Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ##############################################
- # #
- # dnscrypt-proxy configuration #
- # #
- ##############################################
- ## This is an example configuration file.
- ## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"
- ##
- ## Online documentation is available here: https://dnscrypt.info/doc
- ##################################
- # Global settings #
- ##################################
- ## List of servers to use
- ##
- ## Servers from the "public-resolvers" source (see down below) can
- ## be viewed here: https://dnscrypt.info/public-servers
- ##
- ## If this line is commented, all registered servers matching the require_* filters
- ## will be used.
- ##
- ## The proxy will automatically pick the fastest, working servers from the list.
- ## Remove the leading # first to enable this; lines starting with # are ignored.
- server_names = ['soltysiak', 'securedns', 'dnscrypt.eu-dk', 'dnscrypt.eu-nl', 'dnscrypt.nl-ns0', 'dnscrypt.ca-1', 'dnscrypt.ca-2', 'cloudflare']
- ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
- ## Note: When using systemd socket activation, choose an empty set (i.e. [] ).
- listen_addresses = ['127.0.0.1:5353']
- ## Maximum number of simultaneous client connections to accept
- max_clients = 250
- ## Require servers (from static + remote sources) to satisfy specific properties
- # Use servers reachable over IPv4
- ipv4_servers = true
- # Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
- ipv6_servers = false
- # Use servers implementing the DNSCrypt protocol
- dnscrypt_servers = true
- # Use servers implementing the DNS-over-HTTPS protocol
- doh_servers = true
- ## Require servers defined by remote sources to satisfy specific properties
- # Server must support DNS security extensions (DNSSEC)
- require_dnssec = true
- # Server must not log user queries (declarative)
- require_nolog = true
- # Server must not enforce its own blacklist (for parental control, ads blocking...)
- require_nofilter = true
- ## Always use TCP to connect to upstream servers.
- ## This can be can be useful if you need to route everything through Tor.
- ## Otherwise, leave this to `false`, as it doesn't improve security
- ## (dnscrypt-proxy will always encrypt everything even using UDP), and can
- ## only increase latency.
- force_tcp = false
- ## HTTP / SOCKS proxy
- ## Uncomment the following line to route all TCP connections to a local Tor node
- ## Tor doesn't support UDP, so set `force_tcp` to `true` as well.
- # proxy = "socks5://127.0.0.1:9050"
- ## How long a DNS query will wait for a response, in milliseconds
- timeout = 2500
- ## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds
- keepalive = 30
- ## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random'
- lb_strategy = 'p2'
- ## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)
- log_level = 2
- ## log file for the application
- log_file = 'dnscrypt-proxy-v2.log'
- ## Use the system logger (syslog on Unix, Event Log on Windows)
- use_syslog = true
- ## Delay, in minutes, after which certificates are reloaded
- cert_refresh_delay = 240
- ## DNSCrypt: Create a new, unique key for every single DNS query
- ## This may improve privacy but can also have a significant impact on CPU usage
- ## Only enable if you don't have a lot of network load
- dnscrypt_ephemeral_keys = false
- ## DoH: Disable TLS session tickets - increases privacy but also latency
- tls_disable_session_tickets = false
- ## DoH: Use a specific cipher suite instead of the server preference
- ## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- ## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- ## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- ## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- ##
- ## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
- ## the following suite improves performance.
- ## This may also help on Intel CPUs running 32-bit operating systems.
- ##
- ## Keep tls_cipher_suite empty if you have issues fetching sources or
- ## connecting to some DoH servers. Google and Cloudflare are fine with it.
- tls_cipher_suite = [52392, 49199]
- ## Fallback resolver
- ## This is a normal, non-encrypted DNS resolver, that will be only used
- ## for one-shot queries when retrieving the initial resolvers list, and
- ## only if the system DNS configuration doesn't work.
- ## No user application queries will ever be leaked through this resolver,
- ## and it will not be used after IP addresses of resolvers URLs have been found.
- ## It will never be used if lists have already been cached, and if stamps
- ## don't include host names without IP addresses.
- ## It will not be used if the configured system DNS works.
- ## A resolver supporting DNSSEC is recommended. This may become mandatory.
- ##
- ## People in China may need to use 114.114.114.114:53 here.
- ## Other popular options include 8.8.8.8 and 1.1.1.1.
- fallback_resolver = '9.9.9.9:53'
- ## Never let dnscrypt-proxy try to use the system DNS settings;
- ## unconditionally use the fallback resolver.
- ignore_system_dns = false
- ## Maximum time (in seconds) to wait for network connectivity before
- ## initializing the proxy.
- ## Useful if the proxy is automatically started at boot, and network
- ## connectivity is not guaranteed to be immediately available.
- ## Use 0 to disable.
- netprobe_timeout = 30
- ## Automatic log files rotation
- # Maximum log files size in MB
- log_files_max_size = 10
- # How long to keep backup files, in days
- log_files_max_age = 7
- # Maximum log files backups to keep (or 0 to keep all backups)
- log_files_max_backups = 1
- #########################
- # Filters #
- #########################
- ## Immediately respond to IPv6-related queries with an empty response
- ## This makes things faster when there is no IPv6 connectivity, but can
- ## also cause reliability issues with some stub resolvers.
- ## Do not enable if you added a validating resolver such as dnsmasq in front
- ## of the proxy.
- block_ipv6 = false
- ##################################################################################
- # Route queries for specific domains to a dedicated set of servers #
- ##################################################################################
- ## Example map entries (one entry per line):
- ## example.com 9.9.9.9
- ## example.net 9.9.9.9,8.8.8.8,1.1.1.1
- # forwarding_rules = 'forwarding-rules.txt'
- ###############################
- # Cloaking rules #
- ###############################
- ## Cloaking returns a predefined address for a specific name.
- ## In addition to acting as a HOSTS file, it can also return the IP address
- ## of a different name. It will also do CNAME flattening.
- ##
- ## Example map entries (one entry per line)
- ## example.com 10.1.1.1
- ## www.google.com forcesafesearch.google.com
- # cloaking_rules = 'cloaking-rules.txt'
- ###########################
- # DNS cache #
- ###########################
- ## Enable a DNS cache to reduce latency and outgoing traffic
- cache = true
- ## Cache size
- cache_size = 4096
- ## Minimum TTL for cached entries
- cache_min_ttl = 600
- ## Maximum TTL for cached entries
- cache_max_ttl = 86400
- ## Minimum TTL for negatively cached entries
- cache_neg_min_ttl = 60
- ## Maximum TTL for negatively cached entries
- cache_neg_max_ttl = 600
- ###############################
- # Query logging #
- ###############################
- ## Log client queries to a file
- [query_log]
- ## Path to the query log file (absolute, or relative to the same directory as the executable file)
- # file = 'query.log'
- ## Query log format (currently supported: tsv and ltsv)
- format = 'tsv'
- ## Do not log these query types, to reduce verbosity. Keep empty to log everything.
- # ignored_qtypes = ['DNSKEY', 'NS']
- ############################################
- # Suspicious queries logging #
- ############################################
- ## Log queries for nonexistent zones
- ## These queries can reveal the presence of malware, broken/obsolete applications,
- ## and devices signaling their presence to 3rd parties.
- [nx_log]
- ## Path to the query log file (absolute, or relative to the same directory as the executable file)
- # file = 'nx.log'
- ## Query log format (currently supported: tsv and ltsv)
- format = 'tsv'
- ######################################################
- # Pattern-based blocking (blacklists) #
- ######################################################
- ## Blacklists are made of one pattern per line. Example of valid patterns:
- ##
- ## example.com
- ## =example.com
- ## *sex*
- ## ads.*
- ## ads*.example.*
- ## ads*.example[0-9]*.com
- ##
- ## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
- ## A script to build blacklists from public feeds can be found in the
- ## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.
- [blacklist]
- ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
- # blacklist_file = 'blacklist.txt'
- ## Optional path to a file logging blocked queries
- # log_file = 'blocked.log'
- ## Optional log format: tsv or ltsv (default: tsv)
- # log_format = 'tsv'
- ###########################################################
- # Pattern-based IP blocking (IP blacklists) #
- ###########################################################
- ## IP blacklists are made of one pattern per line. Example of valid patterns:
- ##
- ## 127.*
- ## fe80:abcd:*
- ## 192.168.1.4
- [ip_blacklist]
- ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
- # blacklist_file = 'ip-blacklist.txt'
- ## Optional path to a file logging blocked queries
- # log_file = 'ip-blocked.log'
- ## Optional log format: tsv or ltsv (default: tsv)
- # log_format = 'tsv'
- ######################################################
- # Pattern-based whitelisting (blacklists bypass) #
- ######################################################
- ## Whitelists support the same patterns as blacklists
- ## If a name matches a whitelist entry, the corresponding session
- ## will bypass names and IP filters.
- ##
- ## Time-based rules are also supported to make some websites only accessible at specific times of the day.
- [whitelist]
- ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the executable file)
- # whitelist_file = 'whitelist.txt'
- ## Optional path to a file logging whitelisted queries
- # log_file = 'whitelisted.log'
- ## Optional log format: tsv or ltsv (default: tsv)
- # log_format = 'tsv'
- ##########################################
- # Time access restrictions #
- ##########################################
- ## One or more weekly schedules can be defined here.
- ## Patterns in the name-based blocklist can optionally be followed with @schedule_name
- ## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
- ##
- ## For example, the following rule in a blacklist file:
- ## *.youtube.* @time-to-sleep
- ## would block access to YouTube only during the days, and period of the days
- ## define by the 'time-to-sleep' schedule.
- ##
- ## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
- ## {after= '9:00', before='18:00'} matches 9:00-18:00
- [schedules]
- # [schedules.'time-to-sleep']
- # mon = [{after='21:00', before='7:00'}]
- # tue = [{after='21:00', before='7:00'}]
- # wed = [{after='21:00', before='7:00'}]
- # thu = [{after='21:00', before='7:00'}]
- # fri = [{after='23:00', before='7:00'}]
- # sat = [{after='23:00', before='7:00'}]
- # sun = [{after='21:00', before='7:00'}]
- # [schedules.'work']
- # mon = [{after='9:00', before='18:00'}]
- # tue = [{after='9:00', before='18:00'}]
- # wed = [{after='9:00', before='18:00'}]
- # thu = [{after='9:00', before='18:00'}]
- # fri = [{after='9:00', before='17:00'}]
- #########################
- # Servers #
- #########################
- ## Remote lists of available servers
- ## Multiple sources can be used simultaneously, but every source
- ## requires a dedicated cache file.
- ##
- ## Refer to the documentation for URLs of public sources.
- ##
- ## A prefix can be prepended to server names in order to
- ## avoid collisions if different sources share the same for
- ## different servers. In that case, names listed in `server_names`
- ## must include the prefixes.
- ##
- ## If the `urls` property is missing, cache files and valid signatures
- ## must be already present; This doesn't prevent these cache files from
- ## expiring after `refresh_delay` hours.
- [sources]
- ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
- [sources.'public-resolvers']
- urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
- cache_file = 'public-resolvers.md'
- minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
- refresh_delay = 72
- prefix = ''
- ## Another example source, with resolvers censoring some websites not appropriate for children
- ## This is a subset of the `public-resolvers` list, so enabling both is useless
- # [sources.'parental-control']
- # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md']
- # cache_file = 'parental-control.md'
- # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
- ## Optional, local, static list of additional servers
- ## Mostly useful for testing your own servers.
- [static]
- # [static.'google']
- # stamp = 'sdns://AgUAAAAAAAAAAAAOZG5zLmdvb2dsZS5jb20NL2V4cGVyaW1lbnRhbA'
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement