diff --git a/tornet.yml b/tornet.yml
index caad342..f041db4 100644
--- a/tornet.yml
+++ b/tornet.yml
@@ -251,18 +251,25 @@ group: root marker: "# {mark} ANSIBLE MANAGED BLOCK" block: | + # Documentation https://github.com/DNSCrypt/dnscrypt-proxy/wiki - # Listen + # listen on all interfaces listen_addresses = ['127.0.0.55:5354'] - # what kinds of server do we want to resolve from? + # DoH server list + server_names = ['doh.mullvad.net-194.242.2.2', 'doh.ffmuc.net-185.150.99.255', 'doh.ffmuc.net-5.1.66.255', 'dns.digitale-gesellschaft.ch-185.95.218.42', 'dns.digitale-gesellschaft.ch-185.95.218.43', 'anycast.uncensoreddns.org-91.239.100.100'] + + # server names to avoid even if they match all criteria + # disabled_server_names = [] + + ## what kinds of server do we want to resolve from? doh_servers = true ipv4_servers = false ipv6_servers = false dnscrypt_servers = false - # do we support IPv6 accressing? Maybe performance issue. - block_ipv6 = false + # do we support IPv6 accressing? + block_ipv6 = true # don't let weird queries & typos leak upstream block_unqualified = true
@@ -279,7 +286,7 @@ # request DoH servers that advertise themselves as unfiltered require_nofilter = true - + # use tor force_tcp = true proxy = 'socks5://127.0.0.1:9050'
@@ -296,7 +303,7 @@ # logging: approx 1 month of weekly logs, capped-out/force-rotated at 64Mb log_level = 2 - use_syslog = true + use_syslog = false log_files_max_size = 64 log_files_max_age = 7 log_files_max_backups = 4
@@ -322,7 +329,7 @@ ignore_system_dns = true # explicit caching - cache = true + cache = true cache_size = 4096 cache_min_ttl = 2400 cache_max_ttl = 86400 
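Review bot: The new comment `# listen on all interfaces` above `listen_addresses = ['127.0.0.55:5354']` contradicts the value, which binds a single loopback address, so a reader will assume the resolver is reachable from the network when it is not. A comment that matches the value would be `# bind a loopback address only; nothing outside this host can reach the resolver`. In the same hunk the comment above `block_ipv6 = true` keeps the typo "accressing" and is now a question rather than a statement of the decision; something like `# answer AAAA queries with an empty response; IPv6 upstreams are disabled below (ipv6_servers = false)` records why the value changed. Note also that every entry in the new `server_names` list must match a `[static.'…']` key later in the block character for character, so the two lists are now maintained by hand in two places and a comment pointing at the `[static]` section would help the next editor.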
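Review bot: With `use_syslog = false` the main log stops going to syslog, but this hunk shows no `log_file` setting, so where it now lands depends on lines outside the hunk (to my knowledge stdout, i.e. journald under systemd, when none is set). The header comment `# logging: approx 1 month of weekly logs, capped-out/force-rotated at 64Mb` only describes file-based logging, which is what `log_files_max_size`/`log_files_max_age`/`log_files_max_backups` govern. Either confirm `log_file` is set elsewhere in the block or extend the comment, e.g. `# main log: stdout/journald unless log_file is set; the log_files_max_* limits apply to file outputs only`.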
@@ -340,9 +347,9 @@ file = '/var/log/dnscrypt-proxy/nx.log' [blocked_names] - # blocked_names_file = 'blocked-names.txt' - # log_file = '/var/log/dnscrypt-proxy/blocked-names.log' - + blocked_names_file = 'blocked-names.txt' + log_file = '/var/log/dnscrypt-proxy/blocked-names.log' + [blocked_ips] # blocked_ips_file = 'blocked-ips.txt' # log_file = '/var/log/dnscrypt-proxy/blocked-ips.log' 
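Review bot: `blocked_names_file = 'blocked-names.txt'` is now active, but nothing in this diff deploys that file; the relative path is resolved by dnscrypt-proxy against its own config directory and, as far as I recall, a configured blocklist that is missing is a fatal error at startup, so the same play needs a task that installs `blocked-names.txt` next to the generated config (an absolute path under the config directory would make the dependency explicit). Enabling `log_file = '/var/log/dnscrypt-proxy/blocked-names.log'` also records every blocked query name; the directory must exist and be writable by the service user, as for `nx.log` just above, and the `log_files_max_*` rotation from the earlier hunk is presumably the only cap on its growth. A short comment above the two lines, `# requires blocked-names.txt to be deployed alongside this config; log records every blocked name`, would tie the pieces together.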
@@ -350,26 +357,33 @@ [allowed_names] # allowed_names_file = 'allowed-names.txt' # log_file = '/var/log/dnscrypt-proxy/allowed-names.log' - + [allowed_ips] # allowed_ips_file = 'allowed-ips.txt' # log_file = '/var/log/dnscrypt-proxy/allowed-ips.log' - [sources] - - [sources.'public-resolvers'] - - - [sources.'public-resolvers'] - urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md'] - minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' - cache_file = 'public-resolvers.md' + # Static DoH DNS Servers from inspired by https://www.kuketz-blog.de/empfehlungsecke/#dns + # Stamps from https://dnscrypt.info/stamps/ + [static] + + [static.'doh.mullvad.net-194.242.2.2'] + stamp = 'sdns://AgcAAAAAAAAACzE5NC4yNDIuMi4yAA9kb2gubXVsbHZhZC5uZXQKL2Rucy1xdWVyeQ' + + [static.'doh.ffmuc.net-185.150.99.255'] + stamp = 'sdns://AgcAAAAAAAAADjE4NS4xNTAuOTkuMjU1AA1kb2guZmZtdWMubmV0Ci9kbnMtcXVlcnk' + + [static.'doh.ffmuc.net-5.1.66.255'] + stamp = 'sdns://AgcAAAAAAAAACjUuMS42Ni4yNTUADWRvaC5mZm11Yy5uZXQKL2Rucy1xdWVyeQ' + + [static.'dns.digitale-gesellschaft.ch-185.95.218.42'] + stamp = 'sdns://AgcAAAAAAAAADTE4NS45NS4yMTguNDIAHGRucy5kaWdpdGFsZS1nZXNlbGxzY2hhZnQuY2gKL2Rucy1xdWVyeQ' + + [static.'dns.digitale-gesellschaft.ch-185.95.218.43'] + stamp = 'sdns://AgcAAAAAAAAADTE4NS45NS4yMTguNDMAHGRucy5kaWdpdGFsZS1nZXNlbGxzY2hhZnQuY2gKL2Rucy1xdWVyeQ' + + [static.'anycast.uncensoreddns.org-91.239.100.100'] + stamp = 'sdns://AgcAAAAAAAAADjkxLjIzOS4xMDAuMTAwABlhbnljYXN0LnVuY2Vuc29yZWRkbnMub3JnCi9kbnMtcXVlcnk' - [sources.'onion-services'] - urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/onion-services.md', 'https://download.dnscrypt.info/resolvers-list/v3/onion-services.md'] - minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' - cache_file = 'onion-services.md' - notify: - Restart dnscrypt-proxy
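Review bot: The `require_nofilter`/`require_*` checks from the earlier hunk no longer gate anything external once the resolvers come from these hand-written `[static]` stamps: as I understand dnscrypt-proxy, those checks are evaluated against the properties byte encoded inside each stamp, and here that byte was written by the committer, whereas the removed `[sources]` lists were fetched and verified against `minisign_key`. As far as I can decode them, each stamp embeds the provider's IP literal and hostname with an empty certificate-hash field, so connections are pinned to the IP but the TLS identity is checked only against the system CA store, and a provider that renumbers will stop resolving until someone re-generates the stamp because no list refresh happens any more. I would add above `[static]`: `# stamps are hand-pinned (IP + hostname, no cert hash); re-generate at https://dnscrypt.info/stamps/ if a provider renumbers. The require_* flags match props we encoded ourselves, not an external claim.` Minor: the header comment `# Static DoH DNS Servers from inspired by` reads oddly (`# Static DoH servers, inspired by …`), and the empty `[static]` header is optional since `[static.'…']` creates the parent table implicitly.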