@darkmanlv
Forked from Zenithar/dnscrypt-proxy
Created May 31, 2022 21:45
Unbound + DNSCrypt configuration
# dnscrypt-proxy environment file (the gist does not name it; assumed to be the
# /etc/default/dnscrypt-proxy style file read by the dnscrypt-proxy 1.x init script).
# Two loopback listeners on the same port, each pinned to one dnscrypt.eu resolver
# by provider name and provider public key. Only 127.0.0.1@9053 is referenced by the
# Unbound forward-zone below; the 127.0.0.2 listener is configured but unused there.
DNSCRYPT_LOCALIP=127.0.0.1
DNSCRYPT_LOCALIP2=127.0.0.2
DNSCRYPT_LOCALPORT=9053
DNSCRYPT_RESOLVERPORT=443
DNSCRYPT_USER=nobody
DNSCRYPT_PROVIDER_NAME=2.dnscrypt-cert.resolver2.dnscrypt.eu
DNSCRYPT_PROVIDER_NAME2=2.dnscrypt-cert.resolver1.dnscrypt.eu
DNSCRYPT_PROVIDER_KEY=3748:5585:E3B9:D088:FD25:AD36:B037:01F5:520C:D648:9E9A:DD52:1457:4955:9F0A:9955
DNSCRYPT_PROVIDER_KEY2=67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66
DNSCRYPT_RESOLVERIP=77.66.84.233
DNSCRYPT_RESOLVERIP2=176.56.237.171
# Local LAN zone data for Unbound, presumably the forward.conf / reverse.conf files
# pulled in by the include: lines of the server config below. "home." is a static
# zone: names in it that are not listed here get NXDOMAIN instead of being sent
# upstream, and the PTR records answer reverse lookups for the two hosts.
local-zone: "home." static
local-data: "raspberry.home. IN A 192.168.0.253"
local-data: "router.home. IN A 192.168.0.254"
local-data-ptr: "192.168.0.253 raspberry.home."
local-data-ptr: "192.168.0.254 router.home."
server:
    # Core cpu count
    num-threads: 2
    # DNSSEC features
    # Updated via: unbound-anchor -v -a /etc/unbound/root.key
    auto-trust-anchor-file: "/etc/unbound/root.key"
    module-config: "validator iterator"
    # Downloaded via: wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /etc/unbound/root.hints
    root-hints: "/etc/unbound/root.hints"
    # Listen on all IPv4 addresses; the access-control list below decides who may query
    interface: 0.0.0.0
    port: 53 # port to answer queries from
    do-ip4: yes # Enable IPv4, "yes" or "no".
    do-ip6: no # Enable IPv6, "yes" or "no".
    do-udp: yes # Enable UDP, "yes" or "no".
    do-tcp: yes # Enable TCP, "yes" or "no".
    # Hide unbound information (id.server / version.server queries)
    hide-identity: yes
    hide-version: yes
    # If yes, Unbound rotates RRSet order in the response. This is almost
    # the same as Thijs Kinkhorst's implementation, except that the random
    # number source is the query-id.
    rrset-roundrobin: yes
    # Time to live minimum for RRsets and messages in the cache.
    cache-min-ttl: 60
    # If yes, Unbound doesn't insert authority/additional sections into
    # the response message when those sections are not required [1]. This is
    # similar to BIND9's minimal-responses or Google Public DNS
    # behavior.
    minimal-responses: no
    # Use 0x20-encoded random bits in the query to foil spoof
    # attempts. This perturbs the lowercase and uppercase of query
    # names sent to authority servers and checks if the reply still
    # has the correct casing. Disabled by default. This feature is
    # an experimental implementation of draft dns-0x20.
    use-caps-for-id: yes
    # If yes, message cache elements are prefetched before they expire
    # to keep the cache up to date.
    prefetch: yes
    # If yes, fetch the DNSKEYs earlier in the validation process,
    # when a DS record is encountered.
    prefetch-key: yes
    # ACL: loopback and the LAN may query, everything else is refused
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/24 allow
    access-control: 0.0.0.0/0 refuse
    # Enforce privacy: strip LAN addresses out of answers for public names
    # (DNS rebinding protection)
    private-address: 192.168.0.0/24
    # Local zone definition: answers under "home." may contain private addresses
    private-domain: "home."
    include: /etc/unbound/forward.conf
    include: /etc/unbound/reverse.conf
    # Must be "no" so that Unbound will send queries to the dnscrypt-proxy
    # listener on 127.0.0.1 (the default "yes" blocks loopback upstreams)
    do-not-query-localhost: no
# Disable remote control
remote-control:
    control-enable: no
# Forward all queries to the specified servers
forward-zone:
    name: "."
    # DNSCrypt: the dnscrypt-proxy listener from the environment file above.
    # While this line is commented out, upstream queries go to OpenDNS on
    # plain port 53 and DNSCrypt is not used at all.
    # forward-addr: 127.0.0.1@9053
    # OpenDNS
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220
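The easy mistake in a setup like this is the one the gist itself shows: the DNSCrypt forward is commented out, so Unbound quietly resolves through OpenDNS in cleartext while the dnscrypt-proxy listener sits idle. The following script is an added example, not part of the gist, that parses the two files and reports when the root forward-zone does not land on the listener described by the environment file, when `do-not-query-localhost` would block that forward, and when `interface: 0.0.0.0` lacks a catch-all refuse ACL. The sample texts are constructed, trimmed copies of the gist's files; `audit()` and the other helpers are this example's own, not an Unbound or dnscrypt-proxy API.

```python
"""Added example (not from the gist): checks that an Unbound config really sends
its upstream queries through the dnscrypt-proxy listener named in the
dnscrypt-proxy environment file, plus two hardening settings from the gist."""
import ipaddress

# Constructed, trimmed copy of the gist's dnscrypt-proxy environment file.
DNSCRYPT_ENV = """\
DNSCRYPT_LOCALIP=127.0.0.1
DNSCRYPT_LOCALPORT=9053
"""

# Constructed, trimmed copy of the gist's server: clause.
SERVER_PART = """\
server:
    interface: 0.0.0.0
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/24 allow
    access-control: 0.0.0.0/0 refuse
    do-not-query-localhost: no
"""
# As in the gist: the DNSCrypt forward is commented out and OpenDNS is live.
UNBOUND_CONF_GIST = SERVER_PART + """\
forward-zone:
    name: "."
    # forward-addr: 127.0.0.1@9053
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220
"""
# Same config with the root forward pointed at the dnscrypt-proxy listener.
UNBOUND_CONF_FIXED = SERVER_PART + 'forward-zone:\n    name: "."\n    forward-addr: 127.0.0.1@9053\n'


def parse_env(text):
    """KEY=value lines into a dict; blank lines and '#' comments are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip('"')
    return env


def parse_unbound(text):
    """Unbound config -> [(clause, {attr: [values]})] in file order."""
    clauses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' comments run to end of line
        if not line:
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if not value:  # a bare "server:" / "forward-zone:" line opens a clause
            clauses.append((attr, {}))
        else:  # any other "attr: value" line belongs to the last opened clause
            clauses[-1][1].setdefault(attr, []).append(value.strip('"'))
    return clauses


def split_addr(addr):
    """'1.2.3.4@9053' -> (IPv4Address('1.2.3.4'), 9053); the port defaults to 53."""
    host, _, port = addr.partition("@")
    return ipaddress.ip_address(host), int(port or 53)


def audit(env_text, unbound_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    env = parse_env(env_text)
    clauses = parse_unbound(unbound_text)
    server = {}  # merged view of every server: clause
    for clause, attrs in clauses:
        if clause == "server":
            for attr, values in attrs.items():
                server.setdefault(attr, []).extend(values)
    listener = (ipaddress.ip_address(env["DNSCRYPT_LOCALIP"]), int(env["DNSCRYPT_LOCALPORT"]))

    # Every forward for "." must hit the dnscrypt-proxy listener; anything else
    # is plain port-53 DNS to an outside resolver, i.e. DNSCrypt is bypassed.
    uses_listener = False
    for clause, attrs in clauses:
        if clause == "forward-zone" and attrs.get("name") == ["."]:
            for addr in attrs.get("forward-addr", []):
                if split_addr(addr) == listener:
                    uses_listener = True
                else:
                    findings.append("forward-addr %s bypasses dnscrypt-proxy (cleartext upstream)" % addr)
    if not uses_listener:
        findings.append("no forward-addr points at dnscrypt-proxy on %s@%d" % listener)
    elif server.get("do-not-query-localhost", ["yes"])[-1] != "no":
        findings.append("do-not-query-localhost must be 'no' to forward to the loopback listener")

    # Listening on all interfaces is only safe behind a catch-all refuse/deny ACL.
    if "0.0.0.0" in server.get("interface", []):
        acl = [a.split()[:2] for a in server.get("access-control", [])]
        if ["0.0.0.0/0", "refuse"] not in acl and ["0.0.0.0/0", "deny"] not in acl:
            findings.append("interface 0.0.0.0 without an access-control 0.0.0.0/0 refuse catch-all")
    return findings
```

Running `audit(DNSCRYPT_ENV, UNBOUND_CONF_GIST)` yields three findings (one per OpenDNS address, plus "no forward-addr points at dnscrypt-proxy on 127.0.0.1@9053"), while the fixed config yields none. To check a real host, read `/etc/unbound/unbound.conf` and the environment file from disk instead of the constructed strings; the parser deliberately ignores commented-out lines, which is exactly how the gist's DNSCrypt forward disappears.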