TVT618

DNSCrypt-proxy's configuration

Aug 27th, 2020
28
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1.  
  2. ##############################################
  3. # #
  4. # dnscrypt-proxy configuration #
  5. # #
  6. ##############################################
  7.  
  8. ## This is an example configuration file.
  9. ## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"
  10. ##
  11. ## Online documentation is available here: https://dnscrypt.info/doc
  12.  
  13.  
  14.  
  15. ##################################
  16. # Global settings #
  17. ##################################
  18.  
  19. ## List of servers to use
  20. ## If this line is commented, all registered servers matching the require_* filters
  21. ## will be used
  22. ## The proxy will automatically pick the fastest, working servers from the list.
  23. ## Remove the leading # first to enable this; lines starting with # are ignored.
  24.  
  25. # If you are thinking of disabling family filtering, think of your future
  26. # an hour will be lost in search for happiness
  27. # then several hours will be felt feeling icky and smelly with a sore back from poor posture
  28. # write in your journal instead to address the causes for why you are seeking this escape
  29. # don't do it
  30. # ~ the ben of a thousand pasts, to the future you
  31. # server_names = ['adguard-dns-family-ipv6', 'adguard-dns-family'] # cisco-familyshield
  32. # server_names = ['adguard-dns-ipv6', 'adguard-dns']
  33. # server_names = ['cloudflare-ipv6', 'cloudflare'] # 1.1.1.1
  34. server_names = ['cloudflare','cloudflare-ipv6']
  35.  
  36.  
  37. ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
  38. ## To only use systemd activation sockets, use an empty set: []
  39.  
  40. listen_addresses = ['127.0.0.1:53', '[::1]:53']
  41.  
  42.  
  43. ## Maximum number of simultaneous client connections to accept
  44.  
  45. max_clients = 250
  46.  
  47.  
  48. ## Require servers (from static + remote sources) to satisfy specific properties
  49.  
  50. # Use servers reachable over IPv4
  51. ipv4_servers = true
  52.  
  53. # Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
  54. ipv6_servers = true
  55.  
  56. # Use servers implementing the DNSCrypt protocol
  57. dnscrypt_servers = true
  58.  
  59. # Use servers implementing the DNS-over-HTTPS protocol
  60. doh_servers = true
  61.  
  62.  
  63. ## Require servers defined by remote sources to satisfy specific properties
  64.  
  65. # Server must support DNS security extensions (DNSSEC)
  66. require_dnssec = true
  67.  
  68. # Server must not log user queries (declarative)
  69. require_nolog = true
  70.  
  71. # Server must not enforce its own blacklist (for parental control, ads blocking...)
  72. require_nofilter = false
  73.  
  74.  
  75.  
  76. ## Always use TCP to connect to upstream servers
  77.  
  78. force_tcp = false
  79.  
  80.  
  81. ## How long a DNS query will wait for a response, in milliseconds
  82.  
  83. timeout = 2500
  84.  
  85.  
  86. ## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random'
  87.  
  88. # lb_strategy = 'p2'
  89.  
  90.  
  91. ## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)
  92.  
  93. # log_level = 2
  94.  
  95.  
  96. ## log file for the application
  97.  
  98. # log_file = 'dnscrypt-proxy.log'
  99.  
  100.  
  101. ## Use the system logger (syslog on Unix, Event Log on Windows)
  102.  
  103. # use_syslog = true
  104.  
  105.  
  106. ## Delay, in minutes, after which certificates are reloaded
  107.  
  108. cert_refresh_delay = 240
  109.  
  110.  
  111. ## Fallback resolver
  112. ## This is a normal, non-encrypted DNS resolver, that will be only used
  113. ## for one-shot queries when retrieving the initial resolvers list, and
  114. ## only if the system DNS configuration doesn't work.
  115. ## No user application queries will ever be leaked through this resolver,
  116. ## and it will not be used after IP addresses of resolvers URLs have been found.
  117. ## It will never be used if lists have already been cached, and if stamps
  118. ## don't include host names without IP addresses.
  119. ## It will not be used if the configured system DNS works.
  120. ## A resolver supporting DNSSEC is recommended. This may become mandatory.
  121.  
  122. fallback_resolver = '1.1.1.1:53'
  123.  
  124.  
  125. ## Never try to use the system DNS settings; unconditionally use the
  126. ## fallback resolver.
  127.  
  128. ignore_system_dns = false
  129.  
  130.  
  131. ## Automatic log files rotation
  132.  
  133. # Maximum log files size in MB
  134. log_files_max_size = 10
  135.  
  136. # How long to keep backup files, in days
  137. log_files_max_age = 7
  138.  
  139. # Maximum log files backups to keep
  140. log_files_max_backups = 1
  141.  
  142.  
  143.  
  144. #########################
  145. # Filters #
  146. #########################
  147.  
  148. ## Immediately respond to IPv6-related queries with an empty response
  149. ## This makes things faster when there is no IPv6 connectivity, but can
  150. ## also cause reliability issues with some stub resolvers. In
  151. ## particular, enabling this on macOS is not recommended.
  152.  
  153. block_ipv6 = false
  154.  
  155.  
  156.  
  157. ##################################################################################
  158. # Route queries for specific domains to a dedicated set of servers #
  159. ##################################################################################
  160.  
  161. ## Example map entries (one entry per line):
  162. ## example.com 9.9.9.9
  163. ## example.net 9.9.9.9,8.8.8.8
  164.  
  165. # forwarding_rules = 'forwarding-rules.txt'
  166.  
  167.  
  168.  
  169. ###############################
  170. # Cloaking rules #
  171. ###############################
  172.  
  173. ## Cloaking returns a predefined address for a specific name.
  174. ## In addition to acting as a HOSTS file, it can also return the IP address
  175. ## of a different name. It will also do CNAME flattening.
  176. ##
  177. ## Example map entries (one entry per line)
  178. ## example.com 10.1.1.1
  179. ## www.google.com forcesafesearch.google.com
  180.  
  181. # cloaking_rules = 'cloaking-rules.txt'
  182.  
  183.  
  184.  
  185. ###########################
  186. # DNS cache #
  187. ###########################
  188.  
  189. ## Enable a DNS cache to reduce latency and outgoing traffic
  190.  
  191. cache = true
  192.  
  193.  
  194. ## Cache size
  195.  
  196. cache_size = 256
  197.  
  198.  
  199. ## Minimum TTL for cached entries
  200.  
  201. cache_min_ttl = 600
  202.  
  203.  
  204. ## Maximum TTL for cached entries
  205.  
  206. cache_max_ttl = 86400
  207.  
  208.  
  209. ## TTL for negatively cached entries
  210.  
  211. cache_neg_ttl = 60
  212.  
  213.  
  214.  
  215. ###############################
  216. # Query logging #
  217. ###############################
  218.  
  219. ## Log client queries to a file
  220.  
  221. [query_log]
  222.  
  223. ## Path to the query log file (absolute, or relative to the same directory as the executable file)
  224.  
  225. # file = 'query.log'
  226.  
  227.  
  228. ## Query log format (currently supported: tsv and ltsv)
  229.  
  230. format = 'tsv'
  231.  
  232.  
  233. ## Do not log these query types, to reduce verbosity. Keep empty to log everything.
  234.  
  235. # ignored_qtypes = ['DNSKEY', 'NS']
  236.  
  237.  
  238.  
  239. ############################################
  240. # Suspicious queries logging #
  241. ############################################
  242.  
  243. ## Log queries for nonexistent zones
  244. ## These queries can reveal the presence of malware, broken/obsolete applications,
  245. ## and devices signaling their presence to 3rd parties.
  246.  
  247. [nx_log]
  248.  
  249. ## Path to the query log file (absolute, or relative to the same directory as the executable file)
  250.  
  251. # file = 'nx.log'
  252.  
  253.  
  254. ## Query log format (currently supported: tsv and ltsv)
  255.  
  256. format = 'tsv'
  257.  
  258.  
  259.  
  260. ######################################################
  261. # Pattern-based blocking (blacklists) #
  262. ######################################################
  263.  
  264. ## Blacklists are made of one pattern per line. Example of valid patterns:
  265. ##
  266. ## example.com
  267. ## *sex*
  268. ## ads.*
  269. ## ads*.example.*
  270. ## ads*.example[0-9]*.com
  271. ##
  272. ## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
  273. ## A script to build blacklists from public feeds can be found in the
  274. ## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.
  275.  
  276. [blacklist]
  277.  
  278. ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
  279.  
  280. # blacklist_file = 'blacklist.txt'
  281.  
  282.  
  283. ## Optional path to a file logging blocked queries
  284.  
  285. # log_file = 'blocked.log'
  286.  
  287.  
  288. ## Optional log format: tsv or ltsv (default: tsv)
  289.  
  290. # log_format = 'tsv'
  291.  
  292.  
  293.  
  294. ###########################################################
  295. # Pattern-based IP blocking (IP blacklists) #
  296. ###########################################################
  297.  
  298. ## IP blacklists are made of one pattern per line. Example of valid patterns:
  299. ##
  300. ## 127.*
  301. ## fe80:abcd:*
  302. ## 192.168.1.4
  303.  
  304. [ip_blacklist]
  305.  
  306. ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
  307.  
  308. # blacklist_file = 'ip-blacklist.txt'
  309.  
  310.  
  311. ## Optional path to a file logging blocked queries
  312.  
  313. # log_file = 'ip-blocked.log'
  314.  
  315.  
  316. ## Optional log format: tsv or ltsv (default: tsv)
  317.  
  318. # log_format = 'tsv'
  319.  
  320.  
  321.  
  322. ##########################################
  323. # Time access restrictions #
  324. ##########################################
  325.  
  326. ## One or more weekly schedules can be defined here.
  327. ## Patterns in the name-based blocklist can optionally be followed with @schedule_name
  328. ## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
  329. ##
  330. ## For example, the following rule in a blacklist file:
  331. ## *.youtube.* @time-to-sleep
  332. ## would block access to Youtube only during the days, and period of the days
  333. ## define by the 'time-to-sleep' schedule.
  334. ##
  335. ## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
  336. ## {after= '9:00', before='18:00'} matches 9:00-18:00
  337.  
  338. [schedules]
  339.  
  340. # [schedules.'time-to-sleep']
  341. # mon = [{after='21:00', before='7:00'}]
  342. # tue = [{after='21:00', before='7:00'}]
  343. # wed = [{after='21:00', before='7:00'}]
  344. # thu = [{after='21:00', before='7:00'}]
  345. # fri = [{after='23:00', before='7:00'}]
  346. # sat = [{after='23:00', before='7:00'}]
  347. # sun = [{after='21:00', before='7:00'}]
  348.  
  349. # [schedules.'work']
  350. # mon = [{after='9:00', before='18:00'}]
  351. # tue = [{after='9:00', before='18:00'}]
  352. # wed = [{after='9:00', before='18:00'}]
  353. # thu = [{after='9:00', before='18:00'}]
  354. # fri = [{after='9:00', before='17:00'}]
  355.  
  356.  
  357.  
  358. #########################
  359. # Servers #
  360. #########################
  361.  
  362. ## Remote lists of available servers
  363. ## Multiple sources can be used simultaneously, but every source
  364. ## requires a dedicated cache file.
  365. ##
  366. ## Refer to the documentation for URLs of public sources.
  367. ##
  368. ## A prefix can be prepended to server names in order to
  369. ## avoid collisions if different sources share the same for
  370. ## different servers. In that case, names listed in `server_names`
  371. ## must include the prefixes.
  372. ##
  373. ## If the `url` property is missing, cache files and valid signatures
  374. ## must be already present; This doesn't prevent these cache files from
  375. ## expiring after `refresh_delay` hours.
  376.  
  377. [sources]
  378.  
  379. ## An example of a remote source
  380.  
  381. [sources.'public-resolvers']
  382. urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
  383. cache_file = 'public-resolvers.md'
  384. minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  385. refresh_delay = 72
  386. prefix = ''
  387.  
  388. ## Another example source, with resolvers censoring some websites not appropriate for children
  389. ## This is a subset of the `public-resolvers` list, so enabling both is useless
  390.  
  391. # [sources.'parental-control']
  392. # url = 'https://download.dnscrypt.info/resolvres-list/v2/parental-control.md'
  393. # cache_file = 'parental-control.md'
  394. # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  395.  
  396.  
  397.  
  398. ## Optional, local, static list of additional servers
  399. ## Mostly useful for testing your own servers.
  400.  
  401. [static]
  402. # [static.'adguard-dns-doh']
  403. # stamp = 'sdns://AgMAAAAAAAAADzE3Ni4xMDMuMTMwLjEzMCD5_zfwLmMstzhwJcB-V5CKPTcbfJXYzdA5DeIx7ZQ6Eg9kbnMuYWRndWFyZC5jb20KL2Rucy1xdWVyeQ'
  404. #
  405. # [static.'cloudflare-ipv6']
  406. # stamp = 'sdns://AgcAAAAAAAAAFlsyNjA2OjQ3MDA6NDcwMDo6MTExMV0gMWRvdDFkb3QxZG90MS5jbG91ZGZsYXJlLWRucy5jb20KL2Rucy1xdWVyeQ'
  407. # [static.'google']
  408. # stamp = 'sdns://AgUAAAAAAAAAACDyXGrcc5eNecJ8nomJCJ-q6eCLTEn6bHic0hWGUwYQaA5kbnMuZ29vZ2xlLmNvbQ0vZXhwZXJpbWVudGFs'
  409.  
RAW Paste Data