-
Notifications
You must be signed in to change notification settings - Fork 62
/
use-case-6.toml
82 lines (71 loc) · 2.91 KB
/
use-case-6.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
# RouteDNS config with caching and multiple blocklists that are loaded and refreshed from remote
# locations daily. DNS queries are received on the local network, filtered, cached and forwarded
# over DoT to upstream resolvers.
# Since this configuration references remote blocklists, hostname resolution for them could
# fail on startup if the system uses RouteDNS as only source of name resolution. Using
# a bootstrap-resolver defines how hostnames in blocklists or resolvers should be looked up.
# Here, use Cloudflare DNS-over-TLS to lookup blocklist addresses.
[bootstrap-resolver]
address = "1.1.1.1:853"
protocol = "dot"
# Listeners for the local network. Can be restricted further to specific networks
# with the "allowed-net" option
[listeners.local-udp]
address = ":53"
protocol = "udp"
resolver = "cache"
[listeners.local-tcp]
address = ":53"
protocol = "tcp"
resolver = "cache"
# Cache
[groups.cache]
type = "cache"
resolvers = ["ttl-update"]
cache-size = 8192
cache-negative-ttl = 120
backend = {type = "memory"}
# Update TTL to avoid noise using values that are too low
[groups.ttl-update]
type = "ttl-modifier"
resolvers = ["blocklist"]
ttl-min = 1800 # 30 Minutes
ttl-max = 43200 # 12 Hours
# Block queries (by name) using lists loaded from remote locations with HTTP and refreshed once a day
[groups.blocklist]
type = "blocklist-v2"
resolvers = ["blocklist-response"]
blocklist-refresh = 86400
blocklist-source = [
{format = "domain", source = "https://raw.githubusercontent.com/cbuijs/accomplist/master/easylist/routedns.blocklist.domain.list"},
{format = "domain", source = "https://raw.githubusercontent.com/cbuijs/accomplist/master/malicious-dom/routedns.blocklist.domain.list"},
]
# Block responses that include certain names. Also loaded via HTTP and refreshed daily
[groups.blocklist-response]
type = "response-blocklist-name"
resolvers = ["blocklist-ip"]
blocklist-refresh = 86400
blocklist-source = [
{format = "domain", source = "https://raw.githubusercontent.com/cbuijs/accomplist/master/cloak/routedns.blocklist.domain.list"},
{format = "domain", source = "https://raw.githubusercontent.com/cbuijs/accomplist/master/malicious-dom/routedns.blocklist.domain.list"},
]
# Block responses by IP ranges
[groups.blocklist-ip]
type = "response-blocklist-ip"
resolvers = ["cloudflare"]
blocklist-refresh = 86400
blocklist-source = [
{format = "cidr", source = "https://raw.githubusercontent.com/cbuijs/accomplist/master/malicious-ip/plain.black.ip4cidr.list"},
{format = "cidr", source = "https://raw.githubusercontent.com/cbuijs/accomplist/master/malicious-ip/plain.black.ip6cidr.list"},
]
# Resolver group that uses 2 cloudflare upstream resolvers, additional ones can be added
[groups.cloudflare]
type = "fail-rotate"
resolvers = ["cloudflare-dot-1", "cloudflare-dot-2"]
# Cloudflare DNS-over-TLS
[resolvers.cloudflare-dot-1]
address = "1.1.1.1:853"
protocol = "dot"
[resolvers.cloudflare-dot-2]
address = "1.0.0.1:853"
protocol = "dot"