mirror of
https://github.com/trailofbits/algo.git
synced 2025-08-09 14:23:05 +02:00
Update to the latest dnscrypt-proxy version
This commit is contained in:
Jack Ivanov
parent
9f6048ece6
commit
d6e3378bd6
2 changed files with 87 additions and 11 deletions
|
|
@ -4,7 +4,6 @@
|
|||
state: present
|
||||
codename: "{{ ansible_distribution_release }}"
|
||||
repo: ppa:shevchuk/dnscrypt-proxy
|
||||
when: ansible_distribution_version is version_compare('19.04', '<')
|
||||
register: result
|
||||
until: result is succeeded
|
||||
retries: 10
|
||||
|
|
|
|||
|
|
@ -48,6 +48,14 @@ listen_addresses = [
|
|||
max_clients = 250
|
||||
|
||||
|
||||
## Switch to a different system user after listening sockets have been created.
|
||||
## Note (1): this feature is currently unsupported on Windows.
|
||||
## Note (2): this feature is not compatible with systemd socket activation.
|
||||
## Note (3): when using -pidfile, the PID file directory must be writable by the new user
|
||||
|
||||
# user_name = 'nobody'
|
||||
|
||||
|
||||
## Require servers (from static + remote sources) to satisfy specific properties
|
||||
|
||||
# Use servers reachable over IPv4
|
||||
|
|
@ -74,13 +82,32 @@ require_nolog = true
|
|||
# Server must not enforce its own blacklist (for parental control, ads blocking...)
|
||||
require_nofilter = true
|
||||
|
||||
# Server names to avoid even if they match all criteria
|
||||
disabled_server_names = []
|
||||
|
||||
|
||||
## Always use TCP to connect to upstream servers
|
||||
## Always use TCP to connect to upstream servers.
|
||||
## This can be useful if you need to route everything through Tor.
|
||||
## Otherwise, leave this to `false`, as it doesn't improve security
|
||||
## (dnscrypt-proxy will always encrypt everything even using UDP), and can
|
||||
## only increase latency.
|
||||
|
||||
force_tcp = false
|
||||
|
||||
|
||||
## SOCKS proxy
|
||||
## Uncomment the following line to route all TCP connections to a local Tor node
|
||||
## Tor doesn't support UDP, so set `force_tcp` to `true` as well.
|
||||
|
||||
# proxy = "socks5://127.0.0.1:9050"
|
||||
|
||||
|
||||
## HTTP/HTTPS proxy
|
||||
## Only for DoH servers
|
||||
|
||||
# http_proxy = "http://127.0.0.1:8888"
|
||||
|
||||
|
||||
## How long a DNS query will wait for a response, in milliseconds
|
||||
|
||||
timeout = 2500
|
||||
|
|
@ -91,10 +118,22 @@ timeout = 2500
|
|||
keepalive = 30
|
||||
|
||||
|
||||
## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random'
|
||||
## Use the REFUSED return code for blocked responses
|
||||
## Setting this to `false` means that some responses will be lies.
|
||||
## Unfortunately, `false` appears to be required for Android 8+
|
||||
|
||||
refused_code_in_responses = false
|
||||
|
||||
|
||||
## Load-balancing strategy: 'p2' (default), 'ph', 'first' or 'random'
|
||||
|
||||
lb_strategy = 'p2'
|
||||
|
||||
## Set to `true` to constantly try to estimate the latency of all the resolvers
|
||||
## and adjust the load-balancing parameters accordingly, or to `false` to disable.
|
||||
|
||||
# lb_estimator = true
|
||||
|
||||
|
||||
## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)
|
||||
|
||||
|
|
@ -133,6 +172,8 @@ tls_disable_session_tickets = true
|
|||
## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||
## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
|
||||
## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
|
||||
## 4865 = TLS_AES_128_GCM_SHA256
|
||||
## 4867 = TLS_CHACHA20_POLY1305_SHA256
|
||||
##
|
||||
## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
|
||||
## the following suite improves performance.
|
||||
|
|
@ -141,7 +182,7 @@ tls_disable_session_tickets = true
|
|||
## Keep tls_cipher_suite empty if you have issues fetching sources or
|
||||
## connecting to some DoH servers. Google and Cloudflare are fine with it.
|
||||
|
||||
# tls_cipher_suite = [49195]
|
||||
# tls_cipher_suite = [52392, 49199]
|
||||
|
||||
|
||||
## Fallback resolver
|
||||
|
|
@ -161,12 +202,40 @@ tls_disable_session_tickets = true
|
|||
fallback_resolver = '{% if ansible_distribution == "FreeBSD" %}{{ ansible_dns.nameservers.0 }}:53{% else %}127.0.0.53:53{% endif %}'
|
||||
|
||||
|
||||
## Never try to use the system DNS settings; unconditionally use the
|
||||
## fallback resolver.
|
||||
## Never let dnscrypt-proxy try to use the system DNS settings;
|
||||
## unconditionally use the fallback resolver.
|
||||
|
||||
ignore_system_dns = true
|
||||
|
||||
|
||||
## Maximum time (in seconds) to wait for network connectivity before
|
||||
## initializing the proxy.
|
||||
## Useful if the proxy is automatically started at boot, and network
|
||||
## connectivity is not guaranteed to be immediately available.
|
||||
## Use 0 to not test for connectivity at all (not recommended),
|
||||
## and -1 to wait as much as possible.
|
||||
|
||||
netprobe_timeout = 60
|
||||
|
||||
## Address and port to try initializing a connection to, just to check
|
||||
## if the network is up. It can be any address and any port, even if
|
||||
## there is nothing answering these on the other side. Just don't use
|
||||
## a local address, as the goal is to check for Internet connectivity.
|
||||
## On Windows, a datagram with a single, nul byte will be sent, only
|
||||
## when the system starts.
|
||||
## On other operating systems, the connection will be initialized
|
||||
## but nothing will be sent at all.
|
||||
|
||||
netprobe_address = "1.1.1.1:53"
|
||||
|
||||
|
||||
## Offline mode - Do not use any remote encrypted servers.
|
||||
## The proxy will remain fully functional to respond to queries that
|
||||
## plugins can handle directly (forwarding, cloaking, ...)
|
||||
|
||||
# offline_mode = false
|
||||
|
||||
|
||||
## Automatic log files rotation
|
||||
|
||||
# Maximum log files size in MB
|
||||
|
|
@ -186,8 +255,9 @@ log_files_max_backups = 1
|
|||
|
||||
## Immediately respond to IPv6-related queries with an empty response
|
||||
## This makes things faster when there is no IPv6 connectivity, but can
|
||||
## also cause reliability issues with some stub resolvers. In
|
||||
## particular, enabling this on macOS is not recommended.
|
||||
## also cause reliability issues with some stub resolvers.
|
||||
## Do not enable if you added a validating resolver such as dnsmasq in front
|
||||
## of the proxy.
|
||||
|
||||
block_ipv6 = false
|
||||
|
||||
|
|
@ -455,9 +525,16 @@ cache_neg_max_ttl = 600
|
|||
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
|
||||
cache_file = '/tmp/public-resolvers.md'
|
||||
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
|
||||
refresh_delay = 72
|
||||
prefix = ''
|
||||
|
||||
## Quad9 over DNSCrypt - https://quad9.net/
|
||||
|
||||
# [sources.quad9-resolvers]
|
||||
# urls = ["https://www.quad9.net/quad9-resolvers.md"]
|
||||
# minisign_key = "RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN"
|
||||
# cache_file = "quad9-resolvers.md"
|
||||
# prefix = "quad9-"
|
||||
|
||||
## Another example source, with resolvers censoring some websites not appropriate for children
|
||||
## This is a subset of the `public-resolvers` list, so enabling both is useless
|
||||
|
||||
|
|
@ -473,5 +550,5 @@ cache_neg_max_ttl = 600
|
|||
|
||||
[static]
|
||||
|
||||
# [static.'google']
|
||||
# stamp = 'sdns://AgUAAAAAAAAAAAAOZG5zLmdvb2dsZS5jb20NL2V4cGVyaW1lbnRhbA'
|
||||
# [static.'myserver']
|
||||
# stamp = 'sdns:AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue