2019-09-19 12:09:00 +02:00
|
|
|
####################################################
|
|
|
|
# #
|
|
|
|
# Encrypted DNS Server configuration #
|
|
|
|
# #
|
|
|
|
####################################################
|
|
|
|
|
|
|
|
|
2019-09-21 01:07:50 +02:00
|
|
|
|
2019-09-19 12:09:00 +02:00
|
|
|
##################################
|
|
|
|
# Global settings #
|
|
|
|
##################################
|
|
|
|
|
|
|
|
|
2019-09-22 13:44:45 +02:00
|
|
|
## IP addresses and ports to listen to, as well as their external IP
|
|
|
|
## If there is no NAT involved, `local` and `external` can be the same.
|
|
|
|
## As many addresses as needed can be configured here, IPv4 and/or IPv6.
|
2019-10-01 17:35:31 +02:00
|
|
|
## You should at least change the `external` IP address.
|
|
|
|
|
|
|
|
### Example with both IPv4 and IPv6 addresses:
|
|
|
|
# listen_addrs = [
|
|
|
|
# { local = "0.0.0.0:443", external = "198.51.100.1:443" },
|
|
|
|
# { local = "[::]:443", external = "[2001:db8::1]:443" }
|
|
|
|
# ]
|
2019-09-19 12:09:00 +02:00
|
|
|
|
2019-09-22 13:44:45 +02:00
|
|
|
listen_addrs = [
|
2019-10-01 17:35:31 +02:00
|
|
|
{ local = "0.0.0.0:443", external = "198.51.100.1:443" }
|
2019-09-22 13:44:45 +02:00
|
|
|
]
|
2019-09-19 12:09:00 +02:00
|
|
|
|
|
|
|
|
2019-09-22 14:41:05 +02:00
|
|
|
## Upstream DNS server and port
|
|
|
|
|
|
|
|
upstream_addr = "9.9.9.9:53"
|
2019-09-19 12:09:00 +02:00
|
|
|
|
|
|
|
|
|
|
|
## File name to save the state to
|
|
|
|
|
|
|
|
state_file = "encrypted-dns.state"
|
|
|
|
|
|
|
|
|
|
|
|
## UDP timeout in seconds
|
|
|
|
|
|
|
|
udp_timeout = 10
|
|
|
|
|
|
|
|
|
|
|
|
## TCP timeout in seconds
|
|
|
|
|
|
|
|
tcp_timeout = 10
|
|
|
|
|
|
|
|
|
|
|
|
## Maximum active UDP sockets
|
|
|
|
|
|
|
|
udp_max_active_connections = 1000
|
|
|
|
|
|
|
|
|
|
|
|
## Maximum active TCP connections
|
|
|
|
|
2022-06-24 12:09:17 +02:00
|
|
|
tcp_max_active_connections = 250
|
2019-09-19 12:09:00 +02:00
|
|
|
|
|
|
|
|
2019-10-19 11:40:25 +02:00
|
|
|
## Optional IP address to connect to upstream servers from.
|
|
|
|
## Leave commented/undefined to automatically select it.
|
2019-09-22 14:41:05 +02:00
|
|
|
|
2019-10-19 11:40:25 +02:00
|
|
|
# external_addr = "0.0.0.0"
|
2019-09-22 14:41:05 +02:00
|
|
|
|
|
|
|
|
2019-09-21 01:07:19 +02:00
|
|
|
## Built-in DNS cache capacity
|
2019-09-21 00:53:20 +02:00
|
|
|
|
2019-10-26 22:19:51 +02:00
|
|
|
cache_capacity = 100000
|
2019-09-21 00:53:20 +02:00
|
|
|
|
|
|
|
|
2019-09-21 12:18:27 +02:00
|
|
|
## DNS cache: minimum TTL
|
|
|
|
|
2019-10-01 08:07:17 +02:00
|
|
|
cache_ttl_min = 3600
|
2019-09-21 12:18:27 +02:00
|
|
|
|
|
|
|
|
|
|
|
## DNS cache: max TTL
|
|
|
|
|
|
|
|
cache_ttl_max = 86400
|
|
|
|
|
|
|
|
|
|
|
|
## DNS cache: error TTL
|
|
|
|
|
|
|
|
cache_ttl_error = 600
|
|
|
|
|
|
|
|
|
2020-05-05 17:27:28 +02:00
|
|
|
## DNS cache: to avoid bursts of traffic for popular queries when an
|
|
|
|
## RRSET expires, hold a TTL received from an upstream server for
|
|
|
|
## `client_ttl_holdon` seconds before decreasing it in client responses.
|
2020-04-24 22:56:29 +02:00
|
|
|
|
2020-05-05 17:27:28 +02:00
|
|
|
client_ttl_holdon = 60
|
2020-04-24 22:56:29 +02:00
|
|
|
|
|
|
|
|
2021-06-20 00:55:47 +02:00
|
|
|
## Run as a background process
|
|
|
|
|
|
|
|
daemonize = false
|
|
|
|
|
|
|
|
|
|
|
|
## Log file, when running as a background process
|
|
|
|
|
|
|
|
# log_file = "/tmp/encrypted-dns.log"
|
|
|
|
|
|
|
|
|
2019-09-21 16:19:39 +02:00
|
|
|
## PID file
|
|
|
|
|
|
|
|
# pid_file = "/tmp/encrypted-dns.pid"
|
|
|
|
|
|
|
|
|
2019-09-19 12:57:24 +02:00
|
|
|
## User name to drop privileges to, when started as root.
|
|
|
|
|
|
|
|
# user = "nobody"
|
|
|
|
|
|
|
|
|
|
|
|
## Group name to drop privileges to, when started as root.
|
|
|
|
|
2019-12-22 01:59:44 +01:00
|
|
|
# group = "nogroup"
|
2019-09-19 12:57:24 +02:00
|
|
|
|
|
|
|
|
|
|
|
## Path to chroot() to, when started as root.
|
2019-09-20 12:03:49 +02:00
|
|
|
## The path to the state file is relative to the chroot base.
|
2019-09-19 12:57:24 +02:00
|
|
|
|
2019-09-20 12:03:49 +02:00
|
|
|
# chroot = "/var/empty"
|
2019-09-19 12:57:24 +02:00
|
|
|
|
|
|
|
|
2020-04-20 16:24:18 +02:00
|
|
|
## Queries sent to that name will return the client IP address.
|
|
|
|
## This can be very useful for debugging, or to check that relaying works.
|
|
|
|
|
|
|
|
my_ip = "my.ip"
|
|
|
|
|
2019-09-19 12:09:00 +02:00
|
|
|
|
|
|
|
####################################
|
|
|
|
# DNSCrypt settings #
|
|
|
|
####################################
|
|
|
|
|
|
|
|
[dnscrypt]
|
|
|
|
|
2019-09-20 11:25:24 +02:00
|
|
|
## Provider name (with or without the `2.dnscrypt-cert.` prefix)
|
2019-09-19 12:09:00 +02:00
|
|
|
|
|
|
|
provider_name = "secure.dns.test"
|
|
|
|
|
|
|
|
|
2019-09-22 13:44:45 +02:00
|
|
|
## Does the server support DNSSEC?
|
|
|
|
|
|
|
|
dnssec = true
|
|
|
|
|
|
|
|
|
|
|
|
## Does the server always returns correct answers (no filtering, including ad blocking)?
|
|
|
|
|
|
|
|
no_filters = true
|
|
|
|
|
|
|
|
|
|
|
|
## Set to `true` if the server doesn't keep any information that can be used to identify users
|
|
|
|
|
|
|
|
no_logs = true
|
|
|
|
|
|
|
|
|
2019-09-20 10:39:42 +02:00
|
|
|
## Key cache capacity, per certificate
|
|
|
|
|
|
|
|
key_cache_capacity = 10000
|
|
|
|
|
|
|
|
|
2019-09-19 12:09:00 +02:00
|
|
|
|
|
|
|
###############################
|
|
|
|
# TLS settings #
|
|
|
|
###############################
|
|
|
|
|
|
|
|
[tls]
|
|
|
|
|
2019-12-11 15:14:43 +01:00
|
|
|
## Where to proxy TLS connections to (e.g. DoH server)
|
2019-09-19 12:09:00 +02:00
|
|
|
|
2019-09-19 12:57:24 +02:00
|
|
|
# upstream_addr = "127.0.0.1:4343"
|
2019-09-25 15:51:13 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
# Server-side filtering #
|
|
|
|
#######################################
|
|
|
|
|
|
|
|
[filtering]
|
|
|
|
|
2019-10-02 11:43:43 +02:00
|
|
|
## List of domains to block, one per line
|
2019-10-01 20:58:51 +02:00
|
|
|
|
2019-10-02 11:43:43 +02:00
|
|
|
# domain_blacklist = "/etc/domain_blacklist.txt"
|
2019-10-01 20:58:51 +02:00
|
|
|
|
|
|
|
|
2019-12-07 19:51:37 +01:00
|
|
|
## List of undelegated TLDs
|
|
|
|
## This is the list of nonexistent TLDs that queries are frequently observed for,
|
|
|
|
## but will never resolve to anything. The server will immediately return a
|
|
|
|
## synthesized NXDOMAIN response instead of hitting root servers.
|
|
|
|
|
|
|
|
# undelegated_list = "/etc/undelegated.txt"
|
|
|
|
|
|
|
|
|
2019-12-07 23:25:32 +01:00
|
|
|
## Ignore A and AAAA queries for unqualified host names.
|
|
|
|
|
|
|
|
# ignore_unqualified_hostnames = true
|
|
|
|
|
2019-10-01 20:58:51 +02:00
|
|
|
|
2019-12-07 23:42:40 +01:00
|
|
|
|
2019-10-02 11:43:43 +02:00
|
|
|
#########################
|
|
|
|
# Metrics #
|
|
|
|
#########################
|
2019-10-01 20:58:51 +02:00
|
|
|
|
2019-10-02 11:43:43 +02:00
|
|
|
# [metrics]
|
2019-10-02 12:05:49 +02:00
|
|
|
|
2019-10-02 11:43:43 +02:00
|
|
|
# type = "prometheus"
|
|
|
|
# listen_addr = "0.0.0.0:9100"
|
|
|
|
# path = "/metrics"
|
2019-10-13 22:47:57 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
################################
|
|
|
|
# Anonymized DNS #
|
|
|
|
################################
|
|
|
|
|
|
|
|
[anonymized_dns]
|
|
|
|
|
2019-10-14 11:10:55 +02:00
|
|
|
# Enable relaying support for Anonymized DNS
|
|
|
|
|
2019-10-13 22:47:57 +02:00
|
|
|
enabled = false
|
2019-10-14 11:10:55 +02:00
|
|
|
|
|
|
|
|
|
|
|
# Allowed upstream ports
|
2019-10-17 22:44:43 +02:00
|
|
|
# This is a list of commonly used ports for encrypted DNS services
|
2019-10-14 11:10:55 +02:00
|
|
|
|
2019-10-17 22:44:43 +02:00
|
|
|
allowed_ports = [ 443, 553, 853, 1443, 2053, 4343, 4434, 4443, 5353, 5443, 8443, 15353 ]
|
|
|
|
|
|
|
|
|
|
|
|
# Allow all ports >= 1024 in addition to the list above
|
|
|
|
|
|
|
|
allow_non_reserved_ports = false
|
2019-10-14 11:10:55 +02:00
|
|
|
|
|
|
|
|
|
|
|
# Blacklisted upstream IP addresses
|
|
|
|
|
2019-10-14 11:22:39 +02:00
|
|
|
blacklisted_ips = [ "93.184.216.34" ]
|
2020-03-20 10:43:54 +01:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
################################
|
|
|
|
# Access control #
|
|
|
|
################################
|
|
|
|
|
|
|
|
[access_control]
|
|
|
|
|
2020-03-20 11:11:44 +01:00
|
|
|
# Enable access control
|
2020-03-20 10:43:54 +01:00
|
|
|
|
|
|
|
enabled = false
|
|
|
|
|
|
|
|
# Only allow access to client queries including one of these random tokens
|
|
|
|
# Tokens can be configured in the `query_meta` section of `dnscrypt-proxy` as
|
|
|
|
# `query_meta = ["token:..."]` -- Replace ... with the token to use by the client.
|
|
|
|
# Example: `query_meta = ["token:Y2oHkDJNHz"]`
|
|
|
|
|
|
|
|
tokens = ["Y2oHkDJNHz", "G5zY3J5cHQtY", "C5zZWN1cmUuZG5z"]
|
|
|
|
|