{{ file_header | default () }} upstreams: groups: default: {% for item in blocky_dns_upstream %} - {{ item }} {% endfor %} strategy: parallel_best timeout: 2s # optional: If true, blocky will fail to start unless at least one upstream server per group is reachable. Default: false startVerifyUpstream: true # optional: Determines how blocky will create outgoing connections. This impacts both upstreams, and lists. # accepted: dual, v4, v6 # default: dual connectIPVersion: v4 # optional: use black and white lists to block queries (for example ads, trackers, adult pages etc.) blocking: # definition of blacklist groups. Can be external link (http/https) or local file blackLists: ads: {% for item in blocky_dns_blocklists %} - {{ item }} {% endfor %} # which response will be sent, if query is blocked: # zeroIp: 0.0.0.0 will be returned (default) # nxDomain: return NXDOMAIN as return code # comma separated list of destination IP addresses (for example: 192.100.100.15, 2001:0db8:85a3:08d3:1319:8a2e:0370:7344). Should contain ipv4 and ipv6 to cover all query types. Useful with running web server on this address to display the "blocked" page. blockType: {{ blocky_block_type | default ("zeroIp") }} # optional: TTL for answers to blocked domains # default: 6h blockTTL: {{ blocky_block_ttl | default ("6h") }} clientGroupsBlock: # default will be used, if no special definition for a client name exists default: - ads # siehe blocking.blacklists.ads # optional: Configure how lists, AKA sources, are loaded loading: # optional: list refresh period in duration format. # Set to a value <= 0 to disable. # default: 4h refreshPeriod: 4h # optional: Applies only to lists that are downloaded (HTTP URLs). downloads: # optional: timeout for list download (each url). Use large values for big lists or slow internet connections # default: 5s timeout: 5s # optional: Maximum download attempts # default: 3 attempts: 3 # optional: Time between the download attempts # default: 500ms cooldown: 500ms # optional: Maximum number of lists to process in parallel. # default: 4 concurrency: 4 # optional: if failOnError, application startup will fail if at least one list can't be downloaded/opened # default: blocking strategy: {{ blocky_blacklists_strategy | default ("blocking") }} # Number of errors allowed in a list before it is considered invalid. # A value of -1 disables the limit. # default: 5 maxErrorsPerSource: 5 {% if blocky_conditional_mapping is defined %} # optional: definition, which DNS resolver(s) should be used for queries to the domain (with all sub-domains). Multiple resolvers must be separated by a comma # Example: Query client.fritz.box will ask DNS server 192.168.178.1. This is necessary for local network, to resolve clients by host name conditional: # optional: if false (default), return empty result if after rewrite, the mapped resolver returned an empty answer. If true, the original query will be sent to the upstream resolver # Example: The query "blog.example.com" will be rewritten to "blog.fritz.box" and also redirected to the resolver at 192.168.178.1. If not found and if `fallbackUpstream` was set to `true`, the original query "blog.example.com" will be sent upstream. # Usage: One usecase when having split DNS for internal and external (internet facing) users, but not all subdomains are listed in the internal domain. fallbackUpstream: false mapping: {% for item in blocky_conditional_mapping %} {{ item.domain }}: {{ item.resolver }} {% endfor %} {% endif %} {% if blocky_custom_lookups is defined %} # optional: custom IP address(es) for domain name (with all sub-domains). Multiple addresses must be separated by a comma # example: query "printer.lan" or "my.printer.lan" will return 192.168.178.3 customDNS: customTTL: 1h # optional: if true (default), return empty result for unmapped query types (for example TXT, MX or AAAA if only IPv4 address is defined). # if false, queries with unmapped types will be forwarded to the upstream resolver filterUnmappedTypes: true # optional: replace domain in the query with other domain before resolver lookup in the mapping # rewrite: # example.com: printer.lan mapping: {% for item in blocky_custom_lookups %} {{ item.name }}: {{ item.ip }} {% endfor %} {% endif %} # optional: configuration for caching of DNS responses caching: # duration how long a response must be cached (min value). # If <=0, use response's TTL, if >0 use this value, if TTL is smaller # Default: 0 minTime: 0 # duration how long a response must be cached (max value). # If <0, do not cache responses # If 0, use TTL # If > 0, use this value, if TTL is greater # Default: 0 maxTime: 0 # Max number of cache entries (responses) to be kept in cache (soft limit). Useful on systems with limited amount of RAM. # Default (0): unlimited maxItemsCount: 0 # if true, will preload DNS results for often used queries (default: names queried more than 5 times in a 2-hour time window) # this improves the response time for often used queries, but significantly increases external traffic # default: false prefetching: true # prefetch track time window (in duration format) # default: 120 prefetchExpires: 120 # name queries threshold for prefetch # default: 5 prefetchThreshold: 5 # Max number of domains to be kept in cache for prefetching (soft limit). Useful on systems with limited amount of RAM. # Default (0): unlimited prefetchMaxItemsCount: 0 # Time how long negative results (NXDOMAIN response or empty result) are cached. A value of -1 will disable caching for negative results. # Default: 30m cacheTimeNegative: -1 # optional: configuration of client name resolution clientLookup: # optional: this DNS resolver will be used to perform reverse DNS lookup (typically local router) upstream: {{ blocky_local_upstream | default ("192.168.2.1") }} # optional: some routers return multiple names for client (host name and user defined name). Define which single name should be used. # Example: take second name if present, if not take first name # singleNameOrder: # - 2 # - 1 # optional: configuration for prometheus metrics endpoint prometheus: # enabled if true enable: {{ blocky_prometheus | default ("false") }} # url path, optional (default '/metrics') path: /metrics # optional: Mininal TLS version that the DoH and DoT server will use # minTlsServeVersion: 1.3 # if https port > 0: path to cert and key file for SSL encryption. if not set, self-signed certificate will be generated #certFile: server.crt #keyFile: server.key # optional: use these DNS servers to resolve blacklist urls and upstream DNS servers. It is useful if no system DNS resolver is configured, and/or to encrypt the bootstrap queries. bootstrapDns: - tcp+udp:9.9.9.9 # optional: drop all queries with following query types. Default: empty filtering: queryTypes: - AAAA # optional: return NXDOMAIN for queries that are not FQDNs. fqdnOnly: # default: false enable: {{ blocky_fqdn_only | default ("false") }} # optional: ports configuration ports: # optional: DNS listener port(s) and bind ip address(es), default 53 (UDP and TCP). Example: 53, :53, "127.0.0.1:5353,[::1]:5353" dns: {{ blocky_port_dns | default ("53") }} # optional: Port(s) and bind ip address(es) for DoT (DNS-over-TLS) listener. Example: 853, 127.0.0.1:853 # tls: 853 # optional: Port(s) and optional bind ip address(es) to serve HTTPS used for prometheus metrics, pprof, REST API, DoH... If you wish to specify a specific IP, you can do so such as 192.168.0.1:443. Example: 443, :443, 127.0.0.1:443,[::1]:443 # https: 443 # optional: Port(s) and optional bind ip address(es) to serve HTTP used for prometheus metrics, pprof, REST API, DoH... If you wish to specify a specific IP, you can do so such as 192.168.0.1:4000. Example: 4000, :4000, 127.0.0.1:4000,[::1]:4000 http: 4000 # optional: logging configuration log: # optional: Log level (one from debug, info, warn, error). Default: info level: {{ blocky_log_level | default ("info") }} # optional: Log format (text or json). Default: text format: text # optional: log timestamps. Default: true timestamp: true # optional: obfuscate log output (replace all alphanumeric characters with *) for user sensitive data like request domains or responses to increase privacy. Default: false privacy: false