Skyxim/Smartdns.conf

## Smartdns.conf
# dns server name, default is host name
# server-name,
# example:
#   server-name smartdns
#

# Include another configuration options
# conf-file [file]
# conf-file blacklist-ip.conf

# dns server bind ip and port, default dns server port is 53, support binding multi ip and port
# bind udp server
#   bind [IP]:[port] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
# bind tcp server
#   bind-tcp [IP]:[port] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
# option:
#   -group: set domain request to use the appropriate server group.
#   -no-rule-addr: skip address rule.
#   -no-rule-nameserver: skip nameserver rule.
#   -no-rule-ipset: skip ipset rule.
#   -no-speed-check: do not check speed.
#   -no-cache: skip cache.
#   -no-rule-soa: Skip address SOA(#) rules.
#   -no-dualstack-selection: Disable dualstack ip selection.
#   -force-aaaa-soa: force AAAA query return SOA.
# example:
#  IPV4:
#    bind :53
#    bind :6053 -group office -no-speed-check
#  IPV6:
#    bind [::]:53
#    bind-tcp [::]:53
bind [::]:6053 -group china -no-speed-check
bind [::]:7053 -group global -no-speed-check
bind :5053 -group bootstrap -no-speed-check
# tcp connection idle timeout
tcp-idle-time 900

# dns cache size
# cache-size [number]
#   0: for no cache
cache-size 8192

# enable persist cache when restart
cache-persist yes

# cache persist file
# cache-file /tmp/smartdns.cache

# prefetch domain
# prefetch-domain [yes|no]
prefetch-domain yes

# cache serve expired
# serve-expired [yes|no]
serve-expired yes

# cache serve expired TTL
# serve-expired-ttl [num]
serve-expired-ttl 10

# reply TTL value to use when replying with expired data
# serve-expired-reply-ttl [num]
serve-expired-reply-ttl 30

# List of hosts that supply bogus NX domain results
# bogus-nxdomain [ip/subnet]

# List of IPs that will be filtered when nameserver is configured -blacklist-ip parameter
# blacklist-ip [ip/subnet]

# List of IPs that will be accepted when nameserver is configured -whitelist-ip parameter
# whitelist-ip [ip/subnet]

# List of IPs that will be ignored
# ignore-ip [ip/subnet]

# speed check mode
# speed-check-mode [ping|tcp:port|none|,]
# example:
#   speed-check-mode ping,tcp:80
#   speed-check-mode tcp:443,ping
#   speed-check-mode none
speed-check-mode ping
# force AAAA query return SOA
# force-AAAA-SOA [yes|no]

# Enable IPV4, IPV6 dual stack IP optimization selection strategy
# dualstack-ip-selection-threshold [num] (0~1000)
# dualstack-ip-selection [yes|no]
# dualstack-ip-selection yes

# edns client subnet
# edns-client-subnet [ip/subnet]
# edns-client-subnet 192.168.1.1/24
# edns-client-subnet [8::8]/56

# ttl for all resource record
# rr-ttl: ttl for all record
# rr-ttl-min: minimum ttl for resource record
# rr-ttl-max: maximum ttl for resource record
# example:
rr-ttl 300
rr-ttl-min 60
rr-ttl-max 86400

# set log level
# log-level: [level], level=fatal, error, warn, notice, info, debug
# log-file: file path of log file.
# log-size: size of each log file, support k,m,g
# log-num: number of logs
log-level error
# log-file /var/log/smartdns.log
# log-size 128k
# log-num 2

# dns audit
# audit-enable [yes|no]: enable or disable audit.
# audit-enable yes
# audit-SOA [yes|no]: enable or disable log soa result.
# audit-size size of each audit file, support k,m,g
# audit-file /var/log/smartdns-audit.log
# audit-size 128k
# audit-num 2

# certificate file
# ca-file [file]
# ca-file /etc/ssl/certs/ca-certificates.crt

# certificate path
# ca-path [path]
# ca-path /etc/ss/certs

# remote udp dns server list
# server [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-check-edns] [-group [group] ...] [-exclude-default-group]
# default port is 53
#   -blacklist-ip: filter result with blacklist ip
#   -whitelist-ip: filter result whth whitelist ip,  result in whitelist-ip will be accepted.
#   -check-edns: result must exist edns RR, or discard result.
#   -group [group]: set server to group, use with nameserver /domain/group.
#   -exclude-default-group: exclude this server from default group.
# server 8.8.8.8 -blacklist-ip -check-edns -group g1 -group g2
server 223.6.6.6 -tls-host-verify *.alidns.com -hsot-name dns.alidns.com -group bootstrap -exclude-default-group
# remote tcp dns server list
# server-tcp [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-group [group] ...] [-exclude-default-group]
# default port is 53
# server-tcp 8.8.8.8

# remote tls dns server list
# server-tls [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
#   -spki-pin: TLS spki pin to verify.
#   -tls-host-verify: cert hostname to verify.
#   -host-name: TLS sni hostname.
#   -no-check-certificate: no check certificate.
# Get SPKI with this command:
#    echo | openssl s_client -connect '[ip]:853' | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
# default port is 853
# server-tls 8.8.8.8
# server-tls 1.0.0.1
server-tls dns.alidns.com -tls-host-verify *.alidns.com -host-name dns.alidns.com -group china -exclude-default-group
server-tls dot.pub -tls-host-verify *.dot.pub -host-name dot.pub -group china -exclude-default-group

server-tls dns.google -tls-host-verify dns.google -host-name dns.google -exclude-default-group -group global
server-tls 1.1.1.1 -tls-host-verify cloudflare-dns.com -group global -exclude-default-group
# remote https dns server list
# server-https https://[host]:[port]/path [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
#   -spki-pin: TLS spki pin to verify.
#   -tls-host-verify: cert hostname to verify.
#   -host-name: TLS sni hostname.
#   -http-host: http host.
#   -no-check-certificate: no check certificate.
# default port is 443
# server-https https://cloudflare-dns.com/dns-query

# specific nameserver to domain
# nameserver /domain/[group|-]
# nameserver /www.example.com/office, Set the domain name to use the appropriate server group.
# nameserver /www.example.com/-, ignore this domain
nameserver /dot.pub/bootstrap
nameserver /dns.alidns.com/bootstrap
nameserver /dns.google/bootstrap
#nameserver /1.1.1.1/bootstrap
# specific address to domain
# address /domain/[ip|-|-4|-6|#|#4|#6]
# address /www.example.com/1.2.3.4, return ip 1.2.3.4 to client
# address /www.example.com/-, ignore address, query from upstream, suffix 4, for ipv4, 6 for ipv6, none for all
# address /www.example.com/#, return SOA to client, suffix 4, for ipv4, 6 for ipv6, none for all

# enable ipset timeout by ttl feature
# ipset-timeout [yes]

# specific ipset to domain
# ipset /domain/[ipset|-]
# ipset /www.example.com/block, set ipset with ipset name of block
# ipset /www.example.com/-, ignore this domain

# set domain rules
# domain-rules /domain/ [-speed-check-mode [...]]
# rules:
#   -speed-check-mode [mode]: speed check mode
#                             speed-check-mode [ping|tcp:port|none|,]
#   -address [address|-]: same as address option
#   -nameserver [group|-]: same as nameserver option
#   -ipset [ipset|-]: same as ipset option
	# dns server name, default is host name
	# server-name,
	# example:
	# server-name smartdns
	#

	# Include another configuration options
	# conf-file [file]
	# conf-file blacklist-ip.conf

	# dns server bind ip and port, default dns server port is 53, support binding multi ip and port
	# bind udp server
	# bind [IP]:[port] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
	# bind tcp server
	# bind-tcp [IP]:[port] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
	# option:
	# -group: set domain request to use the appropriate server group.
	# -no-rule-addr: skip address rule.
	# -no-rule-nameserver: skip nameserver rule.
	# -no-rule-ipset: skip ipset rule.
	# -no-speed-check: do not check speed.
	# -no-cache: skip cache.
	# -no-rule-soa: Skip address SOA(#) rules.
	# -no-dualstack-selection: Disable dualstack ip selection.
	# -force-aaaa-soa: force AAAA query return SOA.
	# example:
	# IPV4:
	# bind :53
	# bind :6053 -group office -no-speed-check
	# IPV6:
	# bind [::]:53
	# bind-tcp [::]:53
	bind [::]:6053 -group china -no-speed-check
	bind [::]:7053 -group global -no-speed-check
	bind :5053 -group bootstrap -no-speed-check
	# tcp connection idle timeout
	tcp-idle-time 900

	# dns cache size
	# cache-size [number]
	# 0: for no cache
	cache-size 8192

	# enable persist cache when restart
	cache-persist yes

	# cache persist file
	# cache-file /tmp/smartdns.cache

	# prefetch domain
	# prefetch-domain [yes\|no]
	prefetch-domain yes

	# cache serve expired
	# serve-expired [yes\|no]
	serve-expired yes

	# cache serve expired TTL
	# serve-expired-ttl [num]
	serve-expired-ttl 10

	# reply TTL value to use when replying with expired data
	# serve-expired-reply-ttl [num]
	serve-expired-reply-ttl 30

	# List of hosts that supply bogus NX domain results
	# bogus-nxdomain [ip/subnet]

	# List of IPs that will be filtered when nameserver is configured -blacklist-ip parameter
	# blacklist-ip [ip/subnet]

	# List of IPs that will be accepted when nameserver is configured -whitelist-ip parameter
	# whitelist-ip [ip/subnet]

	# List of IPs that will be ignored
	# ignore-ip [ip/subnet]

	# speed check mode
	# speed-check-mode [ping\|tcp:port\|none\|,]
	# example:
	# speed-check-mode ping,tcp:80
	# speed-check-mode tcp:443,ping
	# speed-check-mode none
	speed-check-mode ping
	# force AAAA query return SOA
	# force-AAAA-SOA [yes\|no]

	# Enable IPV4, IPV6 dual stack IP optimization selection strategy
	# dualstack-ip-selection-threshold [num] (0~1000)
	# dualstack-ip-selection [yes\|no]
	# dualstack-ip-selection yes

	# edns client subnet
	# edns-client-subnet [ip/subnet]
	# edns-client-subnet 192.168.1.1/24
	# edns-client-subnet [8::8]/56

	# ttl for all resource record
	# rr-ttl: ttl for all record
	# rr-ttl-min: minimum ttl for resource record
	# rr-ttl-max: maximum ttl for resource record
	# example:
	rr-ttl 300
	rr-ttl-min 60
	rr-ttl-max 86400

	# set log level
	# log-level: [level], level=fatal, error, warn, notice, info, debug
	# log-file: file path of log file.
	# log-size: size of each log file, support k,m,g
	# log-num: number of logs
	log-level error
	# log-file /var/log/smartdns.log
	# log-size 128k
	# log-num 2

	# dns audit
	# audit-enable [yes\|no]: enable or disable audit.
	# audit-enable yes
	# audit-SOA [yes\|no]: enable or disable log soa result.
	# audit-size size of each audit file, support k,m,g
	# audit-file /var/log/smartdns-audit.log
	# audit-size 128k
	# audit-num 2

	# certificate file
	# ca-file [file]
	# ca-file /etc/ssl/certs/ca-certificates.crt

	# certificate path
	# ca-path [path]
	# ca-path /etc/ss/certs

	# remote udp dns server list
	# server [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-check-edns] [-group [group] ...] [-exclude-default-group]
	# default port is 53
	# -blacklist-ip: filter result with blacklist ip
	# -whitelist-ip: filter result whth whitelist ip, result in whitelist-ip will be accepted.
	# -check-edns: result must exist edns RR, or discard result.
	# -group [group]: set server to group, use with nameserver /domain/group.
	# -exclude-default-group: exclude this server from default group.
	# server 8.8.8.8 -blacklist-ip -check-edns -group g1 -group g2
	server 223.6.6.6 -tls-host-verify *.alidns.com -hsot-name dns.alidns.com -group bootstrap -exclude-default-group
	# remote tcp dns server list
	# server-tcp [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-group [group] ...] [-exclude-default-group]
	# default port is 53
	# server-tcp 8.8.8.8

	# remote tls dns server list
	# server-tls [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
	# -spki-pin: TLS spki pin to verify.
	# -tls-host-verify: cert hostname to verify.
	# -host-name: TLS sni hostname.
	# -no-check-certificate: no check certificate.
	# Get SPKI with this command:
	# echo \| openssl s_client -connect '[ip]:853' \| openssl x509 -pubkey -noout \| openssl pkey -pubin -outform der \| openssl dgst -sha256 -binary \| openssl enc -base64
	# default port is 853
	# server-tls 8.8.8.8
	# server-tls 1.0.0.1
	server-tls dns.alidns.com -tls-host-verify *.alidns.com -host-name dns.alidns.com -group china -exclude-default-group
	server-tls dot.pub -tls-host-verify *.dot.pub -host-name dot.pub -group china -exclude-default-group

	server-tls dns.google -tls-host-verify dns.google -host-name dns.google -exclude-default-group -group global
	server-tls 1.1.1.1 -tls-host-verify cloudflare-dns.com -group global -exclude-default-group
	# remote https dns server list
	# server-https https://[host]:[port]/path [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
	# -spki-pin: TLS spki pin to verify.
	# -tls-host-verify: cert hostname to verify.
	# -host-name: TLS sni hostname.
	# -http-host: http host.
	# -no-check-certificate: no check certificate.
	# default port is 443
	# server-https https://cloudflare-dns.com/dns-query

	# specific nameserver to domain
	# nameserver /domain/[group\|-]
	# nameserver /www.example.com/office, Set the domain name to use the appropriate server group.
	# nameserver /www.example.com/-, ignore this domain
	nameserver /dot.pub/bootstrap
	nameserver /dns.alidns.com/bootstrap
	nameserver /dns.google/bootstrap
	#nameserver /1.1.1.1/bootstrap
	# specific address to domain
	# address /domain/[ip\|-\|-4\|-6\|#\|#4\|#6]
	# address /www.example.com/1.2.3.4, return ip 1.2.3.4 to client
	# address /www.example.com/-, ignore address, query from upstream, suffix 4, for ipv4, 6 for ipv6, none for all
	# address /www.example.com/#, return SOA to client, suffix 4, for ipv4, 6 for ipv6, none for all

	# enable ipset timeout by ttl feature
	# ipset-timeout [yes]

	# specific ipset to domain
	# ipset /domain/[ipset\|-]
	# ipset /www.example.com/block, set ipset with ipset name of block
	# ipset /www.example.com/-, ignore this domain

	# set domain rules
	# domain-rules /domain/ [-speed-check-mode [...]]
	# rules:
	# -speed-check-mode [mode]: speed check mode
	# speed-check-mode [ping\|tcp:port\|none\|,]
	# -address [address\|-]: same as address option
	# -nameserver [group\|-]: same as nameserver option
	# -ipset [ipset\|-]: same as ipset option