# minTtl: rewrite TTLs lower than this to this value, default 600, 0 disables this feature
minTtl=600

# staleResponseTimeout: milliseconds to wait for response to query before serving a stale record if we have it, default 1000
staleResponseTimeout=1000
# staleResponseTtl: TTL to apply to stale record when above timeout is met and stale record is served, default 10
staleResponseTtl=10

# packetQueueLength: maximum requests queued waiting for responses from upstream, all resolvers specified process from this queue, cached responses don't enter this queue, default 100, 0 means unlimited
packetQueueLength=100

# listeners: list of listeners, currently supports tcp:// and udp:// with no options, default 'tcp://127.0.0.1:5353 udp://127.0.0.1:5353'
listeners=tcp://127.0.0.1:5353 udp://127.0.0.1:5353

# resolvers: list of resolvers with or without options, whitespace separated, options are in fragment separated by ;
# currently support tcp:// (regular DNS-over-TCP), tls:// (DNS-over-TLS), http:// https:// (DNS-over-HTTPS)
# both tls:// and https:// support option pubKeyPinsSha256 with a comma-separated list of base64 public key hashes like HPKP, not supplying this causes TLS connections to be unauthenticated (vulnerable to MITM)
# https:// also validates the hostname for now like a browser would
# default 'https://dns.google.com/experimental?ct#name=dns.google.com'
resolvers=\
  tls://89.233.43.71#name=unicast.censurfridns.dk;pubKeyPinsSha256=wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs= \
  tls://145.100.185.15#name=dnsovertls.sinodun.com;pubKeyPinsSha256=62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4= \
  tls://145.100.185.16#name=dnsovertls1.sinodun.com;pubKeyPinsSha256=cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA= \
  tls://185.49.141.37#name=getdnsapi.net;pubKeyPinsSha256=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q= \
  https://dns.google.com/experimental?ct#name=dns.google.com
#resolvers=https://dns.google.com/experimental?ct
#resolvers=tcp://8.8.4.4:53
#resolvers=tls://89.233.43.71:853#pubKeyPinsSha256=wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs=

# below here are resolver options that may be defined here and/or at the resolver level, if both resolver level wins

# proxy: defines a proxy to use for all connections to this resolver, supports socks:// and http://, default none
#proxy=socks://127.0.0.1:9050

# pubKeyPinsSha256: should be on an individual resolver level, specify comma-seperated base64 public key hashes like HPKP, not supplying this causes TLS connections to be unauthenticated (vulnerable to MITM), default none
# https:// also validates the hostname for now like a browser would
#pubKeyPinsSha256=wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs=

# maxRetries: maximum number of times a request is re-queued to be resolved upstream due to failure before giving up, this is maximum retries total, not per-resolver, default resolvers.length * 2
#maxRetries=5

# name: human-readable name of resolver, might end up in logs, default full resolver URI
#name=somename

# connectTimeout: TCP connection timeout in milliseconds to upstream resolver, default 500
connectTimeout=500