1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
|
######################################################
# #
# Sample configuration file for dnscrypt-proxy #
# #
######################################################
############## Resolver settings ##############
## [CHANGE THIS] Short name of the resolver to use
## Usually the only thing you need to change in this configuration file.
## This corresponds to the first column in the dnscrypt-resolvers.csv file.
## Alternatively, "random" (without quotes) picks a random random resolver
## accessible over IPv4, that doesn't log and supports DNSSEC.
ResolverName random
## Full path to the list of available DNSCrypt resolvers (dnscrypt-resolvers.csv)
## An up-to-date list is available here:
## https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-resolvers.csv
## and the dnscrypt-update-resolvers.sh script can be used in order to
## automatically download and verify updates.
# ResolversList /usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv
## Manual settings, only for a custom resolver not present in the CSV file
# ProviderName 2.dnscrypt.resolver.example
# ProviderKey E801:B84E:A606:BFB0:BAC0:CE43:445B:B15E:BA64:B02F:A3C4:AA31:AE10:636A:0790:324D
# ResolverAddress 203.0.113.1:443
############## Process options ##############
## [NOT AVAILABLE ON WINDOWS] Run the proxy as a background process.
## Unless you are using systemd, you probably want to change this to "yes"
## after having verified that the rest of the configuration works as expected.
Daemonize yes
## Write the PID number to a file
PidFile /var/run/dnscrypt-proxy/dnscrypt-proxy-0.pid
## [NOT AVAILABLE ON WINDOWS] Start the process, bind the required ports, and
## run the server as a less-privileged system user.
## The value for this parameter is a user name.
# User nobody
User dnscrypt
############## Network/protocol settings ##############
## Local address and port to listen to.
## A 127.0.0.x address is recommended for local use, but 0.0.0.0 or
## a specific interface address can be used on a router, or to
## configure a single machine to act as a DNS proxy for different
## devices.
## If the socket is created by systemd, the proxy cannot change the address
## using this option. You should edit systemd's dnscrypt-proxy.socket file
## instead.
LocalAddress 127.0.0.1:53
## Cache DNS responses to avoid outgoing traffic when the same queries
## are repeated multiple times in a row.
LocalCache on
## Creates a new key pair for every query.
## This prevents logging servers from correlating client public keys with
## IP addresses. However, this option implies extra CPU load, and is not
## very useful with trusted/non-logging servers.
EphemeralKeys off
## Maximum number of active requests waiting for a response.
## Keep it reasonable relative to the expected number of clients.
# MaxActiveRequests 250
## This is the maximum payload size allowed when using the UDP protocol.
## The default is safe, and rarely needs to be changed.
# EDNSPayloadSize 1252
## Ignore the time stamps when checking the certificates
## Do not enable this option ever, unless you know that you need it.
# IgnoreTimestamps no
## Do not send queries using UDP. Only use TCP.
## Even if some resolvers mitigate this, DNS over TCP is almost always slower
## than UDP and doesn't offer additional security.
## Only enable this option if UDP doesn't work on your network.
# TCPOnly no
## Forward queries for specific zones to one or more non-DNSCrypt resolvers.
## For instance, this can be used to redirect queries for local domains to
## the router, or queries for an internal domain to an internal DNS server.
## Multiple whitespace-delimited zones and IP addresses can be specified.
## Do not enable this unless you absolutely know you need it.
## If you see useless queries to these zones, you'd better block them with
## the BlackList feature instead of sending them in clear text to the router.
## This uses a plugin that requires dnscrypt-proxy to be compiled with
## the ldns library.
# Forward domains:"test private localdomain lan" to:"192.168.100.254"
############## Logging ##############
## Log the received DNS queries to a file, so you can watch in real-time what
## is happening on the network.
## The value for this parameter is a full path to the log file.
## The file name can be prefixed with ltsv: in order to store logs using the
## LTSV format (ex: ltsv:/tmp/dns-queries.log).
# QueryLogFile /tmp/dns-queries.log
## Log file to write server errors and information to.
## If you use this tool for privacy, keeping logs of any kind is usually not
## a good idea.
LogFile /var/log/dnscrypt-proxy/dnscrypt-proxy.log
## Don't log events with priority above this log level after the service has
## been started up. Default is 6.
## Valid values are between 0 (critical) to 7 (debug-level messages).
# LogLevel 6
## [NOT AVAILABLE ON WINDOWS] Send server logs to the syslog daemon
## Log entries can optionally be prefixed with a string.
# Syslog off
# SyslogPrefix dnscrypt
############## Local filtering ##############
## If your network doesn't support IPv6, chances are that your
## applications are still constantly trying to resolve IPv6 addresses,
## causing unnecessary slowdowns.
## This causes the proxy to immediately reply to IPv6 requests,
## without having to send a useless request to upstream resolvers, and
## having to wait for a response.
## This uses a plugin that requires dnscrypt-proxy to be compiled with
## the ldns library.
BlockIPv6 no
## Want to filter ads, malware, sensitive or inappropriate websites and
## domain names? This feature can block lists of IP addresses and names
## matching a list of patterns. The list of rules remains private, and
## the filtering process directly happens on your own network. In order
## to filter IP addresses, the list of IPs has to be put into a text
## file, with one IP address per line. Lists of domain names can also be
## blocked as well. Put the list into a text file, one domain per line.
## Domains can include wildcards (*) in order to match patterns. For
## example *sex* will match any name that contains the sex substring, and
## ads.* will match anything starting with ads. The Internet has plenty
## of free feeds of IP addresses and domain names used for malware,
## phishing and spam that you can use with this feature.
##
## This uses a plugin that requires dnscrypt-proxy to be compiled with
## the ldns library.
##
## To enable, uncomment one of the following definitions:
## Block query names matching the rules stored in that file:
# BlackList domains:"/etc/dnscrypt-blacklist-domains.txt"
## Block responses whose IP addresses match IPs stored in that file:
# BlackList ips:"/etc/dnscrypt-blacklist-ips.txt"
## Block both domain names and IP addresses:
# BlackList domains:"/etc/dnscrypt-blacklist-domains.txt" ips:"/etc/dnscrypt-blacklist-ips.txt"
## Same as the above + log the blocked queries in a file.
## The log file can be prefixed with ltsv: (ex: ltsv:/tmp/log.txt) in order to
## store logs using the LTSV format.
# BlackList domains:"/etc/dnscrypt-blacklist-domains.txt" logfile:"/var/log/dnscrypt-blocked.log"
# BlackList ips:"/etc/dnscrypt-blacklist-ips.txt" logfile:"/var/log/dnscrypt-blocked.log"
# BlackList domains:"/etc/dnscrypt-blacklist-domains.txt" ips:"/etc/dnscrypt-blacklist-ips.txt" logfile:"/var/log/dnscrypt-blocked.log"
############## User identification ##############
## Use a client public key for identification
## By default, the client uses a randomized key pair in order to make tracking
## more difficult. This option does the opposite and uses a static key pair, so
## that DNS providers can offer premium services to queries signed with a known
## set of public keys. A client cannot decrypt the received responses without
## also knowing the secret key.
## The value for this property is the path to a file containing the secret key,
## encoded as a hexadecimal string. The corresponding public key is computed
## automatically.
# ClientKey /etc/dnscrypt-client-secret.key
############## Monitoring ##############
## Do not actually start the proxy, but check that a valid certificate can be
## retrieved from the server and that it will remain valid for the specified
## time period. The process exit code is 0 if a valid certificate can be used,
## 2 if no valid certificates can be used, 3 if a timeout occurred, and 4 if a
## currently valid certificate is going to expire before the given margin.
## Useful in a cron job to monitor your own dnscrypt-servers.
## The margin is specified in minutes.
# Test 2880
############## Recursive configuration ##############
## A configuration file can include other configuration files by inserting
## the `Include` directive anywhere (the full path required, no quotes):
# Include /etc/dnscrypt-proxy-common.conf
|
