encrypted-dns-server/example-encrypted-dns.toml

####################################################
#                                                  #
#        Encrypted DNS Server configuration        #
#                                                  #
####################################################


##################################
#         Global settings        #
##################################


## IP addresses and ports to listen to, as well as their external IP
## If there is no NAT involved, `local` and `external` can be the same.
## As many addresses as needed can be configured here, IPv4 and/or IPv6.
## You should at least change the `external` IP address.

### Example with both IPv4 and IPv6 addresses:
# listen_addrs = [
#     { local = "0.0.0.0:443",    external = "198.51.100.1:443" },
#     { local = "[::]:443",       external = "[2001:db8::1]:443" }
# ]

listen_addrs = [
    { local = "0.0.0.0:443",    external = "198.51.100.1:443" }
]


## Upstream DNS server and port

upstream_addr = "9.9.9.9:53"


## File name to save the state to

state_file = "encrypted-dns.state"


## UDP timeout in seconds

udp_timeout = 10


## TCP timeout in seconds

tcp_timeout = 10


## Maximum active UDP sockets

udp_max_active_connections = 1000


## Maximum active TCP connections

tcp_max_active_connections = 250


## Optional IP address to connect to upstream servers from.
## Leave commented/undefined to automatically select it.

# external_addr = "0.0.0.0"


## Built-in DNS cache capacity

cache_capacity = 100000


## DNS cache: minimum TTL

cache_ttl_min = 3600


## DNS cache: max TTL

cache_ttl_max = 86400


## DNS cache: error TTL

cache_ttl_error = 600


## DNS cache: to avoid bursts of traffic for popular queries when an
## RRSET expires, hold a TTL received from an upstream server for
## `client_ttl_holdon` seconds before decreasing it in client responses.

client_ttl_holdon = 60


## Run as a background process

daemonize = false


## Log file, when running as a background process

# log_file = "/tmp/encrypted-dns.log"


## PID file

# pid_file = "/tmp/encrypted-dns.pid"


## User name to drop privileges to, when started as root.

# user = "nobody"


## Group name to drop privileges to, when started as root.

# group = "nogroup"


## Path to chroot() to, when started as root.
## The path to the state file is relative to the chroot base.

# chroot = "/var/empty"


## Queries sent to that name will return the client IP address.
## This can be very useful for debugging, or to check that relaying works.

my_ip = "my.ip"


####################################
#         DNSCrypt settings        #
####################################

[dnscrypt]

## Provider name (with or without the `2.dnscrypt-cert.` prefix)

provider_name = "secure.dns.test"


## Does the server support DNSSEC?

dnssec = true


## Does the server always returns correct answers (no filtering, including ad blocking)?

no_filters = true


## Set to `true` if the server doesn't keep any information that can be used to identify users

no_logs = true


## Key cache capacity, per certificate

key_cache_capacity = 10000


###############################
#         TLS settings        #
###############################

[tls]

## Where to proxy TLS connections to (e.g. DoH server)

# upstream_addr = "127.0.0.1:4343"


#######################################
#        Server-side filtering        #
#######################################

[filtering]

## List of domains to block, one per line

# domain_blacklist = "/etc/domain_blacklist.txt"


## List of undelegated TLDs
## This is the list of nonexistent TLDs that queries are frequently observed for,
## but will never resolve to anything. The server will immediately return a
## synthesized NXDOMAIN response instead of hitting root servers.

# undelegated_list = "/etc/undelegated.txt"


## Ignore A and AAAA queries for unqualified host names.

# ignore_unqualified_hostnames = true


#########################
#        Metrics        #
#########################

# [metrics]

# type = "prometheus"
# listen_addr = "0.0.0.0:9100"
# path = "/metrics"


################################
#        Anonymized DNS        #
################################

[anonymized_dns]

# Enable relaying support for Anonymized DNS

enabled = false


# Allowed upstream ports
# This is a list of commonly used ports for encrypted DNS services

allowed_ports = [ 443, 553, 853, 1443, 2053, 4343, 4434, 4443, 5353, 5443, 8443, 15353 ]


# Allow all ports >= 1024 in addition to the list above

allow_non_reserved_ports = false


# Blacklisted upstream IP addresses

blacklisted_ips = [ "93.184.216.34" ]


################################
#        Access control        #
################################

[access_control]

# Enable access control

enabled = false

# Only allow access to client queries including one of these random tokens
# Tokens can be configured in the `query_meta` section of `dnscrypt-proxy` as
# `query_meta = ["token:..."]` -- Replace ... with the token to use by the client.
# Example: `query_meta = ["token:Y2oHkDJNHz"]`

tokens = ["Y2oHkDJNHz", "G5zY3J5cHQtY", "C5zZWN1cmUuZG5z"]
Move to TOML (1) 2019-09-19 12:09:00 +02:00			`####################################################`
			`# #`
			`# Encrypted DNS Server configuration #`
			`# #`
			`####################################################`


CRLF 2019-09-21 01:07:50 +02:00
Move to TOML (1) 2019-09-19 12:09:00 +02:00			`##################################`
			`# Global settings #`
			`##################################`


Change the format of how IP addresses are specified 2019-09-22 13:44:45 +02:00			`## IP addresses and ports to listen to, as well as their external IP`
			## If there is no NAT involved, `local` and `external` can be the same.
			`## As many addresses as needed can be configured here, IPv4 and/or IPv6.`
encrypted-dns.toml -> example-encrypted-dns.toml 2019-10-01 17:35:31 +02:00			## You should at least change the `external` IP address.

			`### Example with both IPv4 and IPv6 addresses:`
			`# listen_addrs = [`
			`# { local = "0.0.0.0:443", external = "198.51.100.1:443" },`
			`# { local = "[::]:443", external = "[2001:db8::1]:443" }`
			`# ]`
Move to TOML (1) 2019-09-19 12:09:00 +02:00
Change the format of how IP addresses are specified 2019-09-22 13:44:45 +02:00			`listen_addrs = [`
encrypted-dns.toml -> example-encrypted-dns.toml 2019-10-01 17:35:31 +02:00			`{ local = "0.0.0.0:443", external = "198.51.100.1:443" }`
Change the format of how IP addresses are specified 2019-09-22 13:44:45 +02:00			`]`
Move to TOML (1) 2019-09-19 12:09:00 +02:00

Reorder 2019-09-22 14:41:05 +02:00			`## Upstream DNS server and port`

			`upstream_addr = "9.9.9.9:53"`
Move to TOML (1) 2019-09-19 12:09:00 +02:00

			`## File name to save the state to`

			`state_file = "encrypted-dns.state"`


			`## UDP timeout in seconds`

			`udp_timeout = 10`


			`## TCP timeout in seconds`

			`tcp_timeout = 10`


			`## Maximum active UDP sockets`

			`udp_max_active_connections = 1000`


			`## Maximum active TCP connections`

Bump the example number of allowed TCP connections 2022-06-24 12:09:17 +02:00			`tcp_max_active_connections = 250`
Move to TOML (1) 2019-09-19 12:09:00 +02:00

Update comment 2019-10-19 11:40:25 +02:00			`## Optional IP address to connect to upstream servers from.`
			`## Leave commented/undefined to automatically select it.`
Reorder 2019-09-22 14:41:05 +02:00
Update comment 2019-10-19 11:40:25 +02:00			`# external_addr = "0.0.0.0"`
Reorder 2019-09-22 14:41:05 +02:00

Clarify 2019-09-21 01:07:19 +02:00			`## Built-in DNS cache capacity`
Add a simple built-in DNS cache (TTL is not handled yet) 2019-09-21 00:53:20 +02:00
Double the default cache size, which remains fairly small 2019-10-26 22:19:51 +02:00			`cache_capacity = 100000`
Add a simple built-in DNS cache (TTL is not handled yet) 2019-09-21 00:53:20 +02:00

Make DNS cache TTLs configurable 2019-09-21 12:18:27 +02:00			`## DNS cache: minimum TTL`

Bump example cache_ttl_min up 2019-10-01 08:07:17 +02:00			`cache_ttl_min = 3600`
Make DNS cache TTLs configurable 2019-09-21 12:18:27 +02:00

			`## DNS cache: max TTL`

			`cache_ttl_max = 86400`


			`## DNS cache: error TTL`

			`cache_ttl_error = 600`


client_ttl_jitter -> client_ttl_holdon 2020-05-05 17:27:28 +02:00			`## DNS cache: to avoid bursts of traffic for popular queries when an`
			`## RRSET expires, hold a TTL received from an upstream server for`
			## `client_ttl_holdon` seconds before decreasing it in client responses.
Add decreasing TTLs with jitter when a TTL becomes low Fixes #33 2020-04-24 22:56:29 +02:00
client_ttl_jitter -> client_ttl_holdon 2020-05-05 17:27:28 +02:00			`client_ttl_holdon = 60`
Add decreasing TTLs with jitter when a TTL becomes low Fixes #33 2020-04-24 22:56:29 +02:00

Revert "Remove daemonization, it's always been broken" This reverts commit 4f2272593121de111b0b187047e505381077690b. 2021-06-20 00:55:47 +02:00			`## Run as a background process`

			`daemonize = false`


			`## Log file, when running as a background process`

			`# log_file = "/tmp/encrypted-dns.log"`


Improved daemonization 2019-09-21 16:19:39 +02:00			`## PID file`

			`# pid_file = "/tmp/encrypted-dns.pid"`


Drop privileges 2019-09-19 12:57:24 +02:00			`## User name to drop privileges to, when started as root.`

			`# user = "nobody"`


			`## Group name to drop privileges to, when started as root.`

Change the example group name 2019-12-22 01:59:44 +01:00			`# group = "nogroup"`
Drop privileges 2019-09-19 12:57:24 +02:00

			`## Path to chroot() to, when started as root.`
Update the documentation 2019-09-20 12:03:49 +02:00			`## The path to the state file is relative to the chroot base.`
Drop privileges 2019-09-19 12:57:24 +02:00
Update the documentation 2019-09-20 12:03:49 +02:00			`# chroot = "/var/empty"`
Drop privileges 2019-09-19 12:57:24 +02:00

Add my_ip feature 2020-04-20 16:24:18 +02:00			`## Queries sent to that name will return the client IP address.`
			`## This can be very useful for debugging, or to check that relaying works.`

			`my_ip = "my.ip"`

Move to TOML (1) 2019-09-19 12:09:00 +02:00
			`####################################`
			`# DNSCrypt settings #`
			`####################################`

			`[dnscrypt]`

Import from dnscrypt-wrapper 2019-09-20 11:25:24 +02:00			## Provider name (with or without the `2.dnscrypt-cert.` prefix)
Move to TOML (1) 2019-09-19 12:09:00 +02:00
			`provider_name = "secure.dns.test"`


Change the format of how IP addresses are specified 2019-09-22 13:44:45 +02:00			`## Does the server support DNSSEC?`

			`dnssec = true`


			`## Does the server always returns correct answers (no filtering, including ad blocking)?`

			`no_filters = true`


			## Set to `true` if the server doesn't keep any information that can be used to identify users

			`no_logs = true`


ADd a key cache and improve logging 2019-09-20 10:39:42 +02:00			`## Key cache capacity, per certificate`

			`key_cache_capacity = 10000`


Move to TOML (1) 2019-09-19 12:09:00 +02:00
			`###############################`
			`# TLS settings #`
			`###############################`

			`[tls]`

Typo 2019-12-11 15:14:43 +01:00			`## Where to proxy TLS connections to (e.g. DoH server)`
Move to TOML (1) 2019-09-19 12:09:00 +02:00
Drop privileges 2019-09-19 12:57:24 +02:00			`# upstream_addr = "127.0.0.1:4343"`
Implement support for server-side blacklists 2019-09-25 15:51:13 +02:00


			`#######################################`
			`# Server-side filtering #`
			`#######################################`

			`[filtering]`

up 2019-10-02 11:43:43 +02:00			`## List of domains to block, one per line`
Prometheus metrics 2019-10-01 20:58:51 +02:00
up 2019-10-02 11:43:43 +02:00			`# domain_blacklist = "/etc/domain_blacklist.txt"`
Prometheus metrics 2019-10-01 20:58:51 +02:00

Add the ability to return synthetic response for undelegated TLDs 2019-12-07 19:51:37 +01:00			`## List of undelegated TLDs`
			`## This is the list of nonexistent TLDs that queries are frequently observed for,`
			`## but will never resolve to anything. The server will immediately return a`
			`## synthesized NXDOMAIN response instead of hitting root servers.`

			`# undelegated_list = "/etc/undelegated.txt"`


Add ignore_unqualified_hostnames 2019-12-07 23:25:32 +01:00			`## Ignore A and AAAA queries for unqualified host names.`

			`# ignore_unqualified_hostnames = true`

Prometheus metrics 2019-10-01 20:58:51 +02:00
CRLF 2019-12-07 23:42:40 +01:00
up 2019-10-02 11:43:43 +02:00			`#########################`
			`# Metrics #`
			`#########################`
Prometheus metrics 2019-10-01 20:58:51 +02:00
up 2019-10-02 11:43:43 +02:00			`# [metrics]`
CRLF 2019-10-02 12:05:49 +02:00
up 2019-10-02 11:43:43 +02:00			`# type = "prometheus"`
			`# listen_addr = "0.0.0.0:9100"`
			`# path = "/metrics"`
Prepare a new configuration section for Anonymized DNS 2019-10-13 22:47:57 +02:00


			`################################`
			`# Anonymized DNS #`
			`################################`

			`[anonymized_dns]`

Anonymized DNS is here 2019-10-14 11:10:55 +02:00			`# Enable relaying support for Anonymized DNS`

Prepare a new configuration section for Anonymized DNS 2019-10-13 22:47:57 +02:00			`enabled = false`
Anonymized DNS is here 2019-10-14 11:10:55 +02:00

			`# Allowed upstream ports`
Add a reasonable default set of ports + a new option 2019-10-17 22:44:43 +02:00			`# This is a list of commonly used ports for encrypted DNS services`
Anonymized DNS is here 2019-10-14 11:10:55 +02:00
Add a reasonable default set of ports + a new option 2019-10-17 22:44:43 +02:00			`allowed_ports = [ 443, 553, 853, 1443, 2053, 4343, 4434, 4443, 5353, 5443, 8443, 15353 ]`


			`# Allow all ports >= 1024 in addition to the list above`

			`allow_non_reserved_ports = false`
Anonymized DNS is here 2019-10-14 11:10:55 +02:00

			`# Blacklisted upstream IP addresses`

Remove CRLF 2019-10-14 11:22:39 +02:00			`blacklisted_ips = [ "93.184.216.34" ]`
Implement access control 2020-03-20 10:43:54 +01:00



			`################################`
			`# Access control #`
			`################################`

			`[access_control]`

Bump 2020-03-20 11:11:44 +01:00			`# Enable access control`
Implement access control 2020-03-20 10:43:54 +01:00
			`enabled = false`

			`# Only allow access to client queries including one of these random tokens`
			# Tokens can be configured in the `query_meta` section of `dnscrypt-proxy` as
			# `query_meta = ["token:..."]` -- Replace ... with the token to use by the client.
			# Example: `query_meta = ["token:Y2oHkDJNHz"]`

			`tokens = ["Y2oHkDJNHz", "G5zY3J5cHQtY", "C5zZWN1cmUuZG5z"]`