#################################################### # # # Encrypted DNS Server configuration # # # #################################################### ################################## # Global settings # ################################## ## IP addresses and ports to listen to, as well as their external IP ## If there is no NAT involved, `local` and `external` can be the same. ## As many addresses as needed can be configured here, IPv4 and/or IPv6. ## You should at least change the `external` IP address. ### Example with both IPv4 and IPv6 addresses: # listen_addrs = [ # { local = "0.0.0.0:443", external = "198.51.100.1:443" }, # { local = "[::]:443", external = "[2001:db8::1]:443" } # ] listen_addrs = [ @LISTEN_ADDRESSES@ ] ## Upstream DNS server and port upstream_addr = "127.0.0.1:553" ## File name to save the state to state_file = "/opt/encrypted-dns/etc/keys/state/encrypted-dns.state" ## UDP timeout in seconds udp_timeout = 10 ## TCP timeout in seconds tcp_timeout = 10 ## Maximum active UDP sockets udp_max_active_connections = 1000 ## Maximum active TCP connections tcp_max_active_connections = 100 ## Optional IP address to connect to upstream servers from. ## Leave commented/undefined to automatically select it. # external_addr = "0.0.0.0" ## Built-in DNS cache capacity cache_capacity = 150000 ## DNS cache: minimum TTL cache_ttl_min = 3600 ## DNS cache: max TTL cache_ttl_max = 86400 ## DNS cache: error TTL cache_ttl_error = 600 ## DNS cache: to avoid bursts of traffic for popular queries when an ## RRSET expires, hold a TTL received from an upstream server for ## `client_ttl_holdon` seconds before decreasing it in client responses. client_ttl_holdon = 60 ## Run as a background process daemonize = false ## Log file # log_file = "/tmp/encrypted-dns.log" ## PID file # pid_file = "/tmp/encrypted-dns.pid" ## User name to drop privileges to, when started as root. user = "_encrypted-dns" ## Group name to drop privileges to, when started as root. group = "_encrypted-dns" ## Path to chroot() to, when started as root. ## The path to the state file is relative to the chroot base. # chroot = "/var/empty" ## Queries sent to that name will return the client IP address. ## This can be very useful for debugging, or to check that relaying works. # my_ip = "my.ip" #################################### # DNSCrypt settings # #################################### [dnscrypt] ## Provider name (with or without the `2.dnscrypt-cert.` prefix) provider_name = "@PROVIDER_NAME@" ## Does the server support DNSSEC? dnssec = true ## Does the server always returns correct answers (no filtering, including ad blocking)? no_filters = true ## Set to `true` if the server doesn't keep any information that can be used to identify users no_logs = true ## Key cache capacity, per certificate key_cache_capacity = 10000 ############################### # TLS settings # ############################### [tls] ## Where to proxy TLS connections to (e.g. DoH server) # upstream_addr = "127.0.0.1:4343" @TLS_PROXY_CONFIGURATION@ ####################################### # Server-side filtering # ####################################### [filtering] ## List of domains to block, one per line @DOMAIN_BLACKLIST_CONFIGURATION@ ## List of undelegated TLDs ## This is the list of nonexistent TLDs that queries are frequently observed for, ## but will never resolve to anything. The server will immediately return a ## synthesized NXDOMAIN response instead of hitting root servers. undelegated_list = "/opt/encrypted-dns/etc/undelegated.txt" ## Ignore A and AAAA queries for unqualified host names. ignore_unqualified_hostnames = true ######################### # Metrics # ######################### [metrics] type = "prometheus" listen_addr = "@METRICS_ADDRESS@" path = "/metrics" ################################ # Anonymized DNS # ################################ [anonymized_dns] # Enable relaying support for Anonymized DNS enabled = @ANONDNS_ENABLED@ # Allowed upstream ports # This is a list of commonly used ports for encrypted DNS services allowed_ports = [ 443, 553, 853, 1443, 2053, 4343, 4434, 4443, 5353, 5443, 8443, 15353 ] # Allow all ports >= 1024 in addition to the list above allow_non_reserved_ports = false # Blacklisted upstream IP addresses blacklisted_ips = [ @ANONDNS_BLACKLISTED_IPS@ ] ################################ # Access control # ################################ [access_control] # Enable access control enabled = false # Only allow access to client queries including one of these random tokens # Tokens can be configured in the `query_meta` section of `dnscrypt-proxy` as # `query_meta = ["token:..."]` -- Replace ... with the token to use by the client. # Example: `query_meta = ["token:Y2oHkDJNHz"]` tokens = ["Y2oHkDJNHz", "G5zY3J5cHQtY", "C5zZWN1cmUuZG5z"]