Marco_vW

dnscrypt-proxy.toml

Feb 15th, 2018
  1. ##############################################
  2. # #
  3. # dnscrypt-proxy configuration #
  4. # #
  5. ##############################################
  6.  
  7. ## This is an example configuration file.
  8. ## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"
  9. ##
  10. ## Online documentation is available here: https://dnscrypt.info/doc
  11.  
  12.  
  13.  
  14. ##################################
  15. # Global settings #
  16. ##################################
  17.  
  18. log_file = 'dnscrypt-proxy.log'
  19.  
  20. daemonize = true
  21.  
  22. cert_ignore_timestamp = true
  23.  
  24. ## List of servers to use
  25. ## If this line is commented, all registered servers matching the require_* filters
  26. ## will be used
  27. ## The proxy will automatically pick the fastest, working servers from the list.
  28.  
  29. server_names = ['cisco']
  30.  
  31.  
  32. ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
  33. ## To only use systemd activation sockets, use an empty set: []
  34.  
  35. listen_addresses = ['127.0.0.1:65053']
  36.  
  37.  
## Maximum number of simultaneous client connections to accept.
## Plenty for a single workstation; raise it if this proxy serves a LAN.

max_clients = 250


## Require servers (from static + remote sources) to satisfy specific properties.
## NOTE(review): these filters appear to be applied when the server lists are
## loaded, so a name pinned in `server_names` that fails one of them would not
## be usable — confirm against the dnscrypt-proxy version in use.

# Use servers reachable over IPv4
ipv4_servers = true

# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
ipv6_servers = false

# Use servers implementing the DNSCrypt protocol
dnscrypt_servers = true

# Use servers implementing the DNS-over-HTTPS protocol
doh_servers = true


## Require servers defined by remote sources to satisfy specific properties.
## With all three left false nothing in the remote list is excluded; only
## `server_names` narrows the choice here.

# Server must support DNS security extensions (DNSSEC)
require_dnssec = false

# Server must not log user queries (declarative)
# "Declarative" means self-reported by the operator and not verifiable from
# the client side; it is a policy statement, not a guarantee.
require_nolog = false

# Server must not enforce its own blacklist (for parental control, ads blocking...)
require_nofilter = false
  69.  
  70.  
## Always use TCP to connect to upstream servers.
## Leave this false unless outbound UDP is blocked on this network.

force_tcp = false


## How long a DNS query will wait for a response, in milliseconds

timeout = 2500


## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random'
## Has no effect while `server_names` holds a single entry.

# lb_strategy = 'p2'


## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)
## 1 is one step more verbose than the default. This is the application log,
## not a record of client lookups (those are the [query_log] / [nx_log] tables).

log_level = 1


## log file for the application
## Left commented here; the active `log_file` setting is near the top of this file.

# log_file = 'dnscrypt-proxy.log'


## Use the system logger (syslog on Unix, Event Log on Windows)
## NOTE(review): `log_file` is also set at the top of this file. dnscrypt-proxy
## appears to write the application log to a single sink, so one of the two
## settings is likely ignored — check which one receives output and drop the other.

use_syslog = true


## Delay, in minutes, after which certificates are reloaded
## 240 minutes = 4 hours between re-fetching upstream server certificates.

cert_refresh_delay = 240
  104.  
  105.  
## Fallback resolver
## This is a normal, non-encrypted DNS resolver, that will be only used
## for one-shot queries when retrieving the initial resolvers list, and
## only if the system DNS configuration doesn't work.
## No user application queries will ever be leaked through this resolver,
## and it will not be used after IP addresses of resolvers URLs have been found.
## It will never be used if lists have already been cached, and if stamps
## don't include host names without IP addresses.
## It will not be used if the configured system DNS works.
## A resolver supporting DNSSEC is recommended. This may become mandatory.
##
## 208.67.220.220 is an OpenDNS public resolver, and the 'cisco' server pinned
## above appears to be the same operator, so bootstrap and everyday resolution
## share one operator. Queries to it are plaintext; the resolver list it helps
## fetch is still authenticated by the minisign signature configured under
## [sources], so a spoofed answer here can break the download but cannot
## substitute servers.

fallback_resolver = '208.67.220.220:53'


## Never try to use the system DNS settings; unconditionally use the
## fallback resolver.
## With this true, bootstrapping depends entirely on the single address above
## being reachable; if a network blocks it, the initial list fetch fails.

ignore_system_dns = true
  124.  
  125.  
  126.  
#########################
#        Filters        #
#########################

## Immediately respond to IPv6-related queries with an empty response
## This makes things faster when there is no IPv6 connectivity, but can
## also cause reliability issues with some stub resolvers. In
## particular, enabling this on macOS is not recommended.
## Left at the default; AAAA queries are still forwarded upstream.

block_ipv6 = false
  137.  
  138.  
  139.  
##################################################################################
#        Route queries for specific domains to a dedicated set of servers        #
##################################################################################

## Example map entries (one entry per line):
## example.com 9.9.9.9
## example.net 9.9.9.9,8.8.8.8
##
## NOTE(review): the targets are bare IP addresses, so forwarded zones appear
## to be resolved over plain DNS, outside the encrypted path configured above —
## confirm, and keep this to internal zones that need it.

# forwarding_rules = 'forwarding-rules.txt'



###############################
#        Cloaking rules       #
###############################

## Cloaking returns a predefined address for a specific name.
## In addition to acting as a HOSTS file, it can also return the IP address
## of a different name. It will also do CNAME flattening.
##
## Example map entries (one entry per line)
## example.com 10.1.1.1
## www.google.com forcesafesearch.google.com
##
## Anyone who can edit the rules file can redirect arbitrary names for every
## client of this proxy; protect it with the same file permissions as a hosts file.

# cloaking_rules = 'cloaking-rules.txt'
  165.  
  166.  
  167.  
###########################
#        DNS cache        #
###########################

## Enable a DNS cache to reduce latency and outgoing traffic.
## Disabled here: every repeated lookup goes upstream again, and the four
## TTL/size settings below are inert until this is set to true.

cache = false


## Cache size (number of entries)

cache_size = 256


## Minimum TTL for cached entries (seconds)

cache_min_ttl = 600


## Maximum TTL for cached entries (seconds)

cache_max_ttl = 86400


## TTL for negatively cached entries (seconds)

cache_neg_ttl = 60
  195.  
  196.  
  197.  
###############################
#        Query logging        #
###############################

## Log client queries to a file.
## Logging is off until `file` is set; `format` on its own does nothing.
## If you enable it, the file records every name looked up by every client in
## plaintext — give it restrictive permissions and a rotation policy.

[query_log]

## Path to the query log file (absolute, or relative to the same directory as the executable file)

# file = 'query.log'


## Query log format (currently supported: tsv and ltsv)

format = 'tsv'


## Do not log these query types, to reduce verbosity. Keep empty to log everything.

# ignored_qtypes = ['DNSKEY', 'NS']
  220.  
  221.  
############################################
#        Suspicious queries logging        #
############################################

## Log queries for nonexistent zones
## These queries can reveal the presence of malware, broken/obsolete applications,
## and devices signaling their presence to 3rd parties.
## Off until `file` is set. Cheaper than the full query log and a reasonable
## first detection signal; it still contains client lookups, so protect the file.

[nx_log]

## Path to the query log file (absolute, or relative to the same directory as the executable file)

# file = 'nx.log'


## Query log format (currently supported: tsv and ltsv)

format = 'tsv'
  241.  
  242.  
######################################################
#        Pattern-based blocking (blacklists)         #
######################################################

## Blacklists are made of one pattern per line. Example of valid patterns:
##
## example.com
## *sex*
## ads.*
## ads*.example.*
## ads*.example[0-9]*.com
##
## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
## A script to build blacklists from public feeds can be found in the
## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.
##
## Nothing is blocked until `blacklist_file` is set. Treat a downloaded list
## as untrusted input: review it, since a bad pattern can black-hole real names.

[blacklist]

## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)

# blacklist_file = 'blacklist.txt'


## Optional path to a file logging blocked queries.
## Same sensitivity as the query log: it records client lookups.

# log_file = 'blocked.log'


## Optional log format: tsv or ltsv (default: tsv)

# log_format = 'tsv'
  275.  
  276.  
###########################################################
#        Pattern-based IP blocking (IP blacklists)        #
###########################################################

## IP blacklists are made of one pattern per line. Example of valid patterns:
##
## 127.*
## fe80:abcd:*
## 192.168.1.4
##
## NOTE(review): the example patterns (loopback, link-local) suggest these match
## addresses in upstream answers, i.e. a guard against responses pointing at
## local networks — confirm in the documentation before relying on it.

[ip_blacklist]

## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)

# blacklist_file = 'ip-blacklist.txt'


## Optional path to a file logging blocked queries

# log_file = 'ip-blocked.log'


## Optional log format: tsv or ltsv (default: tsv)

# log_format = 'tsv'
  303.  
  304.  
##########################################
#        Time access restrictions        #
##########################################

## One or more weekly schedules can be defined here.
## Patterns in the name-based blocklist can optionally be followed with @schedule_name
## to apply the pattern only while the current time falls within a range of
## the schedule named 'schedule_name'.
##
## For example, the following rule in a blacklist file:
## *.youtube.* @time-to-sleep
## would block access to YouTube only on the days, and during the hours,
## defined by the 'time-to-sleep' schedule.
##
## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
## {after= '9:00', before='18:00'} matches 9:00-18:00
##
## The table is left empty here; the two commented examples below are inert.
## Schedules are evaluated against the local clock of the machine running
## the proxy, so they are only as trustworthy as that clock.

[schedules]

# [schedules.'time-to-sleep']
# mon = [{after='21:00', before='7:00'}]
# tue = [{after='21:00', before='7:00'}]
# wed = [{after='21:00', before='7:00'}]
# thu = [{after='21:00', before='7:00'}]
# fri = [{after='23:00', before='7:00'}]
# sat = [{after='23:00', before='7:00'}]
# sun = [{after='21:00', before='7:00'}]

# [schedules.'work']
# mon = [{after='9:00', before='18:00'}]
# tue = [{after='9:00', before='18:00'}]
# wed = [{after='9:00', before='18:00'}]
# thu = [{after='9:00', before='18:00'}]
# fri = [{after='9:00', before='17:00'}]
  339.  
  340.  
#########################
#        Servers        #
#########################

## Remote lists of available servers
## Multiple sources can be used simultaneously, but every source
## requires a dedicated cache file.
##
## Refer to the documentation for URLs of public sources.
##
## A prefix can be prepended to server names in order to
## avoid collisions if different sources share the same name for
## different servers. In that case, names listed in `server_names`
## must include the prefixes.
##
## A cache file can be specified without a URL in order to maintain lists
## locally.
##
## `minisign_key` is the trust anchor for the downloaded list: the list is
## accepted only if it carries a valid signature from this key, which is what
## makes the plaintext fallback resolver above safe to use for bootstrapping.
## When copying a config from a paste like this one, compare the key against
## the value published by the dnscrypt-proxy project before trusting it, and
## never change the URL without re-checking the key that goes with it.

[sources]

## An example of a remote source

[sources.'public-resolvers']
url = 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'
cache_file = 'public-resolvers.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
# Hours between refreshes of the list
refresh_delay = 72
prefix = ''

## Another example source, with resolvers censoring some websites not appropriate for children
## This is a subset of the `public-resolvers` list, so enabling both is useless.
## Same signing key as above; both lists are published by the same project.

# [sources.'parental-control']
# url = 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md'
# cache_file = 'parental-control.md'
# minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  378.  
  379.  
## Optional, local, static list of additional servers
## Mostly useful for testing your own servers.
## A stamp ('sdns://...') encodes the server's address together with its
## protocol and key/certificate material, so each stamp is a trust anchor:
## only paste stamps obtained from the operator or a source you have verified.

[static]

## Inert while commented. This appears to be the Google DoH example shipped
## with the upstream template.

# [static.'google']
# stamp = 'sdns://AgUAAAAAAAAAACDyXGrcc5eNecJ8nomJCJ-q6eCLTEn6bHic0hWGUwYQaA5kbnMuZ29vZ2xlLmNvbQ0vZXhwZXJpbWVudGFs'