121,49 +400,38 @@ forced to use TCP.
 - Service installation is now supported on FreeBSD.
 - When stored into a file, service logs now only contain data from the most recent launch. This can be changed with the new `log_file_latest` option.
 
-##### Updated module files to 2.0.43 | quindecim
-- Added `Applied Privacy DNS` and `NixNet DNS` as additional fallback resolvers.
-- Required `Magisk 20+` from now on.
+### Added
+- [Applied Privacy DNS](https://applied-privacy.net/privacy-policy/) and [NixNet DNS](https://nixnet.xyz/dns/) as fallback resolvers.
 
+### Changed
+- `Magisk 20+` required.
 
 ## 2.0.42-3
-
-##### Updated binary files to 2.0.42 | jedisct1
-- 
-
-##### Updated module files to 2.0.42-3 | quindecim
-- Disabled properly `IPv6` queries in `post-fs-data.sh` file (no more DNS leaks this time)
-
+### Added
+- `DROP` properly IPv6 queries in `post-fs-data.sh` file (no more DNS leaks this time).
 
 ## 2.0.42-2
-
-##### Updated binary files to 2.0.42 | jedisct1
-- 
-
-##### Updated module files to 2.0.42-2 | quindecim
-- Disabled every `IPv6` queries in `post-fs-data.sh` file: `INPUT`, `FORWARD` and `OUTPUT` (to enforce leaks prevention in some cases).
-
+### Added
+- 2nd attempt to `DROP` IPv6 queries in `post-fs-data.sh` file.
 
 ## 2.0.42-1
+### Added
+- 1st attempt to `DROP` IPv6 queries in `post-fs-data.sh` file.
+- `whitelist.txt` file (as placeholder, once the blacklist goes public).
+- `meganerd` resolver (Non-logging, non-filtering, supports DNSSEC by MegaNerd.nl).
 
-##### Updated binary files to 2.0.42 | jedisct1
-- 
-
-##### Updated module files to 2.0.42-1 | quindecim
-- Added `meganerd` resolver (Non-logging, non-filtering, supports DNSSEC by MegaNerd.nl).
-- Enabled `whitelist.txt` file (as placeholder, once the blacklist goes public).
-- Optimized relays based on geolocation.
-- Disabled `IPv6` in `post-fs-data.sh` file (to enforce leaks prevention in some cases).
-- Removed `dnscrypt.nl-ns0` resolver and related relays.
-- Removed `dnscrypt.one` resolver and related relays.
-- Removed `ffmuc.net` resolver and related relays.
-- Removed `publicarray-au2` resolver and related relays.
+### Changed
 - Moved all the example documents into `dnscrypt-proxy/example-docs` folder (the remaining example documents must be deleted manually).
+- Optimized relays.
 
+### Removed
+- `dnscrypt.nl-ns0` resolver.
+- `dnscrypt.one` resolver.
+- `ffmuc.net` resolver.
+- `publicarray-au2` resolver.
 
 ## 2.0.42
-
-##### Updated binary files to 2.0.42 | jedisct1
+### Upstream
 - The current versions of the `dnsdist` load balancer (presumably used
 by quad9, cleanbrowsing, qualityology, freetsa.org, ffmuc.net,
 opennic-bongobow, sth-dnscrypt-se, ams-dnscrypt-nl and more)
@@ -179,13 +447,11 @@ using them without a relay.
 more retries if necessary.
 - Continuous integration has been moved to GitHub Actions.
 
-##### Updated module files to 2.0.42 | quindecim
-- Enabled `skip_incompatible` option to ignore servers incompatible with anonymization
-
+### Added
+- Set `skip_incompatible` option from `false` to `true` to ignore servers incompatible with anonymization.
 
 ## 2.0.41
-
-##### Updated binary files to 2.0.41 | jedisct1
+### Upstream
 - Precompiled binaries for armv5, armv6 and armv7 are available.
 The default arm builds were not compatible with older CPUs when
 compiled with Go 1.14. mips64 binaries are explicitly compiled with
@@ -196,13 +462,8 @@ resolvers; runtime detection of support for fragments should now do
 the job.
 - Runtime detection of support for fragments was actually enabled.
 
-##### Updated module files to 2.0.41 | quindecim
-- 
-
-
 ## 2.0.40
-
-##### Updated binary files to 2.0.40 | jedisct1
+### Upstream
 - Servers blocking fragmented queries are now automatically detected.
 - The server name is now only present in query logs when an actual upstream servers was required to resolve a query.
 - TLS client authentication has been added for DoH.
@@ -210,47 +471,26 @@ the job.
 - DoH RTT computation is now more accurate, especially when CDNs are in the middle.
 - The forwarding plugin is now more reliable, and handles retries over TCP.
 
-##### Updated module files to 2.0.40 | quindecim
-- 
-
-
 ## 2.0.39-2
-
-##### Updated binary files to 2.0.39 | jedisct1
-- 
-
-##### Updated module files to 2.0.39-2 | quindecim
-- Removed `blacklist.txt` file *(too many false positives, will be added back in the future, when it reaches a more stable level)*.
-
+### Removed
+- `blacklist.txt` file (too many false positives, will be added back in the future, when it reaches a more stable level).
 
 ## 2.0.39-1
+### Added
+- Automatic redirection in `post-fs-data.sh` file. (no more 3rd-party apps are required to start the service).
+- Substrings and wildcards into `blacklist.txt` file and updated to `2020.03.19`.
 
-##### Updated binary files to 2.0.39 | jedisct1
-- 
-
-##### Updated module files to 2.0.39-1 | quindecim
-- Implemented automatic redirection. No more third-party apps are required to start it.
-- Introduced substrings and wildcards into `blacklist.txt` file and updated to `2020-03-19`.
-- Removed `ibksturm` resolver and related relays.
-- Removed `dnswarden-dc1`, `dnswarden-dc2`, `dnswarden-dc3`, resolvers and related relays.
-
+### Removed
+- `ibksturm` resolver.
+- `dnswarden-dc1`, `dnswarden-dc2`, `dnswarden-dc3`, resolvers.
 
 ## 2.0.39
-
-##### Updated binary files to 2.0.39 | jedisct1
+### Upstream
 - The Firefox Local DoH service didn't properly work in version 2.0.38; 
 this has been fixed. Thanks to Simon Brand for the report!
 
-##### Updated module files to 2.0.39 | quindecim
-- Added `dnswarden-dc3` (DnsCrypt protocol . Non-logging, supports DNSSEC. By https://dnswarden.com).
-- Updated `Magisk Module Installer template`. It require `Magisk 19+` from now on.
-- Fixed an issue where `dnscrypt-proxy` doesn't detect the config file.
-- Updated `blacklist.txt` to `2020-01-30`.
-
-
 ## 2.0.38
-
-##### Updated binary files to 2.0.38 | jedisct1
+### Upstream
 - Entries from lists (forwarding, blacklists, whitelists) now support
 inline comments.
 - Reliability improvement: queries over UDP are retried after a timeout
@@ -267,16 +507,18 @@ stored separately from the application.
 built using `Go 1.13.7` that fixes a TLS certificate parsing issue present in
 previous versions of the compiler.
 
-##### Updated module files to 2.0.38 | quindecim
-- Added `dnswarden-dc3` (DnsCrypt protocol . Non-logging, supports DNSSEC. By https://dnswarden.com).
-- Updated `Magisk Module Installer template`. It require `Magisk 19+` from now on.
-- Fixed an issue where `dnscrypt-proxy` doesn't detect the config file.
-- Updated `blacklist.txt` to `2020-01-30`.
+### Added
+- `dnswarden-dc3` (DnsCrypt protocol . Non-logging, supports DNSSEC. By https://dnswarden.com).
 
+### Changed
+- `Magisk 19+` required.
+- Updated `blacklist.txt` to `2020.01.30`.
+
+### Fixed
+- `dnscrypt-proxy` service doesn't detect the config file.
 
 ## 2.0.36
-
-##### Updated binary files to 2.0.36 | jedisct1
+### Upstream
 - New option: `block_undelegated`. When enabled, `dnscrypt-proxy` will
 directly respond to queries for locally-served zones (https://sk.tl/2QqB971U)
 and nonexistent zones that should have been kept local, but are frequently
@@ -287,15 +529,15 @@ set in a question, and the `AD` bit is cleared.
 security issue affecting non-encrypted/non-authenticated DNS traffic. In
 `dnscrypt-proxy`, this only affects the forwarding feature.
 
-##### Updated module files to 2.0.36 | quindecim
-- Added `dnscrypt.one` resolver (DNSSEC / no logs / uncensored, Germany (Nuremberg), https://dnscrypt.one/)
-- Optimized relays based on geolocation
-- Updated `blacklist.txt` to `2019-12-22`
+### Added
+- `dnscrypt.one` resolver (DNSSEC / no logs / uncensored, Germany (Nuremberg), https://dnscrypt.one/).
 
+### Changed
+- Updated `blacklist.txt` to `2019.12.22`.
+- Optimized relays.
 
 ## 2.0.35
-
-##### Updated binary files to 2.0.35 | jedisct1
+### Upstream
 - New option: `block_unqualified` to block `A`/`AAAA` queries with
 unqualified host names. These will very rarely get an answer from upstream
 resolvers, but can leak private information to these, as well as to root
@@ -305,36 +547,37 @@ along with the pointer. This makes it easier to know what the original
 query name, so it can be whitelisted, or what the pointer was, so it
 can be removed from the blacklist.
 
-##### Updated module files to 2.0.35 | quindecim
-- Added `scaleway-ams` resolver (DNSSEC/Non-logged/Uncensored in Amsterdam- ARM server donated by Scaleway.com)
-Maintained by Frank Denis- https://fr.dnscrypt.info)
-- Added `ffmuc.net` resolver
-(An open DNSCrypt resolver operated by Freifunk Munich with nodes in DE.
-https://ffmuc.net/)
-- Fixed backup an existing `.toml` file before proceed with the installation
-- Optimized relays based on geolocation
-- Updated `blacklist.txt` to `2019-12-09`
+### Added
+- `scaleway-ams` resolver (DNSSEC/Non-logged/Uncensored in Amsterdam- ARM server donated by Scaleway.com) Maintained by Frank Denis- https://fr.dnscrypt.info).
+- `ffmuc.net` resolver (An open DNSCrypt resolver operated by Freifunk Munich with nodes in DE. https://ffmuc.net/).
 
+### Changed
+- Updated `blacklist.txt` to `2019.12.09`.
+- Optimized relays.
+
+### Fixed
+- Backup an existing `.toml` file before proceed with the installation.
 
 ## 2.0.34
-
-##### Updated binary files to 2.0.34 | jedisct1
+### Upstream
 - Blacklisted names are now also blocked if they appear in `CNAME`
 pointers.
 - `dnscrypt-proxy` can now act as a local DoH *server*. Firefox can
 be configured to use it, so that ESNI can be enabled without bypassing
 your DNS proxy.
 
-##### Updated module files to 2.0.34 | quindecim
-- Added `ibksturm`- dnscrypt-server (nginx- encrypted-dns- unbound backend), DNSSEC / Non-Logged / Uncensored, OpenNIC and Root DNS-Zone- Hosted in Switzerland by ibksturm, aka Andreas Ziegler)
-- Enabled `blacklist.txt` file to prevent `CNAME Cloaking` tracking feature
-- Optimized relays based on geolocation
-- Removed `charis` and `suami` resolvers and their relays
+### Added
+- `ibksturm`- dnscrypt-server (nginx- encrypted-dns- unbound backend), DNSSEC / Non-Logged / Uncensored, OpenNIC and Root DNS-Zone- Hosted in Switzerland by ibksturm, aka Andreas Ziegler).
+- `blacklist.txt` file to prevent `CNAME Cloaking` tracking feature.
 
+### Changed
+- Optimized relays.
+
+### Removed
+- `charis` and `suami` resolvers.
 
 ## 2.0.33
-
-##### Updated binary files to 2.0.33 | jedisct1
+### Upstream
 - Fixes an issue that caused some valid queries to return `PARSE_ERROR`.
 - On certificate errors, the server name is now logged instead of the
 provider name, which is generally more useful.
@@ -359,24 +602,20 @@ work by Alison Winters, thanks!
 but it includes a `SERVFAIL` error code).
 - Responses are now always compressed.
 
-##### Updated module files to 2.0.33 | quindecim
-- Added `v.dnscrypt.uk-ipv4`- DNSCrypt v2, no logs, uncensored, DNSSEC. Hosted in London UK on Vultr- https://www.dnscrypt.uk
-- Optimized relays based on geolocation and set to use other providers different from the main one 
-
+### Added
+- `v.dnscrypt.uk-ipv4` (DNSCrypt v2, no logs, uncensored, DNSSEC. Hosted in London UK on Vultr- https://www.dnscrypt.uk).
+- Optimized relays (set to use other providers different from the main one).
 
 ## 2.0.31
-
-##### Updated binary files to 2.0.31 | jedisct1
+### Upstream
 - This version fixes a startup issue introduced in version 2.0.29, on systems for which the service cannot be automatically installed (such as OpenBSD and FreeBSD). Reported by @5ch17 and Vinícius Zavam, and fixed by Will Elwood, thanks!
 - This version fixes two regressions introduced in version 2.0.29: DoH server couldn't be reached over IPv6 any more, and the proxy couldn't be interrupted while servers were being benchmarked.
 
-##### Updated module files to 2.0.31 | quindecim
-- Changed the way to backup an existing .toml file. The old configuration is now backed up with `year-month-day-hour-minute.bak` suffix (thanks to @lindroidux)
-
+### Changed
+- Another way to backup an existing `.toml` file (the old configuration is now backed up with `year-month-day-hour-minute.bak` suffix, thanks to @lindroidux).
 
 ## 2.0.29
-
-##### Updated binary files to 2.0.29 | jedisct1
+### Upstream
 - Support for Anonymized DNS has been added!
 - Wait before stopping, fixing an issue with Unbound (thanks to Vladimir Bauer)
 - DNS stamps are now included in the `-list-all-json` ouptut
@@ -389,17 +628,15 @@ but it includes a `SERVFAIL` error code).
 - Ignore non-TXT records in certificate responses (thanks to Vladimir Bauer)
 - A lot of internal cleanups, thanks to Markus Linnala
 
-##### Updated module files to 2.0.29 | quindecim
-- Enabled `anonymized_dns` feature *(each resolver has 2 relays)*
-- Added `scaleway-fr` resolver *(DNSSEC/Non-logging/Uncensored- Maintained by Frank Denis- https://fr.dnscrypt.info)*
-- Added `publicarray-au` resolver Australia, *(DNSSEC/OpenNIC/Non-logging/Uncensored- hosted on vultr.com maintained by publicarray- https://dns.seby.io)*
-- Added `publicarray-au2` resolver Australia, *(DNSSEC/OpenNIC/Non-logging/Uncensored- hosted on ovh.com.au maintained by publicarray- https://dns.seby.io)*
-- Optimized relays based on geolocation
+### Added
+- `publicarray-au` resolver Australia (DNSSEC/OpenNIC/Non-logging/Uncensored- hosted on vultr.com maintained by publicarray- https://dns.seby.io).
+- `publicarray-au2` resolver Australia (DNSSEC/OpenNIC/Non-logging/Uncensored- hosted on ovh.com.au maintained by publicarray- https://dns.seby.io).
 
+### Changed
+- Optimized relays.
 
 ## 2.0.29-beta.3
-
-##### Updated binary files to 2.0.29-beta.3 | jedisct1
+### Upstream
 - Support for Anonymized DNSCrypt has been added.
 - Latency with large responses has actually been reduced.
 - DNSCrypt certificates can now be retrieved over Tor, proxies, and DNS relays.
@@ -408,123 +645,93 @@ but it includes a `SERVFAIL` error code).
 - Improved logging
 - Added a workaround for DNS servers using a non-standard provider name.
 
-##### Updated module files to 2.0.29-beta.3 | quindecim
-- Enabled `anonymized_dns` feature *(each resolver has 2 relays)*
-- Added `scaleway-fr` resolver *(DNSSEC/Non-logged/Uncensored- Maintained by Frank Denis- https://fr.dnscrypt.info)*
-
+### Added
+- `anonymized_dns` feature (each resolver has 2 relays assigned).
+- `scaleway-fr` resolver (DNSSEC/Non-logging/Uncensored- Maintained by Frank Denis- https://fr.dnscrypt.info).
 
 ## 2.0.28
-
-##### Updated binary files to 2.0.28 | jedisct1
+### Upstream
 - Invalid server entries are now skipped instead of preventing a source from being used. Thanks to Alison Winters for the contribution!
 - Truncated responses are immediately retried over TCP instead of waiting for the client to retry. This reduces the latency for large responses.
 - Responses sent to the local network are assumed to support at least 1252 bytes packets, and use optional information from EDNS up to 4096 bytes. This also reduces latency.
 - Logging improvements: servers are not logged for cached, synthetic and cloaked responses. And the forwarder is logged instead of the regular server for forwarded responses.
 
-
 ## 2.0.27
-
-##### Updated binary files to 2.0.27 | jedisct1
+### Upstream
 - The X25519 implementation was changed from using the Go standard implementation to using Cloudflare's CIRCL library. Unfortunately, CIRCL appears to be broken on big-endian systems. That change has been reverted.
 - All the dependencies have been updated.
 
+### Changed
+- New project mantainer, [@quindecim](https://github.com/quindecim) :)
+___
 
-##### New maintainer | quindecim
-
-
-##### Updated module files to 2.0.27 | quindecim
-
-
------
-
-
-###### v2.8.7 | bluemeda
+#### v2.8.7 ([@bluemeda](https://github.com/bluemeda))
 - Changed path of configuration file [dnscrypt.toml] from /system/etc/ to /data/media/0/ [or /sdcard]
 - Updated binary & configuration files to 2.0.25
 - Removed automatic redirection of dns-request and let dnscrypt-proxy do its job only.
 
-
-###### v2.8.5 | bluemeda
+#### v2.8.5 ([@bluemeda](https://github.com/bluemeda))
 - Fix #40
 
-
-###### v2.8.4 | bluemeda
+#### v2.8.4 ([@bluemeda](https://github.com/bluemeda))
 - Fix failed to copy or backup config file
 
-
-###### v2.8.3 | bluemeda
+#### v2.8.3 ([@bluemeda](https://github.com/bluemeda))
 - Fix permission issue
 - Add option to replace or backup-restore config file
 
-
-###### v2.8.2 | bluemeda
+#### v2.8.2 ([@bluemeda](https://github.com/bluemeda))
 - Fix "binary file is missing"
 
-
-###### v2.8.1 | bluemeda
+#### v2.8.7 ([@bluemeda](https://github.com/bluemeda))
 - Update Magisk 18100 requirements
 
-
-###### v2.8.0 | bluemeda
+#### v2.8.0 ([@bluemeda](https://github.com/bluemeda))
 - Update binary files 2.0.22
 
-
-###### v2.7.0 | bluemeda
+#### v2.7.0 ([@bluemeda](https://github.com/bluemeda))
 - Update binary files 2.0.21
 
-
-###### v2.6.0 | bluemeda
+#### v2.6.0 ([@bluemeda](https://github.com/bluemeda))
 - Update binary files to 2.0.19
 
-
-###### v2.5.0 | bluemeda
+#### v2.5.0 ([@bluemeda](https://github.com/bluemeda))
 - Update binary files to 2.0.16
 - add exception for cloudflare fallback resolver.
 
-
-###### v2.4.0 | bluemeda
+#### v2.4.0 ([@bluemeda](https://github.com/bluemeda))
 - Update binary files to 2.0.14
 
-
-###### v2.3.0 | bluemeda
+#### v2.3.0 ([@bluemeda](https://github.com/bluemeda))
 - Update binary files to 2.0.10
 - Add option to choose auto redirect DNS or manually set with 3rd-party app.
 
-
-###### v2.2.0 | bluemeda
+#### v2.2.0 ([@bluemeda](https://github.com/bluemeda))
 - Update binary files to 2.0.8
 
-
-###### v2.1.3 | bluemeda
+#### v2.1.3 ([@bluemeda](https://github.com/bluemeda))
 - If you have previous version, please uninstall it first then reinstall it again or you can change listen port manually in dnscrypt-proxy.toml file.
 - Fix Tethering Client cannot Resolve DNSCrypt
 - Fix Chromecast devices not showing jedisct1/dnscrypt-proxy#226
 - Add binary files for x86 and x86_64 (test)
 
-
-###### v2.1.2 | bluemeda
+#### v2.1.2 ([@bluemeda](https://github.com/bluemeda))
 - Bug Fixes
 
-
-###### v2.1.1 | bluemeda
+#### v2.1.1 ([@bluemeda](https://github.com/bluemeda))
 - Bug fixes
 
-
-###### v2.1 | bluemeda
+#### v2.1 ([@bluemeda](https://github.com/bluemeda))
 - Bug fixes
 
-
-###### v2.0 | bluemeda
+#### v2.0 ([@bluemeda](https://github.com/bluemeda))
 - Resolve download.dnscrypt.info first before executing iptable
 - Don't override dnscrypt-proxy.toml if exist
 - Update binary files to v2.0.6
 
-
-###### v1.1 | bluemeda
+#### v1.1 ([@bluemeda](https://github.com/bluemeda))
 - Change listen port to 5353 (avoid conflict while tethering)
 
-###### v1.0 | blueme
-da
+#### v1.0 ([@bluemeda](https://github.com/bluemeda))
 - Initial release
 - dnscrypt-proxy v2.0.5
-

LICENSE.md

@@ -632,7 +632,7 @@ state the exclusion of warranty; and each file should have at least
 the "copyright" line and a pointer to where the full notice is found.
 
     dnscrypt-proxy-android
-    Copyright (C) 2021  quindecim
+    Copyright (C) 2020-2023, d3cim
 
     This program is free software: you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -652,7 +652,7 @@ Also add information on how to contact you by electronic and paper mail.
   If the program does terminal interaction, make it output a short
 notice like this when it starts in an interactive mode:
 
-    dnscrypt-proxy-android  Copyright (C) 2021  quindecim
+    dnscrypt-proxy-android  Copyright (C) 2020-2023, d3cim
     This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
     This is free software, and you are welcome to redistribute it
     under certain conditions; type `show c' for details.

README.md

@@ -1,13 +1,13 @@
-# DNSCrypt Proxy 2 for Android | privacy oriented
+# DNSCrypt Proxy 2 for Android
 
-A flexible DNS proxy, with support for modern encrypted DNS protocols such as [DNSCrypt v2](https://dnscrypt.info/protocol), [DNS-over-HTTPS](https://www.rfc-editor.org/rfc/rfc8484.txt) and [Anonymized DNSCrypt](https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/ANONYMIZED-DNSCRYPT.txt).
+![GitHub release (latest by date)](https://img.shields.io/github/v/release/d3cim/dnscrypt-proxy-android?style=for-the-badge)
+![GitHub all releases](https://img.shields.io/github/downloads/d3cim/dnscrypt-proxy-android/total?style=for-the-badge)
 
+A flexible DNS proxy, with support for modern encrypted DNS protocols such as [DNSCrypt v2](https://dnscrypt.info/protocol), [DNS-over-HTTPS](https://www.rfc-editor.org/rfc/rfc8484.txt), [Anonymized DNSCrypt](https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/ANONYMIZED-DNSCRYPT.txt) and [ODoH (Oblivious DoH)](https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-servers.md).
 
 ## Features
 
-- For all features please refer to the [OFFICIAL PAGE](https://github.com/DNSCrypt/dnscrypt-proxy#features)
-- All binary files are downloaded from the [OFFICIAL RELEASE PAGE](https://github.com/DNSCrypt/dnscrypt-proxy/releases)
-
+- For all features please refer to the [official page](https://github.com/DNSCrypt/dnscrypt-proxy#features).
 
 ## Pre-built binaries
 
@@ -18,74 +18,88 @@ Up-to-date, pre-built binaries are available for:
 - Android/x86
 - Android/x86_64
 
+All the binary files are downloaded from the [official release page](https://github.com/DNSCrypt/dnscrypt-proxy/releases).
 
-## Differences from the main dnscrypt-proxy project
+## Differences from the main project
 
-- `server_names` = `acsacsar-ams-ipv4` [NLD], `arvind-io` [IND], `bcn-dnscrypt` [ESP], `d0wn-tz-ns1` [TZA], `dnscrypt.be` [BEL], `dnscrypt.ca-1` [CAN], `dnscrypt.ca-2` [CAN], `dnscrypt.eu-dk` [DNK], `dnscrypt.eu-nl` [NLD], `dnscrypt.one` [DEU], `dnscrypt.pl` [POL], `dnscrypt.uk-ipv4` [GBR], `ev-canada` [CAN], `freetsa.org-ipv4` [CAN] `jp.tiar.app` [JPN], `meganerd` [NLD], `moulticast-ca-ipv4` [CAN], `moulticast-de-ipv4` [DEU], `moulticast-fr-ipv4` [FRA], `moulticast-sg-ipv4` [SGP], `moulticast-uk-ipv4` [GBR], `plan9-dns` [USA], `publicarray-au` [AUS], `pwoss.org-dnscrypt` [DEU], `sarpel-dns-istanbul` [TUR], `scaleway-ams` [NLD], `scaleway-fr` [FRA], `serbica` [NLD], `v.dnscrypt.uk-ipv4` [GBR], `ventricle.us` [USA] are the resolvers in use.
+- `server_names` = `ams-dnscrypt-nl` [NLD], `d0wn-tz-ns1` [TZA], `dct-nl` [NLD], `dct-ru` [RUS], `dnscrypt.be` [BEL], `dnscrypt.pl` [POL], `dnscrypt.uk-ipv4` [GBR], `dnswarden-uncensor-dc-swiss` [CHE], `meganerd` [NLD], `openinternet` [USA], `plan9dns-fl` [USA], `plan9dns-mx` [MEX], `plan9dns-nj` [USA], `pryv8boi` [DEU], `sby-limotelu` [IDN], `scaleway-ams` [NLD], `scaleway-fr` [FRA], `serbica` [NLD], `techsaviours.org-dnscrypt` [DEU], `v.dnscrypt.uk-ipv4` [GBR] are the resolvers in use.
 
-- `doh_servers` = `false` (disable servers implementing the `DNS-over-HTTPS` protocol)
+- `doh_servers = false` (disable servers implementing the `DNS-over-HTTPS` protocol)
 
-- `require_dnssec` = `true` (server must support `DNSSEC` security extension)
+- `require_dnssec = true` (server must support `DNSSEC` security extension)
 
-- `timeout` = `1000` (set the max. response time of a single DNS query from `5000` to `1000` ms.)
+- `force_tcp = true` (fix for mobile data intial connection random issues if `routes` have been set and `skip_incompatible = true`, see [DNSCrypt/dnscrypt-proxy/discussions/2020](https://github.com/DNSCrypt/dnscrypt-proxy/discussions/2020))
 
-- `blocked_query_response` = `'refused'` (set `refused` response to blocked queries)
+- `timeout = 1000` (set the max. response time of a single DNS query from `5000` to `1000` ms.)
 
-- `dnscrypt_ephemeral_keys` = `true` (create a new, unique key for every single DNS query)
+- `blocked_query_response = 'refused'` (set `refused` response to blocked queries)
 
-- `fallback_resolvers` = `['91.239.100.100:53']` (use [UncensoredDNS](https://blog.uncensoreddns.org/) instead [CloudFlare](https://iscloudflaresafeyet.com/))
+- `# log_level = 0` (set the log level of the `dnscrypt-proxy.log` file to very verbose, but keep it disabled by default)
 
-- `netprobe_address` = `'91.239.100.100:53'` (use [UncensoredDNS](https://blog.uncensoreddns.org/) instead [CloudFlare](https://iscloudflaresafeyet.com/))
+- `dnscrypt_ephemeral_keys = true` (create a new, unique key for every single DNS query)
 
-- `block_ipv6` = `true` (immediately respond to IPv6-related queries with an empty response)
+- `bootstrap_resolvers = ['45.11.45.11:53']` (use [DNS.SB](https://dns.sb/) instead [CloudFlare](https://archive.today/tS1Ln))
 
-- `blocked_names_file`, `blocked_ips_file`, `allowed_names_file` and `allowed_ips_file` options enabled. (you can now filter your web content, to know how, please refer to the [official documentation](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters) or take a look at my [block repository](https://git.nixnet.services/quindecim/block))
+- `netprobe_address = '45.11.45.11:53'` (use [DNS.SB](https://dns.sb/) instead [CloudFlare](https://archive.today/tS1Ln))
+
+- `block_ipv6 = true` (immediately respond to IPv6-related queries with an empty response)
+
+- `blocked-names.txt`, `blocked-ips.txt`, `allowed-names.txt` and `allowed-ips.txt` files enabled. (to know more specifics about this, please refer to the [Filters (optional)](https://github.com/d3cim/dnscrypt-proxy-android#filters-optional) section below)
 
 - `anonymized_dns` feature enabled. (`routes` are indirect ways to reach DNSCrypt servers, each resolver has 2 relays assigned)
 
-- `skip_incompatible` = `true` (skip resolvers incompatible with anonymization instead of using them directly)
-
-- `direct_cert_fallback` = `false` (prevent direct connections through the resolvers for failed certificate retrieved via relay)
+- `skip_incompatible = true` (skip resolvers incompatible with anonymization instead of using them directly)
 
+- `direct_cert_fallback = false` (prevent direct connections through the resolvers for failed certificate retrieved via relay)
 
 ## Installation
 
-1. Download the latest `.zip` file from the [Releases](https://git.nixnet.services/quindecim/dnscrypt-proxy-android/releases) page or from my [dnscrypt-proxy-android | CHANNEL](https://t.me/dnscrypt_proxy) on Telegram and flash it with [Magisk](https://github.com/topjohnwu/Magisk):
+**1.** Download the latest `dnscrypt-proxy-android-*.zip` file from the [Releases](https://github.com/d3cim/dnscrypt-proxy-android/releases/latest) page and flash it with [Magisk](https://github.com/topjohnwu/Magisk):
 
 ```
-Magisk Manager > Modules > + > dnscrypt-proxy-android-v*.zip
+Magisk > Modules > Install from storage > dnscrypt-proxy-android-*.zip
 ```
 
-2. Reboot your device.
+**2.** Reboot your device.
 
-3. Test your DNS: https://dnsleaktest.com/
+**3.** Test your DNS at https://dnsleaktest.com/
 
+### Configuration (optional)
 
-### Configuration (post-installing)
+You can edit the `dnscrypt-proxy.toml` file as you wish located on `storage/emulated/0/dnscrypt-proxy` path.
 
-- You can edit `dnscrypt-proxy.toml` as you wish located on `/sdcard/dnscrypt-proxy/dnscrypt-proxy.toml`, or `/data/media/0/dnscrypt-proxy/dnscrypt-proxy.toml`.
-- For more detailed configuration please refer to [official documentation](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Configuration).
-- For more support on a good privacy oriented setup, join our group at [dnscrypt-proxy-android | CHAT](https://t.me/qd_invitations) on Telegram.
+For a more detailed configuration you can refer to the [official documentation](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Configuration) or simply join our group on [Telegram](https://telegram.org/), at [dnscrypt-proxy-android | CHAT](https://t.me/qd_invitations).
 
+### Filters (optional)
 
-#### AFWall+ users only
+Filters are a powerful set of built-in features, that let you control exactly what domain names and IP addresses your device are allowed to connect to. This can be used to block ads, trackers, malware, or anything you don't want your device to load.
 
-If you experience no connection issue after flashing the module I suggest you to insert these scripts: (in both, enter and shutdown boxes)
+This [module](https://github.com/d3cim/dnscrypt-proxy-android) comes with the [filtering feature](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters) enabled by default, that's why you can see files designed for this operation inside the internal folder. Out of the box these files are empty and are used only to ensure the correct start of `dnscrypt-proxy` service.\
+To know more about it you can consult the [official documentation](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters), or in a simpler way through my [block repository](https://github.com/d3cim/block).
 
-```
-iptables -A "afwall" -d 127.0.0.1 -p tcp --dport 5354 -j ACCEPT
-iptables -A "afwall" -d 127.0.0.1 -p udp --dport 5354 -j ACCEPT
-```
-
-The issue is related to the use of `AFWall+` and only happens on some devices, it depends on how the DNS configuration is implemented in the device itself.
+I'm also providing the `allowed-names.txt` and `blocked-names.txt` files regularly updated at [dnscrypt-proxy-filters | CHANNEL](https://t.me/dnscrypt_proxy_filters). The [sources](https://github.com/d3cim/block#sources) used for this merge are among the hardest on the web.
 
+You can contribute to this blocklist at anytime, opening a [New Issue](https://github.com/d3cim/dnscrypt-proxy-android/issues) here or simply reporting the issue at [dnscrypt-proxy-filters | CHAT](https://t.me/qd_invitations) on [Telegram](https://telegram.org/).
 
 ## Changelog
 
-[Full changelog](https://git.nixnet.services/quindecim/dnscrypt-proxy-android/blob/master/CHANGELOG.md)
+- See [CHANGELOG](https://github.com/d3cim/dnscrypt-proxy-android/blob/master/CHANGELOG.md).
 
+## Version numbers
+
+dnscrypt-proxy-android tags follow the format `{dnscrypt-proxy_version}.{revision}` where
+
+* `dnscrypt-proxy_version` is the version of dnscrypt-proxy used in `x.x.x` format, and
+* `revision` is a number indicating the version of dnscrypt-proxy-android for the corresponding dnscrypt-proxy version.
+
+## Donations
+
+- **BTC** address: `126Y2BJQyPq8CHAaFMCyVH5QcbSViQz89e`
+- **ETH** address: `0x16b917Bb585D2411b9c9C81b03de72471f3f072F`
+- **XMR** address: `41jXybL88etPg1nGuPsMZbFSzKzbXYat4Xak3QssPy7LNs4VBWXDxbhjSdtLJDA138cx7cTq8JhFoiTTVLhWrTNAUywgGFD`
 
 ## Credits
-- DNSCrypt-Proxy2 upstream | [jedisct1](https://github.com/DNSCrypt/dnscrypt-proxy)
-- [bluemeda](https://github.com/bluemeda) for the original module
-- [All contributors](https://github.com/Magisk-Modules-Repo/dnscrypt-proxy/graphs/contributors)
+
+- [Frank Denis](https://github.com/jedisct1) and his [contributors](https://github.com/DNSCrypt/dnscrypt-proxy/graphs/contributors) for the upstream code.
+- [Affif Mukhlashin](https://github.com/bluemeda) and his [contributors](https://github.com/bluemeda/dnscrypt-proxy-magisk/graphs/contributors) for the very first module.
+- [John Wu](https://github.com/topjohnwu) and his [contributors](https://github.com/topjohnwu/Magisk/graphs/contributors) for Magisk.

config/LICENSE

@@ -1,18 +1,15 @@
-/*
- * ISC License
- *
- * Copyright (c) 2018-2021
- * Frank Denis <j at pureftpd dot org>
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
+ISC License
+
+Copyright (c) 2018-2023, Frank Denis <j at pureftpd dot org>
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.

config/allowed-ips.txt

@@ -3,9 +3,15 @@
 #        IP allowlist        #
 ##############################
 
-## Author      : quindecim   : https://git.nixnet.services/quindecim   | MAINSTREAM
-##                             https://git.lushka.al/quindecim         | MIRROR
-##                             https://git.lelux.fi/quindecim          | MIRROR
+## Author      : d3cim  : https://github.com/d3cim
+##                        https://git.nixnet.services/d3cim
+##
+## License     : GPLv3  : https://github.com/d3cim/block/blob/master/LICENSE.md
 ##
 ##
-## This is just a placeholder for who want to use a whitelist file.
+## DO NOT DELETE THIS FILE !!
+##
+## This file is required by dnscrypt-proxy to work properly, you can use it to filter your content on the web, otherwise forget about it.
+##
+## More info at: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters
+##               https://github.com/d3cim/block

config/allowed-names.txt

@@ -3,9 +3,15 @@
 #        Allowlist        #
 ###########################
 
-## Author      : quindecim   : https://git.nixnet.services/quindecim   | MAINSTREAM
-##                             https://git.lushka.al/quindecim         | MIRROR
-##                             https://git.lelux.fi/quindecim          | MIRROR
+## Author      : d3cim  : https://github.com/d3cim
+##                        https://git.nixnet.services/d3cim
+##
+## License     : GPLv3  : https://github.com/d3cim/block/blob/master/LICENSE.md
 ##
 ##
-## This is just a placeholder for who want to use a allowlist file.
+## DO NOT DELETE THIS FILE !!
+##
+## This file is required by dnscrypt-proxy to work properly, you can use it to filter your content on the web, otherwise forget about it.
+##
+## More info at: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters
+##               https://github.com/d3cim/block

config/blocked-ips.txt

@@ -3,9 +3,41 @@
 #        IP blocklist        #
 ##############################
 
-## Author      : quindecim   : https://git.nixnet.services/quindecim   | MAINSTREAM
-##                             https://git.lushka.al/quindecim         | MIRROR
-##                             https://git.lelux.fi/quindecim          | MIRROR
+## Author      : d3cim     : https://github.com/d3cim
+##                           https://git.nixnet.services/d3cim
+##
+## Based on    : DNSCrypt  : Rebind Protection  : https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters#dns-rebind-protection
+##
+## License     : GPLv3     : https://github.com/d3cim/block/blob/master/LICENSE.md
 ##
 ##
-## This is just a placeholder for who want to use a blocklist file.
+## DO NOT DELETE THIS FILE !!
+##
+## This file is required by dnscrypt-proxy to work properly, you can use it to filter your content on the web, otherwise forget about it.
+##
+## More info at: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters
+##               https://github.com/d3cim/block
+
+# Blocklist from [https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters#dns-rebinding-protection]
+# Localhost rebind protection
+0.0.0.0
+127.0.0.*
+# RFC1918 rebind protection
+10.*
+172.16.*
+172.17.*
+172.18.*
+172.19.*
+172.20.*
+172.21.*
+172.22.*
+172.23.*
+172.24.*
+172.25.*
+172.26.*
+172.27.*
+172.28.*
+172.29.*
+172.30.*
+172.31.*
+192.168.*

config/blocked-names.txt

@@ -3,9 +3,15 @@
 #        Blocklist        #
 ###########################
 
-## Author      : quindecim   : https://git.nixnet.services/quindecim   | MAINSTREAM
-##                             https://git.lushka.al/quindecim         | MIRROR
-##                             https://git.lelux.fi/quindecim          | MIRROR
+## Author      : d3cim  : https://github.com/d3cim
+##                        https://git.nixnet.services/d3cim
+##
+## License     : GPLv3  : https://github.com/d3cim/block/blob/master/LICENSE.md
 ##
 ##
-## This is just a placeholder for who want to use a blocklist file.
+## DO NOT DELETE THIS FILE !!
+##
+## This file is required by dnscrypt-proxy to work properly, you can use it to filter your content on the web, otherwise forget about it.
+##
+## More info at: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters
+##               https://github.com/d3cim/block

config/dnscrypt-proxy.toml

@@ -29,12 +29,15 @@
 ##
 ## Remove the leading # first to enable this; lines starting with # are ignored.
 
-server_names = ['acsacsar-ams-ipv4', 'arvind-io', 'bcn-dnscrypt', 'd0wn-tz-ns1', 'dnscrypt.be', 'dnscrypt.ca-1', 'dnscrypt.ca-2', 'dnscrypt.eu-dk', 'dnscrypt.eu-nl', 'dnscrypt.one', 'dnscrypt.pl', 'dnscrypt.uk-ipv4', 'ev-canada', 'freetsa.org-ipv4', 'jp.tiar.app', 'meganerd', 'moulticast-ca-ipv4', 'moulticast-de-ipv4', 'moulticast-fr-ipv4', 'moulticast-sg-ipv4', 'moulticast-uk-ipv4', 'plan9-dns', 'publicarray-au', 'pwoss.org-dnscrypt', 'sarpel-dns-istanbul', 'scaleway-ams', 'scaleway-fr', 'serbica', 'v.dnscrypt.uk-ipv4', 'ventricle.us']
+server_names = ['ams-dnscrypt-nl', 'd0wn-tz-ns1', 'dct-nl', 'dct-ru', 'dnscrypt.be', 'dnscrypt.pl', 'dnscrypt.uk-ipv4', 'dnswarden-uncensor-dc-swiss', 'meganerd', 'openinternet', 'plan9dns-fl', 'plan9dns-mx', 'plan9dns-nj', 'pryv8boi', 'sby-limotelu', 'scaleway-ams', 'scaleway-fr', 'serbica', 'techsaviours.org-dnscrypt', 'v.dnscrypt.uk-ipv4']
 
 
 ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
 ## Example with both IPv4 and IPv6:
 ## listen_addresses = ['127.0.0.1:53', '[::1]:53']
+##
+## To listen to all IPv4 addresses, use `listen_addresses = ['0.0.0.0:53']`
+## To listen to all IPv4+IPv6 addresses, use `listen_addresses = ['[::]:53']`
 
 listen_addresses = ['127.0.0.1:5354']
 
@@ -52,7 +55,7 @@ max_clients = 250
 # user_name = 'nobody'
 
 
-## Require servers (from static + remote sources) to satisfy specific properties
+## Require servers (from remote sources) to satisfy specific properties
 
 # Use servers reachable over IPv4
 ipv4_servers = true
@@ -66,6 +69,9 @@ dnscrypt_servers = true
 # Use servers implementing the DNS-over-HTTPS protocol
 doh_servers = false
 
+# Use servers implementing the Oblivious DoH protocol
+odoh_servers = false
+
 
 ## Require servers defined by remote sources to satisfy specific properties
 
@@ -88,7 +94,14 @@ disabled_server_names = []
 ## (dnscrypt-proxy will always encrypt everything even using UDP), and can
 ## only increase latency.
 
-force_tcp = false
+force_tcp = true
+
+
+## Enable *experimental* support for HTTP/3 (DoH3, HTTP over QUIC)
+## Note that, like DNSCrypt but unlike other HTTP versions, this uses
+## UDP and (usually) port 443 instead of TCP.
+
+http3 = false
 
 
 ## SOCKS proxy
@@ -112,7 +125,7 @@ force_tcp = false
 timeout = 1000
 
 
-## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds
+## Keepalive for HTTP (HTTPS, HTTP/2, HTTP/3) queries, in seconds
 
 keepalive = 30
 
@@ -122,7 +135,7 @@ keepalive = 30
 ## Multiple networks can be listed; they will be randomly chosen.
 ## These networks don't have to match your actual networks.
 
-# edns_client_subnet = ["0.0.0.0/0", "2001:db8::/32"]
+# edns_client_subnet = ['0.0.0.0/0', '2001:db8::/32']
 
 
 ## Response for blocked queries. Options are `refused`, `hinfo` (default) or
@@ -148,7 +161,7 @@ blocked_query_response = 'refused'
 
 ## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)
 
-# log_level = 2
+# log_level = 0
 
 
 ## Log file for the application, as an alternative to sending logs to
@@ -175,6 +188,13 @@ blocked_query_response = 'refused'
 cert_refresh_delay = 240
 
 
+## Initially don't check DNSCrypt server certificates for expiration, and
+## only start checking them after a first successful connection to a resolver.
+## This can be useful on routers with no battery-backed clock.
+
+# cert_ignore_timestamp = false
+
+
 ## DNSCrypt: Create a new, unique key for every single DNS query
 ## This may improve privacy but can also have a significant impact on CPU usage
 ## Only enable if you don't have a lot of network load
@@ -187,48 +207,74 @@ dnscrypt_ephemeral_keys = true
 # tls_disable_session_tickets = false
 
 
-## DoH: Use a specific cipher suite instead of the server preference
+## DoH: Use TLS 1.2 and specific cipher suite instead of the server preference
 ## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 ## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 ## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
 ## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
-##  4865 = TLS_AES_128_GCM_SHA256
-##  4867 = TLS_CHACHA20_POLY1305_SHA256
 ##
 ## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
 ## the following suite improves performance.
 ## This may also help on Intel CPUs running 32-bit operating systems.
 ##
 ## Keep tls_cipher_suite empty if you have issues fetching sources or
-## connecting to some DoH servers. Google and Cloudflare are fine with it.
+## connecting to some DoH servers.
 
 # tls_cipher_suite = [52392, 49199]
 
 
-## Fallback resolvers
+## Log TLS key material to a file, for debugging purposes only.
+## This file will contain the TLS master key, which can be used to decrypt
+## all TLS traffic to/from DoH servers.
+## Never ever enable except for debugging purposes with a tool such as mitmproxy.
+
+# tls_key_log_file = '/tmp/keylog.txt'
+
+
+## Bootstrap resolvers
+##
 ## These are normal, non-encrypted DNS resolvers, that will be only used
-## for one-shot queries when retrieving the initial resolvers list, and
-## only if the system DNS configuration doesn't work.
+## for one-shot queries when retrieving the initial resolvers list and if
+## the system DNS configuration doesn't work.
 ##
-## No user application queries will ever be leaked through these resolvers,
-## and they will not be used after IP addresses of resolvers URLs have been found.
-## They will never be used if lists have already been cached, and if stamps
-## don't include host names without IP addresses.
+## No user queries will ever be leaked through these resolvers, and they will
+## not be used after IP addresses of DoH resolvers have been found (if you are
+## using DoH).
+##
+## They will never be used if lists have already been cached, and if the stamps
+## of the configured servers already include IP addresses (which is the case for
+## most of DoH servers, and for all DNSCrypt servers and relays).
+##
+## They will not be used if the configured system DNS works, or after the
+## proxy already has at least one usable secure resolver.
 ##
-## They will not be used if the configured system DNS works.
 ## Resolvers supporting DNSSEC are recommended, and, if you are using
-## DoH, fallback resolvers should ideally be operated by a different entity than
-## the DoH servers you will be using, especially if you have IPv6 enabled.
+## DoH, bootstrap resolvers should ideally be operated by a different entity
+## than the DoH servers you will be using, especially if you have IPv6 enabled.
 ##
-## People in China may need to use 114.114.114.114:53 here.
-## Other popular options include 8.8.8.8 and 1.1.1.1.
+## People in China may want to use 114.114.114.114:53 here.
+## Other popular options include 8.8.8.8, 9.9.9.9 and 1.1.1.1.
 ##
 ## If more than one resolver is specified, they will be tried in sequence.
+##
+## TL;DR: put valid standard resolver addresses here. Your actual queries will
+## not be sent there. If you're using DNSCrypt or Anonymized DNS and your
+## lists are up to date, these resolvers will not even be used.
 
-fallback_resolvers = ['91.239.100.100:53']
+bootstrap_resolvers = ['45.11.45.11:53']
 
 
-## Always use the fallback resolver before the system DNS settings.
+## When internal DNS resolution is required, for example to retrieve
+## the resolvers list:
+##
+## - queries will be sent to dnscrypt-proxy itself, if it is already
+##   running with active servers (*)
+## - or else, queries will be sent to fallback servers
+## - finally, if `ignore_system_dns` is `false`, queries will be sent
+##   to the system DNS
+##
+## (*) this is incompatible with systemd sockets.
+## `listen_addrs` must not be empty.
 
 ignore_system_dns = true
 
@@ -251,7 +297,7 @@ netprobe_timeout = -1
 ## On other operating systems, the connection will be initialized
 ## but nothing will be sent at all.
 
-netprobe_address = '91.239.100.100:53'
+netprobe_address = '45.11.45.11:53'
 
 
 ## Offline mode - Do not use any remote encrypted servers.
@@ -302,6 +348,7 @@ block_ipv6 = true
 
 
 ## Immediately respond to A and AAAA queries for host names without a domain name
+## This also prevents "dotless domain names" from being resolved upstream.
 
 block_unqualified = true
 
@@ -315,7 +362,7 @@ block_undelegated = true
 ## TTL for synthetic responses sent when a request has been blocked (due to
 ## IPv6 or blocklists).
 
-reject_ttl = 600
+reject_ttl = 10
 
 
 
@@ -336,6 +383,8 @@ reject_ttl = 600
 ## Cloaking returns a predefined address for a specific name.
 ## In addition to acting as a HOSTS file, it can also return the IP address
 ## of a different name. It will also do CNAME flattening.
+## If 'cloak_ptr' is set, then PTR (reverse lookups) are enabled
+## for cloaking rules that do not contain wild cards.
 ##
 ## See the `example-cloaking-rules.txt` file for an example
 
@@ -344,6 +393,7 @@ reject_ttl = 600
 ## TTL used when serving entries in cloaking-rules.txt
 
 # cloak_ttl = 600
+# cloak_ptr = false
 
 
 
@@ -420,6 +470,9 @@ cache_neg_max_ttl = 600
 
 
 ## Certificate file and key - Note that the certificate has to be trusted.
+## Can be generated using the following commands:
+## openssl genpkey -genparam -algorithm ec -pkeyopt ec_paramgen_curve:P-256 -out ECPARAM.pem
+## openssl req -x509 -nodes -newkey ec:ECPARAM.pem -subj "/C=XZ/L=own PC/O=localhost/CN=localhost/" -days 5000 -sha256 -keyout localhost.pem -out localhost.pem
 ## See the documentation (wiki) for more information.
 
 # cert_file = 'localhost.pem'
@@ -435,20 +488,20 @@ cache_neg_max_ttl = 600
 
 [query_log]
 
-  ## Path to the query log file (absolute, or relative to the same directory as the config file)
-  ## Can be set to /dev/stdout in order to log to the standard output.
+## Path to the query log file (absolute, or relative to the same directory as the config file)
+## Can be set to /dev/stdout in order to log to the standard output.
 
-  # file = 'query.log'
+# file = 'query.log'
 
 
-  ## Query log format (currently supported: tsv and ltsv)
+## Query log format (currently supported: tsv and ltsv)
 
-  format = 'tsv'
+format = 'tsv'
 
 
-  ## Do not log these query types, to reduce verbosity. Keep empty to log everything.
+## Do not log these query types, to reduce verbosity. Keep empty to log everything.
 
-  # ignored_qtypes = ['DNSKEY', 'NS']
+# ignored_qtypes = ['DNSKEY', 'NS']
 
 
 
@@ -462,19 +515,19 @@ cache_neg_max_ttl = 600
 
 [nx_log]
 
-  ## Path to the query log file (absolute, or relative to the same directory as the config file)
+## Path to the query log file (absolute, or relative to the same directory as the config file)
 
-  # file = 'nx.log'
+# file = 'nx.log'
 
 
-  ## Query log format (currently supported: tsv and ltsv)
+## Query log format (currently supported: tsv and ltsv)
 
-  format = 'tsv'
+format = 'tsv'
 
 
 
 ######################################################
-#        Pattern-based blocking (blocklists)        #
+#        Pattern-based blocking (blocklists)         #
 ######################################################
 
 ## Blocklists are made of one pattern per line. Example of valid patterns:
@@ -492,19 +545,19 @@ cache_neg_max_ttl = 600
 
 [blocked_names]
 
-  ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
+## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
 
-  blocked_names_file = 'blocked-names.txt'
+blocked_names_file = 'blocked-names.txt'
 
 
-  ## Optional path to a file logging blocked queries
+## Optional path to a file logging blocked queries
 
-  # log_file = 'blocked-names.log'
+# log_file = 'blocked-names.log'
 
 
-  ## Optional log format: tsv or ltsv (default: tsv)
+## Optional log format: tsv or ltsv (default: tsv)
 
-  # log_format = 'tsv'
+# log_format = 'tsv'
 
 
 
@@ -520,24 +573,24 @@ cache_neg_max_ttl = 600
 
 [blocked_ips]
 
-  ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
+## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
 
-  blocked_ips_file = 'blocked-ips.txt'
+blocked_ips_file = 'blocked-ips.txt'
 
 
-  ## Optional path to a file logging blocked queries
+## Optional path to a file logging blocked queries
 
-  # log_file = 'blocked-ips.log'
+# log_file = 'blocked-ips.log'
 
 
-  ## Optional log format: tsv or ltsv (default: tsv)
+## Optional log format: tsv or ltsv (default: tsv)
 
-  # log_format = 'tsv'
+# log_format = 'tsv'
 
 
 
 ######################################################
-#   Pattern-based allow lists (blocklists bypass)   #
+#   Pattern-based allow lists (blocklists bypass)    #
 ######################################################
 
 ## Allowlists support the same patterns as blocklists
@@ -548,19 +601,19 @@ cache_neg_max_ttl = 600
 
 [allowed_names]
 
-  ## Path to the file of allow list rules (absolute, or relative to the same directory as the config file)
+## Path to the file of allow list rules (absolute, or relative to the same directory as the config file)
 
-  allowed_names_file = 'allowed-names.txt'
+allowed_names_file = 'allowed-names.txt'
 
 
-  ## Optional path to a file logging allowed queries
+## Optional path to a file logging allowed queries
 
-  # log_file = 'allowed-names.log'
+# log_file = 'allowed-names.log'
 
 
-  ## Optional log format: tsv or ltsv (default: tsv)
+## Optional log format: tsv or ltsv (default: tsv)
 
-  # log_format = 'tsv'
+# log_format = 'tsv'
 
 
 
@@ -569,25 +622,25 @@ cache_neg_max_ttl = 600
 #########################################################
 
 ## Allowed IP lists support the same patterns as IP blocklists
-## If an IP response matches an allow ip entry, the corresponding session
+## If an IP response matches an allowed entry, the corresponding session
 ## will bypass IP filters.
 ##
 ## Time-based rules are also supported to make some websites only accessible at specific times of the day.
 
 [allowed_ips]
 
-  ## Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file)
+## Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file)
 
-  allowed_ips_file = 'allowed-ips.txt'
+allowed_ips_file = 'allowed-ips.txt'
 
 
-  ## Optional path to a file logging allowed queries
+## Optional path to a file logging allowed queries
 
-  # log_file = 'allowed-ips.log'
+# log_file = 'allowed-ips.log'
 
-  ## Optional log format: tsv or ltsv (default: tsv)
+## Optional log format: tsv or ltsv (default: tsv)
 
-  # log_format = 'tsv'
+# log_format = 'tsv'
 
 
 
@@ -608,21 +661,21 @@ cache_neg_max_ttl = 600
 
 [schedules]
 
-  # [schedules.'time-to-sleep']
-  # mon = [{after='21:00', before='7:00'}]
-  # tue = [{after='21:00', before='7:00'}]
-  # wed = [{after='21:00', before='7:00'}]
-  # thu = [{after='21:00', before='7:00'}]
-  # fri = [{after='23:00', before='7:00'}]
-  # sat = [{after='23:00', before='7:00'}]
-  # sun = [{after='21:00', before='7:00'}]
+  # [schedules.time-to-sleep]
+  #   mon = [{after='21:00', before='7:00'}]
+  #   tue = [{after='21:00', before='7:00'}]
+  #   wed = [{after='21:00', before='7:00'}]
+  #   thu = [{after='21:00', before='7:00'}]
+  #   fri = [{after='23:00', before='7:00'}]
+  #   sat = [{after='23:00', before='7:00'}]
+  #   sun = [{after='21:00', before='7:00'}]
 
-  # [schedules.'work']
-  # mon = [{after='9:00', before='18:00'}]
-  # tue = [{after='9:00', before='18:00'}]
-  # wed = [{after='9:00', before='18:00'}]
-  # thu = [{after='9:00', before='18:00'}]
-  # fri = [{after='9:00', before='17:00'}]
+  # [schedules.work]
+  #   mon = [{after='9:00', before='18:00'}]
+  #   tue = [{after='9:00', before='18:00'}]
+  #   wed = [{after='9:00', before='18:00'}]
+  #   thu = [{after='9:00', before='18:00'}]
+  #   fri = [{after='9:00', before='17:00'}]
 
 
 
@@ -644,45 +697,69 @@ cache_neg_max_ttl = 600
 ## If the `urls` property is missing, cache files and valid signatures
 ## must already be present. This doesn't prevent these cache files from
 ## expiring after `refresh_delay` hours.
-## Cache freshness is checked every 24 hours, so values for 'refresh_delay'
-## of less than 24 hours will have no effect.
-## A maximum delay of 168 hours (1 week) is imposed to ensure cache freshness.
+## `refreshed_delay` must be in the [24..168] interval.
+## The minimum delay of 24 hours (1 day) avoids unnecessary requests to servers.
+## The maximum delay of 168 hours (1 week) ensures cache freshness.
 
 [sources]
 
-  ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
+  ### An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
 
-  [sources.'public-resolvers']
-  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://download.dnscrypt.net/resolvers-list/v3/public-resolvers.md']
-  cache_file = 'public-resolvers.md'
-  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
-  refresh_delay = 72
-  prefix = ''
+  [sources.public-resolvers]
+    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
+    cache_file = 'public-resolvers.md'
+    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+    refresh_delay = 72
+    prefix = ''
 
-  ## Anonymized DNS relays
+  ### Anonymized DNS relays
 
-  [sources.'relays']
-  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/relays.md']
-  cache_file = 'relays.md'
-  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
-  refresh_delay = 72
-  prefix = ''
+  [sources.relays]
+    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md']
+    cache_file = 'relays.md'
+    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+    refresh_delay = 72
+    prefix = ''
 
-  ## Quad9 over DNSCrypt - https://quad9.net/
+  ### ODoH (Oblivious DoH) servers and relays
+
+  # [sources.odoh-servers]
+  #   urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md']
+  #   cache_file = 'odoh-servers.md'
+  #   minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+  #   refresh_delay = 24
+  #   prefix = ''
+  # [sources.odoh-relays]
+  #   urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md']
+  #   cache_file = 'odoh-relays.md'
+  #   minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+  #   refresh_delay = 24
+  #   prefix = ''
+
+  ### Quad9
 
   # [sources.quad9-resolvers]
-  # urls = ['https://www.quad9.net/quad9-resolvers.md']
-  # minisign_key = 'RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN'
-  # cache_file = 'quad9-resolvers.md'
-  # prefix = 'quad9-'
+  #   urls = ['https://www.quad9.net/quad9-resolvers.md']
+  #   minisign_key = 'RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN'
+  #   cache_file = 'quad9-resolvers.md'
+  #   prefix = 'quad9-'
 
-  ## Another example source, with resolvers censoring some websites not appropriate for children
-  ## This is a subset of the `public-resolvers` list, so enabling both is useless
+  ### Another example source, with resolvers censoring some websites not appropriate for children
+  ### This is a subset of the `public-resolvers` list, so enabling both is useless
 
-  #  [sources.'parental-control']
-  #  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://download.dnscrypt.net/resolvers-list/v3/parental-control.md']
-  #  cache_file = 'parental-control.md'
-  #  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+  # [sources.parental-control]
+  #   urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md']
+  #   cache_file = 'parental-control.md'
+  #   minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+
+  ### dnscry.pt servers - See https://www.dnscry.pt
+
+  #  [sources.dnscry-pt-resolvers]
+  #    urls = ["https://www.dnscry.pt/resolvers.md"]
+  #    minisign_key = "RWQM31Nwkqh01x88SvrBL8djp1NH56Rb4mKLHz16K7qsXgEomnDv6ziQ"
+  #    cache_file = "dnscry.pt-resolvers.md"
+  #    refresh_delay = 72
+  #    prefix = "dnscry.pt-"
 
 
 
@@ -692,16 +769,16 @@ cache_neg_max_ttl = 600
 
 [broken_implementations]
 
-# Cisco servers currently cannot handle queries larger than 1472 bytes, and don't
-# truncate reponses larger than questions as expected by the DNSCrypt protocol.
-# This prevents large responses from being received over UDP and over relays.
-#
-# Older versions of the `dnsdist` server software had a bug with queries larger
-# than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but
-# some server may still run an outdated version.
-#
-# The list below enables workarounds to make non-relayed usage more reliable
-# until the servers are fixed.
+## Cisco servers currently cannot handle queries larger than 1472 bytes, and don't
+## truncate responses larger than questions as expected by the DNSCrypt protocol.
+## This prevents large responses from being received over UDP and over relays.
+##
+## Older versions of the `dnsdist` server software had a bug with queries larger
+## than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but
+## some server may still run an outdated version.
+##
+## The list below enables workarounds to make non-relayed usage more reliable
+## until the servers are fixed.
 
 fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cleanbrowsing-adult', 'cleanbrowsing-adult-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-security', 'cleanbrowsing-security-ipv6']
 
@@ -711,17 +788,16 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys
 #        Certificate-based client authentication for DoH        #
 #################################################################
 
-# Use a X509 certificate to authenticate yourself when connecting to DoH servers.
-# This is only useful if you are operating your own, private DoH server(s).
-# 'creds' maps servers to certificates, and supports multiple entries.
-# If you are not using the standard root CA, an optional "root_ca"
-# property set to the path to a root CRT file can be added to a server entry.
+## Use a X509 certificate to authenticate yourself when connecting to DoH servers.
+## This is only useful if you are operating your own, private DoH server(s).
+## 'creds' maps servers to certificates, and supports multiple entries.
+## If you are not using the standard root CA, an optional "root_ca"
+## property set to the path to a root CRT file can be added to a server entry.
 
 [doh_client_x509_auth]
 
-#
 # creds = [
-#    { server_name='myserver', client_cert='client.crt', client_key='client.key' }
+#    { server_name='*', client_cert='client.crt', client_key='client.key' }
 # ]
 
 
@@ -762,48 +838,39 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys
 ## in different countries, operated by different entities, on distinct ISPs...)
 
  routes = [
-    { server_name='acsacsar-ams-ipv4', via=['anon-meganerd', 'anon-scaleway-ams'] },
-    { server_name='arvind-io', via=['anon-dnscrypt.one', 'anon-tiarap'] },
-    { server_name='bcn-dnscrypt', via=['anon-kama', 'anon-scaleway'] },
-    { server_name='d0wn-tz-ns1', via=['anon-dnscrypt.one', 'anon-pwoss.org'] },
-    { server_name='dnscrypt.be', via=['anon-acsacsar-ams-ipv4', 'anon-scaleway'] },
-    { server_name='dnscrypt.ca-1', via=['anon-ev-canada', 'anon-plan9-dns'] },
-    { server_name='dnscrypt.ca-2', via=['anon-ev-canada', 'anon-plan9-dns'] },
-    { server_name='dnscrypt.eu-dk', via=['anon-meganerd', 'anon-scaleway-ams'] },
-    { server_name='dnscrypt.eu-nl', via=['anon-meganerd', 'anon-scaleway-ams'] },
-    { server_name='dnscrypt.one', via=['anon-pwoss.org', 'anon-serbica'] },
-    { server_name='dnscrypt.pl', via=['anon-dnscrypt.one', 'anon-pwoss.org'] },
-    { server_name='dnscrypt.uk-ipv4', via=['anon-kama', 'anon-scaleway'] },
-    { server_name='ev-canada', via=['anon-inconnu', 'anon-plan9-dns'] },
-    { server_name='freetsa.org-ipv4', via=['anon-ev-canada', 'anon-plan9-dns'] },
-    { server_name='jp.tiar.app', via=['anon-dnscrypt.one', 'anon-pwoss.org'] },
-    { server_name='meganerd', via=['anon-acsacsar-ams-ipv4', 'anon-scaleway-ams'] },
-    { server_name='moulticast-ca-ipv4', via=['anon-ev-canada', 'anon-plan9-dns'] },
-    { server_name='moulticast-de-ipv4', via=['anon-dnscrypt.one', 'anon-pwoss.org'] },
-    { server_name='moulticast-fr-ipv4', via=['anon-kama', 'anon-scaleway'] },
-    { server_name='moulticast-sg-ipv4', via=['anon-dnscrypt.one', 'anon-tiarap'] },
-    { server_name='moulticast-uk-ipv4', via=['anon-dnscrypt.uk-ipv4', 'anon-v.dnscrypt.uk-ipv4'] },
-    { server_name='plan9-dns', via=['anon-ev-canada', 'anon-inconnu'] },
-    { server_name='publicarray-au', via=['anon-pwoss.org', 'anon-tiarap'] },
-    { server_name='pwoss.org-dnscrypt', via=['anon-dnscrypt.one', 'anon-serbica'] },
-    { server_name='sarpel-dns-istanbul', via=['anon-bcn', 'anon-kama'] },
-    { server_name='scaleway-ams', via=['anon-acsacsar-ams-ipv4', 'anon-serbica'] },
-    { server_name='scaleway-fr', via=['anon-dnscrypt.uk-ipv4', 'anon-v.dnscrypt.uk-ipv4'] },
-    { server_name='serbica', via=['anon-acsacsar-ams-ipv4', 'anon-scaleway-ams'] },
-    { server_name='v.dnscrypt.uk-ipv4', via=['anon-meganerd', 'anon-scaleway'] },
-    { server_name='ventricle.us', via=['anon-inconnu', 'anon-plan9-dns'] }
+    { server_name='ams-dnscrypt-nl', via=['anon-meganerd', 'anon-scaleway-ams'] },
+    { server_name='d0wn-tz-ns1', via=['anon-arapurayil-in-ipv4', 'anon-cs-rome'] },
+    { server_name='dct-nl', via=['anon-meganerd', 'anon-scaleway-ams'] },
+    { server_name='dct-ru', via=['anon-cs-czech', 'anon-techsaviours.org'] },
+    { server_name='dnscrypt.be', via=['anon-cs-belgium', 'anon-serbica'] },
+    { server_name='dnscrypt.pl', via=['anon-cs-poland', 'anon-techsaviours.org'] },
+    { server_name='dnscrypt.uk-ipv4', via=['anon-cs-london', 'anon-scaleway'] },
+    { server_name='dnswarden-uncensor-dc-swiss', via=['anon-cs-fr', 'anon-kama'] },
+    { server_name='meganerd', via=['anon-scaleway-ams', 'anon-serbica'] },
+    { server_name='openinternet', via=['anon-cs-sea', 'anon-inconnu'] },
+    { server_name='plan9dns-fl', via=['anon-cs-tx', 'anon-inconnu'] },
+    { server_name='plan9dns-mx', via=['anon-cs-tx', 'anon-inconnu'] },
+    { server_name='plan9dns-nj', via=['anon-cs-nyc1', 'anon-inconnu'] },
+    { server_name='pryv8boi', via=['anon-cs-dus1', 'anon-techsaviours.org'] },
+    { server_name='sby-limotelu', via=['anon-cs-sydney', 'anon-tiarap'] },
+    { server_name='scaleway-ams', via=['anon-meganerd', 'anon-serbica'] },
+    { server_name='scaleway-fr', via=['anon-cs-fr', 'anon-dnscrypt.uk-ipv4'] },
+    { server_name='serbica', via=['anon-cs-nl', 'anon-scaleway-ams'] },
+    { server_name='techsaviours.org-dnscrypt', via=['anon-cs-berlin', 'anon-dnswarden-swiss'] },
+    { server_name='v.dnscrypt.uk-ipv4', via=['anon-cs-london', 'anon-scaleway'] }
+#    { server_name='example-server-1', via=['anon-example-1', 'anon-example-2'] },
 #    { server_name='example-server-2', via=['sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM'] }
  ]
 
 
-# Skip resolvers incompatible with anonymization instead of using them directly
+## Skip resolvers incompatible with anonymization instead of using them directly
 
 skip_incompatible = true
 
 
-# If public server certificates for a non-conformant server cannot be
-# retrieved via a relay, try getting them directly. Actual queries
-# will then always go through relays.
+## If public server certificates for a non-conformant server cannot be
+## retrieved via a relay, try getting them directly. Actual queries
+## will then always go through relays.
 
 direct_cert_fallback = false
 
@@ -831,13 +898,15 @@ direct_cert_fallback = false
 
 [dns64]
 
-## (Option 1) Static prefix(es) as Pref64::/n CIDRs.
+## Static prefix(es) as Pref64::/n CIDRs
+
 # prefix = ['64:ff9b::/96']
 
-## (Option 2) DNS64-enabled resolver(s) to discover Pref64::/n CIDRs.
+## DNS64-enabled resolver(s) to discover Pref64::/n CIDRs
 ## These resolvers are used to query for Well-Known IPv4-only Name (WKN) "ipv4only.arpa." to discover only.
 ## Set with your ISP's resolvers in case of custom prefixes (other than Well-Known Prefix 64:ff9b::/96).
 ## IMPORTANT: Default resolvers listed below support Well-Known Prefix 64:ff9b::/96 only.
+
 # resolver = ['[2606:4700:4700::64]:53', '[2001:4860:4860::64]:53']
 
 
@@ -851,5 +920,5 @@ direct_cert_fallback = false
 
 [static]
 
-  # [static.'myserver']
-  # stamp = 'sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'
+  # [static.myserver]
+  #   stamp = 'sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'

config/example-docs/example-allowed-ips.txt

@@ -1,7 +0,0 @@
-##############################
-#   Allowed IPs List         #
-##############################
-
-#192.168.0.*
-#fe80:53:*          # IPv6 prefix example
-#81.169.145.105

config/example-docs/example-allowed-names.txt

@@ -1,31 +0,0 @@
-
-###########################
-#        Allowlist        #
-###########################
-
-## Rules for allowing queries based on name, one per line
-##
-## Example of valid patterns:
-##
-## ads.*         | matches anything with an "ads." prefix
-## *.example.com | matches example.com and all names within that zone such as www.example.com
-## example.com   | identical to the above
-## =example.com  | allows example.com but not *.example.com
-## *sex*         | matches any name containing that substring
-## ads[0-9]*     | matches "ads" followed by one or more digits
-## ads*.example* | *, ? and [] can be used anywhere, but prefixes/suffixes are faster
-
-
-# That one may be blocked due to 'tracker' being in the name.
-tracker.debian.org
-
-# That one may be blocked due to 'ads' being in the name.
-# However, blocking it prevents all sponsored links from the Google
-# search engine from being opened.
-googleadservices.com
-
-
-## Time-based rules
-
-# *.youtube.*  @time-to-play
-# facebook.com @play

config/example-docs/example-blocked-ips.txt

@@ -1,15 +0,0 @@
-##############################
-#        IP blocklist        #
-##############################
-
-## Rules for IP-based response blocking
-##
-## Sample feeds of suspect IP addresses:
-## - https://github.com/stamparm/ipsum
-## - https://github.com/tg12/bad_packets_blocklist
-## - https://isc.sans.edu/block.txt
-## - https://block.energized.pro/extensions/ips/formats/list.txt
-
-163.5.1.4
-94.46.118.*
-fe80:53:*          # IPv6 prefix example

config/example-docs/example-blocked-names.txt

@@ -1,38 +0,0 @@
-
-###########################
-#        Blocklist        #
-###########################
-
-## Rules for name-based query blocking, one per line
-##
-## Example of valid patterns:
-##
-## ads.*         | matches anything with an "ads." prefix
-## *.example.com | matches example.com and all names within that zone such as www.example.com
-## example.com   | identical to the above
-## =example.com  | block example.com but not *.example.com
-## *sex*         | matches any name containing that substring
-## ads[0-9]*     | matches "ads" followed by one or more digits
-## ads*.example* | *, ? and [] can be used anywhere, but prefixes/suffixes are faster
-
-ad.*
-ads.*
-banner.*
-banners.*
-creatives.*
-oas.*
-oascentral.*        # inline comments are allowed after a pound sign
-stats.*
-tag.*
-telemetry.*
-tracker.*
-*.local
-eth0.me
-*.workgroup
-
-
-
-## Time-based rules
-
-# *.youtube.*  @time-to-sleep
-# facebook.com @work

config/example-docs/example-captive-portals.txt

@@ -1,22 +0,0 @@
-###########################################
-#        Captive portal test names        #
-###########################################
-
-## Some operating systems send queries to these names after a network change,
-## in order to check if connectivity beyond the router is possible without
-## going through a captive portal.
-##
-## This is a list of hard-coded IP addresses that will be returned when queries
-## for these names are received, even before the operating system an interface
-## as usable for reaching the Internet.
-##
-## Note that IPv6 addresses don't need to be specified within brackets,
-## as there are no port numbers.
-
-captive.apple.com               17.253.109.201, 17.253.113.202
-connectivitycheck.gstatic.com   64.233.162.94, 64.233.164.94, 64.233.165.94, 64.233.177.94, 64.233.185.94, 74.125.132.94, 74.125.136.94, 74.125.20.94, 74.125.21.94, 74.125.28.94
-connectivitycheck.android.com   64.233.162.100, 64.233.162.101, 64.233.162.102, 64.233.162.113, 64.233.162.138, 64.233.162.139
-www.msftncsi.com                95.100.252.49, 95.100.252.8, 2.19.98.8, 2.19.98.59, 88.221.113.88, 88.221.113.43, 88.221.113.49, 88.221.113.75
-dns.msftncsi.com                131.107.255.255, fd3e:4f5a:5b81::1
-www.msftconnecttest.com         13.107.4.52
-ipv4only.arpa                   192.0.0.170, 192.0.0.171

config/example-docs/example-cloaking-rules.txt

@@ -1,37 +0,0 @@
-################################
-#        Cloaking rules        #
-################################
-
-# The following example rules force "safe" (without adult content) search
-# results from Google, Bing and YouTube.
-#
-# This has to be enabled with the `cloaking_rules` parameter in the main
-# configuration file
-
-
-www.google.*             forcesafesearch.google.com
-
-www.bing.com             strict.bing.com
-
-yandex.ru                familysearch.yandex.ru       # inline comments are allowed after a pound sign
-
-=duckduckgo.com          safe.duckduckgo.com
-
-www.youtube.com          restrictmoderate.youtube.com
-m.youtube.com            restrictmoderate.youtube.com
-youtubei.googleapis.com  restrictmoderate.youtube.com
-youtube.googleapis.com   restrictmoderate.youtube.com
-www.youtube-nocookie.com restrictmoderate.youtube.com
-
-# Multiple IP entries for the same name are supported.
-# In the following example, the same name maps both to IPv4 and IPv6 addresses:
-
-localhost                127.0.0.1
-localhost                ::1
-
-# For load-balancing, multiple IP addresses of the same class can also be
-# provided using the same format, one <pattern> <ip> pair per line.
-
-# ads.*                 192.168.100.1
-# ads.*                 192.168.100.2
-# ads.*                 ::1

config/example-docs/example-dnscrypt-proxy.toml

@@ -1,826 +0,0 @@
-
-##############################################
-#                                            #
-#        dnscrypt-proxy configuration        #
-#                                            #
-##############################################
-
-## This is an example configuration file.
-## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"
-##
-## Online documentation is available here: https://dnscrypt.info/doc
-
-
-
-##################################
-#         Global settings        #
-##################################
-
-## List of servers to use
-##
-## Servers from the "public-resolvers" source (see down below) can
-## be viewed here: https://dnscrypt.info/public-servers
-##
-## The proxy will automatically pick working servers from this list.
-## Note that the require_* filters do NOT apply when using this setting.
-##
-## By default, this list is empty and all registered servers matching the
-## require_* filters will be used instead.
-##
-## Remove the leading # first to enable this; lines starting with # are ignored.
-
-# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
-
-
-## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
-## Example with both IPv4 and IPv6:
-## listen_addresses = ['127.0.0.1:53', '[::1]:53']
-
-listen_addresses = ['127.0.0.1:53']
-
-
-## Maximum number of simultaneous client connections to accept
-
-max_clients = 250
-
-
-## Switch to a different system user after listening sockets have been created.
-## Note (1): this feature is currently unsupported on Windows.
-## Note (2): this feature is not compatible with systemd socket activation.
-## Note (3): when using -pidfile, the PID file directory must be writable by the new user
-
-# user_name = 'nobody'
-
-
-## Require servers (from static + remote sources) to satisfy specific properties
-
-# Use servers reachable over IPv4
-ipv4_servers = true
-
-# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
-ipv6_servers = false
-
-# Use servers implementing the DNSCrypt protocol
-dnscrypt_servers = true
-
-# Use servers implementing the DNS-over-HTTPS protocol
-doh_servers = true
-
-
-## Require servers defined by remote sources to satisfy specific properties
-
-# Server must support DNS security extensions (DNSSEC)
-require_dnssec = false
-
-# Server must not log user queries (declarative)
-require_nolog = true
-
-# Server must not enforce its own blocklist (for parental control, ads blocking...)
-require_nofilter = true
-
-# Server names to avoid even if they match all criteria
-disabled_server_names = []
-
-
-## Always use TCP to connect to upstream servers.
-## This can be useful if you need to route everything through Tor.
-## Otherwise, leave this to `false`, as it doesn't improve security
-## (dnscrypt-proxy will always encrypt everything even using UDP), and can
-## only increase latency.
-
-force_tcp = false
-
-
-## SOCKS proxy
-## Uncomment the following line to route all TCP connections to a local Tor node
-## Tor doesn't support UDP, so set `force_tcp` to `true` as well.
-
-# proxy = 'socks5://127.0.0.1:9050'
-
-
-## HTTP/HTTPS proxy
-## Only for DoH servers
-
-# http_proxy = 'http://127.0.0.1:8888'
-
-
-## How long a DNS query will wait for a response, in milliseconds.
-## If you have a network with *a lot* of latency, you may need to
-## increase this. Startup may be slower if you do so.
-## Don't increase it too much. 10000 is the highest reasonable value.
-
-timeout = 5000
-
-
-## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds
-
-keepalive = 30
-
-
-## Add EDNS-client-subnet information to outgoing queries
-##
-## Multiple networks can be listed; they will be randomly chosen.
-## These networks don't have to match your actual networks.
-
-# edns_client_subnet = ["0.0.0.0/0", "2001:db8::/32"]
-
-
-## Response for blocked queries. Options are `refused`, `hinfo` (default) or
-## an IP response. To give an IP response, use the format `a:<IPv4>,aaaa:<IPv6>`.
-## Using the `hinfo` option means that some responses will be lies.
-## Unfortunately, the `hinfo` option appears to be required for Android 8+
-
-# blocked_query_response = 'refused'
-
-
-## Load-balancing strategy: 'p2' (default), 'ph', 'p<n>', 'first' or 'random'
-## Randomly choose 1 of the fastest 2, half, n, 1 or all live servers by latency.
-## The response quality still depends on the server itself.
-
-# lb_strategy = 'p2'
-
-## Set to `true` to constantly try to estimate the latency of all the resolvers
-## and adjust the load-balancing parameters accordingly, or to `false` to disable.
-## Default is `true` that makes 'p2' `lb_strategy` work well.
-
-# lb_estimator = true
-
-
-## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)
-
-# log_level = 2
-
-
-## Log file for the application, as an alternative to sending logs to
-## the standard system logging service (syslog/Windows event log).
-##
-## This file is different from other log files, and will not be
-## automatically rotated by the application.
-
-# log_file = 'dnscrypt-proxy.log'
-
-
-## When using a log file, only keep logs from the most recent launch.
-
-# log_file_latest = true
-
-
-## Use the system logger (syslog on Unix, Event Log on Windows)
-
-# use_syslog = true
-
-
-## Delay, in minutes, after which certificates are reloaded
-
-cert_refresh_delay = 240
-
-
-## DNSCrypt: Create a new, unique key for every single DNS query
-## This may improve privacy but can also have a significant impact on CPU usage
-## Only enable if you don't have a lot of network load
-
-# dnscrypt_ephemeral_keys = false
-
-
-## DoH: Disable TLS session tickets - increases privacy but also latency
-
-# tls_disable_session_tickets = false
-
-
-## DoH: Use a specific cipher suite instead of the server preference
-## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
-## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
-##  4865 = TLS_AES_128_GCM_SHA256
-##  4867 = TLS_CHACHA20_POLY1305_SHA256
-##
-## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
-## the following suite improves performance.
-## This may also help on Intel CPUs running 32-bit operating systems.
-##
-## Keep tls_cipher_suite empty if you have issues fetching sources or
-## connecting to some DoH servers. Google and Cloudflare are fine with it.
-
-# tls_cipher_suite = [52392, 49199]
-
-
-## Fallback resolvers
-## These are normal, non-encrypted DNS resolvers, that will be only used
-## for one-shot queries when retrieving the initial resolvers list, and
-## only if the system DNS configuration doesn't work.
-##
-## No user application queries will ever be leaked through these resolvers,
-## and they will not be used after IP addresses of resolvers URLs have been found.
-## They will never be used if lists have already been cached, and if stamps
-## don't include host names without IP addresses.
-##
-## They will not be used if the configured system DNS works.
-## Resolvers supporting DNSSEC are recommended, and, if you are using
-## DoH, fallback resolvers should ideally be operated by a different entity than
-## the DoH servers you will be using, especially if you have IPv6 enabled.
-##
-## People in China may need to use 114.114.114.114:53 here.
-## Other popular options include 8.8.8.8 and 1.1.1.1.
-##
-## If more than one resolver is specified, they will be tried in sequence.
-
-fallback_resolvers = ['9.9.9.9:53', '8.8.8.8:53']
-
-
-## Always use the fallback resolver before the system DNS settings.
-
-ignore_system_dns = true
-
-
-## Maximum time (in seconds) to wait for network connectivity before
-## initializing the proxy.
-## Useful if the proxy is automatically started at boot, and network
-## connectivity is not guaranteed to be immediately available.
-## Use 0 to not test for connectivity at all (not recommended),
-## and -1 to wait as much as possible.
-
-netprobe_timeout = 60
-
-## Address and port to try initializing a connection to, just to check
-## if the network is up. It can be any address and any port, even if
-## there is nothing answering these on the other side. Just don't use
-## a local address, as the goal is to check for Internet connectivity.
-## On Windows, a datagram with a single, nul byte will be sent, only
-## when the system starts.
-## On other operating systems, the connection will be initialized
-## but nothing will be sent at all.
-
-netprobe_address = '9.9.9.9:53'
-
-
-## Offline mode - Do not use any remote encrypted servers.
-## The proxy will remain fully functional to respond to queries that
-## plugins can handle directly (forwarding, cloaking, ...)
-
-# offline_mode = false
-
-
-## Additional data to attach to outgoing queries.
-## These strings will be added as TXT records to queries.
-## Do not use, except on servers explicitly asking for extra data
-## to be present.
-## encrypted-dns-server can be configured to use this for access control
-## in the [access_control] section
-
-# query_meta = ['key1:value1', 'key2:value2', 'token:MySecretToken']
-
-
-## Automatic log files rotation
-
-# Maximum log files size in MB - Set to 0 for unlimited.
-log_files_max_size = 10
-
-# How long to keep backup files, in days
-log_files_max_age = 7
-
-# Maximum log files backups to keep (or 0 to keep all backups)
-log_files_max_backups = 1
-
-
-
-#########################
-#        Filters        #
-#########################
-
-## Note: if you are using dnsmasq, disable the `dnssec` option in dnsmasq if you
-## configure dnscrypt-proxy to do any kind of filtering (including the filters
-## below and blocklists).
-## You can still choose resolvers that do DNSSEC validation.
-
-
-## Immediately respond to IPv6-related queries with an empty response
-## This makes things faster when there is no IPv6 connectivity, but can
-## also cause reliability issues with some stub resolvers.
-
-block_ipv6 = false
-
-
-## Immediately respond to A and AAAA queries for host names without a domain name
-
-block_unqualified = true
-
-
-## Immediately respond to queries for local zones instead of leaking them to
-## upstream resolvers (always causing errors or timeouts).
-
-block_undelegated = true
-
-
-## TTL for synthetic responses sent when a request has been blocked (due to
-## IPv6 or blocklists).
-
-reject_ttl = 600
-
-
-
-##################################################################################
-#        Route queries for specific domains to a dedicated set of servers        #
-##################################################################################
-
-## See the `example-forwarding-rules.txt` file for an example
-
-# forwarding_rules = 'forwarding-rules.txt'
-
-
-
-###############################
-#        Cloaking rules       #
-###############################
-
-## Cloaking returns a predefined address for a specific name.
-## In addition to acting as a HOSTS file, it can also return the IP address
-## of a different name. It will also do CNAME flattening.
-##
-## See the `example-cloaking-rules.txt` file for an example
-
-# cloaking_rules = 'cloaking-rules.txt'
-
-## TTL used when serving entries in cloaking-rules.txt
-
-# cloak_ttl = 600
-
-
-
-###########################
-#        DNS cache        #
-###########################
-
-## Enable a DNS cache to reduce latency and outgoing traffic
-
-cache = true
-
-
-## Cache size
-
-cache_size = 4096
-
-
-## Minimum TTL for cached entries
-
-cache_min_ttl = 2400
-
-
-## Maximum TTL for cached entries
-
-cache_max_ttl = 86400
-
-
-## Minimum TTL for negatively cached entries
-
-cache_neg_min_ttl = 60
-
-
-## Maximum TTL for negatively cached entries
-
-cache_neg_max_ttl = 600
-
-
-
-########################################
-#        Captive portal handling       #
-########################################
-
-[captive_portals]
-
-## A file that contains a set of names used by operating systems to
-## check for connectivity and captive portals, along with hard-coded
-## IP addresses to return.
-
-# map_file = 'example-captive-portals.txt'
-
-
-
-##################################
-#        Local DoH server        #
-##################################
-
-[local_doh]
-
-## dnscrypt-proxy can act as a local DoH server. By doing so, web browsers
-## requiring a direct connection to a DoH server in order to enable some
-## features will enable these, without bypassing your DNS proxy.
-
-## Addresses that the local DoH server should listen to
-
-# listen_addresses = ['127.0.0.1:3000']
-
-
-## Path of the DoH URL. This is not a file, but the part after the hostname
-## in the URL. By convention, `/dns-query` is frequently chosen.
-## For each `listen_address` the complete URL to access the server will be:
-## `https://<listen_address><path>` (ex: `https://127.0.0.1/dns-query`)
-
-# path = '/dns-query'
-
-
-## Certificate file and key - Note that the certificate has to be trusted.
-## See the documentation (wiki) for more information.
-
-# cert_file = 'localhost.pem'
-# cert_key_file = 'localhost.pem'
-
-
-
-###############################
-#        Query logging        #
-###############################
-
-## Log client queries to a file
-
-[query_log]
-
-  ## Path to the query log file (absolute, or relative to the same directory as the config file)
-  ## Can be set to /dev/stdout in order to log to the standard output.
-
-  # file = 'query.log'
-
-
-  ## Query log format (currently supported: tsv and ltsv)
-
-  format = 'tsv'
-
-
-  ## Do not log these query types, to reduce verbosity. Keep empty to log everything.
-
-  # ignored_qtypes = ['DNSKEY', 'NS']
-
-
-
-############################################
-#        Suspicious queries logging        #
-############################################
-
-## Log queries for nonexistent zones
-## These queries can reveal the presence of malware, broken/obsolete applications,
-## and devices signaling their presence to 3rd parties.
-
-[nx_log]
-
-  ## Path to the query log file (absolute, or relative to the same directory as the config file)
-
-  # file = 'nx.log'
-
-
-  ## Query log format (currently supported: tsv and ltsv)
-
-  format = 'tsv'
-
-
-
-######################################################
-#        Pattern-based blocking (blocklists)        #
-######################################################
-
-## Blocklists are made of one pattern per line. Example of valid patterns:
-##
-##   example.com
-##   =example.com
-##   *sex*
-##   ads.*
-##   ads*.example.*
-##   ads*.example[0-9]*.com
-##
-## Example blocklist files can be found at https://download.dnscrypt.info/blocklists/
-## A script to build blocklists from public feeds can be found in the
-## `utils/generate-domains-blocklists` directory of the dnscrypt-proxy source code.
-
-[blocked_names]
-
-  ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
-
-  # blocked_names_file = 'blocked-names.txt'
-
-
-  ## Optional path to a file logging blocked queries
-
-  # log_file = 'blocked-names.log'
-
-
-  ## Optional log format: tsv or ltsv (default: tsv)
-
-  # log_format = 'tsv'
-
-
-
-###########################################################
-#        Pattern-based IP blocking (IP blocklists)        #
-###########################################################
-
-## IP blocklists are made of one pattern per line. Example of valid patterns:
-##
-##   127.*
-##   fe80:abcd:*
-##   192.168.1.4
-
-[blocked_ips]
-
-  ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
-
-  # blocked_ips_file = 'blocked-ips.txt'
-
-
-  ## Optional path to a file logging blocked queries
-
-  # log_file = 'blocked-ips.log'
-
-
-  ## Optional log format: tsv or ltsv (default: tsv)
-
-  # log_format = 'tsv'
-
-
-
-######################################################
-#   Pattern-based allow lists (blocklists bypass)   #
-######################################################
-
-## Allowlists support the same patterns as blocklists
-## If a name matches an allowlist entry, the corresponding session
-## will bypass names and IP filters.
-##
-## Time-based rules are also supported to make some websites only accessible at specific times of the day.
-
-[allowed_names]
-
-  ## Path to the file of allow list rules (absolute, or relative to the same directory as the config file)
-
-  # allowed_names_file = 'allowed-names.txt'
-
-
-  ## Optional path to a file logging allowed queries
-
-  # log_file = 'allowed-names.log'
-
-
-  ## Optional log format: tsv or ltsv (default: tsv)
-
-  # log_format = 'tsv'
-
-
-
-#########################################################
-#   Pattern-based allowed IPs lists (blocklists bypass) #
-#########################################################
-
-## Allowed IP lists support the same patterns as IP blocklists
-## If an IP response matches an allow ip entry, the corresponding session
-## will bypass IP filters.
-##
-## Time-based rules are also supported to make some websites only accessible at specific times of the day.
-
-[allowed_ips]
-
-  ## Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file)
-
-  # allowed_ips_file = 'allowed-ips.txt'
-
-
-  ## Optional path to a file logging allowed queries
-
-  # log_file = 'allowed-ips.log'
-
-  ## Optional log format: tsv or ltsv (default: tsv)
-
-  # log_format = 'tsv'
-
-
-
-##########################################
-#        Time access restrictions        #
-##########################################
-
-## One or more weekly schedules can be defined here.
-## Patterns in the name-based blocked_names file can optionally be followed with @schedule_name
-## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
-##
-## For example, the following rule in a blocklist file:
-## *.youtube.* @time-to-sleep
-## would block access to YouTube during the times defined by the 'time-to-sleep' schedule.
-##
-## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
-## {after= '9:00', before='18:00'} matches 9:00-18:00
-
-[schedules]
-
-  # [schedules.'time-to-sleep']
-  # mon = [{after='21:00', before='7:00'}]
-  # tue = [{after='21:00', before='7:00'}]
-  # wed = [{after='21:00', before='7:00'}]
-  # thu = [{after='21:00', before='7:00'}]
-  # fri = [{after='23:00', before='7:00'}]
-  # sat = [{after='23:00', before='7:00'}]
-  # sun = [{after='21:00', before='7:00'}]
-
-  # [schedules.'work']
-  # mon = [{after='9:00', before='18:00'}]
-  # tue = [{after='9:00', before='18:00'}]
-  # wed = [{after='9:00', before='18:00'}]
-  # thu = [{after='9:00', before='18:00'}]
-  # fri = [{after='9:00', before='17:00'}]
-
-
-
-#########################
-#        Servers        #
-#########################
-
-## Remote lists of available servers
-## Multiple sources can be used simultaneously, but every source
-## requires a dedicated cache file.
-##
-## Refer to the documentation for URLs of public sources.
-##
-## A prefix can be prepended to server names in order to
-## avoid collisions if different sources share the same for
-## different servers. In that case, names listed in `server_names`
-## must include the prefixes.
-##
-## If the `urls` property is missing, cache files and valid signatures
-## must already be present. This doesn't prevent these cache files from
-## expiring after `refresh_delay` hours.
-## Cache freshness is checked every 24 hours, so values for 'refresh_delay'
-## of less than 24 hours will have no effect.
-## A maximum delay of 168 hours (1 week) is imposed to ensure cache freshness.
-
-[sources]
-
-  ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
-
-  [sources.'public-resolvers']
-  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://download.dnscrypt.net/resolvers-list/v3/public-resolvers.md']
-  cache_file = 'public-resolvers.md'
-  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
-  refresh_delay = 72
-  prefix = ''
-
-  ## Anonymized DNS relays
-
-  [sources.'relays']
-  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/relays.md']
-  cache_file = 'relays.md'
-  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
-  refresh_delay = 72
-  prefix = ''
-
-  ## Quad9 over DNSCrypt - https://quad9.net/
-
-  # [sources.quad9-resolvers]
-  # urls = ['https://www.quad9.net/quad9-resolvers.md']
-  # minisign_key = 'RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN'
-  # cache_file = 'quad9-resolvers.md'
-  # prefix = 'quad9-'
-
-  ## Another example source, with resolvers censoring some websites not appropriate for children
-  ## This is a subset of the `public-resolvers` list, so enabling both is useless
-
-  #  [sources.'parental-control']
-  #  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://download.dnscrypt.net/resolvers-list/v3/parental-control.md']
-  #  cache_file = 'parental-control.md'
-  #  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
-
-
-
-#########################################
-#        Servers with known bugs        #
-#########################################
-
-[broken_implementations]
-
-# Cisco servers currently cannot handle queries larger than 1472 bytes, and don't
-# truncate reponses larger than questions as expected by the DNSCrypt protocol.
-# This prevents large responses from being received over UDP and over relays.
-#
-# Older versions of the `dnsdist` server software had a bug with queries larger
-# than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but
-# some server may still run an outdated version.
-#
-# The list below enables workarounds to make non-relayed usage more reliable
-# until the servers are fixed.
-
-fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cleanbrowsing-adult', 'cleanbrowsing-adult-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-security', 'cleanbrowsing-security-ipv6']
-
-
-
-#################################################################
-#        Certificate-based client authentication for DoH        #
-#################################################################
-
-# Use a X509 certificate to authenticate yourself when connecting to DoH servers.
-# This is only useful if you are operating your own, private DoH server(s).
-# 'creds' maps servers to certificates, and supports multiple entries.
-# If you are not using the standard root CA, an optional "root_ca"
-# property set to the path to a root CRT file can be added to a server entry.
-
-[doh_client_x509_auth]
-
-#
-# creds = [
-#    { server_name='myserver', client_cert='client.crt', client_key='client.key' }
-# ]
-
-
-
-################################
-#        Anonymized DNS        #
-################################
-
-[anonymized_dns]
-
-## Routes are indirect ways to reach DNSCrypt servers.
-##
-## A route maps a server name ("server_name") to one or more relays that will be
-## used to connect to that server.
-##
-## A relay can be specified as a DNS Stamp (either a relay stamp, or a
-## DNSCrypt stamp) or a server name.
-##
-## The following example routes "example-server-1" via `anon-example-1` or `anon-example-2`,
-## and "example-server-2" via the relay whose relay DNS stamp is
-## "sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM".
-##
-## !!! THESE ARE JUST EXAMPLES !!!
-##
-## Review the list of available relays from the "relays.md" file, and, for each
-## server you want to use, define the relays you want connections to go through.
-##
-## Carefully choose relays and servers so that they are run by different entities.
-##
-## "server_name" can also be set to "*" to define a default route, for all servers:
-## { server_name='*', via=['anon-example-1', 'anon-example-2'] }
-##
-## If a route is ["*"], the proxy automatically picks a relay on a distinct network.
-## { server_name='*', via=['*'] } is also an option, but is likely to be suboptimal.
-##
-## Manual selection is always recommended over automatic selection, so that you can
-## select (relay,server) pairs that work well and fit your own criteria (close by or
-## in different countries, operated by different entities, on distinct ISPs...)
-
-# routes = [
-#    { server_name='example-server-1', via=['anon-example-1', 'anon-example-2'] },
-#    { server_name='example-server-2', via=['sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM'] }
-# ]
-
-
-# Skip resolvers incompatible with anonymization instead of using them directly
-
-skip_incompatible = false
-
-
-# If public server certificates for a non-conformant server cannot be
-# retrieved via a relay, try getting them directly. Actual queries
-# will then always go through relays.
-
-# direct_cert_fallback = false
-
-
-
-###############################
-#            DNS64            #
-###############################
-
-## DNS64 is a mechanism for synthesizing AAAA records from A records.
-## It is used with an IPv6/IPv4 translator to enable client-server
-## communication between an IPv6-only client and an IPv4-only server,
-## without requiring any changes to either the IPv6 or the IPv4 node,
-## for the class of applications that work through NATs.
-##
-## There are two options to synthesize such records:
-## Option 1: Using a set of static IPv6 prefixes;
-## Option 2: By discovering the IPv6 prefix from DNS64-enabled resolver.
-##
-## If both options are configured - only static prefixes are used.
-## (Ref. RFC6147, RFC6052, RFC7050)
-##
-## Do not enable unless you know what DNS64 is and why you need it, or else
-## you won't be able to connect to anything at all.
-
-[dns64]
-
-## (Option 1) Static prefix(es) as Pref64::/n CIDRs.
-# prefix = ['64:ff9b::/96']
-
-## (Option 2) DNS64-enabled resolver(s) to discover Pref64::/n CIDRs.
-## These resolvers are used to query for Well-Known IPv4-only Name (WKN) "ipv4only.arpa." to discover only.
-## Set with your ISP's resolvers in case of custom prefixes (other than Well-Known Prefix 64:ff9b::/96).
-## IMPORTANT: Default resolvers listed below support Well-Known Prefix 64:ff9b::/96 only.
-# resolver = ['[2606:4700:4700::64]:53', '[2001:4860:4860::64]:53']
-
-
-
-########################################
-#            Static entries            #
-########################################
-
-## Optional, local, static list of additional servers
-## Mostly useful for testing your own servers.
-
-[static]
-
-  # [static.'myserver']
-  # stamp = 'sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'

config/example-docs/example-forwarding-rules.txt

@@ -1,25 +0,0 @@
-##################################
-#        Forwarding rules        #
-##################################
-
-## This is used to route specific domain names to specific servers.
-## The general format is:
-## <domain> <server address>[:port] [, <server address>[:port]...]
-## IPv6 addresses can be specified by enclosing the address in square brackets.
-
-## In order to enable this feature, the "forwarding_rules" property needs to
-## be set to this file name inside the main configuration file.
-
-## Blocking IPv6 may prevent local devices from being discovered.
-## If this happens, set `block_ipv6` to `false` in the main config file.
-
-## Forward *.lan, *.local, *.home, *.home.arpa, *.internal and *.localdomain to 192.168.1.1
-# lan             192.168.1.1
-# local           192.168.1.1
-# home            192.168.1.1
-# home.arpa       192.168.1.1
-# internal        192.168.1.1
-# localdomain     192.168.1.1
-
-## Forward queries for example.com and *.example.com to 9.9.9.9 and 8.8.8.8
-# example.com     9.9.9.9,8.8.8.8

config/example-docs/localhost.pem

@@ -1,47 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDb7g6EQhbfby97
-k4oMbZTzdi2TWFBs7qK/QwgOu+L6EhNHPO1ZEU29v0APFBFJO5zyyAk9bZ9k9tPB
-bCuVVI9jEUfLH3UCjEQPG6XI2w++uVh0yALvc/uurCvRHVlle/V7cAoikndc2SjE
-RQUALbACIqwD5g0F77BYwcsreB4GH253/R6Q2/CJZ4jNHPjkocOJiVr3ejA0kkoN
-MXpGUXWcrVVk20M2A1CeO7HAulLRcklEdoHE3v46pjp0iZK0F9LyZX1U1ql+4QL3
-iQttoZ4tMg83lFHSt4G9PrpIhzXr9W4NW822faSvrIwwN/JbItUmRa7n/3+MkuJQ
-IGGNDayXAgMBAAECggEBANs0fmGSocuXvYL1Pi4+9qxnCOwIpTi97Zam0BwnZwcL
-Bw4FCyiwV4UdX1LoFIailT9i49rHLYzre4oZL6OKgdQjQCSTuQOOHLPWQbpdpWba
-w/C5/jr+pkemMZIfJ6BAGiArPt7Qj4oKpFhj1qUj5H9sYXkNTcOx8Fm25rLv6TT9
-O7wg0oCpyG+iBSbCYBp9mDMz8pfo4P3BhcFiyKCKeiAC6KuHU81dvuKeFB4XQK+X
-no2NqDqe6MBkmTqjNNy+wi1COR7lu34LPiWU5Hq5PdIEqBBUMjlMI6oYlhlgNTdx
-SvsqFz3Xs6kpAhJTrSiAqscPYosgaMQxo+LI26PJnikCgYEA9n0OERkm0wSBHnHY
-Kx8jaxNYg93jEzVnEgI/MBTJZqEyCs9fF6Imv737VawEN/BhesZZX7bGZQfDo8AT
-aiSa5upkkSGXEqTu5ytyoKFTb+dJ/qmx3+zP6dPVzDnc8WPYMoUg7vvjZkXXJgZX
-+oMlMUW1wWiDNI3wP19W9Is6xssCgYEA5GqkUBEns6eTFJV0JKqbEORJJ7lx5NZe
-cIx+jPpLkILG4mOKOg1TBx0wkxa9cELtsNsM+bPtu9OqRMhsfPBmsXDHhJwg0Z6G
-eDTfYYPkpRhwZvl6jBZn9sLVR9wfg2hE+n0lfV3mceg336KOkwAehDU84SWZ2e0S
-esqkpbHJa+UCgYA7PY0O8POSzcdWkNf6bS5vAqRIdSCpMjGGc4HKRYSuJNnJHVPm
-czNK7Bcm3QPaiexzvI4oYd5G09niVjyUSx3rl7P56Y/MjFVau+d90agjAfyXtyMo
-BVtnAGGnBtUiMvP4GGT06xcZMnnmCqpEbBaZQ/7N8Bdwnxh5sqlMdtX2hwKBgAhL
-hyQRO2vezgyVUN50A6WdZLq4lVZGIq/bqkzcWhopZaebDc4F5doASV9OGBsXkyI1
-EkePLTcA/NH6pVX0NQaEnfpG4To7k46R/PrBm3ATbyGONdEYjzX65VvytoJDKx4d
-pVrkKhZA5KaOdLcJ7hHHDSrv/qJXZbBn44rQ5guxAoGBAJ6oeUsUUETakxlmIhmK
-xuQmWqLf97BKt8r6Z8CqHKWK7vpG2OmgFYCQGaR7angQ8hmAOv6jM56XhoagDBoc
-UoaoEyo9/uCk6NRUkUMj7Tk/5UQSiWLceVH27w+icMFhf1b7EmmNfk+APsiathO5
-j4edf1AinVCPwRVVu1dtLL5P
------END PRIVATE KEY-----
------BEGIN CERTIFICATE-----
-MIIDAjCCAeoCCQCptj0+TjjIJjANBgkqhkiG9w0BAQsFADBDMREwDwYDVQQKDAhE
-TlNDcnlwdDEaMBgGA1UECwwRTG9jYWwgdGVzdCBzZXJ2ZXIxEjAQBgNVBAMMCWxv
-Y2FsaG9zdDAeFw0xOTExMTgxNDA2MzBaFw0zMzA3MjcxNDA2MzBaMEMxETAPBgNV
-BAoMCEROU0NyeXB0MRowGAYDVQQLDBFMb2NhbCB0ZXN0IHNlcnZlcjESMBAGA1UE
-AwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2+4O
-hEIW328ve5OKDG2U83Ytk1hQbO6iv0MIDrvi+hITRzztWRFNvb9ADxQRSTuc8sgJ
-PW2fZPbTwWwrlVSPYxFHyx91AoxEDxulyNsPvrlYdMgC73P7rqwr0R1ZZXv1e3AK
-IpJ3XNkoxEUFAC2wAiKsA+YNBe+wWMHLK3geBh9ud/0ekNvwiWeIzRz45KHDiYla
-93owNJJKDTF6RlF1nK1VZNtDNgNQnjuxwLpS0XJJRHaBxN7+OqY6dImStBfS8mV9
-VNapfuEC94kLbaGeLTIPN5RR0reBvT66SIc16/VuDVvNtn2kr6yMMDfyWyLVJkWu
-5/9/jJLiUCBhjQ2slwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA6Vz5HnGuy8jZz
-5i8ipbcDMCZNdpYYnxgD53hEKOfoSv7LaF0ztD8Kmg3s5LHv9EHlkK3+G6FWRGiP
-9f6IbtRITaiVQP3M13T78hpN5Qq5jgsqjR7ZcN7Etr6ZFd7G/0+mzqbyBuW/3szt
-RdX/YLy1csvjbZoNNuXGWRohXjg0Mjko2tRLmARvxA/gZV5zWycv3BD2BPzyCdS9
-MDMYSF0RPiL8+alfwLNqLcqMA5liHlmZa85uapQyoUI3ksKJkEgU53aD8cYhH9Yn
-6mVpsrvrcRLBiHlbi24QBolhFkCSRK8bXes8XDIPuD8iYRwlrVBwOakMFQWMqNfI
-IMOKJomU
------END CERTIFICATE-----

customize.sh

@@ -1,9 +1,9 @@
   ui_print " "
   ui_print "******************************"
   ui_print "*   dnscrypt-proxy-android   *"
-  ui_print "*           2.0.45           *"
+  ui_print "*            2.1.5           *"
   ui_print "******************************"
-  ui_print "*         quindecim          *"
+  ui_print "*            d3cim           *"
   ui_print "******************************"
   ui_print " "
 
@@ -27,7 +27,7 @@ mkdir -p $MODPATH/system/bin
 
 # Create the path for the configuration files
 ui_print "* Creating the config. path."
-mkdir -p /data/media/0/dnscrypt-proxy
+mkdir -p /storage/emulated/0/dnscrypt-proxy
 
 # Copy the binary files into the right folder
 if [ -f "$BINARY_PATH" ]; then
@@ -38,7 +38,7 @@ else
 fi
 
 # Backup an existing config file before proceed
-CONFIG_FILE="/data/media/0/dnscrypt-proxy/dnscrypt-proxy.toml"
+CONFIG_FILE="/storage/emulated/0/dnscrypt-proxy/dnscrypt-proxy.toml"
 
 if [ -f "$CONFIG_FILE" ]; then
 ui_print "* Backing up the existing config. file before proceed."
@@ -47,8 +47,8 @@ fi
 
 # Copy the configuration files into the right folder
 if [ -d "$CONFIG_PATH" ]; then
-ui_print "* Copying config, example and license files."
-  cp -af $CONFIG_PATH/* /data/media/0/dnscrypt-proxy/
+ui_print "* Copying the configuration files into the dnscrypt-proxy folder."
+  cp -af $CONFIG_PATH/* /storage/emulated/0/dnscrypt-proxy/
 else
   abort "Configuration file (.toml) is missing!"
 fi
@@ -58,6 +58,10 @@ ui_print "* Setting up the right permissions to the dnscrypt-proxy binary file."
 set_perm_recursive $MODPATH 0 0 0755 0755
 set_perm $MODPATH/system/bin/dnscrypt-proxy 0 0 0755
 
+# Set Private DNS mode off
+ui_print "* Disabling Android 9+ Private DNS mode."
+settings put global private_dns_mode off
+
 # Cleanup unneeded binary files
 ui_print "* Cleaning up the unnecessary files."
 rm -r $MODPATH/binary

module.prop

@@ -1,6 +1,7 @@
 id=dnscrypt-proxy-android
 name=DNSCrypt-Proxy 2
-version=2.0.45
-versionCode=20450
-author=quindecim
-description=A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2, DNS-over-HTTPS and Anonymized DNSCrypt. Using dnscrypt-proxy 2.0.45
+version=2.1.5
+versionCode=210500
+author=d3cim
+description=A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2, DNS-over-HTTPS, Anonymized DNSCrypt and ODoH (Oblivious DoH). Using dnscrypt-proxy 2.1.5
+updateJson=https://raw.githubusercontent.com/d3cim/dnscrypt-proxy-android/master/update.json

post-fs-data.sh

@@ -8,8 +8,14 @@ MODDIR=${0%/*}
 
 # This script will be executed in post-fs-data mode
 
-iptables -t nat -A OUTPUT -p tcp ! -d 91.239.100.100 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
-iptables -t nat -A OUTPUT -p udp ! -d 91.239.100.100 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
-# ip6tables -t nat -A OUTPUT -p tcp ! -d 91.239.100.100 --dport 53 -j DNAT --to-destination [::1]:5354
-# ip6tables -t nat -A OUTPUT -p udp ! -d 91.239.100.100 --dport 53 -j DNAT --to-destination [::1]:5354
+# Redirect DNS requests to localhost
+iptables -t nat -A OUTPUT -p tcp ! -d 45.11.45.11 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
+iptables -t nat -A OUTPUT -p udp ! -d 45.11.45.11 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
+# ip6tables -t nat -A OUTPUT -p tcp ! -d 45.11.45.11 --dport 53 -j DNAT --to-destination [::1]:5354
+# ip6tables -t nat -A OUTPUT -p udp ! -d 45.11.45.11 --dport 53 -j DNAT --to-destination [::1]:5354
 
+# Force disable IPv6 OS connections
+resetprop net.ipv6.conf.all.accept_redirects 0
+resetprop net.ipv6.conf.all.disable_ipv6 1
+resetprop net.ipv6.conf.default.accept_redirects 0
+resetprop net.ipv6.conf.default.disable_ipv6 1

service.sh

@@ -7,7 +7,5 @@
 MODDIR=${0%/*}
 
 	while ! [ `pgrep -x dnscrypt-proxy` ] ; do
-		$MODDIR/system/bin/dnscrypt-proxy -config /data/media/0/dnscrypt-proxy/dnscrypt-proxy.toml && sleep 15;
+		$MODDIR/system/bin/dnscrypt-proxy -config /storage/emulated/0/dnscrypt-proxy/dnscrypt-proxy.toml && sleep 15;
 	done
-
-

uninstall.sh

@@ -0,0 +1,15 @@
+(
+while [ "$(getprop sys.boot_completed)" != "1" ] && [ ! -d "/storage/emulated/0/Android" ]; do
+  sleep 1
+done
+
+rm -rf /data/media/0/dnscrypt-proxy
+rm -rf /mnt/runtime/default/emulated/0/dnscrypt-proxy
+rm -rf /mnt/runtime/full/emulated/0/dnscrypt-proxy
+rm -rf /mnt/runtime/read/emulated/0/dnscrypt-proxy
+rm -rf /mnt/runtime/write/emulated/0/dnscrypt-proxy
+rm -rf /sdcard/dnscrypt-proxy
+rm -rf /storage/emulated/0/dnscrypt-proxy
+rm -rf /storage/self/primary/dnscrypt-proxy
+
+)&

update.json

@@ -0,0 +1,6 @@
+{
+    "version": "2.1.5",
+    "versionCode": 210500,
+    "zipUrl": "https://github.com/d3cim/dnscrypt-proxy-android/releases/download/2.1.5/dnscrypt-proxy-android-v2.1.5.zip",
+    "changelog": "https://raw.githubusercontent.com/d3cim/dnscrypt-proxy-android/2.1.5/CHANGELOG.md"
+}