From 77f81cc8c2aeb8b0efac16ea1e110910d7225242 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Thu, 17 Dec 2020 11:04:53 +0100 Subject: [PATCH] Add recommendation for fallback resolvers in the example config This is the same recommendation as https://github.com/DNSCrypt/dnscrypt-proxy/blob/c4d9860577e8f5e984bbfc3649dce1a4f1b9cd48/dnscrypt-proxy/serversInfo.go#L429-L432 that has been here for a while as a comment, but having it in the configuration file gives it more visibility. --- dnscrypt-proxy/example-dnscrypt-proxy.toml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/dnscrypt-proxy/example-dnscrypt-proxy.toml b/dnscrypt-proxy/example-dnscrypt-proxy.toml index aaeb8c38..e1b98858 100644 --- a/dnscrypt-proxy/example-dnscrypt-proxy.toml +++ b/dnscrypt-proxy/example-dnscrypt-proxy.toml @@ -209,12 +209,16 @@ cert_refresh_delay = 240 ## These are normal, non-encrypted DNS resolvers, that will be only used ## for one-shot queries when retrieving the initial resolvers list, and ## only if the system DNS configuration doesn't work. +## ## No user application queries will ever be leaked through these resolvers, ## and they will not be used after IP addresses of resolvers URLs have been found. ## They will never be used if lists have already been cached, and if stamps ## don't include host names without IP addresses. +## ## They will not be used if the configured system DNS works. -## Resolvers supporting DNSSEC are recommended. +## Resolvers supporting DNSSEC are recommended, and, if you are using +## DoH, fallback resolvers should ideally be operated by a different entity than +## the DoH servers you will be using, especially if you have IPv6 enabled. ## ## People in China may need to use 114.114.114.114:53 here. ## Other popular options include 8.8.8.8 and 1.1.1.1.
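Review bot: The new sentence at the end of the hunk ("fallback resolvers should ideally be operated by a different entity than the DoH servers you will be using, especially if you have IPv6 enabled") gives the recommendation without the reason, so someone reading only the example config cannot tell what risk it addresses or why IPv6 makes it more important. Consider adding one line of rationale to the comment, or a pointer to the serversInfo.go comment that the commit message cites as the source. The unchanged context lines that follow still list 8.8.8.8 and 1.1.1.1 as popular options with no reminder to compare them against the DoH servers the user has configured; a short cross-reference there would keep the two pieces of advice consistent.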