2021-03-05 08:02:00 +01:00
# Configuration
2021-03-05 22:04:18 +01:00
This chapter describes all configuration options in `config.yaml` . You can download a reference file with all
configuration properties as [JSON ](config.yml ).
2021-03-05 08:02:00 +01:00
2021-09-12 21:17:32 +02:00
??? example "reference configuration file"
2021-09-14 22:20:41 +02:00
2022-01-19 22:46:27 +01:00
```yaml
--8< -- " docs / config . yml "
```
2021-09-12 21:17:32 +02:00
2021-03-05 08:02:00 +01:00
## Basic configuration
2021-12-21 22:03:02 +01:00
| Parameter | Type | Mandatory | Default value | Description |
|--------------|---------------------------------|-----------------------|---------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| port | [IP]:port[,[IP]:port]* | no | 53 | Port(s) and optional bind ip address(es) to serve DNS endpoint (TCP and UDP). If you wish to specify a specific IP, you can do so such as `192.168.0.1:53` . Example: `53` , `:53` , `127.0.0.1:53,[::1]:53` |
| tlsPort | [IP]:port[,[IP]:port]* | no | | Port(s) and optional bind ip address(es) to serve DoT DNS endpoint (DNS-over-TLS). If you wish to specify a specific IP, you can do so such as `192.168.0.1:853` . Example: `83` , `:853` , `127.0.0.1:853,[::1]:853` |
| httpPort | [IP]:port[,[IP]:port]* | no | | Port(s) and optional bind ip address(es) to serve HTTP used for prometheus metrics, pprof, REST API, DoH... If you wish to specify a specific IP, you can do so such as `192.168.0.1:4000` . Example: `4000` , `:4000` , `127.0.0.1:4000,[::1]:4000` |
| httpsPort | [IP]:port[,[IP]:port]* | no | | Port(s) and optional bind ip address(es) to serve HTTPS used for prometheus metrics, pprof, REST API, DoH... If you wish to specify a specific IP, you can do so such as `192.168.0.1:443` . Example: `443` , `:443` , `127.0.0.1:443,[::1]:443` |
2022-05-27 22:20:44 +02:00
| certFile | path | no | | Path to cert and key file for SSL encryption (DoH and DoT); if empty, self-signed certificate is generated |
| keyFile | path | no | | Path to cert and key file for SSL encryption (DoH and DoT); if empty, self-signed certificate is generated |
2021-12-21 22:03:02 +01:00
| logLevel | enum (debug, info, warn, error) | no | info | Log level |
| logFormat | enum (text, json) | no | text | Log format (text or json). |
| logTimestamp | bool | no | true | Log time stamps (true or false). |
2022-05-18 08:49:15 +02:00
| logPrivacy | bool | no | false | Obfuscate log output (replace all alphanumeric characters with *) for user sensitive data like request domains or responses to increase privacy. |
| dohUserAgent | string | no | | HTTP User Agent for DoH upstreams |
2022-06-04 08:23:40 +02:00
| minTlsServeVersion | string | no | 1.2 | Minimum TLS version that the DoT and DoH server use to serve those encrypted DNS requests |
2022-08-21 17:21:08 +02:00
| startVerifyUpstream | bool | no | false | If true, blocky will fail to start unless at least one upstream server per group is reachable. |
2022-09-19 21:44:12 +02:00
| connectIPVersion | bool | no | dual | IP version to use for outgoing connections (dual, v4, v6) |
2021-03-05 08:02:00 +01:00
!!! example
2022-01-19 22:46:27 +01:00
```yaml
port: 53
httpPort: 4000
httpsPort: 443
logLevel: info
```
2021-03-05 08:02:00 +01:00
## Upstream configuration
To resolve a DNS query, blocky needs external public or private DNS resolvers. Blocky supports DNS resolvers with
following network protocols (net part of the resolver URL):
- tcp+udp (UDP and TCP, dependent on query type)
- https (aka DoH)
- tcp-tls (aka DoT)
!!! hint
2022-01-19 22:46:27 +01:00
You can (and should!) configure multiple DNS resolvers. Blocky picks 2 random resolvers from the list for each query and
returns the answer from the fastest one. This improves your network speed and increases your privacy - your DNS traffic
will be distributed over multiple providers.
2021-03-05 08:02:00 +01:00
2022-09-15 03:18:33 +02:00
Each resolver must be defined as a string in following format: `[net:]host:[port][/path][#commonName]` .
2021-03-05 08:02:00 +01:00
2021-12-21 22:03:02 +01:00
| Parameter | Type | Mandatory | Default value |
|-----------|----------------------------------|-----------|---------------------------------------------------|
2022-09-15 03:18:33 +02:00
| net | enum (tcp+udp, tcp-tls or https) | no | tcp+udp |
| host | IP or hostname | yes | |
| port | int (1 - 65535) | no | 53 for udp/tcp, 853 for tcp-tls and 443 for https |
| commonName | string | no | the host value |
2021-03-05 08:02:00 +01:00
2022-09-17 21:34:34 +02:00
The commonName parameter overrides the expected certificate common name value used for verification.
2021-03-05 08:02:00 +01:00
2021-04-22 22:37:59 +02:00
Blocky needs at least the configuration of the **default** group. This group will be used as a fallback, if no client
specific resolver configuration is available.
You can use the client name (see [Client name lookup ](#client-name-lookup )), client's IP address or a client subnet as
CIDR notation.
!!! tip
You can use `*` as wildcard for the sequence of any character or `[0-9]` as number range
2021-03-05 08:02:00 +01:00
!!! example
```yaml
upstream:
2021-04-22 22:37:59 +02:00
default:
2022-04-02 22:04:26 +02:00
- 5.9.164.112
- 1.1.1.1
- tcp-tls:fdns1.dismail.de:853
- https://dns.digitale-gesellschaft.ch/dns-query
2022-01-19 22:46:27 +01:00
laptop*:
2022-04-02 22:04:26 +02:00
- 123.123.123.123
2022-01-19 22:46:27 +01:00
10.43.8.67/28:
2022-04-02 22:04:26 +02:00
- 1.1.1.1
- 9.9.9.9
2022-01-19 22:46:27 +01:00
```
2022-01-19 22:03:41 +01:00
Use `123.123.123.123` as single upstream DNS resolver for client laptop-home,
`1.1.1.1` and `9.9.9.9` for all clients in the sub-net `10.43.8.67/28` and 4 resolvers (default) for all others clients.
2021-03-05 08:02:00 +01:00
!!! note
2022-01-19 22:46:27 +01:00
** Blocky needs at least one upstream DNS server **
2021-03-05 08:02:00 +01:00
See [List of public DNS servers ](additional_information.md#list-of-public-dns-servers ) if you need some ideas, which
public free DNS server you could use.
2021-09-19 22:25:04 +02:00
### Upstream lookup timeout
Blocky will wait 2 seconds (default value) for the response from the external upstream DNS server. You can change this
value by setting the `upstreamTimeout` configuration parameter (in **duration format** ).
!!! example
2022-01-19 22:46:27 +01:00
```yaml
upstream:
2022-04-02 22:04:26 +02:00
default:
2022-01-19 22:46:27 +01:00
- 46.182.19.48
- 80.241.218.68
upstreamTimeout: 5s
```
2021-09-19 22:25:04 +02:00
2022-04-22 22:12:35 +02:00
## Bootstrap DNS configuration
This DNS server is used to resolve upstream DoH and DoT servers that are specified as hostnames.
Useful if no system DNS resolver is configured, and to encrypt the bootstrap queries.
| Parameter | Type | Mandatory | Default value | Description |
|-----------|----------------------------------|-----------------------------|---------------|--------------------------------------|
| upstream | Upstream (see below) | no | | |
| ips | List of IPs | yes, if upstream is DoT/DoH | | Only valid if upstream is DoH or DoT |
If you only need to specify upstream, you can use the short form: `bootstrapDns: <upstream>` .
!!! note
Works only on Linux/\*nix OS due to golang limitations under Windows.
!!! example
```yaml
bootstrapDns:
upstream: tcp-tls:dns.example.com
ips:
- 123.123.123.123
```
2022-04-01 08:58:09 +02:00
## Filtering
Under certain circumstances, it may be useful to filter some types of DNS queries. You can define one or more DNS query
types, all queries with these types will be dropped (empty answer will be returned).
!!! example
```yaml
filtering:
2022-04-02 22:04:26 +02:00
queryTypes:
- AAAA
2022-04-01 08:58:09 +02:00
```
This configuration will drop all 'AAAA' (IPv6) queries.
2022-06-20 13:02:51 +02:00
## FQDN only
In domain environments, it may be usefull to only response to FQDN requests. If this option is enabled blocky respond immidiatly
with NXDOMAIN if the request is not a valid FQDN. The request is therfore not further processed by other options like custom or conditional.
Please be aware that by enabling it your hostname resolution will break unless every hostname is part of a domain.
!!! example
```yaml
fqdnOnly: true
```
2021-03-05 08:02:00 +01:00
## Custom DNS
You can define your own domain name to IP mappings. For example, you can use a user-friendly name for a network printer
2021-03-07 22:50:47 +01:00
or define a domain name for your local device on order to use the HTTPS certificate. Multiple IP addresses for one
domain must be separated by a comma.
2021-03-05 08:02:00 +01:00
2022-04-02 22:04:26 +02:00
| Parameter | Type | Mandatory | Default value |
|-----------------------|-----------------------------------------|-----------|---------------|
| customTTL | duration (no unit is minutes) | no | 1h |
| rewrite | string: string (domain: domain) | no | |
| mapping | string: string (hostname: address list) | no | |
| filterUnmappedTypes | boolean | no | true |
2021-12-16 21:38:01 +01:00
2021-03-05 08:02:00 +01:00
!!! example
2022-01-19 22:46:27 +01:00
```yaml
customDNS:
2022-04-02 22:04:26 +02:00
customTTL: 1h
2022-04-02 22:04:26 +02:00
filterUnmappedTypes: true
rewrite:
home: lan
replace-me.com: with-this.com
2022-04-02 22:04:26 +02:00
mapping:
2022-01-19 22:46:27 +01:00
printer.lan: 192.168.178.3
otherdevice.lan: 192.168.178.15,2001:0db8:85a3:08d3:1319:8a2e:0370:7344
```
2021-03-05 08:02:00 +01:00
This configuration will also resolve any subdomain of the defined domain. For example a query "printer.lan" or "
my.printer.lan" will return 192.168.178.3 as IP address.
2022-03-17 22:30:21 +01:00
With the optional parameter `rewrite` you can replace domain part of the query with the defined part **before** the
2022-06-07 15:12:38 +02:00
resolver lookup is performed.
2022-03-17 22:30:21 +01:00
The query "printer.home" will be rewritten to "printer.lan" and return 192.168.178.3.
2021-03-05 08:02:00 +01:00
2022-03-22 22:15:31 +01:00
With parameter `filterUnmappedTypes = true` (default), blocky will filter all queries with unmapped types, for example:
AAAA for "printer.lan" or TXT for "otherdevice.lan".
2022-06-28 11:48:00 +02:00
With `filterUnmappedTypes = false` a query AAAA "printer.lan" will be forwarded to the upstream DNS server.
2022-03-22 22:15:31 +01:00
2021-03-05 08:02:00 +01:00
## Conditional DNS resolution
2021-12-21 22:03:02 +01:00
You can define, which DNS resolver(s) should be used for queries for the particular domain (with all subdomains). This
2021-03-05 08:02:00 +01:00
is for example useful, if you want to reach devices in your local network by the name. Since only your router know which
hostname belongs to which IP address, all DNS queries for the local network should be redirected to the router.
2022-03-17 22:30:21 +01:00
The optional parameter `rewrite` behaves the same as with custom DNS.
2021-03-10 22:59:04 +01:00
2022-07-11 08:06:42 +02:00
The optional parameter fallbackUpstream, if false (default), return empty result if after rewrite, the mapped resolver returned an empty answer. If true, the original query will be sent to the upstream resolver.
2022-09-03 22:12:07 +02:00
### Usage: One usecase when having split DNS for internal and external (internet facing) users, but not all subdomains are listed in the internal domain
2022-07-11 08:06:42 +02:00
2021-03-05 08:02:00 +01:00
!!! example
2022-01-19 22:46:27 +01:00
```yaml
conditional:
2022-07-11 08:06:42 +02:00
fallbackUpstream: false
2022-04-02 22:04:26 +02:00
rewrite:
example.com: fritz.box
replace-me.com: with-this.com
mapping:
fritz.box: 192.168.178.1
lan.net: 192.170.1.2,192.170.1.3
# for reverse DNS lookups of local devices
178.168.192.in-addr.arpa: 192.168.178.1
# for all unqualified hostnames
.: 168.168.0.1
2022-01-19 22:46:27 +01:00
```
!!! tip
You can use `.` as wildcard for all non full qualified domains (domains without dot)
2021-03-05 08:02:00 +01:00
2022-01-19 22:03:41 +01:00
In this example, a DNS query "client.fritz.box" will be redirected to the router's DNS server at 192.168.178.1 and client.lan.net to 192.170.1.2 and 192.170.1.3.
2022-07-11 08:06:42 +02:00
The query "client.example.com" will be rewritten to "client.fritz.box" and also redirected to the resolver at 192.168.178.1.
If not found and if `fallbackUpstream` was set to `true` , the original query "blog.example.com" will be sent upstream.
All unqualified hostnames (e.g. "test") will be redirected to the DNS server at 168.168.0.1.
2021-03-05 08:02:00 +01:00
2022-07-11 08:06:42 +02:00
One usecase for `fallbackUpstream` is when having split DNS for internal and external (internet facing) users, but not all subdomains are listed in the internal domain.
2021-03-05 08:02:00 +01:00
## Client name lookup
2021-10-13 22:47:14 +02:00
Blocky can try to resolve a user-friendly client name from the IP address or server URL (DoT and DoH). This is useful
for defining of blocking groups, since IP address can change dynamically.
2021-03-05 08:02:00 +01:00
2021-10-13 22:47:14 +02:00
### Resolving client name from URL/Host
If DoT or DoH is enabled, you can use a subdomain prefixed with `id-` to provide a client name (wildcard ssl certificate
recommended).
Example: domain `example.com`
DoT Host: `id-bob.example.com` -> request's client name is `bob`
DoH URL: `https://id-bob.example.com/dns-query` -> request's client name is `bob`
For DoH you can also pass the client name as url parameter:
2022-01-19 22:46:27 +01:00
DoH URL: `https://blocky.example.com/dns-query/alice` -> request's client name is `alice`
2021-10-13 22:47:14 +02:00
### Resolving client name from IP address
Blocky uses rDNS to retrieve client's name. To use this feature, you can configure a DNS server for client lookup (
typically your router). You can also define client names manually per IP address.
#### Single name order
2021-03-05 08:02:00 +01:00
Some routers return multiple names for the client (host name and user defined name). With
parameter `clientLookup.singleNameOrder` you can specify, which of retrieved names should be used.
2021-10-13 22:47:14 +02:00
#### Custom client name mapping
2021-03-05 08:02:00 +01:00
You can also map a particular client name to one (or more) IP (ipv4/ipv6) addresses. Parameter `clientLookup.clients`
contains a map of client name and multiple IP addresses.
!!! example
```yaml
clientLookup:
2022-04-02 22:04:26 +02:00
upstream: 192.168.178.1
singleNameOrder:
- 2
- 1
clients:
laptop:
- 192.168.178.29
2021-03-05 08:02:00 +01:00
```
Use `192.168.178.1` for rDNS lookup. Take second name if present, if not take first name. IP address `192.168.178.29` is mapped to `laptop` as client name.
## Blocking and whitelisting
Blocky can download and use external lists with domains or IP addresses to block DNS query (e.g. advertisement, malware,
trackers, adult sites). You can group several list sources together and define the blocking behavior per client.
2021-09-18 22:37:02 +02:00
External blacklists must be either in the well-known [Hosts format ](https://en.wikipedia.org/wiki/Hosts_(file )) or just
a plain domain list (one domain per line). Blocky also supports regex as more powerful tool to define patterns to block.
2021-03-05 08:02:00 +01:00
Blocky uses [DNS sinkhole ](https://en.wikipedia.org/wiki/DNS_sinkhole ) approach to block a DNS query. Domain name from
the request, IP address from the response, and the CNAME record will be checked against configured blacklists.
2021-12-21 22:03:02 +01:00
To avoid over-blocking, you can define or use already existing whitelists.
2021-03-05 08:02:00 +01:00
### Definition black and whitelists
2021-08-28 22:20:59 +02:00
Each black or whitelist can be either a path to the local file, a URL to download or inline list definition of a domains
in hosts format (YAML literal block scalar style). All Urls must be grouped to a group name.
2021-03-05 08:02:00 +01:00
!!! example
2022-01-19 22:46:27 +01:00
```yaml
blocking:
2022-04-02 22:04:26 +02:00
blackLists:
ads:
- https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
- https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
- |
# inline definition with YAML literal block scalar style
someadsdomain.com
anotheradsdomain.com
# this is a regex
/^banners?[_.-]/
2021-03-05 08:02:00 +01:00
special:
- https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts
whiteLists:
ads:
- whitelist.txt
2021-08-28 22:20:59 +02:00
- |
# inline definition with YAML literal block scalar style
whitelistdomain.com
2021-03-05 08:02:00 +01:00
```
In this example you can see 2 groups: **ads** with 2 lists and **special** with one list. One local whitelist was defined for the **ads** group.
!!! warning
If the same group has black and whitelists, whitelists will be used to disable particular blacklist entries.
If a group has **only** whitelist entries -> this means only domains from this list are allowed, all other domains will
be blocked
2022-02-14 21:38:26 +01:00
!!! note
Please define also client group mapping, otherwise you black and whitelist definition will have no effect
2021-09-18 22:37:02 +02:00
#### Regex support
You can use regex to define patterns to block. A regex entry must start and end with the slash character (/). Some
Examples:
- `/baddomain/` will block `www.baddomain.com` , `baddomain.com` , but also `mybaddomain-sometext.com`
- `/^baddomain/` will block `baddomain.com` , but not `www.baddomain.com`
- `/^apple\.(de|com)$/` will only block `apple.de` and `apple.com`
2021-03-05 08:02:00 +01:00
### Client groups
In this configuration section, you can define, which blocking group(s) should be used for which client in your network.
Example: All clients should use the **ads** group, which blocks advertisement and kids devices should use the **adult**
group, which blocky adult sites.
Clients without a group assignment will use automatically the **default** group.
2022-02-14 21:38:26 +01:00
You can use the client name (see [Client name lookup ](#client-name-lookup )), client's IP address, client's full-qualified domain name
or a client subnet as CIDR notation.
If full-qualified domain name is used (for example "myclient.ddns.org"), blocky will try to resolve the IP address (A and AAAA records) of this domain.
If client's IP address matches with the result, the defined group will be used.
2021-03-05 08:02:00 +01:00
!!! example
```yaml
blocking:
2022-04-02 22:04:26 +02:00
clientGroupsBlock:
# default will be used, if no special definition for a client name exists
default:
- ads
- special
laptop*:
- ads
192.168.178.1/24:
- special
kid-laptop:
- ads
- adult
2021-03-05 08:02:00 +01:00
```
All queries from network clients, whose device name starts with `laptop` , will be filtered against the **ads** group's lists. All devices from the subnet `192.168.178.1/24` against the **special** group and `kid-laptop` against **ads** and **adult** . All other clients: **ads** and **special** .
!!! tip
2022-01-19 22:46:27 +01:00
You can use `*` as wildcard for the sequence of any character or `[0-9]` as number range
2021-03-05 08:02:00 +01:00
### Block type
2021-03-26 22:37:36 +01:00
You can configure, which response should be sent to the client, if a requested query is blocked (only for A and AAAA
queries, NXDOMAIN for other types):
2021-03-05 08:02:00 +01:00
2021-12-21 22:03:02 +01:00
| blockType | Example | Description |
|------------|---------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| zeroIP | zeroIP | This is the default block type. Server returns 0.0.0.0 (or :: for IPv6) as result for A and AAAA queries |
| nxDomain | nxDomain | return NXDOMAIN as return code |
| custom IPs | 192.100.100.15, 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 | comma separated list of destination IP addresses. Should contain ipv4 and ipv6 to cover all query types. Useful with running web server on this address to display the "blocked" page. |
2021-03-05 08:02:00 +01:00
!!! example
2022-01-19 22:46:27 +01:00
```yaml
blocking:
2022-04-02 22:04:26 +02:00
blockType: nxDomain
2022-01-19 22:46:27 +01:00
```
2021-03-05 08:02:00 +01:00
2021-09-04 23:10:32 +02:00
### Block TTL
2021-09-12 21:17:32 +02:00
TTL for answers to blocked domains can be set to customize the time (in **duration format** ) clients ask for those
2022-04-02 22:05:07 +02:00
domains again. Default Block TTL is **6hours** . This setting only makes sense when `blockType` is set to `nxDomain` or
`zeroIP` , and will affect how much time it could take for a client to be able to see the real IP address for a domain
after receiving the custom value.
2021-09-04 23:10:32 +02:00
!!! example
2022-01-19 22:46:27 +01:00
```yaml
2021-09-04 23:10:32 +02:00
blocking:
blockType: 192.100.100.15, 2001:0db8:85a3:08d3:1319:8a2e:0370:7344
2021-09-12 21:17:32 +02:00
blockTTL: 10s
2021-09-04 23:10:32 +02:00
```
2021-03-05 08:02:00 +01:00
### List refresh period
To keep the list cache up-to-date, blocky will periodically download and reload all external lists. Default period is **
2021-09-12 21:17:32 +02:00
4 hours**. You can configure this by setting the `blocking.refreshPeriod` parameter to a value in **duration format** .
Negative value will deactivate automatically refresh.
2021-03-05 08:02:00 +01:00
!!! example
2022-01-19 22:46:27 +01:00
```yaml
blocking:
2022-04-02 22:04:26 +02:00
refreshPeriod: 60m
```
2021-03-05 08:02:00 +01:00
2021-12-21 22:03:02 +01:00
Refresh every hour.
2021-03-05 08:02:00 +01:00
2021-11-14 21:34:09 +01:00
### Download
2021-09-14 22:48:57 +02:00
2021-11-14 21:34:09 +01:00
You can configure the list download attempts according to your internet connection:
2021-12-21 22:03:02 +01:00
| Parameter | Type | Mandatory | Default value | Description |
|------------------|-----------------|-----------|---------------|-------------------------------------------------|
| downloadTimeout | duration format | no | 60s | Download attempt timeout |
| downloadAttempts | int | no | 3 | How many download attempts should be performed |
| downloadCooldown | duration format | no | 1s | Time between the download attempts |
2021-10-14 21:53:20 +02:00
2021-09-14 22:48:57 +02:00
!!! example
2022-01-19 22:46:27 +01:00
```yaml
blocking:
2022-04-02 22:04:26 +02:00
downloadTimeout: 4m
downloadAttempts: 5
downloadCooldown: 10s
2022-01-19 22:46:27 +01:00
```
2021-09-14 22:48:57 +02:00
2022-09-03 22:12:07 +02:00
### Start strategy
2021-10-14 21:53:20 +02:00
2022-09-03 22:12:07 +02:00
You can configure the blocking behavior during application start of blocky.
If no starategy is selected blocking will be used.
2021-10-14 21:53:20 +02:00
2022-09-03 22:12:07 +02:00
| startStrategy | Description |
|---------------|-------------------------------------------------------------------------------------------------------|
| blocking | all blocking lists will be loaded before DNS resoulution starts |
| failOnError | like blocking but blocky shutsdown if an download fails |
| fast | DNS resolution starts immediately without blocking which will be enabled after list load is completed |
2021-10-14 21:53:20 +02:00
!!! example
2022-01-19 22:46:27 +01:00
```yaml
blocking:
2022-09-03 22:12:07 +02:00
startStrategy: failOnError
2021-10-14 21:53:20 +02:00
```
2022-05-16 21:32:16 +02:00
### Concurrency
Blocky downloads and processes links in a single group concurrently. With parameter `processingConcurrency` you can adjust
how many links can be processed in the same time. Higher value can reduce the overall list refresh time, but more parallel
download and processing jobs need more RAM. Please consider to reduce this value on systems with limited memory. Default value is 4.
2022-09-03 22:12:07 +02:00
!!! example
2022-05-16 21:32:16 +02:00
```yaml
blocking:
processingConcurrency: 10
```
2021-03-05 08:02:00 +01:00
## Caching
Each DNS response has a TTL (Time-to-live) value. This value defines, how long is the record valid in seconds. The
values are maintained by domain owners, server administrators etc. Blocky caches the answers from all resolved queries
in own cache in order to avoid repeated requests. This reduces the DNS traffic and increases the network speed, since
blocky can serve the result immediately from the cache.
With following parameters you can tune the caching behavior:
!!! warning
2022-01-19 22:46:27 +01:00
Wrong values can significantly increase external DNS traffic or memory consumption.
2021-03-05 08:02:00 +01:00
2021-12-21 22:03:02 +01:00
| Parameter | Type | Mandatory | Default value | Description |
|-------------------------------|-----------------|-----------|---------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| caching.minTime | duration format | no | 0 (use TTL) | How long a response must be cached (min value). If < =0, use response's TTL, if >0 use this value, if TTL is smaller |
| caching.maxTime | duration format | no | 0 (use TTL) | How long a response must be cached (max value). If < 0 , do not cache responses . If 0 , use TTL . If > 0, use this value, if TTL is greater |
| caching.maxItemsCount | int | no | 0 (unlimited) | Max number of cache entries (responses) to be kept in cache (soft limit). Default (0): unlimited. Useful on systems with limited amount of RAM. |
| caching.prefetching | bool | no | false | if true, blocky will preload DNS results for often used queries (default: names queried more than 5 times in a 2 hour time window). Results in cache will be loaded again on their expire (TTL). This improves the response time for often used queries, but significantly increases external traffic. It is recommended to increase "minTime" to reduce the number of prefetch queries to external resolvers. |
| caching.prefetchExpires | duration format | no | 2h | Prefetch track time window |
| caching.prefetchThreshold | int | no | 5 | Name queries threshold for prefetch |
| caching.prefetchMaxItemsCount | int | no | 0 (unlimited) | Max number of domains to be kept in cache for prefetching (soft limit). Default (0): unlimited. Useful on systems with limited amount of RAM. |
2022-11-08 11:27:59 +01:00
| caching.cacheTimeNegative | duration format | no | 30m | Time how long negative results (NXDOMAIN response or empty result) are cached. A value of -1 will disable caching for negative results. |
2021-03-05 08:02:00 +01:00
!!! example
2022-01-19 22:46:27 +01:00
```yaml
caching:
2022-04-02 22:04:26 +02:00
minTime: 5m
maxTime: 30m
prefetching: true
2022-01-19 22:46:27 +01:00
```
2021-12-21 22:03:02 +01:00
2021-12-21 17:06:16 +01:00
## Redis
2022-01-19 22:03:41 +01:00
Blocky can synchronize its cache and blocking state between multiple instances through redis.
2021-12-21 17:06:16 +01:00
Synchronization is disabled if no address is configured.
2021-12-21 22:03:02 +01:00
| Parameter | Type | Mandatory | Default value | Description |
|--------------------------|-----------------|-----------|---------------|--------------------------------------------|
| redis.address | string | no | | Server address and port |
| redis.password | string | no | | Password if necessary |
| redis.database | int | no | 0 | Database |
| redis.required | bool | no | false | Connection is required for blocky to start |
| redis.connectionAttempts | int | no | 3 | Max connection attempts |
| redis.connectionCooldown | duration format | no | 1s | Time between the connection attempts |
2021-12-21 17:06:16 +01:00
!!! example
2022-01-19 22:46:27 +01:00
```yaml
redis:
2022-04-02 22:04:26 +02:00
address: redis:6379
password: passwd
database: 2
required: true
connectionAttempts: 10
connectionCooldown: 3s
2022-01-19 22:46:27 +01:00
```
2021-03-05 08:02:00 +01:00
## Prometheus
Blocky can expose various metrics for prometheus. To use the prometheus feature, the HTTP listener must be enabled (
see [Basic Configuration ](#basic-configuration )).
2021-12-21 22:03:02 +01:00
| Parameter | Mandatory | Default value | Description |
|-------------------|-----------|---------------|-------------------------------------|
| prometheus.enable | no | false | If true, enables prometheus metrics |
| prometheus.path | no | /metrics | URL path to the metrics endpoint |
2021-03-05 08:02:00 +01:00
!!! example
2022-01-19 22:46:27 +01:00
```yaml
prometheus:
2022-04-02 22:04:26 +02:00
enable: true
path: /metrics
2022-01-19 22:46:27 +01:00
```
2021-03-05 08:02:00 +01:00
## Query logging
2021-08-30 18:11:06 +02:00
You can enable the logging of DNS queries (question, answer, client, duration etc.) to a daily CSV file (can be opened
in Excel or OpenOffice Calc) or MySQL/MariaDB database.
2021-03-05 08:02:00 +01:00
!!! warning
2022-01-19 22:46:27 +01:00
Query file/database contains sensitive information. Please ensure to inform users, if you log their queries.
2021-08-30 18:11:06 +02:00
### Query log types
You can select one of following query log types:
- `mysql` - log each query in the external MySQL/MariaDB database
2022-01-07 21:42:06 +01:00
- `postgresql` - log each query in the external PostgreSQL database
2021-08-30 18:11:06 +02:00
- `csv` - log into CSV file (one per day)
- `csv-client` - log into CSV file (one per day and per client)
2021-11-10 21:54:32 +01:00
- `console` - log into console output
- `none` - do not log any queries
2021-03-05 08:02:00 +01:00
Configuration parameters:
2022-01-07 21:42:06 +01:00
| Parameter | Type | Mandatory | Default value | Description |
|---------------------------|----------------------------------------------------------------------|-----------|---------------|----------------------------------------------------------------------------------------|
| queryLog.type | enum (mysql, postgresql, csv, csv-client, console, none (see above)) | no | | Type of logging target. Console if empty |
| queryLog.target | string | no | | directory for writing the logs (for csv) or database url (for mysql or postgresql) |
| queryLog.logRetentionDays | int | no | 0 | if > 0, deletes log files/database entries which are older than ... days |
| queryLog.creationAttempts | int | no | 3 | Max attempts to create specific query log writer |
| queryLog.CreationCooldown | duration format | no | 2 | Time between the creation attempts |
2021-03-05 08:02:00 +01:00
!!! hint
2022-01-19 22:46:27 +01:00
Please ensure, that the log directory is writable or database exists. If you use docker, please ensure, that the directory is properly
mounted (e.g. volume)
2021-03-05 08:02:00 +01:00
2021-08-30 18:11:06 +02:00
example for CSV format
!!! example
2022-01-19 22:46:27 +01:00
```yaml
queryLog:
2022-04-02 22:04:26 +02:00
type: csv
target: /logs
logRetentionDays: 7
2022-01-19 22:46:27 +01:00
```
2021-08-30 18:11:06 +02:00
example for Database
2021-03-05 08:02:00 +01:00
!!! example
2022-01-19 22:46:27 +01:00
```yaml
queryLog:
2022-04-02 22:04:26 +02:00
type: mysql
target: db_user:db_password@tcp(db_host_or_ip:3306)/db_user?charset=utf8mb4& parseTime=True& loc=Local
logRetentionDays: 7
2022-01-19 22:46:27 +01:00
```
2022-01-04 15:40:09 +01:00
2022-11-03 20:44:33 +01:00
## Hosts file
2022-01-04 15:40:09 +01:00
You can enable resolving of entries, located in local hosts file.
Configuration parameters:
2022-08-23 08:54:03 +02:00
| Parameter | Type | Mandatory | Default value | Description |
|--------------------------|--------------------------------|-----------|---------------|--------------------------------------------------|
| hostsFile.filePath | string | no | | Path to hosts file (e.g. /etc/hosts on Linux) |
| hostsFile.hostsTTL | duration (no units is minutes) | no | 1h | TTL |
| hostsFile.refreshPeriod | duration format | no | 1h | Time between hosts file refresh |
| hostsFile.filterLoopback | bool | no | false | Filter loopback addresses (127.0.0.0/8 and ::1) |
2022-01-04 15:40:09 +01:00
!!! example
2022-01-19 22:46:27 +01:00
```yaml
hostsFile:
2022-04-02 22:04:26 +02:00
filePath: /etc/hosts
hostsTTL: 60m
refreshPeriod: 30m
2022-01-19 22:46:27 +01:00
```
2021-03-05 08:02:00 +01:00
2022-08-06 22:30:26 +02:00
### Deliver EDE codes as EDNS0 option
DNS responses can be extended with EDE codes according to [RFC8914 ](https://datatracker.ietf.org/doc/rfc8914/ ).
Configuration parameters:
| Parameter | Type | Mandatory | Default value | Description |
|--------------------------|--------------------------------|-----------|---------------|----------------------------------------------------|
| ede.enable | bool | no | false | If true, DNS responses are deliverd with EDE codes |
!!! example
```yaml
ede:
enable: true
```
2021-10-02 22:54:56 +02:00
## SSL certificate configuration (DoH / TLS listener)
2021-03-05 08:02:00 +01:00
See [Wiki - Configuration of HTTPS ](https://github.com/0xERR0R/blocky/wiki/Configuration-of-HTTPS-for-DoH-and-Rest-API )
2021-10-02 22:54:56 +02:00
for detailed information, how to create and configure SSL certificates.
2021-03-05 08:02:00 +01:00
DoH url: `https://host:port/dns-query`
--8< -- " docs / includes / abbreviations . md "
