Update Changelog v2.0.0
[dns-over-https.git] / doh-client / doh-client.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
# DNS listen port
listen = [
    "127.0.0.1:53",
    "127.0.0.1:5380",
    "[::1]:53",
    "[::1]:5380",
]
 
# HTTP path for upstream resolver
 
# CloudFlare's resolver for Tor, available only with Tor
# Remember to disable ECS below when using Tor!
# Blog: https://blog.cloudflare.com/welcome-hidden-resolver/
#"https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/dns-query",
 
 
[upstream]
 
# available selector: random or weighted_round_robin or lvs_weighted_round_robin
upstream_selector = "random"
 
# weight should in (0, 100], if upstream_selector is random, weight will be ignored
 
# Google's productive resolver, good ECS, bad DNSSEC
[[upstream.upstream_google]]
    url = "https://dns.google.com/resolve"
    weight = 50
 
# CloudFlare's resolver, bad ECS, good DNSSEC
[[upstream.upstream_google]]
    url = "https://cloudflare-dns.com/dns-query"
    weight = 50
 
# CloudFlare's resolver, bad ECS, good DNSSEC
[[upstream.upstream_google]]
    url = "https://1.1.1.1/dns-query"
    weight = 50
 
# Google's experimental resolver, good ECS, good DNSSEC
[[upstream.upstream_ietf]]
    url = "https://dns.google.com/experimental"
    weight = 50
 
# CloudFlare's resolver, bad ECS, good DNSSEC
[[upstream.upstream_ietf]]
    url = "https://cloudflare-dns.com/dns-query"
    weight = 50
 
# CloudFlare's resolver, bad ECS, good DNSSEC
[[upstream.upstream_ietf]]
    url = "https://1.1.1.1/dns-query"
    weight = 50
 
 
[others]
# Bootstrap DNS server to resolve the address of the upstream resolver
# If multiple servers are specified, a random one will be chosen each time.
# If empty, use the system DNS settings.
# If you want to preload IP addresses in /etc/hosts instead of using a
# bootstrap server, please make this list empty.
bootstrap = [
 
    # Google's resolver, bad ECS, good DNSSEC
    "8.8.8.8:53",
    "8.8.4.4:53",
 
    # CloudFlare's resolver, bad ECS, good DNSSEC
    #"1.1.1.1:53",
    #"1.0.0.1:53",
 
]
 
# The domain names here are directly passed to bootstrap servers listed above,
# allowing captive portal detection and systems without RTC to work.
# Only effective if at least one bootstrap server is configured.
passthrough = [
    "captive.apple.com",
    "connectivitycheck.gstatic.com",
    "detectportal.firefox.com",
    "msftconnecttest.com",
    "nmcheck.gnome.org",
 
    "pool.ntp.org",
    "time.apple.com",
    "time.asia.apple.com",
    "time.euro.apple.com",
    "time.nist.gov",
    "time.windows.com",
]
 
# Timeout for upstream request in seconds
timeout = 30
 
# Disable HTTP Cookies
#
# Cookies may be useful if your upstream resolver is protected by some
# anti-DDoS services to identify clients.
# Note that DNS Cookies (an DNS protocol extension to DNS) also has the ability
# to track uesrs and is not controlled by doh-client.
no_cookies = true
 
# Disable EDNS0-Client-Subnet (ECS)
#
# DNS-over-HTTPS supports EDNS0-Client-Subnet protocol, which submits part of
# the client's IP address (/24 for IPv4, /56 for IPv6 by default) to the
# upstream server. This is useful for GeoDNS and CDNs to work, and is exactly
# the same configuration as most public DNS servers.
no_ecs = false
 
# Disable IPv6 when querying upstream
#
# Only enable this if you really have trouble connecting.
# Doh-client uses both IPv4 and IPv6 by default and should not have problems
# with an IPv4-only environment.
# Note that DNS listening and bootstrapping is not controlled by this option.
no_ipv6 = false
 
# Enable logging
verbose = false