  1.  
  2. ##############################################
  3. # #
  4. # dnscrypt-proxy configuration #
  5. # #
  6. ##############################################
  7.  
  8. ## This is an example configuration file.
  9. ## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"
  10. ##
  11. ## Online documentation is available here: https://dnscrypt.info/doc
  12.  
  13.  
  14.  
  15. ##################################
  16. # Global settings #
  17. ##################################
  18.  
  19. ## List of servers to use
  20. ## If this line is commented, all registered servers matching the require_* filters
  21. ## will be used
  22. ## The proxy will automatically pick the fastest, working servers from the list.
  23. ## Remove the leading # first to enable this; lines starting with # are ignored.
  24.  
  25. # If you are thinking of disabling family filtering, think of your future
  26. # an hour will be lost in search for happiness
  27. # then several hours will be felt feeling icky and smelly with a sore back from poor posture
  28. # write in your journal instead to address the causes for why you are seeking this escape
  29. # don't do it
  30. # ~ the ben of a thousand pasts, to the future you
  31. # server_names = ['adguard-dns-family-ipv6', 'adguard-dns-family'] # cisco-familyshield
  32. # server_names = ['adguard-dns-ipv6', 'adguard-dns']
  33. # server_names = ['cloudflare-ipv6', 'cloudflare'] # 1.1.1.1
  34. server_names = ['cloudflare','cloudflare-ipv6']
  35.  
  36.  
  37. ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
  38. ## To only use systemd activation sockets, use an empty set: []
  39.  
  40. listen_addresses = ['127.0.0.1:53', '[::1]:53']
  41.  
  42.  
  43. ## Maximum number of simultaneous client connections to accept
  44.  
  45. max_clients = 250
  46.  
  47.  
  48. ## Require servers (from static + remote sources) to satisfy specific properties
  49.  
  50. # Use servers reachable over IPv4
  51. ipv4_servers = true
  52.  
  53. # Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
  54. ipv6_servers = true
  55.  
  56. # Use servers implementing the DNSCrypt protocol
  57. dnscrypt_servers = true
  58.  
  59. # Use servers implementing the DNS-over-HTTPS protocol
  60. doh_servers = true
  61.  
  62.  
  63. ## Require servers defined by remote sources to satisfy specific properties
  64.  
  65. # Server must support DNS security extensions (DNSSEC)
  66. require_dnssec = true
  67.  
  68. # Server must not log user queries (declarative)
  69. require_nolog = true
  70.  
  71. # Server must not enforce its own blacklist (for parental control, ads blocking...)
  72. require_nofilter = false
  73.  
  74.  
  75.  
  76. ## Always use TCP to connect to upstream servers
  77.  
  78. force_tcp = false
  79.  
  80.  
  81. ## How long a DNS query will wait for a response, in milliseconds
  82.  
  83. timeout = 2500
  84.  
  85.  
  86. ## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random'
  87.  
  88. # lb_strategy = 'p2'
  89.  
  90.  
  91. ## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)
  92.  
  93. # log_level = 2
  94.  
  95.  
  96. ## log file for the application
  97.  
  98. # log_file = 'dnscrypt-proxy.log'
  99.  
  100.  
  101. ## Use the system logger (syslog on Unix, Event Log on Windows)
  102.  
  103. # use_syslog = true
  104.  
  105.  
  106. ## Delay, in minutes, after which certificates are reloaded
  107.  
  108. cert_refresh_delay = 240
  109.  
  110.  
  111. ## Fallback resolver
  112. ## This is a normal, non-encrypted DNS resolver, that will be only used
  113. ## for one-shot queries when retrieving the initial resolvers list, and
  114. ## only if the system DNS configuration doesn't work.
  115. ## No user application queries will ever be leaked through this resolver,
  116. ## and it will not be used after IP addresses of resolvers URLs have been found.
  117. ## It will never be used if lists have already been cached, and if stamps
  118. ## don't include host names without IP addresses.
  119. ## It will not be used if the configured system DNS works.
  120. ## A resolver supporting DNSSEC is recommended. This may become mandatory.
  121.  
  122. fallback_resolver = '1.1.1.1:53'
  123.  
  124.  
  125. ## Never try to use the system DNS settings; unconditionally use the
  126. ## fallback resolver.
  127.  
  128. ignore_system_dns = false
  129.  
  130.  
  131. ## Automatic log files rotation
  132.  
  133. # Maximum log files size in MB
  134. log_files_max_size = 10
  135.  
  136. # How long to keep backup files, in days
  137. log_files_max_age = 7
  138.  
  139. # Maximum log files backups to keep
  140. log_files_max_backups = 1
  141.  
  142.  
  143.  
  144. #########################
  145. # Filters #
  146. #########################
  147.  
  148. ## Immediately respond to IPv6-related queries with an empty response
  149. ## This makes things faster when there is no IPv6 connectivity, but can
  150. ## also cause reliability issues with some stub resolvers. In
  151. ## particular, enabling this on macOS is not recommended.
  152.  
  153. block_ipv6 = false
  154.  
  155.  
  156.  
  157. ##################################################################################
  158. # Route queries for specific domains to a dedicated set of servers #
  159. ##################################################################################
  160.  
  161. ## Example map entries (one entry per line):
  162. ## example.com 9.9.9.9
  163. ## example.net 9.9.9.9,8.8.8.8
  164.  
  165. # forwarding_rules = 'forwarding-rules.txt'
  166.  
  167.  
  168.  
  169. ###############################
  170. # Cloaking rules #
  171. ###############################
  172.  
  173. ## Cloaking returns a predefined address for a specific name.
  174. ## In addition to acting as a HOSTS file, it can also return the IP address
  175. ## of a different name. It will also do CNAME flattening.
  176. ##
  177. ## Example map entries (one entry per line)
  178. ## example.com 10.1.1.1
  179. ## www.google.com forcesafesearch.google.com
  180.  
  181. # cloaking_rules = 'cloaking-rules.txt'
  182.  
  183.  
  184.  
  185. ###########################
  186. # DNS cache #
  187. ###########################
  188.  
  189. ## Enable a DNS cache to reduce latency and outgoing traffic
  190.  
  191. cache = true
  192.  
  193.  
  194. ## Cache size
  195.  
  196. cache_size = 256
  197.  
  198.  
  199. ## Minimum TTL for cached entries
  200.  
  201. cache_min_ttl = 600
  202.  
  203.  
  204. ## Maximum TTL for cached entries
  205.  
  206. cache_max_ttl = 86400
  207.  
  208.  
  209. ## TTL for negatively cached entries
  210.  
  211. cache_neg_ttl = 60
  212.  
  213.  
  214.  
  215. ###############################
  216. # Query logging #
  217. ###############################
  218.  
  219. ## Log client queries to a file
  220.  
  221. [query_log]
  222.  
  223. ## Path to the query log file (absolute, or relative to the same directory as the executable file)
  224.  
  225. # file = 'query.log'
  226.  
  227.  
  228. ## Query log format (currently supported: tsv and ltsv)
  229.  
  230. format = 'tsv'
  231.  
  232.  
  233. ## Do not log these query types, to reduce verbosity. Keep empty to log everything.
  234.  
  235. # ignored_qtypes = ['DNSKEY', 'NS']
  236.  
  237.  
  238.  
  239. ############################################
  240. # Suspicious queries logging #
  241. ############################################
  242.  
  243. ## Log queries for nonexistent zones
  244. ## These queries can reveal the presence of malware, broken/obsolete applications,
  245. ## and devices signaling their presence to 3rd parties.
  246.  
  247. [nx_log]
  248.  
  249. ## Path to the query log file (absolute, or relative to the same directory as the executable file)
  250.  
  251. # file = 'nx.log'
  252.  
  253.  
  254. ## Query log format (currently supported: tsv and ltsv)
  255.  
  256. format = 'tsv'
  257.  
  258.  
  259.  
  260. ######################################################
  261. # Pattern-based blocking (blacklists) #
  262. ######################################################
  263.  
  264. ## Blacklists are made of one pattern per line. Example of valid patterns:
  265. ##
  266. ## example.com
  267. ## *sex*
  268. ## ads.*
  269. ## ads*.example.*
  270. ## ads*.example[0-9]*.com
  271. ##
  272. ## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
  273. ## A script to build blacklists from public feeds can be found in the
  274. ## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.
  275.  
  276. [blacklist]
  277.  
  278. ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
  279.  
  280. # blacklist_file = 'blacklist.txt'
  281.  
  282.  
  283. ## Optional path to a file logging blocked queries
  284.  
  285. # log_file = 'blocked.log'
  286.  
  287.  
  288. ## Optional log format: tsv or ltsv (default: tsv)
  289.  
  290. # log_format = 'tsv'
  291.  
  292.  
  293.  
  294. ###########################################################
  295. # Pattern-based IP blocking (IP blacklists) #
  296. ###########################################################
  297.  
  298. ## IP blacklists are made of one pattern per line. Example of valid patterns:
  299. ##
  300. ## 127.*
  301. ## fe80:abcd:*
  302. ## 192.168.1.4
  303.  
  304. [ip_blacklist]
  305.  
  306. ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
  307.  
  308. # blacklist_file = 'ip-blacklist.txt'
  309.  
  310.  
  311. ## Optional path to a file logging blocked queries
  312.  
  313. # log_file = 'ip-blocked.log'
  314.  
  315.  
  316. ## Optional log format: tsv or ltsv (default: tsv)
  317.  
  318. # log_format = 'tsv'
  319.  
  320.  
  321.  
  322. ##########################################
  323. # Time access restrictions #
  324. ##########################################
  325.  
  326. ## One or more weekly schedules can be defined here.
  327. ## Patterns in the name-based blocklist can optionally be followed with @schedule_name
  328. ## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
  329. ##
  330. ## For example, the following rule in a blacklist file:
  331. ## *.youtube.* @time-to-sleep
  332. ## would block access to Youtube only during the days, and period of the days
  333. ## define by the 'time-to-sleep' schedule.
  334. ##
  335. ## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
  336. ## {after= '9:00', before='18:00'} matches 9:00-18:00
  337.  
  338. [schedules]
  339.  
  340. # [schedules.'time-to-sleep']
  341. # mon = [{after='21:00', before='7:00'}]
  342. # tue = [{after='21:00', before='7:00'}]
  343. # wed = [{after='21:00', before='7:00'}]
  344. # thu = [{after='21:00', before='7:00'}]
  345. # fri = [{after='23:00', before='7:00'}]
  346. # sat = [{after='23:00', before='7:00'}]
  347. # sun = [{after='21:00', before='7:00'}]
  348.  
  349. # [schedules.'work']
  350. # mon = [{after='9:00', before='18:00'}]
  351. # tue = [{after='9:00', before='18:00'}]
  352. # wed = [{after='9:00', before='18:00'}]
  353. # thu = [{after='9:00', before='18:00'}]
  354. # fri = [{after='9:00', before='17:00'}]
  355.  
  356.  
  357.  
  358. #########################
  359. # Servers #
  360. #########################
  361.  
  362. ## Remote lists of available servers
  363. ## Multiple sources can be used simultaneously, but every source
  364. ## requires a dedicated cache file.
  365. ##
  366. ## Refer to the documentation for URLs of public sources.
  367. ##
  368. ## A prefix can be prepended to server names in order to
  369. ## avoid collisions if different sources share the same for
  370. ## different servers. In that case, names listed in `server_names`
  371. ## must include the prefixes.
  372. ##
  373. ## If the `url` property is missing, cache files and valid signatures
  374. ## must be already present; This doesn't prevent these cache files from
  375. ## expiring after `refresh_delay` hours.
  376.  
  377. [sources]
  378.  
  379. ## An example of a remote source
  380.  
  381. [sources.'public-resolvers']
  382. urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
  383. cache_file = 'public-resolvers.md'
  384. minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  385. refresh_delay = 72
  386. prefix = ''
  387.  
  388. ## Another example source, with resolvers censoring some websites not appropriate for children
  389. ## This is a subset of the `public-resolvers` list, so enabling both is useless
  390.  
  391. # [sources.'parental-control']
  392. # url = 'https://download.dnscrypt.info/resolvres-list/v2/parental-control.md'
  393. # cache_file = 'parental-control.md'
  394. # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  395.  
  396.  
  397.  
  398. ## Optional, local, static list of additional servers
  399. ## Mostly useful for testing your own servers.
  400.  
  401. [static]
  402. # [static.'adguard-dns-doh']
  403. # stamp = 'sdns://AgMAAAAAAAAADzE3Ni4xMDMuMTMwLjEzMCD5_zfwLmMstzhwJcB-V5CKPTcbfJXYzdA5DeIx7ZQ6Eg9kbnMuYWRndWFyZC5jb20KL2Rucy1xdWVyeQ'
  404. #
  405. # [static.'cloudflare-ipv6']
  406. # stamp = 'sdns://AgcAAAAAAAAAFlsyNjA2OjQ3MDA6NDcwMDo6MTExMV0gMWRvdDFkb3QxZG90MS5jbG91ZGZsYXJlLWRucy5jb20KL2Rucy1xdWVyeQ'
  407. # [static.'google']
  408. # stamp = 'sdns://AgUAAAAAAAAAACDyXGrcc5eNecJ8nomJCJ-q6eCLTEn6bHic0hWGUwYQaA5kbnMuZ29vZ2xlLmNvbQ0vZXhwZXJpbWVudGFs'
  409.  