
Untitled

a guest
Feb 7th, 2018
  ##############################################
  #        dnscrypt-proxy configuration        #
  ##############################################

  ## Example configuration: adapt it to your environment and save it as
  ## "dnscrypt-proxy.toml".
  ##
  ## Online documentation: https://dnscrypt.info/doc


  ##################################
  #        Global settings         #
  ##################################

  ## Servers to use.
  ## While this line stays commented out, every registered server that passes
  ## the require_* filters is eligible, and the proxy automatically picks the
  ## fastest working ones from that set.
  ## NOTE(review): naming servers explicitly limits which resolver operators
  ## get to see your queries; the filters alone leave that choice to the proxy.

  # server_names = ['scaleway-fr', 'google', 'yandex']


  ## Local addresses and ports to listen on (IPv4 and/or IPv6).
  ## An empty set means that only systemd activation sockets are used.
  ## NOTE(review): with [] the bind address is not set in this file, so the
  ## systemd socket unit is the place to check that the proxy is not exposed
  ## beyond the interfaces you intend.

  listen_addresses = []


  ## Upper bound on simultaneous client connections

  max_clients = 250

  ## Properties every server (static + remote sources) has to satisfy

  # Accept servers reachable over IPv4
  ipv4_servers = true

  # Accept servers reachable over IPv6 -- leave this off without IPv6 connectivity
  ipv6_servers = true

  # Accept servers that implement the DNSCrypt protocol
  dnscrypt_servers = true

  # Accept servers that implement the DNS-over-HTTPS protocol
  doh_servers = true


  ## Properties that servers defined by remote sources have to satisfy

  # Server must support DNS security extensions (DNSSEC)
  # NOTE(review): this is a server-selection filter; whether answers are also
  # validated locally is not stated here -- confirm before relying on it.
  require_dnssec = true

  # Server must not log user queries (declarative)
  # NOTE(review): "declarative" means this is the operator's own statement;
  # nothing in this file can verify it.
  require_nolog = true

  # Server must not enforce its own blacklist (parental control, ad blocking...)
  # NOTE(review): false keeps filtering resolvers eligible, so an answer may be
  # blocked or altered by a resolver's own list. Set to true to exclude them.
  require_nofilter = false

  ## Always connect to upstream servers over TCP

  force_tcp = false


  ## Time a DNS query waits for a response, in milliseconds

  timeout = 2500


  ## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random'

  # lb_strategy = 'p2'


  ## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)

  # log_level = 2


  ## Application log file
  ## NOTE(review): if enabled, keep the directory writable only by the account
  ## that runs the proxy, and check what the more verbose levels record before
  ## using them on a shared host.

  # log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'


  ## Send log messages to the system logger (syslog on Unix, Event Log on Windows)

  # use_syslog = true


  ## Interval, in minutes, after which certificates are reloaded

  cert_refresh_delay = 240

  ## Fallback resolver
  ## A normal, non-encrypted DNS resolver. It is only used for one-shot queries
  ## while retrieving the initial resolvers list, and only when the system DNS
  ## configuration doesn't work.
  ## No user application queries will ever be leaked through this resolver, and
  ## it is no longer used once the IP addresses of the resolver URLs are known.
  ## It is never used if lists have already been cached and the stamps don't
  ## include host names without IP addresses.
  ## It is not used if the configured system DNS works.
  ## A resolver supporting DNSSEC is recommended. This may become mandatory.
  ## NOTE(review): these bootstrap lookups are plain DNS on port 53, so they
  ## can be observed or spoofed on the network path. The downloaded list is
  ## presumably still checked against the minisign_key set under [sources] --
  ## confirm, and keep that key in place.

  fallback_resolver = '9.9.9.9:53'
  # fallback_resolver = '208.67.222.222:53'

  ## Never try the system DNS settings; unconditionally use the fallback
  ## resolver instead.

  ignore_system_dns = false

  #########################
  #        Filters        #
  #########################

  ## Answer IPv6-related queries immediately with an empty response.
  ## This speeds things up when there is no IPv6 connectivity, but it can cause
  ## reliability issues with some stub resolvers. In particular, enabling it on
  ## macOS is not recommended.

  block_ipv6 = false

  ##################################################################################
  #        Route queries for specific domains to a dedicated set of servers        #
  ##################################################################################

  ## Example map entries (one entry per line):
  ## example.com 9.9.9.9
  ## example.net 9.9.9.9,8.8.8.8
  ## NOTE(review): the example targets are plain IP addresses; presumably the
  ## forwarded queries leave the encrypted upstream path -- confirm, and keep
  ## the list limited to domains where that is acceptable.

  # forwarding_rules = '/etc/dnscrypt-proxy/forwarding-rules.txt'



  ###############################
  #       Cloaking rules        #
  ###############################

  ## Cloaking returns a predefined address for a specific name.
  ## Besides acting as a HOSTS file, it can return the IP address of a
  ## different name. It also does CNAME flattening.
  ##
  ## Example map entries (one entry per line)
  ## example.com 10.1.1.1
  ## www.google.com forcesafesearch.google.com
  ## NOTE(review): whoever can write to this file decides what the listed names
  ## resolve to for every client of the proxy; restrict write access to it.

  # cloaking_rules = '/etc/dnscrypt-proxy/cloaking-rules.txt'

  ###########################
  #        DNS cache        #
  ###########################

  ## Turn on a DNS cache to reduce latency and outgoing traffic

  cache = true


  ## Cache size
  ## (unit not stated here -- presumably a number of entries; confirm)

  cache_size = 256


  ## Minimum TTL for cached entries
  ## NOTE(review): presumably in seconds, and presumably applied even when the
  ## record's own TTL is shorter -- if so, a changed or withdrawn record can
  ## keep being served from the cache for that long. Confirm for your version.

  cache_min_ttl = 600


  ## Maximum TTL for cached entries

  cache_max_ttl = 86400


  ## TTL for negatively cached entries

  cache_neg_ttl = 60

  ###############################
  #        Query logging        #
  ###############################

  ## Log client queries to a file
  ## NOTE(review): this log holds the names clients looked up, so treat it as
  ## sensitive: restrict read access, and decide on rotation and retention
  ## before enabling it.

  [query_log]

  ## Path to the query log file (absolute, or relative to the directory of the executable file)
  ## With `file` commented out, presumably no query log is written -- confirm.

  # file = '/var/log/dnscrypt-proxy/query.log'


  ## Query log format (currently supported: tsv and ltsv)

  format = 'tsv'


  ## Query types to leave out of the log, to reduce verbosity. Keep empty to log everything.

  # ignored_qtypes = ['DNSKEY', 'NS']

  ############################################
  #        Suspicious queries logging        #
  ############################################

  ## Log queries for nonexistent zones
  ## These queries can reveal the presence of malware, broken/obsolete
  ## applications, and devices signaling their presence to 3rd parties.
  ## NOTE(review): that makes this log a useful detection source when it is
  ## actually reviewed or forwarded to monitoring. Like the query log, it holds
  ## client lookups, so restrict read access to it.

  [nx_log]

  ## Path to the query log file (absolute, or relative to the directory of the executable file)

  # file = '/var/log/dnscrypt-proxy/nx.log'


  ## Query log format (currently supported: tsv and ltsv)

  format = 'tsv'

  ######################################################
  #        Pattern-based blocking (blacklists)         #
  ######################################################

  ## A blacklist holds one pattern per line. Examples of valid patterns:
  ##
  ## example.com
  ## *sex*
  ## ads.*
  ## ads*.example.*
  ## ads*.example[0-9]*.com
  ##
  ## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
  ## A script to build blacklists from public feeds can be found in the
  ## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.
  ## NOTE(review): a pattern wrapped in wildcards such as *sex* also matches
  ## unrelated names that contain the string; enable the blocked-queries log
  ## below while tuning so over-blocking is visible.

  [blacklist]

  ## Path to the file of blocking rules (absolute, or relative to the directory of the executable file)

  # blacklist_file = '/etc/dnscrypt-proxy/blacklist.txt'


  ## Optional path to a file that records blocked queries

  # log_file = '/var/log/dnscrypt-proxy/blocked.log'


  ## Optional log format: tsv or ltsv (default: tsv)

  # log_format = 'tsv'

  ###########################################################
  #        Pattern-based IP blocking (IP blacklists)        #
  ###########################################################

  ## An IP blacklist holds one pattern per line. Examples of valid patterns:
  ##
  ## 127.*
  ## fe80:abcd:*
  ## 192.168.1.4
  ## NOTE(review): presumably these patterns are matched against the addresses
  ## returned in responses. If so, listing loopback and private ranges here is
  ## a common mitigation against DNS rebinding -- confirm against the
  ## documentation before relying on it.

  [ip_blacklist]

  ## Path to the file of blocking rules (absolute, or relative to the directory of the executable file)

  # blacklist_file = '/etc/dnscrypt-proxy/ip-blacklist.txt'


  ## Optional path to a file that records blocked queries

  # log_file = '/var/log/dnscrypt-proxy/ip-blocked.log'


  ## Optional log format: tsv or ltsv (default: tsv)

  # log_format = 'tsv'

  ##########################################
  #        Time access restrictions        #
  ##########################################

  ## One or more weekly schedules can be defined here.
  ## A pattern in the name-based blocklist can optionally be followed by
  ## @schedule_name, so that the pattern applies only while the current time
  ## falls inside a time range of the schedule 'schedule_name'.
  ##
  ## For example, the following rule in a blacklist file:
  ## *.youtube.* @time-to-sleep
  ## would block access to Youtube only on the days, and during the periods of
  ## those days, defined by the 'time-to-sleep' schedule.
  ##
  ## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
  ## {after= '9:00', before='18:00'} matches 9:00-18:00

  [schedules]

  # [schedules.'time-to-sleep']
  # mon = [{after='21:00', before='7:00'}]
  # tue = [{after='21:00', before='7:00'}]
  # wed = [{after='21:00', before='7:00'}]
  # thu = [{after='21:00', before='7:00'}]
  # fri = [{after='23:00', before='7:00'}]
  # sat = [{after='23:00', before='7:00'}]
  # sun = [{after='21:00', before='7:00'}]

  # [schedules.'work']
  # mon = [{after='9:00', before='18:00'}]
  # tue = [{after='9:00', before='18:00'}]
  # wed = [{after='9:00', before='18:00'}]
  # thu = [{after='9:00', before='18:00'}]
  # fri = [{after='9:00', before='17:00'}]

  #########################
  #        Servers        #
  #########################

  ## Remote lists of available servers
  ## Several sources can be used at the same time, but each source needs its
  ## own dedicated cache file.
  ##
  ## Refer to the documentation for URLs of public sources.
  ##
  ## A prefix can be prepended to server names in order to avoid collisions
  ## when different sources use the same name for different servers. In that
  ## case, names listed in `server_names` must include the prefixes.
  ##
  ## A cache file can be specified without a URL in order to maintain lists
  ## locally.
  ## NOTE(review): minisign_key is the public key the downloaded list is
  ## verified against, so it is the trust anchor for the whole server list.
  ## Take it from the project's documentation, not from a copied config, and
  ## keep the cache file writable only by the account that runs the proxy.

  [sources]

  ## An example of a remote source
  ## (refresh_delay has no unit stated here -- presumably hours; confirm)

  [sources.'public-resolvers']
  url = 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'
  cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''

  ## Another example source, with resolvers censoring some websites not appropriate for children
  ## This is a subset of the `public-resolvers` list, so enabling both is useless

  # [sources.'parental-control']
  # url = 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md'
  # cache_file = '/var/cache/dnscrypt-proxy/parental-control.md'
  # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'

  ## Optional, local, static list of additional servers
  ## Mostly useful for testing your own servers.
  ## NOTE(review): a stamp entered here does not come from the signed lists
  ## configured under [sources], so its origin is only as trustworthy as the
  ## place it was copied from; check it against the operator's own
  ## documentation before enabling it.

  [static]

  # [static.'google']
  # stamp = 'sdns://AgUAAAAAAAAAACDyXGrcc5eNecJ8nomJCJ-q6eCLTEn6bHic0hWGUwYQaA5kbnMuZ29vZ2xlLmNvbQ0vZXhwZXJpbWVudGFs'