
##############################################
#                                            #
#        dnscrypt-proxy configuration        #
#                                            #
##############################################

## This is an example configuration file.
## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"
##
## Online documentation is available here: https://dnscrypt.info/doc



##################################
#         Global settings        #
##################################

## List of servers to use
##
## Servers from the "public-resolvers" source (see down below) can
## be viewed here: https://dnscrypt.info/public-servers
##
## If this line is commented, all registered servers matching the require_* filters
## will be used.
##
## The proxy will automatically pick the fastest, working servers from the list.
## Remove the leading # first to enable this; lines starting with # are ignored.

# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']


## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
## Note: When using systemd socket activation, choose an empty set (i.e. [] ).

listen_addresses = ['127.0.0.1:53', '[::1]:53']


## Maximum number of simultaneous client connections to accept

max_clients = 250


## Switch to a non-privileged system user after listening sockets have been created.
## Two processes will be running.
## The first one will keep root privileges, but is only a supervisor that does nothing
## except create the sockets, manage the service, and restart it if it crashes.
## The second process is the service itself, and that one will always run as a different
## user.
## Note (1): this feature is currently unsupported on Windows.
## Note (2): this feature is not compatible with systemd socket activation.

# user_name = 'nobody'


## Require servers (from static + remote sources) to satisfy specific properties

# Use servers reachable over IPv4
ipv4_servers = true

# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
ipv6_servers = false

# Use servers implementing the DNSCrypt protocol
dnscrypt_servers = true

# Use servers implementing the DNS-over-HTTPS protocol
doh_servers = true


## Require servers defined by remote sources to satisfy specific properties

# Server must support DNS security extensions (DNSSEC)
require_dnssec = false

# Server must not log user queries (declarative)
require_nolog = true

# Server must not enforce its own blacklist (for parental control, ad blocking...)
require_nofilter = true


## Always use TCP to connect to upstream servers.
## This can be useful if you need to route everything through Tor.
## Otherwise, leave this to `false`, as it doesn't improve security
## (dnscrypt-proxy will always encrypt everything even using UDP), and can
## only increase latency.

force_tcp = false


## HTTP / SOCKS proxy
## Uncomment the following line to route all TCP connections to a local Tor node
## Tor doesn't support UDP, so set `force_tcp` to `true` as well.

# proxy = "socks5://127.0.0.1:9050"



## How long a DNS query will wait for a response, in milliseconds

timeout = 2500


## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds

keepalive = 30


## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random'

# lb_strategy = 'p2'


## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)

# log_level = 2


## Log file for the application

# log_file = 'dnscrypt-proxy.log'


## Use the system logger (syslog on Unix, Event Log on Windows)

# use_syslog = true


## Delay, in minutes, after which certificates are reloaded

cert_refresh_delay = 240


## DNSCrypt: Create a new, unique key for every single DNS query
## This may improve privacy but can also have a significant impact on CPU usage
## Only enable if you don't have a lot of network load

# dnscrypt_ephemeral_keys = false


## DoH: Disable TLS session tickets - increases privacy but also latency

# tls_disable_session_tickets = false


## DoH: Use a specific cipher suite instead of the server preference
## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
##
## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
## the following suite improves performance.
## This may also help on Intel CPUs running 32-bit operating systems.
##
## Keep tls_cipher_suite empty if you have issues fetching sources or
## connecting to some DoH servers. Google and Cloudflare are fine with it.

# tls_cipher_suite = [52392, 49199]


## Fallback resolver
## This is a normal, non-encrypted DNS resolver, that will be only used
## for one-shot queries when retrieving the initial resolvers list, and
## only if the system DNS configuration doesn't work.
## No user application queries will ever be leaked through this resolver,
## and it will not be used after the IP addresses of the resolver URLs have been found.
## It will never be used if lists have already been cached, and if stamps
## don't include host names without IP addresses.
## It will not be used if the configured system DNS works.
## A resolver supporting DNSSEC is recommended. This may become mandatory.
##
## People in China may need to use 114.114.114.114:53 here.
## Other popular options include 8.8.8.8 and 1.1.1.1.

fallback_resolver = '9.9.9.9:53'


## Never let dnscrypt-proxy try to use the system DNS settings;
## unconditionally use the fallback resolver.

ignore_system_dns = false


## Maximum time (in seconds) to wait for network connectivity before
## initializing the proxy.
## Useful if the proxy is automatically started at boot, and network
## connectivity is not guaranteed to be immediately available.
## Use 0 to disable.

netprobe_timeout = 30


## Offline mode - Do not use any remote encrypted servers.
## The proxy will remain fully functional to respond to queries that
## plugins can handle directly (forwarding, cloaking, ...)

# offline_mode = false


## Automatic log files rotation

# Maximum log files size in MB
log_files_max_size = 10

# How long to keep backup files, in days
log_files_max_age = 7

# Maximum log files backups to keep (or 0 to keep all backups)
log_files_max_backups = 1



#########################
#        Filters        #
#########################

## Immediately respond to IPv6-related queries with an empty response
## This makes things faster when there is no IPv6 connectivity, but can
## also cause reliability issues with some stub resolvers.
## Do not enable if you added a validating resolver such as dnsmasq in front
## of the proxy.

block_ipv6 = false



##################################################################################
#        Route queries for specific domains to a dedicated set of servers        #
##################################################################################

## Example map entries (one entry per line):
## example.com 9.9.9.9
## example.net 9.9.9.9,8.8.8.8,1.1.1.1

# forwarding_rules = 'forwarding-rules.txt'



###############################
#        Cloaking rules       #
###############################

## Cloaking returns a predefined address for a specific name.
## In addition to acting as a HOSTS file, it can also return the IP address
## of a different name. It will also do CNAME flattening.
##
## Example map entries (one entry per line)
## example.com     10.1.1.1
## www.google.com  forcesafesearch.google.com

# cloaking_rules = 'cloaking-rules.txt'



###########################
#        DNS cache        #
###########################

## Enable a DNS cache to reduce latency and outgoing traffic

cache = true


## Cache size

cache_size = 512


## Minimum TTL for cached entries

cache_min_ttl = 600


## Maximum TTL for cached entries

cache_max_ttl = 86400


## Minimum TTL for negatively cached entries

cache_neg_min_ttl = 60


## Maximum TTL for negatively cached entries

cache_neg_max_ttl = 600



###############################
#        Query logging        #
###############################

## Log client queries to a file

[query_log]

  ## Path to the query log file (absolute, or relative to the same directory as the executable file)

  # file = 'query.log'


  ## Query log format (currently supported: tsv and ltsv)

  format = 'tsv'


  ## Do not log these query types, to reduce verbosity. Keep empty to log everything.

  # ignored_qtypes = ['DNSKEY', 'NS']



############################################
#        Suspicious queries logging        #
############################################

## Log queries for nonexistent zones
## These queries can reveal the presence of malware, broken/obsolete applications,
## and devices signaling their presence to 3rd parties.

[nx_log]

  ## Path to the query log file (absolute, or relative to the same directory as the executable file)

  # file = 'nx.log'


  ## Query log format (currently supported: tsv and ltsv)

  format = 'tsv'



######################################################
#        Pattern-based blocking (blacklists)        #
######################################################

## Blacklists are made of one pattern per line. Example of valid patterns:
##
##   example.com
##   =example.com
##   *sex*
##   ads.*
##   ads*.example.*
##   ads*.example[0-9]*.com
##
## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
## A script to build blacklists from public feeds can be found in the
## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.

[blacklist]

  ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)

  # blacklist_file = 'blacklist.txt'


  ## Optional path to a file logging blocked queries

  # log_file = 'blocked.log'


  ## Optional log format: tsv or ltsv (default: tsv)

  # log_format = 'tsv'



###########################################################
#        Pattern-based IP blocking (IP blacklists)        #
###########################################################

## IP blacklists are made of one pattern per line. Example of valid patterns:
##
##   127.*
##   fe80:abcd:*
##   192.168.1.4

[ip_blacklist]

  ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)

  # blacklist_file = 'ip-blacklist.txt'


  ## Optional path to a file logging blocked queries

  # log_file = 'ip-blocked.log'


  ## Optional log format: tsv or ltsv (default: tsv)

  # log_format = 'tsv'



######################################################
#   Pattern-based whitelisting (blacklists bypass)   #
######################################################

## Whitelists support the same patterns as blacklists
## If a name matches a whitelist entry, the corresponding session
## will bypass the name and IP filters.
##
## Time-based rules are also supported to make some websites only accessible at specific times of the day.

[whitelist]

  ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the executable file)

  # whitelist_file = 'whitelist.txt'


  ## Optional path to a file logging whitelisted queries

  # log_file = 'whitelisted.log'


  ## Optional log format: tsv or ltsv (default: tsv)

  # log_format = 'tsv'



##########################################
#        Time access restrictions        #
##########################################

## One or more weekly schedules can be defined here.
## Patterns in the name-based blocklist can optionally be followed with @schedule_name
## to apply the pattern only while the current time falls within a time range of the schedule 'schedule_name'.
##
## For example, the following rule in a blacklist file:
## *.youtube.* @time-to-sleep
## would block access to YouTube only during the days, and period of the days
## defined by the 'time-to-sleep' schedule.
##
## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
## {after= '9:00', before='18:00'} matches 9:00-18:00

[schedules]

  # [schedules.'time-to-sleep']
  # mon = [{after='21:00', before='7:00'}]
  # tue = [{after='21:00', before='7:00'}]
  # wed = [{after='21:00', before='7:00'}]
  # thu = [{after='21:00', before='7:00'}]
  # fri = [{after='23:00', before='7:00'}]
  # sat = [{after='23:00', before='7:00'}]
  # sun = [{after='21:00', before='7:00'}]

  # [schedules.'work']
  # mon = [{after='9:00', before='18:00'}]
  # tue = [{after='9:00', before='18:00'}]
  # wed = [{after='9:00', before='18:00'}]
  # thu = [{after='9:00', before='18:00'}]
  # fri = [{after='9:00', before='17:00'}]



#########################
#        Servers        #
#########################

## Remote lists of available servers
## Multiple sources can be used simultaneously, but every source
## requires a dedicated cache file.
##
## Refer to the documentation for URLs of public sources.
##
## A prefix can be prepended to server names in order to
## avoid collisions if different sources use the same name for
## different servers. In that case, names listed in `server_names`
## must include the prefixes.
##
## If the `urls` property is missing, cache files and valid signatures
## must already be present; this doesn't prevent these cache files from
## expiring after `refresh_delay` hours.

[sources]

  ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers

  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''

  ## Another example source, with resolvers censoring some websites not appropriate for children
  ## This is a subset of the `public-resolvers` list, so enabling both is useless

  #  [sources.'parental-control']
  #  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md']
  #  cache_file = 'parental-control.md'
  #  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'



## Optional, local, static list of additional servers
## Mostly useful for testing your own servers.

[static]

  # [static.'google']
  # stamp = 'sdns://AgUAAAAAAAAAAAAOZG5zLmdvb2dsZS5jb20NL2V4cGVyaW1lbnRhbA'