shell-things/etc/dnscrypt-proxy/dnscrypt-proxy.toml

96 lines
4.6 KiB
TOML

# Empty listen_addresses to use systemd socket activation (Debian)
listen_addresses = []
# When not using socket activation (Arch), 127.0.2.1:53 is what the Debian
# socket seems to give for all of my systems so I want to listen on it for
# compatibility + I want to run Unbound in front of DNSCrypt-proxy
# (see etc/unbound/unbound.conf.d/dnscrypt-proxy.conf)
#listen_addresses = ['127.0.2.1:53']
# mikaela.internal / my hosts file
#cloaking_rules = '/etc/dnscrypt-proxy/hosts-mikaela.txt'
# When server_names isn't specified the criteria below disabled_server_names
# gets used, if it's specified, this overrides the criteria.
# Quad9, I had this line on one family computer which regardless of bad
# network conditions (Huawei router forgetting IPv6 + CGN + NAT) failed less
# queries than another, so I decided this is worth having noted somewhere.
#server_names = ['public-quad9-dnscrypt-ip4-filter-pri', 'public-quad9-dnscrypt-ip4-filter-alt', 'public-quad9-dnscrypt-ip6-filter-pri', 'public-quad9-dnscrypt-ip6-filter-alt', 'public-quad9-doh-ip4-filter-pri', 'public-quad9-doh-ip4-filter-alt', 'public-quad9-doh-ip6-filter-pri', 'public-quad9-doh-ip6-filter-alt']
# Server names to never use even if they match the criteria below. I think
# Cloudflare is too big and as it gets selected by default everywhere other
# resolvers won't even get attempted. There is also Mozilla planning to send
# all Firefox DNS queries to them.
# However through Tor Cloudflare never seems to be the fastest so I am
# leaving this commented.
# This is unsupported in the Debian's version 2.0.19.
#disabled_server_names = ['public-cloudflare-ipv6', 'public-cloudflare']
# Requirements for which servers to use
ipv4_servers = true
ipv6_servers = true
block_ipv6 = false
require_dnssec = true
require_nofilter = true
require_nolog = true
# Resolver to use for the initial queries, DNSSEC capable one recommended.
# China: 114.114.114.114:53 according to the example file. Default is
# currently 9.9.9.9 and I can follow the defaults.
#fallback_resolver = '149.112.112.112:53'
# Ensure syslog
use_syslog = true
# Cert reload time in minutes (see refresh_delay under sources for them)
cert_refresh_delay = 240
# Shouldn't take that much MEM and I imagine it's subject to TTL anyway.
cache = true
cache_size = 10000
# Load-balancing
# fastest (first in 2.0.24+)= always fastest, p2 = random between two fastest, ph = random
# from the fastest half of the configured list, random = any random
# https://github.com/jedisct1/dnscrypt-proxy/wiki/Load-Balancing-Options
lb_strategy = 'p2'
# Tor if necessary
#force_tcp = true
# Experience: this port shouldn't have IsolateDestAddr/IsolateDestPort or
# Tor may be unhappy due to the amount of circuits opened. Different ports
# are already isolated from each other and I think dnscrypt-proxy should
# mostly be connecting to the top fastest servers with lb_strategy p2
#proxy = "socks5://dnscrypt-proxy:randompasswordhere123613413671@127.0.0.1:9052"
# Logging to be enabled by hand on systems needing them
#[query_log]
# file = '/var/log/dnscrypt-proxy/query.log'
#[nx_log]
# file = '/var/log/dnscrypt-proxy/nx.log'
[sources]
[sources.'public-resolvers']
#url = 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md', 'https://cdn.staticaly.com/gh/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://evilvibes.com/list/public-resolvers.md']
cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72
prefix = 'public-'
[sources.'opennic']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/opennic.md', 'https://download.dnscrypt.info/resolvers-list/v2/opennic.md']
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72
cache_file = '/var/cache/dnscrypt-proxy/opennic.md'
prefix = 'opennic-'
# 2.0.23 recommended so onions won't be attempted without proxy enabled
# (5c9edfccfe67474bee2836ada67f955f10e43357)
# I won't uncomment this until I have updated version everywhere.
#[sources.'onion-services']
# urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/onion-services.md', 'https://download.dnscrypt.info/resolvers-list/v2/onion-services.md']
# minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
# cache_file = '/var/cache/dnscrypt-proxy/onion-services.md'
# prefix = 'onion-'