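# DNS listen addresses (host:port).
#
# An entry with no host part, such as ":53", binds the wildcard address on
# both address families, i.e. 0.0.0.0:53 and [::]:53. The two active entries
# below therefore already expose the resolver on every interface of this
# host: anything that can reach this machine on port 53 or 5380 can forward
# its DNS queries through it. Only keep this if that is the intent (e.g. a
# LAN resolver) and the ports are filtered by a host or network firewall;
# for a local-only resolver, bind loopback instead.
listen = [
    ":53",
    ":5380",
    ## Local-only alternative: comment out the wildcard entries above and use
    # "127.0.0.1:53",
    # "[::1]:53",
]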
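# Upstream DNS-over-HTTPS resolvers.
#
# Each [[upstream.upstream_ietf]] entry is the full URL of an IETF-style DoH
# endpoint. Keep every URL https:// — a plain http:// URL would carry queries
# in the clear and defeat the purpose of this client. The hostname in the URL
# is looked up through the bootstrap servers configured in [others] below.
#
# With several entries active, the selector spreads queries across all of
# them, so every listed provider sees a share of your traffic; the effective
# privacy policy is the weakest one on the list.
[upstream]
# available selector: random or weighted_round_robin or lvs_weighted_round_robin
upstream_selector = "random"
# weight should be in (0, 100]; if upstream_selector is random, weight is ignored
## Google's resolver, good ECS, good DNSSEC
[[upstream.upstream_ietf]]
url = "https://dns.google/dns-query"
weight = 50
## CloudFlare's resolver, bad ECS, good DNSSEC
## ECS is disabled for privacy by design: https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details/#edns-client-subnet
[[upstream.upstream_ietf]]
url = "https://cloudflare-dns.com/dns-query"
weight = 50
## CloudFlare's resolver reached by IP literal, bad ECS, good DNSSEC
## ECS is disabled for privacy by design: https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details/#edns-client-subnet
## Note that some ISPs have problems connecting to 1.1.1.1; try 1.0.0.1 if problems happen.
#[[upstream.upstream_ietf]]
# url = "https://1.1.1.1/dns-query"
# weight = 50
## DNS.SB's resolver, good ECS, good DNSSEC
## The provider claims no logging: https://dns.sb/doh/
#[[upstream.upstream_ietf]]
# url = "https://doh.dns.sb/dns-query"
# weight = 50
## Quad9's resolver, bad ECS, good DNSSEC
## ECS is disabled for privacy by design: https://www.quad9.net/faq/#What_is_EDNS_Client-Subnet
#[[upstream.upstream_ietf]]
# url = "https://9.9.9.9/dns-query"
# weight = 50
## CloudFlare's resolver for Tor, available only through Tor.
## Remember to set no_ecs = true in [others] when using Tor, otherwise the
## client subnet is sent to the upstream and undoes the anonymity Tor gives.
## Blog: https://blog.cloudflare.com/welcome-hidden-resolver/
#[[upstream.upstream_ietf]]
# url = "https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/dns-query"
# weight = 50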
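[others]
# Bootstrap DNS servers used to resolve the hostnames of the upstream resolvers.
# If multiple servers are specified, a random one is chosen each time.
# If empty, the system DNS settings are used.
# If you would rather preload the upstream IP addresses in /etc/hosts than
# use a bootstrap server, leave this list empty.
#
# Bootstrap lookups are plain DNS on port 53: they are visible to, and can be
# answered by, anyone on the path, and they reveal which DoH provider is in
# use. A forged answer should not let the client trust a wrong upstream as
# long as the HTTPS certificate for the upstream URL is verified
# (NOTE(review): confirm doh-client enforces certificate validation), but it
# can still break resolution outright.
bootstrap = [
    # Google's resolver, bad ECS, good DNSSEC
    "8.8.8.8:53",
    "8.8.4.4:53",
    # CloudFlare's resolver, bad ECS, good DNSSEC
    #"1.1.1.1:53",
    #"1.0.0.1:53",
]
# The domain names here are passed directly to the bootstrap servers listed
# above, allowing captive portal detection and systems without an RTC to
# work (a clock that is roughly right is needed before the HTTPS upstream
# can be used).
# Only effective if at least one bootstrap server is configured.
#
# Everything on this list bypasses DoH: the answers are unencrypted and
# unauthenticated, so keep it to names whose spoofing is harmless and do
# not add application domains here.
passthrough = [
    "captive.apple.com",
    "connectivitycheck.gstatic.com",
    "detectportal.firefox.com",
    "msftconnecttest.com",
    "nmcheck.gnome.org",
    "pool.ntp.org",
    "time.apple.com",
    "time.asia.apple.com",
    "time.euro.apple.com",
    "time.nist.gov",
    "time.windows.com",
]
# Timeout for an upstream request, in seconds
timeout = 30
# Disable HTTP Cookies
#
# Cookies may be useful if your upstream resolver is protected by some
# anti-DDoS service that uses them to identify clients, but they also let the
# upstream link your queries across connections. Leaving them disabled is the
# privacy-preserving choice.
# Note that DNS Cookies (a DNS protocol extension) can also be used to track
# users and are not controlled by doh-client.
no_cookies = true
# Disable EDNS0-Client-Subnet (ECS)
#
# DNS-over-HTTPS supports the EDNS0-Client-Subnet protocol, which submits part
# of the client's IP address (/24 for IPv4, /56 for IPv6 by default) to the
# upstream server. This is useful for GeoDNS and CDNs to work, and is exactly
# the same configuration as most public DNS servers.
#
# It also discloses the client's network prefix to every upstream on the
# list. Set this to true if that matters more than CDN locality, and always
# set it to true when the Tor upstream is enabled.
no_ecs = false
# Disable IPv6 when querying upstream
#
# Only enable this if you really have trouble connecting.
# Doh-client uses both IPv4 and IPv6 by default and should not have problems
# with an IPv4-only environment.
# Note that DNS listening and bootstrapping are not controlled by this option.
no_ipv6 = false
# Disable submitting User-Agent
#
# It is generally not recommended to disable submitting User-Agent because it
# is still possible to probe the client version from behavior differences,
# such as TLS handshaking, handling of malformed packets, and specific bugs.
# Additionally, User-Agent is an important way for the server to distinguish
# buggy, old, or insecure clients, and to work around specific bugs.
# (e.g. doh-server can detect and work around certain issues of DNSCrypt-Proxy
# and older Firefox.)
no_user_agent = false
# Enable logging
#
# NOTE(review): verbose output is likely to include the names being queried;
# check what it writes before shipping these logs to a shared log system.
verbose = false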