docker-doh/doh-server.sample.conf at master · satishweb/docker-doh · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
# HTTP listen port
#listen = [
#
#    "127.0.0.1:8053",
#    "[::1]:8053",
#
#    ## To listen on both 0.0.0.0:8053 and [::]:8053, use the following line
#    # ":8053",
#]
listen = [ "${DOH_SERVER_LISTEN}" ]

# Local address and port for upstream DNS
# If left empty, a local address is automatically chosen.
local_addr = ""

# TLS certification file
# If left empty, plain-text HTTP will be used.
# You are recommended to leave empty and to use a server load balancer (e.g.
# Caddy, Nginx) and set up TLS there, because this program does not do OCSP
# Stapling, which is necessary for client bootstrapping in a network
# environment with completely no traditional DNS service.
cert = ""

# TLS private key file
key = ""

# HTTP path for resolve application
path = "${DOH_HTTP_PREFIX}"

# Upstream DNS resolver
# If multiple servers are specified, a random one will be chosen each time.
# You can use "udp", "tcp" or "tcp-tls" for the type prefix.
# For "udp", UDP will first be used, and switch to TCP when the server asks to
# or the response is too large.
# For "tcp", only TCP will be used.
# For "tcp-tls", DNS-over-TLS (RFC 7858) will be used to secure the upstream connection.
# upstream = [
#     "udp:1.1.1.1:53",
#     "udp:1.0.0.1:53",
#     "udp:8.8.8.8:53",
#     "udp:8.8.4.4:53",
# ]
upstream = ${upstream_servers}

# Upstream timeout
# timeout = 10
timeout = ${DOH_SERVER_TIMEOUT}

# Number of tries if upstream DNS fails
# tries = 3
tries = ${DOH_SERVER_TRIES}

# Enable logging
# verbose = false
verbose = ${DOH_SERVER_VERBOSE}

# Enable log IP from HTTPS-reverse proxy header: X-Forwarded-For or X-Real-IP
# Note: http uri/useragent log cannot be controlled by this config
log_guessed_client_ip = false

# By default, non global IP addresses are never forwarded to upstream servers.
# This is to prevent two things from happening:
#   1. the upstream server knowing your private LAN addresses;
#   2. the upstream server unable to provide geographically near results,
#      or even fail to provide any result.
# However, if you are deploying a split tunnel corporation network environment,
# or for any other reason you want to inhibit this behavior, change the following
# option to "true".
ecs_allow_non_global_ip = false

# If ECS is added to the request, let the full IP address or
# cap it to 24 or 128 mask. This option is to be used only on private
# networks where knwoledge of the terminal endpoint may be required for
# security purposes (eg. DNS Firewalling). Not a good option on the
# internet where IP address may be used to identify the user and
# not only the approximate location.
ecs_use_precise_ip = false