# HTTP listen port listen = [ "127.0.0.1:8053", "[::1]:8053", ## To listen on both 0.0.0.0:8053 and [::]:8053, use the following line # ":8053", ] # Local address and port for upstream DNS # If left empty, a local address is automatically chosen. local_addr = "" # TLS certification file # If left empty, plain-text HTTP will be used. # You are recommended to leave empty and to use a server load balancer (e.g. # Caddy, Nginx) and set up TLS there, because this program does not do OCSP # Stapling, which is necessary for client bootstrapping in a network # environment with completely no traditional DNS service. cert = "" # TLS private key file key = "" # HTTP path for resolve application path = "/dns-query" # Upstream DNS resolver # If multiple servers are specified, a random one will be chosen each time. # You can use "udp", "tcp" or "tcp-tls" for the type prefix. # For "udp", UDP will first be used, and switch to TCP when the server asks to # or the response is too large. # For "tcp", only TCP will be used. # For "tcp-tls", DNS-over-TLS (RFC 7858) will be used to secure the upstream connection. upstream = [ "udp:1.1.1.1:53", "udp:1.0.0.1:53", "udp:8.8.8.8:53", "udp:8.8.4.4:53", ] # Upstream timeout timeout = 10 # Number of tries if upstream DNS fails tries = 3 # Enable logging verbose = false # Enable log IP from HTTPS-reverse proxy header: X-Forwarded-For or X-Real-IP # Note: http uri/useragent log cannot be controlled by this config log_guessed_client_ip = false # By default, non global IP addresses are never forwarded to upstream servers. # This is to prevent two things from happening: # 1. the upstream server knowing your private LAN addresses; # 2. the upstream server unable to provide geographically near results, # or even fail to provide any result. # However, if you are deploying a split tunnel corporation network # environment, or for any other reason you want to inhibit this # behavior and allow local (eg RFC1918) address to be forwarded, # change the following option to "true". ecs_allow_non_global_ip = false # If ECS is added to the request, let the full IP address or # cap it to 24 or 128 mask. This option is to be used only on private # networks where knwoledge of the terminal endpoint may be required for # security purposes (eg. DNS Firewalling). Not a good option on the # internet where IP address may be used to identify the user and # not only the approximate location. ecs_use_precise_ip = false # If DOH is used for a controlled network, it is possible to enable # the client TLS certificate validation with a specific certificate # authority used to sign any client one. Disabled by default. # tls_client_auth = true # tls_client_auth_ca = "root-ca-public.crt"