# -*- mode: conf-toml -*- # Each commented option contains the default value. [dns] # Listening address of the resolver. # # listen = "127.0.0.1:53000" # Listening protocol. The only supported one is "udp". # # protocol = "udp" # Maximum number of entries to keep in the DNS cache. The cache discards older # entries once the number of entries exceeds this size. # # cache_size = 4096 # Cache pre-fetching. # # If enabled, cached entries will be re-resolved asynchronously. Note that this # may lead to slightly stale entries, but cached requests will never block # waiting for the upstream resolver. # # cache_prefetch = true # Cache persistence. # # If enabled, cache contents is periodically written to disk. The persisted # content will then be used to pre-populate the cache on startup. # # cache_persist = false # Upstream DNS servers to use when answering queries. # # Each entry has the following format: # # addr:port[=tls-name] # # The tls-name part is optional. Some DNS servers only have FQDNs in their # certificate SAN field. This causes certificate validation to fail when # connecting using an IP address. # # When tls-name is set it's used to verify the hostname of the returned # certificate. This only makes sense in combination with the tcp-tls protocol. # # The default is Cloudflare DNS servers, which support DNS-over-TLS. # https://www.cloudflare.com/learning/dns/what-is-1.1.1.1/ # # resolvers = [ # "1.1.1.1:853", # "1.0.0.1:853", # ] # # Or using DNS-over-HTTPS: # # resolvers = [ # "https://cloudflare-dns.com/dns-query", # ] # # Or using a specific TLS server name, for example with a UncensoredDNS servers # (https://blog.uncensoreddns.org): # # resolvers = [ # "89.233.43.71:853=unicast.censurfridns.dk", # "91.239.100.100:853=anycast.censurfridns.dk", # ] # Configure how to answer hijacked DNS requests. # # zero: Respond with the IPv4 zero address (0.0.0.0) to type A requests. # Respond with the IPv6 zero address (::) to type AAAA requests. # empty: Respond with an empty answer to all hijacked requests. # hosts: Respond with the corresponding inline host, if any. # # hijack_mode = "zero" # Configures the interval when each remote hosts list should be refreshed. # # hosts_refresh_interval = "48h" # Path to the database. This is used for persistence, such as logging of DNS requests. # # database = "" # Set logging mode. The option log_database must be set when setting this to # non-empty. # # all: Logs all requests. # hijacked: Logs only hijacked requests # empty string: Log nothing (default). # # log_mode = "" # Configure the duration of logged requests. Log entries older than this will be # removed. # # log_ttl = "168h" # HTTP server for inspecting logs and cache. Setting a listening address on the # form addr:port will enable the server. Set to empty string to disable. # # listen_http = "127.0.0.1:8053" [resolver] # Set the protocol to use when sending requests to upstream resolvers. Supported protocols: # # tcp-tls: DNS over TLS (encrypted). Note that the upstream resolver must # support this protocol. # https: DNS over HTTPS (encrypted). Only recommended for networks where tcp-tls # does not work, due to e.g. aggressive firewalls. Note that the upstream # resolver must support this protocol. # udp: DNS over UDP (plaintext). # tcp: DNS over TCP (plaintext). # # protocol = "tcp-tls" # Set the maximum timeout of a DNS request. # # timeout = "2s" # Answer queries from static hosts files. There are no default values for the # following examples. # # Load hosts from an URL. The hijack option can be one of: # # true: Matching requests will be answered according to hijack_mode. # false: Matching requests will never be hijacked. This can be used to # whitelist particular hosts as shown in the example below. # # [[hosts]] # url = "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" # hijack = true # timeout = "5s" # Load hosts from a local file. # # [[hosts]] # url = "file:///home/foo/myhosts.txt" # hijack = true # Inline hosts list. Useful for blocking or whitelisting a small set of hosts. # # [[hosts]] # entries = [ # # Unblock the following to avoid breaking video watching history # "0.0.0.0 s.youtube.com", # ] # hijack = false