commit 71c63560367a224483c4815cdcb144f3f67a17ce Author: bluemeda Date: Tue Feb 27 21:42:14 2018 +0700 initial release diff --git a/.gitattributes b/.gitattributes new file mode 100755 index 0000000..8980df1 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,8 @@ +# Declare files that will always have LF line endings on checkout. +META-INF/** text eol=lf +*.prop text eol=lf +*.sh text eol=lf +*.md text eol=lf + +# Denote all files that are truly binary and should not be modified. +system/** binary diff --git a/META-INF/com/google/android/update-binary b/META-INF/com/google/android/update-binary new file mode 100755 index 0000000..3f069a4 --- /dev/null +++ b/META-INF/com/google/android/update-binary 
@@ -0,0 +1,153 @@ +#!/sbin/sh +########################################################################################## +# +# Magisk Module Template Install Script +# by topjohnwu +# +########################################################################################## + +# Detect whether in boot mode +ps | grep zygote | grep -v grep >/dev/null && BOOTMODE=true || BOOTMODE=false +$BOOTMODE || ps -A 2>/dev/null | grep zygote | grep -v grep >/dev/null && BOOTMODE=true + +TMPDIR=/dev/tmp +INSTALLER=$TMPDIR/install +MAGISKBIN=/data/adb/magisk + +# Default permissions +umask 022 + +# Initial cleanup +rm -rf $TMPDIR 2>/dev/null +mkdir -p $INSTALLER + +# echo before loading util_functions +ui_print() { echo "$1"; } + +require_new_magisk() { + ui_print "*******************************" + ui_print " Please install Magisk v15.0+! " + ui_print "*******************************" + exit 1 +} + +########################################################################################## +# Environment +########################################################################################## + +OUTFD=$2 +ZIP=$3 + +mount /data 2>/dev/null + +# Utility functions must exist +[ -f $MAGISKBIN/util_functions.sh ] || require_new_magisk +# Load utility fuctions +. 
$MAGISKBIN/util_functions.sh + +# We can't alter magisk image live, use alternative image if required +$BOOTMODE && IMG=/data/adb/magisk_merge.img +# Always mount under tmp +MOUNTPATH=$TMPDIR/magisk_img + +# Preperation for flashable zips +get_outfd + +# Mount partitions +mount_partitions + +# Detect version and architecture +api_level_arch_detect + +# You can get the Android API version from $API, the CPU architecture from $ARCH +# Useful if you are creating Android version / platform dependent mods + +# Setup busybox and binaries +$BOOTMODE && boot_actions || recovery_actions + +########################################################################################## +# Preparation +########################################################################################## + +# Extract common files +unzip -o "$ZIP" module.prop config.sh 'common/*' -d $INSTALLER >&2 + +[ ! -f $INSTALLER/config.sh ] && abort "! Unable to extract zip file!" +# Load configurations +. $INSTALLER/config.sh + +# Check the installed magisk version +MIN_VER=`grep_prop minMagisk $INSTALLER/module.prop` +[ ! -z $MAGISK_VER_CODE -a $MAGISK_VER_CODE -ge $MIN_VER ] || require_new_magisk +MODID=`grep_prop id $INSTALLER/module.prop` +MODPATH=$MOUNTPATH/$MODID + +# Print mod name +print_modname + +# Please leave this message in your flashable zip for credits :) +ui_print "******************************" +ui_print "Powered by Magisk (@topjohnwu)" +ui_print "******************************" + +########################################################################################## +# Install +########################################################################################## + +# Get the variable reqSizeM. 
Use your own method to determine reqSizeM if needed +request_zip_size_check "$ZIP" + +# This function will mount $IMG to $MOUNTPATH, and resize the image based on $reqSizeM +mount_magisk_img + +# Create mod paths +rm -rf $MODPATH 2>/dev/null +mkdir -p $MODPATH + +# custom install begin +install_dnscrypt_proxy +# custom install end + +# Remove placeholder +rm -f $MODPATH/system/placeholder 2>/dev/null + +# Handle replace folders +for TARGET in $REPLACE; do + mktouch $MODPATH$TARGET/.replace +done + +# Auto Mount +$AUTOMOUNT && touch $MODPATH/auto_mount + +# prop files +$PROPFILE && cp -af $INSTALLER/common/system.prop $MODPATH/system.prop + +# Module info +cp -af $INSTALLER/module.prop $MODPATH/module.prop +if $BOOTMODE; then + # Update info for Magisk Manager + mktouch /sbin/.core/img/$MODID/update + cp -af $INSTALLER/module.prop /sbin/.core/img/$MODID/module.prop +fi + +# post-fs-data mode scripts +$POSTFSDATA && cp -af $INSTALLER/common/post-fs-data.sh $MODPATH/post-fs-data.sh + +# service mode scripts +$LATESTARTSERVICE && cp -af $INSTALLER/common/service.sh $MODPATH/service.sh + +ui_print "- Setting permissions" +set_permissions + +########################################################################################## +# Finalizing +########################################################################################## + +# Unmount magisk image and shrink if possible +unmount_magisk_img + +$BOOTMODE || recovery_cleanup +rm -rf $TMPDIR + +ui_print "- Done" +exit 0 diff --git a/META-INF/com/google/android/updater-script b/META-INF/com/google/android/updater-script new file mode 100755 index 0000000..11d5c96 --- /dev/null +++ b/META-INF/com/google/android/updater-script @@ -0,0 +1 @@ +#MAGISK diff --git a/README.md b/README.md new file mode 100755 index 0000000..95e9ca9 --- /dev/null +++ b/README.md 
@@ -0,0 +1,9 @@ +# Magisk Module Template + +This `README.md` will be shown in Magisk Manager. Place any information / changelog / notes you like. + +**Please update `README.md` if you want to submit your module to the online repo!** + +Github has its own online markdown editor with a preview feature, you can use it to update your `README.md`! If you need more advanced syntax, check the [Markdown Cheat Sheet](https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet). + +For more information about modules and repos, please check the [official documentations](https://github.com/topjohnwu/Magisk/blob/master/docs/modules.md) diff --git a/binary/dnscrypt-proxy-arm b/binary/dnscrypt-proxy-arm new file mode 100755 index 0000000..384e7d5 Binary files /dev/null and b/binary/dnscrypt-proxy-arm differ diff --git a/binary/dnscrypt-proxy-arm64 b/binary/dnscrypt-proxy-arm64 new file mode 100755 index 0000000..f615a9e Binary files /dev/null and b/binary/dnscrypt-proxy-arm64 differ diff --git a/common/post-fs-data.sh b/common/post-fs-data.sh new file mode 100755 index 0000000..426ab83 --- /dev/null +++ b/common/post-fs-data.sh @@ -0,0 +1,7 @@ +#!/system/bin/sh +# Please don't hardcode /magisk/modname/... ; instead, please use $MODDIR/... +# This will make your scripts compatible even if Magisk change its mount point in the future +MODDIR=${0%/*} + +# This script will be executed in post-fs-data mode +# More info in the main Magisk thread diff --git a/common/service.sh b/common/service.sh new file mode 100755 index 0000000..d25caf1 --- /dev/null +++ b/common/service.sh 
@@ -0,0 +1,21 @@
+#!/system/bin/sh
+# Please don't hardcode /magisk/modname/... ; instead, please use $MODDIR/...
+# This will make your scripts compatible even if Magisk change its mount point in the future
+MODDIR=${0%/*}
+
+# This script will be executed in late_start service mode
+# More info in the main Magisk thread
+
+$MODDIR/system/xbin/dnscrypt-proxy -config $MODDIR/system/etc/dnscrypt-proxy/dnscrypt-proxy.toml &
+while true
+do
+ ping -c 1 google.com
+ if [[ $? == 0 ]];
+ then
+ iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:53
+ iptables-t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:53
+ break;
+ else
+ sleep 5
+ fi
+done
\ No newline at end of file
diff --git a/common/system.prop b/common/system.prop
new file mode 100755
index 0000000..3d42789
--- /dev/null
+++ b/common/system.prop
@@ -0,0 +1,3 @@
+# This file will be read by resetprop
+# Example: Change dpi
+# ro.sf.lcd_density=320
diff --git a/config.sh b/config.sh
new file mode 100755
index 0000000..7848223
--- /dev/null
+++ b/config.sh
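Review bot: In common/service.sh the second rule is spelled `iptables-t nat -A OUTPUT -p udp ...` with no space, which as printed is not a command, so the UDP port-53 redirect is never installed and ordinary UDP DNS keeps leaving the device in cleartext while the loop still reaches `break`. It should read `iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:53`, and `break` should run only when both iptables calls returned 0. There is also no ip6tables counterpart, so queries sent to IPv6 resolver addresses are not redirected even though the shipped config listens on `[::1]:53`. The OUTPUT rule has no exclusion for the proxy's own traffic, so its lookups to the configured `fallback_resolver` on port 53 would presumably be redirected back to itself. Finally, the `ping -c 1 google.com` readiness probe itself issues a plaintext DNS query before any redirect exists.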
@@ -0,0 +1,131 @@
+##########################################################################################
+#
+# Magisk Module Template Config Script
+# by topjohnwu
+#
+##########################################################################################
+##########################################################################################
+#
+# Instructions:
+#
+# 1. Place your files into system folder (delete the placeholder file)
+# 2. Fill in your module's info into module.prop
+# 3. Configure the settings in this file (config.sh)
+# 4. If you need boot scripts, add them into common/post-fs-data.sh or common/service.sh
+# 5. Add your additional or modified system properties into common/system.prop
+#
+##########################################################################################
+
+##########################################################################################
+# Configs
+##########################################################################################
+
+# Set to true if you need to enable Magic Mount
+# Most mods would like it to be enabled
+AUTOMOUNT=true
+
+# Set to true if you need to load system.prop
+PROPFILE=false
+
+# Set to true if you need post-fs-data script
+POSTFSDATA=false
+
+# Set to true if you need late_start service script
+LATESTARTSERVICE=true
+
+##########################################################################################
+# Installation Message
+##########################################################################################
+
+# Set what you want to show when installing your mod
+
+print_modname() {
+ ui_print "*******************************"
+ ui_print " Magisk Module Template "
+ ui_print "*******************************"
+}
+
+##########################################################################################
+# Replace list
+##########################################################################################
+
+# List all directories you want to directly replace in the system
+# Check the documentations for more info about how Magic Mount works, and why you need this
+
+# This is an example
+REPLACE="
+/system/app/Youtube
+/system/priv-app/SystemUI
+/system/priv-app/Settings
+/system/framework
+"
+
+# Construct your own list here, it will override the example above
+# !DO NOT! remove this if you don't need to replace anything, leave it empty as it is now
+REPLACE="
+"
+
+##########################################################################################
+# Permissions
+##########################################################################################
+
+set_permissions() {
+ # Only some special files require specific permissions
+ # The default permissions should be good enough for most cases
+
+ # Here are some examples for the set_perm functions:
+
+ # set_perm_recursive (default: u:object_r:system_file:s0)
+ # set_perm_recursive $MODPATH/system/lib 0 0 0755 0644
+
+ # set_perm (default: u:object_r:system_file:s0)
+ # set_perm $MODPATH/system/bin/app_process32 0 2000 0755 u:object_r:zygote_exec:s0
+ # set_perm $MODPATH/system/bin/dex2oat 0 2000 0755 u:object_r:dex2oat_exec:s0
+ # set_perm $MODPATH/system/lib/libart.so 0 0 0644
+
+ # The following is default permissions, DO NOT remove
+ set_perm_recursive $MODPATH 0 0 0755 0644
+ set_perm $MODPATH/system/xbin/dnscrypt-proxy 0 0 0755
+}
+
+##########################################################################################
+# Custom Functions
+##########################################################################################
+
+# This file (config.sh) will be sourced by the main flash script after util_functions.sh
+# If you need custom logic, please add them here as functions, and call these functions in
+# update-binary. Refrain from adding code directly into update-binary, as it will make it
+# difficult for you to migrate your modules to newer template versions.
+# Make update-binary as clean as possible, try to only do function calls in it.
+
+install_dnscrypt_proxy(){
+ if [ "$ARCH" == "arm" ];then
+ BINARY_PATH=$INSTALLER/binary/dnscrypt-proxy-arm
+ elif [ "$ARCH" == "arm64" ];then
+ BINARY_PATH=$INSTALLER/binary/dnscrypt-proxy-arm64
+ fi
+
+ CONFIG_PATH=$INSTALLER/config
+ unzip -o "$ZIP" 'config/*' 'binary/*' -d $INSTALLER 2>/dev/null
+
+ ui_print "* Creating binary path"
+ mkdir -p $MODPATH/system/xbin 2>/dev/null
+
+ ui_print "* Creating config path"
+ mkdir -p $MODPATH/system/etc/dnscrypt-proxy 2>/dev/null
+
+ if [ -f "$BINARY_PATH" ]; then
+ ui_print "Copying binary for $ARCH"
+ cp -af $BINARY_PATH $MODPATH/system/xbin/dnscrypt-proxy
+ else
+ abort "Binary file for $ARCH is missing!"
+ fi
+
+ if [ -d "$CONFIG_PATH" ]; then
+ ui_print "Copying config files"
+ cp -af $CONFIG_PATH/* $MODPATH/system/etc/dnscrypt-proxy
+ else
+ abort "Config file is missing!"
+ fi
+
+}
diff --git a/config/LICENSE b/config/LICENSE
new file mode 100644
index 0000000..dcff33a
--- /dev/null
+++ b/config/LICENSE
@@ -0,0 +1,18 @@
+/*
+ * ISC License
+ *
+ * Copyright (c) 2018
+ * Frank Denis
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
diff --git a/config/dnscrypt-proxy.toml b/config/dnscrypt-proxy.toml
new file mode 100644
index 0000000..98535a9
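Review bot: `install_dnscrypt_proxy` in config.sh installs the committed `binary/dnscrypt-proxy-arm*` blobs as a root-owned 0755 executable that service.sh launches at boot, yet nothing in the hunk records which upstream dnscrypt-proxy release they came from or checks them before `cp`. I would add a header comment such as `# binaries: dnscrypt-proxy <UPSTREAM_VERSION>, sha256 <PINNED_SHA256>` and, if the installer's busybox provides `sha256sum`, compare `$BINARY_PATH` against the pinned digest and `abort` on mismatch. The `2>/dev/null` on the `unzip` line hides extraction errors, so a truncated zip only surfaces later as the generic "missing" abort. The copy should be quoted as `cp -af "$BINARY_PATH" "$MODPATH/system/xbin/dnscrypt-proxy"`. An explicit `else abort "Unsupported architecture: $ARCH"` branch would make the unsupported-ABI case clearer than falling through with `BINARY_PATH` unset.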
--- /dev/null +++ b/config/dnscrypt-proxy.toml 
@@ -0,0 +1,381 @@ + +############################################## +# # +# dnscrypt-proxy configuration # +# # +############################################## + +## This is an example configuration file. +## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml" +## +## Online documentation is available here: https://dnscrypt.info/doc + + + +################################## +# Global settings # +################################## + +## List of servers to use +## If this line is commented, all registered servers matching the require_* filters +## will be used +## The proxy will automatically pick the fastest, working servers from the list. + +# server_names = ['scaleway-fr', 'google', 'yandex'] + + +## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6. +## To only use systemd activation sockets, use an empty set: [] + +listen_addresses = ['127.0.0.1:53', '[::1]:53'] + + +## Maximum number of simultaneous client connections to accept + +max_clients = 250 + + +## Require servers (from static + remote sources) to satisfy specific properties + +# Use servers reachable over IPv4 +ipv4_servers = true + +# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity +ipv6_servers = false + +# Use servers implementing the DNSCrypt protocol +dnscrypt_servers = true + +# Use servers implementing the DNS-over-HTTPS protocol +doh_servers = true + + +## Require servers defined by remote sources to satisfy specific properties + +# Server must support DNS security extensions (DNSSEC) +require_dnssec = false + +# Server must not log user queries (declarative) +require_nolog = true + +# Server must not enforce its own blacklist (for parental control, ads blocking...) 
+require_nofilter = true + + + +## Always use TCP to connect to upstream servers + +force_tcp = false + + +## How long a DNS query will wait for a response, in milliseconds + +timeout = 2500 + + +## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random' + +# lb_strategy = 'p2' + + +## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors) + +# log_level = 2 + + +## log file for the application + +# log_file = 'dnscrypt-proxy.log' + + +## Use the system logger (syslog on Unix, Event Log on Windows) + +# use_syslog = true + + +## Delay, in minutes, after which certificates are reloaded + +cert_refresh_delay = 240 + + +## Fallback resolver +## This is a normal, non-encrypted DNS resolver, that will be only used +## for one-shot queries when retrieving the initial resolvers list, and +## only if the system DNS configuration doesn't work. +## No user application queries will ever be leaked through this resolver, +## and it will not be used after IP addresses of resolvers URLs have been found. +## It will never be used if lists have already been cached, and if stamps +## don't include host names without IP addresses. +## It will not be used if the configured system DNS works. +## A resolver supporting DNSSEC is recommended. This may become mandatory. + +fallback_resolver = '9.9.9.9:53' + + +## Never try to use the system DNS settings; unconditionally use the +## fallback resolver. + +ignore_system_dns = false + + + +######################### +# Filters # +######################### + +## Immediately respond to IPv6-related queries with an empty response +## This makes things faster when there is no IPv6 connectivity, but can +## also cause reliability issues with some stub resolvers. In +## particular, enabling this on macOS is not recommended. 
+ +block_ipv6 = false + + + +################################################################################## +# Route queries for specific domains to a dedicated set of servers # +################################################################################## + +## Example map entries (one entry per line): +## example.com 9.9.9.9 +## example.net 9.9.9.9,8.8.8.8 + +# forwarding_rules = 'forwarding-rules.txt' + + + +############################### +# Cloaking rules # +############################### + +## Cloaking returns a predefined address for a specific name. +## In addition to acting as a HOSTS file, it can also return the IP address +## of a different name. It will also do CNAME flattening. +## +## Example map entries (one entry per line) +## example.com 10.1.1.1 +## www.google.com forcesafesearch.google.com + +# cloaking_rules = 'cloaking-rules.txt' + + + +########################### +# DNS cache # +########################### + +## Enable a DNS cache to reduce latency and outgoing traffic + +cache = true + + +## Cache size + +cache_size = 256 + + +## Minimum TTL for cached entries + +cache_min_ttl = 600 + + +## Maxmimum TTL for cached entries + +cache_max_ttl = 86400 + + +## TTL for negatively cached entries + +cache_neg_ttl = 60 + + + +############################### +# Query logging # +############################### + +## Log client queries to a file + +[query_log] + + ## Path to the query log file (absolute, or relative to the same directory as the executable file) + + # file = 'query.log' + + + ## Query log format (currently supported: tsv and ltsv) + + format = 'tsv' + + + ## Do not log these query types, to reduce verbosity. Keep empty to log everything. 
+ + # ignored_qtypes = ['DNSKEY', 'NS'] + + + +############################################ +# Suspicious queries logging # +############################################ + +## Log queries for nonexistent zones +## These queries can reveal the presence of malware, broken/obsolete applications, +## and devices signaling their presence to 3rd parties. + +[nx_log] + + ## Path to the query log file (absolute, or relative to the same directory as the executable file) + + # file = 'nx.log' + + + ## Query log format (currently supported: tsv and ltsv) + + format = 'tsv' + + + +###################################################### +# Pattern-based blocking (blacklists) # +###################################################### + +## Blacklists are made of one pattern per line. Example of valid patterns: +## +## example.com +## *sex* +## ads.* +## ads*.example.* +## ads*.example[0-9]*.com +## +## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/ +## A script to build blacklists from public feeds can be found in the +## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code. + +[blacklist] + + ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file) + + # blacklist_file = 'blacklist.txt' + + + ## Optional path to a file logging blocked queries + + # log_file = 'blocked.log' + + + ## Optional log format: tsv or ltsv (default: tsv) + + # log_format = 'tsv' + + + +########################################################### +# Pattern-based IP blocking (IP blacklists) # +########################################################### + +## IP blacklists are made of one pattern per line. 
Example of valid patterns: +## +## 127.* +## fe80:abcd:* +## 192.168.1.4 + +[ip_blacklist] + + ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file) + + # blacklist_file = 'ip-blacklist.txt' + + + ## Optional path to a file logging blocked queries + + # log_file = 'ip-blocked.log' + + + ## Optional log format: tsv or ltsv (default: tsv) + + # log_format = 'tsv' + + + +########################################## +# Time access restrictions # +########################################## + +## One or more weekly schedules can be defined here. +## Patterns in the name-based blocklist can optionally be followed with @schedule_name +## to apply the pattern 'schedule_name' only when it matches a time range of that schedule. +## +## For example, the following rule in a blacklist file: +## *.youtube.* @time-to-sleep +## would block access to Youtube only during the days, and period of the days +## define by the 'time-to-sleep' schedule. +## +## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00 +## {after= '9:00', before='18:00'} matches 9:00-18:00 + +[schedules] + + # [schedules.'time-to-sleep'] + # mon = [{after='21:00', before='7:00'}] + # tue = [{after='21:00', before='7:00'}] + # wed = [{after='21:00', before='7:00'}] + # thu = [{after='21:00', before='7:00'}] + # fri = [{after='23:00', before='7:00'}] + # sat = [{after='23:00', before='7:00'}] + # sun = [{after='21:00', before='7:00'}] + + # [schedules.'work'] + # mon = [{after='9:00', before='18:00'}] + # tue = [{after='9:00', before='18:00'}] + # wed = [{after='9:00', before='18:00'}] + # thu = [{after='9:00', before='18:00'}] + # fri = [{after='9:00', before='17:00'}] + + + +######################### +# Servers # +######################### + +## Remote lists of available servers +## Multiple sources can be used simultaneously, but every source +## requires a dedicated cache file. +## +## Refer to the documentation for URLs of public sources. 
+## +## A prefix can be prepended to server names in order to +## avoid collisions if different sources share the same for +## different servers. In that case, names listed in `server_names` +## must include the prefixes. +## +## A cache file can be specified without a URL in order to maintain lists +## locally. + +[sources] + + ## An example of a remote source + + [sources.'public-resolvers'] + url = 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md' + cache_file = '/system/etc/dnscrypt-proxy/public-resolvers.md' + minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' + refresh_delay = 72 + prefix = '' + + ## Another example source, with resolvers censoring some websites not approriate for children + ## This is a subset of the `public-resolvers` list, so enabling both is useless + + # [sources.'parental-control'] + # url = 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md' + # cache_file = 'parental-control.md' + # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' + + + +## Optional, local, static list of additional servers +## Mostly useful for testing your own servers. + +[static] + + [static.'google'] + stamp = 'sdns://AgUAAAAAAAAAACDyXGrcc5eNecJ8nomJCJ-q6eCLTEn6bHic0hWGUwYQaA5kbnMuZ29vZ2xlLmNvbQ0vZXhwZXJpbWVudGFs' diff --git a/config/example-blacklist.txt b/config/example-blacklist.txt new file mode 100644 index 0000000..7f3d215 --- /dev/null +++ b/config/example-blacklist.txt 
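Review bot: `[static.'google']` is enabled in this shipped config although the bundled example file keeps it commented out. By the file's own comments, `require_nolog` and `require_nofilter` apply only to servers "defined by remote sources", so with `server_names` left commented this static Google DoH entry joins the candidate pool despite `require_nolog = true`. Either comment the static entry out as in the example, or set `server_names` explicitly to the resolvers the module intends to use. Separately, `cache_file = '/system/etc/dnscrypt-proxy/public-resolvers.md'` points under /system, which is presumably not writable at runtime. If the signed list cannot be cached, each start would depend on a fresh download and on the plaintext `fallback_resolver`, so it is worth confirming on a device or moving the cache to a writable module directory.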
@@ -0,0 +1,37 @@ + +########################### +# Blacklist # +########################### + +## Rules for name-based query blocking, one per line +## +## Example of valid patterns: +## +## ads.* | matches anything with an "ads." prefix +## *.example.com | matches example.com and all names within that zone such as www.example.com +## example.com | identical to the above +## *sex* | matches any name containing that substring +## ads[0-9]* | matches "ads" followed by one or more digits +## ads*.example* | *, ? and [] can be used anywhere, but prefixes/suffixes are faster + +ad.* +ads.* +banner.* +banners.* +creatives.* +oas.* +oascentral.* +stats.* +tag.* +telemetry.* +tracker.* +*.local +eth0.me +*.workgroup + + + +## Time-based rules + +# *.youtube.* @time-to-sleep +# facebook.com @work diff --git a/config/example-cloaking-rules.txt b/config/example-cloaking-rules.txt new file mode 100644 index 0000000..1e3e062 --- /dev/null +++ b/config/example-cloaking-rules.txt @@ -0,0 +1,22 @@ +################################ +# Cloaking rules # +################################ + +# The following example rules force "safe" (without adult content) search +# results from Google, Bing and Youtube. +# +# This has to be enabled with the `cloaking_rules` parameter in the main +# configuration file + + +www.google.com forcesafesearch.google.com +www.google.fr forcesafesearch.google.com + +www.bing.com strict.bing.com + +www.youtube.com restrictmoderate.youtube.com +m.youtube.com restrictmoderate.youtube.com +youtubei.googleapis.com restrictmoderate.youtube.com +youtube.googleapis.com restrictmoderate.youtube.com +www.youtube-nocookie.com restrictmoderate.youtube.com + diff --git a/config/example-dnscrypt-proxy.toml b/config/example-dnscrypt-proxy.toml new file mode 100644 index 0000000..21cb988 --- /dev/null +++ b/config/example-dnscrypt-proxy.toml 
@@ -0,0 +1,383 @@ + +############################################## +# # +# dnscrypt-proxy configuration # +# # +############################################## + +## This is an example configuration file. +## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml" +## +## Online documentation is available here: https://dnscrypt.info/doc + + + +################################## +# Global settings # +################################## + +## List of servers to use +## If this line is commented, all registered servers matching the require_* filters +## will be used +## The proxy will automatically pick the fastest, working servers from the list. +## Remove the leading # first to enable this; lines starting with # are ignored. + +# server_names = ['scaleway-fr', 'google', 'yandex'] + + +## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6. +## To only use systemd activation sockets, use an empty set: [] + +listen_addresses = ['127.0.0.1:53', '[::1]:53'] + + +## Maximum number of simultaneous client connections to accept + +max_clients = 250 + + +## Require servers (from static + remote sources) to satisfy specific properties + +# Use servers reachable over IPv4 +ipv4_servers = true + +# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity +ipv6_servers = false + +# Use servers implementing the DNSCrypt protocol +dnscrypt_servers = true + +# Use servers implementing the DNS-over-HTTPS protocol +doh_servers = true + + +## Require servers defined by remote sources to satisfy specific properties + +# Server must support DNS security extensions (DNSSEC) +require_dnssec = false + +# Server must not log user queries (declarative) +require_nolog = true + +# Server must not enforce its own blacklist (for parental control, ads blocking...) 
+require_nofilter = true + + + +## Always use TCP to connect to upstream servers + +force_tcp = false + + +## How long a DNS query will wait for a response, in milliseconds + +timeout = 2500 + + +## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random' + +# lb_strategy = 'p2' + + +## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors) + +# log_level = 2 + + +## log file for the application + +# log_file = 'dnscrypt-proxy.log' + + +## Use the system logger (syslog on Unix, Event Log on Windows) + +# use_syslog = true + + +## Delay, in minutes, after which certificates are reloaded + +cert_refresh_delay = 240 + + +## Fallback resolver +## This is a normal, non-encrypted DNS resolver, that will be only used +## for one-shot queries when retrieving the initial resolvers list, and +## only if the system DNS configuration doesn't work. +## No user application queries will ever be leaked through this resolver, +## and it will not be used after IP addresses of resolvers URLs have been found. +## It will never be used if lists have already been cached, and if stamps +## don't include host names without IP addresses. +## It will not be used if the configured system DNS works. +## A resolver supporting DNSSEC is recommended. This may become mandatory. + +fallback_resolver = '9.9.9.9:53' + + +## Never try to use the system DNS settings; unconditionally use the +## fallback resolver. + +ignore_system_dns = false + + + +######################### +# Filters # +######################### + +## Immediately respond to IPv6-related queries with an empty response +## This makes things faster when there is no IPv6 connectivity, but can +## also cause reliability issues with some stub resolvers. In +## particular, enabling this on macOS is not recommended. 
+ +block_ipv6 = false + + + +################################################################################## +# Route queries for specific domains to a dedicated set of servers # +################################################################################## + +## Example map entries (one entry per line): +## example.com 9.9.9.9 +## example.net 9.9.9.9,8.8.8.8 + +# forwarding_rules = 'forwarding-rules.txt' + + + +############################### +# Cloaking rules # +############################### + +## Cloaking returns a predefined address for a specific name. +## In addition to acting as a HOSTS file, it can also return the IP address +## of a different name. It will also do CNAME flattening. +## +## Example map entries (one entry per line) +## example.com 10.1.1.1 +## www.google.com forcesafesearch.google.com + +# cloaking_rules = 'cloaking-rules.txt' + + + +########################### +# DNS cache # +########################### + +## Enable a DNS cache to reduce latency and outgoing traffic + +cache = true + + +## Cache size + +cache_size = 256 + + +## Minimum TTL for cached entries + +cache_min_ttl = 600 + + +## Maximum TTL for cached entries + +cache_max_ttl = 86400 + + +## TTL for negatively cached entries + +cache_neg_ttl = 60 + + + +############################### +# Query logging # +############################### + +## Log client queries to a file + +[query_log] + + ## Path to the query log file (absolute, or relative to the same directory as the executable file) + + # file = 'query.log' + + + ## Query log format (currently supported: tsv and ltsv) + + format = 'tsv' + + + ## Do not log these query types, to reduce verbosity. Keep empty to log everything. 
+
+ # ignored_qtypes = ['DNSKEY', 'NS']
+
+
+
+############################################
+# Suspicious queries logging #
+############################################
+
+## Log queries for nonexistent zones
+## These queries can reveal the presence of malware, broken/obsolete applications,
+## and devices signaling their presence to 3rd parties.
+
+[nx_log]
+
+ ## Path to the query log file (absolute, or relative to the same directory as the executable file)
+
+ # file = 'nx.log'
+
+
+ ## Query log format (currently supported: tsv and ltsv)
+
+ format = 'tsv'
+
+
+
+######################################################
+# Pattern-based blocking (blacklists) #
+######################################################
+
+## Blacklists are made of one pattern per line. Example of valid patterns:
+##
+## example.com
+## *sex*
+## ads.*
+## ads*.example.*
+## ads*.example[0-9]*.com
+##
+## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
+## A script to build blacklists from public feeds can be found in the
+## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.
+
+[blacklist]
+
+ ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
+
+ # blacklist_file = 'blacklist.txt'
+
+
+ ## Optional path to a file logging blocked queries
+
+ # log_file = 'blocked.log'
+
+
+ ## Optional log format: tsv or ltsv (default: tsv)
+
+ # log_format = 'tsv'
+
+
+
+###########################################################
+# Pattern-based IP blocking (IP blacklists) #
+###########################################################
+
+## IP blacklists are made of one pattern per line. Example of valid patterns:
+##
+## 127.*
+## fe80:abcd:*
+## 192.168.1.4
+
+[ip_blacklist]
+
+ ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
+
+ # blacklist_file = 'ip-blacklist.txt'
+
+
+ ## Optional path to a file logging blocked queries
+
+ # log_file = 'ip-blocked.log'
+
+
+ ## Optional log format: tsv or ltsv (default: tsv)
+
+ # log_format = 'tsv'
+
+
+
+##########################################
+# Time access restrictions #
+##########################################
+
+## One or more weekly schedules can be defined here.
+## Patterns in the name-based blocklist can optionally be followed with @schedule_name
+## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
+##
+## For example, the following rule in a blacklist file:
+## *.youtube.* @time-to-sleep
+## would block access to Youtube only during the days, and period of the days
+## define by the 'time-to-sleep' schedule.
+##
+## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
+## {after= '9:00', before='18:00'} matches 9:00-18:00
+
+[schedules]
+
+ # [schedules.'time-to-sleep']
+ # mon = [{after='21:00', before='7:00'}]
+ # tue = [{after='21:00', before='7:00'}]
+ # wed = [{after='21:00', before='7:00'}]
+ # thu = [{after='21:00', before='7:00'}]
+ # fri = [{after='23:00', before='7:00'}]
+ # sat = [{after='23:00', before='7:00'}]
+ # sun = [{after='21:00', before='7:00'}]
+
+ # [schedules.'work']
+ # mon = [{after='9:00', before='18:00'}]
+ # tue = [{after='9:00', before='18:00'}]
+ # wed = [{after='9:00', before='18:00'}]
+ # thu = [{after='9:00', before='18:00'}]
+ # fri = [{after='9:00', before='17:00'}]
+
+
+
+#########################
+# Servers #
+#########################
+
+## Remote lists of available servers
+## Multiple sources can be used simultaneously, but every source
+## requires a dedicated cache file.
+##
+## Refer to the documentation for URLs of public sources.
+##
+## A prefix can be prepended to server names in order to
+## avoid collisions if different sources share the same for
+## different servers. In that case, names listed in `server_names`
+## must include the prefixes.
+##
+## If the `url` property is missing, cache files and valid signatures
+## must be already present; This doesn't prevent these cache files from
+## expiring after `refresh_delay` hours.
+
+[sources]
+
+ ## An example of a remote source
+
+ [sources.'public-resolvers']
+ url = 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'
+ cache_file = 'public-resolvers.md'
+ minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+ refresh_delay = 72
+ prefix = ''
+
+ ## Another example source, with resolvers censoring some websites not appropriate for children
+ ## This is a subset of the `public-resolvers` list, so enabling both is useless
+
+ # [sources.'parental-control']
+ # url = 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md'
+ # cache_file = 'parental-control.md'
+ # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+
+
+
+## Optional, local, static list of additional servers
+## Mostly useful for testing your own servers.
+
+[static]
+
+ # [static.'google']
+ # stamp = 'sdns://AgUAAAAAAAAAACDyXGrcc5eNecJ8nomJCJ-q6eCLTEn6bHic0hWGUwYQaA5kbnMuZ29vZ2xlLmNvbQ0vZXhwZXJpbWVudGFs'
diff --git a/config/example-forwarding-rules.txt b/config/example-forwarding-rules.txt
new file mode 100644
index 0000000..24cd586
--- /dev/null
+++ b/config/example-forwarding-rules.txt
@@ -0,0 +1,12 @@
+##################################
+# Forwarding rules #
+##################################
+
+## This is used to route specific domain names to specific servers.
+## The general format is: [, ...]
+## Addresses can be IPv4 and IPv6, and include a non-standard port number.
+
+## In order to enable this feature, the "forwarding_rules" property needs to
+## be set to that file name in the main configuration file.
+
+example.com 9.9.9.9,8.8.8.8
diff --git a/module.prop b/module.prop
new file mode 100755
index 0000000..f285a3b
--- /dev/null
+++ b/module.prop
@@ -0,0 +1,7 @@
+id=dnscrypt-proxy
+name=DNSCrypt-Proxy 2
+version=v1
+versionCode=1
+author=bluemeda
+description=A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2 and DNS-over-HTTP/2.
+minMagisk=1500
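Review bot: The last line of config/example-forwarding-rules.txt, `example.com 9.9.9.9,8.8.8.8`, is an active rule rather than a commented sample, and the header comments never say how forwarded queries travel. As far as I know dnscrypt-proxy sends forwarded names to the listed servers as ordinary DNS, so anything matched here leaves the encrypted path this module exists to provide. I would add a comment such as `## Forwarded queries are sent as plain DNS to the listed servers; they are not encrypted or authenticated.` and ship the sample commented out, `## example.com 9.9.9.9,8.8.8.8`, so that enabling `forwarding_rules` changes nothing until the user adds an entry of their own.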