Guest User

dnscrypt-proxy.toml

a guest
Sep 17th, 2020
130
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1.  
  2. ##############################################
  3. #                                            #
  4. #        dnscrypt-proxy configuration        #
  5. #                                            #
  6. ##############################################
  7.  
  8. ## This is an example configuration file.
  9. ## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"
  10. ##
  11. ## Online documentation is available here: https://dnscrypt.info/doc
  12.  
  13.  
  14.  
  15. ##################################
  16. #         Global settings        #
  17. ##################################
  18.  
  19. ## List of servers to use
  20. ##
  21. ## Servers from the "public-resolvers" source (see down below) can
  22. ## be viewed here: https://dnscrypt.info/public-servers
  23. ##
  24. ## If this line is commented, all registered servers matching the require_* filters
  25. ## will be used.
  26. ##
  27. ## The proxy will automatically pick the fastest, working servers from the list.
  28. ## Remove the leading # first to enable this; lines starting with # are ignored.
  29.  
  30. server_names = ['containerpi-ipv6', 'dnscrypt.eu-dk-ipv6', 'dnscrypt.uk-ipv6', 'ffmuc.net-v6', 'ibksturm-ipv6', 'quad9-dnscrypt-ip6-nofilter-pri', 'scaleway-ams-ipv6', 'securedns-ipv6', 'skyfighter-dns-ipv6']
  31. #server_names = ['containerpi-ipv6', 'dnscrypt.eu-dk-ipv6', 'dnscrypt.uk-ipv6', 'ffmuc.net-v6', 'ibksturm-ipv6', 'quad9-dnscrypt-ip6-nofilter-pri', 'quad9-dnscrypt-ip6-nofilter-alt', 'scaleway-ams-ipv6', 'securedns-ipv6', 'skyfighter-dns-ipv6']
  32. #server_names = ['containerpi-ipv6', 'dnscrypt.eu-dk-ipv6', 'dnscrypt.uk-ipv6', 'ffmuc.net-v6', 'ibksturm-ipv6', 'quad9-dnscrypt-ip6-nofilter-pri', 'quad9-dnscrypt-ip6-nofilter-alt', 'scaleway-ams-ipv6', 'securedns-ipv6', 'skyfighter-dns-ipv6']
  33. #server_names = ['containerpi-ipv6', 'dnscrypt.eu-dk-ipv6', 'dnscrypt.uk-ipv6', 'ffmuc.net-v6', 'ibksturm-ipv6', 'quad9-dnscrypt-ip6-nofilter-pri', 'quad9-dnscrypt-ip6-nofilter-alt', 'scaleway-ams-ipv6', 'securedns-ipv6', 'skyfighter-dns-ipv6', 'v.dnscrypt.uk-ipv6']
  34. #server_names = ['containerpi-ipv6', 'dnscrypt.eu-dk-ipv6', 'dnscrypt.one-ipv6', 'dnscrypt.uk-ipv6', 'dnswarden-dc1-ipv6', 'dnswarden-dc2-ipv6', 'dnswarden-dc3-ipv6', 'ffmuc.net-v6', 'ibksturm-ipv6', 'quad9-dnscrypt-ip6-nofilter-pri', 'quad9-dnscrypt-ip6-nofilter-alt', 'scaleway-ams-ipv6', 'securedns-ipv6', 'skyfighter-dns-ipv6', 'v.dnscrypt.uk-ipv6']
  35. #server_names = ['containerpi-ipv6', 'developerli-de-ipv6','developerli-fr-ipv6', 'dnscrypt.eu-dk-ipv6',  'dnscrypt.nl-ns0-ipv6', 'dnscrypt.one-ipv6', 'dnscrypt.uk-ipv6', 'dnswarden-dc1-ipv6', 'dnswarden-dc2-ipv6', 'dnswarden-dc3-ipv6', 'ffmuc-ipv6', 'ibksturm-ipv6', 'quad9-dnscrypt-ip6-nofilter-pri', 'quad9-dnscrypt-ip6-nofilter-alt', 'scaleway-ams-ipv6', 'securedns-ipv6', 'skyfighter-dns-ipv6']
  36.  
  37.  
  38. ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
  39. ## Note: When using systemd socket activation, choose an empty set (i.e. [] ).
  40.  
  41. #listen_addresses = ['127.0.0.1:53', '[::1]:53']
  42. listen_addresses = []
  43.  
  44.  
  45. ## Maximum number of simultaneous client connections to accept
  46.  
  47. max_clients = 32
  48.  
  49.  
  50. ## Switch to a different system user after listening sockets have been created.
  51. ## Note (1): this feature is currently unsupported on Windows.
  52. ## Note (2): this feature is not compatible with systemd socket activation.
  53. ## Note (3): when using -pidfile, the PID file directory must be writable by the new user
  54.  
  55. # user_name = 'nobody'
  56.  
  57.  
  58. ## Require servers (from static + remote sources) to satisfy specific properties
  59.  
  60. # Use servers reachable over IPv4
  61. ipv4_servers = false
  62.  
  63. # Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
  64. ipv6_servers = true
  65.  
  66. # Use servers implementing the DNSCrypt protocol
  67. dnscrypt_servers = true
  68.  
  69. # Use servers implementing the DNS-over-HTTPS protocol
  70. doh_servers = false
  71.  
  72.  
  73. ## Require servers defined by remote sources to satisfy specific properties
  74.  
  75. # Server must support DNS security extensions (DNSSEC)
  76. require_dnssec = true
  77.  
  78. # Server must not log user queries (declarative)
  79. require_nolog = true
  80.  
  81. # Server must not enforce its own blacklist (for parental control, ads blocking...)
  82. require_nofilter = true
  83.  
  84. # Server names to avoid even if they match all criteria
  85. disabled_server_names = []
  86.  
  87.  
  88. ## Always use TCP to connect to upstream servers.
  89. ## This can be useful if you need to route everything through Tor.
  90. ## Otherwise, leave this to `false`, as it doesn't improve security
  91. ## (dnscrypt-proxy will always encrypt everything even using UDP), and can
  92. ## only increase latency.
  93.  
  94. force_tcp = false
  95.  
  96.  
  97. ## SOCKS proxy
  98. ## Uncomment the following line to route all TCP connections to a local Tor node
  99. ## Tor doesn't support UDP, so set `force_tcp` to `true` as well.
  100.  
  101. # proxy = "socks5://127.0.0.1:9050"
  102.  
  103.  
  104. ## HTTP/HTTPS proxy
  105. ## Only for DoH servers
  106.  
  107. # http_proxy = "http://127.0.0.1:8888"
  108.  
  109.  
  110. ## How long a DNS query will wait for a response, in milliseconds
  111.  
  112. timeout = 2500
  113.  
  114.  
  115. ## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds
  116.  
  117. keepalive = 30
  118.  
  119.  
  120. ## Use the REFUSED return code for blocked responses
  121. ## Setting this to `false` means that some responses will be lies.
  122. ## Unfortunately, `false` appears to be required for Android 8+
  123.  
  124. refused_code_in_responses = false
  125.  
  126.  
  127. ## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random'
  128.  
  129. # lb_strategy = 'p2'
  130.  
  131.  
  132. ## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)
  133.  
  134. # log_level = 2
  135.  
  136.  
  137. ## log file for the application
  138.  
  139. # log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'
  140.  
  141.  
  142. ## Use the system logger (syslog on Unix, Event Log on Windows)
  143.  
  144. use_syslog = true
  145.  
  146.  
  147. ## Delay, in minutes, after which certificates are reloaded
  148.  
  149. cert_refresh_delay = 240
  150.  
  151.  
  152. ## DNSCrypt: Create a new, unique key for every single DNS query
  153. ## This may improve privacy but can also have a significant impact on CPU usage
  154. ## Only enable if you don't have a lot of network load
  155.  
  156. # dnscrypt_ephemeral_keys = false
  157.  
  158.  
  159. ## DoH: Disable TLS session tickets - increases privacy but also latency
  160.  
  161. # tls_disable_session_tickets = false
  162.  
  163.  
  164. ## DoH: Use a specific cipher suite instead of the server preference
  165. ## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  166. ## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  167. ## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
  168. ## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
  169. ##
  170. ## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
  171. ## the following suite improves performance.
  172. ## This may also help on Intel CPUs running 32-bit operating systems.
  173. ##
  174. ## Keep tls_cipher_suite empty if you have issues fetching sources or
  175. ## connecting to some DoH servers. Google and Cloudflare are fine with it.
  176.  
  177. # tls_cipher_suite = [52392, 49199]
  178.  
  179.  
  180. ## Fallback resolver
  181. ## This is a normal, non-encrypted DNS resolver, that will be only used
  182. ## for one-shot queries when retrieving the initial resolvers list, and
  183. ## only if the system DNS configuration doesn't work.
  184. ## No user application queries will ever be leaked through this resolver,
  185. ## and it will not be used after IP addresses of resolvers URLs have been found.
  186. ## It will never be used if lists have already been cached, and if stamps
  187. ## don't include host names without IP addresses.
  188. ## It will not be used if the configured system DNS works.
  189. ## A resolver supporting DNSSEC is recommended. This may become mandatory.
  190. ##
  191. ## People in China may need to use 114.114.114.114:53 here.
  192. ## Other popular options include 8.8.8.8 and 1.1.1.1.
  193.  
  194. fallback_resolver = '9.9.9.9:53'
  195.  
  196.  
  197. ## Never let dnscrypt-proxy try to use the system DNS settings;
  198. ## unconditionally use the fallback resolver.
  199.  
  200. ignore_system_dns = true
  201.  
  202.  
  203. ## Maximum time (in seconds) to wait for network connectivity before
  204. ## initializing the proxy.
  205. ## Useful if the proxy is automatically started at boot, and network
  206. ## connectivity is not guaranteed to be immediately available.
  207. ## Use 0 to disable.
  208.  
  209. netprobe_timeout = 30
  210.  
  211.  
  212. ## Offline mode - Do not use any remote encrypted servers.
  213. ## The proxy will remain fully functional to respond to queries that
  214. ## plugins can handle directly (forwarding, cloaking, ...)
  215.  
  216. # offline_mode = false
  217.  
  218.  
  219. ## Automatic log files rotation
  220.  
  221. # Maximum log files size in MB
  222. log_files_max_size = 4
  223.  
  224. # How long to keep backup files, in days
  225. log_files_max_age = 7
  226.  
  227. # Maximum log files backups to keep (or 0 to keep all backups)
  228. log_files_max_backups = 1
  229.  
  230.  
  231.  
  232. #########################
  233. #        Filters        #
  234. #########################
  235.  
  236. ## Immediately respond to IPv6-related queries with an empty response
  237. ## This makes things faster when there is no IPv6 connectivity, but can
  238. ## also cause reliability issues with some stub resolvers.
  239. ## Do not enable if you added a validating resolver such as dnsmasq in front
  240. ## of the proxy.
  241.  
  242. block_ipv6 = false
  243.  
  244.  
  245.  
  246. ##################################################################################
  247. #        Route queries for specific domains to a dedicated set of servers        #
  248. ##################################################################################
  249.  
  250. ## Example map entries (one entry per line):
  251. ## example.com 9.9.9.9
  252. ## example.net 9.9.9.9,8.8.8.8,1.1.1.1
  253.  
  254. # forwarding_rules = '/etc/dnscrypt-proxy/forwarding-rules.txt'
  255.  
  256.  
  257.  
  258. ###############################
  259. #        Cloaking rules       #
  260. ###############################
  261.  
  262. ## Cloaking returns a predefined address for a specific name.
  263. ## In addition to acting as a HOSTS file, it can also return the IP address
  264. ## of a different name. It will also do CNAME flattening.
  265. ##
  266. ## Example map entries (one entry per line)
  267. ## example.com     10.1.1.1
  268. ## www.google.com  forcesafesearch.google.com
  269.  
  270. # cloaking_rules = '/etc/dnscrypt-proxy/cloaking-rules.txt'
  271.  
  272.  
  273.  
  274. ###########################
  275. #        DNS cache        #
  276. ###########################
  277.  
  278. ## Enable a DNS cache to reduce latency and outgoing traffic
  279.  
  280. cache = true
  281.  
  282.  
  283. ## Cache size
  284.  
  285. cache_size = 512
  286.  
  287.  
  288. ## Minimum TTL for cached entries
  289.  
  290. cache_min_ttl = 600
  291.  
  292.  
  293. ## Maximum TTL for cached entries
  294.  
  295. cache_max_ttl = 86400
  296.  
  297.  
  298. ## Minimum TTL for negatively cached entries
  299.  
  300. cache_neg_min_ttl = 60
  301.  
  302.  
  303. ## Maximum TTL for negatively cached entries
  304.  
  305. cache_neg_max_ttl = 600
  306.  
  307.  
  308.  
  309. ###############################
  310. #        Query logging        #
  311. ###############################
  312.  
  313. ## Log client queries to a file
  314.  
  315. [query_log]
  316.  
  317.   ## Path to the query log file (absolute, or relative to the same directory as the executable file)
  318.  
  319.   # file = '/var/log/dnscrypt-proxy/query.log'
  320.  
  321.  
  322.   ## Query log format (currently supported: tsv and ltsv)
  323.  
  324.   format = 'tsv'
  325.  
  326.  
  327.   ## Do not log these query types, to reduce verbosity. Keep empty to log everything.
  328.  
  329.   # ignored_qtypes = ['DNSKEY', 'NS']
  330.  
  331.  
  332.  
  333. ############################################
  334. #        Suspicious queries logging        #
  335. ############################################
  336.  
  337. ## Log queries for nonexistent zones
  338. ## These queries can reveal the presence of malware, broken/obsolete applications,
  339. ## and devices signaling their presence to 3rd parties.
  340.  
  341. [nx_log]
  342.  
  343.   ## Path to the query log file (absolute, or relative to the same directory as the executable file)
  344.  
  345.   # file = '/var/log/dnscrypt-proxy/nx.log'
  346.  
  347.  
  348.   ## Query log format (currently supported: tsv and ltsv)
  349.  
  350.   format = 'tsv'
  351.  
  352.  
  353.  
  354. ######################################################
  355. #        Pattern-based blocking (blacklists)        #
  356. ######################################################
  357.  
  358. ## Blacklists are made of one pattern per line. Example of valid patterns:
  359. ##
  360. ##   example.com
  361. ##   =example.com
  362. ##   *sex*
  363. ##   ads.*
  364. ##   ads*.example.*
  365. ##   ads*.example[0-9]*.com
  366. ##
  367. ## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
  368. ## A script to build blacklists from public feeds can be found in the
  369. ## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.
  370.  
  371. [blacklist]
  372.  
  373.   ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
  374.  
  375.   blacklist_file = '/etc/dnscrypt-proxy/blacklist.txt'
  376.  
  377.  
  378.   ## Optional path to a file logging blocked queries
  379.  
  380.   # log_file = '/var/log/dnscrypt-proxy/blocked.log'
  381.  
  382.  
  383.   ## Optional log format: tsv or ltsv (default: tsv)
  384.  
  385.   # log_format = 'tsv'
  386.  
  387.  
  388.  
  389. ###########################################################
  390. #        Pattern-based IP blocking (IP blacklists)        #
  391. ###########################################################
  392.  
  393. ## IP blacklists are made of one pattern per line. Example of valid patterns:
  394. ##
  395. ##   127.*
  396. ##   fe80:abcd:*
  397. ##   192.168.1.4
  398.  
  399. [ip_blacklist]
  400.  
  401.   ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
  402.  
  403.   # blacklist_file = '/etc/dnscrypt-proxy/ip-blacklist.txt'
  404.  
  405.  
  406.   ## Optional path to a file logging blocked queries
  407.  
  408.   # log_file = '/var/log/dnscrypt-proxy/ip-blocked.log'
  409.  
  410.  
  411.   ## Optional log format: tsv or ltsv (default: tsv)
  412.  
  413.   # log_format = 'tsv'
  414.  
  415.  
  416.  
  417. ######################################################
  418. #   Pattern-based whitelisting (blacklists bypass)   #
  419. ######################################################
  420.  
  421. ## Whitelists support the same patterns as blacklists
  422. ## If a name matches a whitelist entry, the corresponding session
  423. ## will bypass names and IP filters.
  424. ##
  425. ## Time-based rules are also supported to make some websites only accessible at specific times of the day.
  426.  
  427. [whitelist]
  428.  
  429.   ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the executable file)
  430.  
  431.   # whitelist_file = '/etc/dnscrypt-proxy/whitelist.txt'
  432.  
  433.  
  434.   ## Optional path to a file logging whitelisted queries
  435.  
  436.   # log_file = '/var/log/dnscrypt-proxy/whitelisted.log'
  437.  
  438.  
  439.   ## Optional log format: tsv or ltsv (default: tsv)
  440.  
  441.   # log_format = 'tsv'
  442.  
  443.  
  444.  
  445. ##########################################
  446. #        Time access restrictions        #
  447. ##########################################
  448.  
  449. ## One or more weekly schedules can be defined here.
  450. ## Patterns in the name-based blocklist can optionally be followed with @schedule_name
  451. ## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
  452. ##
  453. ## For example, the following rule in a blacklist file:
  454. ## *.youtube.* @time-to-sleep
  455. ## would block access to YouTube only during the days, and period of the days
  456. ## define by the 'time-to-sleep' schedule.
  457. ##
  458. ## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
  459. ## {after= '9:00', before='18:00'} matches 9:00-18:00
  460.  
  461. [schedules]
  462.  
  463.   # [schedules.'time-to-sleep']
  464.   # mon = [{after='21:00', before='7:00'}]
  465.   # tue = [{after='21:00', before='7:00'}]
  466.   # wed = [{after='21:00', before='7:00'}]
  467.   # thu = [{after='21:00', before='7:00'}]
  468.   # fri = [{after='23:00', before='7:00'}]
  469.   # sat = [{after='23:00', before='7:00'}]
  470.   # sun = [{after='21:00', before='7:00'}]
  471.  
  472.   # [schedules.'work']
  473.   # mon = [{after='9:00', before='18:00'}]
  474.   # tue = [{after='9:00', before='18:00'}]
  475.   # wed = [{after='9:00', before='18:00'}]
  476.   # thu = [{after='9:00', before='18:00'}]
  477.   # fri = [{after='9:00', before='17:00'}]
  478.  
  479.  
  480.  
  481. #########################
  482. #        Servers        #
  483. #########################
  484.  
  485. ## Remote lists of available servers
  486. ## Multiple sources can be used simultaneously, but every source
  487. ## requires a dedicated cache file.
  488. ##
  489. ## Refer to the documentation for URLs of public sources.
  490. ##
  491. ## A prefix can be prepended to server names in order to
  492. ## avoid collisions if different sources share the same for
  493. ## different servers. In that case, names listed in `server_names`
  494. ## must include the prefixes.
  495. ##
  496. ## If the `urls` property is missing, cache files and valid signatures
  497. ## must be already present; This doesn't prevent these cache files from
  498. ## expiring after `refresh_delay` hours.
  499.  
  500. [sources]
  501.  
  502.   ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
  503.  
  504.   [sources.'public-resolvers']
  505. #  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
  506. #  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/dnscrypt-resolvers/v2/public-resolvers.md']
  507. #  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
  508.  
  509.   cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
  510.   minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  511.   refresh_delay = 72
  512.   prefix = ''
  513.  
  514.   ## Quad9 over DNSCrypt - https://quad9.net/
  515.  
  516.   # [sources.quad9-resolvers]
  517.   # urls = ["https://www.quad9.net/quad9-resolvers.md"]
  518.   # minisign_key = "RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN"
  519.   # cache_file = "quad9-resolvers.md"
  520.   # refresh_delay = 72
  521.   # prefix = "quad9-"
  522.  
  523.   ## Another example source, with resolvers censoring some websites not appropriate for children
  524.   ## This is a subset of the `public-resolvers` list, so enabling both is useless
  525.  
  526.   #  [sources.'parental-control']
  527.   #  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md']
  528.   #  cache_file = '/var/cache/dnscrypt-proxy/parental-control.md'
  529.   #  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  530.  
  531.  
  532.  
  533. ## Optional, local, static list of additional servers
  534. ## Mostly useful for testing your own servers.
  535.  
  536. [static]
  537.  
  538.   # [static.'google']
  539.   # stamp = 'sdns://AgUAAAAAAAAAAAAOZG5zLmdvb2dsZS5jb20NL2V4cGVyaW1lbnRhbA'
  540.  
RAW Paste Data Copied