├── .gitattributes
├── .github
    └── ISSUE_TEMPLATE
    │   ├── bug_report.md
    │   └── feature_request.md
├── CHANGELOG.md
├── LICENSE.md
├── META-INF
    └── com
    │   └── google
    │       └── android
    │           ├── update-binary
    │           └── updater-script
├── README.md
├── binary
    ├── dnscrypt-proxy-arm
    ├── dnscrypt-proxy-arm64
    ├── dnscrypt-proxy-i386
    └── dnscrypt-proxy-x86_64
├── config
    ├── LICENSE
    ├── allowed-ips.txt
    ├── allowed-names.txt
    ├── blocked-ips.txt
    ├── blocked-names.txt
    └── dnscrypt-proxy.toml
├── customize.sh
├── module.prop
├── post-fs-data.sh
├── service.sh
├── uninstall.sh
└── update.json


/.gitattributes:
--------------------------------------------------------------------------------
1 | # Declare files that will always have LF line endings on checkout.
2 | META-INF/** text eol=lf
3 | *.prop text eol=lf
4 | *.sh text eol=lf
5 | *.md text eol=lf
6 | 
7 | # Denote all files that are truly binary and should not be modified.
8 | system/** binary
9 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: 'Bug Report'
 3 | about: Create a dnscrypt-proxy-android bug report
 4 | title: ''
 5 | labels: ''
 6 | assignees: ''
 7 | 
 8 | ---
 9 | 
10 | **Describe the bug**
11 | A clear and concise description of what the bug is.
12 | 
13 | **To Reproduce**
14 | Steps to reproduce the behavior:
15 | 1. Go to '...'
16 | 2. Click on '...'
17 | 3. Scroll down to '...'
18 | 4. See error
19 | 
20 | **Expected behavior (i.e. solution)**
21 | A clear and concise description of what you expected to happen or what could be the solution.
22 | 
23 | **Screenshots**
24 | If applicable, add screenshots to help explain your problem.
25 | 
26 | **Device informations:**
27 | - Android: `version`
28 | - Magisk: `version`
29 | - OS/Custom ROM: `e.g. stock, lineageos`
30 | - Browser: `e.g. stock browser, safari`
31 | 
32 | **Additional context**
33 | Add any other context about the problem here.
34 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Feature request
 3 | about: Suggest an idea for dnscrypt-proxy-android
 4 | title: ''
 5 | labels: ''
 6 | assignees: ''
 7 | 
 8 | ---
 9 | 
10 | **Is your feature request related to a problem? Please describe.**
11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
12 | 
13 | **Describe the solution you'd like**
14 | A clear and concise description of what you want to happen.
15 | 
16 | **Describe alternatives you've considered**
17 | A clear and concise description of any alternative solutions or features you've considered.
18 | 
19 | **Additional context**
20 | Add any other context or screenshots about the feature request here.
21 | 


--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
  1 | # Changelog
  2 | 
  3 | ## unreleased
  4 | ### Changed
  5 | - `dct-nl1` name resolver to `dct-nl`.
  6 | - `dct-ru1` name resolver to `dct-ru`.
  7 | - Optimized relays.
  8 | 
  9 | ### Removed
 10 | - `dct-at1` resolver (ceased).
 11 | - `dnscrypt.ca-1` resolver (ceased).
 12 | - `dnscrypt.ca-2` resolver (ceased).
 13 | 
 14 | ## 2.1.5
 15 | ### Upstream
 16 |  - dnscrypt-proxy can be compiled with Go 1.21.0+
 17 |  - Responses to blocked queries now include extended error codes
 18 |  - Reliability of connections using HTTP/3 has been improved
 19 |  - New configuration directive: `tls_key_log_file`. When defined, this
 20 | is the path to a file where TLS secret keys will be written to, so
 21 | that DoH traffic can be locally inspected.
 22 | 
 23 | ### Changed
 24 | - Optimized relays.
 25 | 
 26 | ### Removed
 27 | - `altername` resolver (temporarily down).
 28 | - `dct-de1` resolver (ceased).
 29 | - `dns.watch` resolver (unresponsive).
 30 | - `starrydns` resolver (ceased).
 31 | 
 32 | ## 2.1.4
 33 | ### Upstream
 34 |  - Fixes a regression from version 2.1.3: when cloaking was enabled,
 35 | blocked responses were returned for records that were not A/AAAA/PTR
 36 | even for names that were not in the cloaked list.
 37 | 
 38 | ### Added
 39 | - `dct-ru1` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Moscow, Russia).
 40 | 
 41 | ## 2.1.3
 42 | ### Upstream
 43 |  - DNS-over-HTTP/3 (QUIC) should be more reliable. In particular,
 44 | version 2.1.2 required another (non-QUIC) resolver to be present for
 45 | bootstrapping, or the resolver's IP address to be present in the
 46 | stamp. This is not the case any more.
 47 |  - dnscrypt-proxy is now compatible with Go 1.20+
 48 |  - Commands (-check, -show-certs, -list, -list-all) now ignore log
 49 | files and directly output the result to the standard output.
 50 |  - The `cert_ignore_timestamp` configuration switch is now documented.
 51 | It allows ignoring timestamps for DNSCrypt certificate verification,
 52 | until a first server is available. This should only be used on devices
 53 | that don't have any ways to set the clock before DNS service is up.
 54 | However, a safer alternative remains to use an NTP server with a fixed
 55 | IP address (such as time.google.com), configured in the captive portals
 56 | file.
 57 |  - Cloaking: when a name is cloaked, unsupported record types now
 58 | return a blocked response rather than the actual records.
 59 |  - systemd: report Ready earlier as dnscrypt-proxy can itself manage
 60 | retries for updates/refreshes.
 61 | 
 62 | ### Added
 63 | - Script in `customize.sh` file for automatically disable Private DNS feature.
 64 | - `dct-nl1` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Naaldwijk, Netherlands).
 65 | - `openinternet` resolver (DNSCrypt resolver colocated at Sonic.net in Santa Rosa, CA in the United States. No log, no filter, DNSSEC. Provided by https://openinternet.io).
 66 | 
 67 | ### Changed
 68 | - Optimized relays.
 69 | 
 70 | ### Removed
 71 | - `acsacsar-ams-ipv4` resolver (unresponsive).
 72 | - `dct-ru1` resolver (unresponsive).
 73 | - `dnscrypt.eu-nl` resolver (ceased).
 74 | - `dotya.ml` resolver (unresponsive).
 75 | - `resolver4.dns.openinternet.io` resolver (changed).
 76 | - `sgp-dn53` resolver (unresponsive).
 77 | 
 78 | ### Fixed
 79 | - Show the correct changelog version in Magisk app.
 80 | 
 81 | ## 2.1.2.4
 82 | ### Added
 83 | - Automatic redirections in `post-fs-data.sh` file.
 84 | 
 85 | ### Changed
 86 | - Use a more modern [DNS.SB](https://dns.sb/) as `bootstrap_resolvers`.
 87 | 
 88 | ## 2.1.2.3
 89 | ### Changed
 90 | - Use [DNS.SB](https://dns.sb/) as `bootstrap_resolvers`.
 91 | - Use [DNS.SB](https://dns.sb/) as `netprobe_address`.
 92 | 
 93 | ### Removed
 94 | - Automatic redirections in `post-fs-data.sh` file.
 95 | 
 96 | ## 2.1.2.2
 97 | ### Fixed
 98 | - Forgotten scripts in `post-fs-data` file (it prevent using bootstrap resolvers correctly).
 99 | 
100 | ## 2.1.2.1
101 | ### Added
102 | - `dct-at1` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Vienna, Austria).
103 | - `dct-de1` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Düsseldorf, Germany).
104 | - `dct-ru1` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Moscow, Russia).
105 | - `dnswarden-uncensor-dc-swiss` resolver (Hosted in Switzerland. For more information look [here](https://github.com/bhanupratapys/dnswarden) or [here](https://dnswarden.com)).
106 | - `dotya.ml` resolver (Free, uncensored, DNSSEC-validated, non-logging DNSCrypt server hosted in Nuremberg, Germany on Contabo servers. Operated by dotya.ml, configs live [here](https://git.dotya.ml/dotya.ml/dnscrypt-server)).
107 | - `sby-limotelu` resolver (non-censoring, non-logging, DNSSEC-capable Hosted in Surabaya, Indonesia (Dnscrypt) https://limotelu.org maintained by [poentodewo](https://github.com/poentodewo)).
108 | - `sgp-dn53` resolver (non-censoring, non-logging, DNSSEC-capable Hosted in Singapore (Dnscrypt) https://limotelu.org maintained by [poentodewo](https://github.com/poentodewo)).
109 | - `starrydns` resolver (DNSCrypt server in Singapore, no filter, no logs, DNSSEC support).
110 | 
111 | ### Changed
112 | - Optimized relays.
113 | - Use [dns.watch](https://dns.watch/) `resolver1` and `resolver2` as `bootstrap_resolvers`.
114 | - Use [dns.watch](https://dns.watch/) `resolver1` as `netprobe_address`.
115 | 
116 | ### Removed
117 | - `breddns` resolver (unresponsive).
118 | - `dnswarden-uncensor-fr1-dc` resolver (changed).
119 | - `dnswarden-uncensor-ind1-dc` resolver (changed).
120 | - `dnswarden-uncensor-sg1-dc` resolver (changed).
121 | - `dnswarden-uncensor-us1-dc` resolver (changed).
122 | - `moulticast-fr-ipv4` resolver (unresponsive).
123 | - `moulticast-sg-ipv4` resolver (unresponsive).
124 | - `moulticast-uk-ipv4` resolver (unresponsive).
125 | - `pwoss.org-dnscrypt` resolver (unresponsive).
126 | 
127 | ## 2.1.2
128 | ### Upstream
129 | - Support for DoH over HTTP/3 (DoH3, HTTP over QUIC) has been added.
130 | Compatible servers will automatically use it. Note that QUIC uses UDP
131 | (usually over port 443, like DNSCrypt) instead of TCP.
132 | - In previous versions, memory usage kept growing due to channels not
133 | being properly closed, causing goroutines to pile up. This was fixed,
134 | resulting in an important reduction of memory usage. Thanks to
135 | @lifenjoiner for investigating and fixing this!
136 | - DNS64: `CNAME` records are now translated like other responses.
137 | Thanks to @ignoramous for this!
138 | - A relay whose name has been configured, but doesn't exist in the
139 | list of available relays is now a hard error. Thanks to @lifenjoiner!
140 | - Mutexes/locking: bug fixes and improvements, by @ignoramous
141 | - Official packages now include linux/riscv64 builds.
142 | - `dnscrypt-proxy -resolve` now reports if ECS (EDNS-clientsubnet) is
143 | supported by the server.
144 | - `dnscrypt-proxy -list` now includes ODoH (Oblivious DoH) servers.
145 | - Local DoH: queries made using the `GET` method are now handled.
146 | - The service can now be installed on OpenRC-based systems.
147 | - `PTR` queries are now supported for cloaked domains. Contributed by
148 | Ian Bashford, thanks!
149 | 
150 | ### Added
151 | - Scripts in `post-fs-data.sh` file for force disable IPv6 connections at OS level, preventing possible leaks.
152 | - `breddns` resolver (Non-logging DNSCrypt server located in Luxembourg, operated by @tmclo).
153 | - `dnswarden-uncensor-fr1-dc` resolver (Hosted in France. For more information look [here](https://github.com/bhanupratapys/dnswarden) or [here](https://dnswarden.com)).
154 | - `dnswarden-uncensor-ind1-dc` resolver (Hosted in India. For more information look [here](https://github.com/bhanupratapys/dnswarden) or [here](https://dnswarden.com)).
155 | - `dnswarden-uncensor-sg1-dc` resolver (Hosted in Singapore. For more information look [here](https://github.com/bhanupratapys/dnswarden) or [here](https://dnswarden.com)).
156 | - `dnswarden-uncensor-us1-dc` resolver (Hosted in USA (Dallas). For more information look [here](https://github.com/bhanupratapys/dnswarden) or [here](https://dnswarden.com)).
157 | 
158 | ### Changed
159 | - Adjusted `versionCode` in `module.prop` file (more easy share beta and manage minor dnscrypt-proxy versions with two digits).
160 | - Optimized relays.
161 | 
162 | ### Removed
163 | - `dnswarden-asia-uncensor-dcv4` resolver (changed).
164 | - `dnswarden-eu-uncensor-dcv4` resolver (changed).
165 | - `dnswarden-us-uncensor-dcv4` resolver (changed).
166 | 
167 | ## 2.1.1-3
168 | ### Added
169 | - `plan9dns-fl` resolver (Miami Florida, US No-logs, no-filters, DNSSEC -info https://jlongua.github.io/plan9-dns).
170 | - `plan9dns-mx` resolver (Mexico City, Mexico No-logs, no-filters, DNSSEC -info https://jlongua.github.io/plan9-dns).
171 | - `plan9dns-nj` resolver (Piscataway New Jersey, US No-logs, no-filters, DNSSEC -info https://jlongua.github.io/plan9-dnsPiscataway).
172 | - `techsaviours.org-dnscrypt` resolver (No filter | No logs | DNSSEC | Nuremberg, Germany (netcup) | Maintained by https://techsaviours.org/).
173 | 
174 | ### Changed
175 | - Optimized relays.
176 | 
177 | ### Fixed
178 | - Changelog display issues in Magisk app.
179 | 
180 | ### Removed
181 | - `bcn-dnscrypt` resolver (ceased).
182 | - `dns.digitalsize.net` resolver (DoH).
183 | - `dct-at1` resolver (temporarily down).
184 | - `dct-de1` resolver (temporarily down).
185 | - `dct-ru1` resolver (temporarily down).
186 | - `gombadi-syd` resolver (ceased).
187 | - `moulticast-ca-ipv4` resolver (unresponsive).
188 | - `moulticast-de-ipv4` resolver (unresponsive).
189 | - `plan9-ns1` resolver (changed).
190 | - `plan9-ns2` resolver (changed).
191 | 
192 | ## 2.1.1-2
193 | ### Fixed
194 | - Random connection issues under mobile data. (see [DNSCrypt/dnscrypt-proxy/discussions/2020](https://github.com/DNSCrypt/dnscrypt-proxy/discussions/2020))
195 | 
196 | ### Removed
197 | - `dct-ru2` resolver (ceased).
198 | - `pf-dnscrypt` resolver (unresponsive).
199 | - `zackptg5-us-il-ipv4` resolver (ceased).
200 | 
201 | ## 2.1.1-1
202 | ### Added
203 | - `uninstall.sh` file for `dnscrypt-proxy` folder removal after module uninstallation (Android 7 and below at the moment).
204 | - `update.json` file for enable the new auto-update feature from `Magisk v24+`.
205 | - `dct-at1` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Vienna, Austria).
206 | - `dct-de1` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Düsseldorf, Germany).
207 | - `dns.digitalsize.net` resolver (A public, non-tracking, non-filtering DNS resolver with DNSSEC enabled and hosted in Germany (https://dns.digitalsize.net)).
208 | - `dnswarden-asia-uncensor-dcv4` resolver (dnscrypt-server. No logging, No filtering, support DNSSEC, located in Singapore. by Bhanu Pratap).
209 | - `dnswarden-eu-uncensor-dcv4` resolver (dnscrypt-server. No logging, No filtering, support DNSSEC, located in Germany. by Bhanu Pratap).
210 | - `dnswarden-us-uncensor-dcv4` resolver (dnscrypt-server. No logging, No filtering, support DNSSEC, located in USA (Dallas). by Bhanu Pratap).
211 | 
212 | ### Changed
213 | - Project migrated to GitHub.
214 | - Optimized relays.
215 | 
216 | ### Removed
217 | - `zackptg5-us-pit-ipv4` resolver (unresponsive).
218 | 
219 | ## 2.1.1
220 | ### Upstream
221 | This is a bugfix only release, addressing regressions introduced in
222 | version 2.1.0:
223 | - When using DoH, cached responses were not served any more when
224 | experiencing connectivity issues. This has been fixed.
225 | - Time attributes in allow/block lists were ignored. This has been
226 | fixed.
227 | - The TTL as served to clients is now rounded and starts decreasing
228 | before the first query is received.
229 | - Time-based rules are properly handled again in
230 | generate-domains-blocklist.
231 | - DoH/ODoH: entries with an IP address and using a non-standard port
232 | used to require help from a bootstrap resolver. This is not the case
233 | any more.
234 | 
235 | ### Changed
236 | - Optimized relays.
237 | 
238 | ### Removed
239 | - `dama.no-osl-s04` resolver (unresponsive).
240 | - `dama.no-sa-a80` resolver (unresponsive).
241 | - `kenshiro` resolver (unresponsive, no more lucenera resolvers).
242 | - `suami` resolver (unresponsive, no more lucenera resolvers).
243 | 
244 | ## 2.1.0
245 | ### Upstream
246 | - `dnscrypt-proxy` now includes support for Oblivious DoH.
247 | - If the proxy is overloaded, cached and synthetic queries now keep being
248 | served, while non-cached queries are delayed.
249 | - A deprecation warning was for `fallback_resolvers`.
250 | - Source URLs are now randomized.
251 | - On some platforms, redirecting the application log to a file was not
252 | compatible with user switching; this has been fixed.
253 | - `fallback_resolvers` was renamed to `bootstrap_resolvers` for
254 | clarity. Please update your configuration file accordingly.
255 | 
256 | ### Added
257 | - DNS Rebind Protection with `blocked-ips.txt` file enabled by default.
258 | - UncensoredDNS (Unicast) in addition to UncensoredDNS (Anycast) as `bootstrap_resolvers`.
259 | - `ams-dnscrypt-nl` resolver (Resolver in Amsterdam. Dnscrypt protocol. Non-logging, non-filtering, DNSSEC).
260 | - `altername` resolver (Protocol: DNSCrypt IPv4 | Features: Non-logging, Non-filtering, DNSSEC, EmerDNS | Location: Moscow, Russia).
261 | - `dama.no-osl-s04` resolver (DNSCrypt server located in Oslo/Norway. Link-speed 100 Mbit/s. Non-censoring, non-logging, DNSSEC-capable).
262 | - `dama.no-sa-a80` resolver (DNSCrypt Server located in Sandefjord/Norway. non-censoring, non-logging, DNSSEC-capable).
263 | - `dct-ru1` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Saint Petersburg, Russia).
264 | - `dct-ru2` resolver (DNSCrypt | IPv4 only | Non-logging | Non-filtering | DNSSEC | Moscow, Russia).
265 | - `dns.watch` resolver (Free, uncensored, non-logging server in Germany. https://dns.watch).
266 | - `gombadi-syd` resolver (Protocol: DNSCrypt IPv4 | Features: Non-logging, Non-filtering, DNSSEC, Unbound | Location: Sydney, AU).
267 | - `kenshiro` resolver (dnscrypt-server. No logging, No filtering, support DNSSEC, located in Amsterdam. by lucenera).
268 | - `pf-dnscrypt` resolver (by post-factum | Zürich, Switzerland | Non-logging | Non-filtering | DNSSEC | https://dns.post-factum.tk).
269 | - `plan9-ns2` resolver (DNSCrypt server in Florida, USA. Non-logging, non-filtering, DNSSEC, anonymized. info - https://jlongua.github.io/plan9-dns/).
270 | - `pryv8boi` resolver (By pryv8, non Logging, uncensored, DNSSEC - hosted on contabo servers).
271 | - `resolver4.dns.openinternet.io` resolver (DNSCrypt resolver on dedicated hardware, colocated at Sonic.net in Santa Rosa, CA in the United States. No log, no filter, DNSSEC. Uses Sonic's recusrive DNS servers as upstream resolvers (but is not affiliated with Sonic in any way). Provided by https://openinternet.io).
272 | - `suami` resolver (dnscrypt-server. No logging, No filtering, support DNSSEC, located in Frankfurt. by lucenera).
273 | - `zackptg5-us-il-ipv4` resolver (DNSSEC/unfiltered/non-logged. Hosted on Vultr in Chicago, IL. Running the official Docker image by @zackptg5).
274 | - `zackptg5-us-pit-ipv4` resolver (DNSSEC/unfiltered/non-logged. Hosted on TeraSwitch in Pittsburgh, PA. Running the official Docker image by @zackptg5).
275 | 
276 | ### Changed
277 | - The path of the config. files from `/data/media/0/dnscrypt-proxy` to `/storage/emulated/0/dnscrypt-proxy` (fix for log issues on `A11+` and an issue on `A6-` where the config. files could not be modified).
278 | - Set `dnscrypt-proxy.log` level from `2` to `0` (but keep it disabled by default).
279 | - Optimized relays.
280 | 
281 | ### Removed
282 | - `dama.no-osl-s04` resolver (unresponsive).
283 | - `dama.no-sa-a80` resolver (unresponsive).
284 | - `kenshiro` resolver (unresponsive, no more lucenera resolvers).
285 | - `suami` resolver (unresponsive, no more lucenera resolvers).
286 | 
287 | ## 2.0.45
288 | ### Upstream
289 | - Configuration changes (to be required in versions 2.1.x):
290 |   * `[blacklist]` has been renamed to `[blocked_names]`
291 |   * `[ip_blacklist]` has been renamed to `[blocked_ips]`
292 |   * `[whitelist]` has been renamed to `[allowed_names]`
293 |   * `generate-domains-blacklist.py` has been renamed to
294 |     `generate-domains-blocklist.py`, and the configuration files have been
295 |     renamed as well.
296 | - `dnscrypt-proxy -resolve` has been completely revamped, and now requires
297 | the configuration file to be accessible. It will send a query to an IP address
298 | of the `dnscrypt-proxy` server by default. Sending queries to arbitrary
299 | servers is also supported with the new `-resolve name,address` syntax.
300 | - Relay lists can be set to `*` for automatic relay selection. When a wildcard
301 | is used, either for the list of servers or relays, the proxy ensures that
302 | relays and servers are on distinct networks.
303 | - Lying resolvers are detected and reported.
304 | - New return code: `NOT_READY` for queries received before the proxy has
305 | been initialized.
306 | - Server lists can't be older than a week any more, even if directory
307 | permissions are incorrect and cache files cannot be written.
308 | - macOS/arm64 is now officially supported.
309 | - New feature: `allowed_ips`, to configure a set of IP addresses to
310 | never block no matter what DNS name resolves to them.
311 | - Hard-coded IP addresses can be immediately returned for test queries
312 | sent by operating systems in order to check for connectivity and captive
313 | portals. Such responses can be sent even before an interface is considered
314 | as enabled by the operating system. This can be configured in a new section
315 | called `[captive_portals]`.
316 | - On Linux, OpenBSD and FreeBSD, `listen_addresses` can now include IP
317 | addresses that haven't been assigned to an interface yet.
318 | - The logo has been tweaked to look fine on a dark background.
319 | - `generate-domains-blocklist.py`: regular expressions are now ignored in
320 | time-based entries.
321 | - Minor bug fixes and logging improvements.
322 | - Cloaking plugin: if an entry has multiple IP addresses for a type,
323 | all the IP addresses are now returned instead of a random one.
324 | - Static entries can now include DNSCrypt relays.
325 | - Name blocking: aliases relying on `SVCB` and `HTTPS` records can now
326 | be blocked in addition to aliases via regular `CNAME` records.
327 | - EDNS-Client-Subnet information can be added to outgoing queries.
328 | Instead of sending the actual client IP, ECS information is user
329 | configurable, and IP addresses will be randomly chosen for every query.
330 | - Initial DoH queries are now checked using random names in order to
331 | properly measure CDNs such as Tencent that ignore the padding.
332 | - DoH: the `max-stale` cache control directive is now present in queries.
333 | - Logs can now be sent to `/dev/stdout` instead of actual files.
334 | - User switching is now supported on macOS.
335 | - New download mirror (https://download.dnscrypt.net) for resolvers,
336 | relays and parental-control.
337 | 
338 | ### Added
339 | - `allowed-ips.txt` and `blocked-ips.txt` files (as placeholder).
340 | - Cleanup unneeded binary files after the installation.
341 | - `acsacsar-ams-ipv4` resolver (Public non-censoring, non-logging, DNSSEC-capable, DNSCrypt-enabled DNS resolver hosted on Scaleway by [acsacsar](https://nitter.net/acsacsar)).
342 | - `arvind-io` resolver (Public resolver by EnKrypt (https://arvind.io). Hosted in Bangalore, India. Non-logging, non-filtering, supports DNSSEC).
343 | - `bcn-dnscrypt` resolver (Resolver in Barcelona, Spain. DNSCrypt protocol. Non-logging, non-filtering, DNSSEC).
344 | - `d0wn-tz-ns1` resolver (Server provided by Martin 'd0wn' Albus) Hosted by Aptus Solutions Ltd. in Tanzania.
345 | - `dnscrypt.be` resolver (Resolver in Leuven, Belgium (UCLL Campus Proximus). Non-logging/DNSSEC/Uncensored. https://dnscrypt.be
346 | Maintained by Sigfried (https://sigfried.be) hosted by ISW Leuven (https://iswleuven.be)).
347 | - `dnscrypt.ca-1` resolver (Free, Canadian, uncensored, no-logs, encrypted, and DNSSEC validated. DNS service for your pleasure).
348 | - `dnscrypt.ca-2` resolver (Free, Canadian, uncensored, no-logs, encrypted, and DNSSEC validated. DNS service for your pleasure).
349 | - `dnscrypt.one` resolver (Non-logging, non-censoring, DNSSEC-capable DNSCrypt resolver hosted in Germany (Nuremberg), https://dnscrypt.one).
350 | - `dnscrypt.pl` resolver (Free | No filtering | Zero logs | DNSSEC | Poland | https://dnscrypt.pl/).
351 | - `ev-canada` resolver (Non-logging, uncensored DNS resolver provided by evilvibes.com Location: Vancouver, Canada).
352 | - `freetsa.org-ipv4` resolver (Non-logged/Uncensored provided by www.freetsa.org. Support for DNS and DNS-over-TLS (DoT)).
353 | - `jp.tiar.app` resolver (Non-Logging, Non-Filtering DNSCrypt server in Japan. No ECS, Support DNSSEC).
354 | - `moulticast-ca-ipv4` resolver (Public | Non-filtering | Non-logging | DNSSEC aware | Hosted in Canada | Operated by @herver (Github) | https://moulticast.net/dnscrypt/).
355 | - `moulticast-de-ipv4` resolver (Public | Non-filtering | Non-logging | DNSSEC aware | Hosted in Germany | Operated by @herver (Github) | https://moulticast.net/dnscrypt/).
356 | - `moulticast-fr-ipv4` resolver (Public | Non-filtering | Non-logging | DNSSEC aware | Hosted in France | Operated by @herver (Github) | https://moulticast.net/dnscrypt/).
357 | - `moulticast-sg-ipv4` resolver (Public | Non-filtering | Non-logging | DNSSEC aware | Hosted in Singapore | Operated by @herver (Github) | https://moulticast.net/dnscrypt/).
358 | - `moulticast-uk-ipv4` resolver (Public | Non-filtering | Non-logging | DNSSEC aware | Hosted in UK | Operated by @herver (Github) | https://moulticast.net/dnscrypt/).
359 | - `plan9-ns1` resolver (Resolver in New Jersey, USA. DNSCrypt protocol. Non-logging, non-filtering, DNSSEC, anonymized. Running the official Docker image on Vultr by @jlongua1).
360 | - `pwoss.org-dnscrypt` resolver (No filter | No logs | DNSSEC | Nuremberg, Germany (netcup) | Maintained by https://pwoss.org/ (Dan)).
361 | - `sarpel-dns-istanbul` resolver (No-filter | No-logs | Uncensored | Hosted in Istanbul(Turkey) on Cloudeos).
362 | - `serbica` resolver (Public DNSCrypt server in the Netherlands by https://litepay.ch).
363 | - `ventricle.us` resolver (Public DNSCrypt resolver provided by Jacob Henner. Hosted by Digital Ocean, New York).
364 | 
365 | ### Changed
366 | - `Magisk 20.4+` required.
367 | - Disabled `direct_cert_fallback` option to prevent direct connections through the resolvers for failed certificate retrieved via relay.
368 | - Reduced the max. query waiting time from `1500` to `1000` ms.
369 | - Renamed `blacklist.txt` into `blocked-names.txt`.
370 | - Renamed `whitelist.txt` into `allowed-names.txt`.
371 | - Optimized relays.
372 | 
373 | ### Removed
374 | - [Applied Privacy DNS](https://applied-privacy.net/privacy-policy/) and [NixNet DNS](https://nixnet.xyz/dns/) as fallback resolvers.
375 | - `DROP` IPv6 queries script in `post-fs-data.sh` file.
376 | 
377 | ## 2.0.44
378 | ### Upstream
379 | - More updates to the set of block lists, thanks again to IceCodeNew.
380 | - Netprobes and listening sockets are now ignored when the `-list`, `-list-all`, `-show-certs` or `-check` command-line switches are used.
381 | - `tls_client_auth` was renamed to `doh_client_x509_auth`. A section with the previous name is temporarily ignored if empty, but will error out if not.
382 | - Unit tests are now working on 32-bit systems. Thanks to Will Elwood and @lifenjoiner.
383 | 
384 | ## 2.0.43
385 | ### Upstream
386 | - Built-in support for DNS64 translation has been implemented. (Contributed by Sergey Smirnov, thanks!)
387 | - Connections to DoH servers can be authenticated using TLS client certificates (Contributed by Kevin O'Sullivan, thanks!)
388 | - Multiple stamps are now allowed for a single server in resolvers and relays lists.
389 | - Android: the time zone for log files is now set to the system time zone.
390 | - Quite a lot of updates and additions have been made to the example domain block lists. Thanks to `IceCodeNew`!
391 | - Cached configuration files can now be temporarily used if they are out of date, but bootstraping is impossible. Contributed by
392 | `lifenjoiner`, thanks!
393 | - Precompiled macOS binaries are now notarized.
394 | - `generate-domains-blacklists` now tries to deduplicate entries clobbered by wildcard rules. Thanks to `Huhni`!
395 | - `generate-domains-blacklists` can now directly write lists to a file with the `-o` command-line option.
396 | - cache files are now downloaded as the user the daemon will be running as. This fixes permission issues at startup time.
397 | - Forwarded queries are now subject to global timeouts, and can be
398 | forced to use TCP.
399 | - The `ct` parameter has been removed from DoH queries, as Google doesn't require it any more.
400 | - Service installation is now supported on FreeBSD.
401 | - When stored into a file, service logs now only contain data from the most recent launch. This can be changed with the new `log_file_latest` option.
402 | 
403 | ### Added
404 | - [Applied Privacy DNS](https://applied-privacy.net/privacy-policy/) and [NixNet DNS](https://nixnet.xyz/dns/) as fallback resolvers.
405 | 
406 | ### Changed
407 | - `Magisk 20+` required.
408 | 
409 | ## 2.0.42-3
410 | ### Added
411 | - `DROP` properly IPv6 queries in `post-fs-data.sh` file (no more DNS leaks this time).
412 | 
413 | ## 2.0.42-2
414 | ### Added
415 | - 2nd attempt to `DROP` IPv6 queries in `post-fs-data.sh` file.
416 | 
417 | ## 2.0.42-1
418 | ### Added
419 | - 1st attempt to `DROP` IPv6 queries in `post-fs-data.sh` file.
420 | - `whitelist.txt` file (as placeholder, once the blacklist goes public).
421 | - `meganerd` resolver (Non-logging, non-filtering, supports DNSSEC by MegaNerd.nl).
422 | 
423 | ### Changed
424 | - Moved all the example documents into `dnscrypt-proxy/example-docs` folder (the remaining example documents must be deleted manually).
425 | - Optimized relays.
426 | 
427 | ### Removed
428 | - `dnscrypt.nl-ns0` resolver.
429 | - `dnscrypt.one` resolver.
430 | - `ffmuc.net` resolver.
431 | - `publicarray-au2` resolver.
432 | 
433 | ## 2.0.42
434 | ### Upstream
435 | - The current versions of the `dnsdist` load balancer (presumably used
436 | by quad9, cleanbrowsing, qualityology, freetsa.org, ffmuc.net,
437 | opennic-bongobow, sth-dnscrypt-se, ams-dnscrypt-nl and more)
438 | is preventing queries over 1500 bytes from being received over UDP.
439 | Temporary workarounds have been introduced to improve reliability
440 | with these resolvers for regular DNSCrypt. Unfortunately, anonymized
441 | DNS cannot be reliable until the issue is fixed server-side. `dnsdist`
442 | authors are aware of it and are working on a fix.
443 | - New option in the `[anonymized_dns]` section: `skip_incompatible`,
444 | to ignore resolvers incompatible with Anonymized DNS instead of
445 | using them without a relay.
446 | - The server latency benchmark is faster while being able to perform
447 | more retries if necessary.
448 | - Continuous integration has been moved to GitHub Actions.
449 | 
450 | ### Added
451 | - Set `skip_incompatible` option from `false` to `true` to ignore servers incompatible with anonymization.
452 | 
453 | ## 2.0.41
454 | ### Upstream
455 | - Precompiled binaries for armv5, armv6 and armv7 are available.
456 | The default arm builds were not compatible with older CPUs when
457 | compiled with Go 1.14. mips64 binaries are explicitly compiled with
458 | softfloat to improve compatibility.
459 | - Quad9 seems to be only blocking fragmented queries over UDP for
460 | some networks. They have been removed from the default list of broken
461 | resolvers; runtime detection of support for fragments should now do
462 | the job.
463 | - Runtime detection of support for fragments was actually enabled.
464 | 
465 | ## 2.0.40
466 | ### Upstream
467 | - Servers blocking fragmented queries are now automatically detected.
468 | - The server name is now only present in query logs when an actual upstream servers was required to resolve a query.
469 | - TLS client authentication has been added for DoH.
470 | - The Firefox plugin is now skipped for connections coming from the local DoH server.
471 | - DoH RTT computation is now more accurate, especially when CDNs are in the middle.
472 | - The forwarding plugin is now more reliable, and handles retries over TCP.
473 | 
474 | ## 2.0.39-2
475 | ### Removed
476 | - `blacklist.txt` file (too many false positives, will be added back in the future, when it reaches a more stable level).
477 | 
478 | ## 2.0.39-1
479 | ### Added
480 | - Automatic redirection in `post-fs-data.sh` file. (no more 3rd-party apps are required to start the service).
481 | - Substrings and wildcards into `blacklist.txt` file and updated to `2020.03.19`.
482 | 
483 | ### Removed
484 | - `ibksturm` resolver.
485 | - `dnswarden-dc1`, `dnswarden-dc2`, `dnswarden-dc3`, resolvers.
486 | 
487 | ## 2.0.39
488 | ### Upstream
489 | - The Firefox Local DoH service didn't properly work in version 2.0.38; 
490 | this has been fixed. Thanks to Simon Brand for the report!
491 | 
492 | ## 2.0.38
493 | ### Upstream
494 | - Entries from lists (forwarding, blacklists, whitelists) now support
495 | inline comments.
496 | - Reliability improvement: queries over UDP are retried after a timeout
497 | instead of solely relying on the client.
498 | - Reliability improvement: during temporary network outages, cached records
499 | are now served even if they are stale.
500 | - Bug fix: SOCKS proxies and DNS relays can be combined.
501 | - New feature: multiple fallback resolvers are now supported (see the
502 | new `fallback_resolvers` option. Note that `fallback_resolver` is
503 | still supported for backward compatibility).
504 | - Windows: the service can be installed with a configuration file
505 | stored separately from the application.
506 | - Security (affecting DoH): precompiled binaries of `dnscrypt-proxy 2.0.37` are
507 | built using `Go 1.13.7` that fixes a TLS certificate parsing issue present in
508 | previous versions of the compiler.
509 | 
510 | ### Added
511 | - `dnswarden-dc3` (DnsCrypt protocol . Non-logging, supports DNSSEC. By https://dnswarden.com).
512 | 
513 | ### Changed
514 | - `Magisk 19+` required.
515 | - Updated `blacklist.txt` to `2020.01.30`.
516 | 
517 | ### Fixed
518 | - `dnscrypt-proxy` service doesn't detect the config file.
519 | 
520 | ## 2.0.36
521 | ### Upstream
522 | - New option: `block_undelegated`. When enabled, `dnscrypt-proxy` will
523 | directly respond to queries for locally-served zones (https://sk.tl/2QqB971U)
524 | and nonexistent zones that should have been kept local, but are frequently
525 | leaked. This reduces latency and improves privacy.
526 | - Conformance: the `DO` bit is now set in synthetic responses if it was
527 | set in a question, and the `AD` bit is cleared.
528 | - The `miegkg/dns` module was updated to version 1.1.26, that fixes a
529 | security issue affecting non-encrypted/non-authenticated DNS traffic. In
530 | `dnscrypt-proxy`, this only affects the forwarding feature.
531 | 
532 | ### Added
533 | - `dnscrypt.one` resolver (DNSSEC / no logs / uncensored, Germany (Nuremberg), https://dnscrypt.one/).
534 | 
535 | ### Changed
536 | - Updated `blacklist.txt` to `2019.12.22`.
537 | - Optimized relays.
538 | 
539 | ## 2.0.35
540 | ### Upstream
541 | - New option: `block_unqualified` to block `A`/`AAAA` queries with
542 | unqualified host names. These will very rarely get an answer from upstream
543 | resolvers, but can leak private information to these, as well as to root
544 | servers.
545 | - When a `CNAME` pointer is blocked, the original query name is now logged
546 | along with the pointer. This makes it easier to know what the original
547 | query name, so it can be whitelisted, or what the pointer was, so it
548 | can be removed from the blacklist.
549 | 
550 | ### Added
551 | - `scaleway-ams` resolver (DNSSEC/Non-logged/Uncensored in Amsterdam- ARM server donated by Scaleway.com) Maintained by Frank Denis- https://fr.dnscrypt.info).
552 | - `ffmuc.net` resolver (An open DNSCrypt resolver operated by Freifunk Munich with nodes in DE. https://ffmuc.net/).
553 | 
554 | ### Changed
555 | - Updated `blacklist.txt` to `2019.12.09`.
556 | - Optimized relays.
557 | 
558 | ### Fixed
559 | - Backup an existing `.toml` file before proceed with the installation.
560 | 
561 | ## 2.0.34
562 | ### Upstream
563 | - Blacklisted names are now also blocked if they appear in `CNAME`
564 | pointers.
565 | - `dnscrypt-proxy` can now act as a local DoH *server*. Firefox can
566 | be configured to use it, so that ESNI can be enabled without bypassing
567 | your DNS proxy.
568 | 
569 | ### Added
570 | - `ibksturm`- dnscrypt-server (nginx- encrypted-dns- unbound backend), DNSSEC / Non-Logged / Uncensored, OpenNIC and Root DNS-Zone- Hosted in Switzerland by ibksturm, aka Andreas Ziegler).
571 | - `blacklist.txt` file to prevent `CNAME Cloaking` tracking feature.
572 | 
573 | ### Changed
574 | - Optimized relays.
575 | 
576 | ### Removed
577 | - `charis` and `suami` resolvers.
578 | 
579 | ## 2.0.33
580 | ### Upstream
581 | - Fixes an issue that caused some valid queries to return `PARSE_ERROR`.
582 | - On certificate errors, the server name is now logged instead of the
583 | provider name, which is generally more useful.
584 | - IP addresses for DoH servers that require DNS lookups are now cached
585 | for at least 12 hours.
586 | - `ignore_system_dns` is now set to `true` by default.
587 | - A workaround for a bug in Cisco servers has been implemented.
588 | - A corrupted or incomplete resolvers list is now ignored, keeping the
589 | last good known cached list until the next update. In addition, logging was
590 | improved and unit tests were also added. Awesome contribution from William
591 | Elwood, thanks!
592 | - On Windows, the network probe immediately returned instead of blocking
593 | if `netprobe_timeout` was set to `-1`. This has been fixed.
594 | - Expired cached IP addresses now have a grace period, to avoid breaking the
595 | service if they temporarily can't be refreshed.
596 | - On Windows, the service now returns immediately, solving a long-standing
597 | issue when initialization took more than 30 seconds ("The service did not
598 | respond to the start or control request in a timely fashion"). Fantastic
599 | work by Alison Winters, thanks!
600 | - The `SERVER_ERROR` error code has been split into two new error codes:
601 | `NETWORK_ERROR` (self-explanatory) and `SERVFAIL` (a response was returned,
602 | but it includes a `SERVFAIL` error code).
603 | - Responses are now always compressed.
604 | 
605 | ### Added
606 | - `v.dnscrypt.uk-ipv4` (DNSCrypt v2, no logs, uncensored, DNSSEC. Hosted in London UK on Vultr- https://www.dnscrypt.uk).
607 | - Optimized relays (set to use other providers different from the main one).
608 | 
609 | ## 2.0.31
610 | ### Upstream
611 | - This version fixes a startup issue introduced in version 2.0.29, on systems for which the service cannot be automatically installed (such as OpenBSD and FreeBSD). Reported by @5ch17 and Vinícius Zavam, and fixed by Will Elwood, thanks!
612 | - This version fixes two regressions introduced in version 2.0.29: DoH server couldn't be reached over IPv6 any more, and the proxy couldn't be interrupted while servers were being benchmarked.
613 | 
614 | ### Changed
615 | - Another way to backup an existing `.toml` file (the old configuration is now backed up with `year-month-day-hour-minute.bak` suffix, thanks to @lindroidux).
616 | 
617 | ## 2.0.29
618 | ### Upstream
619 | - Support for Anonymized DNS has been added!
620 | - Wait before stopping, fixing an issue with Unbound (thanks to Vladimir Bauer)
621 | - DNS stamps are now included in the `-list-all-json` ouptut
622 | - The `netprobe_timeout` setting from the configuration file or command-line was ignored. This has been fixed.
623 | - The TTL or cloaked entries can now be adjusted (thanks to Markus Linnala)
624 | - Cached IP address from DoH servers now expire (thanks to Markus Linnala)
625 | - DNSCrypt certificates can be fetched over Tor and SOCKS proxies
626 | - Retries over TCP are faster
627 | - Improved logging (thanks to Alison Winters)
628 | - Ignore non-TXT records in certificate responses (thanks to Vladimir Bauer)
629 | - A lot of internal cleanups, thanks to Markus Linnala
630 | 
631 | ### Added
632 | - `publicarray-au` resolver Australia (DNSSEC/OpenNIC/Non-logging/Uncensored- hosted on vultr.com maintained by publicarray- https://dns.seby.io).
633 | - `publicarray-au2` resolver Australia (DNSSEC/OpenNIC/Non-logging/Uncensored- hosted on ovh.com.au maintained by publicarray- https://dns.seby.io).
634 | 
635 | ### Changed
636 | - Optimized relays.
637 | 
638 | ## 2.0.29-beta.3
639 | ### Upstream
640 | - Support for Anonymized DNSCrypt has been added.
641 | - Latency with large responses has actually been reduced.
642 | - DNSCrypt certificates can now be retrieved over Tor, proxies, and DNS relays.
643 | - Improved server error reporting (thanks to Alison Winters)
644 | - Quite a lot of internal improvements and bug fixes have been made, thanks to Markus Linnala.
645 | - Improved logging
646 | - Added a workaround for DNS servers using a non-standard provider name.
647 | 
648 | ### Added
649 | - `anonymized_dns` feature (each resolver has 2 relays assigned).
650 | - `scaleway-fr` resolver (DNSSEC/Non-logging/Uncensored- Maintained by Frank Denis- https://fr.dnscrypt.info).
651 | 
652 | ## 2.0.28
653 | ### Upstream
654 | - Invalid server entries are now skipped instead of preventing a source from being used. Thanks to Alison Winters for the contribution!
655 | - Truncated responses are immediately retried over TCP instead of waiting for the client to retry. This reduces the latency for large responses.
656 | - Responses sent to the local network are assumed to support at least 1252 bytes packets, and use optional information from EDNS up to 4096 bytes. This also reduces latency.
657 | - Logging improvements: servers are not logged for cached, synthetic and cloaked responses. And the forwarder is logged instead of the regular server for forwarded responses.
658 | 
659 | ## 2.0.27
660 | ### Upstream
661 | - The X25519 implementation was changed from using the Go standard implementation to using Cloudflare's CIRCL library. Unfortunately, CIRCL appears to be broken on big-endian systems. That change has been reverted.
662 | - All the dependencies have been updated.
663 | 
664 | ### Changed
665 | - New project mantainer, [@quindecim](https://github.com/quindecim) :)
666 | ___
667 | 
668 | #### v2.8.7 ([@bluemeda](https://github.com/bluemeda))
669 | - Changed path of configuration file [dnscrypt.toml] from /system/etc/ to /data/media/0/ [or /sdcard]
670 | - Updated binary & configuration files to 2.0.25
671 | - Removed automatic redirection of dns-request and let dnscrypt-proxy do its job only.
672 | 
673 | #### v2.8.5 ([@bluemeda](https://github.com/bluemeda))
674 | - Fix #40
675 | 
676 | #### v2.8.4 ([@bluemeda](https://github.com/bluemeda))
677 | - Fix failed to copy or backup config file
678 | 
679 | #### v2.8.3 ([@bluemeda](https://github.com/bluemeda))
680 | - Fix permission issue
681 | - Add option to replace or backup-restore config file
682 | 
683 | #### v2.8.2 ([@bluemeda](https://github.com/bluemeda))
684 | - Fix "binary file is missing"
685 | 
686 | #### v2.8.7 ([@bluemeda](https://github.com/bluemeda))
687 | - Update Magisk 18100 requirements
688 | 
689 | #### v2.8.0 ([@bluemeda](https://github.com/bluemeda))
690 | - Update binary files 2.0.22
691 | 
692 | #### v2.7.0 ([@bluemeda](https://github.com/bluemeda))
693 | - Update binary files 2.0.21
694 | 
695 | #### v2.6.0 ([@bluemeda](https://github.com/bluemeda))
696 | - Update binary files to 2.0.19
697 | 
698 | #### v2.5.0 ([@bluemeda](https://github.com/bluemeda))
699 | - Update binary files to 2.0.16
700 | - add exception for cloudflare fallback resolver.
701 | 
702 | #### v2.4.0 ([@bluemeda](https://github.com/bluemeda))
703 | - Update binary files to 2.0.14
704 | 
705 | #### v2.3.0 ([@bluemeda](https://github.com/bluemeda))
706 | - Update binary files to 2.0.10
707 | - Add option to choose auto redirect DNS or manually set with 3rd-party app.
708 | 
709 | #### v2.2.0 ([@bluemeda](https://github.com/bluemeda))
710 | - Update binary files to 2.0.8
711 | 
712 | #### v2.1.3 ([@bluemeda](https://github.com/bluemeda))
713 | - If you have previous version, please uninstall it first then reinstall it again or you can change listen port manually in dnscrypt-proxy.toml file.
714 | - Fix Tethering Client cannot Resolve DNSCrypt
715 | - Fix Chromecast devices not showing jedisct1/dnscrypt-proxy#226
716 | - Add binary files for x86 and x86_64 (test)
717 | 
718 | #### v2.1.2 ([@bluemeda](https://github.com/bluemeda))
719 | - Bug Fixes
720 | 
721 | #### v2.1.1 ([@bluemeda](https://github.com/bluemeda))
722 | - Bug fixes
723 | 
724 | #### v2.1 ([@bluemeda](https://github.com/bluemeda))
725 | - Bug fixes
726 | 
727 | #### v2.0 ([@bluemeda](https://github.com/bluemeda))
728 | - Resolve download.dnscrypt.info first before executing iptable
729 | - Don't override dnscrypt-proxy.toml if exist
730 | - Update binary files to v2.0.6
731 | 
732 | #### v1.1 ([@bluemeda](https://github.com/bluemeda))
733 | - Change listen port to 5353 (avoid conflict while tethering)
734 | 
735 | #### v1.0 ([@bluemeda](https://github.com/bluemeda))
736 | - Initial release
737 | - dnscrypt-proxy v2.0.5
738 | 


--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
  1 |                     GNU GENERAL PUBLIC LICENSE
  2 |                        Version 3, 29 June 2007
  3 | 
  4 |  Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
  5 |  Everyone is permitted to copy and distribute verbatim copies
  6 |  of this license document, but changing it is not allowed.
  7 | 
  8 |                             Preamble
  9 | 
 10 |   The GNU General Public License is a free, copyleft license for
 11 | software and other kinds of works.
 12 | 
 13 |   The licenses for most software and other practical works are designed
 14 | to take away your freedom to share and change the works.  By contrast,
 15 | the GNU General Public License is intended to guarantee your freedom to
 16 | share and change all versions of a program--to make sure it remains free
 17 | software for all its users.  We, the Free Software Foundation, use the
 18 | GNU General Public License for most of our software; it applies also to
 19 | any other work released this way by its authors.  You can apply it to
 20 | your programs, too.
 21 | 
 22 |   When we speak of free software, we are referring to freedom, not
 23 | price.  Our General Public Licenses are designed to make sure that you
 24 | have the freedom to distribute copies of free software (and charge for
 25 | them if you wish), that you receive source code or can get it if you
 26 | want it, that you can change the software or use pieces of it in new
 27 | free programs, and that you know you can do these things.
 28 | 
 29 |   To protect your rights, we need to prevent others from denying you
 30 | these rights or asking you to surrender the rights.  Therefore, you have
 31 | certain responsibilities if you distribute copies of the software, or if
 32 | you modify it: responsibilities to respect the freedom of others.
 33 | 
 34 |   For example, if you distribute copies of such a program, whether
 35 | gratis or for a fee, you must pass on to the recipients the same
 36 | freedoms that you received.  You must make sure that they, too, receive
 37 | or can get the source code.  And you must show them these terms so they
 38 | know their rights.
 39 | 
 40 |   Developers that use the GNU GPL protect your rights with two steps:
 41 | (1) assert copyright on the software, and (2) offer you this License
 42 | giving you legal permission to copy, distribute and/or modify it.
 43 | 
 44 |   For the developers' and authors' protection, the GPL clearly explains
 45 | that there is no warranty for this free software.  For both users' and
 46 | authors' sake, the GPL requires that modified versions be marked as
 47 | changed, so that their problems will not be attributed erroneously to
 48 | authors of previous versions.
 49 | 
 50 |   Some devices are designed to deny users access to install or run
 51 | modified versions of the software inside them, although the manufacturer
 52 | can do so.  This is fundamentally incompatible with the aim of
 53 | protecting users' freedom to change the software.  The systematic
 54 | pattern of such abuse occurs in the area of products for individuals to
 55 | use, which is precisely where it is most unacceptable.  Therefore, we
 56 | have designed this version of the GPL to prohibit the practice for those
 57 | products.  If such problems arise substantially in other domains, we
 58 | stand ready to extend this provision to those domains in future versions
 59 | of the GPL, as needed to protect the freedom of users.
 60 | 
 61 |   Finally, every program is threatened constantly by software patents.
 62 | States should not allow patents to restrict development and use of
 63 | software on general-purpose computers, but in those that do, we wish to
 64 | avoid the special danger that patents applied to a free program could
 65 | make it effectively proprietary.  To prevent this, the GPL assures that
 66 | patents cannot be used to render the program non-free.
 67 | 
 68 |   The precise terms and conditions for copying, distribution and
 69 | modification follow.
 70 | 
 71 |                        TERMS AND CONDITIONS
 72 | 
 73 |   0. Definitions.
 74 | 
 75 |   "This License" refers to version 3 of the GNU General Public License.
 76 | 
 77 |   "Copyright" also means copyright-like laws that apply to other kinds of
 78 | works, such as semiconductor masks.
 79 | 
 80 |   "The Program" refers to any copyrightable work licensed under this
 81 | License.  Each licensee is addressed as "you".  "Licensees" and
 82 | "recipients" may be individuals or organizations.
 83 | 
 84 |   To "modify" a work means to copy from or adapt all or part of the work
 85 | in a fashion requiring copyright permission, other than the making of an
 86 | exact copy.  The resulting work is called a "modified version" of the
 87 | earlier work or a work "based on" the earlier work.
 88 | 
 89 |   A "covered work" means either the unmodified Program or a work based
 90 | on the Program.
 91 | 
 92 |   To "propagate" a work means to do anything with it that, without
 93 | permission, would make you directly or secondarily liable for
 94 | infringement under applicable copyright law, except executing it on a
 95 | computer or modifying a private copy.  Propagation includes copying,
 96 | distribution (with or without modification), making available to the
 97 | public, and in some countries other activities as well.
 98 | 
 99 |   To "convey" a work means any kind of propagation that enables other
100 | parties to make or receive copies.  Mere interaction with a user through
101 | a computer network, with no transfer of a copy, is not conveying.
102 | 
103 |   An interactive user interface displays "Appropriate Legal Notices"
104 | to the extent that it includes a convenient and prominently visible
105 | feature that (1) displays an appropriate copyright notice, and (2)
106 | tells the user that there is no warranty for the work (except to the
107 | extent that warranties are provided), that licensees may convey the
108 | work under this License, and how to view a copy of this License.  If
109 | the interface presents a list of user commands or options, such as a
110 | menu, a prominent item in the list meets this criterion.
111 | 
112 |   1. Source Code.
113 | 
114 |   The "source code" for a work means the preferred form of the work
115 | for making modifications to it.  "Object code" means any non-source
116 | form of a work.
117 | 
118 |   A "Standard Interface" means an interface that either is an official
119 | standard defined by a recognized standards body, or, in the case of
120 | interfaces specified for a particular programming language, one that
121 | is widely used among developers working in that language.
122 | 
123 |   The "System Libraries" of an executable work include anything, other
124 | than the work as a whole, that (a) is included in the normal form of
125 | packaging a Major Component, but which is not part of that Major
126 | Component, and (b) serves only to enable use of the work with that
127 | Major Component, or to implement a Standard Interface for which an
128 | implementation is available to the public in source code form.  A
129 | "Major Component", in this context, means a major essential component
130 | (kernel, window system, and so on) of the specific operating system
131 | (if any) on which the executable work runs, or a compiler used to
132 | produce the work, or an object code interpreter used to run it.
133 | 
134 |   The "Corresponding Source" for a work in object code form means all
135 | the source code needed to generate, install, and (for an executable
136 | work) run the object code and to modify the work, including scripts to
137 | control those activities.  However, it does not include the work's
138 | System Libraries, or general-purpose tools or generally available free
139 | programs which are used unmodified in performing those activities but
140 | which are not part of the work.  For example, Corresponding Source
141 | includes interface definition files associated with source files for
142 | the work, and the source code for shared libraries and dynamically
143 | linked subprograms that the work is specifically designed to require,
144 | such as by intimate data communication or control flow between those
145 | subprograms and other parts of the work.
146 | 
147 |   The Corresponding Source need not include anything that users
148 | can regenerate automatically from other parts of the Corresponding
149 | Source.
150 | 
151 |   The Corresponding Source for a work in source code form is that
152 | same work.
153 | 
154 |   2. Basic Permissions.
155 | 
156 |   All rights granted under this License are granted for the term of
157 | copyright on the Program, and are irrevocable provided the stated
158 | conditions are met.  This License explicitly affirms your unlimited
159 | permission to run the unmodified Program.  The output from running a
160 | covered work is covered by this License only if the output, given its
161 | content, constitutes a covered work.  This License acknowledges your
162 | rights of fair use or other equivalent, as provided by copyright law.
163 | 
164 |   You may make, run and propagate covered works that you do not
165 | convey, without conditions so long as your license otherwise remains
166 | in force.  You may convey covered works to others for the sole purpose
167 | of having them make modifications exclusively for you, or provide you
168 | with facilities for running those works, provided that you comply with
169 | the terms of this License in conveying all material for which you do
170 | not control copyright.  Those thus making or running the covered works
171 | for you must do so exclusively on your behalf, under your direction
172 | and control, on terms that prohibit them from making any copies of
173 | your copyrighted material outside their relationship with you.
174 | 
175 |   Conveying under any other circumstances is permitted solely under
176 | the conditions stated below.  Sublicensing is not allowed; section 10
177 | makes it unnecessary.
178 | 
179 |   3. Protecting Users' Legal Rights From Anti-Circumvention Law.
180 | 
181 |   No covered work shall be deemed part of an effective technological
182 | measure under any applicable law fulfilling obligations under article
183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
184 | similar laws prohibiting or restricting circumvention of such
185 | measures.
186 | 
187 |   When you convey a covered work, you waive any legal power to forbid
188 | circumvention of technological measures to the extent such circumvention
189 | is effected by exercising rights under this License with respect to
190 | the covered work, and you disclaim any intention to limit operation or
191 | modification of the work as a means of enforcing, against the work's
192 | users, your or third parties' legal rights to forbid circumvention of
193 | technological measures.
194 | 
195 |   4. Conveying Verbatim Copies.
196 | 
197 |   You may convey verbatim copies of the Program's source code as you
198 | receive it, in any medium, provided that you conspicuously and
199 | appropriately publish on each copy an appropriate copyright notice;
200 | keep intact all notices stating that this License and any
201 | non-permissive terms added in accord with section 7 apply to the code;
202 | keep intact all notices of the absence of any warranty; and give all
203 | recipients a copy of this License along with the Program.
204 | 
205 |   You may charge any price or no price for each copy that you convey,
206 | and you may offer support or warranty protection for a fee.
207 | 
208 |   5. Conveying Modified Source Versions.
209 | 
210 |   You may convey a work based on the Program, or the modifications to
211 | produce it from the Program, in the form of source code under the
212 | terms of section 4, provided that you also meet all of these conditions:
213 | 
214 |     a) The work must carry prominent notices stating that you modified
215 |     it, and giving a relevant date.
216 | 
217 |     b) The work must carry prominent notices stating that it is
218 |     released under this License and any conditions added under section
219 |     7.  This requirement modifies the requirement in section 4 to
220 |     "keep intact all notices".
221 | 
222 |     c) You must license the entire work, as a whole, under this
223 |     License to anyone who comes into possession of a copy.  This
224 |     License will therefore apply, along with any applicable section 7
225 |     additional terms, to the whole of the work, and all its parts,
226 |     regardless of how they are packaged.  This License gives no
227 |     permission to license the work in any other way, but it does not
228 |     invalidate such permission if you have separately received it.
229 | 
230 |     d) If the work has interactive user interfaces, each must display
231 |     Appropriate Legal Notices; however, if the Program has interactive
232 |     interfaces that do not display Appropriate Legal Notices, your
233 |     work need not make them do so.
234 | 
235 |   A compilation of a covered work with other separate and independent
236 | works, which are not by their nature extensions of the covered work,
237 | and which are not combined with it such as to form a larger program,
238 | in or on a volume of a storage or distribution medium, is called an
239 | "aggregate" if the compilation and its resulting copyright are not
240 | used to limit the access or legal rights of the compilation's users
241 | beyond what the individual works permit.  Inclusion of a covered work
242 | in an aggregate does not cause this License to apply to the other
243 | parts of the aggregate.
244 | 
245 |   6. Conveying Non-Source Forms.
246 | 
247 |   You may convey a covered work in object code form under the terms
248 | of sections 4 and 5, provided that you also convey the
249 | machine-readable Corresponding Source under the terms of this License,
250 | in one of these ways:
251 | 
252 |     a) Convey the object code in, or embodied in, a physical product
253 |     (including a physical distribution medium), accompanied by the
254 |     Corresponding Source fixed on a durable physical medium
255 |     customarily used for software interchange.
256 | 
257 |     b) Convey the object code in, or embodied in, a physical product
258 |     (including a physical distribution medium), accompanied by a
259 |     written offer, valid for at least three years and valid for as
260 |     long as you offer spare parts or customer support for that product
261 |     model, to give anyone who possesses the object code either (1) a
262 |     copy of the Corresponding Source for all the software in the
263 |     product that is covered by this License, on a durable physical
264 |     medium customarily used for software interchange, for a price no
265 |     more than your reasonable cost of physically performing this
266 |     conveying of source, or (2) access to copy the
267 |     Corresponding Source from a network server at no charge.
268 | 
269 |     c) Convey individual copies of the object code with a copy of the
270 |     written offer to provide the Corresponding Source.  This
271 |     alternative is allowed only occasionally and noncommercially, and
272 |     only if you received the object code with such an offer, in accord
273 |     with subsection 6b.
274 | 
275 |     d) Convey the object code by offering access from a designated
276 |     place (gratis or for a charge), and offer equivalent access to the
277 |     Corresponding Source in the same way through the same place at no
278 |     further charge.  You need not require recipients to copy the
279 |     Corresponding Source along with the object code.  If the place to
280 |     copy the object code is a network server, the Corresponding Source
281 |     may be on a different server (operated by you or a third party)
282 |     that supports equivalent copying facilities, provided you maintain
283 |     clear directions next to the object code saying where to find the
284 |     Corresponding Source.  Regardless of what server hosts the
285 |     Corresponding Source, you remain obligated to ensure that it is
286 |     available for as long as needed to satisfy these requirements.
287 | 
288 |     e) Convey the object code using peer-to-peer transmission, provided
289 |     you inform other peers where the object code and Corresponding
290 |     Source of the work are being offered to the general public at no
291 |     charge under subsection 6d.
292 | 
293 |   A separable portion of the object code, whose source code is excluded
294 | from the Corresponding Source as a System Library, need not be
295 | included in conveying the object code work.
296 | 
297 |   A "User Product" is either (1) a "consumer product", which means any
298 | tangible personal property which is normally used for personal, family,
299 | or household purposes, or (2) anything designed or sold for incorporation
300 | into a dwelling.  In determining whether a product is a consumer product,
301 | doubtful cases shall be resolved in favor of coverage.  For a particular
302 | product received by a particular user, "normally used" refers to a
303 | typical or common use of that class of product, regardless of the status
304 | of the particular user or of the way in which the particular user
305 | actually uses, or expects or is expected to use, the product.  A product
306 | is a consumer product regardless of whether the product has substantial
307 | commercial, industrial or non-consumer uses, unless such uses represent
308 | the only significant mode of use of the product.
309 | 
310 |   "Installation Information" for a User Product means any methods,
311 | procedures, authorization keys, or other information required to install
312 | and execute modified versions of a covered work in that User Product from
313 | a modified version of its Corresponding Source.  The information must
314 | suffice to ensure that the continued functioning of the modified object
315 | code is in no case prevented or interfered with solely because
316 | modification has been made.
317 | 
318 |   If you convey an object code work under this section in, or with, or
319 | specifically for use in, a User Product, and the conveying occurs as
320 | part of a transaction in which the right of possession and use of the
321 | User Product is transferred to the recipient in perpetuity or for a
322 | fixed term (regardless of how the transaction is characterized), the
323 | Corresponding Source conveyed under this section must be accompanied
324 | by the Installation Information.  But this requirement does not apply
325 | if neither you nor any third party retains the ability to install
326 | modified object code on the User Product (for example, the work has
327 | been installed in ROM).
328 | 
329 |   The requirement to provide Installation Information does not include a
330 | requirement to continue to provide support service, warranty, or updates
331 | for a work that has been modified or installed by the recipient, or for
332 | the User Product in which it has been modified or installed.  Access to a
333 | network may be denied when the modification itself materially and
334 | adversely affects the operation of the network or violates the rules and
335 | protocols for communication across the network.
336 | 
337 |   Corresponding Source conveyed, and Installation Information provided,
338 | in accord with this section must be in a format that is publicly
339 | documented (and with an implementation available to the public in
340 | source code form), and must require no special password or key for
341 | unpacking, reading or copying.
342 | 
343 |   7. Additional Terms.
344 | 
345 |   "Additional permissions" are terms that supplement the terms of this
346 | License by making exceptions from one or more of its conditions.
347 | Additional permissions that are applicable to the entire Program shall
348 | be treated as though they were included in this License, to the extent
349 | that they are valid under applicable law.  If additional permissions
350 | apply only to part of the Program, that part may be used separately
351 | under those permissions, but the entire Program remains governed by
352 | this License without regard to the additional permissions.
353 | 
354 |   When you convey a copy of a covered work, you may at your option
355 | remove any additional permissions from that copy, or from any part of
356 | it.  (Additional permissions may be written to require their own
357 | removal in certain cases when you modify the work.)  You may place
358 | additional permissions on material, added by you to a covered work,
359 | for which you have or can give appropriate copyright permission.
360 | 
361 |   Notwithstanding any other provision of this License, for material you
362 | add to a covered work, you may (if authorized by the copyright holders of
363 | that material) supplement the terms of this License with terms:
364 | 
365 |     a) Disclaiming warranty or limiting liability differently from the
366 |     terms of sections 15 and 16 of this License; or
367 | 
368 |     b) Requiring preservation of specified reasonable legal notices or
369 |     author attributions in that material or in the Appropriate Legal
370 |     Notices displayed by works containing it; or
371 | 
372 |     c) Prohibiting misrepresentation of the origin of that material, or
373 |     requiring that modified versions of such material be marked in
374 |     reasonable ways as different from the original version; or
375 | 
376 |     d) Limiting the use for publicity purposes of names of licensors or
377 |     authors of the material; or
378 | 
379 |     e) Declining to grant rights under trademark law for use of some
380 |     trade names, trademarks, or service marks; or
381 | 
382 |     f) Requiring indemnification of licensors and authors of that
383 |     material by anyone who conveys the material (or modified versions of
384 |     it) with contractual assumptions of liability to the recipient, for
385 |     any liability that these contractual assumptions directly impose on
386 |     those licensors and authors.
387 | 
388 |   All other non-permissive additional terms are considered "further
389 | restrictions" within the meaning of section 10.  If the Program as you
390 | received it, or any part of it, contains a notice stating that it is
391 | governed by this License along with a term that is a further
392 | restriction, you may remove that term.  If a license document contains
393 | a further restriction but permits relicensing or conveying under this
394 | License, you may add to a covered work material governed by the terms
395 | of that license document, provided that the further restriction does
396 | not survive such relicensing or conveying.
397 | 
398 |   If you add terms to a covered work in accord with this section, you
399 | must place, in the relevant source files, a statement of the
400 | additional terms that apply to those files, or a notice indicating
401 | where to find the applicable terms.
402 | 
403 |   Additional terms, permissive or non-permissive, may be stated in the
404 | form of a separately written license, or stated as exceptions;
405 | the above requirements apply either way.
406 | 
407 |   8. Termination.
408 | 
409 |   You may not propagate or modify a covered work except as expressly
410 | provided under this License.  Any attempt otherwise to propagate or
411 | modify it is void, and will automatically terminate your rights under
412 | this License (including any patent licenses granted under the third
413 | paragraph of section 11).
414 | 
415 |   However, if you cease all violation of this License, then your
416 | license from a particular copyright holder is reinstated (a)
417 | provisionally, unless and until the copyright holder explicitly and
418 | finally terminates your license, and (b) permanently, if the copyright
419 | holder fails to notify you of the violation by some reasonable means
420 | prior to 60 days after the cessation.
421 | 
422 |   Moreover, your license from a particular copyright holder is
423 | reinstated permanently if the copyright holder notifies you of the
424 | violation by some reasonable means, this is the first time you have
425 | received notice of violation of this License (for any work) from that
426 | copyright holder, and you cure the violation prior to 30 days after
427 | your receipt of the notice.
428 | 
429 |   Termination of your rights under this section does not terminate the
430 | licenses of parties who have received copies or rights from you under
431 | this License.  If your rights have been terminated and not permanently
432 | reinstated, you do not qualify to receive new licenses for the same
433 | material under section 10.
434 | 
435 |   9. Acceptance Not Required for Having Copies.
436 | 
437 |   You are not required to accept this License in order to receive or
438 | run a copy of the Program.  Ancillary propagation of a covered work
439 | occurring solely as a consequence of using peer-to-peer transmission
440 | to receive a copy likewise does not require acceptance.  However,
441 | nothing other than this License grants you permission to propagate or
442 | modify any covered work.  These actions infringe copyright if you do
443 | not accept this License.  Therefore, by modifying or propagating a
444 | covered work, you indicate your acceptance of this License to do so.
445 | 
446 |   10. Automatic Licensing of Downstream Recipients.
447 | 
448 |   Each time you convey a covered work, the recipient automatically
449 | receives a license from the original licensors, to run, modify and
450 | propagate that work, subject to this License.  You are not responsible
451 | for enforcing compliance by third parties with this License.
452 | 
453 |   An "entity transaction" is a transaction transferring control of an
454 | organization, or substantially all assets of one, or subdividing an
455 | organization, or merging organizations.  If propagation of a covered
456 | work results from an entity transaction, each party to that
457 | transaction who receives a copy of the work also receives whatever
458 | licenses to the work the party's predecessor in interest had or could
459 | give under the previous paragraph, plus a right to possession of the
460 | Corresponding Source of the work from the predecessor in interest, if
461 | the predecessor has it or can get it with reasonable efforts.
462 | 
463 |   You may not impose any further restrictions on the exercise of the
464 | rights granted or affirmed under this License.  For example, you may
465 | not impose a license fee, royalty, or other charge for exercise of
466 | rights granted under this License, and you may not initiate litigation
467 | (including a cross-claim or counterclaim in a lawsuit) alleging that
468 | any patent claim is infringed by making, using, selling, offering for
469 | sale, or importing the Program or any portion of it.
470 | 
471 |   11. Patents.
472 | 
473 |   A "contributor" is a copyright holder who authorizes use under this
474 | License of the Program or a work on which the Program is based.  The
475 | work thus licensed is called the contributor's "contributor version".
476 | 
477 |   A contributor's "essential patent claims" are all patent claims
478 | owned or controlled by the contributor, whether already acquired or
479 | hereafter acquired, that would be infringed by some manner, permitted
480 | by this License, of making, using, or selling its contributor version,
481 | but do not include claims that would be infringed only as a
482 | consequence of further modification of the contributor version.  For
483 | purposes of this definition, "control" includes the right to grant
484 | patent sublicenses in a manner consistent with the requirements of
485 | this License.
486 | 
487 |   Each contributor grants you a non-exclusive, worldwide, royalty-free
488 | patent license under the contributor's essential patent claims, to
489 | make, use, sell, offer for sale, import and otherwise run, modify and
490 | propagate the contents of its contributor version.
491 | 
492 |   In the following three paragraphs, a "patent license" is any express
493 | agreement or commitment, however denominated, not to enforce a patent
494 | (such as an express permission to practice a patent or covenant not to
495 | sue for patent infringement).  To "grant" such a patent license to a
496 | party means to make such an agreement or commitment not to enforce a
497 | patent against the party.
498 | 
499 |   If you convey a covered work, knowingly relying on a patent license,
500 | and the Corresponding Source of the work is not available for anyone
501 | to copy, free of charge and under the terms of this License, through a
502 | publicly available network server or other readily accessible means,
503 | then you must either (1) cause the Corresponding Source to be so
504 | available, or (2) arrange to deprive yourself of the benefit of the
505 | patent license for this particular work, or (3) arrange, in a manner
506 | consistent with the requirements of this License, to extend the patent
507 | license to downstream recipients.  "Knowingly relying" means you have
508 | actual knowledge that, but for the patent license, your conveying the
509 | covered work in a country, or your recipient's use of the covered work
510 | in a country, would infringe one or more identifiable patents in that
511 | country that you have reason to believe are valid.
512 | 
513 |   If, pursuant to or in connection with a single transaction or
514 | arrangement, you convey, or propagate by procuring conveyance of, a
515 | covered work, and grant a patent license to some of the parties
516 | receiving the covered work authorizing them to use, propagate, modify
517 | or convey a specific copy of the covered work, then the patent license
518 | you grant is automatically extended to all recipients of the covered
519 | work and works based on it.
520 | 
521 |   A patent license is "discriminatory" if it does not include within
522 | the scope of its coverage, prohibits the exercise of, or is
523 | conditioned on the non-exercise of one or more of the rights that are
524 | specifically granted under this License.  You may not convey a covered
525 | work if you are a party to an arrangement with a third party that is
526 | in the business of distributing software, under which you make payment
527 | to the third party based on the extent of your activity of conveying
528 | the work, and under which the third party grants, to any of the
529 | parties who would receive the covered work from you, a discriminatory
530 | patent license (a) in connection with copies of the covered work
531 | conveyed by you (or copies made from those copies), or (b) primarily
532 | for and in connection with specific products or compilations that
533 | contain the covered work, unless you entered into that arrangement,
534 | or that patent license was granted, prior to 28 March 2007.
535 | 
536 |   Nothing in this License shall be construed as excluding or limiting
537 | any implied license or other defenses to infringement that may
538 | otherwise be available to you under applicable patent law.
539 | 
540 |   12. No Surrender of Others' Freedom.
541 | 
542 |   If conditions are imposed on you (whether by court order, agreement or
543 | otherwise) that contradict the conditions of this License, they do not
544 | excuse you from the conditions of this License.  If you cannot convey a
545 | covered work so as to satisfy simultaneously your obligations under this
546 | License and any other pertinent obligations, then as a consequence you may
547 | not convey it at all.  For example, if you agree to terms that obligate you
548 | to collect a royalty for further conveying from those to whom you convey
549 | the Program, the only way you could satisfy both those terms and this
550 | License would be to refrain entirely from conveying the Program.
551 | 
552 |   13. Use with the GNU Affero General Public License.
553 | 
554 |   Notwithstanding any other provision of this License, you have
555 | permission to link or combine any covered work with a work licensed
556 | under version 3 of the GNU Affero General Public License into a single
557 | combined work, and to convey the resulting work.  The terms of this
558 | License will continue to apply to the part which is the covered work,
559 | but the special requirements of the GNU Affero General Public License,
560 | section 13, concerning interaction through a network will apply to the
561 | combination as such.
562 | 
563 |   14. Revised Versions of this License.
564 | 
565 |   The Free Software Foundation may publish revised and/or new versions of
566 | the GNU General Public License from time to time.  Such new versions will
567 | be similar in spirit to the present version, but may differ in detail to
568 | address new problems or concerns.
569 | 
570 |   Each version is given a distinguishing version number.  If the
571 | Program specifies that a certain numbered version of the GNU General
572 | Public License "or any later version" applies to it, you have the
573 | option of following the terms and conditions either of that numbered
574 | version or of any later version published by the Free Software
575 | Foundation.  If the Program does not specify a version number of the
576 | GNU General Public License, you may choose any version ever published
577 | by the Free Software Foundation.
578 | 
579 |   If the Program specifies that a proxy can decide which future
580 | versions of the GNU General Public License can be used, that proxy's
581 | public statement of acceptance of a version permanently authorizes you
582 | to choose that version for the Program.
583 | 
584 |   Later license versions may give you additional or different
585 | permissions.  However, no additional obligations are imposed on any
586 | author or copyright holder as a result of your choosing to follow a
587 | later version.
588 | 
589 |   15. Disclaimer of Warranty.
590 | 
591 |   THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
592 | APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
596 | PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
597 | IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
599 | 
600 |   16. Limitation of Liability.
601 | 
602 |   IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
610 | SUCH DAMAGES.
611 | 
612 |   17. Interpretation of Sections 15 and 16.
613 | 
614 |   If the disclaimer of warranty and limitation of liability provided
615 | above cannot be given local legal effect according to their terms,
616 | reviewing courts shall apply local law that most closely approximates
617 | an absolute waiver of all civil liability in connection with the
618 | Program, unless a warranty or assumption of liability accompanies a
619 | copy of the Program in return for a fee.
620 | 
621 |                      END OF TERMS AND CONDITIONS
622 | 
623 |             How to Apply These Terms to Your New Programs
624 | 
625 |   If you develop a new program, and you want it to be of the greatest
626 | possible use to the public, the best way to achieve this is to make it
627 | free software which everyone can redistribute and change under these terms.
628 | 
629 |   To do so, attach the following notices to the program.  It is safest
630 | to attach them to the start of each source file to most effectively
631 | state the exclusion of warranty; and each file should have at least
632 | the "copyright" line and a pointer to where the full notice is found.
633 | 
634 |     dnscrypt-proxy-android
635 |     Copyright (C) 2020-2023, d3cim
636 | 
637 |     This program is free software: you can redistribute it and/or modify
638 |     it under the terms of the GNU General Public License as published by
639 |     the Free Software Foundation, either version 3 of the License, or
640 |     (at your option) any later version.
641 | 
642 |     This program is distributed in the hope that it will be useful,
643 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
644 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
645 |     GNU General Public License for more details.
646 | 
647 |     You should have received a copy of the GNU General Public License
648 |     along with this program.  If not, see <https://www.gnu.org/licenses/>.
649 | 
650 | Also add information on how to contact you by electronic and paper mail.
651 | 
652 |   If the program does terminal interaction, make it output a short
653 | notice like this when it starts in an interactive mode:
654 | 
655 |     dnscrypt-proxy-android  Copyright (C) 2020-2023, d3cim
656 |     This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
657 |     This is free software, and you are welcome to redistribute it
658 |     under certain conditions; type `show c' for details.
659 | 
660 | The hypothetical commands `show w' and `show c' should show the appropriate
661 | parts of the General Public License.  Of course, your program's commands
662 | might be different; for a GUI interface, you would use an "about box".
663 | 
664 |   You should also get your employer (if you work as a programmer) or school,
665 | if any, to sign a "copyright disclaimer" for the program, if necessary.
666 | For more information on this, and how to apply and follow the GNU GPL, see
667 | <https://www.gnu.org/licenses/>.
668 | 
669 |   The GNU General Public License does not permit incorporating your program
670 | into proprietary programs.  If your program is a subroutine library, you
671 | may consider it more useful to permit linking proprietary applications with
672 | the library.  If this is what you want to do, use the GNU Lesser General
673 | Public License instead of this License.  But first, please read
674 | <https://www.gnu.org/licenses/why-not-lgpl.html>.
675 | 
676 | 


--------------------------------------------------------------------------------
/META-INF/com/google/android/update-binary:
--------------------------------------------------------------------------------
 1 | #!/sbin/sh
 2 | 
 3 | #################
 4 | # Initialization
 5 | #################
 6 | 
 7 | umask 022
 8 | 
 9 | # echo before loading util_functions
10 | ui_print() { echo "$1"; }
11 | 
12 | require_new_magisk() {
13 |   ui_print "*******************************"
14 |   ui_print " Please install Magisk v20.4+! "
15 |   ui_print "*******************************"
16 |   exit 1
17 | }
18 | 
19 | #########################
20 | # Load util_functions.sh
21 | #########################
22 | 
23 | OUTFD=$2
24 | ZIPFILE=$3
25 | 
26 | mount /data 2>/dev/null
27 | 
28 | [ -f /data/adb/magisk/util_functions.sh ] || require_new_magisk
29 | . /data/adb/magisk/util_functions.sh
30 | [ $MAGISK_VER_CODE -lt 20400 ] && require_new_magisk
31 | 
32 | install_module
33 | exit 0
34 | 


--------------------------------------------------------------------------------
/META-INF/com/google/android/updater-script:
--------------------------------------------------------------------------------
1 | #MAGISK
2 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # DNSCrypt Proxy 2 for Android
  2 | 
  3 | ![GitHub release (latest by date)](https://img.shields.io/github/v/release/d3cim/dnscrypt-proxy-android?style=for-the-badge)
  4 | ![GitHub all releases](https://img.shields.io/github/downloads/d3cim/dnscrypt-proxy-android/total?style=for-the-badge)
  5 | 
  6 | A flexible DNS proxy, with support for modern encrypted DNS protocols such as [DNSCrypt v2](https://dnscrypt.info/protocol), [DNS-over-HTTPS](https://www.rfc-editor.org/rfc/rfc8484.txt), [Anonymized DNSCrypt](https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/ANONYMIZED-DNSCRYPT.txt) and [ODoH (Oblivious DoH)](https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-servers.md).
  7 | 
  8 | ## Features
  9 | 
 10 | - For all features please refer to the [official page](https://github.com/DNSCrypt/dnscrypt-proxy#features).
 11 | 
 12 | ## Pre-built binaries
 13 | 
 14 | Up-to-date, pre-built binaries are available for:
 15 | 
 16 | - Android/arm
 17 | - Android/arm64
 18 | - Android/x86
 19 | - Android/x86_64
 20 | 
 21 | All the binary files are downloaded from the [official release page](https://github.com/DNSCrypt/dnscrypt-proxy/releases).
 22 | 
 23 | ## Differences from the main project
 24 | 
 25 | - `server_names` = `ams-dnscrypt-nl` [NLD], `d0wn-tz-ns1` [TZA], `dct-nl` [NLD], `dct-ru` [RUS], `dnscrypt.be` [BEL], `dnscrypt.pl` [POL], `dnscrypt.uk-ipv4` [GBR], `dnswarden-uncensor-dc-swiss` [CHE], `meganerd` [NLD], `openinternet` [USA], `plan9dns-fl` [USA], `plan9dns-mx` [MEX], `plan9dns-nj` [USA], `pryv8boi` [DEU], `sby-limotelu` [IDN], `scaleway-ams` [NLD], `scaleway-fr` [FRA], `serbica` [NLD], `techsaviours.org-dnscrypt` [DEU], `v.dnscrypt.uk-ipv4` [GBR] are the resolvers in use.
 26 | 
 27 | - `doh_servers = false` (disable servers implementing the `DNS-over-HTTPS` protocol)
 28 | 
 29 | - `require_dnssec = true` (server must support `DNSSEC` security extension)
 30 | 
 31 | - `force_tcp = true` (fix for mobile data intial connection random issues if `routes` have been set and `skip_incompatible = true`, see [DNSCrypt/dnscrypt-proxy/discussions/2020](https://github.com/DNSCrypt/dnscrypt-proxy/discussions/2020))
 32 | 
 33 | - `timeout = 1000` (set the max. response time of a single DNS query from `5000` to `1000` ms.)
 34 | 
 35 | - `blocked_query_response = 'refused'` (set `refused` response to blocked queries)
 36 | 
 37 | - `# log_level = 0` (set the log level of the `dnscrypt-proxy.log` file to very verbose, but keep it disabled by default)
 38 | 
 39 | - `dnscrypt_ephemeral_keys = true` (create a new, unique key for every single DNS query)
 40 | 
 41 | - `bootstrap_resolvers = ['45.11.45.11:53']` (use [DNS.SB](https://dns.sb/) instead [CloudFlare](https://archive.today/tS1Ln))
 42 | 
 43 | - `netprobe_address = '45.11.45.11:53'` (use [DNS.SB](https://dns.sb/) instead [CloudFlare](https://archive.today/tS1Ln))
 44 | 
 45 | - `block_ipv6 = true` (immediately respond to IPv6-related queries with an empty response)
 46 | 
 47 | - `blocked-names.txt`, `blocked-ips.txt`, `allowed-names.txt` and `allowed-ips.txt` files enabled. (to know more specifics about this, please refer to the [Filters (optional)](https://github.com/d3cim/dnscrypt-proxy-android#filters-optional) section below)
 48 | 
 49 | - `anonymized_dns` feature enabled. (`routes` are indirect ways to reach DNSCrypt servers, each resolver has 2 relays assigned)
 50 | 
 51 | - `skip_incompatible = true` (skip resolvers incompatible with anonymization instead of using them directly)
 52 | 
 53 | - `direct_cert_fallback = false` (prevent direct connections through the resolvers for failed certificate retrieved via relay)
 54 | 
 55 | ## Installation
 56 | 
 57 | **1.** Download the latest `dnscrypt-proxy-android-*.zip` file from the [Releases](https://github.com/d3cim/dnscrypt-proxy-android/releases/latest) page and flash it with [Magisk](https://github.com/topjohnwu/Magisk):
 58 | 
 59 | ```
 60 | Magisk > Modules > Install from storage > dnscrypt-proxy-android-*.zip
 61 | ```
 62 | 
 63 | **2.** Reboot your device.
 64 | 
 65 | **3.** Test your DNS at https://dnsleaktest.com/
 66 | 
 67 | ### Configuration (optional)
 68 | 
 69 | You can edit the `dnscrypt-proxy.toml` file as you wish located on `storage/emulated/0/dnscrypt-proxy` path.
 70 | 
 71 | For a more detailed configuration you can refer to the [official documentation](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Configuration) or simply join our group on [Telegram](https://telegram.org/), at [dnscrypt-proxy-android | CHAT](https://t.me/qd_invitations).
 72 | 
 73 | ### Filters (optional)
 74 | 
 75 | Filters are a powerful set of built-in features, that let you control exactly what domain names and IP addresses your device are allowed to connect to. This can be used to block ads, trackers, malware, or anything you don't want your device to load.
 76 | 
 77 | This [module](https://github.com/d3cim/dnscrypt-proxy-android) comes with the [filtering feature](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters) enabled by default, that's why you can see files designed for this operation inside the internal folder. Out of the box these files are empty and are used only to ensure the correct start of `dnscrypt-proxy` service.\
 78 | To know more about it you can consult the [official documentation](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters), or in a simpler way through my [block repository](https://github.com/d3cim/block).
 79 | 
 80 | I'm also providing the `allowed-names.txt` and `blocked-names.txt` files regularly updated at [dnscrypt-proxy-filters | CHANNEL](https://t.me/dnscrypt_proxy_filters). The [sources](https://github.com/d3cim/block#sources) used for this merge are among the hardest on the web.
 81 | 
 82 | You can contribute to this blocklist at anytime, opening a [New Issue](https://github.com/d3cim/dnscrypt-proxy-android/issues) here or simply reporting the issue at [dnscrypt-proxy-filters | CHAT](https://t.me/qd_invitations) on [Telegram](https://telegram.org/).
 83 | 
 84 | ## Changelog
 85 | 
 86 | - See [CHANGELOG](https://github.com/d3cim/dnscrypt-proxy-android/blob/master/CHANGELOG.md).
 87 | 
 88 | ## Version numbers
 89 | 
 90 | dnscrypt-proxy-android tags follow the format `{dnscrypt-proxy_version}.{revision}` where
 91 | 
 92 | * `dnscrypt-proxy_version` is the version of dnscrypt-proxy used in `x.x.x` format, and
 93 | * `revision` is a number indicating the version of dnscrypt-proxy-android for the corresponding dnscrypt-proxy version.
 94 | 
 95 | ## Donations
 96 | 
 97 | - **BTC** address: `126Y2BJQyPq8CHAaFMCyVH5QcbSViQz89e`
 98 | - **ETH** address: `0x16b917Bb585D2411b9c9C81b03de72471f3f072F`
 99 | - **XMR** address: `41jXybL88etPg1nGuPsMZbFSzKzbXYat4Xak3QssPy7LNs4VBWXDxbhjSdtLJDA138cx7cTq8JhFoiTTVLhWrTNAUywgGFD`
100 | 
101 | ## Credits
102 | 
103 | - [Frank Denis](https://github.com/jedisct1) and his [contributors](https://github.com/DNSCrypt/dnscrypt-proxy/graphs/contributors) for the upstream code.
104 | - [Affif Mukhlashin](https://github.com/bluemeda) and his [contributors](https://github.com/bluemeda/dnscrypt-proxy-magisk/graphs/contributors) for the very first module.
105 | - [John Wu](https://github.com/topjohnwu) and his [contributors](https://github.com/topjohnwu/Magisk/graphs/contributors) for Magisk.
106 | 


--------------------------------------------------------------------------------
/binary/dnscrypt-proxy-arm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d3cim/dnscrypt-proxy-android/fe7a434df83e8a2ea9a24af046cdf62196975dab/binary/dnscrypt-proxy-arm


--------------------------------------------------------------------------------
/binary/dnscrypt-proxy-arm64:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d3cim/dnscrypt-proxy-android/fe7a434df83e8a2ea9a24af046cdf62196975dab/binary/dnscrypt-proxy-arm64


--------------------------------------------------------------------------------
/binary/dnscrypt-proxy-i386:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d3cim/dnscrypt-proxy-android/fe7a434df83e8a2ea9a24af046cdf62196975dab/binary/dnscrypt-proxy-i386


--------------------------------------------------------------------------------
/binary/dnscrypt-proxy-x86_64:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d3cim/dnscrypt-proxy-android/fe7a434df83e8a2ea9a24af046cdf62196975dab/binary/dnscrypt-proxy-x86_64


--------------------------------------------------------------------------------
/config/LICENSE:
--------------------------------------------------------------------------------
 1 | ISC License
 2 | 
 3 | Copyright (c) 2018-2023, Frank Denis <j at pureftpd dot org>
 4 | 
 5 | Permission to use, copy, modify, and/or distribute this software for any
 6 | purpose with or without fee is hereby granted, provided that the above
 7 | copyright notice and this permission notice appear in all copies.
 8 | 
 9 | THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
10 | REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 | AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
12 | INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 | LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
14 | OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 | PERFORMANCE OF THIS SOFTWARE.
16 | 


--------------------------------------------------------------------------------
/config/allowed-ips.txt:
--------------------------------------------------------------------------------
 1 | 
 2 | ##############################
 3 | #        IP allowlist        #
 4 | ##############################
 5 | 
 6 | ## Author      : d3cim  : https://github.com/d3cim
 7 | ##                        https://git.nixnet.services/d3cim
 8 | ##
 9 | ## License     : GPLv3  : https://github.com/d3cim/block/blob/master/LICENSE.md
10 | ##
11 | ##
12 | ## DO NOT DELETE THIS FILE !!
13 | ##
14 | ## This file is required by dnscrypt-proxy to work properly, you can use it to filter your content on the web, otherwise forget about it.
15 | ##
16 | ## More info at: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters
17 | ##               https://github.com/d3cim/block
18 | 


--------------------------------------------------------------------------------
/config/allowed-names.txt:
--------------------------------------------------------------------------------
 1 | 
 2 | ###########################
 3 | #        Allowlist        #
 4 | ###########################
 5 | 
 6 | ## Author      : d3cim  : https://github.com/d3cim
 7 | ##                        https://git.nixnet.services/d3cim
 8 | ##
 9 | ## License     : GPLv3  : https://github.com/d3cim/block/blob/master/LICENSE.md
10 | ##
11 | ##
12 | ## DO NOT DELETE THIS FILE !!
13 | ##
14 | ## This file is required by dnscrypt-proxy to work properly, you can use it to filter your content on the web, otherwise forget about it.
15 | ##
16 | ## More info at: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters
17 | ##               https://github.com/d3cim/block
18 | 


--------------------------------------------------------------------------------
/config/blocked-ips.txt:
--------------------------------------------------------------------------------
 1 | 
 2 | ##############################
 3 | #        IP blocklist        #
 4 | ##############################
 5 | 
 6 | ## Author      : d3cim     : https://github.com/d3cim
 7 | ##                           https://git.nixnet.services/d3cim
 8 | ##
 9 | ## Based on    : DNSCrypt  : Rebind Protection  : https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters#dns-rebind-protection
10 | ##
11 | ## License     : GPLv3     : https://github.com/d3cim/block/blob/master/LICENSE.md
12 | ##
13 | ##
14 | ## DO NOT DELETE THIS FILE !!
15 | ##
16 | ## This file is required by dnscrypt-proxy to work properly, you can use it to filter your content on the web, otherwise forget about it.
17 | ##
18 | ## More info at: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters
19 | ##               https://github.com/d3cim/block
20 | 
21 | # Blocklist from [https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters#dns-rebinding-protection]
22 | # Localhost rebind protection
23 | 0.0.0.0
24 | 127.0.0.*
25 | # RFC1918 rebind protection
26 | 10.*
27 | 172.16.*
28 | 172.17.*
29 | 172.18.*
30 | 172.19.*
31 | 172.20.*
32 | 172.21.*
33 | 172.22.*
34 | 172.23.*
35 | 172.24.*
36 | 172.25.*
37 | 172.26.*
38 | 172.27.*
39 | 172.28.*
40 | 172.29.*
41 | 172.30.*
42 | 172.31.*
43 | 192.168.*
44 | 


--------------------------------------------------------------------------------
/config/blocked-names.txt:
--------------------------------------------------------------------------------
 1 | 
 2 | ###########################
 3 | #        Blocklist        #
 4 | ###########################
 5 | 
 6 | ## Author      : d3cim  : https://github.com/d3cim
 7 | ##                        https://git.nixnet.services/d3cim
 8 | ##
 9 | ## License     : GPLv3  : https://github.com/d3cim/block/blob/master/LICENSE.md
10 | ##
11 | ##
12 | ## DO NOT DELETE THIS FILE !!
13 | ##
14 | ## This file is required by dnscrypt-proxy to work properly, you can use it to filter your content on the web, otherwise forget about it.
15 | ##
16 | ## More info at: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters
17 | ##               https://github.com/d3cim/block
18 | 


--------------------------------------------------------------------------------
/config/dnscrypt-proxy.toml:
--------------------------------------------------------------------------------
  1 | 
  2 | ##############################################
  3 | #                                            #
  4 | #        dnscrypt-proxy configuration        #
  5 | #                                            #
  6 | ##############################################
  7 | 
  8 | ## This is an example configuration file.
  9 | ## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"
 10 | ##
 11 | ## Online documentation is available here: https://dnscrypt.info/doc
 12 | 
 13 | 
 14 | 
 15 | ##################################
 16 | #         Global settings        #
 17 | ##################################
 18 | 
 19 | ## List of servers to use
 20 | ##
 21 | ## Servers from the "public-resolvers" source (see down below) can
 22 | ## be viewed here: https://dnscrypt.info/public-servers
 23 | ##
 24 | ## The proxy will automatically pick working servers from this list.
 25 | ## Note that the require_* filters do NOT apply when using this setting.
 26 | ##
 27 | ## By default, this list is empty and all registered servers matching the
 28 | ## require_* filters will be used instead.
 29 | ##
 30 | ## Remove the leading # first to enable this; lines starting with # are ignored.
 31 | 
 32 | server_names = ['ams-dnscrypt-nl', 'd0wn-tz-ns1', 'dct-nl', 'dct-ru', 'dnscrypt.be', 'dnscrypt.pl', 'dnscrypt.uk-ipv4', 'dnswarden-uncensor-dc-swiss', 'meganerd', 'openinternet', 'plan9dns-fl', 'plan9dns-mx', 'plan9dns-nj', 'pryv8boi', 'sby-limotelu', 'scaleway-ams', 'scaleway-fr', 'serbica', 'techsaviours.org-dnscrypt', 'v.dnscrypt.uk-ipv4']
 33 | 
 34 | 
 35 | ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
 36 | ## Example with both IPv4 and IPv6:
 37 | ## listen_addresses = ['127.0.0.1:53', '[::1]:53']
 38 | ##
 39 | ## To listen to all IPv4 addresses, use `listen_addresses = ['0.0.0.0:53']`
 40 | ## To listen to all IPv4+IPv6 addresses, use `listen_addresses = ['[::]:53']`
 41 | 
 42 | listen_addresses = ['127.0.0.1:5354']
 43 | 
 44 | 
 45 | ## Maximum number of simultaneous client connections to accept
 46 | 
 47 | max_clients = 250
 48 | 
 49 | 
 50 | ## Switch to a different system user after listening sockets have been created.
 51 | ## Note (1): this feature is currently unsupported on Windows.
 52 | ## Note (2): this feature is not compatible with systemd socket activation.
 53 | ## Note (3): when using -pidfile, the PID file directory must be writable by the new user
 54 | 
 55 | # user_name = 'nobody'
 56 | 
 57 | 
 58 | ## Require servers (from remote sources) to satisfy specific properties
 59 | 
 60 | # Use servers reachable over IPv4
 61 | ipv4_servers = true
 62 | 
 63 | # Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
 64 | ipv6_servers = false
 65 | 
 66 | # Use servers implementing the DNSCrypt protocol
 67 | dnscrypt_servers = true
 68 | 
 69 | # Use servers implementing the DNS-over-HTTPS protocol
 70 | doh_servers = false
 71 | 
 72 | # Use servers implementing the Oblivious DoH protocol
 73 | odoh_servers = false
 74 | 
 75 | 
 76 | ## Require servers defined by remote sources to satisfy specific properties
 77 | 
 78 | # Server must support DNS security extensions (DNSSEC)
 79 | require_dnssec = true
 80 | 
 81 | # Server must not log user queries (declarative)
 82 | require_nolog = true
 83 | 
 84 | # Server must not enforce its own blocklist (for parental control, ads blocking...)
 85 | require_nofilter = true
 86 | 
 87 | # Server names to avoid even if they match all criteria
 88 | disabled_server_names = []
 89 | 
 90 | 
 91 | ## Always use TCP to connect to upstream servers.
 92 | ## This can be useful if you need to route everything through Tor.
 93 | ## Otherwise, leave this to `false`, as it doesn't improve security
 94 | ## (dnscrypt-proxy will always encrypt everything even using UDP), and can
 95 | ## only increase latency.
 96 | 
 97 | force_tcp = true
 98 | 
 99 | 
100 | ## Enable *experimental* support for HTTP/3 (DoH3, HTTP over QUIC)
101 | ## Note that, like DNSCrypt but unlike other HTTP versions, this uses
102 | ## UDP and (usually) port 443 instead of TCP.
103 | 
104 | http3 = false
105 | 
106 | 
107 | ## SOCKS proxy
108 | ## Uncomment the following line to route all TCP connections to a local Tor node
109 | ## Tor doesn't support UDP, so set `force_tcp` to `true` as well.
110 | 
111 | # proxy = 'socks5://127.0.0.1:9050'
112 | 
113 | 
114 | ## HTTP/HTTPS proxy
115 | ## Only for DoH servers
116 | 
117 | # http_proxy = 'http://127.0.0.1:8888'
118 | 
119 | 
120 | ## How long a DNS query will wait for a response, in milliseconds.
121 | ## If you have a network with *a lot* of latency, you may need to
122 | ## increase this. Startup may be slower if you do so.
123 | ## Don't increase it too much. 10000 is the highest reasonable value.
124 | 
125 | timeout = 1000
126 | 
127 | 
128 | ## Keepalive for HTTP (HTTPS, HTTP/2, HTTP/3) queries, in seconds
129 | 
130 | keepalive = 30
131 | 
132 | 
133 | ## Add EDNS-client-subnet information to outgoing queries
134 | ##
135 | ## Multiple networks can be listed; they will be randomly chosen.
136 | ## These networks don't have to match your actual networks.
137 | 
138 | # edns_client_subnet = ['0.0.0.0/0', '2001:db8::/32']
139 | 
140 | 
141 | ## Response for blocked queries. Options are `refused`, `hinfo` (default) or
142 | ## an IP response. To give an IP response, use the format `a:<IPv4>,aaaa:<IPv6>`.
143 | ## Using the `hinfo` option means that some responses will be lies.
144 | ## Unfortunately, the `hinfo` option appears to be required for Android 8+
145 | 
146 | blocked_query_response = 'refused'
147 | 
148 | 
149 | ## Load-balancing strategy: 'p2' (default), 'ph', 'p<n>', 'first' or 'random'
150 | ## Randomly choose 1 of the fastest 2, half, n, 1 or all live servers by latency.
151 | ## The response quality still depends on the server itself.
152 | 
153 | # lb_strategy = 'p2'
154 | 
155 | ## Set to `true` to constantly try to estimate the latency of all the resolvers
156 | ## and adjust the load-balancing parameters accordingly, or to `false` to disable.
157 | ## Default is `true` that makes 'p2' `lb_strategy` work well.
158 | 
159 | # lb_estimator = true
160 | 
161 | 
162 | ## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)
163 | 
164 | # log_level = 0
165 | 
166 | 
167 | ## Log file for the application, as an alternative to sending logs to
168 | ## the standard system logging service (syslog/Windows event log).
169 | ##
170 | ## This file is different from other log files, and will not be
171 | ## automatically rotated by the application.
172 | 
173 | # log_file = 'dnscrypt-proxy.log'
174 | 
175 | 
176 | ## When using a log file, only keep logs from the most recent launch.
177 | 
178 | # log_file_latest = true
179 | 
180 | 
181 | ## Use the system logger (syslog on Unix, Event Log on Windows)
182 | 
183 | # use_syslog = true
184 | 
185 | 
186 | ## Delay, in minutes, after which certificates are reloaded
187 | 
188 | cert_refresh_delay = 240
189 | 
190 | 
191 | ## Initially don't check DNSCrypt server certificates for expiration, and
192 | ## only start checking them after a first successful connection to a resolver.
193 | ## This can be useful on routers with no battery-backed clock.
194 | 
195 | # cert_ignore_timestamp = false
196 | 
197 | 
198 | ## DNSCrypt: Create a new, unique key for every single DNS query
199 | ## This may improve privacy but can also have a significant impact on CPU usage
200 | ## Only enable if you don't have a lot of network load
201 | 
202 | dnscrypt_ephemeral_keys = true
203 | 
204 | 
205 | ## DoH: Disable TLS session tickets - increases privacy but also latency
206 | 
207 | # tls_disable_session_tickets = false
208 | 
209 | 
210 | ## DoH: Use TLS 1.2 and specific cipher suite instead of the server preference
211 | ## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
212 | ## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
213 | ## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
214 | ## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
215 | ##
216 | ## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
217 | ## the following suite improves performance.
218 | ## This may also help on Intel CPUs running 32-bit operating systems.
219 | ##
220 | ## Keep tls_cipher_suite empty if you have issues fetching sources or
221 | ## connecting to some DoH servers.
222 | 
223 | # tls_cipher_suite = [52392, 49199]
224 | 
225 | 
226 | ## Log TLS key material to a file, for debugging purposes only.
227 | ## This file will contain the TLS master key, which can be used to decrypt
228 | ## all TLS traffic to/from DoH servers.
229 | ## Never ever enable except for debugging purposes with a tool such as mitmproxy.
230 | 
231 | # tls_key_log_file = '/tmp/keylog.txt'
232 | 
233 | 
234 | ## Bootstrap resolvers
235 | ##
236 | ## These are normal, non-encrypted DNS resolvers, that will be only used
237 | ## for one-shot queries when retrieving the initial resolvers list and if
238 | ## the system DNS configuration doesn't work.
239 | ##
240 | ## No user queries will ever be leaked through these resolvers, and they will
241 | ## not be used after IP addresses of DoH resolvers have been found (if you are
242 | ## using DoH).
243 | ##
244 | ## They will never be used if lists have already been cached, and if the stamps
245 | ## of the configured servers already include IP addresses (which is the case for
246 | ## most of DoH servers, and for all DNSCrypt servers and relays).
247 | ##
248 | ## They will not be used if the configured system DNS works, or after the
249 | ## proxy already has at least one usable secure resolver.
250 | ##
251 | ## Resolvers supporting DNSSEC are recommended, and, if you are using
252 | ## DoH, bootstrap resolvers should ideally be operated by a different entity
253 | ## than the DoH servers you will be using, especially if you have IPv6 enabled.
254 | ##
255 | ## People in China may want to use 114.114.114.114:53 here.
256 | ## Other popular options include 8.8.8.8, 9.9.9.9 and 1.1.1.1.
257 | ##
258 | ## If more than one resolver is specified, they will be tried in sequence.
259 | ##
260 | ## TL;DR: put valid standard resolver addresses here. Your actual queries will
261 | ## not be sent there. If you're using DNSCrypt or Anonymized DNS and your
262 | ## lists are up to date, these resolvers will not even be used.
263 | 
264 | bootstrap_resolvers = ['45.11.45.11:53']
265 | 
266 | 
267 | ## When internal DNS resolution is required, for example to retrieve
268 | ## the resolvers list:
269 | ##
270 | ## - queries will be sent to dnscrypt-proxy itself, if it is already
271 | ##   running with active servers (*)
272 | ## - or else, queries will be sent to fallback servers
273 | ## - finally, if `ignore_system_dns` is `false`, queries will be sent
274 | ##   to the system DNS
275 | ##
276 | ## (*) this is incompatible with systemd sockets.
277 | ## `listen_addrs` must not be empty.
278 | 
279 | ignore_system_dns = true
280 | 
281 | 
282 | ## Maximum time (in seconds) to wait for network connectivity before
283 | ## initializing the proxy.
284 | ## Useful if the proxy is automatically started at boot, and network
285 | ## connectivity is not guaranteed to be immediately available.
286 | ## Use 0 to not test for connectivity at all (not recommended),
287 | ## and -1 to wait as much as possible.
288 | 
289 | netprobe_timeout = -1
290 | 
291 | ## Address and port to try initializing a connection to, just to check
292 | ## if the network is up. It can be any address and any port, even if
293 | ## there is nothing answering these on the other side. Just don't use
294 | ## a local address, as the goal is to check for Internet connectivity.
295 | ## On Windows, a datagram with a single, nul byte will be sent, only
296 | ## when the system starts.
297 | ## On other operating systems, the connection will be initialized
298 | ## but nothing will be sent at all.
299 | 
300 | netprobe_address = '45.11.45.11:53'
301 | 
302 | 
303 | ## Offline mode - Do not use any remote encrypted servers.
304 | ## The proxy will remain fully functional to respond to queries that
305 | ## plugins can handle directly (forwarding, cloaking, ...)
306 | 
307 | # offline_mode = false
308 | 
309 | 
310 | ## Additional data to attach to outgoing queries.
311 | ## These strings will be added as TXT records to queries.
312 | ## Do not use, except on servers explicitly asking for extra data
313 | ## to be present.
314 | ## encrypted-dns-server can be configured to use this for access control
315 | ## in the [access_control] section
316 | 
317 | # query_meta = ['key1:value1', 'key2:value2', 'token:MySecretToken']
318 | 
319 | 
320 | ## Automatic log files rotation
321 | 
322 | # Maximum log files size in MB - Set to 0 for unlimited.
323 | log_files_max_size = 10
324 | 
325 | # How long to keep backup files, in days
326 | log_files_max_age = 7
327 | 
328 | # Maximum log files backups to keep (or 0 to keep all backups)
329 | log_files_max_backups = 1
330 | 
331 | 
332 | 
333 | #########################
334 | #        Filters        #
335 | #########################
336 | 
337 | ## Note: if you are using dnsmasq, disable the `dnssec` option in dnsmasq if you
338 | ## configure dnscrypt-proxy to do any kind of filtering (including the filters
339 | ## below and blocklists).
340 | ## You can still choose resolvers that do DNSSEC validation.
341 | 
342 | 
343 | ## Immediately respond to IPv6-related queries with an empty response
344 | ## This makes things faster when there is no IPv6 connectivity, but can
345 | ## also cause reliability issues with some stub resolvers.
346 | 
347 | block_ipv6 = true
348 | 
349 | 
350 | ## Immediately respond to A and AAAA queries for host names without a domain name
351 | ## This also prevents "dotless domain names" from being resolved upstream.
352 | 
353 | block_unqualified = true
354 | 
355 | 
356 | ## Immediately respond to queries for local zones instead of leaking them to
357 | ## upstream resolvers (always causing errors or timeouts).
358 | 
359 | block_undelegated = true
360 | 
361 | 
362 | ## TTL for synthetic responses sent when a request has been blocked (due to
363 | ## IPv6 or blocklists).
364 | 
365 | reject_ttl = 10
366 | 
367 | 
368 | 
369 | ##################################################################################
370 | #        Route queries for specific domains to a dedicated set of servers        #
371 | ##################################################################################
372 | 
373 | ## See the `example-forwarding-rules.txt` file for an example
374 | 
375 | # forwarding_rules = 'forwarding-rules.txt'
376 | 
377 | 
378 | 
379 | ###############################
380 | #        Cloaking rules       #
381 | ###############################
382 | 
383 | ## Cloaking returns a predefined address for a specific name.
384 | ## In addition to acting as a HOSTS file, it can also return the IP address
385 | ## of a different name. It will also do CNAME flattening.
386 | ## If 'cloak_ptr' is set, then PTR (reverse lookups) are enabled
387 | ## for cloaking rules that do not contain wild cards.
388 | ##
389 | ## See the `example-cloaking-rules.txt` file for an example
390 | 
391 | # cloaking_rules = 'cloaking-rules.txt'
392 | 
393 | ## TTL used when serving entries in cloaking-rules.txt
394 | 
395 | # cloak_ttl = 600
396 | # cloak_ptr = false
397 | 
398 | 
399 | 
400 | ###########################
401 | #        DNS cache        #
402 | ###########################
403 | 
404 | ## Enable a DNS cache to reduce latency and outgoing traffic
405 | 
406 | cache = true
407 | 
408 | 
409 | ## Cache size
410 | 
411 | cache_size = 4096
412 | 
413 | 
414 | ## Minimum TTL for cached entries
415 | 
416 | cache_min_ttl = 2400
417 | 
418 | 
419 | ## Maximum TTL for cached entries
420 | 
421 | cache_max_ttl = 86400
422 | 
423 | 
424 | ## Minimum TTL for negatively cached entries
425 | 
426 | cache_neg_min_ttl = 60
427 | 
428 | 
429 | ## Maximum TTL for negatively cached entries
430 | 
431 | cache_neg_max_ttl = 600
432 | 
433 | 
434 | 
435 | ########################################
436 | #        Captive portal handling       #
437 | ########################################
438 | 
439 | [captive_portals]
440 | 
441 | ## A file that contains a set of names used by operating systems to
442 | ## check for connectivity and captive portals, along with hard-coded
443 | ## IP addresses to return.
444 | 
445 | # map_file = 'example-captive-portals.txt'
446 | 
447 | 
448 | 
449 | ##################################
450 | #        Local DoH server        #
451 | ##################################
452 | 
453 | [local_doh]
454 | 
455 | ## dnscrypt-proxy can act as a local DoH server. By doing so, web browsers
456 | ## requiring a direct connection to a DoH server in order to enable some
457 | ## features will enable these, without bypassing your DNS proxy.
458 | 
459 | ## Addresses that the local DoH server should listen to
460 | 
461 | # listen_addresses = ['127.0.0.1:3000']
462 | 
463 | 
464 | ## Path of the DoH URL. This is not a file, but the part after the hostname
465 | ## in the URL. By convention, `/dns-query` is frequently chosen.
466 | ## For each `listen_address` the complete URL to access the server will be:
467 | ## `https://<listen_address><path>` (ex: `https://127.0.0.1/dns-query`)
468 | 
469 | # path = '/dns-query'
470 | 
471 | 
472 | ## Certificate file and key - Note that the certificate has to be trusted.
473 | ## Can be generated using the following commands:
474 | ## openssl genpkey -genparam -algorithm ec -pkeyopt ec_paramgen_curve:P-256 -out ECPARAM.pem
475 | ## openssl req -x509 -nodes -newkey ec:ECPARAM.pem -subj "/C=XZ/L=own PC/O=localhost/CN=localhost/" -days 5000 -sha256 -keyout localhost.pem -out localhost.pem
476 | ## See the documentation (wiki) for more information.
477 | 
478 | # cert_file = 'localhost.pem'
479 | # cert_key_file = 'localhost.pem'
480 | 
481 | 
482 | 
483 | ###############################
484 | #        Query logging        #
485 | ###############################
486 | 
487 | ## Log client queries to a file
488 | 
489 | [query_log]
490 | 
491 | ## Path to the query log file (absolute, or relative to the same directory as the config file)
492 | ## Can be set to /dev/stdout in order to log to the standard output.
493 | 
494 | # file = 'query.log'
495 | 
496 | 
497 | ## Query log format (currently supported: tsv and ltsv)
498 | 
499 | format = 'tsv'
500 | 
501 | 
502 | ## Do not log these query types, to reduce verbosity. Keep empty to log everything.
503 | 
504 | # ignored_qtypes = ['DNSKEY', 'NS']
505 | 
506 | 
507 | 
508 | ############################################
509 | #        Suspicious queries logging        #
510 | ############################################
511 | 
512 | ## Log queries for nonexistent zones
513 | ## These queries can reveal the presence of malware, broken/obsolete applications,
514 | ## and devices signaling their presence to 3rd parties.
515 | 
516 | [nx_log]
517 | 
518 | ## Path to the query log file (absolute, or relative to the same directory as the config file)
519 | 
520 | # file = 'nx.log'
521 | 
522 | 
523 | ## Query log format (currently supported: tsv and ltsv)
524 | 
525 | format = 'tsv'
526 | 
527 | 
528 | 
529 | ######################################################
530 | #        Pattern-based blocking (blocklists)         #
531 | ######################################################
532 | 
533 | ## Blocklists are made of one pattern per line. Example of valid patterns:
534 | ##
535 | ##   example.com
536 | ##   =example.com
537 | ##   *sex*
538 | ##   ads.*
539 | ##   ads*.example.*
540 | ##   ads*.example[0-9]*.com
541 | ##
542 | ## Example blocklist files can be found at https://download.dnscrypt.info/blocklists/
543 | ## A script to build blocklists from public feeds can be found in the
544 | ## `utils/generate-domains-blocklists` directory of the dnscrypt-proxy source code.
545 | 
546 | [blocked_names]
547 | 
548 | ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
549 | 
550 | blocked_names_file = 'blocked-names.txt'
551 | 
552 | 
553 | ## Optional path to a file logging blocked queries
554 | 
555 | # log_file = 'blocked-names.log'
556 | 
557 | 
558 | ## Optional log format: tsv or ltsv (default: tsv)
559 | 
560 | # log_format = 'tsv'
561 | 
562 | 
563 | 
564 | ###########################################################
565 | #        Pattern-based IP blocking (IP blocklists)        #
566 | ###########################################################
567 | 
568 | ## IP blocklists are made of one pattern per line. Example of valid patterns:
569 | ##
570 | ##   127.*
571 | ##   fe80:abcd:*
572 | ##   192.168.1.4
573 | 
574 | [blocked_ips]
575 | 
576 | ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
577 | 
578 | blocked_ips_file = 'blocked-ips.txt'
579 | 
580 | 
581 | ## Optional path to a file logging blocked queries
582 | 
583 | # log_file = 'blocked-ips.log'
584 | 
585 | 
586 | ## Optional log format: tsv or ltsv (default: tsv)
587 | 
588 | # log_format = 'tsv'
589 | 
590 | 
591 | 
592 | ######################################################
593 | #   Pattern-based allow lists (blocklists bypass)    #
594 | ######################################################
595 | 
596 | ## Allowlists support the same patterns as blocklists
597 | ## If a name matches an allowlist entry, the corresponding session
598 | ## will bypass names and IP filters.
599 | ##
600 | ## Time-based rules are also supported to make some websites only accessible at specific times of the day.
601 | 
602 | [allowed_names]
603 | 
604 | ## Path to the file of allow list rules (absolute, or relative to the same directory as the config file)
605 | 
606 | allowed_names_file = 'allowed-names.txt'
607 | 
608 | 
609 | ## Optional path to a file logging allowed queries
610 | 
611 | # log_file = 'allowed-names.log'
612 | 
613 | 
614 | ## Optional log format: tsv or ltsv (default: tsv)
615 | 
616 | # log_format = 'tsv'
617 | 
618 | 
619 | 
620 | #########################################################
621 | #   Pattern-based allowed IPs lists (blocklists bypass) #
622 | #########################################################
623 | 
624 | ## Allowed IP lists support the same patterns as IP blocklists
625 | ## If an IP response matches an allowed entry, the corresponding session
626 | ## will bypass IP filters.
627 | ##
628 | ## Time-based rules are also supported to make some websites only accessible at specific times of the day.
629 | 
630 | [allowed_ips]
631 | 
632 | ## Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file)
633 | 
634 | allowed_ips_file = 'allowed-ips.txt'
635 | 
636 | 
637 | ## Optional path to a file logging allowed queries
638 | 
639 | # log_file = 'allowed-ips.log'
640 | 
641 | ## Optional log format: tsv or ltsv (default: tsv)
642 | 
643 | # log_format = 'tsv'
644 | 
645 | 
646 | 
647 | ##########################################
648 | #        Time access restrictions        #
649 | ##########################################
650 | 
651 | ## One or more weekly schedules can be defined here.
652 | ## Patterns in the name-based blocked_names file can optionally be followed with @schedule_name
653 | ## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
654 | ##
655 | ## For example, the following rule in a blocklist file:
656 | ## *.youtube.* @time-to-sleep
657 | ## would block access to YouTube during the times defined by the 'time-to-sleep' schedule.
658 | ##
659 | ## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
660 | ## {after= '9:00', before='18:00'} matches 9:00-18:00
661 | 
662 | [schedules]
663 | 
664 |   # [schedules.time-to-sleep]
665 |   #   mon = [{after='21:00', before='7:00'}]
666 |   #   tue = [{after='21:00', before='7:00'}]
667 |   #   wed = [{after='21:00', before='7:00'}]
668 |   #   thu = [{after='21:00', before='7:00'}]
669 |   #   fri = [{after='23:00', before='7:00'}]
670 |   #   sat = [{after='23:00', before='7:00'}]
671 |   #   sun = [{after='21:00', before='7:00'}]
672 | 
673 |   # [schedules.work]
674 |   #   mon = [{after='9:00', before='18:00'}]
675 |   #   tue = [{after='9:00', before='18:00'}]
676 |   #   wed = [{after='9:00', before='18:00'}]
677 |   #   thu = [{after='9:00', before='18:00'}]
678 |   #   fri = [{after='9:00', before='17:00'}]
679 | 
680 | 
681 | 
682 | #########################
683 | #        Servers        #
684 | #########################
685 | 
686 | ## Remote lists of available servers
687 | ## Multiple sources can be used simultaneously, but every source
688 | ## requires a dedicated cache file.
689 | ##
690 | ## Refer to the documentation for URLs of public sources.
691 | ##
692 | ## A prefix can be prepended to server names in order to
693 | ## avoid collisions if different sources share the same for
694 | ## different servers. In that case, names listed in `server_names`
695 | ## must include the prefixes.
696 | ##
697 | ## If the `urls` property is missing, cache files and valid signatures
698 | ## must already be present. This doesn't prevent these cache files from
699 | ## expiring after `refresh_delay` hours.
700 | ## `refreshed_delay` must be in the [24..168] interval.
701 | ## The minimum delay of 24 hours (1 day) avoids unnecessary requests to servers.
702 | ## The maximum delay of 168 hours (1 week) ensures cache freshness.
703 | 
704 | [sources]
705 | 
706 |   ### An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
707 | 
708 |   [sources.public-resolvers]
709 |     urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
710 |     cache_file = 'public-resolvers.md'
711 |     minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
712 |     refresh_delay = 72
713 |     prefix = ''
714 | 
715 |   ### Anonymized DNS relays
716 | 
717 |   [sources.relays]
718 |     urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md']
719 |     cache_file = 'relays.md'
720 |     minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
721 |     refresh_delay = 72
722 |     prefix = ''
723 | 
724 |   ### ODoH (Oblivious DoH) servers and relays
725 | 
726 |   # [sources.odoh-servers]
727 |   #   urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md']
728 |   #   cache_file = 'odoh-servers.md'
729 |   #   minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
730 |   #   refresh_delay = 24
731 |   #   prefix = ''
732 |   # [sources.odoh-relays]
733 |   #   urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md']
734 |   #   cache_file = 'odoh-relays.md'
735 |   #   minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
736 |   #   refresh_delay = 24
737 |   #   prefix = ''
738 | 
739 |   ### Quad9
740 | 
741 |   # [sources.quad9-resolvers]
742 |   #   urls = ['https://www.quad9.net/quad9-resolvers.md']
743 |   #   minisign_key = 'RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN'
744 |   #   cache_file = 'quad9-resolvers.md'
745 |   #   prefix = 'quad9-'
746 | 
747 |   ### Another example source, with resolvers censoring some websites not appropriate for children
748 |   ### This is a subset of the `public-resolvers` list, so enabling both is useless
749 | 
750 |   # [sources.parental-control]
751 |   #   urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md']
752 |   #   cache_file = 'parental-control.md'
753 |   #   minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
754 | 
755 |   ### dnscry.pt servers - See https://www.dnscry.pt
756 | 
757 |   #  [sources.dnscry-pt-resolvers]
758 |   #    urls = ["https://www.dnscry.pt/resolvers.md"]
759 |   #    minisign_key = "RWQM31Nwkqh01x88SvrBL8djp1NH56Rb4mKLHz16K7qsXgEomnDv6ziQ"
760 |   #    cache_file = "dnscry.pt-resolvers.md"
761 |   #    refresh_delay = 72
762 |   #    prefix = "dnscry.pt-"
763 | 
764 | 
765 | 
766 | #########################################
767 | #        Servers with known bugs        #
768 | #########################################
769 | 
770 | [broken_implementations]
771 | 
772 | ## Cisco servers currently cannot handle queries larger than 1472 bytes, and don't
773 | ## truncate responses larger than questions as expected by the DNSCrypt protocol.
774 | ## This prevents large responses from being received over UDP and over relays.
775 | ##
776 | ## Older versions of the `dnsdist` server software had a bug with queries larger
777 | ## than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but
778 | ## some server may still run an outdated version.
779 | ##
780 | ## The list below enables workarounds to make non-relayed usage more reliable
781 | ## until the servers are fixed.
782 | 
783 | fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cleanbrowsing-adult', 'cleanbrowsing-adult-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-security', 'cleanbrowsing-security-ipv6']
784 | 
785 | 
786 | 
787 | #################################################################
788 | #        Certificate-based client authentication for DoH        #
789 | #################################################################
790 | 
791 | ## Use a X509 certificate to authenticate yourself when connecting to DoH servers.
792 | ## This is only useful if you are operating your own, private DoH server(s).
793 | ## 'creds' maps servers to certificates, and supports multiple entries.
794 | ## If you are not using the standard root CA, an optional "root_ca"
795 | ## property set to the path to a root CRT file can be added to a server entry.
796 | 
797 | [doh_client_x509_auth]
798 | 
799 | # creds = [
800 | #    { server_name='*', client_cert='client.crt', client_key='client.key' }
801 | # ]
802 | 
803 | 
804 | 
805 | ################################
806 | #        Anonymized DNS        #
807 | ################################
808 | 
809 | [anonymized_dns]
810 | 
811 | ## Routes are indirect ways to reach DNSCrypt servers.
812 | ##
813 | ## A route maps a server name ("server_name") to one or more relays that will be
814 | ## used to connect to that server.
815 | ##
816 | ## A relay can be specified as a DNS Stamp (either a relay stamp, or a
817 | ## DNSCrypt stamp) or a server name.
818 | ##
819 | ## The following example routes "example-server-1" via `anon-example-1` or `anon-example-2`,
820 | ## and "example-server-2" via the relay whose relay DNS stamp is
821 | ## "sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM".
822 | ##
823 | ## !!! THESE ARE JUST EXAMPLES !!!
824 | ##
825 | ## Review the list of available relays from the "relays.md" file, and, for each
826 | ## server you want to use, define the relays you want connections to go through.
827 | ##
828 | ## Carefully choose relays and servers so that they are run by different entities.
829 | ##
830 | ## "server_name" can also be set to "*" to define a default route, for all servers:
831 | ## { server_name='*', via=['anon-example-1', 'anon-example-2'] }
832 | ##
833 | ## If a route is ["*"], the proxy automatically picks a relay on a distinct network.
834 | ## { server_name='*', via=['*'] } is also an option, but is likely to be suboptimal.
835 | ##
836 | ## Manual selection is always recommended over automatic selection, so that you can
837 | ## select (relay,server) pairs that work well and fit your own criteria (close by or
838 | ## in different countries, operated by different entities, on distinct ISPs...)
839 | 
840 |  routes = [
841 |     { server_name='ams-dnscrypt-nl', via=['anon-meganerd', 'anon-scaleway-ams'] },
842 |     { server_name='d0wn-tz-ns1', via=['anon-arapurayil-in-ipv4', 'anon-cs-rome'] },
843 |     { server_name='dct-nl', via=['anon-meganerd', 'anon-scaleway-ams'] },
844 |     { server_name='dct-ru', via=['anon-cs-czech', 'anon-techsaviours.org'] },
845 |     { server_name='dnscrypt.be', via=['anon-cs-belgium', 'anon-serbica'] },
846 |     { server_name='dnscrypt.pl', via=['anon-cs-poland', 'anon-techsaviours.org'] },
847 |     { server_name='dnscrypt.uk-ipv4', via=['anon-cs-london', 'anon-scaleway'] },
848 |     { server_name='dnswarden-uncensor-dc-swiss', via=['anon-cs-fr', 'anon-kama'] },
849 |     { server_name='meganerd', via=['anon-scaleway-ams', 'anon-serbica'] },
850 |     { server_name='openinternet', via=['anon-cs-sea', 'anon-inconnu'] },
851 |     { server_name='plan9dns-fl', via=['anon-cs-tx', 'anon-inconnu'] },
852 |     { server_name='plan9dns-mx', via=['anon-cs-tx', 'anon-inconnu'] },
853 |     { server_name='plan9dns-nj', via=['anon-cs-nyc1', 'anon-inconnu'] },
854 |     { server_name='pryv8boi', via=['anon-cs-dus1', 'anon-techsaviours.org'] },
855 |     { server_name='sby-limotelu', via=['anon-cs-sydney', 'anon-tiarap'] },
856 |     { server_name='scaleway-ams', via=['anon-meganerd', 'anon-serbica'] },
857 |     { server_name='scaleway-fr', via=['anon-cs-fr', 'anon-dnscrypt.uk-ipv4'] },
858 |     { server_name='serbica', via=['anon-cs-nl', 'anon-scaleway-ams'] },
859 |     { server_name='techsaviours.org-dnscrypt', via=['anon-cs-berlin', 'anon-dnswarden-swiss'] },
860 |     { server_name='v.dnscrypt.uk-ipv4', via=['anon-cs-london', 'anon-scaleway'] }
861 | #    { server_name='example-server-1', via=['anon-example-1', 'anon-example-2'] },
862 | #    { server_name='example-server-2', via=['sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM'] }
863 |  ]
864 | 
865 | 
866 | ## Skip resolvers incompatible with anonymization instead of using them directly
867 | 
868 | skip_incompatible = true
869 | 
870 | 
871 | ## If public server certificates for a non-conformant server cannot be
872 | ## retrieved via a relay, try getting them directly. Actual queries
873 | ## will then always go through relays.
874 | 
875 | direct_cert_fallback = false
876 | 
877 | 
878 | 
879 | ###############################
880 | #            DNS64            #
881 | ###############################
882 | 
883 | ## DNS64 is a mechanism for synthesizing AAAA records from A records.
884 | ## It is used with an IPv6/IPv4 translator to enable client-server
885 | ## communication between an IPv6-only client and an IPv4-only server,
886 | ## without requiring any changes to either the IPv6 or the IPv4 node,
887 | ## for the class of applications that work through NATs.
888 | ##
889 | ## There are two options to synthesize such records:
890 | ## Option 1: Using a set of static IPv6 prefixes;
891 | ## Option 2: By discovering the IPv6 prefix from DNS64-enabled resolver.
892 | ##
893 | ## If both options are configured - only static prefixes are used.
894 | ## (Ref. RFC6147, RFC6052, RFC7050)
895 | ##
896 | ## Do not enable unless you know what DNS64 is and why you need it, or else
897 | ## you won't be able to connect to anything at all.
898 | 
899 | [dns64]
900 | 
901 | ## Static prefix(es) as Pref64::/n CIDRs
902 | 
903 | # prefix = ['64:ff9b::/96']
904 | 
905 | ## DNS64-enabled resolver(s) to discover Pref64::/n CIDRs
906 | ## These resolvers are used to query for Well-Known IPv4-only Name (WKN) "ipv4only.arpa." to discover only.
907 | ## Set with your ISP's resolvers in case of custom prefixes (other than Well-Known Prefix 64:ff9b::/96).
908 | ## IMPORTANT: Default resolvers listed below support Well-Known Prefix 64:ff9b::/96 only.
909 | 
910 | # resolver = ['[2606:4700:4700::64]:53', '[2001:4860:4860::64]:53']
911 | 
912 | 
913 | 
914 | ########################################
915 | #            Static entries            #
916 | ########################################
917 | 
918 | ## Optional, local, static list of additional servers
919 | ## Mostly useful for testing your own servers.
920 | 
921 | [static]
922 | 
923 |   # [static.myserver]
924 |   #   stamp = 'sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'
925 | 


--------------------------------------------------------------------------------
/customize.sh:
--------------------------------------------------------------------------------
 1 |   ui_print " "
 2 |   ui_print "******************************"
 3 |   ui_print "*   dnscrypt-proxy-android   *"
 4 |   ui_print "*            2.1.5           *"
 5 |   ui_print "******************************"
 6 |   ui_print "*            d3cim           *"
 7 |   ui_print "******************************"
 8 |   ui_print " "
 9 | 
10 | # Get architecture specific binary file
11 | if [ "$ARCH" == "arm" ];then
12 |   BINARY_PATH=$MODPATH/binary/dnscrypt-proxy-arm
13 | elif [ "$ARCH" == "arm64" ];then
14 |   BINARY_PATH=$MODPATH/binary/dnscrypt-proxy-arm64
15 | elif [ "$ARCH" == "x86" ];then
16 |   BINARY_PATH=$MODPATH/binary/dnscrypt-proxy-i386
17 | elif [ "$ARCH" == "x64" ];then
18 |   BINARY_PATH=$MODPATH/binary/dnscrypt-proxy-x86_64
19 | fi
20 | 
21 | # Set destination paths
22 | CONFIG_PATH=$MODPATH/config
23 | 
24 | # Create the path for the binary file
25 | ui_print "* Creating the binary path."
26 | mkdir -p $MODPATH/system/bin
27 | 
28 | # Create the path for the configuration files
29 | ui_print "* Creating the config. path."
30 | mkdir -p /storage/emulated/0/dnscrypt-proxy
31 | 
32 | # Copy the binary files into the right folder
33 | if [ -f "$BINARY_PATH" ]; then
34 | ui_print "* Copying the binary files."
35 |  cp -af $BINARY_PATH $MODPATH/system/bin/dnscrypt-proxy
36 | else
37 |   abort "The binary file for your $ARCH device is missing!"
38 | fi
39 | 
40 | # Backup an existing config file before proceed
41 | CONFIG_FILE="/storage/emulated/0/dnscrypt-proxy/dnscrypt-proxy.toml"
42 | 
43 | if [ -f "$CONFIG_FILE" ]; then
44 | ui_print "* Backing up the existing config. file before proceed."
45 |   cp -af  $CONFIG_FILE ${CONFIG_FILE}-`date +%Y%m%d%H%M`.bak
46 | fi
47 | 
48 | # Copy the configuration files into the right folder
49 | if [ -d "$CONFIG_PATH" ]; then
50 | ui_print "* Copying the configuration files into the dnscrypt-proxy folder."
51 |   cp -af $CONFIG_PATH/* /storage/emulated/0/dnscrypt-proxy/
52 | else
53 |   abort "Configuration file (.toml) is missing!"
54 | fi
55 | 
56 | # Set the right permissions to the dnscrypt-proxy binary file
57 | ui_print "* Setting up the right permissions to the dnscrypt-proxy binary file."
58 | set_perm_recursive $MODPATH 0 0 0755 0755
59 | set_perm $MODPATH/system/bin/dnscrypt-proxy 0 0 0755
60 | 
61 | # Set Private DNS mode off
62 | ui_print "* Disabling Android 9+ Private DNS mode."
63 | settings put global private_dns_mode off
64 | 
65 | # Cleanup unneeded binary files
66 | ui_print "* Cleaning up the unnecessary files."
67 | rm -r $MODPATH/binary
68 | 


--------------------------------------------------------------------------------
/module.prop:
--------------------------------------------------------------------------------
1 | id=dnscrypt-proxy-android
2 | name=DNSCrypt-Proxy 2
3 | version=2.1.5
4 | versionCode=210500
5 | author=d3cim
6 | description=A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2, DNS-over-HTTPS, Anonymized DNSCrypt and ODoH (Oblivious DoH). Using dnscrypt-proxy 2.1.5
7 | updateJson=https://raw.githubusercontent.com/d3cim/dnscrypt-proxy-android/master/update.json
8 | 


--------------------------------------------------------------------------------
/post-fs-data.sh:
--------------------------------------------------------------------------------
 1 | #!/system/bin/sh
 2 | # Do NOT assume where your module will be located.
 3 | # ALWAYS use $MODDIR if you need to know where this script
 4 | # and module is placed.
 5 | # This will make sure your module will still work
 6 | # if Magisk change its mount point in the future
 7 | MODDIR=${0%/*}
 8 | 
 9 | # This script will be executed in post-fs-data mode
10 | 
11 | # Redirect DNS requests to localhost
12 | iptables -t nat -A OUTPUT -p tcp ! -d 45.11.45.11 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
13 | iptables -t nat -A OUTPUT -p udp ! -d 45.11.45.11 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
14 | # ip6tables -t nat -A OUTPUT -p tcp ! -d 45.11.45.11 --dport 53 -j DNAT --to-destination [::1]:5354
15 | # ip6tables -t nat -A OUTPUT -p udp ! -d 45.11.45.11 --dport 53 -j DNAT --to-destination [::1]:5354
16 | 
17 | # Force disable IPv6 OS connections
18 | resetprop net.ipv6.conf.all.accept_redirects 0
19 | resetprop net.ipv6.conf.all.disable_ipv6 1
20 | resetprop net.ipv6.conf.default.accept_redirects 0
21 | resetprop net.ipv6.conf.default.disable_ipv6 1
22 | 


--------------------------------------------------------------------------------
/service.sh:
--------------------------------------------------------------------------------
 1 | #!/system/bin/sh
 2 | # Do NOT assume where your module will be located.
 3 | # ALWAYS use $MODDIR if you need to know where this script
 4 | # and module is placed.
 5 | # This will make sure your module will still work
 6 | # if Magisk change its mount point in the future
 7 | MODDIR=${0%/*}
 8 | 
 9 | 	while ! [ `pgrep -x dnscrypt-proxy` ] ; do
10 | 		$MODDIR/system/bin/dnscrypt-proxy -config /storage/emulated/0/dnscrypt-proxy/dnscrypt-proxy.toml && sleep 15;
11 | 	done
12 | 


--------------------------------------------------------------------------------
/uninstall.sh:
--------------------------------------------------------------------------------
 1 | (
 2 | while [ "$(getprop sys.boot_completed)" != "1" ] && [ ! -d "/storage/emulated/0/Android" ]; do
 3 |   sleep 1
 4 | done
 5 | 
 6 | rm -rf /data/media/0/dnscrypt-proxy
 7 | rm -rf /mnt/runtime/default/emulated/0/dnscrypt-proxy
 8 | rm -rf /mnt/runtime/full/emulated/0/dnscrypt-proxy
 9 | rm -rf /mnt/runtime/read/emulated/0/dnscrypt-proxy
10 | rm -rf /mnt/runtime/write/emulated/0/dnscrypt-proxy
11 | rm -rf /sdcard/dnscrypt-proxy
12 | rm -rf /storage/emulated/0/dnscrypt-proxy
13 | rm -rf /storage/self/primary/dnscrypt-proxy
14 | 
15 | )&
16 | 


--------------------------------------------------------------------------------
/update.json:
--------------------------------------------------------------------------------
1 | {
2 |     "version": "2.1.5",
3 |     "versionCode": 210500,
4 |     "zipUrl": "https://github.com/d3cim/dnscrypt-proxy-android/releases/download/2.1.5/dnscrypt-proxy-android-v2.1.5.zip",
5 |     "changelog": "https://raw.githubusercontent.com/d3cim/dnscrypt-proxy-android/2.1.5/CHANGELOG.md"
6 | }
7 | 


--------------------------------------------------------------------------------