hsouna/doh-server.conf

## doh-server.conf
# HTTP listen port
listen = [
    "127.0.0.1:8053",
    "[::1]:8053",

    ## To listen on both 0.0.0.0:8053 and [::]:8053, use the following line
    # ":8053",
]

# Local address and port for upstream DNS
# If left empty, a local address is automatically chosen.
local_addr = ""

# TLS certification file
# If left empty, plain-text HTTP will be used.
# You are recommended to leave empty and to use a server load balancer (e.g.
# Caddy, Nginx) and set up TLS there, because this program does not do OCSP
# Stapling, which is necessary for client bootstrapping in a network
# environment with completely no traditional DNS service.
cert = ""

# TLS private key file
key = ""

# HTTP path for resolve application
path = "/dns-query"

# Upstream DNS resolver
# If multiple servers are specified, a random one will be chosen each time.
# You can use "udp", "tcp" or "tcp-tls" for the type prefix.
# For "udp", UDP will first be used, and switch to TCP when the server asks to
# or the response is too large.
# For "tcp", only TCP will be used.
# For "tcp-tls", DNS-over-TLS (RFC 7858) will be used to secure the upstream connection.
upstream = [
    "tcp:127.0.2.1:53",
]

# Upstream timeout
timeout = 10

# Number of tries if upstream DNS fails
tries = 3

# Enable logging
verbose = false

# Enable log IP from HTTPS-reverse proxy header: X-Forwarded-For or X-Real-IP
# Note: http uri/useragent log cannot be controlled by this config
log_guessed_client_ip = false

# By default, non global IP addresses are never forwarded to upstream servers.
# This is to prevent two things from happening:
#   1. the upstream server knowing your private LAN addresses;
#   2. the upstream server unable to provide geographically near results,
#      or even fail to provide any result.
# However, if you are deploying a split tunnel corporation network
# environment, or for any other reason you want to inhibit this
# behavior and allow local (eg RFC1918) address to be forwarded,
# change the following option to "true".
ecs_allow_non_global_ip = false

# If ECS is added to the request, let the full IP address or
# cap it to 24 or 128 mask. This option is to be used only on private
# networks where knwoledge of the terminal endpoint may be required for
# security purposes (eg. DNS Firewalling). Not a good option on the
# internet where IP address may be used to identify the user and
# not only the approximate location.
ecs_use_precise_ip = false

# If DOH is used for a controlled network, it is possible to enable
# the client TLS certificate validation with a specific certificate
# authority used to sign any client one. Disabled by default.
# tls_client_auth = true
# tls_client_auth_ca = "root-ca-public.crt"
	# HTTP listen port
	listen = [
	"127.0.0.1:8053",
	"[::1]:8053",

	## To listen on both 0.0.0.0:8053 and [::]:8053, use the following line
	# ":8053",
	]

	# Local address and port for upstream DNS
	# If left empty, a local address is automatically chosen.
	local_addr = ""

	# TLS certification file
	# If left empty, plain-text HTTP will be used.
	# You are recommended to leave empty and to use a server load balancer (e.g.
	# Caddy, Nginx) and set up TLS there, because this program does not do OCSP
	# Stapling, which is necessary for client bootstrapping in a network
	# environment with completely no traditional DNS service.
	cert = ""

	# TLS private key file
	key = ""

	# HTTP path for resolve application
	path = "/dns-query"

	# Upstream DNS resolver
	# If multiple servers are specified, a random one will be chosen each time.
	# You can use "udp", "tcp" or "tcp-tls" for the type prefix.
	# For "udp", UDP will first be used, and switch to TCP when the server asks to
	# or the response is too large.
	# For "tcp", only TCP will be used.
	# For "tcp-tls", DNS-over-TLS (RFC 7858) will be used to secure the upstream connection.
	upstream = [
	"tcp:127.0.2.1:53",
	]

	# Upstream timeout
	timeout = 10

	# Number of tries if upstream DNS fails
	tries = 3

	# Enable logging
	verbose = false

	# Enable log IP from HTTPS-reverse proxy header: X-Forwarded-For or X-Real-IP
	# Note: http uri/useragent log cannot be controlled by this config
	log_guessed_client_ip = false

	# By default, non global IP addresses are never forwarded to upstream servers.
	# This is to prevent two things from happening:
	# 1. the upstream server knowing your private LAN addresses;
	# 2. the upstream server unable to provide geographically near results,
	# or even fail to provide any result.
	# However, if you are deploying a split tunnel corporation network
	# environment, or for any other reason you want to inhibit this
	# behavior and allow local (eg RFC1918) address to be forwarded,
	# change the following option to "true".
	ecs_allow_non_global_ip = false

	# If ECS is added to the request, let the full IP address or
	# cap it to 24 or 128 mask. This option is to be used only on private
	# networks where knwoledge of the terminal endpoint may be required for
	# security purposes (eg. DNS Firewalling). Not a good option on the
	# internet where IP address may be used to identify the user and
	# not only the approximate location.
	ecs_use_precise_ip = false

	# If DOH is used for a controlled network, it is possible to enable
	# the client TLS certificate validation with a specific certificate
	# authority used to sign any client one. Disabled by default.
	# tls_client_auth = true
	# tls_client_auth_ca = "root-ca-public.crt"