# Empty listen_addresses to use systemd socket activation (Debian) listen_addresses = [] # When not using socket activation (Arch), 127.0.2.1:53 is what the Debian # socket seems to give for all of my systems so I want to listen on it for # compatibility + I want to run Unbound in front of DNSCrypt-proxy # (see etc/unbound/unbound.conf.d/dnscrypt-proxy.conf) #listen_addresses = ['127.0.2.1:53'] # mikaela.internal / my hosts file #cloaking_rules = '/etc/dnscrypt-proxy/hosts-mikaela.txt' # When server_names isn't specified the criteria below disabled_server_names # gets used, if it's specified, this overrides the criteria. # Quad9, I had this line on one family computer which regardless of bad # network conditions (Huawei router forgetting IPv6 + CGN + NAT) failed less # queries than another, so I decided this is worth having noted somewhere. #server_names = ['public-quad9-dnscrypt-ip4-filter-pri', 'public-quad9-dnscrypt-ip4-filter-alt', 'public-quad9-dnscrypt-ip6-filter-pri', 'public-quad9-dnscrypt-ip6-filter-alt', 'public-quad9-doh-ip4-filter-pri', 'public-quad9-doh-ip4-filter-alt', 'public-quad9-doh-ip6-filter-pri', 'public-quad9-doh-ip6-filter-alt'] # Server names to never use even if they match the criteria below. I think # Cloudflare is too big and as it gets selected by default everywhere other # resolvers won't even get attempted. There is also Mozilla planning to send # all Firefox DNS queries to them. # However through Tor Cloudflare never seems to be the fastest so I am # leaving this commented. # This is unsupported in the Debian's version 2.0.19. #disabled_server_names = ['public-cloudflare-ipv6', 'public-cloudflare'] # Requirements for which servers to use ipv4_servers = true ipv6_servers = true block_ipv6 = false require_dnssec = true require_nofilter = true require_nolog = true # Resolver to use for the initial queries, DNSSEC capable one recommended. # China: 114.114.114.114:53 according to the example file. Default is # currently 9.9.9.9 and I can follow the defaults. #fallback_resolver = '149.112.112.112:53' # Ensure syslog use_syslog = true # Cert reload time in minutes (see refresh_delay under sources for them) cert_refresh_delay = 240 # Shouldn't take that much MEM and I imagine it's subject to TTL anyway. cache = true cache_size = 10000 # Load-balancing # fastest (first in 2.0.24+)= always fastest, p2 = random between two fastest, ph = random # from the fastest half of the configured list, random = any random # https://github.com/jedisct1/dnscrypt-proxy/wiki/Load-Balancing-Options lb_strategy = 'p2' # Tor if necessary #force_tcp = true # Experience: this port shouldn't have IsolateDestAddr/IsolateDestPort or # Tor may be unhappy due to the amount of circuits opened. Different ports # are already isolated from each other and I think dnscrypt-proxy should # mostly be connecting to the top fastest servers with lb_strategy p2 #proxy = "socks5://dnscrypt-proxy:randompasswordhere123613413671@127.0.0.1:9052" # Logging to be enabled by hand on systems needing them #[query_log] # file = '/var/log/dnscrypt-proxy/query.log' #[nx_log] # file = '/var/log/dnscrypt-proxy/nx.log' [sources] [sources.'public-resolvers'] #url = 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md' urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md', 'https://cdn.staticaly.com/gh/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://evilvibes.com/list/public-resolvers.md'] cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md' minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' refresh_delay = 72 prefix = 'public-' [sources.'opennic'] urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/opennic.md', 'https://download.dnscrypt.info/resolvers-list/v2/opennic.md'] minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' refresh_delay = 72 cache_file = '/var/cache/dnscrypt-proxy/opennic.md' prefix = 'opennic-' # 2.0.23 recommended so onions won't be attempted without proxy enabled # (5c9edfccfe67474bee2836ada67f955f10e43357) # I won't uncomment this until I have updated version everywhere. #[sources.'onion-services'] # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/onion-services.md', 'https://download.dnscrypt.info/resolvers-list/v2/onion-services.md'] # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' # cache_file = '/var/cache/dnscrypt-proxy/onion-services.md' # prefix = 'onion-'