-
Notifications
You must be signed in to change notification settings - Fork 11
/
Copy pathdnscrypt-proxy.toml
147 lines (100 loc) · 4.67 KB
/
dnscrypt-proxy.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
# binary downloads:
# https://github.com/DNSCrypt/dnscrypt-proxy/releases/
# shortcut access for this file:
# curl https://raw.githubusercontent.com/alecmuffett/dohot/master/dnscrypt-proxy.toml >dnscrypt-proxy.toml
# reference/docs for this file:
# https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
# ------------------------------------------------------------------
# dohot notes:
# 1/ this configuration expects dnscrypt-proxy version 2.0.44 or
# higher; if you are locked into using a lower version than that,
# it MUST be at/above version 2.0.39, and you will need to amend
# the URLs in the "[sources]" section to use the "/v2/" PATHNAMES
# file format, as annotated in that section.
# 2/ gradually this configuration is being pared-down to only set
# values which are relevant and are necessary for clarity, or for
# dohot to work efficiently; all the rest are inherited defaults
# ------------------------------------------------------------------
# listen on port 53, all interfaces
listen_addresses = [ '0.0.0.0:53' ]
# use the following DoH providers from the 'public-resolvers' list;
# see the URL below for details, add the names here...
# 1/ https://dnscrypt.info/public-servers
# 2/ https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md
# 3/ https://download.dnscrypt.info/resolvers-list/v3/onion-services.md
# UPDATE 2021-02: if you comment-out "server_names" (recommended)
# then you will greatly increase the size of your load-balancing DoH
# pool; however doing so MAY restrict access to `onion-cloudflare`
# because of source ordering issues. I'm looking to fix this somehow.
# server_names = [ 'a-and-a', 'cloudflare', 'dnslify-doh', 'google', 'iij', 'nextdns', 'onion-cloudflare', 'powerdns-doh', 't53' ]
disabled_server_names = []
# we want frequent stats on latency, etc, so we poll/log every hour
cert_refresh_delay = 60
# what kinds of server do we want to resolve from?
doh_servers = true
ipv4_servers = false
ipv6_servers = false
dnscrypt_servers = false
# imma assume IPv4 only, feel free to tweak this if you are IPv6-capable
block_ipv6 = true
# don't let weird queries & typos leak upstream
block_unqualified = true
block_undelegated = true
# the goal of using tor is to not care about server logging, so why limit ourselves?
require_nolog = false
# but we *do* want integrity
require_dnssec = true
# and we *probably* want DoH servers that advertise themselves as unfiltered
require_nofilter = true
# use tor
force_tcp = true
proxy = 'socks5://127.0.0.1:9050'
# how long a dns query will wait for a response, in milliseconds (max recommended)
timeout = 10000
# loadbalancing
lb_strategy = 'p2'
# logging
log_level = 2
use_syslog = true
log_files_max_size = 64
log_files_max_age = 7
log_files_max_backups = 4
# less linkability / more privacy at slight performance impact;
# see the notes in the `example-dnscrypt-proxy.toml`
tls_disable_session_tickets = true
tls_cipher_suite = [52392, 49199]
# this server MUST be able to probe the internet, so we should
# configure our firewall so that it's the only one which can use port
# 53; DNSCrypt-proxy will only use these in limited circumstances...
fallback_resolvers = ['1.1.1.1:53', '8.8.8.8:53']
netprobe_address = '8.8.8.8:53'
netprobe_timeout = 60
ignore_system_dns = true
# let's be explicit about caching...
cache = true
cache_size = 4096
cache_min_ttl = 2400
cache_max_ttl = 86400
cache_neg_min_ttl = 60
cache_neg_max_ttl = 600
# no i am not configuring this resolver as a local DoH listener,
# to do so requires a TLS certificate and that's a world of pain
[query_log]
file = '/var/log/dnscrypt-proxy/query.log'
[nx_log]
file = '/var/log/dnscrypt-proxy/nx.log'
# NOTE: IF YOU ARE USING AN OLDER VERSION OF `DNSCRYPT-PROXY` (VERSIONS <= 2.0.42)
# THEN YOU WILL NEED TO CHANGE THE URLS TO READ"...resolvers-list/v2/public-resolvers.md"
# - for details, see:
# https://github.com/alecmuffett/dohot/issues/1 *and*
# https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md *and*
# https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md
[sources]
[sources.'public-resolvers']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
cache_file = 'public-resolvers.md'
[sources.'onion-services']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/onion-services.md', 'https://download.dnscrypt.info/resolvers-list/v3/onion-services.md']
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
cache_file = 'onion-services.md'