├── .gitignore
├── .nvchecker.toml
├── .SRCINFO
├── dnscrypt-proxy.service
├── PKGBUILD
├── dnscrypt-proxy.install
├── README.md
└── dnscrypt-proxy.toml
/.gitignore:
--------------------------------------------------------------------------------
1 | *.zst
2 | dnscrypt-proxy/
3 |
--------------------------------------------------------------------------------
/.nvchecker.toml:
--------------------------------------------------------------------------------
1 | [dnscrypt-proxy]
2 | source = "git"
3 | git = "https://github.com/DNSCrypt/dnscrypt-proxy.git"
4 |
--------------------------------------------------------------------------------
/.SRCINFO:
--------------------------------------------------------------------------------
1 | pkgbase = Hardened-Anonymized-DNSCrypt-Proxy
2 | pkgdesc = Eradicate Surveillance From Your Network Stack
3 | pkgver = 2.1.14.r107.g6cb6faf8
4 | pkgrel = 1
5 | url = https://github.com/D357R0Y3R/Hardened-Anonymized-DNSCrypt-Proxy
6 | install = dnscrypt-proxy.install
7 | arch = x86_64
8 | license = ISC
9 | makedepends = git
10 | makedepends = go
11 | depends = glibc
12 | optdepends = python-urllib3: for generate-domains-blocklist
13 | provides = dnscrypt-proxy
14 | conflicts = dnscrypt-proxy
15 | options = !lto
16 | source = git+https://github.com/dnscrypt/dnscrypt-proxy.git
17 | source = dnscrypt-proxy.toml
18 | source = dnscrypt-proxy.service
19 | sha512sums = SKIP
20 | sha512sums = e1cc2ca7b03b0814df5e218bf151e673a39edb374fdcd9b89d91728cfe0921524192aa7183cc486b969f79ebf05f373e084e2fb2ac17cadf4a81726cf943dc5f
21 | sha512sums = 50e6c878115c96e72f6118008e92871957a699d89bd0b85c80af45e6880a30b0832995e4718ab585b086049cc64e2b0759f8f4263ef814d74929933534403f92
22 |
23 | pkgname = Hardened-Anonymized-DNSCrypt-Proxy
24 |
--------------------------------------------------------------------------------
/dnscrypt-proxy.service:
--------------------------------------------------------------------------------
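[Unit]
Description=DNSCrypt-proxy client
Documentation=https://github.com/DNSCrypt/dnscrypt-proxy/wiki
# Wants= only pulls network-online.target in; After= is what orders the start
# behind it. Without After= the proxy can be started before any route exists.
Wants=network-online.target nss-lookup.target
After=network-online.target
Before=nss-lookup.target

[Service]
# Listening on 127.0.0.1:53 (see dnscrypt-proxy.toml) needs CAP_NET_BIND_SERVICE;
# it is the only capability left in the bounding set.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# Writable locations for the transient service user. Everything else on the
# root filesystem is read-only (ProtectSystem=strict below).
CacheDirectory=dnscrypt-proxy
LogsDirectory=dnscrypt-proxy
RuntimeDirectory=dnscrypt-proxy
StateDirectory=dnscrypt-proxy
# Transient, unprivileged user allocated by systemd; no user_name= in the toml
# is needed (and would be incompatible with socket activation anyway).
DynamicUser=yes
ExecStart=/usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
# A dead resolver means no DNS on the host; bring it back rather than stay down.
Restart=on-failure
LockPersonality=yes
MemoryDenyWriteExecute=true
NonBlocking=true
NoNewPrivileges=true
PrivateDevices=true
# The proxy never needs to set the clock, see other processes, or gain
# setuid/setgid bits; these cost nothing and narrow the sandbox further.
ProtectClock=yes
ProtectProc=invisible
RestrictSUIDSGID=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
# IPv4/IPv6 sockets only (also enough for the optional SOCKS proxy to Tor,
# which is a TCP connection to 127.0.0.1). No AF_UNIX, AF_NETLINK, AF_PACKET.
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target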
36 |
--------------------------------------------------------------------------------
/PKGBUILD:
--------------------------------------------------------------------------------
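# Maintainer: D357R0Y3R <109698175+D357R0Y3R@users.noreply.github.com>

pkgname=Hardened-Anonymized-DNSCrypt-Proxy
_pkgname=dnscrypt-proxy
pkgver=2.1.14.r107.g6cb6faf8
pkgrel=1
pkgdesc="Eradicate Surveillance From Your Network Stack"
arch=(x86_64)
url="https://github.com/D357R0Y3R/Hardened-Anonymized-DNSCrypt-Proxy"
license=(ISC)
depends=(glibc)
makedepends=(
  git
  go
)
optdepends=('python-urllib3: for generate-domains-blocklist')
provides=(dnscrypt-proxy)
conflicts=(dnscrypt-proxy)
install=$_pkgname.install
# Files under /etc that the operator is expected to edit (package() installs
# them). Listing them here makes pacman write .pacnew files on upgrade instead
# of silently overwriting local edits. Regenerate .SRCINFO after changing this:
#   makepkg --printsrcinfo > .SRCINFO
backup=(
  etc/$_pkgname/$_pkgname.toml
  etc/$_pkgname/allowed-ips.txt
  etc/$_pkgname/allowed-names.txt
  etc/$_pkgname/blocked-ips.txt
  etc/$_pkgname/blocked-names.txt
  etc/$_pkgname/cloaking-rules.txt
  etc/$_pkgname/forwarding-rules.txt
  etc/$_pkgname/captive-portals.txt
)
# NOTE: LTO breaks reproducibility :(
options=(!lto)
# SUPPLY-CHAIN NOTE: the first source is the unpinned tip of the upstream git
# repository and its checksum is SKIP, so nothing verifies what gets compiled;
# pkgver above only records whatever HEAD happened to be at build time. To get a
# reviewable, reproducible build, pin a fragment such as `#tag=2.1.14` (or
# `#commit=<full hash>`) on the git URL and adjust pkgver() accordingly.
# The two local files ARE checksummed below; keep those hashes current.
source=(
  git+https://github.com/dnscrypt/$_pkgname.git
  $_pkgname.toml
  $_pkgname.service
)
sha512sums=('SKIP'
            'e1cc2ca7b03b0814df5e218bf151e673a39edb374fdcd9b89d91728cfe0921524192aa7183cc486b969f79ebf05f373e084e2fb2ac17cadf4a81726cf943dc5f'
            '50e6c878115c96e72f6118008e92871957a699d89bd0b85c80af45e6880a30b0832995e4718ab585b086049cc64e2b0759f8f4263ef814d74929933534403f92')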
30 |
pkgver() {
  # Version string for a git checkout: <last tag>.r<commits since tag>.g<short hash>,
  # e.g. "2.1.14-107-g6cb6faf8" from git describe becomes "2.1.14.r107.g6cb6faf8".
  local _described
  cd "$_pkgname"
  _described=$(git describe --long)
  printf '%s\n' "$_described" | sed 's/\([^-]*-g\)/r\1/;s/-/./g'
}
35 |
build() {
  # The Go module lives in the nested dnscrypt-proxy/ directory of the checkout.
  cd "$_pkgname/$_pkgname"
  # Hand makepkg's hardening flags to cgo and link externally so they take effect.
  export CGO_CPPFLAGS="$CPPFLAGS" CGO_CFLAGS="$CFLAGS" CGO_CXXFLAGS="$CXXFLAGS" CGO_LDFLAGS="$LDFLAGS"
  # Module cache inside $srcdir (writable so makepkg can clean it); PIE binary;
  # refuse to touch go.mod/go.sum.
  export GOPATH="$srcdir" GOFLAGS="-buildmode=pie -mod=readonly -modcacherw"
  go build -ldflags "-compressdwarf=false -linkmode external" .
}
47 |
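check() {
  cd "$_pkgname"
  # makepkg runs each function in its own shell, so build()'s exports are gone
  # here. Repeat the module settings so the tests reuse the module cache under
  # $srcdir instead of downloading into $HOME, and so go.mod/go.sum stay read-only.
  export GOPATH="$srcdir" GOFLAGS="-mod=readonly -modcacherw"
  go test ./...
}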
52 |
package() {
  local _rules
  cd "$_pkgname"
  # executable
  install -vDm 755 "$_pkgname/$_pkgname" -t "$pkgdir/usr/bin/"
  # config: the hardened toml from this repo plus upstream's example rule files
  install -vDm 644 "$srcdir/$_pkgname.toml" "$pkgdir/etc/$_pkgname/$_pkgname.toml"
  for _rules in allowed-ips allowed-names blocked-ips blocked-names cloaking-rules forwarding-rules captive-portals; do
    install -vDm 644 "$_pkgname/example-$_rules.txt" "$pkgdir/etc/$_pkgname/$_rules.txt"
  done
  # blocklist generator and its default inputs
  install -vDm 644 utils/generate-domains-blocklist/*.{conf,txt} -t "$pkgdir/usr/share/$_pkgname/utils/generate-domains-blocklist"
  install -vDm 755 utils/generate-domains-blocklist/generate-domains-blocklist.py "$pkgdir/usr/bin/generate-domains-blocklist"
  # systemd unit (this package ships a service only; no socket unit)
  install -vDm 644 "$srcdir/$_pkgname.service" -t "$pkgdir/usr/lib/systemd/system/"
  # license
  install -vDm 644 LICENSE -t "$pkgdir/usr/share/licenses/$_pkgname"
  # docs
  install -vDm 644 ChangeLog README.md -t "$pkgdir/usr/share/doc/$_pkgname"
}
73 | # vim:set ts=2 sw=2 et:
74 |
--------------------------------------------------------------------------------
/dnscrypt-proxy.install:
--------------------------------------------------------------------------------
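post_install() {
    # Everything this hook replaces is moved under $_backup_dir, keeping its
    # original path, so pre_remove can restore the real files instead of guessing.
    local _backup_dir=/var/lib/hardened-dnscrypt-proxy/backup
    local _nm_conf=/etc/NetworkManager/NetworkManager.conf
    local _nm_intern=/var/lib/NetworkManager/NetworkManager-intern.conf
    local _ppp_hook=/etc/ppp/ip-up.d/00-dns.sh
    local _f

    echo -e "--------------------------------------------------"
    echo -e "| Hardened-Anonymized-DNSCrypt-Proxy |"
    echo -e "| Eradicate Surveillance From Your Network Stack |"
    echo -e "--------------------------------------------------"
    echo -e "--------------------------------------"
    echo -e "| Disabling SystemD-Resolved Service |"
    echo -e "--------------------------------------"
    # resolved would otherwise keep its stub on 127.0.0.53 and own /etc/resolv.conf.
    systemctl daemon-reload && systemctl disable --now systemd-resolved -f
    echo -e "---------------------------------------------------"
    echo -e "| Initializing Hardened-Anonymized-DNSCrypt-Proxy |"
    echo -e "---------------------------------------------------"
    systemctl daemon-reload && systemctl enable --now dnscrypt-proxy -f
    echo -e "--------------------------------------------------------------"
    echo -e "| Applying Hardened-Anonymized-DNSCrypt-Proxy Configurations |"
    echo -e "--------------------------------------------------------------"
    mkdir -p "$_backup_dir"
    # ppp's ip-up hook rewrites /etc/resolv.conf on every PPP link; neutralise it
    # with an immutable empty file. Skipped when ppp is not installed (mv/touch
    # would both fail without the directory).
    if [ -d "${_ppp_hook%/*}" ]; then
        [ -e "$_ppp_hook" ] && mv -f "$_ppp_hook" "$_ppp_hook.backup"
        touch "$_ppp_hook" && chattr +i "$_ppp_hook"
    fi
    # Stash (not delete) the files we are about to replace. On systemd-resolved
    # hosts /etc/resolv.conf is a symlink into /run: chattr cannot act on a
    # symlink, so skip it there, and move the link itself away -- otherwise the
    # nameserver below would be written through it into the volatile /run file
    # and vanish at reboot. Only resolv.conf is touched, not every /etc/resolv*.
    for _f in /etc/resolv.conf /etc/NetworkManager/conf.d/* /etc/NetworkManager/NetworkManager* /var/lib/NetworkManager/*conf; do
        [ -e "$_f" ] || [ -L "$_f" ] || continue
        [ -L "$_f" ] || chattr -i "$_f" 2>/dev/null
        mkdir -p "$_backup_dir${_f%/*}"
        mv -f "$_f" "$_backup_dir$_f"
    done
    # NetworkManager must stop managing DNS and resolv.conf, otherwise it rewrites
    # the nameserver on every connection change. The MAC randomisation keys are
    # unrelated to DNS but are part of this project's intended setup.
    mkdir -p "${_nm_conf%/*}" "${_nm_intern%/*}"
    cat >"$_nm_conf" <<'EOF'
[main]
dns=none
rc-manager=unmanaged

[device]
wifi.scan-rand-mac-address=yes
ethernet.cloned-mac-address=random
wifi.cloned-mac-address=random
EOF
    # NOTE(review): NetworkManager-intern.conf is NetworkManager's own state file
    # and may be rewritten by it; this mirrors the original setup, confirm it sticks.
    printf '[connectivity]\n.set.enabled=false\n' >"$_nm_intern"
    # Point the libc resolver at the proxy and lock the file (a real file now, not a link).
    printf 'nameserver 127.0.0.1\noptions edns0\noptions single-request-reopen\n' >/etc/resolv.conf
    chattr +i /etc/resolv.conf
    #echo -e "---------------------------------------------------------"
    #echo -e "| Generating Certificate For EncryptedClientHello (ECH) |"
    #echo -e "---------------------------------------------------------"
    #openssl req -x509 -noenc -newkey rsa:4096 -sha512 -subj / -keyout /etc/dnscrypt-proxy/localhost.pem -out /etc/dnscrypt-proxy/localhost.pem
    #chmod 644 /etc/dnscrypt-proxy/localhost*
    #echo -e "----------------------------------------------------------"
    #echo -e "| Successfully Configured EncryptedClientHello (ECH) |"
    #echo -e "| Now Add Browser DoH [https://127.0.0.1:3000/dns-query] |"
    #echo -e "| Visit Full DoH Address On Browser Startup & Accept |"
    #echo -e "----------------------------------------------------------"
    echo -e "-------------------------------------------"
    echo -e "| Configuring & Restarting NetworkManager |"
    echo -e "-------------------------------------------"
    # `--now` and `-f` are enable/disable options, not restart options; newer
    # systemctl rejects `restart --now`, in which case NetworkManager was never
    # restarted here. The sleep gives links time to come back before the probe.
    systemctl daemon-reload && systemctl restart NetworkManager && sleep 15
    echo -e "------------------------------------------------------"
    echo -e "| Checking Hardened-Anonymized-DNSCrypt-Proxy Status |"
    echo -e "------------------------------------------------------"
    # Visibility check only. Note this runs as root from the pacman hook, outside
    # the hardened unit, and talks to the network.
    dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml --show-certs
    systemctl daemon-reload && systemctl restart dnscrypt-proxy
    echo -e "--------------------------------------"
    echo -e "| Hardened-Anonymized-DNSCrypt-Proxy |"
    echo -e "| Successfully Configured ! |"
    echo -e "--------------------------------------"
}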
51 |
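pre_remove() {
    # Undo post_install: restore the stashed originals where they exist and fall
    # back to NetworkManager defaults where they do not. Previously this hook
    # re-applied the MAC-randomisation config and deleted the operator's
    # /etc/dnscrypt-proxy while claiming to "revert".
    local _backup_dir=/var/lib/hardened-dnscrypt-proxy/backup
    local _nm_conf=/etc/NetworkManager/NetworkManager.conf
    local _nm_intern=/var/lib/NetworkManager/NetworkManager-intern.conf
    local _ppp_hook=/etc/ppp/ip-up.d/00-dns.sh
    local _gw

    echo -e "--------------------------------------------------"
    echo -e "| Hardened-Anonymized-DNSCrypt-Proxy |"
    echo -e "| Eradicate Surveillance From Your Network Stack |"
    echo -e "--------------------------------------------------"
    echo -e "------------------------------------------------"
    echo -e "| Disabling Hardened-Anonymized-DNSCrypt-Proxy |"
    echo -e "------------------------------------------------"
    systemctl daemon-reload && systemctl disable --now dnscrypt-proxy -f
    echo -e "---------------------------------------------------------------"
    echo -e "| Reverting Hardened-Anonymized-DNSCrypt-Proxy Configurations |"
    echo -e "---------------------------------------------------------------"
    # Give ppp its ip-up hook back; drop the immutable empty placeholder if
    # there was nothing to restore.
    if [ -d "${_ppp_hook%/*}" ]; then
        chattr -i "$_ppp_hook" 2>/dev/null
        if [ -e "$_ppp_hook.backup" ]; then
            mv -f "$_ppp_hook.backup" "$_ppp_hook"
        elif [ -f "$_ppp_hook" ] && [ ! -s "$_ppp_hook" ]; then
            rm -f "$_ppp_hook"
        fi
    fi
    # /etc/dnscrypt-proxy is deliberately left alone: pacman removes the files it
    # installed, and anything the operator added (blocklists, edited config) stays.
    echo -e "-------------------------------------------"
    echo -e "| Configuring & Restarting NetworkManager |"
    echo -e "-------------------------------------------"
    # Drop the files post_install wrote (chattr is not possible on a symlink).
    [ -L /etc/resolv.conf ] || chattr -i /etc/resolv.conf 2>/dev/null
    rm -f /etc/resolv.conf "$_nm_conf" "$_nm_intern"
    if [ -d "$_backup_dir" ]; then
        # Put every stashed file back at its original path, attributes included.
        cp -a "$_backup_dir/." / && rm -rf "$_backup_dir"
        rmdir --ignore-fail-on-non-empty "${_backup_dir%/*}" 2>/dev/null
    fi
    if [ ! -e /etc/resolv.conf ] && [ ! -L /etc/resolv.conf ]; then
        # Nothing was stashed (older install): use the first default gateway as a
        # stop-gap until NetworkManager regenerates resolv.conf on restart. Taking
        # only the first route avoids writing several gateways onto one line.
        _gw=$(ip -4 route show default 2>/dev/null | awk '{print $3; exit}')
        printf '# Generated by NetworkManager\nnameserver %s\n' "${_gw:-127.0.0.1}" >/etc/resolv.conf
    fi
    # systemd-resolved is not re-enabled here; NetworkManager manages DNS directly.
    systemctl daemon-reload && systemctl restart NetworkManager
    echo -e "--------------------------------------"
    echo -e "| Hardened-Anonymized-DNSCrypt-Proxy |"
    echo -e "| Successfully Deconfigured ! |"
    echo -e "--------------------------------------"
}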
83 |
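post_upgrade() {
    # $1 = new version, $2 = old version (unused). Config is not re-applied on
    # upgrade; only the services are restarted so the new binary/config load.
    echo -e "--------------------------------------------------"
    echo -e "| Hardened-Anonymized-DNSCrypt-Proxy |"
    echo -e "| Eradicate Surveillance From Your Network Stack |"
    echo -e "--------------------------------------------------"
    echo -e "-------------------------------------------------"
    echo -e "| Restarting Hardened-Anonymized-DNSCrypt-Proxy |"
    echo -e "-------------------------------------------------"
    # enable + restart instead of disable/enable: same end state, no window where
    # the host has no resolver. `--now`/`-f` are not restart options.
    systemctl daemon-reload && systemctl enable dnscrypt-proxy -f && systemctl restart dnscrypt-proxy
    echo -e "--------------------------------------------------"
    echo -e "| Restarting NetworkManager & Necessary Services |"
    echo -e "--------------------------------------------------"
    systemctl restart NetworkManager && sleep 15
    echo -e "------------------------------------------------------"
    echo -e "| Checking Hardened-Anonymized-DNSCrypt-Proxy Status |"
    echo -e "------------------------------------------------------"
    # Visibility check only; runs as root outside the hardened unit.
    dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml --show-certs
    echo -e "--------------------------------------"
    echo -e "| Hardened-Anonymized-DNSCrypt-Proxy |"
    echo -e "| Successfully Updated ! |"
    echo -e "--------------------------------------"
}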
107 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | ```
4 | ██░ ██ ▄▄▄ ██▀███ ▓█████▄ ▓█████ ███▄ █ ▓█████ ▓█████▄
5 | ▓██░ ██▒▒████▄ ▓██ ▒ ██▒▒██▀ ██▌▓█ ▀ ██ ▀█ █ ▓█ ▀ ▒██▀ ██▌
6 | ▒██▀▀██░▒██ ▀█▄ ▓██ ░▄█ ▒░██ █▌▒███ ▓██ ▀█ ██▒▒███ ░██ █▌
7 | ░▓█ ░██ ░██▄▄▄▄██ ▒██▀▀█▄ ░▓█▄ ▌▒▓█ ▄ ▓██▒ ▐▌██▒▒▓█ ▄ ░▓█▄ ▌
8 | ░▓█▒░██▓ ▓█ ▓██▒░██▓ ▒██▒░▒████▓ ░▒████▒▒██░ ▓██░░▒████▒░▒████▓
9 | ▒ ░░▒░▒ ▒▒ ▓▒█░░ ▒▓ ░▒▓░ ▒▒▓ ▒ ░░ ▒░ ░░ ▒░ ▒ ▒ ░░ ▒░ ░ ▒▒▓ ▒
10 |
11 | ▄▄▄ ███▄ █ ▒█████ ███▄ █▓██ ██▓ ███▄ ▄███▓ ██▓▒███████▒▓█████ ▓█████▄
12 | ▒████▄ ██ ▀█ █ ▒██▒ ██▒ ██ ▀█ █ ▒██ ██▒▓██▒▀█▀ ██▒▓██▒▒ ▒ ▒ ▄▀░▓█ ▀ ▒██▀ ██▌
13 | ▒██ ▀█▄ ▓██ ▀█ ██▒▒██░ ██▒▓██ ▀█ ██▒ ▒██ ██░▓██ ▓██░▒██▒░ ▒ ▄▀▒░ ▒███ ░██ █▌
14 | ░██▄▄▄▄██ ▓██▒ ▐▌██▒▒██ ██░▓██▒ ▐▌██▒ ░ ▐██▓░▒██ ▒██ ░██░ ▄▀▒ ░▒▓█ ▄ ░▓█▄ ▌
15 | ▓█ ▓██▒▒██░ ▓██░░ ████▓▒░▒██░ ▓██░ ░ ██▒▓░▒██▒ ░██▒░██░▒███████▒░▒████▒░▒████▓
16 |
17 | ▓█████▄ ███▄ █ ██████ ▄████▄ ██▀███ ▓██ ██▓ ██▓███ ▄▄▄█████▓
18 | ▒██▀ ██▌ ██ ▀█ █ ▒██ ▒ ▒██▀ ▀█ ▓██ ▒ ██▒▒██ ██▒▓██░ ██▒▓ ██▒ ▓▒
19 | ░██ █▌▓██ ▀█ ██▒░ ▓██▄ ▒▓█ ▄ ▓██ ░▄█ ▒ ▒██ ██░▓██░ ██▓▒▒ ▓██░ ▒░
20 | ░▓█▄ ▌▓██▒ ▐▌██▒ ▒ ██▒▒▓▓▄ ▄██▒▒██▀▀█▄ ░ ▐██▓░▒██▄█▓▒ ▒░ ▓██▓ ░
21 | ░▒████▓ ▒██░ ▓██░▒██████▒▒▒ ▓███▀ ░░██▓ ▒██▒ ░ ██▒▓░▒██▒ ░ ░ ▒██▒ ░
22 |
23 | ██▓███ ██▀███ ▒█████ ▒██ ██▒▓██ ██▓
24 | ▓██░ ██▒▓██ ▒ ██▒▒██▒ ██▒▒▒ █ █ ▒░ ▒██ ██▒
25 | ▓██░ ██▓▒▓██ ░▄█ ▒▒██░ ██▒░░ █ ░ ▒██ ██░
26 | ▒██▄█▓▒ ▒▒██▀▀█▄ ▒██ ██░ ░ █ █ ▒ ░ ▐██▓░
27 | ▒██▒ ░ ░░██▓ ▒██▒░ ████▓▒░▒██▒ ▒██▒ ░ ██▒▓░
28 | ```
29 |
30 | # 🛡️ Hardened-Anonymized-DNSCrypt-Proxy
31 |
32 | [](LICENSE)
33 | [](https://archlinux.org)
34 | [](https://dnscrypt.info)
35 | [](https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en)
36 | [](https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/ANONYMIZED-DNSCRYPT.txt)
37 |
38 | ### *「 Eradicate Surveillance From Your Network Stack 」*
39 |
40 |

41 |
42 | ---
43 |
44 |
45 |
46 | ## 📡 Abstract
47 |
48 | A pre-configured, hardened deployment of [DNSCrypt-Proxy](https://github.com/DNSCrypt/dnscrypt-proxy) for Arch Linux: encrypted, authenticated DNS transport (DNSCrypt v2) routed through Anonymized DNSCrypt relays, packaged with a locked-down systemd unit. The upstream code is built unmodified; what this project adds is an opinionated configuration aimed at **maximum privacy** and **minimal attack surface**, plus an install hook that takes over the host's resolver setup.
49 |
50 | Implements modern encrypted DNS protocols:
51 |
52 | | Protocol | Specification | Status |
53 | |:--------:|:-------------:|:------:|
54 | | **DNSCrypt v2** | [dnscrypt.info/protocol](https://dnscrypt.info/protocol) | ✅ Enabled |
55 | | **DNS-over-HTTPS** | [RFC 8484](https://www.rfc-editor.org/rfc/rfc8484.txt) | ❌ Disabled |
56 | | **Anonymized DNSCrypt** | [ANONYMIZED-DNSCRYPT.txt](https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/ANONYMIZED-DNSCRYPT.txt) | ✅ Enabled |
57 | | **ODoH** | [Oblivious DoH](https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-servers.md) | ❌ Disabled |
58 |
59 | ---
60 |
61 | ## 🔬 Technical Architecture
62 |
63 | ```
64 | ┌─────────────────────────────────────────────────────────────────────────────────┐
65 | │ YOUR LOCALHOST │
66 | │ 127.0.0.1:53 │
67 | └─────────────────────────────────────────────────────────────────────────────────┘
68 | │
69 | ▼
70 | ┌─────────────────────────────────────────────────────────────────────────────────┐
71 | │ DNSCrypt-Proxy Daemon │
72 | │ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────────────────────┐ │
73 | │ │ Ephemeral Keys │ │ DNSSEC Required │ │ Blocklist/Allowlist Filtering │ │
74 | │ │ (Per-Query Gen) │ │ (Resolver-side) │ │ (Pattern Matching Engine) │ │
75 | │ └─────────────────┘ └─────────────────┘ └─────────────────────────────────┘ │
76 | └─────────────────────────────────────────────────────────────────────────────────┘
77 | │
78 | ┌───────────┴───────────┐
79 | ▼ ▼
80 | ┌─────────────────────┐ ┌─────────────────────┐
81 | │ RELAY NODE #1 │ │ RELAY NODE #2 │
82 | │ (Anonymization) │ │ (Anonymization) │
83 | │ ┌───────────────┐ │ │ ┌───────────────┐ │
84 | │ │ No Logs Policy│ │ │ │ No Logs Policy│ │
85 | │ │ TCP/443 │ │ │ │ TCP/443 │ │
86 | │ └───────────────┘ │ │ └───────────────┘ │
87 | └─────────────────────┘ └─────────────────────┘
88 | │ │
89 | └───────────┬───────────┘
90 | ▼
91 | ┌─────────────────────────────────────────────┐
92 | │ DNSCrypt RESOLVER │
93 | │ ┌─────────────────────────────────────┐ │
94 | │ │ • X25519-XSalsa20Poly1305 Encryption│ │
95 | │ │ • DNSSEC Validation │ │
96 | │ │ • No Client IP Visibility │ │
97 | │ └─────────────────────────────────────┘ │
98 | └─────────────────────────────────────────────┘
99 | ```
100 |
101 | ---
102 |
103 | ## ⚙️ Features Matrix
104 |
105 | > 📖 For comprehensive feature documentation, consult the [**OFFICIAL DOCUMENTATION**](https://github.com/DNSCrypt/dnscrypt-proxy#features)
106 | >
107 | > 📦 Built from source: the PKGBUILD clones the unpinned tip of the [upstream repository](https://github.com/DNSCrypt/dnscrypt-proxy) with `sha512sums=SKIP`. No release tarballs are used and no signature or checksum is verified for the upstream code, so review the checked-out commit (or pin a `#tag=` in the PKGBUILD) before building.
108 |
109 | ---
110 |
111 | ## 🎯 Project Rationale
112 |
113 | Manual configuration of DNSCrypt-Proxy on Linux involves significant overhead and potential for misconfiguration. This project delivers a **turnkey, security-hardened solution** with optimized defaults—*because privacy shouldn't require a PhD in cryptography*.
114 |
115 | ---
116 |
117 | ## 🐧 Supported Distributions
118 |
119 | | Distribution | Init System | Network Manager | Status |
120 | |:------------:|:-----------:|:---------------:|:------:|
121 | |  **Arch Linux** | SystemD | NetworkManager | ✅ Supported |
122 | | **Arch-based Derivatives** | SystemD | NetworkManager | ✅ Supported |
123 |
124 | ---
125 |
126 | ## 🔧 Hardened Configuration Delta
127 |
128 | ### Cryptographic & Protocol Settings
129 |
130 | | Parameter | Default | Hardened | Rationale |
131 | |:----------|:-------:|:--------:|:----------|
132 | | `doh_servers` | `true` | `false` | Anonymized DNSCrypt relays only work with DNSCrypt resolvers, so DoH is disabled to keep every query on a relayed route (ODoH, the DoH equivalent, is also disabled) |
133 | | `require_dnssec` | `false` | `true` | Selects only resolvers that advertise DNSSEC support. Validation happens at the resolver (RFC 4033-4035); dnscrypt-proxy does not validate signatures locally. Note: the shipped config also sets an explicit `server_names` list, and the `require_*` filters are not applied to an explicit list |
134 | | `force_tcp` | `false` | `true` | Mitigates mobile carrier UDP fragmentation issues with anonymized routes ([ref](https://github.com/DNSCrypt/dnscrypt-proxy/discussions/2020)) |
135 | | `dnscrypt_ephemeral_keys` | `false` | `true` | Fresh X25519 client keypair for every query, so a resolver cannot link queries via a persistent client public key (costs CPU per query) |
136 | | `block_ipv6` | `false` | `true` | Blocks AAAA answers so applications fall back to IPv4 names; this only affects name resolution and is not a substitute for firewalling IPv6 traffic |
137 |
138 | ### Response Handling
139 |
140 | | Parameter | Value | Description |
141 | |:----------|:-----:|:------------|
142 | | `blocked_query_response` | `'refused'` | Returns RCODE `REFUSED` (RFC 1035) for blocked domains instead of the default `hinfo` synthetic answer |
143 |
144 | ### Bootstrap Configuration
145 |
146 | | Parameter | Value | Service |
147 | |:----------|:-----:|:-------:|
148 | | `bootstrap_resolvers` | `['9.9.9.9:53']` | [Quad9](https://docs.quad9.net) - used only to resolve the hostnames in the resolver source lists when nothing else works; these bootstrap queries are plain DNS on port 53, not encrypted |
149 | | `netprobe_address` | `'9.9.9.9:53'` | Network connectivity probe endpoint |
150 |
151 | ### Anonymization Layer
152 |
153 | | Parameter | Value | Security Implication |
154 | |:----------|:-----:|:---------------------|
155 | | `anonymized_dns` | `enabled` | Queries go through relay nodes: the resolver sees the relay IP and the query, the relay sees the client IP but only an encrypted blob |
156 | | `routes` | `2 relays/resolver` | Redundant anonymization paths per upstream |
157 | | `skip_incompatible` | `true` | Resolvers that cannot be reached through a relay are skipped entirely rather than queried directly |
158 | | `direct_cert_fallback` | `false` | **Never** fallback to direct connection on cert retrieval failure |
159 |
160 | ### 🌐 Resolver Fleet
161 |
162 |
163 | Click to expand resolver list (20 nodes across 12 countries)
164 |
165 | | Resolver | Country | Region |
166 | |:---------|:-------:|:------:|
167 | | `ams-dnscrypt-nl` | 🇳🇱 NLD | Europe |
168 | | `d0wn-tz-ns1` | 🇹🇿 TZA | Africa |
169 | | `dct-nl` | 🇳🇱 NLD | Europe |
170 | | `dct-ru` | 🇷🇺 RUS | Europe |
171 | | `dnscrypt.be` | 🇧🇪 BEL | Europe |
172 | | `dnscrypt.pl` | 🇵🇱 POL | Europe |
173 | | `dnscrypt.uk-ipv4` | 🇬🇧 GBR | Europe |
174 | | `dnswarden-uncensor-dc-swiss` | 🇨🇭 CHE | Europe |
175 | | `meganerd` | 🇳🇱 NLD | Europe |
176 | | `openinternet` | 🇺🇸 USA | North America |
177 | | `plan9dns-fl` | 🇺🇸 USA | North America |
178 | | `plan9dns-mx` | 🇲🇽 MEX | North America |
179 | | `plan9dns-nj` | 🇺🇸 USA | North America |
180 | | `pryv8boi` | 🇩🇪 DEU | Europe |
181 | | `sby-limotelu` | 🇮🇩 IDN | Asia |
182 | | `scaleway-ams` | 🇳🇱 NLD | Europe |
183 | | `scaleway-fr` | 🇫🇷 FRA | Europe |
184 | | `serbica` | 🇳🇱 NLD | Europe |
185 | | `techsaviours.org-dnscrypt` | 🇩🇪 DEU | Europe |
186 | | `v.dnscrypt.uk-ipv4` | 🇬🇧 GBR | Europe |
187 |
188 |
189 |
190 | ---
191 |
192 | ## 🚀 Deployment
193 |
194 | ### Installation Vector
195 |
196 | ```bash
197 | # Clone the repository
198 | git clone https://github.com/D357R0Y3R/Hardened-Anonymized-DNSCrypt-Proxy
199 |
200 | # Navigate to project root
201 | cd Hardened-Anonymized-DNSCrypt-Proxy
202 |
203 | # Build package: -C clean the build dir first, -c clean up after, -r remove build deps, -f overwrite an existing package, -s install missing deps. Checksums are still verified for the two local files; the git source is SKIP.
204 | makepkg -Ccrfs --noconfirm
205 |
206 | # Deploy to system
207 | sudo pacman -U *.zst
208 | ```
209 |
210 | ### Removal Procedure
211 |
212 | ```bash
213 | # Purge package + dependencies + configs (recursive, nosave, cascade, unneeded)
214 | sudo pacman -Rcnsu Hardened-Anonymized-DNSCrypt-Proxy
215 | ```
216 |
217 | ---
218 |
219 | ## 🛠️ Post-Installation Configuration
220 |
221 | ### Configuration File Location
222 |
223 | ```
224 | /etc/dnscrypt-proxy/dnscrypt-proxy.toml
225 | ```
226 |
227 | ### Service Management
228 |
229 | ```bash
230 | # Check service status
231 | systemctl status dnscrypt-proxy
232 |
233 | # Restart after config changes
234 | sudo systemctl restart dnscrypt-proxy
235 |
236 | # View real-time logs
237 | journalctl -fu dnscrypt-proxy
238 | ```
239 |
240 | > 📚 **Advanced Configuration**: Consult the [Official Wiki](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Configuration)
241 |
242 | ---
243 |
244 | ## 🧱 Filters [Optional Module]
245 |
246 | The integrated filtering engine provides granular control over DNS resolution:
247 |
248 | | Filter Type | Function | Use Case |
249 | |:------------|:---------|:---------|
250 | | **Blocklists** | Pattern-based domain blocking | Ads, trackers, malware, telemetry |
251 | | **Allowlists** | Whitelist override | False positive mitigation |
252 | | **IP Blocklists** | Response IP filtering | Malicious IP blocking |
253 | | **Cloaking** | Custom A/AAAA responses | Local DNS overrides |
254 |
255 | > 📖 Documentation: [DNSCrypt-Proxy Filters Wiki](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters)
256 |
257 | ---
258 |
259 | ## 🔍 Verification & Testing
260 |
261 | ### DNS Leak Test
262 |
263 | | Tool | URL | Tests |
264 | |:-----|:----|:------|
265 | | **dnscheck.tools** | [dnscheck.tools](https://dnscheck.tools) | Leak detection, DNSSEC validation, resolver identification |
266 |
267 | ### Local Verification Commands
268 |
269 | ```bash
270 | # Verify listening socket (exact port match; a bare "grep 53" also matches 5353 etc.). Expect 127.0.0.1:53 only, no 127.0.0.53 stub.
271 | ss -tulnp 'sport = :53'
272 |
273 | # Check that the upstream resolver validates DNSSEC: the answer flags must include "ad"
274 | dig +dnssec @127.0.0.1 cloudflare.com | grep 'flags:'
275 |
276 | # Query via dnscrypt-proxy
277 | dig @127.0.0.1 example.com
278 |
279 | # Check resolver being used
280 | dig +short txt whoami.ds.akahelp.net
281 | ```
282 |
283 | ---
284 |
285 | ## 📊 Security Considerations
286 |
287 | ```
288 | ┌────────────────────────────────────────────────────────────────┐
289 | │ THREAT MODEL COVERAGE │
290 | ├────────────────────────────────────────────────────────────────┤
291 | │ ✅ DNS Query Encryption (X25519-XSalsa20Poly1305) │
292 | │ ✅ Resolver Authentication (Ed25519-signed DNSCrypt certs); DNSSEC validated upstream, not locally │
293 | │ ✅ Traffic Analysis Mitigation (Anonymized DNS Routes) │
294 | │ ✅ Temporal Correlation Defense (Ephemeral Keys) │
295 | │ ✅ IPv6 via DNS disabled (AAAA answers blocked; does not firewall IPv6) │
296 | │ ⚠️ Resolver Logging Mitigation (self-declared no-log policy; not verifiable) │
297 | └────────────────────────────────────────────────────────────────┘
298 | ```
299 |
300 | ---
301 |
302 | ## 🙏 Acknowledgments
303 |
304 |
322 |
323 | ---
324 |
325 |
326 |
327 | ### 🔐 *"Privacy is not about having something to hide. Privacy is about having something to protect."*
328 |
329 |
330 |
331 | [](https://github.com/D357R0Y3R/Hardened-Anonymized-DNSCrypt-Proxy)
332 | [](https://github.com/D357R0Y3R/Hardened-Anonymized-DNSCrypt-Proxy)
333 |
334 | Made with 🖤 for the privacy-conscious community
335 |
336 |
337 |
--------------------------------------------------------------------------------
/dnscrypt-proxy.toml:
--------------------------------------------------------------------------------
1 | ##############################################
2 | # #
3 | # dnscrypt-proxy configuration #
4 | # #
5 | ##############################################
6 |
7 | ## This is the configuration installed by Hardened-Anonymized-DNSCrypt-Proxy as
8 | ## /etc/dnscrypt-proxy/dnscrypt-proxy.toml. Restart the service after editing it.
9 | ##
10 | ## Online documentation is available here: https://dnscrypt.info/doc
11 |
12 |
13 | ###############################################################################
14 | # Global settings #
15 | ###############################################################################
16 |
17 | ## List of servers to use
18 | ##
19 | ## Servers from the "public-resolvers" source (see down below) can
20 | ## be viewed here: https://dnscrypt.info/public-servers
21 | ##
22 | ## The proxy will automatically pick working servers from this list.
23 | ## Note that the require_* filters do NOT apply when using this setting.
24 | ##
25 | ## By default, this list is empty and all registered servers matching the
26 | ## require_* filters will be used instead.
27 | ##
28 | ## This list is enabled below. Because an explicit list is set, the require_dnssec / require_nolog / require_nofilter settings further down are NOT applied to it; the listed servers are used as-is.
29 |
30 | server_names = ['ams-dnscrypt-nl', 'd0wn-tz-ns1', 'dct-nl', 'dct-ru', 'dnscrypt.be', 'dnscrypt.pl', 'dnscrypt.uk-ipv4', 'dnswarden-uncensor-dc-swiss', 'meganerd', 'openinternet', 'plan9dns-fl', 'plan9dns-mx', 'plan9dns-nj', 'pryv8boi', 'sby-limotelu', 'scaleway-ams', 'scaleway-fr', 'serbica', 'techsaviours.org-dnscrypt', 'v.dnscrypt.uk-ipv4']
31 |
32 |
33 | ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
34 | ## Example with both IPv4 and IPv6:
35 | ## listen_addresses = ['127.0.0.1:53', '[::1]:53']
36 | ##
37 | ## To listen to all IPv4 addresses, use `listen_addresses = ['0.0.0.0:53']`
38 | ## To listen to all IPv4+IPv6 addresses, use `listen_addresses = ['[::]:53']`
39 |
40 | listen_addresses = ['127.0.0.1:53']
41 |
42 |
43 | ## Maximum number of simultaneous client connections to accept
44 |
45 | max_clients = 250
46 |
47 |
48 | ## Switch to a different system user after listening sockets have been created.
49 | ## Note (1): this feature is currently unsupported on Windows.
50 | ## Note (2): this feature is not compatible with systemd socket activation.
51 | ## Note (3): when using -pidfile, the PID file directory must be writable by the new user
52 |
53 | # user_name = 'nobody'
54 |
55 |
56 | ###############################################################################
57 | # Server Selection #
58 | ###############################################################################
59 |
60 | ## Require servers (from remote sources) to satisfy specific properties
61 |
62 | # Use servers reachable over IPv4
63 | ipv4_servers = true
64 |
65 | # Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
66 | ipv6_servers = false
67 |
68 | # Use servers implementing the DNSCrypt protocol
69 | dnscrypt_servers = true
70 |
71 | # Use servers implementing the DNS-over-HTTPS protocol
72 | doh_servers = false
73 |
74 | # Use servers implementing the Oblivious DoH protocol
75 | odoh_servers = false
76 |
77 |
78 | ## Require servers defined by remote sources to satisfy specific properties
79 |
80 | # Server must support DNS security extensions (DNSSEC). This is a server-selection filter, not local validation, and it is ignored while server_names is set above.
81 | require_dnssec = true
82 |
83 | # Server must not log user queries (declarative)
84 | require_nolog = true
85 |
86 | # Server must not enforce its own blocklist (for parental control, ads blocking...)
87 | require_nofilter = true
88 |
89 | # Server names to avoid even if they match all criteria
90 | disabled_server_names = []
91 |
92 |
93 | ###############################################################################
94 | # Connection Settings #
95 | ###############################################################################
96 |
97 | ## Always use TCP to connect to upstream servers.
98 | ## Upstream's advice is to leave this `false` (UDP is encrypted just the same and
99 | ## TCP only adds latency). It is `true` here because anonymized routes over UDP
100 | ## are broken by fragmentation on some networks (mobile carriers in particular),
101 | ## and it is required anyway when routing through the Tor SOCKS proxy below.
102 |
103 | force_tcp = true
104 |
105 |
106 | ## Enable *experimental* support for HTTP/3 (HTTP over QUIC)
107 | ## Note that, like DNSCrypt but unlike other HTTP versions, this uses
108 | ## UDP and (usually) port 443 instead of TCP.
109 |
110 | http3 = false
111 |
112 | ## When http3 is true, always try HTTP/3 first for DoH servers.
113 | ## If the HTTP/3 connection fails, fallback to HTTP/2 and don't try
114 | ## HTTP/3 again for that server. By default, HTTP/3 is only used for
115 | ## servers that advertise support via the Alt-Svc header.
116 | ##
117 | ## WARNING: This setting is disabled by default because it will make
118 | ## connections significantly slower for servers that don't support HTTP/3.
119 | ## This is primarily a workaround for server operators who haven't
120 | ## configured their servers to send proper Alt-Svc headers. The better
121 | ## solution is to reach out to these operators and encourage them to
122 | ## fix their servers to correctly advertise HTTP/3 support.
123 |
124 | http3_probe = false
125 |
126 |
127 | ## SOCKS proxy
128 | ## Uncomment the following line to route all TCP connections to a local Tor node
129 | ## Tor doesn't support UDP, so set `force_tcp` to `true` as well. When passing
130 | ## a random username and password to Tor's socks5 connection, dnscrypt-proxy gets
131 | ## an isolated circuit so it will not share an exit node with other applications.
132 | ## Note: the random username and password used by dnscrypt-proxy should not
133 | ## actually be defined in Tor's configuration.
134 |
135 | # proxy = 'socks5://dnscrypt:dnscrypt@127.0.0.1:9050'
136 |
137 |
138 | ## HTTP/HTTPS proxy
139 | ## Only for DoH servers
140 |
141 | # http_proxy = 'http://127.0.0.1:8888'
142 |
143 |
144 | ## How long a DNS query will wait for a response, in milliseconds.
145 | ## If you have a network with *a lot* of latency, you may need to
146 | ## increase this. Startup may be slower if you do so.
147 | ## Don't increase it too much. 10000 is the highest reasonable value.
148 | ## A timeout below 5000 is not recommended.
149 |
150 | timeout = 5000
151 |
152 |
153 | ## Keepalive for HTTP (HTTPS, HTTP/2, HTTP/3) queries, in seconds
154 |
155 | keepalive = 30
156 |
157 |
158 | ## Add EDNS-client-subnet information to outgoing queries
159 | ##
160 | ## Multiple networks can be listed; they will be randomly chosen.
161 | ## These networks don't have to match your actual networks.
162 |
163 | # edns_client_subnet = ['0.0.0.0/0', '2001:db8::/32']
164 |
165 |
166 | ## Response for blocked queries. Options are `refused`, `hinfo` (default) or
167 | ## an IP response. To give an IP response, use the format `a:,aaaa:`.
168 | ## Using the `hinfo` option means that some responses will be lies.
169 | ## Unfortunately, the `hinfo` option appears to be required for Android 8+
170 |
171 | blocked_query_response = 'refused'
172 |
173 |
174 | ###############################################################################
175 | # Load Balancing & Performance #
176 | ###############################################################################
177 |
178 | ## Load-balancing strategy: 'wp2' (default), 'p2', 'ph', 'p', 'first', or 'random'
179 | ## 'wp2' (default): Weighted Power of Two - selects the better performing server
180 | ## from two random candidates based on real-time RTT and success rates.
181 | ## 'p2': Randomly choose 1 of the fastest 2 servers by latency.
182 | ## 'ph': Randomly choose from fastest half of servers.
183 | ## 'p': Randomly choose from fastest n servers (e.g., 'p3' for fastest 3).
184 | ## 'first': Always use the fastest server.
185 | ## 'random': Randomly choose from all servers.
186 | ## The response quality still depends on the server itself.
187 |
188 | # lb_strategy = 'wp2'
189 |
190 | ## Set to `true` to constantly try to estimate the latency of all the resolvers
191 | ## and adjust the load-balancing parameters accordingly, or to `false` to disable.
192 | ## The default is `true`, which makes the 'p2' `lb_strategy` work well.
193 |
194 | # lb_estimator = true
195 |
196 | ## Dynamically reduce query timeout as the number of concurrent connections
197 | ## approaches max_clients to prevent overload. Value must be between 0.0 and 1.0.
198 | ## 0.0 = no reduction, 1.0 = maximum reduction.
199 | ## Uses a quartic curve to keep timeout high at low load and reduce sharply near limit.
200 | ## For example, with timeout=5000ms, max_clients=250, and timeout_load_reduction=0.75:
201 | ## - At 125 connections (50% load): timeout remains ~4765ms (95.3%)
202 | ## - At 187 connections (75% load): timeout reduces to ~3826ms (76.5%)
203 | ## - At 225 connections (90% load): timeout reduces to ~2539ms (50.8%)
204 | ## - At 250 connections (100% load): timeout reduces to ~1250ms (25%)
205 | ## This helps maintain responsiveness under high load by failing fast.
206 |
207 | # timeout_load_reduction = 0.75
208 |
209 | ## Set to `true` to enable hot reloading of configuration files (like allowed-names.txt,
210 | ## blocked-names.txt, etc.) when they are modified. This can increase CPU and memory usage.
211 | ## Default is `false` (hot reloading is disabled).
212 |
213 | # enable_hot_reload = false
214 |
215 |
216 | ###############################################################################
217 | # Logging #
218 | ###############################################################################
219 |
220 | ## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)
221 |
222 | # log_level = 2
223 |
224 |
225 | ## Log file for the application, as an alternative to sending logs to
226 | ## the standard system logging service (syslog/Windows event log).
227 | ##
228 | ## This file is different from other log files, and will not be
229 | ## automatically rotated by the application.
230 |
231 | # log_file = 'dnscrypt-proxy.log'
232 |
233 |
234 | ## When using a log file, only keep logs from the most recent launch.
235 |
236 | # log_file_latest = true
237 |
238 |
239 | ## Use the system logger (syslog on Unix, Event Log on Windows)
240 |
241 | # use_syslog = true
242 |
243 |
244 | ## Automatic log files rotation
245 |
246 | # Maximum log files size in MB - Set to 0 for unlimited.
247 | log_files_max_size = 10
248 |
249 | # How long to keep backup files, in days
250 | log_files_max_age = 7
251 |
252 | # Maximum log files backups to keep (or 0 to keep all backups)
253 | log_files_max_backups = 1
254 |
255 |
256 | ###############################################################################
257 | # Certificate Management #
258 | ###############################################################################
259 |
260 | ## The maximum concurrency to reload certificates from the resolvers.
261 | ## Default is 10.
262 |
263 | # cert_refresh_concurrency = 10
264 |
265 |
266 | ## Delay, in minutes, after which certificates are reloaded
267 |
268 | cert_refresh_delay = 240
269 |
270 |
271 | ## Initially don't check DNSCrypt server certificates for expiration, and
272 | ## only start checking them after a first successful connection to a resolver.
273 | ## This can be useful on routers with no battery-backed clock.
274 |
275 | # cert_ignore_timestamp = false
276 |
277 |
278 | ## DNSCrypt: Create a new, unique key for every single DNS query
279 | ## This may improve privacy but can also have a significant impact on CPU usage
280 | ## Only enable if you don't have a lot of network load
281 |
282 | dnscrypt_ephemeral_keys = true
283 |
284 |
285 | ## DoH: Disable TLS session tickets - increases privacy but also latency
286 |
287 | # tls_disable_session_tickets = false
288 |
289 |
290 | ## DoH: Use TLS 1.2 and specific cipher suite instead of the server preference
291 | ## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
292 | ## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
293 | ## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
294 | ## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
295 | ##
296 | ## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
297 | ## uncommenting the following line may improve performance.
298 | ## This may also help on Intel CPUs running 32-bit operating systems.
299 | ## However, this can cause issues fetching sources or connecting to some HTTP servers,
300 | ## and should not be set on regular CPUs.
301 | ##
302 | ## Keep tls_cipher_suite undefined to let the app automatically choose secure parameters.
303 |
304 | # tls_cipher_suite = [52392, 49199]
305 |
306 |
307 | ## Log TLS key material to a file, for debugging purposes only.
308 | ## This file will contain the TLS master key, which can be used to decrypt
309 | ## all TLS traffic to/from DoH servers.
310 | ## Never ever enable except for debugging purposes with a tool such as mitmproxy.
311 |
312 | # tls_key_log_file = '/tmp/keylog.txt'
313 |
314 |
315 | ###############################################################################
316 | # Startup & Network #
317 | ###############################################################################
318 |
319 | ## Bootstrap resolvers
320 | ##
321 | ## These are normal, non-encrypted DNS resolvers, that will be only used
322 | ## for one-shot queries when retrieving the initial resolvers list and if
323 | ## the system DNS configuration doesn't work.
324 | ##
325 | ## No user queries will ever be leaked through these resolvers, and they will
326 | ## not be used after IP addresses of DoH resolvers have been found (if you are
327 | ## using DoH).
328 | ##
329 | ## They will never be used if lists have already been cached, and if the stamps
330 | ## of the configured servers already include IP addresses (which is the case for
331 | ## most of DoH servers, and for all DNSCrypt servers and relays).
332 | ##
333 | ## They will not be used if the configured system DNS works, or after the
334 | ## proxy already has at least one usable secure resolver.
335 | ##
336 | ## Resolvers supporting DNSSEC are recommended, and, if you are using
337 | ## DoH, bootstrap resolvers should ideally be operated by a different entity
338 | ## than the DoH servers you will be using, especially if you have IPv6 enabled.
339 | ##
340 | ## People in China may want to use 114.114.114.114:53 here.
341 | ## Other popular options include 8.8.8.8, 9.9.9.9 and 1.1.1.1.
342 | ##
343 | ## If more than one resolver is specified, they will be tried in sequence.
344 | ##
345 | ## TL;DR: put valid standard resolver addresses here. Your actual queries will
346 | ## not be sent there. If you're using DNSCrypt or Anonymized DNS and your
347 | ## lists are up to date, these resolvers will not even be used.
348 |
349 | bootstrap_resolvers = ['9.9.9.9:53']
350 |
351 |
352 | ## When internal DNS resolution is required, for example to retrieve
353 | ## the resolvers list:
354 | ##
355 | ## - queries will be sent to dnscrypt-proxy itself, if it is already
356 | ## running with active servers (*)
357 | ## - or else, queries will be sent to fallback servers
358 | ## - finally, if `ignore_system_dns` is `false`, queries will be sent
359 | ## to the system DNS
360 | ##
361 | ## (*) this is incompatible with systemd sockets.
362 | ## `listen_addresses` must not be empty.
363 |
364 | ignore_system_dns = true
365 |
366 |
367 | ## Maximum time (in seconds) to wait for network connectivity before
368 | ## initializing the proxy.
369 | ## Useful if the proxy is automatically started at boot, and network
370 | ## connectivity is not guaranteed to be immediately available.
371 | ## Use 0 to not test for connectivity at all (not recommended),
372 | ## and -1 to wait as much as possible.
373 |
374 | netprobe_timeout = -1
375 |
376 | ## Address and port to try initializing a connection to, just to check
377 | ## if the network is up. It can be any address and any port, even if
378 | ## there is nothing answering these on the other side. Just don't use
379 | ## a local address, as the goal is to check for Internet connectivity.
380 | ## On Windows, a datagram with a single, nul byte will be sent, only
381 | ## when the system starts.
382 | ## On other operating systems, the connection will be initialized
383 | ## but nothing will be sent at all.
384 |
385 | netprobe_address = '9.9.9.9:53'
386 |
387 |
388 | ## Offline mode - Do not use any remote encrypted servers.
389 | ## The proxy will remain fully functional to respond to queries that
390 | ## plugins can handle directly (forwarding, cloaking, ...)
391 |
392 | # offline_mode = false
393 |
394 |
395 | ## Additional data to attach to outgoing queries.
396 | ## These strings will be added as TXT records to queries.
397 | ## Do not use, except on servers explicitly asking for extra data
398 | ## to be present.
399 | ## encrypted-dns-server can be configured to use this for access control
400 | ## in the [access_control] section
401 |
402 | # query_meta = ['key1:value1', 'key2:value2', 'token:MySecretToken']
403 |
404 |
405 | ###############################################################################
406 | # Filters #
407 | ###############################################################################
408 |
409 | ## Note: if you are using dnsmasq, disable the `dnssec` option in dnsmasq if you
410 | ## configure dnscrypt-proxy to do any kind of filtering (including the filters
411 | ## below and blocklists).
412 | ## You can still choose resolvers that do DNSSEC validation.
413 |
414 |
415 | ## Immediately respond to IPv6-related queries with an empty response
416 | ## This makes things faster when there is no IPv6 connectivity, but can
417 | ## also cause reliability issues with some stub resolvers.
418 |
419 | block_ipv6 = true
420 |
421 |
422 | ## Immediately respond to A and AAAA queries for host names without a domain name
423 | ## This also prevents "dotless domain names" from being resolved upstream.
424 |
425 | block_unqualified = true
426 |
427 |
428 | ## Immediately respond to queries for local zones instead of leaking them to
429 | ## upstream resolvers (always causing errors or timeouts).
430 |
431 | block_undelegated = true
432 |
433 |
434 | ## TTL for synthetic responses sent when a request has been blocked (due to
435 | ## IPv6 or blocklists).
436 |
437 | reject_ttl = 10
438 |
439 |
440 | ###############################################################################
441 | # Forwarding #
442 | ###############################################################################
443 |
444 | ## Route queries for specific domains to a dedicated set of servers
445 |
446 | ## See the `example-forwarding-rules.txt` file for an example
447 |
448 | # forwarding_rules = 'forwarding-rules.txt'
449 |
450 |
451 | ###############################################################################
452 | # Cloaking #
453 | ###############################################################################
454 |
455 | ## Cloaking returns a predefined address for a specific name.
456 | ## In addition to acting as a HOSTS file, it can also return the IP address
457 | ## of a different name. It will also do CNAME flattening.
458 | ## If 'cloak_ptr' is set, then PTR (reverse lookups) are enabled
459 | ## for cloaking rules that do not contain wild cards.
460 | ##
461 | ## See the `example-cloaking-rules.txt` file for an example
462 |
463 | # cloaking_rules = 'cloaking-rules.txt'
464 |
465 | ## TTL used when serving entries in cloaking-rules.txt
466 |
467 | # cloak_ttl = 600
468 | # cloak_ptr = false
469 |
470 |
471 | ###############################################################################
472 | # DNS Cache #
473 | ###############################################################################
474 |
475 | ## Enable a DNS cache to reduce latency and outgoing traffic
476 |
477 | cache = true
478 |
479 |
480 | ## Cache size
481 |
482 | cache_size = 4096
483 |
484 |
485 | ## Minimum TTL for cached entries
486 |
487 | cache_min_ttl = 2400
488 |
489 |
490 | ## Maximum TTL for cached entries
491 |
492 | cache_max_ttl = 86400
493 |
494 |
495 | ## Minimum TTL for negatively cached entries
496 |
497 | cache_neg_min_ttl = 60
498 |
499 |
500 | ## Maximum TTL for negatively cached entries
501 |
502 | cache_neg_max_ttl = 600
503 |
504 |
505 | ###############################################################################
506 | # Captive portal handling #
507 | ###############################################################################
508 |
509 | [captive_portals]
510 |
511 | ## A file that contains a set of names used by operating systems to
512 | ## check for connectivity and captive portals, along with hard-coded
513 | ## IP addresses to return.
514 |
515 | # map_file = 'example-captive-portals.txt'
516 |
517 |
518 | ###############################################################################
519 | # Local DoH server #
520 | ###############################################################################
521 |
522 | [local_doh]
523 |
524 | ## dnscrypt-proxy can act as a local DoH server. By doing so, web browsers
525 | ## requiring a direct connection to a DoH server in order to enable some
526 | ## features will enable these, without bypassing your DNS proxy.
527 |
528 | ## Addresses that the local DoH server should listen to
529 |
530 | # listen_addresses = ['127.0.0.1:3000']
531 |
532 |
533 | ## Path of the DoH URL. This is not a file, but the part after the hostname
534 | ## in the URL. By convention, `/dns-query` is frequently chosen.
535 | ## For each `listen_address` the complete URL to access the server will be:
536 | ## `https://<listen_address><path>` (ex: `https://127.0.0.1/dns-query`)
537 |
538 | # path = '/dns-query'
539 |
540 |
541 | ## Certificate file and key - Note that the certificate has to be trusted.
542 | ## Can be generated using the following command. It writes both the private key and
543 | ## the certificate to the same file, so keep that file readable only by the user running dnscrypt-proxy:
544 | ## openssl req -x509 -nodes -newkey rsa:2048 -days 5000 -sha256 -keyout localhost.pem -out localhost.pem
545 | ## See the documentation (wiki) for more information.
545 |
546 | # cert_file = 'localhost.pem'
547 | # cert_key_file = 'localhost.pem'
548 |
549 |
550 | ###############################################################################
551 | # Query logging #
552 | ###############################################################################
553 |
554 | [query_log]
555 |
556 | ## Path to the query log file (absolute, or relative to the same directory as the config file)
557 | ## Can be set to /dev/stdout in order to log to the standard output.
558 |
559 | # file = 'query.log'
560 |
561 |
562 | ## Query log format (currently supported: tsv and ltsv)
563 |
564 | format = 'tsv'
565 |
566 |
567 | ## Do not log these query types, to reduce verbosity. Keep empty to log everything.
568 |
569 | # ignored_qtypes = ['DNSKEY', 'NS']
570 |
571 |
572 | ###############################################################################
573 | # Suspicious queries logging #
574 | ###############################################################################
575 |
576 | [nx_log]
577 |
578 | ## Log queries for nonexistent zones
579 | ## These queries can reveal the presence of malware, broken/obsolete applications,
580 | ## and devices signaling their presence to 3rd parties.
581 |
582 | ## Path to the query log file (absolute, or relative to the same directory as the config file)
583 |
584 | # file = 'nx.log'
585 |
586 |
587 | ## Query log format (currently supported: tsv and ltsv)
588 |
589 | format = 'tsv'
590 |
591 |
592 | ###############################################################################
593 | # Pattern-based blocking (blocklists) #
594 | ###############################################################################
595 |
596 | ## Blocklists are made of one pattern per line. Example of valid patterns:
597 | ##
598 | ## example.com
599 | ## =example.com
600 | ## *sex*
601 | ## ads.*
602 | ## ads*.example.*
603 | ## ads*.example[0-9]*.com
604 | ##
605 | ## Example blocklist files can be found at https://download.dnscrypt.info/blocklists/
606 | ## A script to build blocklists from public feeds can be found in the
607 | ## `utils/generate-domains-blocklists` directory of the dnscrypt-proxy source code.
608 |
609 | [blocked_names]
610 |
611 | ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
612 |
613 | # blocked_names_file = 'blocked-names.txt'
614 |
615 |
616 | ## Optional path to a file logging blocked queries
617 |
618 | # log_file = 'blocked-names.log'
619 |
620 |
621 | ## Optional log format: tsv or ltsv (default: tsv)
622 |
623 | # log_format = 'tsv'
624 |
625 |
626 | ###############################################################################
627 | # Pattern-based IP blocking (IP blocklists) #
628 | ###############################################################################
629 |
630 | ## IP blocklists are made of one pattern per line. Example of valid patterns:
631 | ##
632 | ## 127.*
633 | ## fe80:abcd:*
634 | ## 192.168.1.4
635 |
636 | [blocked_ips]
637 |
638 | ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
639 |
640 | # blocked_ips_file = 'blocked-ips.txt'
641 |
642 |
643 | ## Optional path to a file logging blocked queries
644 |
645 | # log_file = 'blocked-ips.log'
646 |
647 |
648 | ## Optional log format: tsv or ltsv (default: tsv)
649 |
650 | # log_format = 'tsv'
651 |
652 |
653 | ###############################################################################
654 | # Pattern-based allow lists (blocklists bypass) #
655 | ###############################################################################
656 |
657 | ## Allowlists support the same patterns as blocklists
658 | ## If a name matches an allowlist entry, the corresponding session
659 | ## will bypass names and IP filters.
660 | ##
661 | ## Time-based rules are also supported to make some websites only accessible at specific times of the day.
662 |
663 | [allowed_names]
664 |
665 | ## Path to the file of allow list rules (absolute, or relative to the same directory as the config file)
666 |
667 | # allowed_names_file = 'allowed-names.txt'
668 |
669 |
670 | ## Optional path to a file logging allowed queries
671 |
672 | # log_file = 'allowed-names.log'
673 |
674 |
675 | ## Optional log format: tsv or ltsv (default: tsv)
676 |
677 | # log_format = 'tsv'
678 |
679 |
680 | ###############################################################################
681 | # Pattern-based allowed IPs lists (blocklists bypass) #
682 | ###############################################################################
683 |
684 | ## Allowed IP lists support the same patterns as IP blocklists
685 | ## If an IP response matches an allowed entry, the corresponding session
686 | ## will bypass IP filters.
687 | ##
688 | ## Time-based rules are also supported to make some websites only accessible at specific times of the day.
689 |
690 | [allowed_ips]
691 |
692 | ## Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file)
693 |
694 | # allowed_ips_file = 'allowed-ips.txt'
695 |
696 |
697 | ## Optional path to a file logging allowed queries
698 |
699 | # log_file = 'allowed-ips.log'
700 |
701 | ## Optional log format: tsv or ltsv (default: tsv)
702 |
703 | # log_format = 'tsv'
704 |
705 |
706 | ###############################################################################
707 | # Time access restrictions #
708 | ###############################################################################
709 |
710 | ## One or more weekly schedules can be defined here.
711 | ## Patterns in the name-based blocked_names file can optionally be followed with @schedule_name
712 | ## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
713 | ##
714 | ## For example, the following rule in a blocklist file:
715 | ## *.youtube.* @time-to-sleep
716 | ## would block access to YouTube during the times defined by the 'time-to-sleep' schedule.
717 | ##
718 | ## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
719 | ## {after= '9:00', before='18:00'} matches 9:00-18:00
720 |
721 | [schedules]
722 |
723 | # [schedules.time-to-sleep]
724 | # mon = [{after='21:00', before='7:00'}]
725 | # tue = [{after='21:00', before='7:00'}]
726 | # wed = [{after='21:00', before='7:00'}]
727 | # thu = [{after='21:00', before='7:00'}]
728 | # fri = [{after='23:00', before='7:00'}]
729 | # sat = [{after='23:00', before='7:00'}]
730 | # sun = [{after='21:00', before='7:00'}]
731 |
732 | # [schedules.work]
733 | # mon = [{after='9:00', before='18:00'}]
734 | # tue = [{after='9:00', before='18:00'}]
735 | # wed = [{after='9:00', before='18:00'}]
736 | # thu = [{after='9:00', before='18:00'}]
737 | # fri = [{after='9:00', before='17:00'}]
738 |
739 |
740 | ###############################################################################
741 | # Servers #
742 | ###############################################################################
743 |
744 | ## Remote lists of available servers
745 | ## Multiple sources can be used simultaneously, but every source
746 | ## requires a dedicated cache file.
747 | ##
748 | ## Refer to the documentation for URLs of public sources.
749 | ##
750 | ## A prefix can be prepended to server names in order to
751 | ## avoid collisions if different sources share the same name for
752 | ## different servers. In that case, names listed in `server_names`
753 | ## must include the prefixes.
754 | ##
755 | ## If the `urls` property is missing, cache files and valid signatures
756 | ## must already be present. This doesn't prevent these cache files from
757 | ## expiring after `refresh_delay` hours.
758 | ## `refresh_delay` must be in the [24..168] interval.
759 | ## The minimum delay of 24 hours (1 day) avoids unnecessary requests to servers.
760 | ## The maximum delay of 168 hours (1 week) ensures cache freshness.
761 |
762 | [sources]
763 |
764 | ### An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
765 |
766 | [sources.public-resolvers]
767 | urls = [
768 | 'https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md',
769 | 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md',
770 | ]
771 | cache_file = 'public-resolvers.md'
772 | minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
773 | refresh_delay = 73
774 | prefix = ''
775 |
776 | ### Anonymized DNS relays
777 |
778 | [sources.relays]
779 | urls = [
780 | 'https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md',
781 | 'https://download.dnscrypt.info/resolvers-list/v3/relays.md',
782 | ]
783 | cache_file = 'relays.md'
784 | minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
785 | refresh_delay = 73
786 | prefix = ''
787 |
788 | ### ODoH (Oblivious DoH) servers and relays
789 |
790 | # [sources.odoh-servers]
791 | # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md']
792 | # cache_file = 'odoh-servers.md'
793 | # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
794 | # refresh_delay = 73
795 | # prefix = ''
796 | # [sources.odoh-relays]
797 | # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md']
798 | # cache_file = 'odoh-relays.md'
799 | # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
800 | # refresh_delay = 73
801 | # prefix = ''
802 |
803 | ### Quad9
804 |
805 | # [sources.quad9-resolvers]
806 | # urls = ['https://quad9.net/dnscrypt/quad9-resolvers.md']
807 | # minisign_key = 'RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN'
808 | # cache_file = 'quad9-resolvers.md'
809 | # prefix = 'quad9-'
810 |
811 | ### Another example source, with resolvers censoring some websites not appropriate for children
812 | ### This is a subset of the `public-resolvers` list, so enabling both is useless.
813 |
814 | # [sources.parental-control]
815 | # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md']
816 | # cache_file = 'parental-control.md'
817 | # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
818 |
819 | ### dnscry.pt servers - See https://www.dnscry.pt
820 |
821 | # [sources.dnscry-pt-resolvers]
822 | # urls = ["https://www.dnscry.pt/resolvers.md"]
823 | # minisign_key = "RWQM31Nwkqh01x88SvrBL8djp1NH56Rb4mKLHz16K7qsXgEomnDv6ziQ"
824 | # cache_file = "dnscry.pt-resolvers.md"
825 | # refresh_delay = 73
826 | # prefix = "dnscry.pt-"
827 |
828 |
829 | ###############################################################################
830 | # Servers with known bugs #
831 | ###############################################################################
832 |
833 | [broken_implementations]
834 |
835 | ## Cisco servers currently cannot handle queries larger than 1472 bytes, and don't
836 | ## truncate responses larger than questions as expected by the DNSCrypt protocol.
837 | ## This prevents large responses from being received over UDP and over relays.
838 | ##
839 | ## Older versions of the `dnsdist` server software had a bug with queries larger
840 | ## than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but
841 | ## some servers may still run an outdated version.
842 | ##
843 | ## The list below enables workarounds to make non-relayed usage more reliable
844 | ## until the servers are fixed.
845 |
846 | fragments_blocked = [
847 | 'cisco',
848 | 'cisco-ipv6',
849 | 'cisco-familyshield',
850 | 'cisco-familyshield-ipv6',
851 | 'cisco-sandbox',
852 | 'cleanbrowsing-adult',
853 | 'cleanbrowsing-adult-ipv6',
854 | 'cleanbrowsing-family',
855 | 'cleanbrowsing-family-ipv6',
856 | 'cleanbrowsing-security',
857 | 'cleanbrowsing-security-ipv6',
858 | ]
859 |
860 |
861 | ###############################################################################
862 | # Certificate-based client authentication for DoH #
863 | ###############################################################################
864 |
865 | [doh_client_x509_auth]
866 |
867 | ## Use an X509 certificate to authenticate yourself when connecting to DoH servers.
868 | ## This is only useful if you are operating your own, private DoH server(s).
869 | ## 'creds' maps servers to certificates, and supports multiple entries.
870 | ## If you are not using the standard root CA, an optional "root_ca"
871 | ## property set to the path to a root CRT file can be added to a server entry.
872 |
873 | # creds = [
874 | # { server_name='*', client_cert='client.crt', client_key='client.key' }
875 | # ]
876 |
877 |
878 | ###############################################################################
879 | # Anonymized DNS #
880 | ###############################################################################
881 |
882 | [anonymized_dns]
883 |
884 | ## Routes are indirect ways to reach DNSCrypt servers.
885 | ##
886 | ## A route maps a server name ("server_name") to one or more relays that will be
887 | ## used to connect to that server.
888 | ##
889 | ## A relay can be specified as a DNS Stamp (either a relay stamp, or a
890 | ## DNSCrypt stamp) or a server name.
891 | ##
892 | ## The following example routes "example-server-1" via `anon-example-1` or `anon-example-2`,
893 | ## and "example-server-2" via the relay whose relay DNS stamp is
894 | ## "sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM".
895 | ##
896 | ## !!! THESE ARE JUST EXAMPLES !!!
897 | ##
898 | ## Review the list of available relays from the "relays.md" file, and, for each
899 | ## server you want to use, define the relays you want connections to go through.
900 | ##
901 | ## Carefully choose relays and servers so that they are run by different entities.
902 | ##
903 | ## "server_name" can also be set to "*" to define a default route, for all servers:
904 | ## { server_name='*', via=['anon-example-1', 'anon-example-2'] }
905 | ##
906 | ## If a route is ["*"], the proxy automatically picks a relay on a distinct network.
907 | ## { server_name='*', via=['*'] } is also an option, but is likely to be suboptimal.
908 | ##
909 | ## Manual selection is always recommended over automatic selection, so that you can
910 | ## select (relay,server) pairs that work well and fit your own criteria (close by or
911 | ## in different countries, operated by different entities, on distinct ISPs...)
912 |
913 | routes = [
914 | { server_name='ams-dnscrypt-nl', via=['anon-meganerd', 'anon-scaleway-ams'] },
915 | { server_name='d0wn-tz-ns1', via=['anon-arapurayil-in-ipv4', 'anon-cs-rome'] },
916 | { server_name='dct-nl', via=['anon-meganerd', 'anon-scaleway-ams'] },
917 | { server_name='dct-ru', via=['anon-cs-czech', 'anon-techsaviours.org'] },
918 | { server_name='dnscrypt.be', via=['anon-cs-belgium', 'anon-serbica'] },
919 | { server_name='dnscrypt.pl', via=['anon-cs-poland', 'anon-techsaviours.org'] },
920 | { server_name='dnscrypt.uk-ipv4', via=['anon-cs-london', 'anon-scaleway'] },
921 | { server_name='dnswarden-uncensor-dc-swiss', via=['anon-cs-fr', 'anon-kama'] },
922 | { server_name='meganerd', via=['anon-scaleway-ams', 'anon-serbica'] },
923 | { server_name='openinternet', via=['anon-cs-sea', 'anon-inconnu'] },
924 | { server_name='plan9dns-fl', via=['anon-cs-tx', 'anon-inconnu'] },
925 | { server_name='plan9dns-mx', via=['anon-cs-tx', 'anon-inconnu'] },
926 | { server_name='plan9dns-nj', via=['anon-cs-nyc1', 'anon-inconnu'] },
927 | { server_name='pryv8boi', via=['anon-cs-dus1', 'anon-techsaviours.org'] },
928 | { server_name='sby-limotelu', via=['anon-cs-sydney', 'anon-tiarap'] },
929 | { server_name='scaleway-ams', via=['anon-meganerd', 'anon-serbica'] },
930 | { server_name='scaleway-fr', via=['anon-cs-fr', 'anon-dnscrypt.uk-ipv4'] },
931 | { server_name='serbica', via=['anon-cs-nl', 'anon-scaleway-ams'] },
932 | { server_name='techsaviours.org-dnscrypt', via=['anon-cs-berlin', 'anon-dnswarden-swiss'] },
933 | { server_name='v.dnscrypt.uk-ipv4', via=['anon-cs-london', 'anon-scaleway'] }
934 | # { server_name='example-server-1', via=['anon-example-1', 'anon-example-2'] },
935 | # { server_name='example-server-2', via=['sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM'] }
936 | ]
937 |
938 |
939 | ## Skip resolvers incompatible with anonymization instead of using them directly
940 |
941 | skip_incompatible = true
942 |
943 |
944 | ## If public server certificates for a non-conformant server cannot be
945 | ## retrieved via a relay, try getting them directly. Actual queries
946 | ## will then always go through relays.
947 |
948 | direct_cert_fallback = false
949 |
950 |
951 | ###############################################################################
952 | # DNS64 #
953 | ###############################################################################
954 |
955 | [dns64]
956 |
957 | ## DNS64 is a mechanism for synthesizing AAAA records from A records.
958 | ## It is used with an IPv6/IPv4 translator to enable client-server
959 | ## communication between an IPv6-only client and an IPv4-only server,
960 | ## without requiring any changes to either the IPv6 or the IPv4 node,
961 | ## for the class of applications that work through NATs.
962 | ##
963 | ## There are two options to synthesize such records:
964 | ## Option 1: Using a set of static IPv6 prefixes;
965 | ## Option 2: By discovering the IPv6 prefix from DNS64-enabled resolver.
966 | ##
967 | ## If both options are configured - only static prefixes are used.
968 | ## (Ref. RFC6147, RFC6052, RFC7050)
969 | ##
970 | ## Do not enable unless you know what DNS64 is and why you need it, or else
971 | ## you won't be able to connect to anything at all.
972 |
973 | ## Static prefix(es) as Pref64::/n CIDRs
974 |
975 | # prefix = ['64:ff9b::/96']
976 |
977 | ## DNS64-enabled resolver(s) to discover Pref64::/n CIDRs
978 | ## These resolvers are only queried for the Well-Known IPv4-only Name (WKN) "ipv4only.arpa." in order to discover the prefix.
979 | ## Set this to your ISP's resolvers if it uses custom prefixes (other than the Well-Known Prefix 64:ff9b::/96).
980 | ## IMPORTANT: Default resolvers listed below support Well-Known Prefix 64:ff9b::/96 only.
981 |
982 | # resolver = ['[2606:4700:4700::64]:53', '[2001:4860:4860::64]:53']
983 |
984 |
985 | ###############################################################################
986 | # IP Encryption #
987 | ###############################################################################
988 |
989 | [ip_encryption]
990 |
991 | ## Encrypt client IP addresses in plugin logs using IPCrypt
992 | ## This provides privacy for client IP addresses while maintaining
993 | ## the ability to distinguish between different clients in logs
994 |
995 | ## Encryption algorithm (default: "none")
996 | ## - "none": No encryption (default)
997 | ## - "ipcrypt-deterministic": Deterministic encryption (same IP always encrypts to same value) - requires 16-byte key
998 | ## - "ipcrypt-nd": Non-deterministic encryption with 8-byte tweak - requires 16-byte key
999 | ## - "ipcrypt-ndx": Non-deterministic encryption with 16-byte tweak (extended) - requires 32-byte key
1000 | ## - "ipcrypt-pfx": Prefix-preserving encryption (preserves network prefix relationships) - requires 32-byte key
1001 |
1002 | algorithm = "none"
1003 |
1004 | ## Encryption key in hexadecimal format (required if algorithm is not "none")
1005 | ## Key size depends on the algorithm:
1006 | ## - ipcrypt-deterministic: 32 hex chars (16 bytes) - Generate with: openssl rand -hex 16
1007 | ## - ipcrypt-nd: 32 hex chars (16 bytes) - Generate with: openssl rand -hex 16
1008 | ## - ipcrypt-ndx and ipcrypt-pfx: 64 hex chars (32 bytes) - Generate with: openssl rand -hex 32
1009 | ## Example for deterministic/nd: key = "1234567890abcdef1234567890abcdef"
1010 | ## Example for ndx/pfx: key = "1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef"
1011 | ## IMPORTANT: Keep this key secret and do not reuse the example values above; generate your own
1012 |
1013 | key = ""
1014 |
1015 |
1016 | ###############################################################################
1017 | # Monitoring UI #
1018 | ###############################################################################
1019 |
1020 | [monitoring_ui]
1021 |
1022 | ## Enable the monitoring UI
1023 | enabled = false
1024 |
1025 | ## Listen address for the monitoring UI (loopback by default; binding a non-local address exposes the UI and its query log beyond this host)
1026 | listen_address = "127.0.0.1:8080"
1027 |
1028 | ## Optional username and password for HTTP basic authentication; change the placeholder values below before enabling the UI
1029 | ## To disable authentication, set username to an empty string: username = ""
1030 | ## If both username and password are empty, no authentication is required (basic auth credentials travel in cleartext unless TLS below is configured)
1031 | username = "admin"
1032 | password = "changeme"
1033 |
1034 | ## Optional TLS certificate and key for HTTPS
1035 | ## If both are empty, plain (unencrypted) HTTP will be used
1036 | tls_certificate = ""
1037 | tls_key = ""
1038 |
1039 | ## Enable query logging in the monitoring UI
1040 | ## This will show recent queries in the UI
1041 | enable_query_log = true
1042 |
1043 | ## Privacy level for the monitoring UI
1044 | ## 0: show all details including client IPs
1045 | ## 1: anonymize client IPs (default)
1046 | ## 2: aggregate data only (no individual queries or domains shown)
1047 | privacy_level = 1
1048 |
1049 | ## Maximum number of recent query log entries to keep in memory
1050 | ## Helps control memory usage on high-traffic servers
1051 | ## Default: 100
1052 | # max_query_log_entries = 100
1053 |
1054 | ## Maximum memory usage in MB for recent query logs
1055 | ## Automatic cleanup when limit is exceeded
1056 | ## Default: 1
1057 | # max_memory_mb = 1
1058 |
1059 | ## Enable Prometheus metrics endpoint
1060 | ## Default: false
1061 | # prometheus_enabled = false
1062 |
1063 | ## Path for Prometheus metrics endpoint
1064 | ## Default: /metrics
1065 | # prometheus_path = "/metrics"
1066 |
1067 |
1068 | ###############################################################################
1069 | # Static entries #
1070 | ###############################################################################
1071 |
1072 | [static]
1073 |
1074 | ## Optional, local, static list of additional servers
1075 | ## Mostly useful for testing your own servers.
1076 |
1077 | # [static.myserver]
1078 | # stamp = 'sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'
1079 |
--------------------------------------------------------------------------------