1. naposidi

    naposidi New Member

    Joined:
    Apr 27, 2019
    Messages:
    1
    Не знаю где лучше спросить.
    Подскажите мне, какие строки удалить(отключить?) и что прописать в dnscrypt-proxy.toml,
    чтобы dnscrypt-proxy использовал только DoH метод и сервера вот эти:

    DNS-over-HTTPS:
    https://dns.adguard.com/dns-query для режима “По умолчанию”
    https://dns-family.adguard.com/dns-query для “Семейного” режима.

    Актуальный файл dnscrypt-proxy.toml, без настроек:
    Code:
    ##############################################
    #                                            #
    #        dnscrypt-proxy configuration        #
    #                                            #
    ##############################################
    
    ## This is an example configuration file.
    ## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"
    ##
    ## Online documentation is available here: https://dnscrypt.info/doc
    
    
    
    ##################################
    #         Global settings        #
    ##################################
    
    ## List of servers to use
    ##
    ## Servers from the "public-resolvers" source (see down below) can
    ## be viewed here: https://dnscrypt.info/public-servers
    ##
    ## If this line is commented, all registered servers matching the require_* filters
    ## will be used.
    ##
    ## The proxy will automatically pick the fastest, working servers from the list.
    ## Remove the leading # first to enable this; lines starting with # are ignored.
    
    # server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
    
    
    ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
    ## Note: When using systemd socket activation, choose an empty set (i.e. [] ).
    
    listen_addresses = ['127.0.0.1:53', '[::1]:53']
    
    
    ## Maximum number of simultaneous client connections to accept
    
    max_clients = 250
    
    
    ## Switch to a different system user after listening sockets have been created.
    ## Note (1): this feature is currently unsupported on Windows.
    ## Note (2): this feature is not compatible with systemd socket activation.
    ## Note (3): when using -pidfile, the PID file directory must be writable by the new user
    
    # user_name = 'nobody'
    
    
    ## Require servers (from static + remote sources) to satisfy specific properties
    
    # Use servers reachable over IPv4
    ipv4_servers = true
    
    # Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
    ipv6_servers = false
    
    # Use servers implementing the DNSCrypt protocol
    dnscrypt_servers = true
    
    # Use servers implementing the DNS-over-HTTPS protocol
    doh_servers = true
    
    
    ## Require servers defined by remote sources to satisfy specific properties
    
    # Server must support DNS security extensions (DNSSEC)
    require_dnssec = false
    
    # Server must not log user queries (declarative)
    require_nolog = true
    
    # Server must not enforce its own blacklist (for parental control, ads blocking...)
    require_nofilter = true
    
    # Server names to avoid even if they match all criteria
    disabled_server_names = []
    
    
    ## Always use TCP to connect to upstream servers.
    ## This can be useful if you need to route everything through Tor.
    ## Otherwise, leave this to `false`, as it doesn't improve security
    ## (dnscrypt-proxy will always encrypt everything even using UDP), and can
    ## only increase latency.
    
    force_tcp = false
    
    
    ## SOCKS proxy
    ## Uncomment the following line to route all TCP connections to a local Tor node
    ## Tor doesn't support UDP, so set `force_tcp` to `true` as well.
    
    # proxy = "socks5://127.0.0.1:9050"
    
    
    ## HTTP/HTTPS proxy
    ## Only for DoH servers
    
    # http_proxy = "http://127.0.0.1:8888"
    
    
    ## How long a DNS query will wait for a response, in milliseconds
    
    timeout = 2500
    
    
    ## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds
    
    keepalive = 30
    
    
    ## Use the REFUSED return code for blocked responses
    ## Setting this to `false` means that some responses will be lies.
    ## Unfortunately, `false` appears to be required for Android 8+
    
    refused_code_in_responses = false
    
    
    ## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random'
    
    # lb_strategy = 'p2'
    
    
    ## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)
    
    # log_level = 2
    
    
    ## log file for the application
    
    # log_file = 'dnscrypt-proxy.log'
    
    
    ## Use the system logger (syslog on Unix, Event Log on Windows)
    
    # use_syslog = true
    
    
    ## Delay, in minutes, after which certificates are reloaded
    
    cert_refresh_delay = 240
    
    
    ## DNSCrypt: Create a new, unique key for every single DNS query
    ## This may improve privacy but can also have a significant impact on CPU usage
    ## Only enable if you don't have a lot of network load
    
    # dnscrypt_ephemeral_keys = false
    
    
    ## DoH: Disable TLS session tickets - increases privacy but also latency
    
    # tls_disable_session_tickets = false
    
    
    ## DoH: Use a specific cipher suite instead of the server preference
    ## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    ## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    ## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    ## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
    ##
    ## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
    ## the following suite improves performance.
    ## This may also help on Intel CPUs running 32-bit operating systems.
    ##
    ## Keep tls_cipher_suite empty if you have issues fetching sources or
    ## connecting to some DoH servers. Google and Cloudflare are fine with it.
    
    # tls_cipher_suite = [52392, 49199]
    
    
    ## Fallback resolver
    ## This is a normal, non-encrypted DNS resolver, that will be only used
    ## for one-shot queries when retrieving the initial resolvers list, and
    ## only if the system DNS configuration doesn't work.
    ## No user application queries will ever be leaked through this resolver,
    ## and it will not be used after IP addresses of resolvers URLs have been found.
    ## It will never be used if lists have already been cached, and if stamps
    ## don't include host names without IP addresses.
    ## It will not be used if the configured system DNS works.
    ## A resolver supporting DNSSEC is recommended. This may become mandatory.
    ##
    ## People in China may need to use 114.114.114.114:53 here.
    ## Other popular options include 8.8.8.8 and 1.1.1.1.
    
    fallback_resolver = '9.9.9.9:53'
    
    
    ## Never let dnscrypt-proxy try to use the system DNS settings;
    ## unconditionally use the fallback resolver.
    
    ignore_system_dns = false
    
    
    ## Maximum time (in seconds) to wait for network connectivity before
    ## initializing the proxy.
    ## Useful if the proxy is automatically started at boot, and network
    ## connectivity is not guaranteed to be immediately available.
    ## Use 0 to disable.
    
    netprobe_timeout = 60
    
    
    ## Offline mode - Do not use any remote encrypted servers.
    ## The proxy will remain fully functional to respond to queries that
    ## plugins can handle directly (forwarding, cloaking, ...)
    
    # offline_mode = false
    
    
    ## Automatic log files rotation
    
    # Maximum log files size in MB
    log_files_max_size = 10
    
    # How long to keep backup files, in days
    log_files_max_age = 7
    
    # Maximum log files backups to keep (or 0 to keep all backups)
    log_files_max_backups = 1
    
    
    
    #########################
    #        Filters        #
    #########################
    
    ## Immediately respond to IPv6-related queries with an empty response
    ## This makes things faster when there is no IPv6 connectivity, but can
    ## also cause reliability issues with some stub resolvers.
    ## Do not enable if you added a validating resolver such as dnsmasq in front
    ## of the proxy.
    
    block_ipv6 = false
    
    
    
    ##################################################################################
    #        Route queries for specific domains to a dedicated set of servers        #
    ##################################################################################
    
    ## Example map entries (one entry per line):
    ## example.com 9.9.9.9
    ## example.net 9.9.9.9,8.8.8.8,1.1.1.1
    
    # forwarding_rules = 'forwarding-rules.txt'
    
    
    
    ###############################
    #        Cloaking rules       #
    ###############################
    
    ## Cloaking returns a predefined address for a specific name.
    ## In addition to acting as a HOSTS file, it can also return the IP address
    ## of a different name. It will also do CNAME flattening.
    ##
    ## Example map entries (one entry per line)
    ## example.com     10.1.1.1
    ## www.google.com  forcesafesearch.google.com
    
    # cloaking_rules = 'cloaking-rules.txt'
    
    
    
    ###########################
    #        DNS cache        #
    ###########################
    
    ## Enable a DNS cache to reduce latency and outgoing traffic
    
    cache = true
    
    
    ## Cache size
    
    cache_size = 512
    
    
    ## Minimum TTL for cached entries
    
    cache_min_ttl = 600
    
    
    ## Maximum TTL for cached entries
    
    cache_max_ttl = 86400
    
    
    ## Minimum TTL for negatively cached entries
    
    cache_neg_min_ttl = 60
    
    
    ## Maximum TTL for negatively cached entries
    
    cache_neg_max_ttl = 600
    
    
    
    ###############################
    #        Query logging        #
    ###############################
    
    ## Log client queries to a file
    
    [query_log]
    
      ## Path to the query log file (absolute, or relative to the same directory as the executable file)
    
      # file = 'query.log'
    
    
      ## Query log format (currently supported: tsv and ltsv)
    
      format = 'tsv'
    
    
      ## Do not log these query types, to reduce verbosity. Keep empty to log everything.
    
      # ignored_qtypes = ['DNSKEY', 'NS']
    
    
    
    ############################################
    #        Suspicious queries logging        #
    ############################################
    
    ## Log queries for nonexistent zones
    ## These queries can reveal the presence of malware, broken/obsolete applications,
    ## and devices signaling their presence to 3rd parties.
    
    [nx_log]
    
      ## Path to the query log file (absolute, or relative to the same directory as the executable file)
    
      # file = 'nx.log'
    
    
      ## Query log format (currently supported: tsv and ltsv)
    
      format = 'tsv'
    
    
    
    ######################################################
    #        Pattern-based blocking (blacklists)        #
    ######################################################
    
    ## Blacklists are made of one pattern per line. Example of valid patterns:
    ##
    ##   example.com
    ##   =example.com
    ##   *sex*
    ##   ads.*
    ##   ads*.example.*
    ##   ads*.example[0-9]*.com
    ##
    ## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
    ## A script to build blacklists from public feeds can be found in the
    ## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.
    
    [blacklist]
    
      ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
    
      # blacklist_file = 'blacklist.txt'
    
    
      ## Optional path to a file logging blocked queries
    
      # log_file = 'blocked.log'
    
    
      ## Optional log format: tsv or ltsv (default: tsv)
    
      # log_format = 'tsv'
    
    
    
    ###########################################################
    #        Pattern-based IP blocking (IP blacklists)        #
    ###########################################################
    
    ## IP blacklists are made of one pattern per line. Example of valid patterns:
    ##
    ##   127.*
    ##   fe80:abcd:*
    ##   192.168.1.4
    
    [ip_blacklist]
    
      ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
    
      # blacklist_file = 'ip-blacklist.txt'
    
    
      ## Optional path to a file logging blocked queries
    
      # log_file = 'ip-blocked.log'
    
    
      ## Optional log format: tsv or ltsv (default: tsv)
    
      # log_format = 'tsv'
    
    
    
    ######################################################
    #   Pattern-based whitelisting (blacklists bypass)   #
    ######################################################
    
    ## Whitelists support the same patterns as blacklists
    ## If a name matches a whitelist entry, the corresponding session
    ## will bypass names and IP filters.
    ##
    ## Time-based rules are also supported to make some websites only accessible at specific times of the day.
    
    [whitelist]
    
      ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the executable file)
    
      # whitelist_file = 'whitelist.txt'
    
    
      ## Optional path to a file logging whitelisted queries
    
      # log_file = 'whitelisted.log'
    
    
      ## Optional log format: tsv or ltsv (default: tsv)
    
      # log_format = 'tsv'
    
    
    
    ##########################################
    #        Time access restrictions        #
    ##########################################
    
    ## One or more weekly schedules can be defined here.
    ## Patterns in the name-based blocklist can optionally be followed with @schedule_name
    ## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
    ##
    ## For example, the following rule in a blacklist file:
    ## *.youtube.* @time-to-sleep
    ## would block access to YouTube only during the days, and period of the days
    ## define by the 'time-to-sleep' schedule.
    ##
    ## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
    ## {after= '9:00', before='18:00'} matches 9:00-18:00
    
    [schedules]
    
      # [schedules.'time-to-sleep']
      # mon = [{after='21:00', before='7:00'}]
      # tue = [{after='21:00', before='7:00'}]
      # wed = [{after='21:00', before='7:00'}]
      # thu = [{after='21:00', before='7:00'}]
      # fri = [{after='23:00', before='7:00'}]
      # sat = [{after='23:00', before='7:00'}]
      # sun = [{after='21:00', before='7:00'}]
    
      # [schedules.'work']
      # mon = [{after='9:00', before='18:00'}]
      # tue = [{after='9:00', before='18:00'}]
      # wed = [{after='9:00', before='18:00'}]
      # thu = [{after='9:00', before='18:00'}]
      # fri = [{after='9:00', before='17:00'}]
    
    
    
    #########################
    #        Servers        #
    #########################
    
    ## Remote lists of available servers
    ## Multiple sources can be used simultaneously, but every source
    ## requires a dedicated cache file.
    ##
    ## Refer to the documentation for URLs of public sources.
    ##
    ## A prefix can be prepended to server names in order to
    ## avoid collisions if different sources share the same for
    ## different servers. In that case, names listed in `server_names`
    ## must include the prefixes.
    ##
    ## If the `urls` property is missing, cache files and valid signatures
    ## must be already present; This doesn't prevent these cache files from
    ## expiring after `refresh_delay` hours.
    
    [sources]
    
      ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
    
      [sources.'public-resolvers']
      urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
      cache_file = 'public-resolvers.md'
      minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
      refresh_delay = 72
      prefix = ''
    
      ## Quad9 over DNSCrypt - https://quad9.net/
    
      # [sources.quad9-resolvers]
      # urls = ["https://www.quad9.net/quad9-resolvers.md"]
      # minisign_key = "RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN"
      # cache_file = "quad9-resolvers.md"
      # refresh_delay = 72
      # prefix = "quad9-"
    
      ## Another example source, with resolvers censoring some websites not appropriate for children
      ## This is a subset of the `public-resolvers` list, so enabling both is useless
    
      #  [sources.'parental-control']
      #  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md']
      #  cache_file = 'parental-control.md'
      #  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
    
    
    
    ## Optional, local, static list of additional servers
    ## Mostly useful for testing your own servers.
    
    [static]
    
      # [static.'google']
      # stamp = 'sdns://AgUAAAAAAAAAAAAOZG5zLmdvb2dsZS5jb20NL2V4cGVyaW1lbnRhbA'
    

    Понимаю все настройки, только с этим никак.
    -

    Если первое в false, то будет только DoH, но где мне прописать адрес сервера Adguard?
     
    Last edited: Apr 27, 2019
  2. Chinaski

    Chinaski Support Marine Staff Member Administrator Moderator

    Joined:
    Apr 15, 2019
    Messages:
    411
    @naposidi

    Добрый день! Попробуйте воспользоваться данной инструкцией!