##############################################
# dnscrypt-proxy configuration
##############################################

## This is an example configuration file.
## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"
##
## Online documentation is available here: https://dnscrypt.info/doc
##
## Lines marked NOTE(review) flag settings in this copy that have a
## security, privacy or operational impact and are worth re-checking
## before the file is deployed.



##################################
# Global settings
##################################

## List of servers to use
##
## Servers from the "public-resolvers" source (see down below) can
## be viewed here: https://dnscrypt.info/public-servers
##
## If this line is commented, all registered servers matching the require_* filters
## will be used.
##
## The proxy will automatically pick the fastest, working servers from the list.
## Remove the leading # first to enable this; lines starting with # are ignored.
##
## NOTE(review): 'your-server-1' and 'your-server-2' are the example
## placeholders, and the line below is NOT commented out. Replace them with
## real names from the configured sources, or comment the line out so that
## the require_* filters below select the servers instead.

server_names = ['your-server-1', 'your-server-2']

## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
## Note: When using systemd socket activation, choose an empty set (i.e. [] ).
## Both entries below are loopback addresses, so only clients on this host
## can reach the proxy; widen them only if other hosts are meant to use it.

listen_addresses = ["127.0.0.1:53", "[::1]:53"]


## Maximum number of simultaneous client connections to accept

max_clients = 250


## Switch to a different system user after listening sockets have been created.
## Note (1): this feature is currently unsupported on Windows.
## Note (2): this feature is not compatible with systemd socket activation.
## Note (3): when using -pidfile, the PID file directory must be writable by the new user
## NOTE(review): left disabled, so the proxy keeps the identity it was
## started with (presumably a privileged account, since it binds port 53).
## Consider enabling it on hosts that are not Windows and do not rely on
## socket activation.

# user_name = 'nobody'


## Require servers (from static + remote sources) to satisfy specific properties

# Use servers reachable over IPv4
ipv4_servers = true

# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
ipv6_servers = false

# Use servers implementing the DNSCrypt protocol
dnscrypt_servers = true

# Use servers implementing the DNS-over-HTTPS protocol
doh_servers = false


## Require servers defined by remote sources to satisfy specific properties
## These are properties as declared in the source lists (see "declarative"
## below); the proxy filters on the declaration, it cannot check that a
## server actually honours it.

# Server must support DNS security extensions (DNSSEC)
# NOTE(review): off, so DNSSEC support is not a requirement when a server is picked.
require_dnssec = false

# Server must not log user queries (declarative)
require_nolog = true

# Server must not enforce its own blacklist (for parental control, ads blocking...)
require_nofilter = true

# Server names to avoid even if they match all criteria
disabled_server_names = []


## Always use TCP to connect to upstream servers.
## This can be useful if you need to route everything through Tor.
## Otherwise, leave this to `false`, as it doesn't improve security
## (dnscrypt-proxy will always encrypt everything even using UDP), and can
## only increase latency.

force_tcp = false


## SOCKS proxy
## Uncomment the following line to route all TCP connections to a local Tor node
## Tor doesn't support UDP, so set `force_tcp` to `true` as well.

# proxy = "socks5://127.0.0.1:9050"


## HTTP/HTTPS proxy
## Only for DoH servers

# http_proxy = "http://127.0.0.1:8888"


## How long a DNS query will wait for a response, in milliseconds

timeout = 4000


## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds

keepalive = 120


## Use the REFUSED return code for blocked responses
## Setting this to `false` means that some responses will be lies.
## Unfortunately, `false` appears to be required for Android 8+

refused_code_in_responses = false


## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random'

# lb_strategy = 'p2'


## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)
## NOTE(review): 0 is the most verbose setting and log_file below is enabled,
## so debug-level output is written to disk. Verbose output may include
## details of the names being resolved, so treat the file as sensitive.
## Go back to the default (2) once debugging is finished; see also the
## rotation limits at the end of this section.

log_level = 0


## log file for the application
## The directory must exist and be writable by the proxy process; if
## user_name above is ever enabled, adjust its ownership accordingly.

log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'


## Use the system logger (syslog on Unix, Event Log on Windows)

use_syslog = false


## Delay, in minutes, after which certificates are reloaded

cert_refresh_delay = 240


## DNSCrypt: Create a new, unique key for every single DNS query
## This may improve privacy but can also have a significant impact on CPU usage
## Only enable if you don't have a lot of network load

# dnscrypt_ephemeral_keys = false


## DoH: Disable TLS session tickets - increases privacy but also latency

# tls_disable_session_tickets = false


## DoH: Use a specific cipher suite instead of the server preference
## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
##
## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
## the following suite improves performance.
## This may also help on Intel CPUs running 32-bit operating systems.
##
## Keep tls_cipher_suite empty if you have issues fetching sources or
## connecting to some DoH servers. Google and Cloudflare are fine with it.

# tls_cipher_suite = [52392, 49199]


## Fallback resolver
## This is a normal, non-encrypted DNS resolver, that will be only used
## for one-shot queries when retrieving the initial resolvers list, and
## only if the system DNS configuration doesn't work.
## No user application queries will ever be leaked through this resolver,
## and it will not be used after IP addresses of resolvers URLs have been found.
## It will never be used if lists have already been cached, and if stamps
## don't include host names without IP addresses.
## It will not be used if the configured system DNS works.
## A resolver supporting DNSSEC is recommended. This may become mandatory.
##
## People in China may need to use 114.114.114.114:53 here.
## Other popular options include 8.8.8.8 and 9.9.9.9.
##
## NOTE(review): this is plain, unencrypted DNS. Because ignore_system_dns is
## set to true below, it is used unconditionally (not only when the system
## DNS fails) for the bootstrap queries described above, so pick a resolver
## you trust and, as recommended, one that validates DNSSEC.

fallback_resolver = '1.1.1.1:53'


## Never let dnscrypt-proxy try to use the system DNS settings;
## unconditionally use the fallback resolver.
## This makes fallback_resolver the only bootstrap path; make sure it is
## reachable from every network this host is used on.

ignore_system_dns = true


## Maximum time (in seconds) to wait for network connectivity before
## initializing the proxy.
## Useful if the proxy is automatically started at boot, and network
## connectivity is not guaranteed to be immediately available.
## Use 0 to disable.

netprobe_timeout = 60


## Offline mode - Do not use any remote encrypted servers.
## The proxy will remain fully functional to respond to queries that
## plugins can handle directly (forwarding, cloaking, ...)

# offline_mode = false


## Automatic log files rotation
## NOTE(review): with the values below at most two files (the current log
## plus one backup) of about 1 MB each are kept, and backups older than a
## day are removed. With log_level = 0 the file fills quickly, so very
## little history survives for incident review; raise these limits if the
## log is expected to be useful after the fact.

# Maximum log files size in MB
log_files_max_size = 1

# How long to keep backup files, in days
log_files_max_age = 1

# Maximum log files backups to keep (or 0 to keep all backups)
log_files_max_backups = 1
  222.  
  223.  
  224.  
#########################
# Filters
#########################

## Immediately respond to IPv6-related queries with an empty response
## This makes things faster when there is no IPv6 connectivity, but can
## also cause reliability issues with some stub resolvers.
## Do not enable if you added a validating resolver such as dnsmasq in front
## of the proxy.
## Left off here even though ipv6_servers is false above; the reliability
## trade-off described above is the reason to keep it that way.

block_ipv6 = false
  236.  
  237.  
  238.  
##################################################################################
# Route queries for specific domains to a dedicated set of servers
##################################################################################

## Example map entries (one entry per line):
## example.com 9.9.9.9
## example.net 9.9.9.9,8.8.8.8,1.1.1.1
##
## NOTE(review): the targets are bare IP addresses, so queries for these
## domains presumably leave as plain DNS rather than through the encrypted
## servers — confirm in the documentation, and limit forwarding to internal
## zones (for example a LAN resolver) that genuinely need it.

# forwarding_rules = 'forwarding-rules.txt'
  248.  
  249.  
  250.  
###############################
# Cloaking rules
###############################

## Cloaking returns a predefined address for a specific name.
## In addition to acting as a HOSTS file, it can also return the IP address
## of a different name. It will also do CNAME flattening.
##
## Example map entries (one entry per line)
## example.com 10.1.1.1
## www.google.com forcesafesearch.google.com
##
## NOTE(review): cloaking entries override the real DNS data for the listed
## names, so keep the rules file under the same change control and file
## permissions as a hosts file.

# cloaking_rules = 'cloaking-rules.txt'
  264.  
  265.  
  266.  
###########################
# DNS cache
###########################

## Enable a DNS cache to reduce latency and outgoing traffic

cache = true


## Cache size

cache_size = 2048


## Minimum TTL for cached entries
## NOTE(review): answers that arrive with a shorter upstream TTL are
## presumably kept for up to this value (600 s = 10 min), which delays the
## effect of DNS changes such as failover or record takedowns; lower it if
## fast propagation matters more than upstream traffic.

cache_min_ttl = 600


## Maximum TTL for cached entries

cache_max_ttl = 86400


## Minimum TTL for negatively cached entries

cache_neg_min_ttl = 60


## Maximum TTL for negatively cached entries

cache_neg_max_ttl = 600
  299.  
  300.  
  301.  
###############################
# Query logging
###############################

## Log client queries to a file
## NOTE(review): disabled here (`file` below is commented out). If enabled,
## every client lookup is written to that file; restrict its permissions and
## include it in the log retention policy, since it is personal data.

[query_log]

## Path to the query log file (absolute, or relative to the same directory as the executable file)

# file = 'query.log'


## Query log format (currently supported: tsv and ltsv)
## Presumably only takes effect once `file` above is set.

format = 'tsv'


## Do not log these query types, to reduce verbosity. Keep empty to log everything.

# ignored_qtypes = ['DNSKEY', 'NS']
  323.  
  324.  
  325.  
############################################
# Suspicious queries logging
############################################

## Log queries for nonexistent zones
## These queries can reveal the presence of malware, broken/obsolete applications,
## and devices signaling their presence to 3rd parties.
## NOTE(review): disabled here (`file` below is commented out). This is a
## cheap detection signal for the host; if it is enabled, route the file to
## whatever collects logs on this machine.

[nx_log]

## Path to the query log file (absolute, or relative to the same directory as the executable file)

# file = 'nx.log'


## Query log format (currently supported: tsv and ltsv)

format = 'tsv'
  344.  
  345.  
  346.  
######################################################
# Pattern-based blocking (blacklists)
######################################################

## Blacklists are made of one pattern per line. Example of valid patterns:
##
## example.com
## =example.com
## *sex*
## ads.*
## ads*.example.*
## ads*.example[0-9]*.com
##
## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
## A script to build blacklists from public feeds can be found in the
## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.
##
## NOTE(review): the table is declared but every key below is commented out,
## so no name-based blocking is active in this configuration.

[blacklist]

## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)

# blacklist_file = 'blacklist.txt'


## Optional path to a file logging blocked queries

# log_file = 'blocked.log'


## Optional log format: tsv or ltsv (default: tsv)

# log_format = 'tsv'
  379.  
  380.  
  381.  
###########################################################
# Pattern-based IP blocking (IP blacklists)
###########################################################

## IP blacklists are made of one pattern per line. Example of valid patterns:
##
## 127.*
## fe80:abcd:*
## 192.168.1.4
##
## NOTE(review): the table is declared but every key below is commented out,
## so no IP-based blocking is active in this configuration.

[ip_blacklist]

## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)

# blacklist_file = 'ip-blacklist.txt'


## Optional path to a file logging blocked queries

# log_file = 'ip-blocked.log'


## Optional log format: tsv or ltsv (default: tsv)

# log_format = 'tsv'
  407.  
  408.  
  409.  
######################################################
# Pattern-based whitelisting (blacklists bypass)
######################################################

## Whitelists support the same patterns as blacklists
## If a name matches a whitelist entry, the corresponding session
## will bypass names and IP filters.
##
## Time-based rules are also supported to make some websites only accessible at specific times of the day.
##
## NOTE(review): because a match bypasses both the name and the IP filters,
## keep entries specific; a broad wildcard pattern would effectively disable
## filtering. Nothing is whitelisted here (every key below is commented out).

[whitelist]

## Path to the file of whitelisting rules (absolute, or relative to the same directory as the executable file)

# whitelist_file = 'whitelist.txt'


## Optional path to a file logging whitelisted queries

# log_file = 'whitelisted.log'


## Optional log format: tsv or ltsv (default: tsv)

# log_format = 'tsv'
  435.  
  436.  
  437.  
##########################################
# Time access restrictions
##########################################

## One or more weekly schedules can be defined here.
## Patterns in the name-based blocklist can optionally be followed with @schedule_name
## to apply the pattern only while the current time falls within a time range
## of the schedule named 'schedule_name'.
##
## For example, the following rule in a blacklist file:
## *.youtube.* @time-to-sleep
## would block access to YouTube only on the days, and during the periods of
## those days, defined by the 'time-to-sleep' schedule.
##
## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
## {after= '9:00', before='18:00'} matches 9:00-18:00
##
## No schedule is defined here; the examples below are commented out.

[schedules]

# [schedules.'time-to-sleep']
# mon = [{after='21:00', before='7:00'}]
# tue = [{after='21:00', before='7:00'}]
# wed = [{after='21:00', before='7:00'}]
# thu = [{after='21:00', before='7:00'}]
# fri = [{after='23:00', before='7:00'}]
# sat = [{after='23:00', before='7:00'}]
# sun = [{after='21:00', before='7:00'}]

# [schedules.'work']
# mon = [{after='9:00', before='18:00'}]
# tue = [{after='9:00', before='18:00'}]
# wed = [{after='9:00', before='18:00'}]
# thu = [{after='9:00', before='18:00'}]
# fri = [{after='9:00', before='17:00'}]
  471.  
  472.  
  473.  
#########################
# Servers
#########################

## Remote lists of available servers
## Multiple sources can be used simultaneously, but every source
## requires a dedicated cache file.
##
## Refer to the documentation for URLs of public sources.
##
## A prefix can be prepended to server names in order to
## avoid collisions if different sources share the same name for
## different servers. In that case, names listed in `server_names`
## must include the prefixes.
##
## If the `urls` property is missing, cache files and valid signatures
## must already be present; this doesn't prevent these cache files from
## expiring after `refresh_delay` hours.
##
## NOTE(review): `minisign_key` is the publisher's signing key that the
## downloaded list is verified against (see the note on valid signatures
## above). Keep it in sync with the key published in the official
## documentation, and do not work around a signature failure at refresh time
## by substituting a key from an untrusted place — a failure is the signal
## that the list or the mirror should not be trusted.

[sources]

## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
## Both URLs are HTTPS; the second one is a mirror of the first, so the list
## is still fetched if one host is unreachable. The list is refreshed every
## 72 hours (see refresh_delay).

[sources.'public-resolvers']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
cache_file = 'public-resolvers.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72
prefix = ''

## Quad9 over DNSCrypt - https://quad9.net/
## (disabled; note that this source uses its own, different signing key)

# [sources.quad9-resolvers]
# urls = ["https://www.quad9.net/quad9-resolvers.md"]
# minisign_key = "RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN"
# cache_file = "quad9-resolvers.md"
# refresh_delay = 72
# prefix = "quad9-"

## Another example source, with resolvers censoring some websites not appropriate for children
## This is a subset of the `public-resolvers` list, so enabling both is useless
## (disabled; it is signed with the same key as `public-resolvers` above)

# [sources.'parental-control']
# urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md']
# cache_file = 'parental-control.md'
# minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  520.  
  521.  
  522.  
## Optional, local, static list of additional servers
## Mostly useful for testing your own servers.
## NOTE(review): a stamp embeds the server's address and its key material, so
## add only stamps taken from the operator's own documentation. No static
## server is defined here; the example below is commented out.

[static]

# [static.'google']
# stamp = 'sdns://AgUAAAAAAAAAAAAOZG5zLmdvb2dsZS5jb20NL2V4cGVyaW1lbnRhbA'