From fc6042cefd4e827f0854d6aa11e3ac6382e5b61b Mon Sep 17 00:00:00 2001
From: Minoplhy
Date: Mon, 11 Jan 2021 19:58:55 +0700
Subject: [PATCH] Create encrypted-dns.toml
---
configuration/encrypted-dns.toml | 256 +++++++++++++++++++++++++++++++
1 file changed, 256 insertions(+)
create mode 100644 configuration/encrypted-dns.toml
diff --git a/configuration/encrypted-dns.toml b/configuration/encrypted-dns.toml
new file mode 100644
index 0000000..c670d3c
--- /dev/null
+++ b/configuration/encrypted-dns.toml
@@ -0,0 +1,256 @@
+####################################################
+# #
+# Encrypted DNS Server configuration #
+# #
+####################################################
+
+
+
+##################################
+# Global settings #
+##################################
+
+
+## IP addresses and ports to listen to, as well as their external IP
+## If there is no NAT involved, `local` and `external` can be the same.
+## As many addresses as needed can be configured here, IPv4 and/or IPv6.
+## You should at least change the `external` IP address.
+
+### Example with both IPv4 and IPv6 addresses:
+# listen_addrs = [
+# { local = "0.0.0.0:443", external = "198.51.100.1:443" },
+# { local = "[::]:443", external = "[2001:db8::1]:443" }
+# ]
+
+listen_addrs = [
+ { local = "0.0.0.0:8443", external = "**YourIP**:8443" },
+ { local = "[::]:8443", external = "[**YourIP**]:8443" }
+]
+
+
+## Upstream DNS server and port
+
+upstream_addr = "127.0.0.1:5353"
+
+
+## File name to save the state to
+
+state_file = "encrypted-dns.state"
+
+
+## UDP timeout in seconds
+
+udp_timeout = 10
+
+
+## TCP timeout in seconds
+
+tcp_timeout = 10
+
+
+## Maximum active UDP sockets
+
+udp_max_active_connections = 1000
+
+
+## Maximum active TCP connections
+
+tcp_max_active_connections = 100
+
+
+## Optional IP address to connect to upstream servers from.
+## Leave commented/undefined to automatically select it.
+
+# external_addr = "0.0.0.0"
+
+
+## Built-in DNS cache capacity
+
+cache_capacity = 100000
+
+
+## DNS cache: minimum TTL
+
+cache_ttl_min = 3600
+
+
+## DNS cache: max TTL
+
+cache_ttl_max = 86400
+
+
+## DNS cache: error TTL
+
+cache_ttl_error = 600
+
+
+## DNS cache: to avoid bursts of traffic for popular queries when an
+## RRSET expires, hold a TTL received from an upstream server for
+## `client_ttl_holdon` seconds before decreasing it in client responses.
+
+client_ttl_holdon = 60
+
+
+## Run as a background process
+
+daemonize = false
+
+
+## Log file
+
+# log_file = "/tmp/encrypted-dns.log"
+
+
+## PID file
+
+pid_file = "/tmp/encrypted-dns.pid"
+
+
+## User name to drop privileges to, when started as root.
+
+user = "DNSCrypt"
+
+
+## Group name to drop privileges to, when started as root.
+
+group = "DNSCrypt"
+
+
+## Path to chroot() to, when started as root.
+## The path to the state file is relative to the chroot base.
+
+# chroot = "/var/empty"
+
+
+## Queries sent to that name will return the client IP address.
+## This can be very useful for debugging, or to check that relaying works.
+
+my_ip = "my.ip"
+
+
+####################################
+# DNSCrypt settings #
+####################################
+
+[dnscrypt]
+
+## Provider name (with or without the `2.dnscrypt-cert.` prefix)
+
+provider_name = "**Your Preferred Name**"
+
+
+## Does the server support DNSSEC?
+
+dnssec = true
+
+
+## Does the server always returns correct answers (no filtering, including ad blocking)?
+
+no_filters = false
+
+
+## Set to `true` if the server doesn't keep any information that can be used to identify users
+
+no_logs = true
+
+
+## Key cache capacity, per certificate
+
+key_cache_capacity = 10000
+
+
+
+###############################
+# TLS settings #
+###############################
+
+[tls]
+
+## Where to proxy TLS connections to (e.g. DoH server)
+
+# upstream_addr = "127.0.0.1:4343"
+
+
+
+#######################################
+# Server-side filtering #
+#######################################
+
+[filtering]
+
+## List of domains to block, one per line
+
+# domain_blacklist = "/etc/domain_blacklist.txt"
+
+
+## List of undelegated TLDs
+## This is the list of nonexistent TLDs that queries are frequently observed for,
+## but will never resolve to anything. The server will immediately return a
+## synthesized NXDOMAIN response instead of hitting root servers.
+
+# undelegated_list = "/etc/undelegated.txt"
+
+
+## Ignore A and AAAA queries for unqualified host names.
+
+# ignore_unqualified_hostnames = true
+
+
+
+#########################
+# Metrics #
+#########################
+
+# [metrics]
+
+# type = "prometheus"
+# listen_addr = "0.0.0.0:9100"
+# path = "/metrics"
+
+
+
+################################
+# Anonymized DNS #
+################################
+
+[anonymized_dns]
+
+# Enable relaying support for Anonymized DNS
+
+enabled = false
+
+
+# Allowed upstream ports
+# This is a list of commonly used ports for encrypted DNS services
+
+allowed_ports = [ 443, 553, 853, 1443, 2053, 4343, 4434, 4443, 5353, 5443, 8443, 15353 ]
+
+
+# Allow all ports >= 1024 in addition to the list above
+
+allow_non_reserved_ports = false
+
+
+# Blacklisted upstream IP addresses
+
+blacklisted_ips = [ "93.184.216.34" ]
+
+
+
+
+################################
+# Access control #
+################################
+
+[access_control]
+
+# Enable access control
+
+enabled = false
+
+# Only allow access to client queries including one of these random tokens
+# Tokens can be configured in the `query_meta` section of `dnscrypt-proxy` as
+# `query_meta = ["token:..."]` -- Replace ... with the token to use by the client.
+# Example: `query_meta = ["token:Y2oHkDJNHz"]`
+
+tokens = ["Y2oHkDJNHz", "G5zY3J5cHQtY", "C5zZWN1cmUuZG5z"]
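Review bot: `pid_file = "/tmp/encrypted-dns.pid"` (and the commented-out `log_file` next to it) puts a file that is presumably written before the `user`/`group` privilege drop into a directory every local user can write to, so the name can be pre-created by someone else; prefer a location writable only by root and the service account, e.g. `pid_file = "/run/encrypted-dns.pid"`. In `[access_control]`, the three `tokens` values are committed with the repository, so they provide no protection the moment `enabled = true` is set; the comment above them should state that, e.g. `# Sample values only -- replace with locally generated random tokens before setting enabled = true`. `dnssec = true` and `no_logs = true` under `[dnscrypt]` read as properties advertised to clients rather than anything this file enforces, so they should be checked against what the resolver at `upstream_addr = "127.0.0.1:5353"` actually does before the file is used in production. The `**YourIP**` and `**Your Preferred Name**` placeholders are not valid addresses or names, so the file is a template that will presumably fail to start until edited; a one-line comment at the top saying so would make that explicit.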