lottanorta
/
HaproxyDNS
同期ミラー https://github.com/minoplhy/doh-dot-haproxy


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257
							####################################################
#                                                  #
#        Encrypted DNS Server configuration        #
#                                                  #
####################################################


##################################
#         Global settings        #
##################################


## IP addresses and ports to listen to, as well as their external IP
## If there is no NAT involved, `local` and `external` can be the same.
## As many addresses as needed can be configured here, IPv4 and/or IPv6.
## You should at least change the `external` IP address.

### Example with both IPv4 and IPv6 addresses:
# listen_addrs = [
#     { local = "0.0.0.0:443",    external = "198.51.100.1:443" },
#     { local = "[::]:443",       external = "[2001:db8::1]:443" }
# ]

listen_addrs = [
    { local = "0.0.0.0:8443",    external = "**YourIP**:8443" },
    { local = "[::]:8443", external = "[**YourIP**]:8443" }
]


## Upstream DNS server and port

upstream_addr = "127.0.0.1:5353"


## File name to save the state to

state_file = "encrypted-dns.state"


## UDP timeout in seconds

udp_timeout = 10


## TCP timeout in seconds

tcp_timeout = 10


## Maximum active UDP sockets

udp_max_active_connections = 1000


## Maximum active TCP connections

tcp_max_active_connections = 100


## Optional IP address to connect to upstream servers from.
## Leave commented/undefined to automatically select it.

# external_addr = "0.0.0.0"


## Built-in DNS cache capacity

cache_capacity = 100000


## DNS cache: minimum TTL

cache_ttl_min = 3600


## DNS cache: max TTL

cache_ttl_max = 86400


## DNS cache: error TTL

cache_ttl_error = 600


## DNS cache: to avoid bursts of traffic for popular queries when an
## RRSET expires, hold a TTL received from an upstream server for
## `client_ttl_holdon` seconds before decreasing it in client responses.

client_ttl_holdon = 60


## Run as a background process

daemonize = false


## Log file

# log_file = "/tmp/encrypted-dns.log"


## PID file

pid_file = "/tmp/encrypted-dns.pid"


## User name to drop privileges to, when started as root.

user = "DNSCrypt"


## Group name to drop privileges to, when started as root.

group = "DNSCrypt"


## Path to chroot() to, when started as root.
## The path to the state file is relative to the chroot base.

# chroot = "/var/empty"


## Queries sent to that name will return the client IP address.
## This can be very useful for debugging, or to check that relaying works.

my_ip = "my.ip"


####################################
#         DNSCrypt settings        #
####################################

[dnscrypt]

## Provider name (with or without the `2.dnscrypt-cert.` prefix)

provider_name = "**Your Preferred Name**"


## Does the server support DNSSEC?

dnssec = true


## Does the server always returns correct answers (no filtering, including ad blocking)?

no_filters = false


## Set to `true` if the server doesn't keep any information that can be used to identify users

no_logs = true


## Key cache capacity, per certificate

key_cache_capacity = 10000


###############################
#         TLS settings        #
###############################

[tls]

## Where to proxy TLS connections to (e.g. DoH server)

# upstream_addr = "127.0.0.1:4343"


#######################################
#        Server-side filtering        #
#######################################

[filtering]

## List of domains to block, one per line

# domain_blacklist = "/etc/domain_blacklist.txt"


## List of undelegated TLDs
## This is the list of nonexistent TLDs that queries are frequently observed for,
## but will never resolve to anything. The server will immediately return a
## synthesized NXDOMAIN response instead of hitting root servers.

# undelegated_list = "/etc/undelegated.txt"


## Ignore A and AAAA queries for unqualified host names.

# ignore_unqualified_hostnames = true


#########################
#        Metrics        #
#########################

# [metrics]

# type = "prometheus"
# listen_addr = "0.0.0.0:9100"
# path = "/metrics"


################################
#        Anonymized DNS        #
################################

[anonymized_dns]

# Enable relaying support for Anonymized DNS

enabled = false


# Allowed upstream ports
# This is a list of commonly used ports for encrypted DNS services

allowed_ports = [ 443, 553, 853, 1443, 2053, 4343, 4434, 4443, 5353, 5443, 8443, 15353 ]


# Allow all ports >= 1024 in addition to the list above

allow_non_reserved_ports = false


# Blacklisted upstream IP addresses

blacklisted_ips = [ "93.184.216.34" ]


################################
#        Access control        #
################################

[access_control]

# Enable access control

enabled = false

# Only allow access to client queries including one of these random tokens
# Tokens can be configured in the `query_meta` section of `dnscrypt-proxy` as
# `query_meta = ["token:..."]` -- Replace ... with the token to use by the client.
# Example: `query_meta = ["token:Y2oHkDJNHz"]`

tokens = ["Y2oHkDJNHz", "G5zY3J5cHQtY", "C5zZWN1cmUuZG5z"]