# /etc/default/dnscrypt-proxy
# This file contains the configuration settings for dnscrypt-proxy. This file
# supports configuring and running multiple instances (see the bottom of this
# file for a sample secondary configuration).
# NOTE(review): the NAME[index]="value" syntax suggests this file is sourced
# as shell code by the init script -- confirm. If so, anything written here is
# executed with the init script's privileges, so keep the file owned by root
# and not writable by any other user.

# CHROOTDIR should be the same path as the USER's home directory.
# For the standard dnscrypt user this should be "/run/dnscrypt". For nobody,
# this should be "/".
# A chroot to "/" confines nothing: the daemon keeps its view of the whole
# filesystem, so that variant gives up the isolation the default provides.
CHROOTDIR[0]="/run/dnscrypt"
#CHROOTDIR[0]="/"

# The local address and (optional) port to listen on. The default port is 53.
# The value below listens on loopback only, so only processes on this host can
# use the proxy. A non-loopback address makes it reachable from other hosts;
# pair such a setting with a firewall rule limiting who may query it.
LOCALADDRESS[0]="127.0.0.1:53"

# The pid file for this instance. PIDFILE must always be specified for each
# instance!
PIDFILE[0]="/var/run/dnscrypt-proxy/dnscrypt-proxy-0.pid"

# Runs the daemon as the following user and chroots to that user's home
# directory (this is a security feature -- it is best not to change this!)
# The "nobody" alternative is an account other services may also run as, and
# it goes together with CHROOTDIR="/" above, so it drops both the dedicated
# account and the chroot.
USER[0]="dnscrypt"
#USER[0]="nobody"

# If RESOLVERNAME is set, then RESOLVERADDRESS, PROVIDERNAME, and
# PROVIDERKEY will be ignored. RESOLVERNAME should be the name of a resolver
# from RESOLVERSLIST (the first column).
# DNSCrypt encrypts and authenticates the traffic between this proxy and the
# resolver; the chosen resolver still sees every query, so pick a provider
# whose logging policy is acceptable.
RESOLVERNAME[0]="cisco"

# Specify the location of the resolver list, used if RESOLVERNAME is set.
# NOTE(review): with RESOLVERNAME set, the resolver address and provider key
# presumably come from this list, so whoever can modify it can redirect every
# lookup -- keep it root-owned and not writable by the daemon user.
RESOLVERSLIST[0]="/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv"

# If RESOLVERNAME is unset, RESOLVERADDRESS, PROVIDERNAME and PROVIDERKEY are
# the settings of the remote DNSCrypt provider.
# PROVIDERKEY is the provider's public key fingerprint; when setting it by
# hand, compare it with the value the provider itself publishes.
#RESOLVERADDRESS[0]="208.67.220.220:443"
#PROVIDERNAME[0]="2.dnscrypt-cert.opendns.com"
#PROVIDERKEY[0]="B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79"

# By default, queries are always sent with the same public key, allowing
# providers to link this public key to the different IP addresses you
# are using. Enabling ephemeral keys requires extra CPU cycles, but
# mitigates this by computing an ephemeral key pair for every query.
#EPHEMERALKEYS[0]="no"

# Use client authentication (i.e. a static client key) instead of randomly
# generating one. This should point to a private file. Its content does *not*
# need to be known by the DNS service provider. See
# /usr/doc/dnscrypt-proxy-@VERSION@/README.markdown for more information. This
# option conflicts with EPHEMERALKEYS.
# Keep the key file readable by its owner only (for example mode 0600) and
# out of backups that other users can read.
#CLIENTKEY[0]="/etc/dnscrypt.clientkey"

# Transparently add an OPT pseudo-RR to outgoing queries in order to enable
# the EDNS0 extension mechanism. The payload size is the size of the largest
# response we accept from the resolver before retrying over TCP. This feature
# is enabled by default, with a payload size of 1252 bytes. Any value below
# 512 disables it.
#EDNSPAYLOADSIZE[0]="1252"

# Set the maximum number of simultaneous active requests (default 250).
#MAXACTIVEREQUESTS[0]="250"

# Use TCP instead of UDP. This is slower than UDP, and this workaround should
# never be used except when bypassing a filter is actually required. Moreover,
# multiple queries over a single TCP connection aren't supported yet.
# Don't use this unless you have to. Defaults to off ("no").
#TCPONLY[0]="no"

# Load the following plugins. None are loaded by default. See
# /usr/doc/dnscrypt-proxy-@VERSION@/README-PLUGINS.markdown for more
# information.
# NOTE(review): plugins appear to be libraries loaded into the daemon itself,
# so a plugin runs with the daemon's privileges -- load only ones installed in
# root-owned paths. A logging plugin like the one in the example would record
# the names being looked up; treat its output file as sensitive.
#PLUGINS[0]="libdcplugin_example,--ips=/etc/blk-ips,--domains=/etc/blk-names \
#libdcplugin_example_logging,/var/log/dns.log"

# Where and what to log. The default LOGLEVEL is LOG_INFO.
# NOTE(review): LOGFILE and PIDFILE both lie outside CHROOTDIR, so they
# presumably have to be opened before the chroot takes effect -- confirm
# against the init script. Restrict read access to the log directory.
#LOGLEVEL[0]="LOG_INFO"
LOGFILE[0]="/var/log/dnscrypt-proxy/dnscrypt-proxy.log"

# A simple example configuration for a second instance
# The example gives the instance its own loopback address, PIDFILE and
# LOGFILE, while keeping the same unprivileged USER and CHROOTDIR as
# instance 0.
#CHROOTDIR[1]="/run/dnscrypt"
#LOCALADDRESS[1]="127.0.0.2:53"
#PIDFILE[1]="/var/run/dnscrypt-proxy/dnscrypt-proxy-1.pid"
#USER[1]="dnscrypt"
#RESOLVERNAME[1]="cloudns-can"
#RESOLVERSLIST[1]="/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv"
#LOGFILE[1]="/var/log/dnscrypt-proxy/dnscrypt-proxy-1.log"