# minTtl: rewrite TTLs lower than this to this value, default 600, 0 disables this feature minTtl=600 # staleResponseTimeout: milliseconds to wait for response to query before serving a stale record if we have it, default 1000 staleResponseTimeout=1000 # staleResponseTtl: TTL to apply to stale record when above timeout is met and stale record is served, default 10 staleResponseTtl=10 # packetQueueLength: maximum requests queued waiting for responses from upstream, all resolvers specified process from this queue, cached responses don't enter this queue, default 100, 0 means unlimited packetQueueLength=100 # listeners: list of listeners, currently supports tcp:// and udp:// with no options, default 'tcp://127.0.0.1:5353 udp://127.0.0.1:5353' listeners=tcp://127.0.0.1:5353 udp://127.0.0.1:5353 # resolvers: list of resolvers with or without options, whitespace separated, options are in fragment separated by ; # currently support tcp:// (regular DNS-over-TCP), tls:// (DNS-over-TLS), http:// https:// (DNS-over-HTTPS) # both tls:// and https:// support option pubKeyPinsSha256 with a comma-separated list of base64 public key hashes like HPKP, not supplying this causes TLS connections to be unauthenticated (vulnerable to MITM) # https:// also validates the hostname for now like a browser would # default 'https://dns.google.com/experimental?ct#name=dns.google.com' resolvers=\ tls://89.233.43.71#name=unicast.censurfridns.dk;pubKeyPinsSha256=wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs= \ tls://145.100.185.15#name=dnsovertls.sinodun.com;pubKeyPinsSha256=62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4= \ tls://145.100.185.16#name=dnsovertls1.sinodun.com;pubKeyPinsSha256=cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA= \ tls://185.49.141.37#name=getdnsapi.net;pubKeyPinsSha256=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q= \ https://dns.google.com/experimental?ct#name=dns.google.com #resolvers=https://dns.google.com/experimental?ct #resolvers=tcp://8.8.4.4:53 #resolvers=tls://89.233.43.71:853#pubKeyPinsSha256=wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs= # below here are resolver options that may be defined here and/or at the resolver level, if both resolver level wins # proxy: defines a proxy to use for all connections to this resolver, supports socks:// and http://, default none #proxy=socks://127.0.0.1:9050 # pubKeyPinsSha256: should be on an individual resolver level, specify comma-seperated base64 public key hashes like HPKP, not supplying this causes TLS connections to be unauthenticated (vulnerable to MITM), default none # https:// also validates the hostname for now like a browser would #pubKeyPinsSha256=wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs= # maxRetries: maximum number of times a request is re-queued to be resolved upstream due to failure before giving up, this is maximum retries total, not per-resolver, default resolvers.length * 2 #maxRetries=5 # name: human-readable name of resolver, might end up in logs, default full resolver URI #name=somename # connectTimeout: TCP connection timeout in milliseconds to upstream resolver, default 500 connectTimeout=500