initial release

.gitattributes

@@ -0,0 +1,8 @@
+# Declare files that will always have LF line endings on checkout.
+META-INF/** text eol=lf
+*.prop text eol=lf
+*.sh text eol=lf
+*.md text eol=lf
+
+# Denote all files that are truly binary and should not be modified.
+system/** binary

META-INF/com/google/android/update-binary

@@ -0,0 +1,153 @@
+#!/sbin/sh
+##########################################################################################
+#
+# Magisk Module Template Install Script
+# by topjohnwu
+#
+##########################################################################################
+
+# Detect whether in boot mode
+ps | grep zygote | grep -v grep >/dev/null && BOOTMODE=true || BOOTMODE=false
+$BOOTMODE || ps -A 2>/dev/null | grep zygote | grep -v grep >/dev/null && BOOTMODE=true
+
+TMPDIR=/dev/tmp
+INSTALLER=$TMPDIR/install
+MAGISKBIN=/data/adb/magisk
+
+# Default permissions
+umask 022
+
+# Initial cleanup
+rm -rf $TMPDIR 2>/dev/null
+mkdir -p $INSTALLER
+
+# echo before loading util_functions
+ui_print() { echo "$1"; }
+
+require_new_magisk() {
+  ui_print "*******************************"
+  ui_print " Please install Magisk v15.0+! "
+  ui_print "*******************************"
+  exit 1
+}
+
+##########################################################################################
+# Environment
+##########################################################################################
+
+OUTFD=$2
+ZIP=$3
+
+mount /data 2>/dev/null
+
+# Utility functions must exist
+[ -f $MAGISKBIN/util_functions.sh ] || require_new_magisk
+# Load utility fuctions
+. $MAGISKBIN/util_functions.sh
+
+# We can't alter magisk image live, use alternative image if required
+$BOOTMODE && IMG=/data/adb/magisk_merge.img
+# Always mount under tmp
+MOUNTPATH=$TMPDIR/magisk_img
+
+# Preperation for flashable zips
+get_outfd
+
+# Mount partitions
+mount_partitions
+
+# Detect version and architecture
+api_level_arch_detect
+
+# You can get the Android API version from $API, the CPU architecture from $ARCH
+# Useful if you are creating Android version / platform dependent mods
+
+# Setup busybox and binaries
+$BOOTMODE && boot_actions || recovery_actions
+
+##########################################################################################
+# Preparation
+##########################################################################################
+
+# Extract common files
+unzip -o "$ZIP" module.prop config.sh 'common/*' -d $INSTALLER >&2
+
+[ ! -f $INSTALLER/config.sh ] && abort "! Unable to extract zip file!"
+# Load configurations
+. $INSTALLER/config.sh
+
+# Check the installed magisk version
+MIN_VER=`grep_prop minMagisk $INSTALLER/module.prop`
+[ ! -z $MAGISK_VER_CODE -a $MAGISK_VER_CODE -ge $MIN_VER ] || require_new_magisk
+MODID=`grep_prop id $INSTALLER/module.prop`
+MODPATH=$MOUNTPATH/$MODID
+
+# Print mod name
+print_modname
+
+# Please leave this message in your flashable zip for credits :)
+ui_print "******************************"
+ui_print "Powered by Magisk (@topjohnwu)"
+ui_print "******************************"
+
+##########################################################################################
+# Install
+##########################################################################################
+
+# Get the variable reqSizeM. Use your own method to determine reqSizeM if needed
+request_zip_size_check "$ZIP"
+
+# This function will mount $IMG to $MOUNTPATH, and resize the image based on $reqSizeM
+mount_magisk_img
+
+# Create mod paths
+rm -rf $MODPATH 2>/dev/null
+mkdir -p $MODPATH
+
+# custom install begin
+install_dnscrypt_proxy
+# custom install end
+
+# Remove placeholder
+rm -f $MODPATH/system/placeholder 2>/dev/null
+
+# Handle replace folders
+for TARGET in $REPLACE; do
+  mktouch $MODPATH$TARGET/.replace
+done
+
+# Auto Mount
+$AUTOMOUNT && touch $MODPATH/auto_mount
+
+# prop files
+$PROPFILE && cp -af $INSTALLER/common/system.prop $MODPATH/system.prop
+
+# Module info
+cp -af $INSTALLER/module.prop $MODPATH/module.prop
+if $BOOTMODE; then
+  # Update info for Magisk Manager
+  mktouch /sbin/.core/img/$MODID/update
+  cp -af $INSTALLER/module.prop /sbin/.core/img/$MODID/module.prop
+fi
+
+# post-fs-data mode scripts
+$POSTFSDATA && cp -af $INSTALLER/common/post-fs-data.sh $MODPATH/post-fs-data.sh
+
+# service mode scripts
+$LATESTARTSERVICE && cp -af $INSTALLER/common/service.sh $MODPATH/service.sh
+
+ui_print "- Setting permissions"
+set_permissions
+
+##########################################################################################
+# Finalizing
+##########################################################################################
+
+# Unmount magisk image and shrink if possible
+unmount_magisk_img
+
+$BOOTMODE || recovery_cleanup
+rm -rf $TMPDIR
+
+ui_print "- Done"
+exit 0

META-INF/com/google/android/updater-script

@@ -0,0 +1 @@
+#MAGISK

README.md

@@ -0,0 +1,9 @@
+# Magisk Module Template
+
+This `README.md` will be shown in Magisk Manager. Place any information / changelog / notes you like.
+
+**Please update `README.md` if you want to submit your module to the online repo!**
+
+Github has its own online markdown editor with a preview feature, you can use it to update your `README.md`! If you need more advanced syntax, check the [Markdown Cheat Sheet](https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet).
+
+For more information about modules and repos, please check the [official documentations](https://github.com/topjohnwu/Magisk/blob/master/docs/modules.md)

common/post-fs-data.sh

@@ -0,0 +1,7 @@
+#!/system/bin/sh
+# Please don't hardcode /magisk/modname/... ; instead, please use $MODDIR/...
+# This will make your scripts compatible even if Magisk change its mount point in the future
+MODDIR=${0%/*}
+
+# This script will be executed in post-fs-data mode
+# More info in the main Magisk thread

common/service.sh

@@ -0,0 +1,21 @@
+#!/system/bin/sh
+# Please don't hardcode /magisk/modname/... ; instead, please use $MODDIR/...
+# This will make your scripts compatible even if Magisk change its mount point in the future
+MODDIR=${0%/*}
+
+# This script will be executed in late_start service mode
+# More info in the main Magisk thread
+
+$MODDIR/system/xbin/dnscrypt-proxy -config $MODDIR/system/etc/dnscrypt-proxy/dnscrypt-proxy.toml &
+while true
+do
+	ping -c 1 google.com
+	if [[ $? == 0 ]];
+	then
+		iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:53
+		iptables-t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:53
+		break;
+	else
+		sleep 5
+	fi
+done

common/system.prop

@@ -0,0 +1,3 @@
+# This file will be read by resetprop
+# Example: Change dpi
+# ro.sf.lcd_density=320

config.sh

@@ -0,0 +1,131 @@
+##########################################################################################
+#
+# Magisk Module Template Config Script
+# by topjohnwu
+#
+##########################################################################################
+##########################################################################################
+#
+# Instructions:
+#
+# 1. Place your files into system folder (delete the placeholder file)
+# 2. Fill in your module's info into module.prop
+# 3. Configure the settings in this file (config.sh)
+# 4. If you need boot scripts, add them into common/post-fs-data.sh or common/service.sh
+# 5. Add your additional or modified system properties into common/system.prop
+#
+##########################################################################################
+
+##########################################################################################
+# Configs
+##########################################################################################
+
+# Set to true if you need to enable Magic Mount
+# Most mods would like it to be enabled
+AUTOMOUNT=true
+
+# Set to true if you need to load system.prop
+PROPFILE=false
+
+# Set to true if you need post-fs-data script
+POSTFSDATA=false
+
+# Set to true if you need late_start service script
+LATESTARTSERVICE=true
+
+##########################################################################################
+# Installation Message
+##########################################################################################
+
+# Set what you want to show when installing your mod
+
+print_modname() {
+  ui_print "*******************************"
+  ui_print "     Magisk Module Template    "
+  ui_print "*******************************"
+}
+
+##########################################################################################
+# Replace list
+##########################################################################################
+
+# List all directories you want to directly replace in the system
+# Check the documentations for more info about how Magic Mount works, and why you need this
+
+# This is an example
+REPLACE="
+/system/app/Youtube
+/system/priv-app/SystemUI
+/system/priv-app/Settings
+/system/framework
+"
+
+# Construct your own list here, it will override the example above
+# !DO NOT! remove this if you don't need to replace anything, leave it empty as it is now
+REPLACE="
+"
+
+##########################################################################################
+# Permissions
+##########################################################################################
+
+set_permissions() {
+  # Only some special files require specific permissions
+  # The default permissions should be good enough for most cases
+
+  # Here are some examples for the set_perm functions:
+
+  # set_perm_recursive  <dirname>                <owner> <group> <dirpermission> <filepermission> <contexts> (default: u:object_r:system_file:s0)
+  # set_perm_recursive  $MODPATH/system/lib       0       0       0755            0644
+
+  # set_perm  <filename>                         <owner> <group> <permission> <contexts> (default: u:object_r:system_file:s0)
+  # set_perm  $MODPATH/system/bin/app_process32   0       2000    0755         u:object_r:zygote_exec:s0
+  # set_perm  $MODPATH/system/bin/dex2oat         0       2000    0755         u:object_r:dex2oat_exec:s0
+  # set_perm  $MODPATH/system/lib/libart.so       0       0       0644
+
+  # The following is default permissions, DO NOT remove
+  set_perm_recursive  $MODPATH  0  0  0755  0644
+  set_perm $MODPATH/system/xbin/dnscrypt-proxy 0 0 0755
+}
+
+##########################################################################################
+# Custom Functions
+##########################################################################################
+
+# This file (config.sh) will be sourced by the main flash script after util_functions.sh
+# If you need custom logic, please add them here as functions, and call these functions in
+# update-binary. Refrain from adding code directly into update-binary, as it will make it
+# difficult for you to migrate your modules to newer template versions.
+# Make update-binary as clean as possible, try to only do function calls in it.
+
+install_dnscrypt_proxy(){
+  if [ "$ARCH" == "arm" ];then
+    BINARY_PATH=$INSTALLER/binary/dnscrypt-proxy-arm
+  elif [ "$ARCH" == "arm64" ];then
+    BINARY_PATH=$INSTALLER/binary/dnscrypt-proxy-arm64
+  fi
+
+  CONFIG_PATH=$INSTALLER/config
+  unzip -o "$ZIP" 'config/*' 'binary/*' -d $INSTALLER 2>/dev/null
+
+  ui_print "* Creating binary path"
+  mkdir -p $MODPATH/system/xbin 2>/dev/null
+
+  ui_print "* Creating config path"
+  mkdir -p $MODPATH/system/etc/dnscrypt-proxy 2>/dev/null
+
+  if [ -f "$BINARY_PATH" ]; then
+    ui_print "Copying binary for $ARCH"
+    cp -af $BINARY_PATH $MODPATH/system/xbin/dnscrypt-proxy
+  else
+    abort "Binary file for $ARCH is missing!"
+  fi
+
+  if [ -d "$CONFIG_PATH" ]; then
+    ui_print "Copying config files"
+    cp -af $CONFIG_PATH/* $MODPATH/system/etc/dnscrypt-proxy
+  else
+    abort "Config file is missing!"
+  fi
+
+}

config/LICENSE

@@ -0,0 +1,18 @@
+/*
+ * ISC License
+ *
+ * Copyright (c) 2018
+ * Frank Denis <j at pureftpd dot org>
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */

config/dnscrypt-proxy.toml

@@ -0,0 +1,381 @@
+
+##############################################
+#                                            #
+#        dnscrypt-proxy configuration        #
+#                                            #
+##############################################
+
+## This is an example configuration file.
+## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"
+##
+## Online documentation is available here: https://dnscrypt.info/doc
+
+
+
+##################################
+#         Global settings        #
+##################################
+
+## List of servers to use
+## If this line is commented, all registered servers matching the require_* filters
+## will be used
+## The proxy will automatically pick the fastest, working servers from the list.
+
+# server_names = ['scaleway-fr', 'google', 'yandex']
+
+
+## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
+## To only use systemd activation sockets, use an empty set: []
+
+listen_addresses = ['127.0.0.1:53', '[::1]:53']
+
+
+## Maximum number of simultaneous client connections to accept
+
+max_clients = 250
+
+
+## Require servers (from static + remote sources) to satisfy specific properties
+
+# Use servers reachable over IPv4
+ipv4_servers = true
+
+# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
+ipv6_servers = false
+
+# Use servers implementing the DNSCrypt protocol
+dnscrypt_servers = true
+
+# Use servers implementing the DNS-over-HTTPS protocol
+doh_servers = true
+
+
+## Require servers defined by remote sources to satisfy specific properties
+
+# Server must support DNS security extensions (DNSSEC)
+require_dnssec = false
+
+# Server must not log user queries (declarative)
+require_nolog = true
+
+# Server must not enforce its own blacklist (for parental control, ads blocking...)
+require_nofilter = true
+
+
+
+## Always use TCP to connect to upstream servers
+
+force_tcp = false
+
+
+## How long a DNS query will wait for a response, in milliseconds
+
+timeout = 2500
+
+
+## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random'
+
+# lb_strategy = 'p2'
+
+
+## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)
+
+# log_level = 2
+
+
+## log file for the application
+
+# log_file = 'dnscrypt-proxy.log'
+
+
+## Use the system logger (syslog on Unix, Event Log on Windows)
+
+# use_syslog = true
+
+
+## Delay, in minutes, after which certificates are reloaded
+
+cert_refresh_delay = 240
+
+
+## Fallback resolver
+## This is a normal, non-encrypted DNS resolver, that will be only used
+## for one-shot queries when retrieving the initial resolvers list, and
+## only if the system DNS configuration doesn't work.
+## No user application queries will ever be leaked through this resolver,
+## and it will not be used after IP addresses of resolvers URLs have been found.
+## It will never be used if lists have already been cached, and if stamps
+## don't include host names without IP addresses.
+## It will not be used if the configured system DNS works.
+## A resolver supporting DNSSEC is recommended. This may become mandatory.
+
+fallback_resolver = '9.9.9.9:53'
+
+
+## Never try to use the system DNS settings; unconditionally use the
+## fallback resolver.
+
+ignore_system_dns = false
+
+
+
+#########################
+#        Filters        #
+#########################
+
+## Immediately respond to IPv6-related queries with an empty response
+## This makes things faster when there is no IPv6 connectivity, but can
+## also cause reliability issues with some stub resolvers. In
+## particular, enabling this on macOS is not recommended.
+
+block_ipv6 = false
+
+
+
+##################################################################################
+#        Route queries for specific domains to a dedicated set of servers        #
+##################################################################################
+
+## Example map entries (one entry per line):
+## example.com 9.9.9.9
+## example.net 9.9.9.9,8.8.8.8
+
+# forwarding_rules = 'forwarding-rules.txt'
+
+
+
+###############################
+#        Cloaking rules       #
+###############################
+
+## Cloaking returns a predefined address for a specific name.
+## In addition to acting as a HOSTS file, it can also return the IP address
+## of a different name. It will also do CNAME flattening.
+##
+## Example map entries (one entry per line)
+## example.com     10.1.1.1
+## www.google.com  forcesafesearch.google.com
+
+# cloaking_rules = 'cloaking-rules.txt'
+
+
+
+###########################
+#        DNS cache        #
+###########################
+
+## Enable a DNS cache to reduce latency and outgoing traffic
+
+cache = true
+
+
+## Cache size
+
+cache_size = 256
+
+
+## Minimum TTL for cached entries
+
+cache_min_ttl = 600
+
+
+## Maxmimum TTL for cached entries
+
+cache_max_ttl = 86400
+
+
+## TTL for negatively cached entries
+
+cache_neg_ttl = 60
+
+
+
+###############################
+#        Query logging        #
+###############################
+
+## Log client queries to a file
+
+[query_log]
+
+  ## Path to the query log file (absolute, or relative to the same directory as the executable file)
+
+  # file = 'query.log'
+
+
+  ## Query log format (currently supported: tsv and ltsv)
+
+  format = 'tsv'
+
+
+  ## Do not log these query types, to reduce verbosity. Keep empty to log everything.
+
+  # ignored_qtypes = ['DNSKEY', 'NS']
+
+
+
+############################################
+#        Suspicious queries logging        #
+############################################
+
+## Log queries for nonexistent zones
+## These queries can reveal the presence of malware, broken/obsolete applications,
+## and devices signaling their presence to 3rd parties.
+
+[nx_log]
+
+  ## Path to the query log file (absolute, or relative to the same directory as the executable file)
+
+  # file = 'nx.log'
+
+
+  ## Query log format (currently supported: tsv and ltsv)
+
+  format = 'tsv'
+
+
+
+######################################################
+#        Pattern-based blocking (blacklists)        #
+######################################################
+
+## Blacklists are made of one pattern per line. Example of valid patterns:
+##
+##   example.com
+##   *sex*
+##   ads.*
+##   ads*.example.*
+##   ads*.example[0-9]*.com
+##
+## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
+## A script to build blacklists from public feeds can be found in the
+## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.
+
+[blacklist]
+
+  ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
+
+  # blacklist_file = 'blacklist.txt'
+
+
+  ## Optional path to a file logging blocked queries
+
+  # log_file = 'blocked.log'
+
+
+  ## Optional log format: tsv or ltsv (default: tsv)
+
+  # log_format = 'tsv'
+
+
+
+###########################################################
+#        Pattern-based IP blocking (IP blacklists)        #
+###########################################################
+
+## IP blacklists are made of one pattern per line. Example of valid patterns:
+##
+##   127.*
+##   fe80:abcd:*
+##   192.168.1.4
+
+[ip_blacklist]
+
+  ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
+
+  # blacklist_file = 'ip-blacklist.txt'
+
+
+  ## Optional path to a file logging blocked queries
+
+  # log_file = 'ip-blocked.log'
+
+
+  ## Optional log format: tsv or ltsv (default: tsv)
+
+  # log_format = 'tsv'
+
+
+
+##########################################
+#        Time access restrictions        #
+##########################################
+
+## One or more weekly schedules can be defined here.
+## Patterns in the name-based blocklist can optionally be followed with @schedule_name
+## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
+##
+## For example, the following rule in a blacklist file:
+## *.youtube.* @time-to-sleep
+## would block access to Youtube only during the days, and period of the days
+## define by the 'time-to-sleep' schedule.
+##
+## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
+## {after= '9:00', before='18:00'} matches 9:00-18:00
+
+[schedules]
+
+  # [schedules.'time-to-sleep']
+  # mon = [{after='21:00', before='7:00'}]
+  # tue = [{after='21:00', before='7:00'}]
+  # wed = [{after='21:00', before='7:00'}]
+  # thu = [{after='21:00', before='7:00'}]
+  # fri = [{after='23:00', before='7:00'}]
+  # sat = [{after='23:00', before='7:00'}]
+  # sun = [{after='21:00', before='7:00'}]
+
+  # [schedules.'work']
+  # mon = [{after='9:00', before='18:00'}]
+  # tue = [{after='9:00', before='18:00'}]
+  # wed = [{after='9:00', before='18:00'}]
+  # thu = [{after='9:00', before='18:00'}]
+  # fri = [{after='9:00', before='17:00'}]
+
+
+
+#########################
+#        Servers        #
+#########################
+
+## Remote lists of available servers
+## Multiple sources can be used simultaneously, but every source
+## requires a dedicated cache file.
+##
+## Refer to the documentation for URLs of public sources.
+##
+## A prefix can be prepended to server names in order to
+## avoid collisions if different sources share the same for
+## different servers. In that case, names listed in `server_names`
+## must include the prefixes.
+##
+## A cache file can be specified without a URL in order to maintain lists
+## locally.
+
+[sources]
+
+  ## An example of a remote source
+
+  [sources.'public-resolvers']
+  url = 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'
+  cache_file = '/system/etc/dnscrypt-proxy/public-resolvers.md'
+  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+  refresh_delay = 72
+  prefix = ''
+
+  ## Another example source, with resolvers censoring some websites not approriate for children
+  ## This is a subset of the `public-resolvers` list, so enabling both is useless
+
+  #  [sources.'parental-control']
+  #  url = 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md'
+  #  cache_file = 'parental-control.md'
+  #  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+
+
+
+## Optional, local, static list of additional servers
+## Mostly useful for testing your own servers.
+
+[static]
+
+  [static.'google']
+  stamp = 'sdns://AgUAAAAAAAAAACDyXGrcc5eNecJ8nomJCJ-q6eCLTEn6bHic0hWGUwYQaA5kbnMuZ29vZ2xlLmNvbQ0vZXhwZXJpbWVudGFs'

config/example-blacklist.txt

@@ -0,0 +1,37 @@
+
+###########################
+#        Blacklist        #
+###########################
+
+## Rules for name-based query blocking, one per line
+##
+## Example of valid patterns:
+##
+## ads.*         | matches anything with an "ads." prefix
+## *.example.com | matches example.com and all names within that zone such as www.example.com
+## example.com   | identical to the above
+## *sex*         | matches any name containing that substring
+## ads[0-9]*     | matches "ads" followed by one or more digits
+## ads*.example* | *, ? and [] can be used anywhere, but prefixes/suffixes are faster
+
+ad.*
+ads.*
+banner.*
+banners.*
+creatives.*
+oas.*
+oascentral.*
+stats.*
+tag.*
+telemetry.*
+tracker.*
+*.local
+eth0.me
+*.workgroup
+
+
+
+## Time-based rules
+
+# *.youtube.*  @time-to-sleep
+# facebook.com @work

config/example-cloaking-rules.txt

@@ -0,0 +1,22 @@
+################################
+#        Cloaking rules        #
+################################
+
+# The following example rules force "safe" (without adult content) search
+# results from Google, Bing and Youtube.
+#
+# This has to be enabled with the `cloaking_rules` parameter in the main
+# configuration file
+
+
+www.google.com           forcesafesearch.google.com
+www.google.fr            forcesafesearch.google.com
+
+www.bing.com             strict.bing.com
+
+www.youtube.com          restrictmoderate.youtube.com
+m.youtube.com            restrictmoderate.youtube.com
+youtubei.googleapis.com  restrictmoderate.youtube.com
+youtube.googleapis.com   restrictmoderate.youtube.com
+www.youtube-nocookie.com restrictmoderate.youtube.com
+

config/example-dnscrypt-proxy.toml

@@ -0,0 +1,383 @@
+
+##############################################
+#                                            #
+#        dnscrypt-proxy configuration        #
+#                                            #
+##############################################
+
+## This is an example configuration file.
+## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"
+##
+## Online documentation is available here: https://dnscrypt.info/doc
+
+
+
+##################################
+#         Global settings        #
+##################################
+
+## List of servers to use
+## If this line is commented, all registered servers matching the require_* filters
+## will be used
+## The proxy will automatically pick the fastest, working servers from the list.
+## Remove the leading # first to enable this; lines starting with # are ignored.
+
+# server_names = ['scaleway-fr', 'google', 'yandex']
+
+
+## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
+## To only use systemd activation sockets, use an empty set: []
+
+listen_addresses = ['127.0.0.1:53', '[::1]:53']
+
+
+## Maximum number of simultaneous client connections to accept
+
+max_clients = 250
+
+
+## Require servers (from static + remote sources) to satisfy specific properties
+
+# Use servers reachable over IPv4
+ipv4_servers = true
+
+# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
+ipv6_servers = false
+
+# Use servers implementing the DNSCrypt protocol
+dnscrypt_servers = true
+
+# Use servers implementing the DNS-over-HTTPS protocol
+doh_servers = true
+
+
+## Require servers defined by remote sources to satisfy specific properties
+
+# Server must support DNS security extensions (DNSSEC)
+require_dnssec = false
+
+# Server must not log user queries (declarative)
+require_nolog = true
+
+# Server must not enforce its own blacklist (for parental control, ads blocking...)
+require_nofilter = true
+
+
+
+## Always use TCP to connect to upstream servers
+
+force_tcp = false
+
+
+## How long a DNS query will wait for a response, in milliseconds
+
+timeout = 2500
+
+
+## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random'
+
+# lb_strategy = 'p2'
+
+
+## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)
+
+# log_level = 2
+
+
+## log file for the application
+
+# log_file = 'dnscrypt-proxy.log'
+
+
+## Use the system logger (syslog on Unix, Event Log on Windows)
+
+# use_syslog = true
+
+
+## Delay, in minutes, after which certificates are reloaded
+
+cert_refresh_delay = 240
+
+
+## Fallback resolver
+## This is a normal, non-encrypted DNS resolver, that will be only used
+## for one-shot queries when retrieving the initial resolvers list, and
+## only if the system DNS configuration doesn't work.
+## No user application queries will ever be leaked through this resolver,
+## and it will not be used after IP addresses of resolvers URLs have been found.
+## It will never be used if lists have already been cached, and if stamps
+## don't include host names without IP addresses.
+## It will not be used if the configured system DNS works.
+## A resolver supporting DNSSEC is recommended. This may become mandatory.
+
+fallback_resolver = '9.9.9.9:53'
+
+
+## Never try to use the system DNS settings; unconditionally use the
+## fallback resolver.
+
+ignore_system_dns = false
+
+
+
+#########################
+#        Filters        #
+#########################
+
+## Immediately respond to IPv6-related queries with an empty response
+## This makes things faster when there is no IPv6 connectivity, but can
+## also cause reliability issues with some stub resolvers. In
+## particular, enabling this on macOS is not recommended.
+
+block_ipv6 = false
+
+
+
+##################################################################################
+#        Route queries for specific domains to a dedicated set of servers        #
+##################################################################################
+
+## Example map entries (one entry per line):
+## example.com 9.9.9.9
+## example.net 9.9.9.9,8.8.8.8
+
+# forwarding_rules = 'forwarding-rules.txt'
+
+
+
+###############################
+#        Cloaking rules       #
+###############################
+
+## Cloaking returns a predefined address for a specific name.
+## In addition to acting as a HOSTS file, it can also return the IP address
+## of a different name. It will also do CNAME flattening.
+##
+## Example map entries (one entry per line)
+## example.com     10.1.1.1
+## www.google.com  forcesafesearch.google.com
+
+# cloaking_rules = 'cloaking-rules.txt'
+
+
+
+###########################
+#        DNS cache        #
+###########################
+
+## Enable a DNS cache to reduce latency and outgoing traffic
+
+cache = true
+
+
+## Cache size
+
+cache_size = 256
+
+
+## Minimum TTL for cached entries
+
+cache_min_ttl = 600
+
+
+## Maximum TTL for cached entries
+
+cache_max_ttl = 86400
+
+
+## TTL for negatively cached entries
+
+cache_neg_ttl = 60
+
+
+
+###############################
+#        Query logging        #
+###############################
+
+## Log client queries to a file
+
+[query_log]
+
+  ## Path to the query log file (absolute, or relative to the same directory as the executable file)
+
+  # file = 'query.log'
+
+
+  ## Query log format (currently supported: tsv and ltsv)
+
+  format = 'tsv'
+
+
+  ## Do not log these query types, to reduce verbosity. Keep empty to log everything.
+
+  # ignored_qtypes = ['DNSKEY', 'NS']
+
+
+
+############################################
+#        Suspicious queries logging        #
+############################################
+
+## Log queries for nonexistent zones
+## These queries can reveal the presence of malware, broken/obsolete applications,
+## and devices signaling their presence to 3rd parties.
+
+[nx_log]
+
+  ## Path to the query log file (absolute, or relative to the same directory as the executable file)
+
+  # file = 'nx.log'
+
+
+  ## Query log format (currently supported: tsv and ltsv)
+
+  format = 'tsv'
+
+
+
+######################################################
+#        Pattern-based blocking (blacklists)        #
+######################################################
+
+## Blacklists are made of one pattern per line. Example of valid patterns:
+##
+##   example.com
+##   *sex*
+##   ads.*
+##   ads*.example.*
+##   ads*.example[0-9]*.com
+##
+## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
+## A script to build blacklists from public feeds can be found in the
+## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.
+
+[blacklist]
+
+  ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
+
+  # blacklist_file = 'blacklist.txt'
+
+
+  ## Optional path to a file logging blocked queries
+
+  # log_file = 'blocked.log'
+
+
+  ## Optional log format: tsv or ltsv (default: tsv)
+
+  # log_format = 'tsv'
+
+
+
+###########################################################
+#        Pattern-based IP blocking (IP blacklists)        #
+###########################################################
+
+## IP blacklists are made of one pattern per line. Example of valid patterns:
+##
+##   127.*
+##   fe80:abcd:*
+##   192.168.1.4
+
+[ip_blacklist]
+
+  ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
+
+  # blacklist_file = 'ip-blacklist.txt'
+
+
+  ## Optional path to a file logging blocked queries
+
+  # log_file = 'ip-blocked.log'
+
+
+  ## Optional log format: tsv or ltsv (default: tsv)
+
+  # log_format = 'tsv'
+
+
+
+##########################################
+#        Time access restrictions        #
+##########################################
+
+## One or more weekly schedules can be defined here.
+## Patterns in the name-based blocklist can optionally be followed with @schedule_name
+## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
+##
+## For example, the following rule in a blacklist file:
+## *.youtube.* @time-to-sleep
+## would block access to Youtube only during the days, and period of the days
+## define by the 'time-to-sleep' schedule.
+##
+## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
+## {after= '9:00', before='18:00'} matches 9:00-18:00
+
+[schedules]
+
+  # [schedules.'time-to-sleep']
+  # mon = [{after='21:00', before='7:00'}]
+  # tue = [{after='21:00', before='7:00'}]
+  # wed = [{after='21:00', before='7:00'}]
+  # thu = [{after='21:00', before='7:00'}]
+  # fri = [{after='23:00', before='7:00'}]
+  # sat = [{after='23:00', before='7:00'}]
+  # sun = [{after='21:00', before='7:00'}]
+
+  # [schedules.'work']
+  # mon = [{after='9:00', before='18:00'}]
+  # tue = [{after='9:00', before='18:00'}]
+  # wed = [{after='9:00', before='18:00'}]
+  # thu = [{after='9:00', before='18:00'}]
+  # fri = [{after='9:00', before='17:00'}]
+
+
+
+#########################
+#        Servers        #
+#########################
+
+## Remote lists of available servers
+## Multiple sources can be used simultaneously, but every source
+## requires a dedicated cache file.
+##
+## Refer to the documentation for URLs of public sources.
+##
+## A prefix can be prepended to server names in order to
+## avoid collisions if different sources share the same for
+## different servers. In that case, names listed in `server_names`
+## must include the prefixes.
+##
+## If the `url` property is missing, cache files and valid signatures
+## must be already present; This doesn't prevent these cache files from
+## expiring after `refresh_delay` hours.
+
+[sources]
+
+  ## An example of a remote source
+
+  [sources.'public-resolvers']
+  url = 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'
+  cache_file = 'public-resolvers.md'
+  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+  refresh_delay = 72
+  prefix = ''
+
+  ## Another example source, with resolvers censoring some websites not appropriate for children
+  ## This is a subset of the `public-resolvers` list, so enabling both is useless
+
+  #  [sources.'parental-control']
+  #  url = 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md'
+  #  cache_file = 'parental-control.md'
+  #  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+
+
+
+## Optional, local, static list of additional servers
+## Mostly useful for testing your own servers.
+
+[static]
+
+  # [static.'google']
+  # stamp = 'sdns://AgUAAAAAAAAAACDyXGrcc5eNecJ8nomJCJ-q6eCLTEn6bHic0hWGUwYQaA5kbnMuZ29vZ2xlLmNvbQ0vZXhwZXJpbWVudGFs'

config/example-forwarding-rules.txt

@@ -0,0 +1,12 @@
+##################################
+#        Forwarding rules        #
+##################################
+
+## This is used to route specific domain names to specific servers.
+## The general format is: <domain> <server address> [, <server address>...]
+## Addresses can be IPv4 and IPv6, and include a non-standard port number.
+
+## In order to enable this feature, the "forwarding_rules" property needs to
+## be set to that file name in the main configuration file.
+
+example.com     9.9.9.9,8.8.8.8

module.prop

@@ -0,0 +1,7 @@
+id=dnscrypt-proxy
+name=DNSCrypt-Proxy 2
+version=v1
+versionCode=1
+author=bluemeda
+description=A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2 and DNS-over-HTTP/2.
+minMagisk=1500