# DNS listen addresses (host:port). The defaults bind loopback only, so the
# resolver is reachable from this machine alone.
listen = [
    "127.0.0.1:53",
    "127.0.0.1:5380",
    "[::1]:53",
    "[::1]:5380",
    ## To listen on both 0.0.0.0:53 and [::]:53, use the following line.
    ## Binding to every interface turns this into a resolver that anyone who
    ## can reach the host may query; only do so when the host is firewalled
    ## or the service is meant for other machines.
    # ":53",
]

# Upstream DNS-over-HTTPS resolver URLs
[upstream]
# Available selectors: random, weighted_round_robin or lvs_weighted_round_robin
upstream_selector = "random"
# weight must be in (0, 100]; if upstream_selector is random, weight is ignored.

## Google's resolver, good ECS, good DNSSEC
#[[upstream.upstream_ietf]]
#    url = "https://dns.google/dns-query"
#    weight = 50

## CloudFlare's resolver, bad ECS, good DNSSEC
## ECS is disabled for privacy by design: https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details/#edns-client-subnet
[[upstream.upstream_ietf]]
    url = "https://cloudflare-dns.com/dns-query"
    weight = 50

## CloudFlare's resolver, bad ECS, good DNSSEC
## ECS is disabled for privacy by design: https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details/#edns-client-subnet
## Note that some ISPs have problems connecting to 1.1.1.1; try 1.0.0.1 if problems happen.
#[[upstream.upstream_ietf]]
#    url = "https://1.1.1.1/dns-query"
#    weight = 50

## DNS.SB's resolver, good ECS, good DNSSEC
## The provider claims no logging: https://dns.sb/doh/
#[[upstream.upstream_ietf]]
#    url = "https://doh.dns.sb/dns-query"
#    weight = 50

## Quad9's resolver, bad ECS, good DNSSEC
## ECS is disabled for privacy by design: https://www.quad9.net/faq/#What_is_EDNS_Client-Subnet
#[[upstream.upstream_ietf]]
#    url = "https://9.9.9.9/dns-query"
#    weight = 50

## CloudFlare's resolver for Tor, available only with Tor
## Remember to disable ECS when using Tor (set no_ecs = true in [others]);
## otherwise part of your real address is sent through the hidden service.
## Blog: https://blog.cloudflare.com/welcome-hidden-resolver/
#[[upstream.upstream_ietf]]
#    url = "https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/dns-query"
#    weight = 50

[others]
# Bootstrap DNS servers used to resolve the address of the upstream resolver.
# If multiple servers are specified, a random one is chosen each time.
# If empty, the system DNS settings are used.
# If you want to preload IP addresses in /etc/hosts instead of using a
# bootstrap server, leave this list empty.
#
# These lookups are plain, unencrypted DNS on port 53. Only the upstream's
# hostname is resolved through them; the TLS certificate check on the upstream
# URL (on unless insecure_tls_skip_verify is set) is what limits the damage of
# a spoofed bootstrap answer.
bootstrap = [
    # Google's resolver, good ECS, good DNSSEC
    "8.8.8.8:53",
    "8.8.4.4:53",
    # CloudFlare's resolver, bad ECS, good DNSSEC
    #"1.1.1.1:53",
    #"1.0.0.1:53",
]

# The domain names here are passed directly to the bootstrap servers listed
# above, allowing captive portal detection and systems without an RTC to work.
# Only effective if at least one bootstrap server is configured.
# Answers for these names bypass DNS-over-HTTPS entirely, so they are neither
# encrypted nor authenticated; keep this list to names that genuinely need it.
passthrough = [
    "captive.apple.com",
    "connectivitycheck.gstatic.com",
    "detectportal.firefox.com",
    "msftconnecttest.com",
    "nmcheck.gnome.org",
    "pool.ntp.org",
    "time.apple.com",
    "time.asia.apple.com",
    "time.euro.apple.com",
    "time.nist.gov",
    "time.windows.com",
]

# Timeout for an upstream request, in seconds
timeout = 30

# Disable HTTP Cookies
#
# Cookies may be useful if your upstream resolver is protected by some
# anti-DDoS service that uses them to identify clients.
# Note that DNS Cookies (a DNS protocol extension) also have the ability
# to track users and are not controlled by doh-client.
no_cookies = true

# Disable EDNS0-Client-Subnet (ECS)
#
# DNS-over-HTTPS supports the EDNS0-Client-Subnet protocol, which submits part
# of the client's IP address (/24 for IPv4, /56 for IPv6 by default) to the
# upstream server. This is useful for GeoDNS and CDNs to work, and is exactly
# the same configuration as most public DNS servers.
# Setting no_ecs = true keeps the client subnet from being sent upstream, at
# the cost of less location-accurate answers from GeoDNS and CDNs.
no_ecs = false

# Disable IPv6 when querying upstream
#
# Only enable this if you really have trouble connecting.
# Doh-client uses both IPv4 and IPv6 by default and should not have problems
# in an IPv4-only environment.
# Note that DNS listening and bootstrapping are not controlled by this option.
no_ipv6 = false

# Disable submitting User-Agent
#
# It is generally not recommended to disable submitting User-Agent because it
# is still possible to probe the client version from behavior differences,
# such as TLS handshaking, handling of malformed packets, and specific bugs.
# Additionally, User-Agent is an important way for the server to distinguish
# buggy, old, or insecure clients, and to work around specific bugs.
# (e.g. doh-server can detect and work around certain issues of DNSCrypt-Proxy
# and older Firefox.)
no_user_agent = false

# Enable verbose logging
verbose = false

# insecure_tls_skip_verify disables the TLS certificate verification that the
# upstream HTTPS connection depends on.
# This option is designed for testing or development purposes only; turning it
# on over the public Internet leaves your connection vulnerable to
# man-in-the-middle attacks, and also removes the safeguard against a spoofed
# bootstrap answer described above.
insecure_tls_skip_verify = false