123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572 |
- ##############################################
- # #
- # dnscrypt-proxy configuration #
- # #
- ##############################################
- ## This is an example configuration file.
- ## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"
- ##
- ## Online documentation is available here: https://dnscrypt.info/doc
- ##################################
- # Global settings #
- ##################################
- ## List of servers to use
- ##
- ## Servers from the "public-resolvers" source (see down below) can
- ## be viewed here: https://dnscrypt.info/public-servers
- ##
- ## If this line is commented, all registered servers matching the require_* filters
- ## will be used.
- ##
- ## The proxy will automatically pick the fastest, working servers from the list.
- ## Remove the leading # first to enable this; lines starting with # are ignored.
- server_names = ['cloudflare']
- ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
- listen_addresses = ['0.0.0.0:53']
- ## Maximum number of simultaneous client connections to accept
- max_clients = 250
- ## Switch to a different system user after listening sockets have been created.
- ## Note (1): this feature is currently unsupported on Windows.
- ## Note (2): this feature is not compatible with systemd socket activation.
- ## Note (3): when using -pidfile, the PID file directory must be writable by the new user
- # user_name = 'proxy'
- ## Require servers (from static + remote sources) to satisfy specific properties
- # Use servers reachable over IPv4
- ipv4_servers = true
- # Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
- ipv6_servers = false
- # Use servers implementing the DNSCrypt protocol
- dnscrypt_servers = false
- # Use servers implementing the DNS-over-HTTPS protocol
- doh_servers = true
- ## Require servers defined by remote sources to satisfy specific properties
- # Server must support DNS security extensions (DNSSEC)
- require_dnssec = false
- # Server must not log user queries (declarative)
- require_nolog = true
- # Server must not enforce its own blacklist (for parental control, ads blocking...)
- require_nofilter = true
- # Server names to avoid even if they match all criteria
- disabled_server_names = []
- ## Always use TCP to connect to upstream servers.
- ## This can be useful if you need to route everything through Tor.
- ## Otherwise, leave this to `false`, as it doesn't improve security
- ## (dnscrypt-proxy will always encrypt everything even using UDP), and can
- ## only increase latency.
- force_tcp = true
- ## SOCKS proxy
- ## Uncomment the following line to route all TCP connections to a local Tor node
- ## Tor doesn't support UDP, so set `force_tcp` to `true` as well.
- # proxy = 'socks5://127.0.0.1:9050'
- ## HTTP/HTTPS proxy
- ## Only for DoH servers
- # http_proxy = 'http://127.0.0.1:8888'
- ## How long a DNS query will wait for a response, in milliseconds
- timeout = 2500
- ## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds
- keepalive = 30
- ## Response for blocked queries. Options are `refused`, `hinfo` (default) or
- ## an IP response. To give an IP response, use the format `a:<IPv4>,aaaa:<IPv6>`.
- ## Using the `hinfo` option means that some responses will be lies.
- ## Unfortunately, the `hinfo` option appears to be required for Android 8+
- # blocked_query_response = 'refused'
- ## Load-balancing strategy: 'p2' (default), 'ph', 'first' or 'random'
- # lb_strategy = 'p2'
- ## Set to `true` to constantly try to estimate the latency of all the resolvers
- ## and adjust the load-balancing parameters accordingly, or to `false` to disable.
- # lb_estimator = true
- ## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)
- # log_level = 2
- ## log file for the application
- log_file = '/dev/stdout'
- ## Use the system logger (syslog on Unix, Event Log on Windows)
- # use_syslog = true
- ## Delay, in minutes, after which certificates are reloaded
- cert_refresh_delay = 240
- ## DNSCrypt: Create a new, unique key for every single DNS query
- ## This may improve privacy but can also have a significant impact on CPU usage
- ## Only enable if you don't have a lot of network load
- # dnscrypt_ephemeral_keys = false
- ## DoH: Disable TLS session tickets - increases privacy but also latency
- # tls_disable_session_tickets = false
- ## DoH: Use a specific cipher suite instead of the server preference
- ## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- ## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- ## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- ## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- ## 4865 = TLS_AES_128_GCM_SHA256
- ## 4867 = TLS_CHACHA20_POLY1305_SHA256
- ##
- ## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
- ## the following suite improves performance.
- ## This may also help on Intel CPUs running 32-bit operating systems.
- ##
- ## Keep tls_cipher_suite empty if you have issues fetching sources or
- ## connecting to some DoH servers. Google and Cloudflare are fine with it.
- # tls_cipher_suite = [52392, 49199]
- ## Fallback resolver
- ## This is a normal, non-encrypted DNS resolver, that will be only used
- ## for one-shot queries when retrieving the initial resolvers list, and
- ## only if the system DNS configuration doesn't work.
- ## No user application queries will ever be leaked through this resolver,
- ## and it will not be used after IP addresses of resolvers URLs have been found.
- ## It will never be used if lists have already been cached, and if stamps
- ## don't include host names without IP addresses.
- ## It will not be used if the configured system DNS works.
- ## A resolver supporting DNSSEC is recommended. This may become mandatory.
- ##
- ## People in China may need to use 114.114.114.114:53 here.
- ## Other popular options include 8.8.8.8 and 1.1.1.1.
- fallback_resolver = '1.1.1.1:53'
- ## Never let dnscrypt-proxy try to use the system DNS settings;
- ## unconditionally use the fallback resolver.
- ignore_system_dns = true
- ## Maximum time (in seconds) to wait for network connectivity before
- ## initializing the proxy.
- ## Useful if the proxy is automatically started at boot, and network
- ## connectivity is not guaranteed to be immediately available.
- ## Use 0 to not test for connectivity at all (not recommended),
- ## and -1 to wait as much as possible.
- netprobe_timeout = 60
- ## Address and port to try initializing a connection to, just to check
- ## if the network is up. It can be any address and any port, even if
- ## there is nothing answering these on the other side. Just don't use
- ## a local address, as the goal is to check for Internet connectivity.
- ## On Windows, a datagram with a single, nul byte will be sent, only
- ## when the system starts.
- ## On other operating systems, the connection will be initialized
- ## but nothing will be sent at all.
- netprobe_address = '1.1.1.1:53'
- ## Offline mode - Do not use any remote encrypted servers.
- ## The proxy will remain fully functional to respond to queries that
- ## plugins can handle directly (forwarding, cloaking, ...)
- # offline_mode = false
- ## Additional data to attach to outgoing queries.
- ## These strings will be added as TXT records to queries.
- ## Do not use, except on servers explicitly asking for extra data
- ## to be present.
- # query_meta = ["key1:value1", "key2:value2", "key3:value3"]
- ## Automatic log files rotation
- # Maximum log files size in MB
- log_files_max_size = 10
- # How long to keep backup files, in days
- log_files_max_age = 7
- # Maximum log files backups to keep (or 0 to keep all backups)
- log_files_max_backups = 1
- #########################
- # Filters #
- #########################
- ## Immediately respond to IPv6-related queries with an empty response
- ## This makes things faster when there is no IPv6 connectivity, but can
- ## also cause reliability issues with some stub resolvers.
- ## Do not enable if you added a validating resolver such as dnsmasq in front
- ## of the proxy.
- block_ipv6 = false
- ##################################################################################
- # Route queries for specific domains to a dedicated set of servers #
- ##################################################################################
- ## Example map entries (one entry per line):
- ## example.com 9.9.9.9
- ## example.net 9.9.9.9,8.8.8.8,1.1.1.1
- # forwarding_rules = 'forwarding-rules.txt'
- ###############################
- # Cloaking rules #
- ###############################
- ## Cloaking returns a predefined address for a specific name.
- ## In addition to acting as a HOSTS file, it can also return the IP address
- ## of a different name. It will also do CNAME flattening.
- ##
- ## Example map entries (one entry per line)
- ## example.com 10.1.1.1
- ## www.google.com forcesafesearch.google.com
- #cloaking_rules = '/etc/dnscrypt-proxy/cloaking-rules.txt'
- ###########################
- # DNS cache #
- ###########################
- ## Enable a DNS cache to reduce latency and outgoing traffic
- cache = true
- ## Cache size
- cache_size = 512
- ## Minimum TTL for cached entries
- cache_min_ttl = 600
- ## Maximum TTL for cached entries
- cache_max_ttl = 86400
- ## Minimum TTL for negatively cached entries
- cache_neg_min_ttl = 60
- ## Maximum TTL for negatively cached entries
- cache_neg_max_ttl = 600
- ###############################
- # Query logging #
- ###############################
- ## Log client queries to a file
- [query_log]
- ## Path to the query log file (absolute, or relative to the same directory as the executable file)
- file = 'query.log'
- ## Query log format (currently supported: tsv and ltsv)
- format = 'tsv'
- ## Do not log these query types, to reduce verbosity. Keep empty to log everything.
- # ignored_qtypes = ['DNSKEY', 'NS']
- ############################################
- # Suspicious queries logging #
- ############################################
- ## Log queries for nonexistent zones
- ## These queries can reveal the presence of malware, broken/obsolete applications,
- ## and devices signaling their presence to 3rd parties.
- [nx_log]
- ## Path to the query log file (absolute, or relative to the same directory as the executable file)
- file = '/dev/stdout'
- ## Query log format (currently supported: tsv and ltsv)
- format = 'tsv'
- ######################################################
- # Pattern-based blocking (blacklists) #
- ######################################################
- ## Blacklists are made of one pattern per line. Example of valid patterns:
- ##
- ## example.com
- ## =example.com
- ## *sex*
- ## ads.*
- ## ads*.example.*
- ## ads*.example[0-9]*.com
- ##
- ## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
- ## A script to build blacklists from public feeds can be found in the
- ## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.
- [blacklist]
- ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
- # blacklist_file = 'blacklist.txt'
- ## Optional path to a file logging blocked queries
- # log_file = 'blocked.log'
- ## Optional log format: tsv or ltsv (default: tsv)
- # log_format = 'tsv'
- ###########################################################
- # Pattern-based IP blocking (IP blacklists) #
- ###########################################################
- ## IP blacklists are made of one pattern per line. Example of valid patterns:
- ##
- ## 127.*
- ## fe80:abcd:*
- ## 192.168.1.4
- [ip_blacklist]
- ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
- # blacklist_file = 'ip-blacklist.txt'
- ## Optional path to a file logging blocked queries
- # log_file = 'ip-blocked.log'
- ## Optional log format: tsv or ltsv (default: tsv)
- # log_format = 'tsv'
- ######################################################
- # Pattern-based whitelisting (blacklists bypass) #
- ######################################################
- ## Whitelists support the same patterns as blacklists
- ## If a name matches a whitelist entry, the corresponding session
- ## will bypass names and IP filters.
- ##
- ## Time-based rules are also supported to make some websites only accessible at specific times of the day.
- [whitelist]
- ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the executable file)
- # whitelist_file = 'whitelist.txt'
- ## Optional path to a file logging whitelisted queries
- # log_file = 'whitelisted.log'
- ## Optional log format: tsv or ltsv (default: tsv)
- # log_format = 'tsv'
- ##########################################
- # Time access restrictions #
- ##########################################
- ## One or more weekly schedules can be defined here.
- ## Patterns in the name-based blocklist can optionally be followed with @schedule_name
- ## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
- ##
- ## For example, the following rule in a blacklist file:
- ## *.youtube.* @time-to-sleep
- ## would block access to YouTube only during the days, and period of the days
- ## define by the 'time-to-sleep' schedule.
- ##
- ## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
- ## {after= '9:00', before='18:00'} matches 9:00-18:00
- [schedules]
- # [schedules.'time-to-sleep']
- # mon = [{after='21:00', before='7:00'}]
- # tue = [{after='21:00', before='7:00'}]
- # wed = [{after='21:00', before='7:00'}]
- # thu = [{after='21:00', before='7:00'}]
- # fri = [{after='23:00', before='7:00'}]
- # sat = [{after='23:00', before='7:00'}]
- # sun = [{after='21:00', before='7:00'}]
- # [schedules.'work']
- # mon = [{after='9:00', before='18:00'}]
- # tue = [{after='9:00', before='18:00'}]
- # wed = [{after='9:00', before='18:00'}]
- # thu = [{after='9:00', before='18:00'}]
- # fri = [{after='9:00', before='17:00'}]
- #########################
- # Servers #
- #########################
- ## Remote lists of available servers
- ## Multiple sources can be used simultaneously, but every source
- ## requires a dedicated cache file.
- ##
- ## Refer to the documentation for URLs of public sources.
- ##
- ## A prefix can be prepended to server names in order to
- ## avoid collisions if different sources share the same for
- ## different servers. In that case, names listed in `server_names`
- ## must include the prefixes.
- ##
- ## If the `urls` property is missing, cache files and valid signatures
- ## must be already present; This doesn't prevent these cache files from
- ## expiring after `refresh_delay` hours.
- [sources]
- ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
- [sources.'public-resolvers']
- urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
- cache_file = 'public-resolvers.md'
- minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
- prefix = ''
- ## Quad9 over DNSCrypt - https://quad9.net/
- # [sources.quad9-resolvers]
- # urls = ['https://www.quad9.net/quad9-resolvers.md']
- # minisign_key = 'RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN'
- # cache_file = 'quad9-resolvers.md'
- # prefix = 'quad9-'
- ## Another example source, with resolvers censoring some websites not appropriate for children
- ## This is a subset of the `public-resolvers` list, so enabling both is useless
- # [sources.'parental-control']
- # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md']
- # cache_file = 'parental-control.md'
- # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
- ## Optional, local, static list of additional servers
- ## Mostly useful for testing your own servers.
- ################################
- # Anonymized DNS #
- ################################
- #[anonymized_dns]
- ## Define one or more routes, i.e. indirect ways to reach servers.
- ## A set of possible relay servers is assigned to each DNS resolver.
- ## A relay can be specified as a DNS Stamp (either a relay stamp, or a
- ## DNSCrypt stamp), an IP:port, a hostname:port, or a server name, if
- ## the server is in the servers_list.
- # routes = [
- # { server_name='comodo-02', via=['sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM'] },
- # { server_name='quad9-dnscrypt-ip4-nofilter-pri', via=['sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM'] }
- # ]
- [static]
- # [static.'myserver']
- # stamp = 'sdns:AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'
|