mirror of https://github.com/trailofbits/algo
DNS-over-HTTPS (#875)
parent
4bd59bebf4
commit
c82bd8c5ff
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
listen_port: "{% if local_dns|d(false)|bool == true %}5353{% else %}53{% endif %}"
|
||||||
|
# the version used if the latest unavailable (in case of Github API rate limited)
|
||||||
|
dnscrypt_proxy_version: 2.0.10
|
||||||
|
apparmor_enabled: true
|
||||||
|
dns_encryption: true
|
||||||
|
dns_encryption_provider: "*"
|
@ -0,0 +1,23 @@
|
|||||||
|
#include <tunables/global>
|
||||||
|
|
||||||
|
/usr/sbin/dnscrypt-proxy {
|
||||||
|
#include <abstractions/base>
|
||||||
|
#include <abstractions/nameservice>
|
||||||
|
#include <abstractions/openssl>
|
||||||
|
|
||||||
|
capability chown,
|
||||||
|
capability dac_override,
|
||||||
|
capability net_bind_service,
|
||||||
|
capability setgid,
|
||||||
|
capability setuid,
|
||||||
|
capability sys_resource,
|
||||||
|
|
||||||
|
/etc/dnscrypt-proxy.toml r,
|
||||||
|
/etc/ld.so.cache r,
|
||||||
|
/usr/sbin/dnscrypt-proxy mr,
|
||||||
|
/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv r,
|
||||||
|
/usr/local/lib/{@{multiarch}/,}libldns.so* mr,
|
||||||
|
/usr/local/lib/{@{multiarch}/,}libsodium.so* mr,
|
||||||
|
/run/dnscrypt-proxy.pid rw,
|
||||||
|
/run/systemd/notify rw,
|
||||||
|
}
|
@ -0,0 +1,38 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
# PROVIDE: dnscrypt-proxy
|
||||||
|
# REQUIRE: LOGIN
|
||||||
|
# BEFORE: securelevel
|
||||||
|
# KEYWORD: shutdown
|
||||||
|
|
||||||
|
# Add the following lines to /etc/rc.conf to enable `dnscrypt-proxy':
|
||||||
|
#
|
||||||
|
# dnscrypt_proxy_enable="YES"
|
||||||
|
# dnscrypt_proxy_flags="<set as needed>"
|
||||||
|
#
|
||||||
|
# See rsync(1) for rsyncd_flags
|
||||||
|
#
|
||||||
|
|
||||||
|
. /etc/rc.subr
|
||||||
|
|
||||||
|
name="dnscrypt-proxy"
|
||||||
|
rcvar=dnscrypt_proxy_enable
|
||||||
|
load_rc_config "$name"
|
||||||
|
pidfile="/var/run/$name.pid"
|
||||||
|
start_cmd=dnscrypt_proxy_start
|
||||||
|
stop_postcmd=dnscrypt_proxy_stop
|
||||||
|
|
||||||
|
: ${dnscrypt_proxy_enable="NO"}
|
||||||
|
: ${dnscrypt_proxy_flags="-config /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml"}
|
||||||
|
|
||||||
|
dnscrypt_proxy_start() {
|
||||||
|
echo "Starting dnscrypt-proxy..."
|
||||||
|
touch ${pidfile}
|
||||||
|
/usr/sbin/daemon -cS -T dnscrypt-proxy -p ${pidfile} /usr/dnscrypt-proxy/freebsd-amd64/dnscrypt-proxy ${dnscrypt_proxy_flags}
|
||||||
|
}
|
||||||
|
|
||||||
|
dnscrypt_proxy_stop() {
|
||||||
|
[ -f ${pidfile} ] && rm ${pidfile}
|
||||||
|
}
|
||||||
|
|
||||||
|
run_rc_command "$1"
|
@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
- name: daemon reload
|
||||||
|
systemd:
|
||||||
|
daemon_reload: true
|
||||||
|
|
||||||
|
- name: restart dnscrypt-proxy
|
||||||
|
service:
|
||||||
|
name: dnscrypt-proxy
|
||||||
|
state: restarted
|
@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
dependencies:
|
||||||
|
- role: common
|
||||||
|
tags: common
|
@ -0,0 +1,51 @@
|
|||||||
|
---
|
||||||
|
- name: FreeBSD | Ensure that the required directories exist
|
||||||
|
file:
|
||||||
|
path: "{{ item }}"
|
||||||
|
state: directory
|
||||||
|
with_items:
|
||||||
|
- "{{ config_prefix|default('/') }}etc/dnscrypt-proxy/"
|
||||||
|
- /usr/dnscrypt-proxy/
|
||||||
|
|
||||||
|
- name: Required tools installed
|
||||||
|
package:
|
||||||
|
name: gtar
|
||||||
|
|
||||||
|
- name: FreeBSD | Retrive the latest versions
|
||||||
|
uri:
|
||||||
|
url: https://api.github.com/repos/jedisct1/dnscrypt-proxy/releases/latest
|
||||||
|
register: dnscrypt_proxy_latest
|
||||||
|
ignore_errors: true
|
||||||
|
|
||||||
|
- name: FreeBSD | Set default dnscrypt-proxy assets
|
||||||
|
set_fact:
|
||||||
|
dnscrypt_proxy_latest:
|
||||||
|
json:
|
||||||
|
assets:
|
||||||
|
- name: "dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz"
|
||||||
|
browser_download_url: "https://github.com/jedisct1/dnscrypt-proxy/releases/download/{{ dnscrypt_proxy_version }}/dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz"
|
||||||
|
when: dnscrypt_proxy_latest.failed
|
||||||
|
|
||||||
|
- name: FreeBSD | Download the latest archive
|
||||||
|
get_url:
|
||||||
|
url: "{{ item['browser_download_url'] }}"
|
||||||
|
dest: "/tmp/dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz"
|
||||||
|
mode: '0755'
|
||||||
|
force: true
|
||||||
|
with_items: "{{ dnscrypt_proxy_latest['json']['assets'] }}"
|
||||||
|
no_log: true
|
||||||
|
when: '"freebsd_amd64" in item.name'
|
||||||
|
notify: restart dnscrypt-proxy
|
||||||
|
|
||||||
|
- name: FreeBSD | Extract the latest archive
|
||||||
|
unarchive:
|
||||||
|
remote_src: true
|
||||||
|
src: /tmp/dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz
|
||||||
|
dest: /usr/dnscrypt-proxy
|
||||||
|
|
||||||
|
- name: FreeBSD | Configure rc script
|
||||||
|
copy:
|
||||||
|
src: rc.dnscrypt-proxy.sh
|
||||||
|
dest: /usr/local/etc/rc.d/dnscrypt-proxy
|
||||||
|
mode: "0755"
|
||||||
|
notify: restart dnscrypt-proxy
|
@ -0,0 +1,23 @@
|
|||||||
|
---
|
||||||
|
- name: Include tasks for Ubuntu
|
||||||
|
include_tasks: ubuntu.yml
|
||||||
|
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
|
||||||
|
|
||||||
|
- name: Include tasks for FreeBSD
|
||||||
|
include_tasks: freebsd.yml
|
||||||
|
when: ansible_distribution == 'FreeBSD'
|
||||||
|
|
||||||
|
- name: dnscrypt-proxy configured
|
||||||
|
template:
|
||||||
|
src: dnscrypt-proxy.toml.j2
|
||||||
|
dest: "{{ config_prefix|default('/') }}etc/dnscrypt-proxy/dnscrypt-proxy.toml"
|
||||||
|
notify:
|
||||||
|
- restart dnscrypt-proxy
|
||||||
|
|
||||||
|
- name: dnscrypt-proxy enabled and started
|
||||||
|
service:
|
||||||
|
name: dnscrypt-proxy
|
||||||
|
state: started
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
- meta: flush_handlers
|
@ -0,0 +1,48 @@
|
|||||||
|
---
|
||||||
|
- name: Add the repository
|
||||||
|
apt_repository:
|
||||||
|
state: present
|
||||||
|
codename: artful
|
||||||
|
repo: ppa:shevchuk/dnscrypt-proxy
|
||||||
|
|
||||||
|
- name: Install dnscrypt-proxy
|
||||||
|
apt:
|
||||||
|
name: dnscrypt-proxy
|
||||||
|
state: latest
|
||||||
|
update_cache: true
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Ubuntu | Unbound profile for apparmor configured
|
||||||
|
copy:
|
||||||
|
src: apparmor.profile.dnscrypt-proxy
|
||||||
|
dest: /etc/apparmor.d/usr.sbin.dnscrypt-proxy
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0600
|
||||||
|
notify: restart dnscrypt-proxy
|
||||||
|
|
||||||
|
- name: Ubuntu | Enforce the dnscrypt-proxy AppArmor policy
|
||||||
|
command: aa-enforce usr.sbin.dnscrypt-proxy
|
||||||
|
changed_when: false
|
||||||
|
tags: apparmor
|
||||||
|
when: apparmor_enabled|default(false)|bool == true
|
||||||
|
|
||||||
|
- name: Ubuntu | Ensure that the dnscrypt-proxy service directory exist
|
||||||
|
file:
|
||||||
|
path: /etc/systemd/system/dnscrypt-proxy.service.d/
|
||||||
|
state: directory
|
||||||
|
mode: 0755
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
|
||||||
|
- name: Ubuntu | Setup the cgroup limitations for dnscrypt-proxy
|
||||||
|
copy:
|
||||||
|
dest: /etc/systemd/system/dnscrypt-proxy.service.d/100-CustomLimitations.conf
|
||||||
|
content: |
|
||||||
|
[Service]
|
||||||
|
MemoryLimit=16777216
|
||||||
|
CPUAccounting=true
|
||||||
|
CPUQuota=5%
|
||||||
|
notify:
|
||||||
|
- daemon-reload
|
||||||
|
- restart dnscrypt-proxy
|
@ -0,0 +1,465 @@
|
|||||||
|
|
||||||
|
##############################################
|
||||||
|
# #
|
||||||
|
# dnscrypt-proxy configuration #
|
||||||
|
# #
|
||||||
|
##############################################
|
||||||
|
|
||||||
|
## This is an example configuration file.
|
||||||
|
## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"
|
||||||
|
##
|
||||||
|
## Online documentation is available here: https://dnscrypt.info/doc
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
##################################
|
||||||
|
# Global settings #
|
||||||
|
##################################
|
||||||
|
|
||||||
|
## List of servers to use
|
||||||
|
##
|
||||||
|
## Servers from the "public-resolvers" source (see down below) can
|
||||||
|
## be viewed here: https://dnscrypt.info/public-servers
|
||||||
|
##
|
||||||
|
## If this line is commented, all registered servers matching the require_* filters
|
||||||
|
## will be used.
|
||||||
|
##
|
||||||
|
## The proxy will automatically pick the fastest, working servers from the list.
|
||||||
|
## Remove the leading # first to enable this; lines starting with # are ignored.
|
||||||
|
|
||||||
|
server_names = ['{{ dns_encryption_provider }}'{% if ipv6_support|d(false)|bool == true and dns_encryption_provider == "cloudflare" %}, '{{ dns_encryption_provider }}-ipv6' {% endif %} ]
|
||||||
|
|
||||||
|
|
||||||
|
## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
|
||||||
|
## Note: When using systemd socket activation, choose an empty set (i.e. [] ).
|
||||||
|
|
||||||
|
listen_addresses = ['{{ local_service_ip }}:{{ listen_port }}']
|
||||||
|
|
||||||
|
|
||||||
|
## Maximum number of simultaneous client connections to accept
|
||||||
|
|
||||||
|
max_clients = 250
|
||||||
|
|
||||||
|
|
||||||
|
## Require servers (from static + remote sources) to satisfy specific properties
|
||||||
|
|
||||||
|
# Use servers reachable over IPv4
|
||||||
|
ipv4_servers = true
|
||||||
|
|
||||||
|
# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
|
||||||
|
ipv6_servers = {{ ipv6_support|default(false) | bool | lower }}
|
||||||
|
|
||||||
|
# Use servers implementing the DNSCrypt protocol
|
||||||
|
dnscrypt_servers = true
|
||||||
|
|
||||||
|
# Use servers implementing the DNS-over-HTTPS protocol
|
||||||
|
doh_servers = true
|
||||||
|
|
||||||
|
|
||||||
|
## Require servers defined by remote sources to satisfy specific properties
|
||||||
|
|
||||||
|
# Server must support DNS security extensions (DNSSEC)
|
||||||
|
require_dnssec = true
|
||||||
|
|
||||||
|
# Server must not log user queries (declarative)
|
||||||
|
require_nolog = true
|
||||||
|
|
||||||
|
# Server must not enforce its own blacklist (for parental control, ads blocking...)
|
||||||
|
require_nofilter = true
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
## Always use TCP to connect to upstream servers
|
||||||
|
|
||||||
|
force_tcp = false
|
||||||
|
|
||||||
|
|
||||||
|
## How long a DNS query will wait for a response, in milliseconds
|
||||||
|
|
||||||
|
timeout = 2500
|
||||||
|
|
||||||
|
|
||||||
|
## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds
|
||||||
|
|
||||||
|
keepalive = 30
|
||||||
|
|
||||||
|
|
||||||
|
## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random'
|
||||||
|
|
||||||
|
lb_strategy = 'p2'
|
||||||
|
|
||||||
|
|
||||||
|
## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)
|
||||||
|
|
||||||
|
log_level = 2
|
||||||
|
|
||||||
|
|
||||||
|
## log file for the application
|
||||||
|
|
||||||
|
# log_file = 'dnscrypt-proxy.log'
|
||||||
|
|
||||||
|
|
||||||
|
## Use the system logger (syslog on Unix, Event Log on Windows)
|
||||||
|
|
||||||
|
use_syslog = true
|
||||||
|
|
||||||
|
|
||||||
|
## Delay, in minutes, after which certificates are reloaded
|
||||||
|
|
||||||
|
cert_refresh_delay = 240
|
||||||
|
|
||||||
|
|
||||||
|
## DNSCrypt: Create a new, unique key for every single DNS query
|
||||||
|
## This may improve privacy but can also have a significant impact on CPU usage
|
||||||
|
## Only enable if you don't have a lot of network load
|
||||||
|
|
||||||
|
dnscrypt_ephemeral_keys = true
|
||||||
|
|
||||||
|
|
||||||
|
## DoH: Disable TLS session tickets - increases privacy but also latency
|
||||||
|
|
||||||
|
tls_disable_session_tickets = true
|
||||||
|
|
||||||
|
|
||||||
|
## DoH: Use a specific cipher suite instead of the server preference
|
||||||
|
## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||||
|
## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||||
|
## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
|
||||||
|
## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
|
||||||
|
##
|
||||||
|
## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
|
||||||
|
## the following suite improves performance.
|
||||||
|
## This may also help on Intel CPUs running 32-bit operating systems.
|
||||||
|
##
|
||||||
|
## Keep tls_cipher_suite empty if you have issues fetching sources or
|
||||||
|
## connecting to some DoH servers. Google and Cloudflare are fine with it.
|
||||||
|
|
||||||
|
tls_cipher_suite = [49195]
|
||||||
|
|
||||||
|
|
||||||
|
## Fallback resolver
|
||||||
|
## This is a normal, non-encrypted DNS resolver, that will be only used
|
||||||
|
## for one-shot queries when retrieving the initial resolvers list, and
|
||||||
|
## only if the system DNS configuration doesn't work.
|
||||||
|
## No user application queries will ever be leaked through this resolver,
|
||||||
|
## and it will not be used after IP addresses of resolvers URLs have been found.
|
||||||
|
## It will never be used if lists have already been cached, and if stamps
|
||||||
|
## don't include host names without IP addresses.
|
||||||
|
## It will not be used if the configured system DNS works.
|
||||||
|
## A resolver supporting DNSSEC is recommended. This may become mandatory.
|
||||||
|
##
|
||||||
|
## People in China may need to use 114.114.114.114:53 here.
|
||||||
|
## Other popular options include 8.8.8.8 and 1.1.1.1.
|
||||||
|
|
||||||
|
fallback_resolver = '1.1.1.1:53'
|
||||||
|
|
||||||
|
|
||||||
|
## Never try to use the system DNS settings; unconditionally use the
|
||||||
|
## fallback resolver.
|
||||||
|
|
||||||
|
ignore_system_dns = true
|
||||||
|
|
||||||
|
|
||||||
|
## Automatic log files rotation
|
||||||
|
|
||||||
|
# Maximum log files size in MB
|
||||||
|
log_files_max_size = 10
|
||||||
|
|
||||||
|
# How long to keep backup files, in days
|
||||||
|
log_files_max_age = 7
|
||||||
|
|
||||||
|
# Maximum log files backups to keep (or 0 to keep all backups)
|
||||||
|
log_files_max_backups = 1
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
#########################
|
||||||
|
# Filters #
|
||||||
|
#########################
|
||||||
|
|
||||||
|
## Immediately respond to IPv6-related queries with an empty response
|
||||||
|
## This makes things faster when there is no IPv6 connectivity, but can
|
||||||
|
## also cause reliability issues with some stub resolvers. In
|
||||||
|
## particular, enabling this on macOS is not recommended.
|
||||||
|
|
||||||
|
block_ipv6 = false
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
##################################################################################
|
||||||
|
# Route queries for specific domains to a dedicated set of servers #
|
||||||
|
##################################################################################
|
||||||
|
|
||||||
|
## Example map entries (one entry per line):
|
||||||
|
## example.com 9.9.9.9
|
||||||
|
## example.net 9.9.9.9,8.8.8.8,1.1.1.1
|
||||||
|
|
||||||
|
# forwarding_rules = 'forwarding-rules.txt'
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
###############################
|
||||||
|
# Cloaking rules #
|
||||||
|
###############################
|
||||||
|
|
||||||
|
## Cloaking returns a predefined address for a specific name.
|
||||||
|
## In addition to acting as a HOSTS file, it can also return the IP address
|
||||||
|
## of a different name. It will also do CNAME flattening.
|
||||||
|
##
|
||||||
|
## Example map entries (one entry per line)
|
||||||
|
## example.com 10.1.1.1
|
||||||
|
## www.google.com forcesafesearch.google.com
|
||||||
|
|
||||||
|
# cloaking_rules = 'cloaking-rules.txt'
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
###########################
|
||||||
|
# DNS cache #
|
||||||
|
###########################
|
||||||
|
|
||||||
|
## Enable a DNS cache to reduce latency and outgoing traffic
|
||||||
|
|
||||||
|
cache = true
|
||||||
|
|
||||||
|
|
||||||
|
## Cache size
|
||||||
|
|
||||||
|
cache_size = 512
|
||||||
|
|
||||||
|
|
||||||
|
## Minimum TTL for cached entries
|
||||||
|
|
||||||
|
cache_min_ttl = 600
|
||||||
|
|
||||||
|
|
||||||
|
## Maximum TTL for cached entries
|
||||||
|
|
||||||
|
cache_max_ttl = 86400
|
||||||
|
|
||||||
|
|
||||||
|
## TTL for negatively cached entries
|
||||||
|
|
||||||
|
cache_neg_ttl = 60
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
###############################
|
||||||
|
# Query logging #
|
||||||
|
###############################
|
||||||
|
|
||||||
|
## Log client queries to a file
|
||||||
|
|
||||||
|
[query_log]
|
||||||
|
|
||||||
|
## Path to the query log file (absolute, or relative to the same directory as the executable file)
|
||||||
|
|
||||||
|
# file = 'query.log'
|
||||||
|
|
||||||
|
|
||||||
|
## Query log format (currently supported: tsv and ltsv)
|
||||||
|
|
||||||
|
format = 'tsv'
|
||||||
|
|
||||||
|
|
||||||
|
## Do not log these query types, to reduce verbosity. Keep empty to log everything.
|
||||||
|
|
||||||
|
# ignored_qtypes = ['DNSKEY', 'NS']
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
############################################
|
||||||
|
# Suspicious queries logging #
|
||||||
|
############################################
|
||||||
|
|
||||||
|
## Log queries for nonexistent zones
|
||||||
|
## These queries can reveal the presence of malware, broken/obsolete applications,
|
||||||
|
## and devices signaling their presence to 3rd parties.
|
||||||
|
|
||||||
|
[nx_log]
|
||||||
|
|
||||||
|
## Path to the query log file (absolute, or relative to the same directory as the executable file)
|
||||||
|
|
||||||
|
# file = 'nx.log'
|
||||||
|
|
||||||
|
|
||||||
|
## Query log format (currently supported: tsv and ltsv)
|
||||||
|
|
||||||
|
format = 'tsv'
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
######################################################
|
||||||
|
# Pattern-based blocking (blacklists) #
|
||||||
|
######################################################
|
||||||
|
|
||||||
|
## Blacklists are made of one pattern per line. Example of valid patterns:
|
||||||
|
##
|
||||||
|
## example.com
|
||||||
|
## =example.com
|
||||||
|
## *sex*
|
||||||
|
## ads.*
|
||||||
|
## ads*.example.*
|
||||||
|
## ads*.example[0-9]*.com
|
||||||
|
##
|
||||||
|
## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
|
||||||
|
## A script to build blacklists from public feeds can be found in the
|
||||||
|
## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.
|
||||||
|
|
||||||
|
[blacklist]
|
||||||
|
|
||||||
|
## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
|
||||||
|
|
||||||
|
# blacklist_file = 'blacklist.txt'
|
||||||
|
|
||||||
|
|
||||||
|
## Optional path to a file logging blocked queries
|
||||||
|
|
||||||
|
# log_file = 'blocked.log'
|
||||||
|
|
||||||
|
|
||||||
|
## Optional log format: tsv or ltsv (default: tsv)
|
||||||
|
|
||||||
|
# log_format = 'tsv'
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
###########################################################
|
||||||
|
# Pattern-based IP blocking (IP blacklists) #
|
||||||
|
###########################################################
|
||||||
|
|
||||||
|
## IP blacklists are made of one pattern per line. Example of valid patterns:
|
||||||
|
##
|
||||||
|
## 127.*
|
||||||
|
## fe80:abcd:*
|
||||||
|
## 192.168.1.4
|
||||||
|
|
||||||
|
[ip_blacklist]
|
||||||
|
|
||||||
|
## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
|
||||||
|
|
||||||
|
# blacklist_file = 'ip-blacklist.txt'
|
||||||
|
|
||||||
|
|
||||||
|
## Optional path to a file logging blocked queries
|
||||||
|
|
||||||
|
# log_file = 'ip-blocked.log'
|
||||||
|
|
||||||
|
|
||||||
|
## Optional log format: tsv or ltsv (default: tsv)
|
||||||
|
|
||||||
|
# log_format = 'tsv'
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
######################################################
|
||||||
|
# Pattern-based whitelisting (blacklists bypass) #
|
||||||
|
######################################################
|
||||||
|
|
||||||
|
## Whitelists support the same patterns as blacklists
|
||||||
|
## If a name matches a whitelist entry, the corresponding session
|
||||||
|
## will bypass names and IP filters.
|
||||||
|
##
|
||||||
|
## Time-based rules are also supported to make some websites only accessible at specific times of the day.
|
||||||
|
|
||||||
|
[whitelist]
|
||||||
|
|
||||||
|
## Path to the file of whitelisting rules (absolute, or relative to the same directory as the executable file)
|
||||||
|
|
||||||
|
# whitelist_file = 'whitelist.txt'
|
||||||
|
|
||||||
|
|
||||||
|
## Optional path to a file logging whitelisted queries
|
||||||
|
|
||||||
|
# log_file = 'whitelisted.log'
|
||||||
|
|
||||||
|
|
||||||
|
## Optional log format: tsv or ltsv (default: tsv)
|
||||||
|
|
||||||
|
# log_format = 'tsv'
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
##########################################
|
||||||
|
# Time access restrictions #
|
||||||
|
##########################################
|
||||||
|
|
||||||
|
## One or more weekly schedules can be defined here.
|
||||||
|
## Patterns in the name-based blocklist can optionally be followed with @schedule_name
|
||||||
|
## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
|
||||||
|
##
|
||||||
|
## For example, the following rule in a blacklist file:
|
||||||
|
## *.youtube.* @time-to-sleep
|
||||||
|
## would block access to YouTube only during the days, and period of the days
|
||||||
|
## define by the 'time-to-sleep' schedule.
|
||||||
|
##
|
||||||
|
## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
|
||||||
|
## {after= '9:00', before='18:00'} matches 9:00-18:00
|
||||||
|
|
||||||
|
[schedules]
|
||||||
|
|
||||||
|
# [schedules.'time-to-sleep']
|
||||||
|
# mon = [{after='21:00', before='7:00'}]
|
||||||
|
# tue = [{after='21:00', before='7:00'}]
|
||||||
|
# wed = [{after='21:00', before='7:00'}]
|
||||||
|
# thu = [{after='21:00', before='7:00'}]
|
||||||
|
# fri = [{after='23:00', before='7:00'}]
|
||||||
|
# sat = [{after='23:00', before='7:00'}]
|
||||||
|
# sun = [{after='21:00', before='7:00'}]
|
||||||
|
|
||||||
|
# [schedules.'work']
|
||||||
|
# mon = [{after='9:00', before='18:00'}]
|
||||||
|
# tue = [{after='9:00', before='18:00'}]
|
||||||
|
# wed = [{after='9:00', before='18:00'}]
|
||||||
|
# thu = [{after='9:00', before='18:00'}]
|
||||||
|
# fri = [{after='9:00', before='17:00'}]
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
#########################
|
||||||
|
# Servers #
|
||||||
|
#########################
|
||||||
|
|
||||||
|
## Remote lists of available servers
|
||||||
|
## Multiple sources can be used simultaneously, but every source
|
||||||
|
## requires a dedicated cache file.
|
||||||
|
##
|
||||||
|
## Refer to the documentation for URLs of public sources.
|
||||||
|
##
|
||||||
|
## A prefix can be prepended to server names in order to
|
||||||
|
## avoid collisions if different sources share the same for
|
||||||
|
## different servers. In that case, names listed in `server_names`
|
||||||
|
## must include the prefixes.
|
||||||
|
##
|
||||||
|
## If the `urls` property is missing, cache files and valid signatures
|
||||||
|
## must be already present; This doesn't prevent these cache files from
|
||||||
|
## expiring after `refresh_delay` hours.
|
||||||
|
|
||||||
|
[sources]
|
||||||
|
|
||||||
|
## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
|
||||||
|
|
||||||
|
[sources.'public-resolvers']
|
||||||
|
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
|
||||||
|
cache_file = 'public-resolvers.md'
|
||||||
|
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
|
||||||
|
refresh_delay = 72
|
||||||
|
prefix = ''
|
||||||
|
|
||||||
|
## Another example source, with resolvers censoring some websites not appropriate for children
|
||||||
|
## This is a subset of the `public-resolvers` list, so enabling both is useless
|
||||||
|
|
||||||
|
# [sources.'parental-control']
|
||||||
|
# urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md']
|
||||||
|
# cache_file = 'parental-control.md'
|
||||||
|
# minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
## Optional, local, static list of additional servers
|
||||||
|
## Mostly useful for testing your own servers.
|
||||||
|
|
||||||
|
[static]
|
||||||
|
|
||||||
|
# [static.'google']
|
||||||
|
# stamp = 'sdns://AgUAAAAAAAAAAAAOZG5zLmdvb2dsZS5jb20NL2V4cGVyaW1lbnRhbA'
|
Loading…
Reference in New Issue