Failures showing on "DNSCrypt Proxy Monitoring Dashboard"

[ArthurLee9]

I'm seeing failures daily on the DNSCrypt Proxy Monitoring Dashboard

I'm attaching my .toml for review - can anyone help me decipher if there is something I have setup wrong or are these failures just normal. I am not using IPV6 - so I have that disabled.

I am trying to encrypt my DNS and using Quad 9 and a secondary provider (doesnt have to be nextdns).

root@myservername:/etc/dnscrypt-proxy# cat *.toml
##############################################

dnscrypt-proxy configuration

##############################################

This is an example configuration file.

You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"

Online documentation is available here: https://dnscrypt.info/doc

###############################################################################

Global settings

###############################################################################

List of servers to use

Servers from the "public-resolvers" source (see down below) can

be viewed here: https://dnscrypt.info/public-servers

The proxy will automatically pick working servers from this list.

Note that the require_* filters do NOT apply when using this setting.

By default, this list is empty and all registered servers matching the

require_* filters will be used instead.

Remove the leading # first to enable this; lines starting with # are ignored.

server_names = ['quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip4-nofilter-ecs-pri', 'nextdns']

List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.

Example with both IPv4 and IPv6:

listen_addresses = ['127.0.0.1:53', '[::1]:53']

To listen to all IPv4 addresses, use listen_addresses = ['0.0.0.0:53']

To listen to all IPv4+IPv6 addresses, use listen_addresses = ['[::]:53']

listen_addresses = ['127.0.0.1:53', '10.25.1.250:53']

Maximum number of simultaneous client connections to accept

max_clients = 250

Switch to a different system user after listening sockets have been created.

Note (1): this feature is currently unsupported on Windows.

Note (2): this feature is not compatible with systemd socket activation.

Note (3): when using -pidfile, the PID file directory must be writable by the new user

user_name = 'nobody'

###############################################################################

Server Selection

###############################################################################

Require servers (from remote sources) to satisfy specific properties

Use servers reachable over IPv4

ipv4_servers = true

Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity

ipv6_servers = false

Use servers implementing the DNSCrypt protocol

dnscrypt_servers = true

Use servers implementing the DNS-over-HTTPS protocol

doh_servers = true

Use servers implementing the Oblivious DoH protocol

odoh_servers = false

Require servers defined by remote sources to satisfy specific properties

Server must support DNS security extensions (DNSSEC)

#changed 1-21-2026
require_dnssec = false

Server must not log user queries (declarative)

require_nolog = true

Server must not enforce its own blocklist (for parental control, ads blocking...)

require_nofilter = true

Server names to avoid even if they match all criteria

disabled_server_names = []

###############################################################################

Connection Settings

###############################################################################

Always use TCP to connect to upstream servers.

This can be useful if you need to route everything through Tor.

Otherwise, leave this to false, as it doesn't improve security

(dnscrypt-proxy will always encrypt everything even using UDP), and can

only increase latency.

#changed to true 1-21-2026
force_tcp = false

Enable experimental support for HTTP/3 (HTTP over QUIC)

Note that, like DNSCrypt but unlike other HTTP versions, this uses

UDP and (usually) port 443 instead of TCP.

http3 = false

When http3 is true, always try HTTP/3 first for DoH servers.

If the HTTP/3 connection fails, fallback to HTTP/2 and don't try

HTTP/3 again for that server. By default, HTTP/3 is only used for

servers that advertise support via the Alt-Svc header.

WARNING: This setting is disabled by default because it will make

connections significantly slower for servers that don't support HTTP/3.

This is primarily a workaround for server operators who haven't

configured their servers to send proper Alt-Svc headers. The better

solution is to reach out to these operators and encourage them to

fix their servers to correctly advertise HTTP/3 support.

http3_probe = false

SOCKS proxy

Uncomment the following line to route all TCP connections to a local Tor node

Tor doesn't support UDP, so set force_tcp to true as well. When passing

a random username and password to Tor's socks5 connection, dnscrypt-proxy gets

an isolated circuit so it will not share an exit node with other applications.

Note: the random username and password used by dnscrypt-proxy should not

actually be defined in Tor's configuration.

proxy = 'socks5://dnscrypt:dnscrypt@127.0.0.1:9050'

HTTP/HTTPS proxy

Only for DoH servers

http_proxy = 'http://127.0.0.1:8888'

How long a DNS query will wait for a response, in milliseconds.

If you have a network with a lot of latency, you may need to

increase this. Startup may be slower if you do so.

Don't increase it too much. 10000 is the highest reasonable value.

A timeout below 5000 is not recommended.

5000 milliseconds is 5 seconds

timeout = 1500

Keepalive for HTTP (HTTPS, HTTP/2, HTTP/3) queries, in seconds

keepalive = 30

Add EDNS-client-subnet information to outgoing queries

Multiple networks can be listed; they will be randomly chosen.

These networks don't have to match your actual networks.

edns_client_subnet = ['0.0.0.0/0', '2001:db8::/32']

Response for blocked queries. Options are refused, hinfo (default) or

an IP response. To give an IP response, use the format a:<IPv4>,aaaa:<IPv6>.

Using the hinfo option means that some responses will be lies.

Unfortunately, the hinfo option appears to be required for Android 8+

blocked_query_response = 'refused'

###############################################################################

Load Balancing & Performance

###############################################################################

Load-balancing strategy: 'wp2' (default), 'p2', 'ph', 'p', 'first', or 'random'

'wp2' (default): Weighted Power of Two - selects the better performing server

from two random candidates based on real-time RTT and success rates.

'p2': Randomly choose 1 of the fastest 2 servers by latency.

'ph': Randomly choose from fastest half of servers.

'p': Randomly choose from fastest n servers (e.g., 'p3' for fastest 3).

'first': Always use the fastest server.

'random': Randomly choose from all servers.

The response quality still depends on the server itself.

changed from wp2 to first on 4-10-26

lb_strategy = 'first'

Set to true to constantly try to estimate the latency of all the resolvers

and adjust the load-balancing parameters accordingly, or to false to disable.

Default is true that makes 'p2' lb_strategy work well.

lb_estimator = true

Set to true to enable hot reloading of configuration files (like allowed-names.txt,

blocked-names.txt, etc.) when they are modified. This can increase CPU and memory usage.

Default is false (hot reloading is disabled).

enable_hot_reload = false

###############################################################################

Logging

###############################################################################

Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)

log_level = 2

Log file for the application, as an alternative to sending logs to

the standard system logging service (syslog/Windows event log).

This file is different from other log files, and will not be

automatically rotated by the application.

log_file = '/var/log/dnscrypt-proxy/error.log'

When using a log file, only keep logs from the most recent launch.

log_file_latest = true

Use the system logger (syslog on Unix, Event Log on Windows)

use_syslog = true

Automatic log files rotation

Maximum log files size in MB - Set to 0 for unlimited.

log_files_max_size = 5

How long to keep backup files, in days

log_files_max_age = 7

Maximum log files backups to keep (or 0 to keep all backups)

log_files_max_backups = 1

###############################################################################

Certificate Management

###############################################################################

The maximum concurrency to reload certificates from the resolvers.

Default is 10.

cert_refresh_concurrency = 10

Delay, in minutes, after which certificates are reloaded changed from 240 to 720 4-10-26

cert_refresh_delay = 720

Initially don't check DNSCrypt server certificates for expiration, and

only start checking them after a first successful connection to a resolver.

This can be useful on routers with no battery-backed clock.

cert_ignore_timestamp = false

DNSCrypt: Create a new, unique key for every single DNS query

This may improve privacy but can also have a significant impact on CPU usage

Only enable if you don't have a lot of network load

dnscrypt_ephemeral_keys = false

DoH: Disable TLS session tickets - increases privacy but also latency

#tls_disable_session_tickets = false

DoH: Use TLS 1.2 and specific cipher suite instead of the server preference

49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305

On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),

uncommenting the following line may improve performance.

This may also help on Intel CPUs running 32-bit operating systems.

However, this can cause issues fetching sources or connecting to some HTTP servers,

and should not be set on regular CPUs.

Keep tls_cipher_suite undefined to let the app automatically choose secure parameters.

Log TLS key material to a file, for debugging purposes only.

This file will contain the TLS master key, which can be used to decrypt

all TLS traffic to/from DoH servers.

Never ever enable except for debugging purposes with a tool such as mitmproxy.

#commented out by Chad 09-03-2025
#tls_key_log_file = '/etc/dnscrypt-proxy/keylog.txt'

###############################################################################

Startup & Network

###############################################################################

Bootstrap resolvers

These are normal, non-encrypted DNS resolvers, that will be only used

for one-shot queries when retrieving the initial resolvers list and if

the system DNS configuration doesn't work.

No user queries will ever be leaked through these resolvers, and they will

not be used after IP addresses of DoH resolvers have been found (if you are

using DoH).

They will never be used if lists have already been cached, and if the stamps

of the configured servers already include IP addresses (which is the case for

most of DoH servers, and for all DNSCrypt servers and relays).

They will not be used if the configured system DNS works, or after the

proxy already has at least one usable secure resolver.

Resolvers supporting DNSSEC are recommended, and, if you are using

DoH, bootstrap resolvers should ideally be operated by a different entity

than the DoH servers you will be using, especially if you have IPv6 enabled.

People in China may want to use 114.114.114.114:53 here.

Other popular options include 8.8.8.8, 9.9.9.9 and 1.1.1.1.

If more than one resolver is specified, they will be tried in sequence.

TL;DR: put valid standard resolver addresses here. Your actual queries will

not be sent there. If you're using DNSCrypt or Anonymized DNS and your

lists are up to date, these resolvers will not even be used.

bootstrap_resolvers = [
'64.6.64.6:53',
'64.6.65.6:53',
'9.9.9.9:53',
'149.112.112.112:53'
]

When internal DNS resolution is required, for example to retrieve

the resolvers list:

- queries will be sent to dnscrypt-proxy itself, if it is already

running with active servers (*)

- or else, queries will be sent to fallback servers

- finally, if ignore_system_dns is false, queries will be sent

to the system DNS

(*) this is incompatible with systemd sockets.

listen_addrs must not be empty.

ignore_system_dns = true

Maximum time (in seconds) to wait for network connectivity before

initializing the proxy.

Useful if the proxy is automatically started at boot, and network

connectivity is not guaranteed to be immediately available.

Use 0 to not test for connectivity at all (not recommended),

and -1 to wait as much as possible.

netprobe_timeout = 45

Address and port to try initializing a connection to, just to check

if the network is up. It can be any address and any port, even if

there is nothing answering these on the other side. Just don't use

a local address, as the goal is to check for Internet connectivity.

On Windows, a datagram with a single, nul byte will be sent, only

when the system starts.

On other operating systems, the connection will be initialized

but nothing will be sent at all.

netprobe_address = '208.67.220.220:53'

Offline mode - Do not use any remote encrypted servers.

The proxy will remain fully functional to respond to queries that

plugins can handle directly (forwarding, cloaking, ...)

offline_mode = false

Additional data to attach to outgoing queries.

These strings will be added as TXT records to queries.

Do not use, except on servers explicitly asking for extra data

to be present.

encrypted-dns-server can be configured to use this for access control

in the [access_control] section

query_meta = ['key1:value1', 'key2:value2', 'token:MySecretToken']

###############################################################################

Filters

###############################################################################

Note: if you are using dnsmasq, disable the dnssec option in dnsmasq if you

configure dnscrypt-proxy to do any kind of filtering (including the filters

below and blocklists).

You can still choose resolvers that do DNSSEC validation.

Immediately respond to IPv6-related queries with an empty response

This makes things faster when there is no IPv6 connectivity, but can

also cause reliability issues with some stub resolvers.

block_ipv6 = false

Immediately respond to A and AAAA queries for host names without a domain name

This also prevents "dotless domain names" from being resolved upstream.

block_unqualified = true

Immediately respond to queries for local zones instead of leaking them to

upstream resolvers (always causing errors or timeouts).

block_undelegated = true

TTL for synthetic responses sent when a request has been blocked (due to

IPv6 or blocklists).

reject_ttl = 10

###############################################################################

Forwarding

###############################################################################

Route queries for specific domains to a dedicated set of servers

See the example-forwarding-rules.txt file for an example

forwarding_rules = 'forwarding-rules.txt'

###############################################################################

Cloaking

###############################################################################

Cloaking returns a predefined address for a specific name.

In addition to acting as a HOSTS file, it can also return the IP address

of a different name. It will also do CNAME flattening.

If 'cloak_ptr' is set, then PTR (reverse lookups) are enabled

for cloaking rules that do not contain wild cards.

See the example-cloaking-rules.txt file for an example

cloaking_rules = '/etc/dnscrypt-proxy/cloaking-rules.txt'

TTL used when serving entries in cloaking-rules.txt

cloak_ttl = 600

cloak_ptr = false

###############################################################################

DNS Cache

###############################################################################

Enable a DNS cache to reduce latency and outgoing traffic

cache = true

Cache size changed fro 4096 to 32768 on 4-10-26

cache_size = 32768

Minimum TTL for cached entries changed from 1800 to 3600 4-10-26

cache_min_ttl = 3600

Maximum TTL for cached entries

cache_max_ttl = 86400

Minimum TTL for negatively cached entries

cache_neg_min_ttl = 60

Maximum TTL for negatively cached entries

cache_neg_max_ttl = 600

###############################################################################

Captive portal handling

###############################################################################

[captive_portals]

A file that contains a set of names used by operating systems to

check for connectivity and captive portals, along with hard-coded

IP addresses to return.

map_file = 'example-captive-portals.txt'

###############################################################################

Local DoH server

###############################################################################

[local_doh]

dnscrypt-proxy can act as a local DoH server. By doing so, web browsers

requiring a direct connection to a DoH server in order to enable some

features will enable these, without bypassing your DNS proxy.

Addresses that the local DoH server should listen to

listen_addresses = ['127.0.0.1:3000']

Path of the DoH URL. This is not a file, but the part after the hostname

in the URL. By convention, /dns-query is frequently chosen.

For each listen_address the complete URL to access the server will be:

https://<listen_address><path> (ex: https://127.0.0.1/dns-query)

path = '/dns-query'

Certificate file and key - Note that the certificate has to be trusted.

Can be generated using the following command:

openssl req -x509 -nodes -newkey rsa:2048 -days 5000 -sha256 -keyout localhost.pem -out localhost.pem

See the documentation (wiki) for more information.

cert_file = 'localhost.pem'

cert_key_file = 'localhost.pem'

###############################################################################

Query logging

###############################################################################

[query_log]

Path to the query log file (absolute, or relative to the same directory as the config file)

Can be set to /dev/stdout in order to log to the standard output.

file = '/var/log/dnscrypt-proxy/query.log'

Query log format (currently supported: tsv and ltsv)

format = 'tsv'

Do not log these query types, to reduce verbosity. Keep empty to log everything.

ignored_qtypes = ['DNSKEY', 'NS']

###############################################################################

Suspicious queries logging

###############################################################################

[nx_log]

Log queries for nonexistent zones

These queries can reveal the presence of malware, broken/obsolete applications,

and devices signaling their presence to 3rd parties.

Path to the query log file (absolute, or relative to the same directory as the config file)

file = '/var/log/dnscrypt-proxy/nxdomain.log'

Query log format (currently supported: tsv and ltsv)

format = 'tsv'

###############################################################################

Pattern-based blocking (blocklists)

###############################################################################

Blocklists are made of one pattern per line. Example of valid patterns:

example.com

=example.com

sex

ads.*

ads*.example.* ## ads*.example[0-9]*.com

Example blocklist files can be found at https://download.dnscrypt.info/blocklists/

A script to build blocklists from public feeds can be found in the

utils/generate-domains-blocklists directory of the dnscrypt-proxy source code.

[blocked_names]

Path to the file of blocking rules (absolute, or relative to the same directory as the config file)

blocked_names_file = '/etc/dnscrypt-proxy/blocklist.txt'

Optional path to a file logging blocked queries

log_file = '/var/log/dnscrypt-proxy/blocklist.log'

Optional log format: tsv or ltsv (default: tsv)

log_format = 'tsv'

###############################################################################

Pattern-based IP blocking (IP blocklists)

###############################################################################

IP blocklists are made of one pattern per line. Example of valid patterns:

127.*

fe80:abcd:*

192.168.1.4

[blocked_ips]

Path to the file of blocking rules (absolute, or relative to the same directory as the config file)

blocked_ips_file = 'blocked-ips.txt'

Optional path to a file logging blocked queries

log_file = 'blocked-ips.log'

Optional log format: tsv or ltsv (default: tsv)

log_format = 'tsv'

###############################################################################

Pattern-based allow lists (blocklists bypass)

###############################################################################

Allowlists support the same patterns as blocklists

If a name matches an allowlist entry, the corresponding session

will bypass names and IP filters.

Time-based rules are also supported to make some websites only accessible at specific times of the day.

[allowed_names]

allowed_names_file = '/etc/dnscrypt-proxy/allowlist.txt'

Optional path to a file logging allowed queries

log_file = '/var/log/dnscrypt-proxy/allowlist.log'

Optional log format: tsv or ltsv (default: tsv)

log_format = 'tsv'

###############################################################################

Pattern-based allowed IPs lists (blocklists bypass)

###############################################################################

Allowed IP lists support the same patterns as IP blocklists

If an IP response matches an allowed entry, the corresponding session

will bypass IP filters.

Time-based rules are also supported to make some websites only accessible at specific times of the day.

[allowed_ips]

Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file)

allowed_ips_file = 'allowed-ips.txt'

Optional path to a file logging allowed queries

log_file = 'allowed-ips.log'

Optional log format: tsv or ltsv (default: tsv)

log_format = 'tsv'

###############################################################################

Time access restrictions

###############################################################################

One or more weekly schedules can be defined here.

Patterns in the name-based blocked_names file can optionally be followed with @schedule_name

to apply the pattern 'schedule_name' only when it matches a time range of that schedule.

For example, the following rule in a blocklist file:

.youtube. @Time-To-Sleep

would block access to YouTube during the times defined by the 'time-to-sleep' schedule.

{after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00

{after= '9:00', before='18:00'} matches 9:00-18:00

[schedules]

[schedules.time-to-sleep]

mon = [{after='21:00', before='7:00'}]

tue = [{after='21:00', before='7:00'}]

wed = [{after='21:00', before='7:00'}]

thu = [{after='21:00', before='7:00'}]

fri = [{after='23:00', before='7:00'}]

sat = [{after='23:00', before='7:00'}]

sun = [{after='21:00', before='7:00'}]

[schedules.work]

mon = [{after='9:00', before='18:00'}]

tue = [{after='9:00', before='18:00'}]

wed = [{after='9:00', before='18:00'}]

thu = [{after='9:00', before='18:00'}]

fri = [{after='9:00', before='17:00'}]

###############################################################################

Servers

###############################################################################

Remote lists of available servers

Multiple sources can be used simultaneously, but every source

requires a dedicated cache file.

Refer to the documentation for URLs of public sources.

A prefix can be prepended to server names in order to

avoid collisions if different sources share the same for

different servers. In that case, names listed in server_names

must include the prefixes.

If the urls property is missing, cache files and valid signatures

must already be present. This doesn't prevent these cache files from

expiring after refresh_delay hours.

refreshed_delay must be in the [24..168] interval.

The minimum delay of 24 hours (1 day) avoids unnecessary requests to servers.

The maximum delay of 168 hours (1 week) ensures cache freshness.

[sources]

An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers

COMMENTED OUT 7-3-2025

#[sources.public-resolvers]

urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/refs/heads/master/v3/public-resolvers.md']

cache_file = 'public-resolvers.md'

minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'

refresh_delay = 72

prefix = ''

[sources.public-resolvers]
urls = [
'https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md',
'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md',
]
cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 24
prefix = ''

#using on 01-04-2026 - working great - but changing above to Github recommendations.

[sources.'public-resolvers']

urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/refs/heads/master/v3/public-resolvers.md']

minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'

cache_file = 'public-resolvers.md'

Anonymized DNS relays

#[sources.relays]
#urls = [

'https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md',

'https://download.dnscrypt.info/resolvers-list/v3/relays.md',

#]
#cache_file = 'relays.md'
#minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
#refresh_delay = 73
#prefix = ''

ODoH (Oblivious DoH) servers and relays

[sources.odoh-servers]

urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md']

cache_file = 'odoh-servers.md'

minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'

refresh_delay = 73

prefix = ''

[sources.odoh-relays]

urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md']

cache_file = 'odoh-relays.md'

minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'

refresh_delay = 73

prefix = ''

Quad9

#[sources.quad9-resolvers]

urls = ['https://quad9.net/dnscrypt/quad9-resolvers.md']

minisign_key = 'RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN'

cache_file = 'quad9-resolvers.md'

prefix = 'quad9-'

Another example source, with resolvers censoring some websites not appropriate for children

This is a subset of the public-resolvers list, so enabling both is useless.

[sources.parental-control]

urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md']

cache_file = 'parental-control.md'

minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'

dnscry.pt servers - See https://www.dnscry.pt

[sources.dnscry-pt-resolvers]

urls = ["https://www.dnscry.pt/resolvers.md"]

minisign_key = "RWQM31Nwkqh01x88SvrBL8djp1NH56Rb4mKLHz16K7qsXgEomnDv6ziQ"

cache_file = "dnscry.pt-resolvers.md"

refresh_delay = 73

prefix = "dnscry.pt-"

###############################################################################

Servers with known bugs

###############################################################################

[broken_implementations]

Cisco servers currently cannot handle queries larger than 1472 bytes, and don't

truncate responses larger than questions as expected by the DNSCrypt protocol.

This prevents large responses from being received over UDP and over relays.

Older versions of the dnsdist server software had a bug with queries larger

than 1500 bytes. This is fixed since dnsdist version 1.5.0, but

some server may still run an outdated version.

The list below enables workarounds to make non-relayed usage more reliable

until the servers are fixed.

#fragments_blocked = [

'cisco',

'cisco-sandbox',

'cleanbrowsing-adult',

'cleanbrowsing-family',

'cleanbrowsing-security',

#]

###############################################################################

Certificate-based client authentication for DoH

###############################################################################

[doh_client_x509_auth]

Use a X509 certificate to authenticate yourself when connecting to DoH servers.

This is only useful if you are operating your own, private DoH server(s).

'creds' maps servers to certificates, and supports multiple entries.

If you are not using the standard root CA, an optional "root_ca"

property set to the path to a root CRT file can be added to a server entry.

creds = [

{ server_name='*', client_cert='client.crt', client_key='client.key' }

]

###############################################################################

Anonymized DNS

###############################################################################

[anonymized_dns]

Routes are indirect ways to reach DNSCrypt servers.

A route maps a server name ("server_name") to one or more relays that will be

used to connect to that server.

A relay can be specified as a DNS Stamp (either a relay stamp, or a

DNSCrypt stamp) or a server name.

The following example routes "example-server-1" via anon-example-1 or anon-example-2,

and "example-server-2" via the relay whose relay DNS stamp is

"sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM".

!!! THESE ARE JUST EXAMPLES !!!

Review the list of available relays from the "relays.md" file, and, for each

server you want to use, define the relays you want connections to go through.

Carefully choose relays and servers so that they are run by different entities.

"server_name" can also be set to "*" to define a default route, for all servers:

{ server_name='*', via=['anon-example-1', 'anon-example-2'] }

If a route is ["*"], the proxy automatically picks a relay on a distinct network.

{ server_name='', via=[''] } is also an option, but is likely to be suboptimal.

Manual selection is always recommended over automatic selection, so that you can

select (relay,server) pairs that work well and fit your own criteria (close by or

in different countries, operated by different entities, on distinct ISPs...)

routes = [

{ server_name='example-server-1', via=['anon-example-1', 'anon-example-2'] },

{ server_name='example-server-2', via=['sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM'] }

]

Skip resolvers incompatible with anonymization instead of using them directly

skip_incompatible = false

If public server certificates for a non-conformant server cannot be

retrieved via a relay, try getting them directly. Actual queries

will then always go through relays.

direct_cert_fallback = false

###############################################################################

DNS64

###############################################################################

[dns64]

DNS64 is a mechanism for synthesizing AAAA records from A records.

It is used with an IPv6/IPv4 translator to enable client-server

communication between an IPv6-only client and an IPv4-only server,

without requiring any changes to either the IPv6 or the IPv4 node,

for the class of applications that work through NATs.

There are two options to synthesize such records:

Option 1: Using a set of static IPv6 prefixes;

Option 2: By discovering the IPv6 prefix from DNS64-enabled resolver.

If both options are configured - only static prefixes are used.

(Ref. RFC6147, RFC6052, RFC7050)

Do not enable unless you know what DNS64 is and why you need it, or else

you won't be able to connect to anything at all.

Static prefix(es) as Pref64::/n CIDRs

prefix = ['64:ff9b::/96']

DNS64-enabled resolver(s) to discover Pref64::/n CIDRs

These resolvers are used to query for Well-Known IPv4-only Name (WKN) "ipv4only.arpa." to discover only.

Set with your ISP's resolvers in case of custom prefixes (other than Well-Known Prefix 64:ff9b::/96).

IMPORTANT: Default resolvers listed below support Well-Known Prefix 64:ff9b::/96 only.

resolver = ['[2606:4700:4700::64]:53', '[2001:4860:4860::64]:53']

###############################################################################

Monitoring UI

###############################################################################

[monitoring_ui]

Enable the monitoring UI

enabled = true

Listen address for the monitoring UI

listen_address = "0.0.0.0:8888"

Optional username and password for basic authentication

To disable authentication, set username to an empty string: username = ""

If both username and password are empty, no authentication is required

username = ""
password = ""

Optional TLS certificate and key for HTTPS

If both are empty, HTTP will be used

tls_certificate = ""
tls_key = ""

Enable query logging in the monitoring UI

This will show recent queries in the UI

enable_query_log = true

Privacy level for the monitoring UI

0: show all details including client IPs

1: anonymize client IPs (default)

2: aggregate data only (no individual queries or domains shown)

privacy_level = 0

Maximum number of recent query log entries to keep in memory

Helps control memory usage on high-traffic servers

Default: 100

max_query_log_entries = 100

Maximum memory usage in MB for recent query logs

Automatic cleanup when limit is exceeded

Default: 1

max_memory_mb = 1

Enable Prometheus metrics endpoint

Default: false

prometheus_enabled = false

Path for Prometheus metrics endpoint

Default: /metrics

prometheus_path = "/metrics"

###############################################################################

Static entries

###############################################################################

[static]

Optional, local, static list of additional servers

Mostly useful for testing your own servers.

[static.myserver]

stamp = 'sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'

#[static.cisco]

stamp = 'sdns://AQEAAAAAAAAADjIwOC42Ny4yMjAuMjIwILc1EUAgbyJdPivYItf9aR6hwzzI1maNDL4Ev6vKQ_t5GzIuZG5zY3J5cHQtY2VydC5vcGVuZG5zLmNvbQ'

#[static.cisco-doh]

stamp = 'sdns://AgAAAAAAAAAADDE0Ni4xMTIuNDEuMiBoU4_HgY6B0kIqkGBjb6UoKkP2Dc4bumDC1_Orq2YAlw9kb2gub3BlbmRucy5jb20KL2Rucy1xdWVyeQ'

[static."Cisco Umbrella-Opendns"]
stamp = "sdns://AgcAAAAAAAAAAAAPZG9oLm9wZW5kbnMuY29tCi9kbnMtcXVlcnk"

[static."Control-D-Pri"]
stamp = "sdns://AgcAAAAAAAAACjc2Ljc2LjIuMTEAFGZyZWVkbnMuY29udHJvbGQuY29tAy9wMQ"

[static."Control-D-Alt"]
stamp = "sdns://AgcAAAAAAAAACjc2Ljc2LjIuMTEAFGZyZWVkbnMuY29udHJvbGQuY29tAy9wMA"

[static."CloudFlare-Chad"]
stamp = "sdns://AgcAAAAAAAAADjEwNC4xNi4xMzIuMjI5ABJkbnMuY2xvdWRmbGFyZS5jb20KL2Rucy1xdWVyeQ"

[static.'Google-DOH']
stamp = "sdns://AgMAAAAAAAAABzguOC44LjgACmRucy5nb29nbGUKL2Rucy1xdWVyeQ"