Last active
December 1, 2019 02:07
DNS-over-HTTPS Client Pi-Hole/Unbound config for Android Private DNS ad filtering
# Address and port on which doh-client accepts plain DNS queries.
# "[::]" is the IPv6 wildcard, so the listener is bound on every interface
# rather than on loopback only (on dual-stack hosts this usually covers IPv4
# as well, depending on the OS).
# NOTE(review): if only a local Pi-hole/Unbound forwards to this port, confirm
# whether a loopback address or a host firewall rule should restrict access.
listen = ["[::]:5380"]
# Upstream DNS-over-HTTPS resolvers (HTTP endpoint URLs)
[upstream]
# Selector choices: random, weighted_round_robin, lvs_weighted_round_robin
upstream_selector = "random"

# weight must be in (0, 100]; it is ignored when upstream_selector is "random".
# NOTE(review): Cloudflare URLs are listed under both upstream_google and
# upstream_ietf below, so the table name presumably selects the request format
# rather than the provider -- confirm against the doh-client documentation.

## Google's production resolver, good ECS, bad DNSSEC
#[[upstream.upstream_google]]
# url = "https://dns.google.com/resolve"
# weight = 50

## CloudFlare's resolver, bad ECS, good DNSSEC
#[[upstream.upstream_google]]
# url = "https://cloudflare-dns.com/dns-query"
# weight = 50

## CloudFlare's resolver, bad ECS, good DNSSEC
#[[upstream.upstream_google]]
# url = "https://1.1.1.1/dns-query"
# weight = 50

## CloudFlare's resolver, bad ECS, good DNSSEC
#[[upstream.upstream_ietf]]
# url = "https://cloudflare-dns.com/dns-query"
# weight = 50

## CloudFlare's resolver, bad ECS, good DNSSEC
#[[upstream.upstream_ietf]]
# url = "https://1.1.1.1/dns-query"
# weight = 50

## Google's experimental resolver, good ECS, good DNSSEC
## NOTE(review): confirm this endpoint is still served before enabling it.
#[[upstream.upstream_ietf]]
# url = "https://dns.google.com/experimental"
# weight = 50

## CloudFlare's resolver for Tor, available only with Tor
## Remember to set no_ecs = true in [others] when using Tor!
## Blog: https://blog.cloudflare.com/welcome-hidden-resolver/
#[[upstream.upstream_ietf]]
# url = "https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/dns-query"
# weight = 50

## Custom upstream: a self-hosted DNS-over-HTTPS server.
## This is the only active upstream, so every query that is not on the
## passthrough list is sent to it. "securedns.domain.name" looks like a
## placeholder hostname -- replace it with the real server name.
[[upstream.upstream_ietf]]
url = "https://securedns.domain.name/dns-query"
weight = 50
[others]
# Bootstrap DNS servers, used to resolve the hostname of the upstream resolver.
# With several entries, one is picked at random for each lookup.
# An empty list falls back to the system DNS settings; also leave it empty if
# the upstream's IP addresses are preloaded in /etc/hosts instead.
# These lookups go out as classic DNS on port 53, so the upstream's hostname is
# visible to the bootstrap server and to anyone on the network path.
bootstrap = [
    # Google's resolver, bad ECS, good DNSSEC
    "8.8.8.8:53",
    "8.8.4.4:53",
    # CloudFlare's resolver, bad ECS, good DNSSEC
    "1.1.1.1:53",
    "1.0.0.1:53",
]

# Domain names handed straight to the bootstrap servers above, which lets
# captive-portal detection work and lets systems without an RTC set their clock.
# Only effective if at least one bootstrap server is configured.
# Names on this list bypass the DoH upstream and are resolved by the bootstrap
# servers over port 53, so keep the list to what is actually required.
passthrough = [
    "captive.apple.com",
    "connectivitycheck.gstatic.com",
    "detectportal.firefox.com",
    "msftconnecttest.com",
    "nmcheck.gnome.org",
    "pool.ntp.org",
    "time.apple.com",
    "time.asia.apple.com",
    "time.euro.apple.com",
    "time.nist.gov",
    "time.windows.com",
]

# Timeout for an upstream request, in seconds
timeout = 30

# Disable HTTP cookies
#
# Cookies may be useful if the upstream resolver sits behind an anti-DDoS
# service that uses them to identify clients.
# Note that DNS Cookies (a protocol extension to DNS) can also be used to
# track users and are not controlled by doh-client.
no_cookies = true

# Disable EDNS0-Client-Subnet (ECS)
#
# DNS-over-HTTPS supports the EDNS0-Client-Subnet protocol, which submits part
# of the client's IP address (/24 for IPv4, /56 for IPv6 by default) to the
# upstream server. This helps GeoDNS and CDNs work and matches the
# configuration of most public DNS servers.
# With false, ECS stays enabled and that address prefix is disclosed upstream;
# set it to true where that is unwanted (required for the Tor upstream listed
# under [upstream]).
no_ecs = false

# Disable IPv6 when querying upstream
#
# Only enable this if you really have trouble connecting.
# doh-client uses both IPv4 and IPv6 by default and should not have problems
# in an IPv4-only environment.
# Note that DNS listening and bootstrapping are not controlled by this option.
no_ipv6 = false

# Enable logging
verbose = false