mirror of
https://github.com/m13253/dns-over-https.git
synced 2026-03-30 22:55:39 +00:00
967faec56c
* add ECS full size & limit filtering * add tls certification bypass in configuration * flush log lines * changes following pull request comments * with fmt and reorg of libs in client.go
141 lines
4.7 KiB
Plaintext
141 lines
4.7 KiB
Plaintext
# DNS listen port
|
|
listen = [
|
|
"127.0.0.1:53",
|
|
"127.0.0.1:5380",
|
|
"[::1]:53",
|
|
"[::1]:5380",
|
|
|
|
## To listen on both 0.0.0.0:53 and [::]:53, use the following line
|
|
# ":53",
|
|
]
|
|
|
|
# HTTP path for upstream resolver
|
|
|
|
[upstream]
|
|
|
|
# available selector: random or weighted_round_robin or lvs_weighted_round_robin
|
|
upstream_selector = "random"
|
|
|
|
# weight should in (0, 100], if upstream_selector is random, weight will be ignored
|
|
|
|
## Google's resolver, good ECS, good DNSSEC
|
|
#[[upstream.upstream_ietf]]
|
|
# url = "https://dns.google/dns-query"
|
|
# weight = 50
|
|
|
|
## CloudFlare's resolver, bad ECS, good DNSSEC
|
|
## ECS is disabled for privacy by design: https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details/#edns-client-subnet
|
|
[[upstream.upstream_ietf]]
|
|
url = "https://cloudflare-dns.com/dns-query"
|
|
weight = 50
|
|
|
|
## CloudFlare's resolver, bad ECS, good DNSSEC
|
|
## ECS is disabled for privacy by design: https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details/#edns-client-subnet
|
|
## Note that some ISPs have problems connecting to 1.1.1.1, try 1.0.0.1 if problems happen.
|
|
#[[upstream.upstream_ietf]]
|
|
# url = "https://1.1.1.1/dns-query"
|
|
# weight = 50
|
|
|
|
## DNS.SB's resolver, good ECS, good DNSSEC
|
|
## The provider claims no logging: https://dns.sb/doh/
|
|
#[[upstream.upstream_ietf]]
|
|
# url = "https://doh.dns.sb/dns-query"
|
|
# weight = 50
|
|
|
|
## Quad9's resolver, bad ECS, good DNSSEC
|
|
## ECS is disabled for privacy by design: https://www.quad9.net/faq/#What_is_EDNS_Client-Subnet
|
|
#[[upstream.upstream_ietf]]
|
|
# url = "https://9.9.9.9/dns-query"
|
|
# weight = 50
|
|
|
|
## CloudFlare's resolver for Tor, available only with Tor
|
|
## Remember to disable ECS below when using Tor!
|
|
## Blog: https://blog.cloudflare.com/welcome-hidden-resolver/
|
|
#[[upstream.upstream_ietf]]
|
|
# url = "https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/dns-query"
|
|
# weight = 50
|
|
|
|
|
|
[others]
|
|
# Bootstrap DNS server to resolve the address of the upstream resolver
|
|
# If multiple servers are specified, a random one will be chosen each time.
|
|
# If empty, use the system DNS settings.
|
|
# If you want to preload IP addresses in /etc/hosts instead of using a
|
|
# bootstrap server, please make this list empty.
|
|
bootstrap = [
|
|
|
|
# Google's resolver, good ECS, good DNSSEC
|
|
"8.8.8.8:53",
|
|
"8.8.4.4:53",
|
|
|
|
# CloudFlare's resolver, bad ECS, good DNSSEC
|
|
#"1.1.1.1:53",
|
|
#"1.0.0.1:53",
|
|
|
|
]
|
|
|
|
# The domain names here are directly passed to bootstrap servers listed above,
|
|
# allowing captive portal detection and systems without RTC to work.
|
|
# Only effective if at least one bootstrap server is configured.
|
|
passthrough = [
|
|
"captive.apple.com",
|
|
"connectivitycheck.gstatic.com",
|
|
"detectportal.firefox.com",
|
|
"msftconnecttest.com",
|
|
"nmcheck.gnome.org",
|
|
|
|
"pool.ntp.org",
|
|
"time.apple.com",
|
|
"time.asia.apple.com",
|
|
"time.euro.apple.com",
|
|
"time.nist.gov",
|
|
"time.windows.com",
|
|
]
|
|
|
|
# Timeout for upstream request in seconds
|
|
timeout = 30
|
|
|
|
# Disable HTTP Cookies
|
|
#
|
|
# Cookies may be useful if your upstream resolver is protected by some
|
|
# anti-DDoS services to identify clients.
|
|
# Note that DNS Cookies (an DNS protocol extension to DNS) also has the ability
|
|
# to track uesrs and is not controlled by doh-client.
|
|
no_cookies = true
|
|
|
|
# Disable EDNS0-Client-Subnet (ECS)
|
|
#
|
|
# DNS-over-HTTPS supports EDNS0-Client-Subnet protocol, which submits part of
|
|
# the client's IP address (/24 for IPv4, /56 for IPv6 by default) to the
|
|
# upstream server. This is useful for GeoDNS and CDNs to work, and is exactly
|
|
# the same configuration as most public DNS servers.
|
|
no_ecs = false
|
|
|
|
# Disable IPv6 when querying upstream
|
|
#
|
|
# Only enable this if you really have trouble connecting.
|
|
# Doh-client uses both IPv4 and IPv6 by default and should not have problems
|
|
# with an IPv4-only environment.
|
|
# Note that DNS listening and bootstrapping is not controlled by this option.
|
|
no_ipv6 = false
|
|
|
|
# Disable submitting User-Agent
|
|
#
|
|
# It is generally not recommended to disable submitting User-Agent because it
|
|
# is still possible to probe client version according to behavior differences,
|
|
# such as TLS handshaking, handling of malformed packets, and specific bugs.
|
|
# Additionally, User-Agent is an important way for the server to distinguish
|
|
# buggy, old, or insecure clients, and to workaround specific bugs.
|
|
# (e.g. doh-server can detect and workaround certain issues of DNSCrypt-Proxy
|
|
# and older Firefox.)
|
|
no_user_agent = false
|
|
|
|
# Enable logging
|
|
verbose = false
|
|
|
|
# insecure_tls_skip_verification will disable necessary TLS security verification.
|
|
# This option is designed for testing or development purposes,
|
|
# turning on this option on public Internet may cause your connection
|
|
# vulnerable to MITM attack.
|
|
insecure_tls_skip_verify = false
|