194 lines
8.4 KiB
Django/Jinja
194 lines
8.4 KiB
Django/Jinja
{{ file_header | default () }}
|
|
upstreams:
|
|
groups:
|
|
default:
|
|
{% for item in blocky_dns_upstream %}
|
|
- {{ item }}
|
|
{% endfor %}
|
|
strategy: parallel_best
|
|
timeout: 2s
|
|
|
|
# optional: If true, blocky will fail to start unless at least one upstream server per group is reachable. Default: false
|
|
startVerifyUpstream: true
|
|
|
|
# optional: Determines how blocky will create outgoing connections. This impacts both upstreams, and lists.
|
|
# accepted: dual, v4, v6
|
|
# default: dual
|
|
connectIPVersion: v4
|
|
|
|
|
|
# optional: use black and white lists to block queries (for example ads, trackers, adult pages etc.)
|
|
blocking:
|
|
# definition of blacklist groups. Can be external link (http/https) or local file
|
|
blackLists:
|
|
ads:
|
|
{% for item in blocky_dns_blocklists %}
|
|
- {{ item }}
|
|
{% endfor %}
|
|
# which response will be sent, if query is blocked:
|
|
# zeroIp: 0.0.0.0 will be returned (default)
|
|
# nxDomain: return NXDOMAIN as return code
|
|
# comma separated list of destination IP addresses (for example: 192.100.100.15, 2001:0db8:85a3:08d3:1319:8a2e:0370:7344). Should contain ipv4 and ipv6 to cover all query types. Useful with running web server on this address to display the "blocked" page.
|
|
blockType: {{ blocky_block_type | default ("zeroIp") }}
|
|
# optional: TTL for answers to blocked domains
|
|
# default: 6h
|
|
blockTTL: {{ blocky_block_ttl | default ("6h") }}
|
|
clientGroupsBlock:
|
|
# default will be used, if no special definition for a client name exists
|
|
default:
|
|
- ads # siehe blocking.blacklists.ads
|
|
# optional: Configure how lists, AKA sources, are loaded
|
|
loading:
|
|
# optional: list refresh period in duration format.
|
|
# Set to a value <= 0 to disable.
|
|
# default: 4h
|
|
refreshPeriod: 4h
|
|
# optional: Applies only to lists that are downloaded (HTTP URLs).
|
|
downloads:
|
|
# optional: timeout for list download (each url). Use large values for big lists or slow internet connections
|
|
# default: 5s
|
|
timeout: 5s
|
|
# optional: Maximum download attempts
|
|
# default: 3
|
|
attempts: 3
|
|
# optional: Time between the download attempts
|
|
# default: 500ms
|
|
cooldown: 500ms
|
|
# optional: Maximum number of lists to process in parallel.
|
|
# default: 4
|
|
concurrency: 4
|
|
# optional: if failOnError, application startup will fail if at least one list can't be downloaded/opened
|
|
# default: blocking
|
|
strategy: {{ blocky_blacklists_strategy | default ("blocking") }}
|
|
# Number of errors allowed in a list before it is considered invalid.
|
|
# A value of -1 disables the limit.
|
|
# default: 5
|
|
maxErrorsPerSource: 5
|
|
|
|
{% if blocky_conditional_mapping is defined %}
|
|
|
|
# optional: definition, which DNS resolver(s) should be used for queries to the domain (with all sub-domains). Multiple resolvers must be separated by a comma
|
|
# Example: Query client.fritz.box will ask DNS server 192.168.178.1. This is necessary for local network, to resolve clients by host name
|
|
conditional:
|
|
# optional: if false (default), return empty result if after rewrite, the mapped resolver returned an empty answer. If true, the original query will be sent to the upstream resolver
|
|
# Example: The query "blog.example.com" will be rewritten to "blog.fritz.box" and also redirected to the resolver at 192.168.178.1. If not found and if `fallbackUpstream` was set to `true`, the original query "blog.example.com" will be sent upstream.
|
|
# Usage: One usecase when having split DNS for internal and external (internet facing) users, but not all subdomains are listed in the internal domain.
|
|
fallbackUpstream: false
|
|
mapping:
|
|
{% for item in blocky_conditional_mapping %}
|
|
{{ item.domain }}: {{ item.resolver }}
|
|
{% endfor %}
|
|
{% endif %}
|
|
|
|
|
|
{% if blocky_custom_lookups is defined %}
|
|
# optional: custom IP address(es) for domain name (with all sub-domains). Multiple addresses must be separated by a comma
|
|
# example: query "printer.lan" or "my.printer.lan" will return 192.168.178.3
|
|
customDNS:
|
|
customTTL: 1h
|
|
# optional: if true (default), return empty result for unmapped query types (for example TXT, MX or AAAA if only IPv4 address is defined).
|
|
# if false, queries with unmapped types will be forwarded to the upstream resolver
|
|
filterUnmappedTypes: true
|
|
# optional: replace domain in the query with other domain before resolver lookup in the mapping
|
|
# rewrite:
|
|
# example.com: printer.lan
|
|
mapping:
|
|
{% for item in blocky_custom_lookups %}
|
|
{{ item.name }}: {{ item.ip }}
|
|
{% endfor %}
|
|
{% endif %}
|
|
|
|
# optional: configuration for caching of DNS responses
|
|
caching:
|
|
# duration how long a response must be cached (min value).
|
|
# If <=0, use response's TTL, if >0 use this value, if TTL is smaller
|
|
# Default: 0
|
|
minTime: 0
|
|
# duration how long a response must be cached (max value).
|
|
# If <0, do not cache responses
|
|
# If 0, use TTL
|
|
# If > 0, use this value, if TTL is greater
|
|
# Default: 0
|
|
maxTime: 0
|
|
# Max number of cache entries (responses) to be kept in cache (soft limit). Useful on systems with limited amount of RAM.
|
|
# Default (0): unlimited
|
|
maxItemsCount: 0
|
|
# if true, will preload DNS results for often used queries (default: names queried more than 5 times in a 2-hour time window)
|
|
# this improves the response time for often used queries, but significantly increases external traffic
|
|
# default: false
|
|
prefetching: true
|
|
# prefetch track time window (in duration format)
|
|
# default: 120
|
|
prefetchExpires: 120
|
|
# name queries threshold for prefetch
|
|
# default: 5
|
|
prefetchThreshold: 5
|
|
# Max number of domains to be kept in cache for prefetching (soft limit). Useful on systems with limited amount of RAM.
|
|
# Default (0): unlimited
|
|
prefetchMaxItemsCount: 0
|
|
# Time how long negative results (NXDOMAIN response or empty result) are cached. A value of -1 will disable caching for negative results.
|
|
# Default: 30m
|
|
cacheTimeNegative: 30m
|
|
|
|
# optional: configuration of client name resolution
|
|
clientLookup:
|
|
# optional: this DNS resolver will be used to perform reverse DNS lookup (typically local router)
|
|
upstream: {{ blocky_local_upstream | default ("192.168.2.1") }}
|
|
# optional: some routers return multiple names for client (host name and user defined name). Define which single name should be used.
|
|
# Example: take second name if present, if not take first name
|
|
# singleNameOrder:
|
|
# - 2
|
|
# - 1
|
|
|
|
|
|
# optional: configuration for prometheus metrics endpoint
|
|
prometheus:
|
|
# enabled if true
|
|
enable: {{ blocky_prometheus | default ("false") }}
|
|
# url path, optional (default '/metrics')
|
|
path: /metrics
|
|
|
|
|
|
# optional: Mininal TLS version that the DoH and DoT server will use
|
|
# minTlsServeVersion: 1.3
|
|
|
|
# if https port > 0: path to cert and key file for SSL encryption. if not set, self-signed certificate will be generated
|
|
#certFile: server.crt
|
|
#keyFile: server.key
|
|
|
|
# optional: use these DNS servers to resolve blacklist urls and upstream DNS servers. It is useful if no system DNS resolver is configured, and/or to encrypt the bootstrap queries.
|
|
bootstrapDns:
|
|
- tcp+udp:9.9.9.9
|
|
|
|
# optional: drop all queries with following query types. Default: empty
|
|
filtering:
|
|
queryTypes:
|
|
- AAAA
|
|
|
|
# optional: return NXDOMAIN for queries that are not FQDNs.
|
|
fqdnOnly:
|
|
# default: false
|
|
enable: {{ blocky_fqdn_only | default ("false") }}
|
|
|
|
# optional: ports configuration
|
|
ports:
|
|
# optional: DNS listener port(s) and bind ip address(es), default 53 (UDP and TCP). Example: 53, :53, "127.0.0.1:5353,[::1]:5353"
|
|
dns: {{ blocky_port_dns | default ("53") }}
|
|
# optional: Port(s) and bind ip address(es) for DoT (DNS-over-TLS) listener. Example: 853, 127.0.0.1:853
|
|
# tls: 853
|
|
# optional: Port(s) and optional bind ip address(es) to serve HTTPS used for prometheus metrics, pprof, REST API, DoH... If you wish to specify a specific IP, you can do so such as 192.168.0.1:443. Example: 443, :443, 127.0.0.1:443,[::1]:443
|
|
# https: 443
|
|
# optional: Port(s) and optional bind ip address(es) to serve HTTP used for prometheus metrics, pprof, REST API, DoH... If you wish to specify a specific IP, you can do so such as 192.168.0.1:4000. Example: 4000, :4000, 127.0.0.1:4000,[::1]:4000
|
|
http: 4000
|
|
|
|
# optional: logging configuration
|
|
log:
|
|
# optional: Log level (one from debug, info, warn, error). Default: info
|
|
level: {{ blocky_log_level | default ("info") }}
|
|
# optional: Log format (text or json). Default: text
|
|
format: text
|
|
# optional: log timestamps. Default: true
|
|
timestamp: true
|
|
# optional: obfuscate log output (replace all alphanumeric characters with *) for user sensitive data like request domains or responses to increase privacy. Default: false
|
|
privacy: false
|