# See README.md for a full documentation of the configuration file, its types # and values. # Rate limiting configuration. It controls how we should mitigate DNS # amplification attacks. ratelimit: # Flag to refuse ANY type request. refuseany: true # If response is larger than this, it is counted as several responses. response_size_estimate: 1KB # Rate limit options for IPv4 addresses. ipv4: # Rate of requests per second for one subnet for IPv4 addresses. rps: 30 # The lengths of the subnet prefixes used to calculate rate limiter # bucket keys for IPv4 addresses. subnet_key_len: 24 # Rate limit options for IPv6 addresses. ipv6: # Rate of requests per second for one subnet for IPv6 addresses. rps: 300 # The lengths of the subnet prefixes used to calculate rate limiter # bucket keys for IPv6 addresses. subnet_key_len: 48 # The time during which to count the number of times a client has hit the # rate limit for a back off. backoff_period: 10m # How many times a client hits the rate limit before being held in the back # off. backoff_count: 1000 # How much a client that has hit the rate limit too often stays in the back # off. backoff_duration: 30m # Configuration for the allowlist. allowlist: # Lists of CIDRs or IPs ratelimit should be disabled for. list: - '127.0.0.1' - '127.0.0.1/24' # Time between two updates of allow list. refresh_interval: 1h # Configuration for the stream connection limiting. connection_limit: enabled: true # The point at which the limiter stops accepting new connections. Once # the number of active connections reaches this limit, new connections # wait for the number to decrease below resume. stop: 1000 resume: 800 # Configuration of QUIC streams limiting. quic: enabled: true # The maximum number of concurrent streams that a peer is allowed to # open. max_streams_per_peer: 100 # Configuration of TCP pipeline limiting. tcp: enabled: true # The maximum number of processing TCP messages per one connection. max_pipeline_count: 100 # Access settings. access: # Domains to block. blocked_question_domains: - 'test.org' # Client subnets to block. blocked_client_subnets: - '1.2.3.0/8' # DNS cache configuration. cache: # The type of cache to use. Can be 'simple' (a simple LRU cache) or 'ecs' # (a ECS-aware LRU cache). If set to 'ecs', ecs_size must be greater than # zero. type: 'simple' # The total number of items in the cache for hostnames with no ECS support. size: 10000 # The total number of items in the cache for hostnames with ECS support. ecs_size: 10000 ttl_override: enabled: true # The minimum duration of TTL for a cache item. min: 60s # DNS upstream configuration. upstream: servers: - address: 'tcp://1.1.1.1:53' timeout: 2s - address: '8.8.4.4:53' timeout: 2s fallback: servers: - address: '1.1.1.1:53' timeout: 1s - address: '8.8.8.8:53' timeout: 1s healthcheck: enabled: true interval: 2s timeout: 1s backoff_duration: 30s domain_template: '${RANDOM}.neverssl.com' # Common DNS settings. # # TODO(a.garipov): Consider making these settings per-server-group. dns: # The timeout for any read from a UDP connection or the first read from # a TCP/TLS connection. It currently doesn't affect DNSCrypt, QUIC, or # HTTPS. read_timeout: 2s # The timeout for consecutive reads from a TCP/TLS connection. It currently # doesn't affect DNSCrypt, QUIC, or HTTPS. tcp_idle_timeout: 30s # The timeout for writing to a UDP or TCP/TLS connection. It currently # doesn't affect DNSCrypt, QUIC, or HTTPS. write_timeout: 2s # The timeout for the entire handling of a single query. handle_timeout: 1s # UDP response size limit. max_udp_response_size: 1024B # DNSDB configuration. dnsdb: enabled: true max_size: 500000 # Common DNS HTTP backend service configuration. backend: # Timeout for all outgoing backend HTTP requests. Set to `0s` to disable # timeouts. timeout: 10s # How often AdGuard DNS checks the backend for data updates. # # TODO(a.garipov): Replace with a better update mechanism in the future. refresh_interval: 15s # How often AdGuard DNS performs full synchronization. full_refresh_interval: 24h # How long to wait before attempting a new full synchronization after a # failure. full_refresh_retry_interval: 1h # How often AdGuard DNS sends the billing statistics to the backend. bill_stat_interval: 15s # Query logging configuration. query_log: file: # If true, enable writing JSONL logs to a file. enabled: true # Common GeoIP database configuration. geoip: # The size of the host lookup cache. host_cache_size: 100000 # The size of the IP lookup cache. ip_cache_size: 100000 # Interval between the GeoIP database refreshes. refresh_interval: 1h # DNS checking configuration. check: # Domains to use for DNS checking. kv: # Defines the type of remote kay-value storage. Allowed values are # "consul" and "redis". type: 'consul' # For how long to keep the information about the client. ttl: 30s # Domains to use for DNS checking. domains: - dnscheck.adguard-dns.com - dnscheck.adguard.com # Location of this node. node_location: 'ams' # Name of this node. node_name: 'eu-1.dns.example.com' # IPs to respond with. ipv4: - 1.2.3.4 - 5.6.7.8 ipv6: - 1234::cdee - 1234::cdef # Web/HTTP(S) service configuration. All non-root requests to the main service # not matching the static_content map are shown a 404 page. In special # case of `/robots.txt` request the special response is served. web: # Optional linked IP web server configuration. static_content is not served # on these addresses. linked_ip: bind: - address: '127.0.0.1:9080' - address: '127.0.0.1:9443' certificates: - certificate: './test/cert.crt' key: './test/cert.key' # Optional adult blocking web server configuration. static_content is not # served on these addresses. The addresses should be the same as in the # general_blocking and safe_browsing objects. adult_blocking: bind: - address: '127.0.0.1:9081' - address: '127.0.0.1:9444' certificates: - certificate: './test/cert.crt' key: './test/cert.key' block_page: './test/block_page_adult.html' # Optional general blocking web server configuration. static_content is not # served on these addresses. The addresses should be the same as in the # adult_blocking and safe_browsing objects. general_blocking: bind: - address: '127.0.0.1:9082' - address: '127.0.0.1:9445' certificates: - certificate: './test/cert.crt' key: './test/cert.key' block_page: './test/block_page_general.html' # Optional safe browsing web server configuration. static_content is not # served on these addresses. The addresses should be the same as in the # general_blocking and safe_browsing objects. safe_browsing: bind: - address: '127.0.0.1:9083' - address: '127.0.0.1:9446' certificates: - certificate: './test/cert.crt' key: './test/cert.key' block_page: './test/block_page_sb.html' # Listen addresses for the web service in addition to the ones in the # DNS-over-HTTPS handlers. non_doh_bind: - address: '127.0.0.1:9084' - address: '127.0.0.1:9447' certificates: - certificate: './test/cert.crt' key: './test/cert.key' # Static content map. Not served on the linked_ip, safe_browsing and adult_blocking # servers. Paths must not cross the ones used by the DNS-over-HTTPS server. static_content: '/favicon.ico': content: '' headers: Access-Control-Allow-Origin: - '*' Content-Type: - 'image/x-icon' # If not defined, AdGuard DNS will respond with a 404 page to all such # requests. root_redirect_url: 'https://adguard-dns.com' # Path to the 404 page HTML file. If not set, a simple plain text 404 # response will be served. error_404: './test/error_404.html' # Same as error_404, but for the 500 status. error_500: './test/error_500.html' # Timeout for server operations timeout: 1m # AdGuard general safe browsing filter configuration. safe_browsing: block_host: 'standard-block.dns.adguard.com' cache_size: 1024 cache_ttl: 1h refresh_interval: 1h refresh_timeout: 1m # AdGuard adult content blocking filter configuration. adult_blocking: block_host: 'family-block.dns.adguard.com' cache_size: 1024 cache_ttl: 1h refresh_interval: 1h refresh_timeout: 1m # Settings for rule-list-based filters. # # TODO(a.garipov): Add the timeout for the blocked-service index refresh. It # is currently hardcoded to 3 minutes. filters: # The TTL to set for responses to requests for filtered domains. response_ttl: 5m # The size of the LRU cache of compiled filtering engines for profiles with # custom filtering rules. custom_filter_cache_size: 1024 # The size of the LRU cache of safe-search filtering results. safe_search_cache_size: 1024 # How often to update filters from the index. See the documentation for the # FILTER_INDEX_URL environment variable. refresh_interval: 1h # The timeout for the entire filter update operation. Note that filter # rule-list index and each filter rule-list update operations have their own # timeouts, see index_refresh_timeout and rule_list_refresh_timeout. refresh_timeout: 5m # The timeout for the filter rule-list index update operation. See also # refresh_timeout for the entire filter update operation. index_refresh_timeout: 1m # The timeout for the filter update operation of each rule-list, including # the safe-search ones. See also refresh_timeout for the entire filter # update operation. rule_list_refresh_timeout: 1m # MaxSize is the maximum size of the downloadable filtering rule-list. max_size: 256MB # Rule list cache. rule_list_cache: # If true, use filtering rule list result cache. enabled: true # The size of the LRU cache of rule-list filtering results. size: 10000 # Filtering groups are a set of different filtering configurations. These # filtering configurations are then used by server_groups. filtering_groups: - id: 'default' parental: enabled: false rule_lists: enabled: true # IDs must be the same as those of the filtering rule lists received # from the filter index. ids: - 'adguard_dns_filter' safe_browsing: enabled: true block_dangerous_domains: true block_newly_registered_domains: false block_private_relay: false block_firefox_canary: true - id: 'family' parental: enabled: true block_adult: true general_safe_search: true youtube_safe_search: true rule_lists: enabled: true ids: - 'adguard_dns_filter' safe_browsing: enabled: true block_dangerous_domains: true block_newly_registered_domains: false block_private_relay: false block_firefox_canary: true - id: 'non_filtering' rule_lists: enabled: false parental: enabled: false safe_browsing: enabled: false block_dangerous_domains: true block_newly_registered_domains: false block_private_relay: false block_firefox_canary: true # The configuration for the device-listening feature. Works only on Linux with # SO_BINDTODEVICE support. interface_listeners: # The size of the buffers of the channels used to dispatch TCP connections # and UDP sessions. channel_buffer_size: 1000 # List is the mapping of interface-listener IDs to their configuration. list: 'eth0_plain_dns': interface: 'eth0' port: 53 'eth0_plain_dns_secondary': interface: 'eth0' port: 5353 # Server groups and servers. server_groups: - name: 'adguard_dns_default' # This filtering_group is used for all anonymous clients. filtering_group: 'default' ddr: enabled: true # Device ID domain name suffix to DDR record template mapping. Keep in # sync with servers and device_id_wildcards. device_records: '*.d.dns.example.com': doh_path: '/dns-query{?dns}' https_port: 443 quic_port: 853 tls_port: 853 ipv4_hints: - '127.0.0.1' ipv6_hints: - '::1' # Public domain name to DDR record template mapping. Keep in sync with # servers. public_records: 'dns.example.com': doh_path: '/dns-query{?dns}' https_port: 443 quic_port: 853 tls_port: 853 ipv4_hints: - '127.0.0.1' ipv6_hints: - '::1' tls: certificates: - certificate: './test/cert.crt' key: './test/cert.key' session_keys: - './test/tls_key_1' - './test/tls_key_2' device_id_wildcards: - '*.dns.example.com' servers: - name: 'default_dns' # See README for the list of protocol values. protocol: 'dns' linked_ip_enabled: true # Either bind_interfaces or bind_addresses (see below) can be used for # the plain-DNS servers. bind_interfaces: - id: 'eth0_plain_dns' subnets: - '127.0.0.0/8' - id: 'eth0_plain_dns_secondary' subnets: - '127.0.0.0/8' - name: 'default_dot' protocol: 'tls' linked_ip_enabled: false bind_addresses: - '127.0.0.1:853' - name: 'default_doh' protocol: 'https' linked_ip_enabled: false bind_addresses: - '127.0.0.1:443' - name: 'default_doq' protocol: 'quic' linked_ip_enabled: false bind_addresses: - '127.0.0.1:784' - '127.0.0.1:853' - name: 'default_dnscrypt' protocol: 'dnscrypt' linked_ip_enabled: false bind_addresses: - '127.0.0.1:5443' dnscrypt: # See https://github.com/ameshkov/dnscrypt/blob/master/README.md#configure. config_path: ./test/dnscrypt.yml - name: 'default_dnscrypt_inline' protocol: 'dnscrypt' linked_ip_enabled: false bind_addresses: - '127.0.0.1:5444' dnscrypt: inline: provider_name: '2.dnscrypt-cert.example.org' public_key: 'F11DDBCC4817E543845FDDD4CB881849B64226F3DE397625669D87B919BC4FB0' private_key: '5752095FFA56D963569951AFE70FE1690F378D13D8AD6F8054DFAA100907F8B6F11DDBCC4817E543845FDDD4CB881849B64226F3DE397625669D87B919BC4FB0' resolver_secret: '9E46E79FEB3AB3D45F4EB3EA957DEAF5D9639A0179F1850AFABA7E58F87C74C4' resolver_public: '9327C5E64783E19C339BD6B680A56DB85521CC6E4E0CA5DF5274E2D3CE026C6B' es_version: 1 certificate_ttl: 8760h profiles_enabled: true # Connectivity check configuration. connectivity_check: probe_ipv4: '8.8.8.8:53' probe_ipv6: '[2001:4860:4860::8888]:53' # Additional information to be exposed through metrics. additional_metrics_info: test_key: 'test_value' # Network settings. network: # Defines the size of socket send buffer in a human-readable format. # Default is zero (uses system settings). so_sndbuf: 0 # Defines the size of socket receive buffer in a human-readable format. # Default is zero (uses system settings). so_rcvbuf: 0