Allow more flexible DNSCrypt configuration (#1120)

* Allow more flexible DNSCrypt configuration * Correct permissions on files changed in #1120 I'm not sure why using BBEdit over SMB makes every file executable. * Put the public resolvers cache file in /tmp.
2025-06-05 22:54:01 +02:00 · 2018-10-04 18:12:48 -04:00 · 2018-10-04 18:12:48 -04:00 · d90ba3d11a
commit d90ba3d11a
parent d7dcaeb575
3 changed files with 27 additions and 7 deletions
--- a/config.cfg
+++ b/config.cfg
@ -38,13 +38,25 @@ adblock_lists:
 - "https://www.malwaredomainlist.com/hostslist/hosts.txt"
 - "https://hosts-file.net/ad_servers.txt"

-# Enable DNS encryption. Use dns_encryption_provider to specify the provider. If false dns_servers should be specified
+# Enable DNS encryption.
+# If 'false', 'dns_servers' should be specified below.
 dns_encryption: true

-# Possible values: google, cloudflare
-dns_encryption_provider: cloudflare
+# DNS servers which will be used if 'dns_encryption' is 'true'. Multiple
+# providers may be specified, but avoid mixing providers that filter results
+# (like Cisco) with those that don't (like Cloudflare) or you could get
+# inconsistent results. The list of available public providers can be found
+# here:
+# https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md
+dnscrypt_servers:
+  ipv4:
+    - cloudflare
+#   - google
+  ipv6:
+    - cloudflare-ipv6

-# DNS servers which will be used if dns_encryption disabled
+# DNS servers which will be used if 'dns_encryption' is 'false'.
+# The default is to use Cloudflare.
 dns_servers:
  ipv4:
    - 1.1.1.1
--- a/roles/dns_encryption/defaults/main.yml
+++ b/roles/dns_encryption/defaults/main.yml
@ -5,5 +5,9 @@ listen_port: "{% if algo_local_dns %}5353{% else %}53{% endif %}"
 dnscrypt_proxy_version: 2.0.10
 apparmor_enabled: true
 dns_encryption: true
-dns_encryption_provider: "*"
 ipv6_support: false
+dnscrypt_servers:
+  ipv4:
+    - cloudflare
+  ipv6:
+    - cloudflare-ipv6
--- a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2
+++ b/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2
@ -27,7 +27,11 @@
 ## The proxy will automatically pick the fastest, working servers from the list.
 ## Remove the leading # first to enable this; lines starting with # are ignored.

-server_names      = ['{{ dns_encryption_provider }}'{% if ipv6_support and dns_encryption_provider == "cloudflare" %}, '{{ dns_encryption_provider }}-ipv6' {% endif %} ]
+{# Allow either list to be empty. Output nothing if both are empty. #}
+{% set servers = [] %}
+{% if dnscrypt_servers.ipv4 %}{% set servers = dnscrypt_servers.ipv4 %}{% endif %}
+{% if ipv6_support and dnscrypt_servers.ipv6 %}{% set servers = servers + dnscrypt_servers.ipv6 %}{% endif %}
+{% if servers %}server_names = ['{{ servers | join("', '") }}']{% endif %}


 ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
@ -446,7 +450,7 @@ cache_neg_max_ttl = 600

  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
-  cache_file = 'public-resolvers.md'
+  cache_file = '/tmp/public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''