This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
# dns server name, default is host name | |
# server-name, | |
# example: | |
# server-name smartdns | |
# | |
# Include another configuration file | |
# conf-file [file] | |
# conf-file blacklist-ip.conf | |
# dns server bind ip and port, default dns server port is 53, support binding multi ip and port | |
# bind udp server | |
# bind [IP]:[port] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection] | |
# bind tcp server | |
# bind-tcp [IP]:[port] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection] | |
# option: | |
# -group: set domain request to use the appropriate server group. | |
# -no-rule-addr: skip address rule. | |
# -no-rule-nameserver: skip nameserver rule. | |
# -no-rule-ipset: skip ipset rule. | |
# -no-speed-check: do not check speed. | |
# -no-cache: skip cache. | |
# -no-rule-soa: Skip address SOA(#) rules. | |
# -no-dualstack-selection: Disable dualstack ip selection. | |
# -force-aaaa-soa: force AAAA query return SOA. | |
# example: | |
# IPV4: | |
# bind :53 | |
# bind :6053 -group office -no-speed-check | |
# IPV6: | |
# bind [::]:53 | |
# bind-tcp [::]:53 | |
# Active listeners. All three use `bind`, the UDP listener described above; no bind-tcp is configured.
# [::]:6053 and [::]:7053 use the IPv6 wildcard address and :5053 names no IP (presumably the IPv4
# wildcard), so nothing on these lines limits which interfaces answer queries.
# NOTE(review): give a specific listen IP, or filter these ports at the firewall, if only local
# clients should be able to query this resolver - confirm the intended exposure.
# -group selects the upstream server group per listener; -no-speed-check turns speed checking off for it.
bind [::]:6053 -group china -no-speed-check | |
bind [::]:7053 -group global -no-speed-check | |
bind :5053 -group bootstrap -no-speed-check | |
# tcp connection idle timeout | |
# NOTE(review): value is presumably in seconds - confirm against the smartdns documentation.
tcp-idle-time 900 | |
# dns cache size | |
# cache-size [number] | |
# 0: for no cache | |
cache-size 8192 | |
# enable persist cache when restart | |
# The cache is kept across restarts. cache-file below is left commented out, so the built-in
# default path is used.
# NOTE(review): if that default is under /tmp (as the example path suggests), point cache-file at a
# directory only the smartdns user can write, so another local account cannot plant or replace the
# file that is loaded at start-up - confirm the default path.
cache-persist yes | |
# cache persist file | |
# cache-file /tmp/smartdns.cache | |
# prefetch domain | |
# prefetch-domain [yes|no] | |
prefetch-domain yes | |
# cache serve expired | |
# serve-expired [yes|no] | |
# With yes, cached records that are past their TTL can still be returned to clients (stale answers).
serve-expired yes | |
# cache serve expired TTL | |
# serve-expired-ttl [num] | |
# NOTE(review): presumably the time limit for serving an expired record - confirm meaning and unit.
serve-expired-ttl 10 | |
# reply TTL value to use when replying with expired data | |
# serve-expired-reply-ttl [num] | |
serve-expired-reply-ttl 30 | |
# List of hosts that supply bogus NX domain results | |
# bogus-nxdomain [ip/subnet] | |
# List of IPs that will be filtered when nameserver is configured -blacklist-ip parameter | |
# blacklist-ip [ip/subnet] | |
# List of IPs that will be accepted when nameserver is configured -whitelist-ip parameter | |
# whitelist-ip [ip/subnet] | |
# List of IPs that will be ignored | |
# ignore-ip [ip/subnet] | |
# speed check mode | |
# speed-check-mode [ping|tcp:port|none|,] | |
# example: | |
# speed-check-mode ping,tcp:80 | |
# speed-check-mode tcp:443,ping | |
# speed-check-mode none | |
# Global default: speed checking uses ping only (no tcp:port probe).
# NOTE(review): every bind line in this file passes -no-speed-check, so this setting may have no
# effect on queries arriving through those listeners - confirm.
speed-check-mode ping | |
# force AAAA query return SOA | |
# force-AAAA-SOA [yes|no] | |
# Enable IPV4, IPV6 dual stack IP optimization selection strategy | |
# dualstack-ip-selection-threshold [num] (0~1000) | |
# dualstack-ip-selection [yes|no] | |
# dualstack-ip-selection yes | |
# edns client subnet | |
# edns-client-subnet [ip/subnet] | |
# edns-client-subnet 192.168.1.1/24 | |
# edns-client-subnet [8::8]/56 | |
# ttl for all resource record | |
# rr-ttl: ttl for all record | |
# rr-ttl-min: minimum ttl for resource record | |
# rr-ttl-max: maximum ttl for resource record | |
# example: | |
# These three lines are active settings, not a commented example. Per the option list above, rr-ttl
# applies one TTL (300) to all records, and 60 / 86400 are the minimum and maximum TTL.
# NOTE(review): upstream TTLs are overridden by these values; with a fixed rr-ttl the min/max
# bounds look redundant - confirm which setting takes precedence.
rr-ttl 300 | |
rr-ttl-min 60 | |
rr-ttl-max 86400 | |
# set log level | |
# log-level: [level], level=fatal, error, warn, notice, info, debug | |
# log-file: file path of log file. | |
# log-size: size of each log file, support k,m,g | |
# log-num: number of logs | |
# Logging is limited to level error; log-file, log-size and log-num are left at their defaults.
# NOTE(review): audit-enable is also left commented out further down, so unless auditing is on by
# default this configuration keeps no per-query record for troubleshooting or incident response - confirm.
log-level error | |
# log-file /var/log/smartdns.log | |
# log-size 128k | |
# log-num 2 | |
# dns audit | |
# audit-enable [yes|no]: enable or disable audit. | |
# audit-enable yes | |
# audit-SOA [yes|no]: enable or disable log soa result. | |
# audit-size size of each audit file, support k,m,g | |
# audit-file /var/log/smartdns-audit.log | |
# audit-size 128k | |
# audit-num 2 | |
# certificate file | |
# ca-file [file] | |
# ca-file /etc/ssl/certs/ca-certificates.crt | |
# certificate path | |
# ca-path [path] | |
# ca-path /etc/ssl/certs | |
# remote udp dns server list | |
# server [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-check-edns] [-group [group] ...] [-exclude-default-group] | |
# default port is 53 | |
# -blacklist-ip: filter result with blacklist ip | |
# -whitelist-ip: filter result with whitelist ip, result in whitelist-ip will be accepted. | |
# -check-edns: result must exist edns RR, or discard result. | |
# -group [group]: set server to group, use with nameserver /domain/group. | |
# -exclude-default-group: exclude this server from default group. | |
# server 8.8.8.8 -blacklist-ip -check-edns -group g1 -group g2 | |
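# Bootstrap upstream. `server` is the plain UDP upstream type (see the heading of this section), so
# queries to 223.6.6.6 are sent unencrypted and the answers are not authenticated.
# -tls-host-verify and -host-name are documented for server-tls / server-https.
# NOTE(review): they presumably have no effect on a UDP `server` line - switch to server-tls if an
# encrypted bootstrap was intended.
# Fixed: the option name was misspelled as -hsot-name.
server 223.6.6.6 -tls-host-verify *.alidns.com -host-name dns.alidns.com -group bootstrap -exclude-default-group | |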
# remote tcp dns server list | |
# server-tcp [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-group [group] ...] [-exclude-default-group] | |
# default port is 53 | |
# server-tcp 8.8.8.8 | |
# remote tls dns server list | |
# server-tls [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group] | |
# -spki-pin: base64 SHA-256 pin of the server certificate's public key (SPKI) to verify. | |
# -tls-host-verify: cert hostname to verify. | |
# -host-name: TLS sni hostname. | |
# -no-check-certificate: do not verify the server certificate; the upstream is then not authenticated. | |
# Get SPKI with this command: | |
# echo | openssl s_client -connect '[ip]:853' | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 | |
# default port is 853 | |
# server-tls 8.8.8.8 | |
# server-tls 1.0.0.1 | |
# DNS-over-TLS upstreams, split into the groups china and global; all are kept out of the default group.
# -tls-host-verify names what the server certificate must match; -host-name sets the SNI that is sent.
# dns.alidns.com, dot.pub and dns.google are given as hostnames, so they must be resolved before the
# TLS connection can be opened (the nameserver rules below send those lookups to the bootstrap group).
# No -spki-pin is set. NOTE(review): trust presumably rests on certificate validation against the
# default CA store (ca-file / ca-path are commented out) plus the hostname check - confirm.
# NOTE(review): the 1.1.1.1 entry has no -host-name, so presumably no SNI is sent for it - confirm.
server-tls dns.alidns.com -tls-host-verify *.alidns.com -host-name dns.alidns.com -group china -exclude-default-group | |
server-tls dot.pub -tls-host-verify *.dot.pub -host-name dot.pub -group china -exclude-default-group | |
server-tls dns.google -tls-host-verify dns.google -host-name dns.google -exclude-default-group -group global | |
server-tls 1.1.1.1 -tls-host-verify cloudflare-dns.com -group global -exclude-default-group | |
# remote https dns server list | |
# server-https https://[host]:[port]/path [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group] | |
# -spki-pin: TLS spki pin to verify. | |
# -tls-host-verify: cert hostname to verify. | |
# -host-name: TLS sni hostname. | |
# -http-host: http host. | |
# -no-check-certificate: do not verify the server certificate; the upstream is then not authenticated. | |
# default port is 443 | |
# server-https https://cloudflare-dns.com/dns-query | |
# specific nameserver to domain | |
# nameserver /domain/[group|-] | |
# nameserver /www.example.com/office, Set the domain name to use the appropriate server group. | |
# nameserver /www.example.com/-, ignore this domain | |
# Send lookups for the DoT upstream hostnames themselves to the bootstrap group, so the server-tls
# entries can be resolved before any encrypted upstream is reachable.
# NOTE(review): the bootstrap upstream is configured with `server` (plain UDP), so these answers are
# not authenticated; the -tls-host-verify checks on the server-tls lines are what stop a forged
# address from being accepted as the real resolver - keep them enabled.
nameserver /dot.pub/bootstrap | |
nameserver /dns.alidns.com/bootstrap | |
nameserver /dns.google/bootstrap | |
#nameserver /1.1.1.1/bootstrap | |
# specific address to domain | |
# address /domain/[ip|-|-4|-6|#|#4|#6] | |
# address /www.example.com/1.2.3.4, return ip 1.2.3.4 to client | |
# address /www.example.com/-, ignore address, query from upstream, suffix 4, for ipv4, 6 for ipv6, none for all | |
# address /www.example.com/#, return SOA to client, suffix 4, for ipv4, 6 for ipv6, none for all | |
# enable ipset timeout by ttl feature | |
# ipset-timeout [yes] | |
# specific ipset to domain | |
# ipset /domain/[ipset|-] | |
# ipset /www.example.com/block, set ipset with ipset name of block | |
# ipset /www.example.com/-, ignore this domain | |
# set domain rules | |
# domain-rules /domain/ [-speed-check-mode [...]] | |
# rules: | |
# -speed-check-mode [mode]: speed check mode | |
# speed-check-mode [ping|tcp:port|none|,] | |
# -address [address|-]: same as address option | |
# -nameserver [group|-]: same as nameserver option | |
# -ipset [ipset|-]: same as ipset option | |