You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
docker-dns/encrypted-dns.toml.in

258 lines
5.0 KiB

3 years ago
####################################################
# #
# Encrypted DNS Server configuration #
# #
####################################################
##################################
# Global settings #
##################################
## IP addresses and ports to listen to, as well as their external IP
## If there is no NAT involved, `local` and `external` can be the same.
## As many addresses as needed can be configured here, IPv4 and/or IPv6.
## You should at least change the `external` IP address.
### Example with both IPv4 and IPv6 addresses:
# listen_addrs = [
# { local = "0.0.0.0:443", external = "198.51.100.1:443" },
# { local = "[::]:443", external = "[2001:db8::1]:443" }
# ]
listen_addrs = [
@LISTEN_ADDRESSES@
]
## Upstream DNS server and port
upstream_addr = "172.30.0.3:53"
## File name to save the state to
state_file = "/opt/encrypted-dns/etc/keys/state/encrypted-dns.state"
## UDP timeout in seconds
udp_timeout = 10
## TCP timeout in seconds
tcp_timeout = 10
## Maximum active UDP sockets
udp_max_active_connections = 1000
## Maximum active TCP connections
tcp_max_active_connections = 100
## Optional IP address to connect to upstream servers from.
## Leave commented/undefined to automatically select it.
# external_addr = "0.0.0.0"
## Built-in DNS cache capacity
cache_capacity = 150000
## DNS cache: minimum TTL
cache_ttl_min = 3600
## DNS cache: max TTL
cache_ttl_max = 86400
## DNS cache: error TTL
cache_ttl_error = 600
## DNS cache: to avoid bursts of traffic for popular queries when an
## RRSET expires, hold a TTL received from an upstream server for
## `client_ttl_holdon` seconds before decreasing it in client responses.
client_ttl_holdon = 60
## Run as a background process
daemonize = false
## Log file
# log_file = "/tmp/encrypted-dns.log"
## PID file
# pid_file = "/tmp/encrypted-dns.pid"
## User name to drop privileges to, when started as root.
user = "_encrypted-dns"
## Group name to drop privileges to, when started as root.
group = "_encrypted-dns"
## Path to chroot() to, when started as root.
## The path to the state file is relative to the chroot base.
# chroot = "/var/empty"
## Queries sent to that name will return the client IP address.
## This can be very useful for debugging, or to check that relaying works.
# my_ip = "my.ip"
####################################
# DNSCrypt settings #
####################################
[dnscrypt]
## Provider name (with or without the `2.dnscrypt-cert.` prefix)
provider_name = "@PROVIDER_NAME@"
## Does the server support DNSSEC?
dnssec = true
## Does the server always returns correct answers (no filtering, including ad blocking)?
no_filters = true
## Set to `true` if the server doesn't keep any information that can be used to identify users
no_logs = true
## Key cache capacity, per certificate
key_cache_capacity = 10000
###############################
# TLS settings #
###############################
[tls]
## Where to proxy TLS connections to (e.g. DoH server)
# upstream_addr = "127.0.0.1:4343"
@TLS_PROXY_CONFIGURATION@
#######################################
# Server-side filtering #
#######################################
[filtering]
## List of domains to block, one per line
@DOMAIN_BLACKLIST_CONFIGURATION@
## List of undelegated TLDs
## This is the list of nonexistent TLDs that queries are frequently observed for,
## but will never resolve to anything. The server will immediately return a
## synthesized NXDOMAIN response instead of hitting root servers.
undelegated_list = "/opt/encrypted-dns/etc/undelegated.txt"
## Ignore A and AAAA queries for unqualified host names.
ignore_unqualified_hostnames = true
#########################
# Metrics #
#########################
[metrics]
type = "prometheus"
listen_addr = "@METRICS_ADDRESS@"
path = "/metrics"
################################
# Anonymized DNS #
################################
[anonymized_dns]
# Enable relaying support for Anonymized DNS
enabled = @ANONDNS_ENABLED@
# Allowed upstream ports
# This is a list of commonly used ports for encrypted DNS services
allowed_ports = [ 443, 553, 853, 1443, 2053, 4343, 4434, 4443, 5353, 5443, 8443, 15353 ]
# Allow all ports >= 1024 in addition to the list above
allow_non_reserved_ports = false
# Blacklisted upstream IP addresses
blacklisted_ips = [ @ANONDNS_BLACKLISTED_IPS@ ]
################################
# Access control #
################################
[access_control]
# Enable access control
enabled = false
# Only allow access to client queries including one of these random tokens
# Tokens can be configured in the `query_meta` section of `dnscrypt-proxy` as
# `query_meta = ["token:..."]` -- Replace ... with the token to use by the client.
# Example: `query_meta = ["token:Y2oHkDJNHz"]`
tokens = ["IQdjF6Cqt2fZuVMF", "CUKJAloBTkTRm2aH", "ZlRuzSNoALoAvxyB"]