updates with current configuration

configuration/client/dnscrypt-proxy.toml

@@ -1,5 +1,3 @@
-# This Client Configuration are made for dnscrypt-proxy and Thanks ookangzheng for sample configuration files
-# Based on https://github.com/ookangzheng/blahdns/blob/master/client-conf/dnscrypt/dnscrypt-proxy.toml
 server_names = ['ProviderName', 'ProviderNamev6-Ifexisted']
 listen_addresses = ['127.0.0.1:53', '[::1]:53']
 max_clients = 250
@@ -10,7 +8,7 @@ keepalive = 30
 # Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random'
 lb_strategy = 'fastest'
 fallback_resolver = '94.140.14.14:53'
-ignore_system_dns = false
+ignore_system_dns = true
 netprobe_timeout = 30
 cache = false
 cache_size = 512
@@ -19,6 +17,18 @@ cache_max_ttl = 1800
 cache_neg_min_ttl = 2
 cache_neg_max_ttl = 6
 
+# Use servers reachable over IPv4
+ipv4_servers = true
+
+# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
+ipv6_servers = true
+
+# Use servers implementing the DNSCrypt protocol
+dnscrypt_servers = true
+
+# Use servers implementing the DNS-over-HTTPS protocol
+doh_servers = false
+
 [static]
 ## Publickey: YOURPUBKEY
 [static.'ProviderName']

configuration/doh-server.conf

@@ -1,4 +1,3 @@
-# Original author : aaflalo.me https://www.aaflalo.me/2018/10/tutorial-setup-dns-over-https-server/#Configuration
 # HTTP listen port
 listen = [
     "127.0.0.1:8053",
@@ -24,6 +23,8 @@ path = "/dns-query"
 upstream = [
     "tcp:127.0.0.1:5353",
     "udp:127.0.0.1:5353",
+    "tcp:[::1]:5353",
+    "udp:[::1]:5353"
 ]
 
 # Upstream timeout
@@ -34,3 +35,26 @@ tries = 10
 
 # Enable logging
 verbose = false
+
+# Enable log IP from HTTPS-reverse proxy header: X-Forwarded-For or X-Real-IP
+# Note: http uri/useragent log cannot be controlled by this config
+log_guessed_client_ip = false
+
+# By default, non global IP addresses are never forwarded to upstream servers.
+# This is to prevent two things from happening:
+#   1. the upstream server knowing your private LAN addresses;
+#   2. the upstream server unable to provide geographically near results,
+#      or even fail to provide any result.
+# However, if you are deploying a split tunnel corporation network
+# environment, or for any other reason you want to inhibit this
+# behavior and allow local (eg RFC1918) address to be forwarded,
+# change the following option to "true".
+ecs_allow_non_global_ip = false
+
+# If ECS is added to the request, let the full IP address or
+# cap it to 24 or 128 mask. This option is to be used only on private
+# networks where knwoledge of the terminal endpoint may be required for
+# security purposes (eg. DNS Firewalling). Not a good option on the
+# internet where IP address may be used to identify the user and
+# not only the approximate location.
+ecs_use_precise_ip = false

configuration/haproxy.cfg

@@ -11,13 +11,18 @@ global
         # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.8.0&openssl=1.1.0i&hsts=yes&profile=modern
         # If you are using different version (check with `openssl version` and `haproxy -v`, go get new ciphers&options)
         # set default parameters to the intermediate configuration
-        ssl-default-bind-ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
-        ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
-        ssl-default-server-ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
-	ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
 
-# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
-        ssl-dh-param-file /path/to/dhparam
+    tune.ssl.default-dh-param 4096
+    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+    ssl-dh-param-file /path/to/dhparam
+
 
 defaults
 #       enables tcplog so disabled
@@ -39,47 +44,52 @@ defaults
 
 # TCP LB (443)
 frontend 443-in
-          bind 104.244.78.187:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
-          bind [::]:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
+          bind 104.244.78.187:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.DOMAIN.pem
+          bind [::]:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.DOMAIN.pem
           mode tcp
 
         # DoT
-        use_backend dns-dot if { ssl_fc_sni dot.domain.pem }
+        use_backend dns-dot if { ssl_fc_sni dot.DOMAIN }
 
 # TCP LB (853)
 frontend 853-in
-	bind 0.0.0.0:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
-	bind [::]:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
-	mode tcp
+        bind 0.0.0.0:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.DOMAIN.pem
+        bind [::]:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.DOMAIN.pem
+        mode tcp
 
-	# DoT
-	use_backend dns-dot if { ssl_fc_sni dot.domain }
+        # DoT
+        use_backend dns-dot if { ssl_fc_sni dot.DOMAIN }
+
+backend dns-dot
+        mode tcp
+        server dot 127.0.0.1:5353 check
 
 # TCP LB (443)
 frontend 443-in-doh
-	bind 0.0.0.0:443 strict-sni tfo ssl crt /etc/haproxy/certs/doh.domain.pem alpn h2,http/2
-        bind [::]:443 strict-sni tfo ssl crt /etc/haproxy/certs/doh.domain.pem alpn h2,http/2
+        bind :80
+        bind 104.244.78.187:443 strict-sni tfo ssl crt /etc/haproxy/certs alpn h2,http/2
+        bind [::]:443 strict-sni tfo ssl crt /etc/haproxy/certs  alpn h2,http/2
 
         mode http
 
+        http-request redirect scheme https unless { ssl_fc }
+        rspidel (Server|x-powered-by|x-frontend)
         http-response set-header Strict-Transport-Security max-age=63072000
-	http-response set-header X-Frontend lv1
+        http-response set-header X-Frontend lv1
 
-	use_backend check if { path /check }
+        use_backend check if { path /check }
 
-	use_backend dns-doh if { hdr(host) -i doh.domain }
+        acl doh-frontend1 hdr(host) -i doh.lDOMAIN
 
-
-backend dns-dot
-	mode tcp
-	server dot 127.0.0.1:5353 check
+        use_backend http_nginx if dotweb-frontend1
+#       default_backend nginx
 
 backend dns-doh
-        mode http
-        server dns-doh 127.0.0.1:8053 check
+mode http
+server dns-doh 127.0.0.1:8053 check
+
+http-response set-header Strict-Transport-Security max-age=63072000
 
 backend check
         mode http
-        errorfile 503 /root/dns/check.http
-
-http-response set-header Strict-Transport-Security max-age=63072000
+        errorfile 503 /root/dns/check.http

configuration/kresd.conf

@@ -10,25 +10,30 @@ net.listen('::1', 5353, { kind = 'dns', freebind = true })
 
 -- Load useful modules
 modules = {
-	'hints > iterate',  -- Load /etc/hosts and allow custom root hints
-	'stats',            -- Track internal statistics
-	'predict',          -- Prefetch expiring/frequent records
+        'hints > iterate',  -- Load /etc/hosts and allow custom root hints
+        'stats',            -- Track internal statistics
+        'predict',          -- Prefetch expiring/frequent records
 }
 
--- Cache size https://knot-resolver.readthedocs.io/en/stable/daemon-bindings-cache.html#sizing
+--- Cache size https://knot-resolver.readthedocs.io/en/stable/daemon-bindings-cache.html#sizing
 -- "For personal and small office use-cases cache size around 100 MB is more than enough." -cz.nic
-cache.size = 100 * MB
+cache.size = 50 * MB
 
 -- policy help : https://knot-resolver.readthedocs.io/en/stable/modules-policy.html
 -- This is Just a Blocklist
 policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/minopallow.rpz',true))
+policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/adguard-exceptions.rpz',true))
+policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/adguard-dns.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/minopdeny.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/energized-ultimate.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/pgl-adserver.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/energized-social.rpz',true))
-policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/energized-regional.rpz',true)) 
+policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/energized-regional.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/urlhaus-abuse_ch.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/energized-xtreme.rpz',true))
-policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/blahdns.rpz',true))
+policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/1host-domains-pro.rpz',true))
+policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/1host-wildcards-pro.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/minop-cname-cloaking.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/ad-cname-tracker.rpz',true))
+policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/rpz-oisd.rpz',true))
+

download-filters.sh

@@ -1,13 +1,17 @@
 #!/bin/sh
-wget -O /etc/knot-resolver/list/minopallow.rpz https://github.com/minoplhy/dnsBlocklist/raw/main/rpz/allowlist.rpz
-wget -O /etc/knot-resolver/list/minopdeny.rpz https://github.com/minoplhy/dnsBlocklist/raw/main/rpz/denylist.rpz
-wget -O /etc/knot-resolver/list/energized-ultimate.rpz  https://block.energized.pro/ultimate/formats/rpz.txt 
+wget -O /etc/knot-resolver/list/minopallow.rpz https://git.kylz.nl/GitHub/DNSBlocklist/raw/branch/main/rpz/allowlist.rpz
+wget -O /etc/knot-resolver/list/adguard-exceptions.rpz https://sos-ch-dk-2.exo.io/noblt/adguard/exceptions_rpz.txt
+wget -O /etc/knot-resolver/list/adguard-dns.rpz https://sos-ch-dk-2.exo.io/noblt/adguard/dns_rpz.txt
+wget -O /etc/knot-resolver/list/minopdeny.rpz https://git.kylz.nl/GitHub/DNSBlocklist/raw/branch/main/rpz/denylist.rpz
+wget -O /etc/knot-resolver/list/energized-ultimate.rpz  https://block.energized.pro/ultimate/formats/rpz.txt
 wget -O /etc/knot-resolver/list/pgl-adserver.rpz https://pgl.yoyo.org/adservers/serverlist.php?hostformat=rpz&showintro=1&mimetype=plaintext
 wget -O /etc/knot-resolver/list/energized-social.rpz https://block.energized.pro/extensions/social/formats/rpz.txt
 wget -O /etc/knot-resolver/list/energized-regional.rpz https://block.energized.pro/extensions/regional/formats/rpz.txt
 wget -O /etc/knot-resolver/list/energized-xtreme.rpz https://block.energized.pro/extensions/xtreme/formats/rpz.txt
-wget -O /etc/knot-resolver/list/blahdns.rpz https://oooo.b-cdn.net/blahdns/blahdns_rpz.txt
+wget -O /etc/knot-resolver/list/1host-domains-pro.rpz https://sos-ch-dk-2.exo.io/noblt/1host/domains-pro_rpz.txt
+wget -O /etc/knot-resolver/list/1host-wildcards-pro.rpz https://sos-ch-dk-2.exo.io/noblt/1host/wildcards-pro_rpz.txt
 wget -O /etc/knot-resolver/list/urlhaus-abuse_ch.rpz https://urlhaus.abuse.ch/downloads/rpz
-wget -O /etc/knot-resolver/list/minop-cname-cloaking.rpz https://noblt.sos-ch-dk-2.exoscale-cdn.com/adguard/cname-original.rpz
-wget -O /etc/knot-resolver/list/ad-cname-tracker.rpz https://noblt.sos-ch-dk-2.exoscale-cdn.com/adguard/cname-tracker.rpz
+wget -O /etc/knot-resolver/list/minop-cname-cloaking.rpz https://sos-ch-dk-2.exo.io/noblt/adguard/cname-original_rpz.txt
+wget -O /etc/knot-resolver/list/ad-cname-tracker.rpz https://sos-ch-dk-2.exo.io/noblt/adguard/cname-tracker_rpz.txt
+wget -O /etc/knot-resolver/list/rpz-oisd.rpz https://rpz.oisd.nl/
 exit