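# Addresses and ports the HTTP listener binds to.
# The defaults bind to loopback only (IPv4 and IPv6), so the service is
# reachable only from this host, e.g. by a local reverse proxy. While `cert`
# is empty the listener speaks plain-text HTTP, so do not bind it to a
# non-loopback address unless TLS is terminated in front of it.
listen = [
    "127.0.0.1:8053",
    "[::1]:8053",
]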
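# TLS certificate file
# If left empty, plain-text HTTP will be used.
# It is recommended to leave this empty and to set up TLS on a load balancer
# or reverse proxy (e.g. Caddy, Nginx) in front of this program, because this
# program does not do OCSP stapling, which is necessary for client
# bootstrapping in a network environment with no traditional DNS service at
# all.
# When TLS is terminated on a proxy, the hop between the proxy and this
# program is unencrypted; keep that hop on loopback or a trusted network.
cert = ""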
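# TLS private key file
# NOTE(review): presumably only used together with `cert` -- confirm.
# If set, restrict the file's permissions so that only the account running
# this program can read it, and keep the key out of version control.
key = ""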
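# HTTP path on which DNS resolve requests are served.
# A reverse proxy placed in front of this program only needs to forward this
# path to the listener.
path = "/dns-query"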
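# Upstream DNS resolver
# If multiple servers are specified, a random one will be chosen each time.
# Each entry has the form "<protocol>:<address>:<port>". The defaults send
# DNS over TCP and UDP to a resolver on this host (loopback, port 5353).
# These `tcp:` and `udp:` entries are ordinary unencrypted DNS, so pointing
# them at a resolver on another network exposes the queries on that path.
upstream = [
    "tcp:127.0.0.1:5353",
    "udp:127.0.0.1:5353",
    "tcp:[::1]:5353",
    "udp:[::1]:5353",
]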
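# Upstream timeout
# NOTE(review): the unit is not stated here; presumably seconds -- confirm.
timeout = 60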
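# Number of tries if upstream DNS fails
# NOTE(review): if `timeout` applies to each try (not stated here -- confirm),
# one request against an unresponsive upstream can be held open for up to
# timeout x tries. Size both values with that worst case in mind.
tries = 10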
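# Enable logging
# NOTE(review): what gets logged is not described here. If the output
# includes queried names or client addresses, treat the log as sensitive:
# restrict who can read it and how long it is retained.
verbose = false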
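# Log the client IP taken from an HTTPS reverse-proxy header: X-Forwarded-For
# or X-Real-IP.
# Note: logging of the HTTP URI and user agent cannot be controlled by this
# config.
# These headers are set by whoever sends the request, so the logged address
# is only reliable when the reverse proxy in front of this program overwrites
# them. Otherwise a client can put an arbitrary address into the log, which
# is why the value is called "guessed".
log_guessed_client_ip = false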
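# By default, non-global IP addresses are never forwarded to upstream servers
# (in the EDNS Client Subnet, ECS, field of the request).
# This is to prevent two things from happening:
#   1. the upstream server learning your private LAN addresses;
#   2. the upstream server being unable to provide geographically near
#      results, or even failing to provide any result.
# However, if you are deploying a split-tunnel corporate network environment,
# or for any other reason want to disable this behavior and allow local
# (e.g. RFC 1918) addresses to be forwarded, change the following option to
# `true`. Only do so when every configured upstream is a resolver you
# operate or trust with your internal addressing.
ecs_allow_non_global_ip = false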
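# If ECS is added to the request, choose between sending the full client IP
# address (`true`) and capping it to a 24 or 128 mask (`false`).
# NOTE(review): a 128-bit mask is a complete IPv6 address, not a cap --
# confirm the IPv6 prefix length the program actually applies.
# This option is to be used only on private networks where knowledge of the
# terminal endpoint may be required for security purposes (e.g. DNS
# firewalling). It is not a good option on the internet, where the IP address
# may be used to identify the user and not only the approximate location.
ecs_use_precise_ip = false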