From e431f21cbb2ebb8ad05daad9e8cf1b7dcd65f1bd Mon Sep 17 00:00:00 2001
From: David Myers
Date: Sat, 14 Aug 2021 08:12:54 -0400
Subject: [PATCH] Move the dnscrypt-proxy cache file (#14235)
---
 roles/dns/files/apparmor.profile.dnscrypt-proxy | 2 +-
 roles/dns/templates/dnscrypt-proxy.toml.j2 | 11 ++++++-----
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/roles/dns/files/apparmor.profile.dnscrypt-proxy b/roles/dns/files/apparmor.profile.dnscrypt-proxy
index 51de03f..ba5a70e 100644
--- a/roles/dns/files/apparmor.profile.dnscrypt-proxy
+++ b/roles/dns/files/apparmor.profile.dnscrypt-proxy
@@ -14,7 +14,7 @@
 /etc/dnscrypt-proxy/** r,
 /usr/bin/dnscrypt-proxy mr,
- /tmp/public-resolvers.md* rw,
+ /var/cache/{private/,}dnscrypt-proxy/** rw,
 /tmp/*.tmp w,
 owner /tmp/*.tmp r,
diff --git a/roles/dns/templates/dnscrypt-proxy.toml.j2 b/roles/dns/templates/dnscrypt-proxy.toml.j2
index a51c7b7..86c05ae 100644
--- a/roles/dns/templates/dnscrypt-proxy.toml.j2
+++ b/roles/dns/templates/dnscrypt-proxy.toml.j2
@@ -118,11 +118,12 @@ timeout = 2500
 keepalive = 30
-## Use the REFUSED return code for blocked responses
-## Setting this to `false` means that some responses will be lies.
-## Unfortunately, `false` appears to be required for Android 8+
+## Response for blocked queries. Options are `refused`, `hinfo` (default) or
+## an IP response. To give an IP response, use the format `a:,aaaa:`.
+## Using the `hinfo` option means that some responses will be lies.
+## Unfortunately, the `hinfo` option appears to be required for Android 8+
-refused_code_in_responses = false
+# blocked_query_response = 'refused'
 ## Load-balancing strategy: 'p2' (default), 'ph', 'first' or 'random'
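Review bot: The added rule `/var/cache/{private/,}dnscrypt-proxy/** rw,` gives the confined process read-write access to everything under the cache directory, whereas the rule it replaces was limited to `/tmp/public-resolvers.md*`. Keeping the same file scope in the new location would be tighter, for example `/var/cache/{private/,}dnscrypt-proxy/public-resolvers.md* rw,`, with an `owner` qualifier if the service user is the one that creates these files. The unchanged `/tmp/*.tmp w,` and `owner /tmp/*.tmp r,` rules still permit writes to the world-writable /tmp; if the proxy now writes its temporary files beside the cache file (not visible in this hunk), they could be dropped too. The profile's opening and closing lines are outside the hunk.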
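Review bot: The replacement for `refused_code_in_responses = false` is left commented out as `# blocked_query_response = 'refused'`, so the answer given for blocked queries now depends on the default of whichever dnscrypt-proxy version is installed, and the sample value shown is the one the comment says breaks Android 8+. Setting it explicitly, `blocked_query_response = 'hinfo'`, keeps the previous behaviour pinned in the template. As rendered here the format example reads `a:,aaaa:` with no address placeholders; if the file really reads that way, something like `a:<IPv4>,aaaa:<IPv6>` would make the comment usable.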
@@ -523,7 +524,7 @@ cache_neg_max_ttl = 600
 [sources.'public-resolvers']
 urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
- cache_file = '/tmp/public-resolvers.md'
+ cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
 minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
 prefix = ''
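Review bot: `cache_file` now points into `/var/cache/dnscrypt-proxy/`, but nothing in this diff creates that directory or sets its owner and mode, and the AppArmor rule in the same commit also allows `/var/cache/private/dnscrypt-proxy/`, which suggests the unit may rely on a systemd-managed cache directory. If the directory is missing or not writable by the service user, the signed resolver list cannot be cached and every start depends on a fresh download. It would help to confirm that the unit sets `CacheDirectory=dnscrypt-proxy` (or that a task creates the directory owned by the service user and not world-writable), and to add a comment above the setting such as `## Path must stay inside the directory allowed by the AppArmor profile`. The `[sources.'public-resolvers']` table continues past the hunk.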