#################################################### # # # Encrypted DNS Server configuration # # # #################################################### ################################## # Global settings # ################################## ## IP addresses and ports to listen to, as well as their external IP ## If there is no NAT involved, `local` and `external` can be the same. ## As many addresses as needed can be configured here, IPv4 and/or IPv6. listen_addrs = [ { local = "0.0.0.0:443", external = "@EXTERNAL_IPV4@" } ] ## Upstream DNS server and port upstream_addr = "127.0.0.1:553" ## File name to save the state to state_file = "/opt/encrypted-dns/etc/keys/state/encrypted-dns.state" ## UDP timeout in seconds udp_timeout = 10 ## TCP timeout in seconds tcp_timeout = 10 ## Maximum active UDP sockets udp_max_active_connections = 1000 ## Maximum active TCP connections tcp_max_active_connections = 100 ## Optional IP address to connect to upstream servers from. ## Leave commented/undefined to automatically select it. # external_addr = "0.0.0.0" ## Built-in DNS cache capacity cache_capacity = 50000 ## DNS cache: minimum TTL cache_ttl_min = 600 ## DNS cache: max TTL cache_ttl_max = 86400 ## DNS cache: error TTL cache_ttl_error = 600 ## Run as a background process daemonize = false ## Log file # log_file = "/tmp/encrypted-dns.log" ## PID file # pid_file = "/tmp/encrypted-dns.pid" ## User name to drop privileges to, when started as root. # user = "_encrypted-dns" ## Group name to drop privileges to, when started as root. # group = "_encrypted-dns" ## Path to chroot() to, when started as root. ## The path to the state file is relative to the chroot base. # chroot = "/var/empty" #################################### # DNSCrypt settings # #################################### [dnscrypt] ## Provider name (with or without the `2.dnscrypt-cert.` prefix) provider_name = "@PROVIDER_NAME@" ## Does the server support DNSSEC? dnssec = true ## Does the server always returns correct answers (no filtering, including ad blocking)? no_filters = true ## Set to `true` if the server doesn't keep any information that can be used to identify users no_logs = true ## Key cache capacity, per certificate key_cache_capacity = 10000 ############################### # TLS settings # ############################### [tls] ## Where to prooxy TLS connections to (e.g. DoH server) # upstream_addr = "127.0.0.1:4343" @TLS_PROXY_CONFIGURATION@ ####################################### # Server-side filtering # ####################################### [filtering] @DOMAIN_BLACKLIST_CONFIGURATION@ ######################### # Metrics # ######################### [metrics] type = "prometheus" listen_addr = "@METRICS_ADDRESS@" path = "/metrics" ################################ # Anonymized DNS # ################################ [anonymized_dns] # Enable relaying support for Anonymized DNS enabled = @ANONDNS_ENABLED@ # Allowed upstream ports allowed_ports = [ 443, 553, 853, 1443, 2053, 4343, 4434, 4443, 5353, 5443, 8443, 15353 ] # Allow all ports >= 1024 in addition to the list above allow_non_reserved_ports = false # Blacklisted upstream IP addresses blacklisted_ips = [ @ANONDNS_BLACKLISTED_IPS@ ]