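# /etc/dnscrypt-proxy/dnscrypt-proxy-out-china.toml

##################################
#        Global settings         #
##################################

## List of servers to use
##
## Servers from the "public-resolvers" source (see down below) can
## be viewed here: https://dnscrypt.info/public-servers
##
## The proxy will automatically pick working servers from this list.
## Note that the require_* filters do NOT apply when using this setting.
##
## By default, this list is empty and all registered servers matching the
## require_* filters will be used instead.
##
## Remove the leading # first to enable this; lines starting with # are ignored.
# NOTE(review): no commented-out `server_names` example is present in this part
# of the file, so the list stays empty and server selection is driven entirely
# by the require_* filters below.

## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
## Example with both IPv4 and IPv6:
## listen_addresses = ['127.0.0.1:53', '[::1]:53']
##
## To listen to all IPv4 addresses, use `listen_addresses = ['0.0.0.0:53']`
## To listen to all IPv4+IPv6 addresses, use `listen_addresses = ['[::]:53']`

# Loopback only, on a non-standard port: only processes on this host can
# reach the proxy.
listen_addresses = ['127.0.0.1:5534']

## Maximum number of simultaneous client connections to accept
max_clients = 250

## Switch to a different system user after listening sockets have been created.
## Note (1): this feature is currently unsupported on Windows.
## Note (2): this feature is not compatible with systemd socket activation.
## Note (3): when using -pidfile, the PID file directory must be writable by the new user
# NOTE(review): left commented out, so the process keeps whatever privileges it
# was started with; uncomment to drop to an unprivileged account once the
# sockets are bound (subject to the notes above).
# user_name = 'nobody'

## Require servers (from remote sources) to satisfy specific properties

# Use servers reachable over IPv4
ipv4_servers = true

# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
ipv6_servers = false

# Use servers implementing the DNSCrypt protocol
dnscrypt_servers = true

# Use servers implementing the DNS-over-HTTPS protocol
doh_servers = true

# Use servers implementing the Oblivious DoH protocol
odoh_servers = false

## Require servers defined by remote sources to satisfy specific properties

# Server must support DNS security extensions (DNSSEC)
# Not required here: a server without DNSSEC support still qualifies, so
# server selection alone does not guarantee validated answers.
require_dnssec = false

# Server must not log user queries (declarative)
require_nolog = true

# Server must not enforce its own blocklist (for parental control, ads blocking...)
require_nofilter = true

# Server names to avoid even if they match all criteria
disabled_server_names = []

## Always use TCP to connect to upstream servers.
## This can be useful if you need to route everything through Tor.
## Otherwise, leave this to `false`, as it doesn't improve security
## (dnscrypt-proxy will always encrypt everything even using UDP), and can
## only increase latency.
force_tcp = false

## Enable *experimental* support for HTTP/3 (DoH3, HTTP over QUIC)
## Note that, like DNSCrypt but unlike other HTTP versions, this uses
## UDP and (usually) port 443 instead of TCP.
http3 = false

## SOCKS proxy
## Uncomment the following line to route all TCP connections to a local Tor node
## Tor doesn't support UDP, so set `force_tcp` to `true` as well.
# NOTE(review): the commented-out example line referred to above is not present
# in this part of the file; no SOCKS proxy is configured here.

## How long a DNS query will wait for a response, in milliseconds.
## If you have a network with *a lot* of latency, you may need to
## increase this. Startup may be slower if you do so.
## Don't increase it too much. 10000 is the highest reasonable value.
timeout = 5000

## Keepalive for HTTP (HTTPS, HTTP/2, HTTP/3) queries, in seconds
keepalive = 30

## Log file for the application, as an alternative to sending logs to
## the standard system logging service (syslog/Windows event log).
##
## This file is different from other log files, and will not be
## automatically rotated by the application.
# NOTE(review): no application log file is set in this part of the file;
# application logs go to the system logger (use_syslog below).

## When using a log file, only keep logs from the most recent launch.
# log_file_latest = true

## Use the system logger (syslog on Unix, Event Log on Windows)
use_syslog = true

## Delay, in minutes, after which certificates are reloaded
cert_refresh_delay = 240

## Bootstrap resolvers
##
## These are normal, non-encrypted DNS resolvers, that will be only used
## for one-shot queries when retrieving the initial resolvers list and if
## the system DNS configuration doesn't work.
##
## No user queries will ever be leaked through these resolvers, and they will
## not be used after IP addresses of DoH resolvers have been found (if you are
## using DoH).
##
## They will never be used if lists have already been cached, and if the stamps
## of the configured servers already include IP addresses (which is the case for
## most of DoH servers, and for all DNSCrypt servers and relays).
##
## They will not be used if the configured system DNS works, or after the
## proxy already has at least one usable secure resolver.
##
## Resolvers supporting DNSSEC are recommended, and, if you are using
## DoH, bootstrap resolvers should ideally be operated by a different entity
## than the DoH servers you will be using, especially if you have IPv6 enabled.
##
## People in China may want to use 114.114.114.114:53 here.
## Other popular options include 8.8.8.8, 9.9.9.9 and 1.1.1.1.
##
## If more than one resolver is specified, they will be tried in sequence.
##
## TL;DR: put valid standard resolver addresses here. Your actual queries will
## not be sent there. If you're using DNSCrypt or Anonymized DNS and your
## lists are up to date, these resolvers will not even be used.
# NOTE(review): the key that lists these resolvers is not present in this part
# of the file. Because ignore_system_dns = true (below) removes the system DNS
# fallback, confirm it is set elsewhere; otherwise the initial resolver list
# can presumably only come from an already-cached copy.

## When internal DNS resolution is required, for example to retrieve
## the resolvers list:
##
## - queries will be sent to dnscrypt-proxy itself, if it is already
##   running with active servers (*)
## - or else, queries will be sent to fallback servers
## - finally, if `ignore_system_dns` is `false`, queries will be sent
##   to the system DNS
##
## (*) this is incompatible with systemd sockets.
## `listen_addresses` must not be empty.
ignore_system_dns = true

## Maximum time (in seconds) to wait for network connectivity before
## initializing the proxy.
## Useful if the proxy is automatically started at boot, and network
## connectivity is not guaranteed to be immediately available.
## Use 0 to not test for connectivity at all (not recommended),
## and -1 to wait as much as possible.
netprobe_timeout = 60

## Address and port to try initializing a connection to, just to check
## if the network is up. It can be any address and any port, even if
## there is nothing answering these on the other side. Just don't use
## a local address, as the goal is to check for Internet connectivity.
## On Windows, a datagram with a single, nul byte will be sent, only
## when the system starts.
## On other operating systems, the connection will be initialized
## but nothing will be sent at all.
netprobe_address = '9.9.9.9:53'

## Automatic log files rotation

# Maximum log files size in MB - Set to 0 for unlimited.
log_files_max_size = 10

# How long to keep backup files, in days
log_files_max_age = 7

# Maximum log files backups to keep (or 0 to keep all backups)
log_files_max_backups = 1

## Note: if you are using dnsmasq, disable the `dnssec` option in dnsmasq if you
## configure dnscrypt-proxy to do any kind of filtering (including the filters
## below and blocklists).
## You can still choose resolvers that do DNSSEC validation.

## Immediately respond to IPv6-related queries with an empty response
## This makes things faster when there is no IPv6 connectivity, but can
## also cause reliability issues with some stub resolvers.
block_ipv6 = false

## Immediately respond to A and AAAA queries for host names without a domain name
## This also prevents "dotless domain names" from being resolved upstream.
block_unqualified = true

## Immediately respond to queries for local zones instead of leaking them to
## upstream resolvers (always causing errors or timeouts).
block_undelegated = true

## TTL for synthetic responses sent when a request has been blocked (due to
## IPv6 or blocklists).
reject_ttl = 10

###########################
#        DNS cache        #
###########################

## Enable a DNS cache to reduce latency and outgoing traffic
# NOTE(review): no cache keys follow this heading in this part of the file;
# confirm whether caching is configured elsewhere.

## Path to the query log file (absolute, or relative to the same directory as the config file)
## Can be set to /dev/stdout in order to log to the standard output.
# NOTE(review): this comment belongs to a query-log section whose header and
# keys are not present in this part of the file; it is kept in place.

## Log queries for nonexistent zones
## These queries can reveal the presence of malware, broken/obsolete applications,
## and devices signaling their presence to 3rd parties.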
[nx_log]

## Path to the NX log file (absolute, or relative to the same directory as the config file)
## Every entry is a query for a nonexistent zone, so this file holds names that
## clients looked up; presumably rotated per the log_files_max_* settings in
## the global section -- TODO confirm.
file = '/var/log/dnscrypt-proxy/nx-out-china.log'

## Query log format (currently supported: tsv and ltsv)
# NOTE(review): no `format` key follows in this part of the file; the
# application's default format applies.
## Remote lists of available servers
## Multiple sources can be used simultaneously, but every source
## requires a dedicated cache file.
##
## Refer to the documentation for URLs of public sources.
##
## A prefix can be prepended to server names in order to
## avoid collisions if different sources share the same for
## different servers. In that case, names listed in `server_names`
## must include the prefixes.
##
## If the `urls` property is missing, cache files and valid signatures
## must already be present. This doesn't prevent these cache files from
## expiring after `refresh_delay` hours.
## `refresh_delay` must be in the [24..168] interval.
## The minimum delay of 24 hours (1 day) avoids unnecessary requests to servers.
## The maximum delay of 168 hours (1 week) ensures cache freshness.

[sources]

### An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
# NOTE(review): no source sub-table (such as the "public-resolvers" source
# mentioned in the global section) is present in this part of the file;
# confirm one is defined elsewhere, otherwise no server list is fetched.
#########################################
#        Servers with known bugs        #
#########################################

[broken_implementations]

## Cisco servers currently cannot handle queries larger than 1472 bytes, and don't
## truncate responses larger than questions as expected by the DNSCrypt protocol.
## This prevents large responses from being received over UDP and over relays.
##
## Older versions of the `dnsdist` server software had a bug with queries larger
## than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but
## some server may still run an outdated version.
##
## The list below enables workarounds to make non-relayed usage more reliable
## until the servers are fixed.
# NOTE(review): the list referred to above is not present in this part of the
# file; confirm it is defined elsewhere.