malhuda/AdGuardDNS
1
0
Fork 0
mirror of https://github.com/AdguardTeam/AdGuardDNS.git synced 2025-02-20 11:23:36 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
AdGuardDNS/config.dist.yaml
Andrey Meshkov cfb4caf935 Sync v2.3
2023-09-06 08:22:07 +03:00

420 lines
14 KiB
YAML
Raw Permalink Blame History

# See README.md for a full documentation of the configuration file, its types
# and values.
# Rate limiting configuration. It controls how we should mitigate DNS
# amplification attacks.
ratelimit:
# Flag to refuse ANY type request.
refuseany: true
# If response is larger than this, it is counted as several responses.
response_size_estimate: 1KB
# Rate limit options for IPv4 addresses.
ipv4:
# Rate of requests per second for one subnet for IPv4 addresses.
rps: 30
# The lengths of the subnet prefixes used to calculate rate limiter
# bucket keys for IPv4 addresses.
subnet_key_len: 24
# Rate limit options for IPv6 addresses.
ipv6:
# Rate of requests per second for one subnet for IPv6 addresses.
rps: 300
# The lengths of the subnet prefixes used to calculate rate limiter
# bucket keys for IPv6 addresses.
subnet_key_len: 48
# The time during which to count the number of times a client has hit the
# rate limit for a back off.
#
# TODO(a.garipov): Rename to "backoff_period" along with others.
back_off_period: 10m
# How many times a client hits the rate limit before being held in the back
# off.
back_off_count: 1000
# How much a client that has hit the rate limit too often stays in the back
# off.
back_off_duration: 30m
# Configuration for the allowlist.
allowlist:
# Lists of CIDRs or IPs ratelimit should be disabled for.
list:
- '127.0.0.1'
- '127.0.0.1/24'
# Time between two updates of allow list.
refresh_interval: 1h
# Configuration for the stream connection limiting.
connection_limit:
enabled: true
# The point at which the limiter stops accepting new connections. Once
# the number of active connections reaches this limit, new connections
# wait for the number to decrease below resume.
stop: 1000
resume: 800
# Access settings.
access:
# Domains to block.
blocked_question_domains:
- 'test.org'
# Client subnets to block.
blocked_client_subnets:
- '1.2.3.0/8'
# DNS cache configuration.
cache:
# The type of cache to use. Can be 'simple' (a simple LRU cache) or 'ecs'
# (a ECS-aware LRU cache). If set to 'ecs', ecs_size must be greater than
# zero.
type: 'simple'
# The total number of items in the cache for hostnames with no ECS support.
size: 10000
# The total number of items in the cache for hostnames with ECS support.
ecs_size: 10000
ttl_override:
enabled: true
# The minimum duration of TTL for a cache item.
min: 60s
# DNS upstream configuration.
upstream:
server: '8.8.8.8:53'
timeout: 2s
fallback:
- 1.1.1.1:53
- 8.8.8.8:53
healthcheck:
enabled: true
interval: 2s
timeout: 1s
backoff_duration: 30s
domain_template: '${RANDOM}.neverssl.com'
# DNSDB configuration.
dnsdb:
enabled: true
max_size: 500000
# Common DNS HTTP backend service configuration.
backend:
# Timeout for all outgoing backend HTTP requests. Set to `0s` to disable
# timeouts.
timeout: 10s
# How often AdGuard DNS checks the backend for data updates.
#
# TODO(a.garipov): Replace with a better update mechanism in the future.
refresh_interval: 15s
# How often AdGuard DNS performs full synchronization.
full_refresh_interval: 24h
# How often AdGuard DNS sends the billing statistics to the backend.
bill_stat_interval: 15s
# Query logging configuration.
query_log:
file:
# If true, enable writing JSONL logs to a file.
enabled: true
# Common GeoIP database configuration.
geoip:
# The size of the host lookup cache.
host_cache_size: 100000
# The size of the IP lookup cache.
ip_cache_size: 100000
# Interval between the GeoIP database refreshes.
refresh_interval: 1h
# DNS checking configuration.
check:
# Domains to use for DNS checking.
domains:
- dnscheck.adguard-dns.com
- dnscheck.adguard.com
# Location of this node.
node_location: 'ams'
# Name of this node.
node_name: 'eu-1.dns.example.com'
# IPs to respond with.
ipv4:
- 1.2.3.4
- 5.6.7.8
ipv6:
- 1234::cdee
- 1234::cdef
# For how long to keep the information about the client.
ttl: 30s
# Web/HTTP(S) service configuration. All non-root requests to the main service
# not matching the static_content map are shown a 404 page. In special
# case of `/robots.txt` request the special response is served.
web:
# Optional linked IP web server configuration. static_content is not served
# on these addresses.
linked_ip:
bind:
- address: '127.0.0.1:9080'
- address: '127.0.0.1:9443'
certificates:
- certificate: './test/cert.crt'
key: './test/cert.key'
# Optional safe browsing web server configuration. static_content is not
# served on these addresses. The addresses should be the same as in the
# safe_browsing object.
safe_browsing:
bind:
- address: '127.0.0.1:9081'
- address: '127.0.0.1:9444'
certificates:
- certificate: './test/cert.crt'
key: './test/cert.key'
block_page: './test/block_page_sb.html'
# Optional adult blocking web server configuration. static_content is not
# served on these addresses. The addresses should be the same as in the
# adult_blocking object.
adult_blocking:
bind:
- address: '127.0.0.1:9082'
- address: '127.0.0.1:9445'
certificates:
- certificate: './test/cert.crt'
key: './test/cert.key'
block_page: './test/block_page_adult.html'
# Listen addresses for the web service in addition to the ones in the
# DNS-over-HTTPS handlers.
non_doh_bind:
- address: '127.0.0.1:9083'
- address: '127.0.0.1:9446'
certificates:
- certificate: './test/cert.crt'
key: './test/cert.key'
# Static content map. Not served on the linked_ip, safe_browsing and adult_blocking
# servers. Paths must not cross the ones used by the DNS-over-HTTPS server.
static_content:
'/favicon.ico':
content: ''
headers:
Access-Control-Allow-Origin:
- '*'
Content-Type:
- 'image/x-icon'
# If not defined, AdGuard DNS will respond with a 404 page to all such
# requests.
root_redirect_url: 'https://adguard-dns.com'
# Path to the 404 page HTML file. If not set, a simple plain text 404
# response will be served.
error_404: './test/error_404.html'
# Same as error_404, but for the 500 status.
error_500: './test/error_500.html'
# Timeout for server operations
timeout: 1m
# AdGuard general safe browsing filter configuration.
safe_browsing:
block_host: 'standard-block.dns.adguard.com'
cache_size: 1024
cache_ttl: 1h
refresh_interval: 1h
# AdGuard adult content blocking filter configuration.
adult_blocking:
block_host: 'family-block.dns.adguard.com'
cache_size: 1024
cache_ttl: 1h
refresh_interval: 1h
# Settings for rule-list-based filters.
filters:
# The TTL to set for responses to requests for filtered domains.
response_ttl: 5m
# The size of the LRU cache of compiled filtering engines for profiles with
# custom filtering rules.
custom_filter_cache_size: 1024
# The size of the LRU cache of safe-search filtering results.
safe_search_cache_size: 1024
# How often to update filters from the index. See the documentation for the
# FILTER_INDEX_URL environment variable.
refresh_interval: 1h
# The timeout for the entire filter update operation. Be aware that each
# individual refresh operation also has its own hardcoded 30s timeout.
refresh_timeout: 5m
# MaxSize is the maximum size of the downloadable filtering rule-list.
max_size: 256MB
# Rule list cache.
rule_list_cache:
# If true, use filtering rule list result cache.
enabled: true
# The size of the LRU cache of rule-list filtering results.
size: 10000
# Filtering groups are a set of different filtering configurations. These
# filtering configurations are then used by server_groups.
filtering_groups:
- id: 'default'
parental:
enabled: false
rule_lists:
enabled: true
# IDs must be the same as those of the filtering rule lists received
# from the filter index.
ids:
- 'adguard_dns_filter'
safe_browsing:
enabled: true
block_dangerous_domains: true
block_newly_registered_domains: false
block_private_relay: false
block_firefox_canary: true
- id: 'family'
parental:
enabled: true
block_adult: true
general_safe_search: true
youtube_safe_search: true
rule_lists:
enabled: true
ids:
- 'adguard_dns_filter'
safe_browsing:
enabled: true
block_dangerous_domains: true
block_newly_registered_domains: false
block_private_relay: false
block_firefox_canary: true
- id: 'non_filtering'
rule_lists:
enabled: false
parental:
enabled: false
safe_browsing:
enabled: false
block_dangerous_domains: true
block_newly_registered_domains: false
block_private_relay: false
block_firefox_canary: true
# The configuration for the device-listening feature. Works only on Linux with
# SO_BINDTODEVICE support.
interface_listeners:
# The size of the buffers of the channels used to dispatch TCP connections
# and UDP sessions.
channel_buffer_size: 1000
# List is the mapping of interface-listener IDs to their configuration.
list:
'eth0_plain_dns':
interface: 'eth0'
port: 53
'eth0_plain_dns_secondary':
interface: 'eth0'
port: 5353
# Server groups and servers.
server_groups:
- name: 'adguard_dns_default'
# This filtering_group is used for all anonymous clients.
filtering_group: 'default'
tls:
certificates:
- certificate: './test/cert.crt'
key: './test/cert.key'
session_keys:
- './test/tls_key_1'
- './test/tls_key_2'
device_id_wildcards:
- '*.dns.example.com'
ddr:
enabled: true
# Device ID domain name suffix to DDR record template mapping. Keep in
# sync with servers and device_id_wildcards.
device_records:
'*.d.dns.example.com':
doh_path: '/dns-query{?dns}'
https_port: 443
quic_port: 853
tls_port: 853
ipv4_hints:
- '127.0.0.1'
ipv6_hints:
- '::1'
# Public domain name to DDR record template mapping. Keep in sync with
# servers.
public_records:
'dns.example.com':
doh_path: '/dns-query{?dns}'
https_port: 443
quic_port: 853
tls_port: 853
ipv4_hints:
- '127.0.0.1'
ipv6_hints:
- '::1'
servers:
- name: 'default_dns'
# See README for the list of protocol values.
protocol: 'dns'
linked_ip_enabled: true
# Either bind_interfaces or bind_addresses (see below) can be used for
# the plain-DNS servers.
bind_interfaces:
- id: 'eth0_plain_dns'
subnets:
- '127.0.0.0/8'
- id: 'eth0_plain_dns_secondary'
subnets:
- '127.0.0.0/8'
- name: 'default_dot'
protocol: 'tls'
linked_ip_enabled: false
bind_addresses:
- '127.0.0.1:853'
- name: 'default_doh'
protocol: 'https'
linked_ip_enabled: false
bind_addresses:
- '127.0.0.1:443'
- name: 'default_doq'
protocol: 'quic'
linked_ip_enabled: false
bind_addresses:
- '127.0.0.1:784'
- '127.0.0.1:853'
- name: 'default_dnscrypt'
protocol: 'dnscrypt'
linked_ip_enabled: false
bind_addresses:
- '127.0.0.1:5443'
dnscrypt:
# See https://github.com/ameshkov/dnscrypt/blob/master/README.md#configure.
config_path: ./test/dnscrypt.yml
- name: 'default_dnscrypt_inline'
protocol: 'dnscrypt'
linked_ip_enabled: false
bind_addresses:
- '127.0.0.1:5444'
dnscrypt:
inline:
provider_name: '2.dnscrypt-cert.example.org'
public_key: 'F11DDBCC4817E543845FDDD4CB881849B64226F3DE397625669D87B919BC4FB0'
private_key: '5752095FFA56D963569951AFE70FE1690F378D13D8AD6F8054DFAA100907F8B6F11DDBCC4817E543845FDDD4CB881849B64226F3DE397625669D87B919BC4FB0'
resolver_secret: '9E46E79FEB3AB3D45F4EB3EA957DEAF5D9639A0179F1850AFABA7E58F87C74C4'
resolver_public: '9327C5E64783E19C339BD6B680A56DB85521CC6E4E0CA5DF5274E2D3CE026C6B'
es_version: 1
certificate_ttl: 8760h
# Connectivity check configuration.
connectivity_check:
probe_ipv4: '8.8.8.8:53'
probe_ipv6: '[2001:4860:4860::8888]:53'
# Additional information to be exposed through metrics.
additional_metrics_info:
test_key: 'test_value'
# Network settings.
network:
# Defines the size of socket send buffer in a human-readable format.
# Default is zero (uses system settings).
so_sndbuf: 0
# Defines the size of socket receive buffer in a human-readable format.
# Default is zero (uses system settings).
so_rcvbuf: 0
Reference in New Issue View Git Blame Copy Permalink