updates with current configuration

2024-11-24 10:16:54 +00:00 · 2021-05-27 07:14:18 +07:00 · 2021-05-27 07:14:18 +07:00 · f973f37a3a
commit f973f37a3a
parent e08570d856
5 changed files with 98 additions and 45 deletions
--- a/configuration/client/dnscrypt-proxy.toml
+++ b/configuration/client/dnscrypt-proxy.toml
@ -1,5 +1,3 @@
 # This Client Configuration are made for dnscrypt-proxy and Thanks ookangzheng for sample configuration files
 # Based on https://github.com/ookangzheng/blahdns/blob/master/client-conf/dnscrypt/dnscrypt-proxy.toml
 server_names = ['ProviderName', 'ProviderNamev6-Ifexisted']
 listen_addresses = ['127.0.0.1:53', '[::1]:53']
 max_clients = 250
@ -10,7 +8,7 @@ keepalive = 30
 # Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random'
 lb_strategy = 'fastest'
 fallback_resolver = '94.140.14.14:53'
-ignore_system_dns = false
+ignore_system_dns = true
 netprobe_timeout = 30
 cache = false
 cache_size = 512
@ -19,6 +17,18 @@ cache_max_ttl = 1800
 cache_neg_min_ttl = 2
 cache_neg_max_ttl = 6
 # Use servers reachable over IPv4
 ipv4_servers = true
 # Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
 ipv6_servers = true
 # Use servers implementing the DNSCrypt protocol
 dnscrypt_servers = true
 # Use servers implementing the DNS-over-HTTPS protocol
 doh_servers = false
 [static]
 ## Publickey: YOURPUBKEY
 [static.'ProviderName']
--- a/configuration/doh-server.conf
+++ b/configuration/doh-server.conf
@ -1,4 +1,3 @@
 # Original author : aaflalo.me https://www.aaflalo.me/2018/10/tutorial-setup-dns-over-https-server/#Configuration
 # HTTP listen port
 listen = [
    "127.0.0.1:8053",
@ -24,6 +23,8 @@ path = "/dns-query"
 upstream = [
    "tcp:127.0.0.1:5353",
    "udp:127.0.0.1:5353",
    "tcp:[::1]:5353",
    "udp:[::1]:5353"
 ]
 # Upstream timeout
@ -34,3 +35,26 @@ tries = 10
 # Enable logging
 verbose = false
 # Enable log IP from HTTPS-reverse proxy header: X-Forwarded-For or X-Real-IP
 # Note: http uri/useragent log cannot be controlled by this config
 log_guessed_client_ip = false
 # By default, non global IP addresses are never forwarded to upstream servers.
 # This is to prevent two things from happening:
 #   1. the upstream server knowing your private LAN addresses;
 #   2. the upstream server unable to provide geographically near results,
 #      or even fail to provide any result.
 # However, if you are deploying a split tunnel corporation network
 # environment, or for any other reason you want to inhibit this
 # behavior and allow local (eg RFC1918) address to be forwarded,
 # change the following option to "true".
 ecs_allow_non_global_ip = false
 # If ECS is added to the request, let the full IP address or
 # cap it to 24 or 128 mask. This option is to be used only on private
 # networks where knwoledge of the terminal endpoint may be required for
 # security purposes (eg. DNS Firewalling). Not a good option on the
 # internet where IP address may be used to identify the user and
 # not only the approximate location.
 ecs_use_precise_ip = false
--- a/configuration/haproxy.cfg
+++ b/configuration/haproxy.cfg
@ -11,14 +11,19 @@ global
        # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.8.0&openssl=1.1.0i&hsts=yes&profile=modern
        # If you are using different version (check with `openssl version` and `haproxy -v`, go get new ciphers&options)
        # set default parameters to the intermediate configuration
-        ssl-default-bind-ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+
-        ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+    tune.ssl.default-dh-param 4096
-        ssl-default-server-ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
 # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
    ssl-dh-param-file /path/to/dhparam
 defaults
 #       enables tcplog so disabled
 #       log     global
@ -39,47 +44,52 @@ defaults
 # TCP LB (443)
 frontend 443-in
-          bind 104.244.78.187:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
+          bind 104.244.78.187:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.DOMAIN.pem
-          bind [::]:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
+          bind [::]:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.DOMAIN.pem
          mode tcp
        # DoT
-        use_backend dns-dot if { ssl_fc_sni dot.domain.pem }
+        use_backend dns-dot if { ssl_fc_sni dot.DOMAIN }
 # TCP LB (853)
 frontend 853-in
-	bind 0.0.0.0:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
+        bind 0.0.0.0:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.DOMAIN.pem
-	bind [::]:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
+        bind [::]:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.DOMAIN.pem
        mode tcp
        # DoT
-	use_backend dns-dot if { ssl_fc_sni dot.domain }
+        use_backend dns-dot if { ssl_fc_sni dot.DOMAIN }
 # TCP LB (443)
 frontend 443-in-doh
 	bind 0.0.0.0:443 strict-sni tfo ssl crt /etc/haproxy/certs/doh.domain.pem alpn h2,http/2
        bind [::]:443 strict-sni tfo ssl crt /etc/haproxy/certs/doh.domain.pem alpn h2,http/2
        mode http
        http-response set-header Strict-Transport-Security max-age=63072000
 	http-response set-header X-Frontend lv1
 	use_backend check if { path /check }
 	use_backend dns-doh if { hdr(host) -i doh.domain }
 backend dns-dot
        mode tcp
        server dot 127.0.0.1:5353 check
 # TCP LB (443)
 frontend 443-in-doh
        bind :80
        bind 104.244.78.187:443 strict-sni tfo ssl crt /etc/haproxy/certs alpn h2,http/2
        bind [::]:443 strict-sni tfo ssl crt /etc/haproxy/certs  alpn h2,http/2
        mode http
        http-request redirect scheme https unless { ssl_fc }
        rspidel (Server|x-powered-by|x-frontend)
        http-response set-header Strict-Transport-Security max-age=63072000
        http-response set-header X-Frontend lv1
        use_backend check if { path /check }
        acl doh-frontend1 hdr(host) -i doh.lDOMAIN
        use_backend http_nginx if dotweb-frontend1
 #       default_backend nginx
 backend dns-doh
 mode http
 server dns-doh 127.0.0.1:8053 check
 http-response set-header Strict-Transport-Security max-age=63072000
 backend check
        mode http
        errorfile 503 /root/dns/check.http
 http-response set-header Strict-Transport-Security max-age=63072000
--- a/configuration/kresd.conf
+++ b/configuration/kresd.conf
@ -15,13 +15,15 @@ modules = {
        'predict',          -- Prefetch expiring/frequent records
 }
-- Cache size https://knot-resolver.readthedocs.io/en/stable/daemon-bindings-cache.html#sizing
+--- Cache size https://knot-resolver.readthedocs.io/en/stable/daemon-bindings-cache.html#sizing
 -- "For personal and small office use-cases cache size around 100 MB is more than enough." -cz.nic
-cache.size = 100 * MB
+cache.size = 50 * MB
 -- policy help : https://knot-resolver.readthedocs.io/en/stable/modules-policy.html
 -- This is Just a Blocklist
 policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/minopallow.rpz',true))
 policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/adguard-exceptions.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/adguard-dns.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/minopdeny.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/energized-ultimate.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/pgl-adserver.rpz',true))
@ -29,6 +31,9 @@ policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/energized-social.r
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/energized-regional.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/urlhaus-abuse_ch.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/energized-xtreme.rpz',true))
-policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/blahdns.rpz',true))
+policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/1host-domains-pro.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/1host-wildcards-pro.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/minop-cname-cloaking.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/ad-cname-tracker.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/rpz-oisd.rpz',true))
--- a/download-filters.sh
+++ b/download-filters.sh
@ -1,13 +1,17 @@
 #!/bin/sh
-wget -O /etc/knot-resolver/list/minopallow.rpz https://github.com/minoplhy/dnsBlocklist/raw/main/rpz/allowlist.rpz
+wget -O /etc/knot-resolver/list/minopallow.rpz https://git.kylz.nl/GitHub/DNSBlocklist/raw/branch/main/rpz/allowlist.rpz
-wget -O /etc/knot-resolver/list/minopdeny.rpz https://github.com/minoplhy/dnsBlocklist/raw/main/rpz/denylist.rpz
+wget -O /etc/knot-resolver/list/adguard-exceptions.rpz https://sos-ch-dk-2.exo.io/noblt/adguard/exceptions_rpz.txt
 wget -O /etc/knot-resolver/list/adguard-dns.rpz https://sos-ch-dk-2.exo.io/noblt/adguard/dns_rpz.txt
 wget -O /etc/knot-resolver/list/minopdeny.rpz https://git.kylz.nl/GitHub/DNSBlocklist/raw/branch/main/rpz/denylist.rpz
 wget -O /etc/knot-resolver/list/energized-ultimate.rpz  https://block.energized.pro/ultimate/formats/rpz.txt
 wget -O /etc/knot-resolver/list/pgl-adserver.rpz https://pgl.yoyo.org/adservers/serverlist.php?hostformat=rpz&showintro=1&mimetype=plaintext
 wget -O /etc/knot-resolver/list/energized-social.rpz https://block.energized.pro/extensions/social/formats/rpz.txt
 wget -O /etc/knot-resolver/list/energized-regional.rpz https://block.energized.pro/extensions/regional/formats/rpz.txt
 wget -O /etc/knot-resolver/list/energized-xtreme.rpz https://block.energized.pro/extensions/xtreme/formats/rpz.txt
-wget -O /etc/knot-resolver/list/blahdns.rpz https://oooo.b-cdn.net/blahdns/blahdns_rpz.txt
+wget -O /etc/knot-resolver/list/1host-domains-pro.rpz https://sos-ch-dk-2.exo.io/noblt/1host/domains-pro_rpz.txt
 wget -O /etc/knot-resolver/list/1host-wildcards-pro.rpz https://sos-ch-dk-2.exo.io/noblt/1host/wildcards-pro_rpz.txt
 wget -O /etc/knot-resolver/list/urlhaus-abuse_ch.rpz https://urlhaus.abuse.ch/downloads/rpz
-wget -O /etc/knot-resolver/list/minop-cname-cloaking.rpz https://noblt.sos-ch-dk-2.exoscale-cdn.com/adguard/cname-original.rpz
+wget -O /etc/knot-resolver/list/minop-cname-cloaking.rpz https://sos-ch-dk-2.exo.io/noblt/adguard/cname-original_rpz.txt
-wget -O /etc/knot-resolver/list/ad-cname-tracker.rpz https://noblt.sos-ch-dk-2.exoscale-cdn.com/adguard/cname-tracker.rpz
+wget -O /etc/knot-resolver/list/ad-cname-tracker.rpz https://sos-ch-dk-2.exo.io/noblt/adguard/cname-tracker_rpz.txt
 wget -O /etc/knot-resolver/list/rpz-oisd.rpz https://rpz.oisd.nl/
 exit