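---
# labyrinth.yaml — Example configuration
# All values shown are defaults. Uncomment and modify as needed.
#
# NOTE(review): this copy was recovered without indentation. The nesting of
# `web.auth` and `cluster.sync.peers` is reconstructed from key order; confirm
# it against the loader's schema before relying on it.

server:
  # "0.0.0.0" binds every interface; see access_control for source filtering
  listen_addr: "0.0.0.0:53"
  metrics_addr: "127.0.0.1:9153"
  max_udp_size: 4096
  tcp_timeout: 10s
  max_tcp_connections: 256
  graceful_shutdown: 5s

resolver:
  max_depth: 30
  max_cname_depth: 10
  upstream_timeout: 2s
  upstream_retries: 3
  qname_minimization: true
  prefer_ipv4: true
  dnssec_enabled: true

cache:
  max_entries: 100000
  min_ttl: 5
  max_ttl: 86400
  negative_max_ttl: 3600
  sweep_interval: 60s
  serve_stale: false
  serve_stale_ttl: 30
  # Comma-separated list of client IPs/CIDRs that bypass the cache (always resolve fresh)
  # no_cache_clients: 192.168.1.100, 10.0.0.0/24

security:
  rate_limit:
    enabled: false
    rate: 5000
    burst: 10000
  rrl:
    enabled: true
    responses_per_second: 5
    slip_ratio: 2
    ipv4_prefix: 24
    ipv6_prefix: 56

logging:
  level: info
  format: json

web:
  enabled: true
  # Same address as server.metrics_addr — presumably one listener serves both; verify
  addr: "127.0.0.1:9153"
  # DNS-over-HTTPS over HTTP/2 (and HTTP/1.1 for compatibility)
  doh_enabled: false
  # DNS-over-HTTPS over HTTP/3 (QUIC). Requires web.tls_enabled + cert/key.
  doh3_enabled: false
  # Serve dashboard/API over HTTPS directly
  tls_enabled: false
  # tls_cert_file: "/etc/labyrinth/certs/web.crt"
  # tls_key_file: "/etc/labyrinth/certs/web.key"
  query_log_buffer: 1000
  # Maximum number of entries for top clients/domains leaderboards
  top_clients_limit: 2000
  top_domains_limit: 2000
  alert_error_threshold_pct: 5
  alert_latency_threshold_ms: 250
  # Automatic update check — queries GitHub Releases periodically
  auto_update: true
  update_check_interval: 24h
  auth:
    username: "admin"
    # bcrypt ($2a$10$) hash of the example's default password. Generate a hash
    # for your own password and replace this value before the dashboard is
    # reachable from anything but the loopback address above.
    password_hash: "$2a$10$nS.tf.v7HRdqyChSmP9nBeJKXESl/J2bn8OnCEHCe5UYugbygOCjO"

blocklist:
  enabled: true
  # Pipe-separated URL|format pairs
  # lists: "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts|hosts"
  refresh_interval: 24h
  blocking_mode: nxdomain  # nxdomain, null_ip, custom_ip
  # custom_ip: "0.0.0.0"
  # whitelist: example.com, another.com

cluster:
  enabled: false
  role: standalone  # standalone, master, secondary
  node_id: dns-1
  # Comma-separated top-level keys/paths considered common
  # shared_fields: access_control, blocklist, security.rate_limit
  actions:
    fanout_cache_flush: false
    fanout_blocklist_refresh: false
  sync:
    # Quoted: a plain `off` is parsed as boolean false by YAML 1.1 loaders,
    # which would reject or silently retype this string field.
    mode: "off"  # off, manual_push, auto_push
    push_on_save: false
    pull_interval: 30s
    # peers:
    #   dns-2:
    #     enabled: true
    #     api_base: "http://10.0.0.2:9153"
    #     api_token: "CHANGE_ME"
    #     sync_fields: access_control, blocklist

access_control:
  allow: 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
  # Explicit empty string: a bare `deny:` loads as null rather than an empty list
  deny: ""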