52 lines
3.3 KiB
Properties
52 lines
3.3 KiB
Properties
# minTtl: rewrite TTLs lower than this to this value, default 600, 0 disables this feature
|
|
minTtl=600
|
|
|
|
# staleResponseTimeout: milliseconds to wait for response to query before serving a stale record if we have it, default 1000
|
|
staleResponseTimeout=1000
|
|
# staleResponseTtl: TTL to apply to stale record when above timeout is met and stale record is served, default 10
|
|
staleResponseTtl=10
|
|
|
|
# cacheFile: path to file to persist cache to at an interval
|
|
cacheFile=dnscache.map
|
|
# cacheDelayMinutes: how often to write the cache to disk
|
|
cacheDelayMinutes=60
|
|
|
|
# packetQueueLength: maximum requests queued waiting for responses from upstream, all resolvers specified process from this queue, cached responses don't enter this queue, default 100, 0 means unlimited, -1 means no queue, just use RandomUpstreamResolver
|
|
packetQueueLength=100
|
|
|
|
# listeners: list of listeners, currently supports tcp:// and udp:// with no options, default 'tcp://127.0.0.1:5353 udp://127.0.0.1:5353'
|
|
listeners=tcp://127.0.0.1:5353 udp://127.0.0.1:5353
|
|
|
|
# resolvers: list of resolvers with or without options, whitespace separated, options are in fragment separated by ;
|
|
# currently support tcp:// (regular DNS-over-TCP), tls:// (DNS-over-TLS), http:// https:// (DNS-over-HTTPS)
|
|
# both tls:// and https:// support option pubKeyPinsSha256 with a comma-separated list of base64 public key hashes like HPKP, not supplying this causes TLS connections to be unauthenticated (vulnerable to MITM)
|
|
# https:// also validates the hostname for now like a browser would
|
|
# default 'https://dns.google.com/experimental?ct#name=dns.google.com'
|
|
resolvers=\
|
|
tls://89.233.43.71#name=unicast.censurfridns.dk;pubKeyPinsSha256=wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs= \
|
|
tls://145.100.185.15#name=dnsovertls.sinodun.com;pubKeyPinsSha256=62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4= \
|
|
tls://145.100.185.16#name=dnsovertls1.sinodun.com;pubKeyPinsSha256=cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA= \
|
|
tls://185.49.141.37#name=getdnsapi.net;pubKeyPinsSha256=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q= \
|
|
https://dns.google.com/experimental?ct#name=dns.google.com
|
|
#resolvers=https://dns.google.com/experimental?ct
|
|
#resolvers=tcp://8.8.4.4:53
|
|
#resolvers=tls://89.233.43.71:853#pubKeyPinsSha256=wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs=
|
|
|
|
# below here are resolver options that may be defined here and/or at the resolver level, if both resolver level wins
|
|
|
|
# proxy: defines a proxy to use for all connections to this resolver, supports socks:// and http://, default none
|
|
#proxy=socks://127.0.0.1:9050
|
|
|
|
# pubKeyPinsSha256: should be on an individual resolver level, specify comma-seperated base64 public key hashes like HPKP, not supplying this causes TLS connections to be unauthenticated (vulnerable to MITM), default none
|
|
# https:// also validates the hostname for now like a browser would
|
|
#pubKeyPinsSha256=wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs=
|
|
|
|
# maxRetries: maximum number of times a request is re-queued to be resolved upstream due to failure before giving up, this is maximum retries total, not per-resolver, default resolvers.length * 2
|
|
#maxRetries=5
|
|
|
|
# name: human-readable name of resolver, might end up in logs, default full resolver URI
|
|
#name=somename
|
|
|
|
# connectTimeout: TCP connection timeout in milliseconds to upstream resolver, default 500
|
|
connectTimeout=500
|