DNSserver/configuration/doh-server.conf

# HTTP listen port
listen = [
    "127.0.0.1:8053",
    "[::1]:8053",
]

# TLS certification file
# If left empty, plain-text HTTP will be used.
# You are recommended to leave empty and to use a server load balancer (e.g.
# Caddy, Nginx) and set up TLS there, because this program does not do OCSP
# Stapling, which is necessary for client bootstrapping in a network
# environment with completely no traditional DNS service.
cert = ""

# TLS private key file
key = ""

# HTTP path for resolve application
path = "/dns-query"

# Upstream DNS resolver
# If multiple servers are specified, a random one will be chosen each time.
upstream = [
    "tcp:127.0.0.1:5353",
    "udp:127.0.0.1:5353",
    "tcp:[::1]:5353",
    "udp:[::1]:5353"
]

# Upstream timeout
timeout = 60

# Number of tries if upstream DNS fails
tries = 10

# Enable logging
verbose = false

# Enable log IP from HTTPS-reverse proxy header: X-Forwarded-For or X-Real-IP
# Note: http uri/useragent log cannot be controlled by this config
log_guessed_client_ip = false

# By default, non global IP addresses are never forwarded to upstream servers.
# This is to prevent two things from happening:
#   1. the upstream server knowing your private LAN addresses;
#   2. the upstream server unable to provide geographically near results,
#      or even fail to provide any result.
# However, if you are deploying a split tunnel corporation network
# environment, or for any other reason you want to inhibit this
# behavior and allow local (eg RFC1918) address to be forwarded,
# change the following option to "true".
ecs_allow_non_global_ip = false

# If ECS is added to the request, let the full IP address or
# cap it to 24 or 128 mask. This option is to be used only on private
# networks where knwoledge of the terminal endpoint may be required for
# security purposes (eg. DNS Firewalling). Not a good option on the
# internet where IP address may be used to identify the user and
# not only the approximate location.
ecs_use_precise_ip = false
Create doh-server.conf 2021-01-01 12:24:38 +00:00			`# HTTP listen port`
			`listen = [`
			`"127.0.0.1:8053",`
			`"[::1]:8053",`
			`]`

			`# TLS certification file`
			`# If left empty, plain-text HTTP will be used.`
			`# You are recommended to leave empty and to use a server load balancer (e.g.`
			`# Caddy, Nginx) and set up TLS there, because this program does not do OCSP`
			`# Stapling, which is necessary for client bootstrapping in a network`
			`# environment with completely no traditional DNS service.`
			`cert = ""`

			`# TLS private key file`
			`key = ""`

			`# HTTP path for resolve application`
			`path = "/dns-query"`

			`# Upstream DNS resolver`
			`# If multiple servers are specified, a random one will be chosen each time.`
			`upstream = [`
			`"tcp:127.0.0.1:5353",`
			`"udp:127.0.0.1:5353",`
updates with current configuration 2021-05-27 00:14:18 +00:00			`"tcp:[::1]:5353",`
			`"udp:[::1]:5353"`
Create doh-server.conf 2021-01-01 12:24:38 +00:00			`]`

			`# Upstream timeout`
			`timeout = 60`

			`# Number of tries if upstream DNS fails`
			`tries = 10`

			`# Enable logging`
			`verbose = false`
updates with current configuration 2021-05-27 00:14:18 +00:00
			`# Enable log IP from HTTPS-reverse proxy header: X-Forwarded-For or X-Real-IP`
			`# Note: http uri/useragent log cannot be controlled by this config`
			`log_guessed_client_ip = false`

			`# By default, non global IP addresses are never forwarded to upstream servers.`
			`# This is to prevent two things from happening:`
			`# 1. the upstream server knowing your private LAN addresses;`
			`# 2. the upstream server unable to provide geographically near results,`
			`# or even fail to provide any result.`
			`# However, if you are deploying a split tunnel corporation network`
			`# environment, or for any other reason you want to inhibit this`
			`# behavior and allow local (eg RFC1918) address to be forwarded,`
			`# change the following option to "true".`
			`ecs_allow_non_global_ip = false`

			`# If ECS is added to the request, let the full IP address or`
			`# cap it to 24 or 128 mask. This option is to be used only on private`
			`# networks where knwoledge of the terminal endpoint may be required for`
			`# security purposes (eg. DNS Firewalling). Not a good option on the`
			`# internet where IP address may be used to identify the user and`
			`# not only the approximate location.`
			`ecs_use_precise_ip = false`