config-full-paths.patch 22.1 KB
Newer Older
1 2
diff --git a/./dnscrypt-proxy.toml b/dnscrypt-proxy/dnscrypt-proxy.toml
new file mode 100644
3
index 0000000..6f4282a
4 5
--- /dev/null
+++ b/dnscrypt-proxy/dnscrypt-proxy.toml
6
@@ -0,0 +1,678 @@
7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29
+
+##############################################
+#                                            #
+#        dnscrypt-proxy configuration        #
+#                                            #
+##############################################
+
+## This is an example configuration file.
+## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"
+##
+## Online documentation is available here: https://dnscrypt.info/doc
+
+
+
+##################################
+#         Global settings        #
+##################################
+
+## List of servers to use
+##
+## Servers from the "public-resolvers" source (see down below) can
+## be viewed here: https://dnscrypt.info/public-servers
+##
30 31 32 33 34
+## The proxy will automatically pick working servers from this list.
+## Note that the require_* filters do NOT apply when using this setting.
+##
+## By default, this list is empty and all registered servers matching the
+## require_* filters will be used instead.
35 36 37 38 39 40 41
+##
+## Remove the leading # first to enable this; lines starting with # are ignored.
+
+# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
+
+
+## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
42 43
+## Example with both IPv4 and IPv6:
+## listen_addresses = ['127.0.0.1:53', '[::1]:53']
44
+
45
+listen_addresses = ['127.0.0.1:53']
46 47 48 49 50 51 52
+
+
+## Maximum number of simultaneous client connections to accept
+
+max_clients = 250
+
+
53 54 55 56 57 58 59 60
+## Switch to a different system user after listening sockets have been created.
+## Note (1): this feature is currently unsupported on Windows.
+## Note (2): this feature is not compatible with systemd socket activation.
+## Note (3): when using -pidfile, the PID file directory must be writable by the new user
+
+# user_name = 'dnscrypt'
+
+
61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86
+## Require servers (from static + remote sources) to satisfy specific properties
+
+# Use servers reachable over IPv4
+ipv4_servers = true
+
+# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
+ipv6_servers = false
+
+# Use servers implementing the DNSCrypt protocol
+dnscrypt_servers = true
+
+# Use servers implementing the DNS-over-HTTPS protocol
+doh_servers = true
+
+
+## Require servers defined by remote sources to satisfy specific properties
+
+# Server must support DNS security extensions (DNSSEC)
+require_dnssec = false
+
+# Server must not log user queries (declarative)
+require_nolog = true
+
+# Server must not enforce its own blacklist (for parental control, ads blocking...)
+require_nofilter = true
+
87 88 89
+# Server names to avoid even if they match all criteria
+disabled_server_names = []
+
90
+
91
+## Always use TCP to connect to upstream servers.
92
+## This can be useful if you need to route everything through Tor.
93 94 95
+## Otherwise, leave this to `false`, as it doesn't improve security
+## (dnscrypt-proxy will always encrypt everything even using UDP), and can
+## only increase latency.
96 97 98
+
+force_tcp = false
+
99
+
100
+## SOCKS proxy
101 102 103
+## Uncomment the following line to route all TCP connections to a local Tor node
+## Tor doesn't support UDP, so set `force_tcp` to `true` as well.
+
104
+# proxy = 'socks5://127.0.0.1:9050'
105
+
106
+
107 108 109
+## HTTP/HTTPS proxy
+## Only for DoH servers
+
110
+# http_proxy = 'http://127.0.0.1:8888'
111
+
112
+
113 114 115 116
+## How long a DNS query will wait for a response, in milliseconds.
+## If you have a network with *a lot* of latency, you may need to
+## increase this. Startup may be slower if you do so.
+## Don't increase it too much. 10000 is the highest reasonable value.
117
+
118
+timeout = 5000
119 120 121 122 123 124 125
+
+
+## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds
+
+keepalive = 30
+
+
126 127 128 129
+## Response for blocked queries.  Options are `refused`, `hinfo` (default) or
+## an IP response.  To give an IP response, use the format `a:<IPv4>,aaaa:<IPv6>`.
+## Using the `hinfo` option means that some responses will be lies.
+## Unfortunately, the `hinfo` option appears to be required for Android 8+
130
+
131
+# blocked_query_response = 'refused'
132 133
+
+
134
+## Load-balancing strategy: 'p2' (default), 'ph', 'first' or 'random'
135 136 137
+
+# lb_strategy = 'p2'
+
138 139 140 141 142
+## Set to `true` to constantly try to estimate the latency of all the resolvers
+## and adjust the load-balancing parameters accordingly, or to `false` to disable.
+
+# lb_estimator = true
+
143 144 145 146 147 148 149 150
+
+## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)
+
+# log_level = 2
+
+
+## log file for the application
+
151
+# log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'
152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180
+
+
+## Use the system logger (syslog on Unix, Event Log on Windows)
+
+# use_syslog = true
+
+
+## Delay, in minutes, after which certificates are reloaded
+
+cert_refresh_delay = 240
+
+
+## DNSCrypt: Create a new, unique key for every single DNS query
+## This may improve privacy but can also have a significant impact on CPU usage
+## Only enable if you don't have a lot of network load
+
+# dnscrypt_ephemeral_keys = false
+
+
+## DoH: Disable TLS session tickets - increases privacy but also latency
+
+# tls_disable_session_tickets = false
+
+
+## DoH: Use a specific cipher suite instead of the server preference
+## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
181 182
+##  4865 = TLS_AES_128_GCM_SHA256
+##  4867 = TLS_CHACHA20_POLY1305_SHA256
183 184 185 186 187 188 189 190 191 192 193
+##
+## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
+## the following suite improves performance.
+## This may also help on Intel CPUs running 32-bit operating systems.
+##
+## Keep tls_cipher_suite empty if you have issues fetching sources or
+## connecting to some DoH servers. Google and Cloudflare are fine with it.
+
+# tls_cipher_suite = [52392, 49199]
+
+
194 195
+## Fallback resolvers
+## These are normal, non-encrypted DNS resolvers, that will be only used
196 197
+## for one-shot queries when retrieving the initial resolvers list, and
+## only if the system DNS configuration doesn't work.
198 199 200
+## No user application queries will ever be leaked through these resolvers,
+## and they will not be used after IP addresses of resolvers URLs have been found.
+## They will never be used if lists have already been cached, and if stamps
201
+## don't include host names without IP addresses.
202
+## They will not be used if the configured system DNS works.
203
+## Resolvers supporting DNSSEC are recommended.
204 205 206
+##
+## People in China may need to use 114.114.114.114:53 here.
+## Other popular options include 8.8.8.8 and 1.1.1.1.
207
+##
208
+## If more than one resolver is specified, they will be tried in sequence.
209
+
210
+fallback_resolvers = ['9.9.9.9:53', '8.8.8.8:53']
211 212
+
+
213
+## Always use the fallback resolver before the system DNS settings.
214
+
215
+ignore_system_dns = true
216 217
+
+
218 219 220 221
+## Maximum time (in seconds) to wait for network connectivity before
+## initializing the proxy.
+## Useful if the proxy is automatically started at boot, and network
+## connectivity is not guaranteed to be immediately available.
222
+## Use 0 to not test for connectivity at all (not recommended),
223
+## and -1 to wait as much as possible.
224
+
225
+netprobe_timeout = 60
226
+
227 228 229 230 231 232 233 234 235
+## Address and port to try initializing a connection to, just to check
+## if the network is up. It can be any address and any port, even if
+## there is nothing answering these on the other side. Just don't use
+## a local address, as the goal is to check for Internet connectivity.
+## On Windows, a datagram with a single, nul byte will be sent, only
+## when the system starts.
+## On other operating systems, the connection will be initialized
+## but nothing will be sent at all.
+
236
+netprobe_address = '9.9.9.9:53'
237
+
238 239 240 241 242 243 244 245
+
+## Offline mode - Do not use any remote encrypted servers.
+## The proxy will remain fully functional to respond to queries that
+## plugins can handle directly (forwarding, cloaking, ...)
+
+# offline_mode = false
+
+
246 247 248 249
+## Additional data to attach to outgoing queries.
+## These strings will be added as TXT records to queries.
+## Do not use, except on servers explicitly asking for extra data
+## to be present.
250 251
+## encrypted-dns-server can be configured to use this for access control
+## in the [access_control] section
252
+
253
+# query_meta = ["key1:value1", "key2:value2", "token:MySecretToken"]
254 255
+
+
256 257
+## Automatic log files rotation
+
258
+# Maximum log files size in MB - Set to 0 for unlimited.
259 260 261 262 263 264 265 266 267 268 269 270 271 272
+log_files_max_size = 10
+
+# How long to keep backup files, in days
+log_files_max_age = 7
+
+# Maximum log files backups to keep (or 0 to keep all backups)
+log_files_max_backups = 1
+
+
+
+#########################
+#        Filters        #
+#########################
+
273 274 275
+## Note: if you are using dnsmasq, disable the `dnssec` option in dnsmasq if you
+## configure dnscrypt-proxy to do any kind of filtering (including the filters
+## below and blacklists).
276
+## You can still choose resolvers that do DNSSEC validation.
277 278
+
+
279 280
+## Immediately respond to IPv6-related queries with an empty response
+## This makes things faster when there is no IPv6 connectivity, but can
281
+## also cause reliability issues with some stub resolvers.
282 283 284 285
+
+block_ipv6 = false
+
+
286 287 288 289 290
+## Immediately respond to A and AAAA queries for host names without a domain name
+
+block_unqualified = true
+
+
291 292 293 294 295 296
+## Immediately respond to queries for local zones instead of leaking them to
+## upstream resolvers (always causing errors or timeouts).
+
+block_undelegated = true
+
+
297 298 299 300 301 302
+## TTL for synthetic responses sent when a request has been blocked (due to
+## IPv6 or blacklists).
+
+reject_ttl = 600
+
+
303 304 305 306 307
+
+##################################################################################
+#        Route queries for specific domains to a dedicated set of servers        #
+##################################################################################
+
308
+## See `/usr/share/dnscrypt-proxy/example-forwarding-rules.txt` file for an example
309 310 311 312 313 314 315 316 317 318 319 320 321
+
+# forwarding_rules = '/etc/dnscrypt-proxy/forwarding-rules.txt'
+
+
+
+###############################
+#        Cloaking rules       #
+###############################
+
+## Cloaking returns a predefined address for a specific name.
+## In addition to acting as a HOSTS file, it can also return the IP address
+## of a different name. It will also do CNAME flattening.
+##
322
+## See `/usr/share/dnscrypt-proxy/example-cloaking-rules.txt` file for an example
323 324 325
+
+# cloaking_rules = '/etc/dnscrypt-proxy/cloaking-rules.txt'
+
326 327 328
+## TTL used when serving entries in cloaking-rules.txt
+
+# cloak_ttl = 600
329 330 331 332 333 334 335 336 337 338 339 340 341
+
+
+###########################
+#        DNS cache        #
+###########################
+
+## Enable a DNS cache to reduce latency and outgoing traffic
+
+cache = true
+
+
+## Cache size
+
342
+cache_size = 4096
343 344 345 346
+
+
+## Minimum TTL for cached entries
+
347
+cache_min_ttl = 2400
348 349 350 351 352 353 354
+
+
+## Maximum TTL for cached entries
+
+cache_max_ttl = 86400
+
+
355 356 357 358 359 360
+## Minimum TTL for negatively cached entries
+
+cache_neg_min_ttl = 60
+
+
+## Maximum TTL for negatively cached entries
361
+
362
+cache_neg_max_ttl = 600
363 364 365
+
+
+
366 367 368 369 370 371 372 373
+##################################
+#        Local DoH server        #
+##################################
+
+[local_doh]
+
+## dnscrypt-proxy can act as a local DoH server. By doing so, web browsers
+## requiring a direct connection to a DoH server in order to enable some
374
+## features will enable these, without bypassing your DNS proxy.
375 376 377 378 379 380 381 382 383 384 385 386 387 388 389
+
+## Addresses that the local DoH server should listen to
+
+# listen_addresses = ['127.0.0.1:3000']
+
+
+## Path of the DoH URL. This is not a file, but the part after the hostname
+## in the URL. By convention, `/dns-query` is frequently chosen.
+## For each `listen_address` the complete URL to access the server will be:
+## `https://<listen_address><path>` (ex: `https://127.0.0.1/dns-query`)
+
+# path = "/dns-query"
+
+
+## Certificate file and key - Note that the certificate has to be trusted.
390
+## See the documentation (wiki) for more information.
391 392 393 394 395 396
+
+# cert_file = "localhost.pem"
+# cert_key_file = "localhost.pem"
+
+
+
397 398 399 400 401 402 403 404
+###############################
+#        Query logging        #
+###############################
+
+## Log client queries to a file
+
+[query_log]
+
405
+  ## Path to the query log file (absolute, or relative to the same directory as the config file)
406
+  ## On non-Windows systems, can be /dev/stdout to log to the standard output (also set log_files_max_size to 0)
407
+
408
+  # file = '/var/log/dnscrypt-proxy/query.log'
409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431
+
+
+  ## Query log format (currently supported: tsv and ltsv)
+
+  format = 'tsv'
+
+
+  ## Do not log these query types, to reduce verbosity. Keep empty to log everything.
+
+  # ignored_qtypes = ['DNSKEY', 'NS']
+
+
+
+############################################
+#        Suspicious queries logging        #
+############################################
+
+## Log queries for nonexistent zones
+## These queries can reveal the presence of malware, broken/obsolete applications,
+## and devices signaling their presence to 3rd parties.
+
+[nx_log]
+
432
+  ## Path to the query log file (absolute, or relative to the same directory as the config file)
433
+
434
+  # file = '/var/log/dnscrypt-proxy/nx.log'
435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461
+
+
+  ## Query log format (currently supported: tsv and ltsv)
+
+  format = 'tsv'
+
+
+
+######################################################
+#        Pattern-based blocking (blacklists)        #
+######################################################
+
+## Blacklists are made of one pattern per line. Example of valid patterns:
+##
+##   example.com
+##   =example.com
+##   *sex*
+##   ads.*
+##   ads*.example.*
+##   ads*.example[0-9]*.com
+##
+## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
+## A script to build blacklists from public feeds can be found in the
+## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.
+
+[blacklist]
+
462
+  ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
463 464 465 466 467 468
+
+  # blacklist_file = '/etc/dnscrypt-proxy/blacklist.txt'
+
+
+  ## Optional path to a file logging blocked queries
+
469
+  # log_file = '/var/log/dnscrypt-proxy/blocked.log'
470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489
+
+
+  ## Optional log format: tsv or ltsv (default: tsv)
+
+  # log_format = 'tsv'
+
+
+
+###########################################################
+#        Pattern-based IP blocking (IP blacklists)        #
+###########################################################
+
+## IP blacklists are made of one pattern per line. Example of valid patterns:
+##
+##   127.*
+##   fe80:abcd:*
+##   192.168.1.4
+
+[ip_blacklist]
+
490
+  ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
491 492 493 494 495 496
+
+  # blacklist_file = '/etc/dnscrypt-proxy/ip-blacklist.txt'
+
+
+  ## Optional path to a file logging blocked queries
+
497
+  # log_file = '/var/log/dnscrypt-proxy/ip-blocked.log'
498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517
+
+
+  ## Optional log format: tsv or ltsv (default: tsv)
+
+  # log_format = 'tsv'
+
+
+
+######################################################
+#   Pattern-based whitelisting (blacklists bypass)   #
+######################################################
+
+## Whitelists support the same patterns as blacklists
+## If a name matches a whitelist entry, the corresponding session
+## will bypass names and IP filters.
+##
+## Time-based rules are also supported to make some websites only accessible at specific times of the day.
+
+[whitelist]
+
518
+  ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the config file)
519 520 521 522 523 524
+
+  # whitelist_file = '/etc/dnscrypt-proxy/whitelist.txt'
+
+
+  ## Optional path to a file logging whitelisted queries
+
525
+  # log_file = '/var/log/dnscrypt-proxy/whitelisted.log'
526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543
+
+
+  ## Optional log format: tsv or ltsv (default: tsv)
+
+  # log_format = 'tsv'
+
+
+
+##########################################
+#        Time access restrictions        #
+##########################################
+
+## One or more weekly schedules can be defined here.
+## Patterns in the name-based blocklist can optionally be followed with @schedule_name
+## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
+##
+## For example, the following rule in a blacklist file:
+## *.youtube.* @time-to-sleep
544
+## would block access to YouTube during the times defined by the 'time-to-sleep' schedule.
545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584
+##
+## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
+## {after= '9:00', before='18:00'} matches 9:00-18:00
+
+[schedules]
+
+  # [schedules.'time-to-sleep']
+  # mon = [{after='21:00', before='7:00'}]
+  # tue = [{after='21:00', before='7:00'}]
+  # wed = [{after='21:00', before='7:00'}]
+  # thu = [{after='21:00', before='7:00'}]
+  # fri = [{after='23:00', before='7:00'}]
+  # sat = [{after='23:00', before='7:00'}]
+  # sun = [{after='21:00', before='7:00'}]
+
+  # [schedules.'work']
+  # mon = [{after='9:00', before='18:00'}]
+  # tue = [{after='9:00', before='18:00'}]
+  # wed = [{after='9:00', before='18:00'}]
+  # thu = [{after='9:00', before='18:00'}]
+  # fri = [{after='9:00', before='17:00'}]
+
+
+
+#########################
+#        Servers        #
+#########################
+
+## Remote lists of available servers
+## Multiple sources can be used simultaneously, but every source
+## requires a dedicated cache file.
+##
+## Refer to the documentation for URLs of public sources.
+##
+## A prefix can be prepended to server names in order to
+## avoid collisions if different sources share the same for
+## different servers. In that case, names listed in `server_names`
+## must include the prefixes.
+##
+## If the `urls` property is missing, cache files and valid signatures
585
+## must already be present. This doesn't prevent these cache files from
586 587 588 589 590 591 592 593 594 595 596 597
+## expiring after `refresh_delay` hours.
+
+[sources]
+
+  ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
+
+  [sources.'public-resolvers']
+  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
+  cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
+  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+  prefix = ''
+
598 599 600
+  ## Anonymized DNS relays
+
+  [sources.'relays']
601
+  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/relays.md', 'https://download.dnscrypt.info/resolvers-list/v2/relays.md']
602
+  cache_file = '/var/cache/dnscrypt-proxy/relays.md'
603 604 605 606
+  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+  refresh_delay = 72
+  prefix = ''
+
607 608 609
+  ## Quad9 over DNSCrypt - https://quad9.net/
+
+  # [sources.quad9-resolvers]
610 611 612 613
+  # urls = ['https://www.quad9.net/quad9-resolvers.md']
+  # minisign_key = 'RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN'
+  # cache_file = '/var/cache/dnscrypt-proxy/quad9-resolvers.md'
+  # prefix = 'quad9-'
614
+
615 616 617 618 619 620 621 622 623
+  ## Another example source, with resolvers censoring some websites not appropriate for children
+  ## This is a subset of the `public-resolvers` list, so enabling both is useless
+
+  #  [sources.'parental-control']
+  #  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md']
+  #  cache_file = '/var/cache/dnscrypt-proxy/parental-control.md'
+  #  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+
+
624 625 626 627 628 629 630 631 632
+
+#########################################
+#        Servers with known bugs        #
+#########################################
+
+[broken_implementations]
+
+# Cisco servers currently cannot handle queries larger than 1472 bytes, and don't
+# truncate reponses larger than questions as expected by the DNSCrypt protocol.
633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651
+# This prevents large responses from being received over UDP and over relays.
+#
+# The `dnsdist` server software drops client queries larger than 1500 bytes.
+# They are aware of it and are working on a fix.
+#
+# The list below enables workarounds to make non-relayed usage more reliable
+# until the servers are fixed.
+
+fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'quad9-dnscrypt-ip4-filter-alt', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-nofilter-alt', 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-filter-alt', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-dnscrypt-ip6-nofilter-alt', 'quad9-dnscrypt-ip6-nofilter-pri', 'cleanbrowsing-adult', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-security']
+
+
+
+
+################################
+#   TLS Client Authentication  #
+################################
+
+# This is only useful if you are operating your own, private DoH server(s).
+# (for DNSCrypt, see the `query_meta` feature instead)
652
+
653
+[tls_client_auth]
654
+
655 656 657
+# creds = [
+#    { server_name='myserver', client_cert='client.crt', client_key='client.key' }
+# ]
658 659 660
+
+
+
661 662 663 664 665 666 667 668 669 670 671 672 673 674
+################################
+#        Anonymized DNS        #
+################################
+
+[anonymized_dns]
+
+## Routes are indirect ways to reach DNSCrypt servers.
+##
+## A route maps a server name ("server_name") to one or more relays that will be
+## used to connect to that server.
+##
+## A relay can be specified as a DNS Stamp (either a relay stamp, or a
+## DNSCrypt stamp), an IP:port, a hostname:port, or a server name.
+##
675
+## The following example routes "example-server-1" via `anon-example-1` or `anon-example-2`,
676 677 678 679 680
+## and "example-server-2" via the relay whose relay DNS stamp
+## is "sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM".
+##
+## !!! THESE ARE JUST EXAMPLES !!!
+##
681
+## Review the list of available relays from the "relays.md" file, and, for each
682 683
+## server you want to use, define the relays you want connections to go through.
+##
684
+## Carefully choose relays and servers so that they are run by different entities.
685 686
+##
+## "server_name" can also be set to "*" to define a default route, but this is not
687
+## recommended. If you do so, keep "server_names" short and distinct from relays.
688 689 690 691 692 693
+
+# routes = [
+#    { server_name='example-server-1', via=['anon-example-1', 'anon-example-2'] },
+#    { server_name='example-server-2', via=['sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM'] }
+# ]
+
694
+
695 696 697 698 699 700 701
+# skip resolvers incompatible with anonymization instead of using them directly
+
+skip_incompatible = false
+
+
+
+
702 703 704 705 706
+## Optional, local, static list of additional servers
+## Mostly useful for testing your own servers.
+
+[static]
+
707 708
+  # [static.'myserver']
+  # stamp = 'sdns:AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'