diff --git a/Cargo.toml b/Cargo.toml
index d905890..72e51d2 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -3,7 +3,7 @@ name = "encrypted-dns"
 version = "0.1.6"
 authors = ["Frank Denis "]
 edition = "2018"
-description = "A modern encrypted DNS server (DNSCrypt, Anonymized DNSCrypt, DoH)"
+description = "A modern encrypted DNS server (DNSCrypt v2, Anonymized DNSCrypt, DoH)"
 keywords = ["dnscrypt", "encryption", "dns", "doh", "proxy"]
 license = "MIT"
 homepage = "https://github.com/jedisct1/encrypted-dns-server"
@@ -13,13 +13,13 @@ readme = "README.md"
 [dependencies]
 byteorder = "1.3.2"
-clap = { version="2.33.0", features=["wrap_help", "nightly"] }
+clap = { version="2.33.0", default-features = false, features=["wrap_help", "nightly"] }
 clockpro-cache = "0.1.8"
 coarsetime = "0.1.11"
 daemonize-simple = "0.1.2"
 derivative = "1.0.3"
 dnsstamps = "0.1.1"
-env_logger = "0.6.2"
+env_logger = { version="0.6.2", default-features = false, features = ["humantime"]}
 failure = "0.1.5"
 futures-preview = { version = "=0.3.0-alpha.18", features = ["async-await", "nightly", "cfg-target-has-atomic"] }
 jemallocator = "0.3.2"
diff --git a/README.md b/README.md
index 24a971c..ff744b5 100644
--- a/README.md
+++ b/README.md
@@ -57,7 +57,9 @@ That resolver can run locally and only respond to `127.0.0.1`. External resolver
 In order to support DoH in addition to DNSCrypt, a DoH proxy must be running as well. [rust-doh](https://github.com/jedisct1/rust-doh) is the recommended DoH proxy server. DoH support is optional, as it is currently way more complicated to setup than DNSCrypt due to certificate management.
-Review the [`encrypted-dns.toml`](https://raw.githubusercontent.com/jedisct1/encrypted-dns-server/master/encrypted-dns.toml) configuration file. This is where all the parameters can be configured, including the IP addresses to listen to. You should probably at least change the `provider_name` setting.
+Review the [`encrypted-dns.toml`](https://raw.githubusercontent.com/jedisct1/encrypted-dns-server/master/encrypted-dns.toml) configuration file. This is where all the parameters can be configured, including the IP addresses to listen to.
+
+You should probably at least change the `listen_addresses` and `provider_name` settings.
 Start the proxy. It will automatically create a new provider key pair if there isn't any.
diff --git a/encrypted-dns.toml b/encrypted-dns.toml
index 1d2c454..a53fe7e 100644
--- a/encrypted-dns.toml
+++ b/encrypted-dns.toml
@@ -11,10 +11,14 @@
 ##################################
-## IP addresses and ports to listen to
-
-listen_addrs = ["0.0.0.0:443", "[::1]:4443"]
+## IP addresses and ports to listen to, as well as their external IP
+## If there is no NAT involved, `local` and `external` can be the same.
+## As many addresses as needed can be configured here, IPv4 and/or IPv6.
+listen_addrs = [
+{ local = "0.0.0.0:443", external = "198.51.100.1:443" },
+{ local = "[::]:443", external = "[2001:db8::1]:443" }
+]
 ## IP address to connect to upstream servers from
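Review bot: The `external` values in the new sample are documentation-range placeholders (198.51.100.1 and 2001:db8::1), and main.rs in this commit embeds `external` verbatim in the published DNS stamp, so an operator who starts from this file without editing it advertises a server nobody can reach; the comment should say so, e.g. `## `external` is embedded verbatim in the published DNS stamp: replace these RFC 5737/RFC 3849 placeholders with the address clients actually reach.` The IPv6 entry also moved from loopback `[::1]:4443` to the wildcard `[::]:443`, so the sample now binds every interface by default, which is worth a sentence in the same comment. The README change in this commit calls the key `listen_addresses`, while the key here is `listen_addrs`; one of the two should be corrected. The context lines after `## IP address to connect to upstream servers from` appear to have been lost in extraction, so the tail of this hunk could not be reviewed.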
@@ -114,6 +118,21 @@ daemonize = false
 provider_name = "secure.dns.test"
+## Does the server support DNSSEC?
+
+dnssec = true
+
+
+## Does the server always returns correct answers (no filtering, including ad blocking)?
+
+no_filters = true
+
+
+## Set to `true` if the server doesn't keep any information that can be used to identify users
+
+no_logs = true
+
+
 ## Key cache capacity, per certificate
 key_cache_capacity = 10000
diff --git a/src/config.rs b/src/config.rs
index ef90b1d..a53bd1e 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -13,6 +13,9 @@ use tokio::prelude::*;
 pub struct DNSCryptConfig {
 pub provider_name: String,
 pub key_cache_capacity: usize,
+pub dnssec: bool,
+pub no_filters: bool,
+pub no_logs: bool,
 }
 #[derive(Serialize, Deserialize, Debug)]
@@ -20,9 +23,15 @@ pub struct TLSConfig {
 pub upstream_addr: Option,
 }
+#[derive(Serialize, Deserialize, Debug)]
+pub struct ListenAddrConfig {
+pub local: SocketAddr,
+pub external: SocketAddr,
+}
+
 #[derive(Serialize, Deserialize, Debug)]
 pub struct Config {
-pub listen_addrs: Vec,
+pub listen_addrs: Vec,
 pub external_addr: IpAddr,
 pub upstream_addr: SocketAddr,
 pub state_file: PathBuf,
diff --git a/src/main.rs b/src/main.rs
index 042bfcd..6d44d19 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -388,6 +388,12 @@ fn main() -> Result<(), Error> {
 .takes_value(true)
 .help("Path to the dnscrypt-wrapper secret key"),
 )
+.arg(
+Arg::with_name("dry-run")
+.long("dry-run")
+.takes_value(false)
+.help("Only print the connection information and quit"),
+)
 .get_matches();
 let config_path = matches.value_of("config").unwrap();
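Review bot: All three new keys ship as `true`, so a freshly installed server advertises DNSSEC, no-filters and no-logs to every client through the stamp (main.rs in this commit adds the informal properties only when these are set), even though nothing in this server verifies that the upstream resolver validates DNSSEC or that the host keeps no logs. A conservative sample would set `dnssec = false`, `no_filters = false` and `no_logs = false` and make the operator flip them deliberately, with a comment such as `## These flags are advertised to clients in the DNS stamp; they are claims, not enforced behaviour. Only enable them if they are true of the upstream resolver and of this host.` The line `## Does the server always returns correct answers` should read `return`.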
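Review bot: The three new `bool` fields carry no `#[serde(default)]`, so any `encrypted-dns.toml` written before this commit stops deserialising with a missing-field error (presuming `DNSCryptConfig` derives `Deserialize` like the neighbouring structs; its derive line is above the hunk). Writing them as `#[serde(default)] pub dnssec: bool,`, `#[serde(default)] pub no_filters: bool,` and `#[serde(default)] pub no_logs: bool,` keeps old configs loading and defaults the advertised properties to `false`, the safe direction for claims made to clients. That is a deliberate change from the previous behaviour, where all three were always advertised, so the upgrade note should tell operators they now have to opt in.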
@@ -448,21 +454,29 @@ fn main() -> Result<(), Error> {
 };
 let provider_kp = state.provider_kp;
 for listen_addr_s in &config.listen_addrs {
-info!("Server address: {}", listen_addr_s);
+info!("Public server address: {}", listen_addr_s.external);
 info!("Provider public key: {}", provider_kp.pk.as_string());
 info!("Provider name: {}", provider_name);
-let stamp = dnsstamps::DNSCryptBuilder::new(dnsstamps::DNSCryptProvider::new(
+let mut stamp = dnsstamps::DNSCryptBuilder::new(dnsstamps::DNSCryptProvider::new(
 provider_name.clone(),
 provider_kp.pk.as_bytes().to_vec(),
 ))
-.with_addr(listen_addr_s.to_string())
-.with_informal_property(InformalProperty::DNSSEC)
-.with_informal_property(InformalProperty::NoFilters)
-.with_informal_property(InformalProperty::NoLogs)
-.serialize()
-.unwrap();
+.with_addr(listen_addr_s.external.to_string());
+if config.dnscrypt.dnssec {
+stamp = stamp.with_informal_property(InformalProperty::DNSSEC);
+}
+if config.dnscrypt.no_filters {
+stamp = stamp.with_informal_property(InformalProperty::NoFilters);
+}
+if config.dnscrypt.no_logs {
+stamp = stamp.with_informal_property(InformalProperty::NoLogs);
+}
+let stamp = stamp.serialize().unwrap();
 info!("DNS Stamp: {}", stamp);
 }
+if matches.is_present("dry-run") {
+return Ok(());
+}
 let dnscrypt_encryption_params_set = state
 .dnscrypt_encryption_params_set
 .into_iter()
@@ -488,7 +502,7 @@ fn main() -> Result<(), Error> {
 ))),
 provider_name,
 provider_kp,
-listen_addrs: config.listen_addrs,
+listen_addrs: config.listen_addrs.iter().map(|x| x.local).collect(),
 upstream_addr: config.upstream_addr,
 tls_upstream_addr: config.tls.upstream_addr,
 external_addr,
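Review bot: `listen_addr_s.external` goes into the stamp through `with_addr` with no sanity check, so an `external` of `0.0.0.0:443` or `[::]:443` (the sample config's `local` values, which its comment invites operators to copy when there is no NAT) produces a published stamp pointing at an unspecified address. A guard before the builder, `if listen_addr_s.external.ip().is_unspecified() { bail!("external address {} is not routable; set `external` to the public address clients connect to", listen_addr_s.external); }` (failure's `bail!`, assuming it is in scope), would fail fast at startup instead. The `--dry-run` check sits after `state.provider_kp` has been taken from the loaded state, so if the state file and key pair are created earlier in `main` (the README says a key pair is generated when none exists), a dry run still writes that file; either check the flag before state creation or say so in the `--dry-run` help text rather than "only print ... and quit". `main` starts and ends outside this hunk.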