############################################## # # # dnscrypt-proxy configuration # # # ############################################## ################################## # Global settings # ################################## ## List of servers to use ## If this line is commented, all registered servers will be used # server_names = ['scaleway-fr', 'google', 'yandex'] server_names =['google'] ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6. ## To only use systemd activation sockets, use an empty set: [] listen_addresses = ['127.0.0.1:53', '[::1]:53'] ## Maximum number of simultaneous client connections to accept max_clients = 100 ## Require servers (from static definitions and from remote sources) to satisfy specific properties # Use servers reachable over IPv4 ipv4_servers = true # Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity ipv6_servers = false ## Require servers defined by remote sources to satisfy specific properties # Server must support DNS security extensions require_dnssec = false # Server must not log user queries require_nolog = true # Server must not enforce its own blacklist (for parental control, ads blocking...) require_nofilter = true ## Whether to the server as a background process (linux only) ## Do not set to true if you are using systemd daemonize = false ## Always use TCP to connect to upstream servers force_tcp = false ## How long a DNS query will wait for a response, in milliseconds timeout = 2500 # Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors) # log_level = 2 # log file for the application # log_file = 'dnscrypt-proxy.log' # Use the system logger (syslog on Unix, Event Log on Windows) # use_syslog = true ## Delay, in minutes, after which certificates are reloaded cert_refresh_delay = 30 ######################### # Filters # ######################### ## Immediately respond to IPv6-related queries with an empty response ## This makes things faster when there is no IPv6 connectivity, but can ## also cause reliability issues with some stub resolvers. In ## particular, enabling this on macOS is not recommended. block_ipv6 = false ################################################################################## # Route queries for specific domains to a dedicated set of servers # ################################################################################## ## Example map entries (one entry per line): ## example.com 9.9.9.9 ## example.net 9.9.9.9,8.8.8.8 # forwarding_rules = 'forwarding-rules.txt' ########################### # DNS cache # ########################### ## Enable a DNS cache to reduce latency and outgoing traffic cache = true ## Cache size cache_size = 256 ## Minimum TTL for cached entries cache_min_ttl = 600 ## Maxmimum TTL for cached entries cache_max_ttl = 86400 ## TTL for negatively cached entries cache_neg_ttl = 60 ############################### # Query logging # ############################### ## Log client queries to a file [query_log] ## Path to the query log file (absolute, or relative to the same directory as the executable file) # file = 'query.log' ## Query log format (currently supported: tsv and ltsv) format = 'tsv' ## Do not log these query types, to reduce verbosity. Keep empty to log everything. # ignored_qtypes = ['DNSKEY', 'NS'] ############################################ # Suspicious queries logging # ############################################ ## Log queries for nonexistent zones [nx_log] ## Path to the query log file (absolute, or relative to the same directory as the executable file) # file = 'nx.log' ## Query log format (currently supported: tsv and ltsv) format = 'tsv' ###################################################### # Pattern-based blocking (blacklists) # ###################################################### ## Blacklists are made of one pattern per line. Example of valid patterns: ## ## example.com ## *sex* ## ads.* ## ads*.example.* ## ads*.example[0-9]*.com [blacklist] ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file) # blacklist_file = 'blacklist.txt' ## Optional path to a file logging blocked queries # log_file = 'blocked.log' ## Optional log format: tsv or ltsv (default: tsv) # log_format = 'tsv' ########################################################### # Pattern-based IP blocking (IP blacklists) # ########################################################### ## IP blacklists are made of one pattern per line. Example of valid patterns: ## ## 127.* ## fe80:abcd:* ## 192.168.1.4 [ip_blacklist] ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file) # blacklist_file = 'ip-blacklist.txt' ## Optional path to a file logging blocked queries # log_file = 'ip-blocked.log' ## Optional log format: tsv or ltsv (default: tsv) # log_format = 'tsv' ######################### # Servers # ######################### ## Remote lists of available servers [sources] [sources.'public-resolvers'] url = 'http://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md' cache_file = 'public-resolvers.md' format = 'v2' minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' refresh_delay = 168 prefix = '' ## Optional, local, static list of additional servers ## Mostly useful for testing your own servers. [static] [static.'google'] stamp = 'sdns://AgEAAAAAAAAADTIxNi41OC4yMDUuNzgg8lxq3HOXjXnCfJ6JiQifqungi0xJ-mx4nNIVhlMGEGgOZG5zLmdvb2dsZS5jb20NL2V4cGVyaW1lbnRhbA'