From 3edb0bddd94e171d89f3554b1354a71c2000f6bd Mon Sep 17 00:00:00 2001
From: olli
Date: Fri, 28 Jul 2023 12:32:14 +0200
Subject: [PATCH] tornet.yml aktualisiert
---
tornet.yml | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 69 insertions(+), 1 deletion(-)
diff --git a/tornet.yml b/tornet.yml
index 427c554..8de55fb 100644
--- a/tornet.yml
+++ b/tornet.yml
@@ -300,7 +300,75 @@
 log_files_max_size = 64
 log_files_max_age = 7
 log_files_max_backups = 4
-
+
+ # delay, in minutes, after which certificates are reloaded; this also
+ # drives the latency logger, so we poll/log every hour
+ cert_refresh_delay = 60
+
+ # less linkability / more privacy at slight performance impact;
+ # see the notes in the above-cited documentation
+ tls_disable_session_tickets = true
+ tls_cipher_suite = [52392, 49199]
+
+ # for healthcheck, heartbeat and bootstrap, dnscrypt-proxy MUST be
+ # able to probe the internet, so we must configure our firewall so
+ # that it is the only one which can use port 53 to the internet;
+ # dnscrypt-proxy claims that it will only use these services in very
+ # limited circumstances. Regards option naming, see:
+ # https://github.com/DNSCrypt/dnscrypt-proxy/commit/c500287498a05b07c3af8effa23a0ba4c42f00f1
+ fallback_resolvers = ['46.182.19.48:53']
+ netprobe_address = '46.182.19.48:53'
+ netprobe_timeout = 60
+ ignore_system_dns = true
+
+ # explicit caching
+ cache = true
+ cache_size = 4096
+ cache_min_ttl = 2400
+ cache_max_ttl = 86400
+ cache_neg_min_ttl = 60
+ cache_neg_max_ttl = 600
+
+ # I am not configuring this resolver as a local DoH listener, to do so
+ # requires a TLS certificate and that's a world of pain
+
+ [query_log]
+ file = '/var/log/dnscrypt-proxy/query.log'
+ # ignored_qtypes = ['DNSKEY', 'NS']
+
+ [nx_log]
+ file = '/var/log/dnscrypt-proxy/nx.log'
+
+ [blocked_names]
+ # blocked_names_file = 'blocked-names.txt'
+ # log_file = '/var/log/dnscrypt-proxy/blocked-names.log'
+
+ [blocked_ips]
+ # blocked_ips_file = 'blocked-ips.txt'
+ # log_file = '/var/log/dnscrypt-proxy/blocked-ips.log'
+
+ [allowed_names]
+ # allowed_names_file = 'allowed-names.txt'
+ # log_file = '/var/log/dnscrypt-proxy/allowed-names.log'
+
+ [allowed_ips]
+ # allowed_ips_file = 'allowed-ips.txt'
+ # log_file = '/var/log/dnscrypt-proxy/allowed-ips.log'
+
+ [sources]
+
+ [sources.'public-resolvers']
+ + + 
[sources.'public-resolvers']
+ urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
+ minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+ cache_file = 'public-resolvers.md'
+
+ [sources.'onion-services']
+ urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/onion-services.md', 'https://download.dnscrypt.info/resolvers-list/v3/onion-services.md']
+ minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+ cache_file = 'onion-services.md' notify: - Restart dnscrypt-proxy
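Review bot: `tls_cipher_suite = [52392, 49199]` is two bare numeric IDs with no comment saying what they select: 52392 is 0xCCA8 (ECDHE-RSA-CHACHA20-POLY1305) and 49199 is 0xC02F (ECDHE-RSA-AES128-GCM-SHA256), both RSA-authenticated TLS 1.2 suites, so any DoH upstream that presents an ECDSA certificate will fail the handshake and silently drop out of the resolver pool, and the list has no effect on TLS 1.3 connections in Go's TLS stack. A comment above the key such as `# 0xCCA8 ECDHE-RSA-CHACHA20-POLY1305, 0xC02F ECDHE-RSA-AES128-GCM-SHA256 — TLS 1.2 only, excludes ECDSA-cert servers` would make that trade-off visible to the next editor. The `[sources.'public-resolvers']` header appears twice across the collapsed hunk boundary; if that repetition is really in the file and not a layout artifact, the TOML parser will reject the config because a table cannot be opened twice. `fallback_resolvers` and `netprobe_address` both pin the single plaintext resolver `46.182.19.48:53` with no second entry, so bootstrap and the hourly probe have no alternative if that host is unreachable; a one-line comment stating that this single point of dependency is intended (or adding a second bootstrap entry) would help. Since `[query_log]` and `[nx_log]` are both enabled, every client lookup is written to disk under `/var/log/dnscrypt-proxy/`, which is worth calling out in the comment on a privacy-oriented gateway together with the intended file permissions for that directory.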