Encrypted DNS Example On Windows 11

Note: this stub resolver example uses ODoH (dnscrypt-proxy 2.x). It can be used together with a VPN, and with an optional caching-only DNS / name server behind it.

1.) Install the latest version of [WinRAR](https://www.win-rar.com/download.html?&L=0)

2.) [Download dnscrypt-proxy (win64 .zip)](https://github.com/DNSCrypt/dnscrypt-proxy/releases/latest) and extract the following files to this folder: "C:\Program Files\dnscrypt-proxy"

dnscrypt-proxy.exe, localhost.pem, service-install.bat

3.) Download the following resolver lists and their signatures and place them in: "C:\Program Files\dnscrypt-proxy"

[odoh-relays.md](https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-relays.md) | [odoh-relays.md.minisig](https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-relays.md.minisig)
[odoh-servers.md](https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-servers.md) | [odoh-servers.md.minisig](https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-servers.md.minisig)

4.) Download the [ OISD FULL - Domains (wildcards) ] blocklist and place it in: "C:\Program Files\dnscrypt-proxy"

[oisd_dblw_full.txt](https://dblw.oisd.nl/)

5.) Copy the following and save it as "dnscrypt-proxy.toml" in this folder: "C:\Program Files\dnscrypt-proxy"

```toml
##############################################
#                                            #
#        dnscrypt-proxy configuration        #
#                                            #
##############################################

## This is an example configuration file.
## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"
##
## Online documentation is available here: https://dnscrypt.info/doc



##################################
#         Global settings        #
##################################

## List of servers to use
##
## Servers from the "public-resolvers" source (see down below) can
## be viewed here: https://dnscrypt.info/public-servers
##
## The proxy will automatically pick working servers from this list.
## Note that the require_* filters do NOT apply when using this setting.
##
## By default, this list is empty and all registered servers matching the
## require_* filters will be used instead.
##
## Remove the leading # first to enable this; lines starting with # are ignored.

# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']


## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
## Example with both IPv4 and IPv6:
## listen_addresses = ['127.0.0.1:53', '[::1]:53']
##
## To listen to all IPv4 addresses, use `listen_addresses = ['0.0.0.0:53']`
## To listen to all IPv4+IPv6 addresses, use `listen_addresses = ['[::]:53']`

listen_addresses = ['127.0.0.1:53']


## Maximum number of simultaneous client connections to accept

max_clients = 25000


## Switch to a different system user after listening sockets have been created.
## Note (1): this feature is currently unsupported on Windows.
## Note (2): this feature is not compatible with systemd socket activation.
## Note (3): when using -pidfile, the PID file directory must be writable by the new user

# user_name = 'nobody'


## Require servers (from remote sources) to satisfy specific properties

# Use servers reachable over IPv4
ipv4_servers = true

# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
ipv6_servers = false

# Use servers implementing the DNSCrypt protocol
dnscrypt_servers = true

# Use servers implementing the DNS-over-HTTPS protocol
doh_servers = true

# Use servers implementing the Oblivious DoH protocol
odoh_servers = true

## Require servers defined by remote sources to satisfy specific properties

# Server must support DNS security extensions (DNSSEC)
require_dnssec = true

# Server must not log user queries (declarative)
require_nolog = true

# Server must not enforce its own blocklist (for parental control, ads blocking...)
require_nofilter = true

# Server names to avoid even if they match all criteria
disabled_server_names = []


## Always use TCP to connect to upstream servers.
## This can be useful if you need to route everything through Tor.
## Otherwise, leave this to `false`, as it doesn't improve security
## (dnscrypt-proxy will always encrypt everything even using UDP), and can
## only increase latency.

force_tcp = false


## SOCKS proxy
## Uncomment the following line to route all TCP connections to a local Tor node
## Tor doesn't support UDP, so set `force_tcp` to `true` as well.

# proxy = 'socks5://127.0.0.1:9050'


## HTTP/HTTPS proxy
## Only for DoH servers

# http_proxy = 'http://127.0.0.1:8888'


## How long a DNS query will wait for a response, in milliseconds.
## If you have a network with *a lot* of latency, you may need to
## increase this. Startup may be slower if you do so.
## Don't increase it too much. 10000 is the highest reasonable value.

timeout = 3000


## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds

keepalive = 5


## Add EDNS-client-subnet information to outgoing queries
##
## Multiple networks can be listed; they will be randomly chosen.
## These networks don't have to match your actual networks.

edns_client_subnet = ["0.0.0.0/0", "2001:db8::/32"]


## Response for blocked queries. Options are `refused`, `hinfo` (default) or
## an IP response. To give an IP response, use the format `a:<IPV4>,aaaa:<IPV6>`.
## Using the `hinfo` option means that some responses will be lies.
## Unfortunately, the `hinfo` option appears to be required for Android 8+

blocked_query_response = 'refused'


## Load-balancing strategy: 'p2' (default), 'ph', 'p<N>', 'first' or 'random'
## Randomly choose 1 of the fastest 2, half, n, 1 or all live servers by latency.
## The response quality still depends on the server itself.

lb_strategy = 'p2'

## Set to `true` to constantly try to estimate the latency of all the resolvers
## and adjust the load-balancing parameters accordingly, or to `false` to disable.
## Default is `true` that makes 'p2' `lb_strategy` work well.

lb_estimator = true


## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)

# log_level = 6


## Log file for the application, as an alternative to sending logs to
## the standard system logging service (syslog/Windows event log).
##
## This file is different from other log files, and will not be
## automatically rotated by the application.

# log_file = 'dnscrypt-proxy.log'


## When using a log file, only keep logs from the most recent launch.

# log_file_latest = true


## Use the system logger (syslog on Unix, Event Log on Windows)

use_syslog = false


## Delay, in minutes, after which certificates are reloaded

cert_refresh_delay = 240


## DNSCrypt: Create a new, unique key for every single DNS query
## This may improve privacy but can also have a significant impact on CPU usage
## Only enable if you don't have a lot of network load

dnscrypt_ephemeral_keys = true


## DoH: Disable TLS session tickets - increases privacy but also latency

tls_disable_session_tickets = true


## Cipher Suites

## DoH: Use a specific cipher suite instead of the server preference
##
## TLS 1.3
##
## 4866 = TLS_AES_256_GCM_SHA384 (0x1302) ECDH secp384r1 (eq. 7680 bits RSA) FS 256
##
## TLS 1.2
##
## 49196 = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) ECDH secp384r1 (eq. 7680 bits RSA) FS 256
## 49200 = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp384r1 (eq. 7680 bits RSA) FS 256
##
## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
## the following suite improves performance.
## This may also help on Intel CPUs running 32-bit operating systems.
##
## Keep tls_cipher_suite empty if you have issues fetching sources or
## connecting to some DoH servers. Google and Cloudflare are fine with it.

tls_cipher_suite = [4866, 49196, 49200]


## Bootstrap resolvers
##
## These are normal, non-encrypted DNS resolvers, that will be only used
## for one-shot queries when retrieving the initial resolvers list and the
## the system DNS configuration doesn't work.
##
## No user queries will ever be leaked through these resolvers, and they will
## not be used after IP addresses of DoH resolvers have been found (if you are
## using DoH).
##
## They will never be used if lists have already been cached, and if the stamps
## of the configured servers already include IP addresses (which is the case for
## most of DoH servers, and for all DNSCrypt servers and relays).
##
## They will not be used if the configured system DNS works, or after the
## proxy already has at least one usable secure resolver.
##
## Resolvers supporting DNSSEC are recommended, and, if you are using
## DoH, bootstrap resolvers should ideally be operated by a different entity
## than the DoH servers you will be using, especially if you have IPv6 enabled.
##
## People in China may want to use 114.114.114.114:53 here.
## Other popular options include 8.8.8.8, 9.9.9.9 and 1.1.1.1.
##
## If more than one resolver is specified, they will be tried in sequence.
##
## TL;DR: put valid standard resolver addresses here. Your actual queries will
## not be sent there. If you're using DNSCrypt or Anonymized DNS and your
## lists are up to date, these resolvers will not even be used.

bootstrap_resolvers = ['9.9.9.11:53', '149.112.112.11:53']


## Always use the bootstrap resolver before the system DNS settings.

ignore_system_dns = true

## Maximum time (in seconds) to wait for network connectivity before
## initializing the proxy.
## Useful if the proxy is automatically started at boot, and network
## connectivity is not guaranteed to be immediately available.
## Use 0 to not test for connectivity at all (not recommended),
## and -1 to wait as much as possible.

netprobe_timeout = -1

## Address and port to try initializing a connection to, just to check
## if the network is up. It can be any address and any port, even if
## there is nothing answering these on the other side. Just don't use
## a local address, as the goal is to check for Internet connectivity.
## On Windows, a datagram with a single, nul byte will be sent, only
## when the system starts.
## On other operating systems, the connection will be initialized
## but nothing will be sent at all.

netprobe_address = '9.9.9.11:53'


## Offline mode - Do not use any remote encrypted servers.
## The proxy will remain fully functional to respond to queries that
## plugins can handle directly (forwarding, cloaking, ...)

# offline_mode = false


## Additional data to attach to outgoing queries.
## These strings will be added as TXT records to queries.
## Do not use, except on servers explicitly asking for extra data
## to be present.
## encrypted-dns-server can be configured to use this for access control
## in the [access_control] section

# query_meta = ['key1:value1', 'key2:value2', 'token:MySecretToken']


## Automatic log files rotation

# Maximum log files size in MB - Set to 0 for unlimited.
log_files_max_size = 1

# How long to keep backup files, in days
log_files_max_age = 1

# Maximum log files backups to keep (or 0 to keep all backups)
log_files_max_backups = 1



#########################
#        Filters        #
#########################

## Note: if you are using dnsmasq, disable the `dnssec` option in dnsmasq if you
## configure dnscrypt-proxy to do any kind of filtering (including the filters
## below and blocklists).
## You can still choose resolvers that do DNSSEC validation.


## Immediately respond to IPv6-related queries with an empty response
## This makes things faster when there is no IPv6 connectivity, but can
## also cause reliability issues with some stub resolvers.

block_ipv6 = true


## Immediately respond to A and AAAA queries for host names without a domain name

block_unqualified = true


## Immediately respond to queries for local zones instead of leaking them to
## upstream resolvers (always causing errors or timeouts).

block_undelegated = true


## TTL for synthetic responses sent when a request has been blocked (due to
## IPv6 or blocklists).

reject_ttl = 600



##################################################################################
#        Route queries for specific domains to a dedicated set of servers        #
##################################################################################

## See the `example-forwarding-rules.txt` file for an example

# forwarding_rules = 'forwarding-rules.txt'



###############################
#        Cloaking rules       #
###############################

## Cloaking returns a predefined address for a specific name.
## In addition to acting as a HOSTS file, it can also return the IP address
## of a different name. It will also do CNAME flattening.
##
## See the `example-cloaking-rules.txt` file for an example

# cloaking_rules = 'cloaking-rules.txt'

## TTL used when serving entries in cloaking-rules.txt

# cloak_ttl = 600



###########################
#        DNS cache        #
###########################

## Enable a DNS cache to reduce latency and outgoing traffic

cache = true


## Cache size

cache_size = 262144


## Minimum TTL for cached entries

cache_min_ttl = 2400


## Maximum TTL for cached entries

cache_max_ttl = 86400


## Minimum TTL for negatively cached entries

cache_neg_min_ttl = 60


## Maximum TTL for negatively cached entries

cache_neg_max_ttl = 600



########################################
#        Captive portal handling       #
########################################

[captive_portals]

## A file that contains a set of names used by operating systems to
## check for connectivity and captive portals, along with hard-coded
## IP addresses to return.

# map_file = 'example-captive-portals.txt'



##################################
#        Local DoH server        #
##################################

[local_doh]

## dnscrypt-proxy can act as a local DoH server. By doing so, web browsers
## requiring a direct connection to a DoH server in order to enable some
## features will enable these, without bypassing your DNS proxy.

## Addresses that the local DoH server should listen to

## listen_addresses = ['127.0.0.1:5555']

## Path of the DoH URL. This is not a file, but the part after the hostname
## in the URL. By convention, `/dns-query` is frequently chosen.
## For each `listen_address` the complete URL to access the server will be:
## `https://<LISTEN_ADDRESS><PATH>` (ex: `https://127.0.0.1/dns-query`)

## path = '/dns-query'

## Certificate file and key - Note that the certificate has to be trusted.
## See the documentation (wiki) for more information.

## cert_file = '_Cert.pem'
## cert_key_file = '_Key.pem'

###############################
#        Query logging        #
###############################

## Log client queries to a file

[query_log]

  ## Path to the query log file (absolute, or relative to the same directory as the config file)
  ## Can be set to /dev/stdout in order to log to the standard output.

  # file = 'query.log'


  ## Query log format (currently supported: tsv and ltsv)

  format = 'tsv'


  ## Do not log these query types, to reduce verbosity. Keep empty to log everything.

  # ignored_qtypes = ['DNSKEY', 'NS']



############################################
#        Suspicious queries logging        #
############################################

## Log queries for nonexistent zones
## These queries can reveal the presence of malware, broken/obsolete applications,
## and devices signaling their presence to 3rd parties.

[nx_log]

  ## Path to the query log file (absolute, or relative to the same directory as the config file)

  # file = 'nx.log'


  ## Query log format (currently supported: tsv and ltsv)

  format = 'tsv'



#####################################################
#        Pattern-based blocking (blocklists)        #
#####################################################

## Blocklists are made of one pattern per line. Example of valid patterns:
##
##   example.com
##   =example.com
##   *sex*
##   ads.*
##   ads*.example.*
##   ads*.example[0-9]*.com
##
## Example blocklist files can be found at https://download.dnscrypt.info/blocklists/
## A script to build blocklists from public feeds can be found in the
## `utils/generate-domains-blocklists` directory of the dnscrypt-proxy source code.

[blocked_names]

  ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)

  # Site: https://oisd.nl/downloads
  # Selection: Domains (wildcards) - full

  # blocked_names_file = 'oisd_dblw_full.txt'


  ## Optional path to a file logging blocked queries

  # log_file = 'blocked-names.log'


  ## Optional log format: tsv or ltsv (default: tsv)

  # log_format = 'tsv'



###########################################################
#        Pattern-based IP blocking (IP blocklists)        #
###########################################################

## IP blocklists are made of one pattern per line. Example of valid patterns:
##
##   127.*
##   fe80:abcd:*
##   192.168.1.4

[blocked_ips]

  ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)

  # blocked_ips_file = 'blocked-ips.txt'


  ## Optional path to a file logging blocked queries

  # log_file = 'blocked-ips.log'


  ## Optional log format: tsv or ltsv (default: tsv)

  # log_format = 'tsv'



#####################################################
#   Pattern-based allow lists (blocklists bypass)   #
#####################################################

## Allowlists support the same patterns as blocklists
## If a name matches an allowlist entry, the corresponding session
## will bypass names and IP filters.
##
## Time-based rules are also supported to make some websites only accessible at specific times of the day.

[allowed_names]

  ## Path to the file of allow list rules (absolute, or relative to the same directory as the config file)

  # allowed_names_file = 'allowed-names.txt'


  ## Optional path to a file logging allowed queries

  # log_file = 'allowed-names.log'


  ## Optional log format: tsv or ltsv (default: tsv)

  # log_format = 'tsv'



#########################################################
#   Pattern-based allowed IPs lists (blocklists bypass) #
#########################################################

## Allowed IP lists support the same patterns as IP blocklists
## If an IP response matches an allow ip entry, the corresponding session
## will bypass IP filters.
##
## Time-based rules are also supported to make some websites only accessible at specific times of the day.

[allowed_ips]

  ## Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file)

  # allowed_ips_file = 'allowed-ips.txt'


  ## Optional path to a file logging allowed queries

  # log_file = 'allowed-ips.log'

  ## Optional log format: tsv or ltsv (default: tsv)

  # log_format = 'tsv'



##########################################
#        Time access restrictions        #
##########################################

## One or more weekly schedules can be defined here.
## Patterns in the name-based blocked_names file can optionally be followed with @schedule_name
## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
##
## For example, the following rule in a blocklist file:
## *.youtube.* @time-to-sleep
## would block access to YouTube during the times defined by the 'time-to-sleep' schedule.
##
## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
## {after= '9:00', before='18:00'} matches 9:00-18:00

[schedules]

  # [schedules.'time-to-sleep']
  # mon = [{after='21:00', before='7:00'}]
  # tue = [{after='21:00', before='7:00'}]
  # wed = [{after='21:00', before='7:00'}]
  # thu = [{after='21:00', before='7:00'}]
  # fri = [{after='23:00', before='7:00'}]
  # sat = [{after='23:00', before='7:00'}]
  # sun = [{after='21:00', before='7:00'}]

  # [schedules.'work']
  # mon = [{after='9:00', before='18:00'}]
  # tue = [{after='9:00', before='18:00'}]
  # wed = [{after='9:00', before='18:00'}]
  # thu = [{after='9:00', before='18:00'}]
  # fri = [{after='9:00', before='17:00'}]



#########################
#        Servers        #
#########################

## Remote lists of available servers
## Multiple sources can be used simultaneously, but every source
## requires a dedicated cache
```
20file.%0A%23%23%0A%23%23%20Refer%20to%20the%20documentation%20for%20URLs%20of%20public%20sources.%0A%23%23%0A%23%23%20A%20prefix%20can%20be%20prepended%20to%20server%20names%20in%20order%20to%0A%23%23%20avoid%20collisions%20if%20different%20sources%20share%20the%20same%20for%0A%23%23%20different%20servers.%20In%20that%20case%2C%20names%20listed%20in%20%60server_names%60%0A%23%23%20must%20include%20the%20prefixes.%0A%23%23%0A%23%23%20If%20the%20%60urls%60%20property%20is%20missing%2C%20cache%20files%20and%20valid%20signatures%0A%23%23%20must%20already%20be%20present.%20This%20doesn't%20prevent%20these%20cache%20files%20from%0A%23%23%20expiring%20after%20%60refresh_delay%60%20hours.%0A%23%23%20Cache%20freshness%20is%20checked%20every%2024%20hours%2C%20so%20values%20for%20'refresh_delay'%0A%23%23%20of%20less%20than%2024%20hours%20will%20have%20no%20effect.%0A%23%23%20A%20maximum%20delay%20of%20168%20hours%20(1%20week)%20is%20imposed%20to%20ensure%20cache%20freshness.%0A%0A%5Bsources%5D%0A%0A%20%20%23%23%20An%20example%20of%20a%20remote%20source%20from%20https%3A%2F%2Fgithub.com%2FDNSCrypt%2Fdnscrypt-resolvers%0A%0A%20%20%20%20%23%20%5Bsources.'public-resolvers'%5D%0A%20%20%20%20%23%20urls%20%3D%20%5B'https%3A%2F%2Fraw.githubusercontent.com%2FDNSCrypt%2Fdnscrypt-resolvers%2Fmaster%2Fv3%2Fpublic-resolvers.md'%2C%20'https%3A%2F%2Fdownload.dnscrypt.info%2Fresolvers-list%2Fv3%2Fpublic-resolvers.md'%2C%20'https%3A%2F%2Fipv6.download.dnscrypt.info%2Fresolvers-list%2Fv3%2Fpublic-resolvers.md'%2C%20'https%3A%2F%2Fdownload.dnscrypt.net%2Fresolvers-list%2Fv3%2Fpublic-resolvers.md'%5D%0A%20%20%20%20%23%20cache_file%20%3D%20'public-resolvers.md'%0A%20%20%20%20%23%20minisign_key%20%3D%20'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'%0A%20%20%20%20%23%20refresh_delay%20%3D%20168%0A%20%20%20%20%23%20prefix%20%3D%20''%0A%0A%20%20%23%23%20Anonymized%20DNS%20relays%0A%0A%20%20%20%20%23%20%5Bsources.'relays'%5D%0A%20%20%20%20%23%20urls%20%3D%20%5B'https%3A%2F%2Fraw.githubuser
content.com%2FDNSCrypt%2Fdnscrypt-resolvers%2Fmaster%2Fv3%2Frelays.md'%2C%20'https%3A%2F%2Fdownload.dnscrypt.info%2Fresolvers-list%2Fv3%2Frelays.md'%2C%20'https%3A%2F%2Fipv6.download.dnscrypt.info%2Fresolvers-list%2Fv3%2Frelays.md'%2C%20'https%3A%2F%2Fdownload.dnscrypt.net%2Fresolvers-list%2Fv3%2Frelays.md'%5D%0A%20%20%20%20%23%20cache_file%20%3D%20'relays.md'%0A%20%20%20%20%23%20minisign_key%20%3D%20'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'%0A%20%20%20%20%23%20refresh_delay%20%3D%20168%0A%20%20%20%20%23%20prefix%20%3D%20''%0A%0A%20%20%23%23%20ODoH%20(Oblivious%20DoH)%20servers%20and%20relays%0A%0A%20%20%20%20%5Bsources.'odoh-servers'%5D%0A%20%20%20%20%20%20urls%20%3D%20%5B'https%3A%2F%2Fraw.githubusercontent.com%2FDNSCrypt%2Fdnscrypt-resolvers%2Fmaster%2Fv3%2Fodoh-servers.md'%2C%20'https%3A%2F%2Fdownload.dnscrypt.info%2Fresolvers-list%2Fv3%2Fodoh-servers.md'%2C%20'https%3A%2F%2Fipv6.download.dnscrypt.info%2Fresolvers-list%2Fv3%2Fodoh-servers.md'%2C%20'https%3A%2F%2Fdownload.dnscrypt.net%2Fresolvers-list%2Fv3%2Fodoh-servers.md'%5D%0A%20%20%20%20%20%20cache_file%20%3D%20'odoh-servers.md'%0A%20%20%20%20%20%20minisign_key%20%3D%20'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'%0A%20%20%20%20%20%20refresh_delay%20%3D%20168%0A%20%20%20%20%20%20prefix%20%3D%20''%0A%20%20%20%20%5Bsources.'odoh-relays'%5D%0A%20%20%20%20%20%20urls%20%3D%20%5B'https%3A%2F%2Fraw.githubusercontent.com%2FDNSCrypt%2Fdnscrypt-resolvers%2Fmaster%2Fv3%2Fodoh-relays.md'%2C%20'https%3A%2F%2Fdownload.dnscrypt.info%2Fresolvers-list%2Fv3%2Fodoh-relays.md'%2C%20'https%3A%2F%2Fipv6.download.dnscrypt.info%2Fresolvers-list%2Fv3%2Fodoh-relays.md'%2C%20'https%3A%2F%2Fdownload.dnscrypt.net%2Fresolvers-list%2Fv3%2Fodoh-relays.md'%5D%0A%20%20%20%20%20%20cache_file%20%3D%20'odoh-relays.md'%0A%20%20%20%20%20%20minisign_key%20%3D%20'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'%0A%20%20%20%20%20%20refresh_delay%20%3D%20168%0A%20%20%20%20%20%20prefix%20%3D%20''%0A%0A%20%20%23%2
3%20Quad9%0A%0A%20%20%23%20%5Bsources.quad9-resolvers%5D%0A%20%20%23%20%20%20urls%20%3D%20%5B'https%3A%2F%2Fwww.quad9.net%2Fquad9-resolvers.md'%5D%0A%20%20%23%20%20%20minisign_key%20%3D%20'RWQBphd2%2Bf6eiAqBsvDZEBXBGHQBJfeG6G%2BwJPPKxCZMoEQYpmoysKUN'%0A%20%20%23%20%20%20cache_file%20%3D%20'quad9-resolvers.md'%0A%20%20%23%20%20%20prefix%20%3D%20'quad9-'%0A%0A%20%20%23%23%20Another%20example%20source%2C%20with%20resolvers%20censoring%20some%20websites%20not%20appropriate%20for%20children%0A%20%20%23%23%20This%20is%20a%20subset%20of%20the%20%60public-resolvers%60%20list%2C%20so%20enabling%20both%20is%20useless%0A%0A%20%20%23%20%20%5Bsources.'parental-control'%5D%0A%20%20%23%20%20%20%20urls%20%3D%20%5B'https%3A%2F%2Fraw.githubusercontent.com%2FDNSCrypt%2Fdnscrypt-resolvers%2Fmaster%2Fv3%2Fparental-control.md'%2C%20'https%3A%2F%2Fdownload.dnscrypt.info%2Fresolvers-list%2Fv3%2Fparental-control.md'%2C%20'https%3A%2F%2Fipv6.download.dnscrypt.info%2Fresolvers-list%2Fv3%2Fparental-control.md'%2C%20'https%3A%2F%2Fdownload.dnscrypt.net%2Fresolvers-list%2Fv3%2Fparental-control.md'%5D%0A%20%20%23%20%20%20%20cache_file%20%3D%20'parental-control.md'%0A%20%20%23%20%20%20%20minisign_key%20%3D%20'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'%0A%0A%0A%0A%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%0A%23%20%20%20%20%20%20%20%20Servers%20with%20known%20bugs%20%20%20%20%20%20%20%20%23%0A%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%0A%0A%5Bbroken_implementations%5D%0A%0A%23%20Cisco%20servers%20currently%20cannot%20handle%20queries%20larger%20than%201472%20bytes%2C%20and%20don't%0A%23%20truncate%20reponses%20larger%20than%20questions%20as%20expected%20by%20the%20DNSCrypt%20protocol.%0A%23%20This%20prevents%20large%20responses%20from%20being%20received%20over%20UDP%20and%20over%20relays.%0A%23%0A%23%20Older%20versions%20of%2
0the%20%60dnsdist%60%20server%20software%20had%20a%20bug%20with%20queries%20larger%0A%23%20than%201500%20bytes.%20This%20is%20fixed%20since%20%60dnsdist%60%20version%201.5.0%2C%20but%0A%23%20some%20server%20may%20still%20run%20an%20outdated%20version.%0A%23%0A%23%20The%20list%20below%20enables%20workarounds%20to%20make%20non-relayed%20usage%20more%20reliable%0A%23%20until%20the%20servers%20are%20fixed.%0A%0Afragments_blocked%20%3D%20%5B'cisco'%2C%20'cisco-ipv6'%2C%20'cisco-familyshield'%2C%20'cisco-familyshield-ipv6'%2C%20'cleanbrowsing-adult'%2C%20'cleanbrowsing-adult-ipv6'%2C%20'cleanbrowsing-family'%2C%20'cleanbrowsing-family-ipv6'%2C%20'cleanbrowsing-security'%2C%20'cleanbrowsing-security-ipv6'%5D%0A%0A%0A%0A%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%0A%23%20%20%20%20%20%20%20%20Certificate-based%20client%20authentication%20for%20DoH%20%20%20%20%20%20%20%20%23%0A%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%0A%0A%23%20Use%20a%20X509%20certificate%20to%20authenticate%20yourself%20when%20connecting%20to%20DoH%20servers.%0A%23%20This%20is%20only%20useful%20if%20you%20are%20operating%20your%20own%2C%20private%20DoH%20server(s).%0A%23%20'creds'%20maps%20servers%20to%20certificates%2C%20and%20supports%20multiple%20entries.%0A%23%20If%20you%20are%20not%20using%20the%20standard%20root%20CA%2C%20an%20optional%20%22root_ca%22%0A%23%20property%20set%20to%20the%20path%20to%20a%20root%20CRT%20file%20can%20be%20added%20to%20a%20server%20entry.%0A%0A%5Bdoh_client_x509_auth%5D%0A%0A%23%0A%23%20creds%20%3D%20%5B%0A%23%20%20%20%20%7B%20server_name%3D'*'%2C%20client_cert%3D'client.crt'%2C%20client_key%3D'client.key'%20%7D%0A%23%20%5D%0A%0A%0A%0A%23%23%23%23%23%23%23%23%23%23%23%23%23
%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%0A%23%20%20%20%20%20%20%20%20Anonymized%20DNS%20%20%20%20%20%20%20%20%23%0A%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%0A%0A%5Banonymized_dns%5D%0A%0A%23%23%20Routes%20are%20indirect%20ways%20to%20reach%20DNSCrypt%20servers.%0A%23%23%0A%23%23%20A%20route%20maps%20a%20server%20name%20(%22server_name%22)%20to%20one%20or%20more%20relays%20that%20will%20be%0A%23%23%20used%20to%20connect%20to%20that%20server.%0A%23%23%0A%23%23%20A%20relay%20can%20be%20specified%20as%20a%20DNS%20Stamp%20(either%20a%20relay%20stamp%2C%20or%20a%0A%23%23%20DNSCrypt%20stamp)%20or%20a%20server%20name.%0A%23%23%0A%23%23%20The%20following%20example%20routes%20%22example-server-1%22%20via%20%60anon-example-1%60%20or%20%60anon-example-2%60%2C%0A%23%23%20and%20%22example-server-2%22%20via%20the%20relay%20whose%20relay%20DNS%20stamp%20is%0A%23%23%20%22sdns%3A%2F%2FgRIxMzcuNzQuMjIzLjIzNDo0NDM%22.%0A%23%23%0A%23%23%20!!!%20THESE%20ARE%20JUST%20EXAMPLES%20!!!%0A%23%23%0A%23%23%20Review%20the%20list%20of%20available%20relays%20from%20the%20%22relays.md%22%20file%2C%20and%2C%20for%20each%0A%23%23%20server%20you%20want%20to%20use%2C%20define%20the%20relays%20you%20want%20connections%20to%20go%20through.%0A%23%23%0A%23%23%20Carefully%20choose%20relays%20and%20servers%20so%20that%20they%20are%20run%20by%20different%20entities.%0A%23%23%0A%23%23%20%22server_name%22%20can%20also%20be%20set%20to%20%22*%22%20to%20define%20a%20default%20route%2C%20for%20all%20servers%3A%0A%23%23%20%7B%20server_name%3D'*'%2C%20via%3D%5B'anon-example-1'%2C%20'anon-example-2'%5D%20%7D%0A%23%23%0A%23%23%20If%20a%20route%20is%20%5B%22*%22%5D%2C%20the%20proxy%20automatically%20picks%20a%20relay%20on%20a%20distinct%20network.%0A%23%23%20%7B%20server_name%3D'*'%2C%20via%3D%5B'*'%5D%20%7D%20is%20also%20an%20option%2C%20but%20is%20likely%20to%20be%20suboptimal.%0A%23%23%0A%23%23%20Manual%20selection%20is%20always%20recommended%20
over%20automatic%20selection%2C%20so%20that%20you%20can%0A%23%23%20select%20(relay%2Cserver)%20pairs%20that%20work%20well%20and%20fit%20your%20own%20criteria%20(close%20by%20or%0A%23%23%20in%20different%20countries%2C%20operated%20by%20different%20entities%2C%20on%20distinct%20ISPs...)%0A%0A%20%20routes%20%3D%20%5B%0A%23%20%20%20%20%7B%20server_name%3D'example-server-1'%2C%20via%3D%5B'anon-example-1'%2C%20'anon-example-2'%5D%20%7D%2C%0A%20%20%20%20%20%7B%20server_name%3D'*'%2C%20via%3D%5B'odohrelay-crypto-sx'%2C%20'odohrelay-koki-ams'%2C%20'odohrelay-koki-se'%2C%20'odohrelay-koki-bcn'%2C%20'odohrelay-surf'%5D%20%7D%0A%23%20%20%20%20%7B%20server_name%3D'example-server-2'%2C%20via%3D%5B'sdns%3A%2F%2FgRIxMzcuNzQuMjIzLjIzNDo0NDM'%5D%20%7D%0A%20%20%5D%0A%0A%0A%23%20Skip%20resolvers%20incompatible%20with%20anonymization%20instead%20of%20using%20them%20directly%0A%0Askip_incompatible%20%3D%20true%0A%0A%0A%23%20If%20public%20server%20certificates%20for%20a%20non-conformant%20server%20cannot%20be%0A%23%20retrieved%20via%20a%20relay%2C%20try%20getting%20them%20directly.%20Actual%20queries%0A%23%20will%20then%20always%20go%20through%20relays.%0A%0A%23%20direct_cert_fallback%20%3D%20false%0A%0A%0A%0A%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%0A%23%20%20%20%20%20%20%20%20%20%20%20%20DNS64%20%20%20%20%20%20%20%20%20%20%20%20%23%0A%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%0A%0A%23%23%20DNS64%20is%20a%20mechanism%20for%20synthesizing%20AAAA%20records%20from%20A%20records.%0A%23%23%20It%20is%20used%20with%20an%20IPv6%2FIPv4%20translator%20to%20enable%20client-server%0A%23%23%20communication%20between%20an%20IPv6-only%20client%20and%20an%20IPv4-only%20server%2C%0A%23%23%20without%20requiring%20any%20changes%20to%20either%20the%20IPv6%20or%20the%20IPv4%20node%2C%0A%23%23%20for%20the%20class%20of%20applications%20that%20work%20through%20NATs.%0A%23%23%0A%23%23%20There%20are%20two%20op
tions%20to%20synthesize%20such%20records%3A%0A%23%23%20Option%201%3A%20Using%20a%20set%20of%20static%20IPv6%20prefixes%3B%0A%23%23%20Option%202%3A%20By%20discovering%20the%20IPv6%20prefix%20from%20DNS64-enabled%20resolver.%0A%23%23%0A%23%23%20If%20both%20options%20are%20configured%20-%20only%20static%20prefixes%20are%20used.%0A%23%23%20(Ref.%20RFC6147%2C%20RFC6052%2C%20RFC7050)%0A%23%23%0A%23%23%20Do%20not%20enable%20unless%20you%20know%20what%20DNS64%20is%20and%20why%20you%20need%20it%2C%20or%20else%0A%23%23%20you%20won't%20be%20able%20to%20connect%20to%20anything%20at%20all.%0A%0A%5Bdns64%5D%0A%0A%23%23%20(Option%201)%20Static%20prefix(es)%20as%20Pref64%3A%3A%2Fn%20CIDRs.%0A%23%20prefix%20%3D%20%5B'64%3Aff9b%3A%3A%2F96'%5D%0A%0A%23%23%20(Option%202)%20DNS64-enabled%20resolver(s)%20to%20discover%20Pref64%3A%3A%2Fn%20CIDRs.%0A%23%23%20These%20resolvers%20are%20used%20to%20query%20for%20Well-Known%20IPv4-only%20Name%20(WKN)%20%22ipv4only.arpa.%22%20to%20discover%20only.%0A%23%23%20Set%20with%20your%20ISP's%20resolvers%20in%20case%20of%20custom%20prefixes%20(other%20than%20Well-Known%20Prefix%2064%3Aff9b%3A%3A%2F96).%0A%23%23%20IMPORTANT%3A%20Default%20resolvers%20listed%20below%20support%20Well-Known%20Prefix%2064%3Aff9b%3A%3A%2F96%20only.%0A%23%20resolver%20%3D%20%5B'%5B2606%3A4700%3A4700%3A%3A64%5D%3A53'%2C%20'%5B2001%3A4860%3A4860%3A%3A64%5D%3A53'%5D%0A%0A%0A%0A%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%0A%23%20%20%20%20%20%20%20%20%20%20%20%20Static%20entries%20%20%20%20%20%20%20%20%20%20%20%20%23%0A%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%0A%0A%23%23%20Optional%2C%20local%2C%20static%20list%20of%20additional%20servers%0A%23%23%20Mostly%20useful%20for%20testing%20your%20own%20servers.%0A%0A%5Bstatic%5D%0A%0A%20%20%23%20%5Bstatic.'myserver'%5D%0A%20%20%23%20stamp%20%3D%20'sdns%3A%2F%2FAQcAAAAAAAAAAAAQMi5kbnNj
cnlwdC1jZXJ0Lg'%3C%2FPATH%3E%3C%2FLISTEN_ADDRESS%3E%3C%2FN%3E%3C%2FIPV6%3E%3C%2FIPV4%3E%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E6A.)%20Run%20%22C%3A%5CProgram%20Files%5Cdnscrypt-proxy%5Cservice-install.bat%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENOTE%3A%20Do%20not%20install%20or%20start%20the%20service%20until%20you%20have%20the%20resolvers%20and%20configuration%20file%20in%20place%20(or%20it%20won't%20load)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENOTE%3A%20If%20this%20does%20not%20work%2C%20the%20process%20must%20be%20terminated%20in%20memory%20(dnscrypt-proxy.exe)%2C%20the%20resolvers%20must%20be%20copied%20over%20again%20manually%2C%20and%20the%20service%20must%20be%20restarted%20with%20an%20active%20network%20connection.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOpen%20the%20Command%20Prompt%20-%26gt%3B%20Start%20Menu%20-%26gt%3B%20Run%20-%26gt%3B%20taskmgr%20-%26gt%3B%20File%20-%26gt%3B%20Run%20new%20Task%20-%26gt%3B%20%25SystemRoot%25%5CSystem32%5Ccmd.exe%20-%26gt%3B%20Select%20%22Create%20this%20task%20with%20administrative%20privileges.%22%20-%26gt%3B%20Click%20OK.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERun%20the%20following%20list%20of%20commands%3A%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-bash%22%3E%3CCODE%3Esc%20failureflag%20dnscrypt-proxy%201%0Asc%20config%20dnscrypt-proxy%20group%3D%20NetworkProvider%20displayname%3D%20%22DNSCrypt%20Client%20Proxy%22%0Asc%20failure%20dnscrypt-proxy%20reset%3D%2060%20actions%3D%20restart%2F30000%2Frestart%2F30000%2Frestart%2F30000%2F%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E6B.)%20Alternate%3A%20Apply%20the%20following%20registry%20patch%3A%20dns-proxy.reg%20(you%20must%20restart%20if%20you%20use%20the%20registry%20patch%20instead%20of%20the%20command%20line%20install%20process)%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-bash%22%3E%3CCODE%3EWindows%20Registry%20Editor%20Version%205.00%0A%0A%5BHKEY_LOCAL_MACHINE%5CSYSTEM%5CCurrentControlSet%5CServices%5Cdnscrypt-proxy%5D%0A%22Type%22%3Ddword%3A0000
0010%0A%22Start%22%3Ddword%3A00000002%0A%22ErrorControl%22%3Ddword%3A00000000%0A%22ImagePath%22%3Dhex(2)%3A22%2C00%2C43%2C00%2C3a%2C00%2C5c%2C00%2C50%2C00%2C72%2C00%2C6f%2C00%2C67%2C00%2C72%2C00%2C61%2C00%2C%5C%0A%20%206d%2C00%2C20%2C00%2C46%2C00%2C69%2C00%2C6c%2C00%2C65%2C00%2C73%2C00%2C5c%2C00%2C64%2C00%2C6e%2C00%2C73%2C00%2C63%2C00%2C72%2C%5C%0A%20%2000%2C79%2C00%2C70%2C00%2C74%2C00%2C2d%2C00%2C70%2C00%2C72%2C00%2C6f%2C00%2C78%2C00%2C79%2C00%2C5c%2C00%2C64%2C00%2C6e%2C00%2C%5C%0A%20%2073%2C00%2C63%2C00%2C72%2C00%2C79%2C00%2C70%2C00%2C74%2C00%2C2d%2C00%2C70%2C00%2C72%2C00%2C6f%2C00%2C78%2C00%2C79%2C00%2C2e%2C%5C%0A%20%2000%2C65%2C00%2C78%2C00%2C65%2C00%2C22%2C00%2C20%2C00%2C2d%2C00%2C63%2C00%2C6f%2C00%2C6e%2C00%2C66%2C00%2C69%2C00%2C67%2C00%2C%5C%0A%20%2020%2C00%2C64%2C00%2C6e%2C00%2C73%2C00%2C63%2C00%2C72%2C00%2C79%2C00%2C70%2C00%2C74%2C00%2C2d%2C00%2C70%2C00%2C72%2C00%2C6f%2C%5C%0A%20%2000%2C78%2C00%2C79%2C00%2C2e%2C00%2C74%2C00%2C6f%2C00%2C6d%2C00%2C6c%2C00%2C00%2C00%0A%22DisplayName%22%3D%22DNSCrypt%20Client%20Proxy%22%0A%22ObjectName%22%3D%22LocalSystem%22%0A%22Description%22%3D%22Encrypted%2FAuthenticated%20DNS%20Proxy%22%0A%22FailureActionsOnNonCrashFailures%22%3Ddword%3A00000001%0A%22FailureActions%22%3Dhex%3A3c%2C00%2C00%2C00%2C00%2C00%2C00%2C00%2C00%2C00%2C00%2C00%2C03%2C00%2C00%2C00%2C14%2C00%2C00%2C%5C%0A%20%2000%2C01%2C00%2C00%2C00%2C30%2C75%2C00%2C00%2C01%2C00%2C00%2C00%2C30%2C75%2C00%2C00%2C01%2C00%2C00%2C00%2C30%2C75%2C00%2C00%0A%22Group%22%3D%22NetworkProvider%22%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E7.)%20Start%20Powershell%20-%26gt%3B%20Start%20Menu%20-%26gt%3B%20Run%20-%26gt%3B%20taskmgr%20-%26gt%3B%20File%20-%26gt%3B%20Run%20new%20Task%20-%26gt%3B%20%25SystemRoot%25%5CSystem32%5CWindowsPowerShell%5Cv1.0%5Cpowershell.exe%20-%26gt%3B%20Select%20%22Create%20this%20task%20with%20administrative%20privileges.%22%20-%26gt%3B%20Click%20OK.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E7A.)%20You%20must%20run%20this%20script%20first%20in%20PowerShell%20to%20chan
ge%20the%20execution%20policy%20in%20PowerShell%20(and%20also%20disable%20the%20command%20line%20history)%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-bash%22%3E%3CCODE%3E%23%20ExecutionPolicy%20-List%0ASet-ExecutionPolicy%20-ExecutionPolicy%20Bypass%20-Scope%20CurrentUser%20-Force%0ASet-ExecutionPolicy%20-ExecutionPolicy%20Bypass%20-Scope%20LocalMachine%20-Force%3B%0ASet-PSReadLineOption%20-HistorySaveStyle%20SaveNothing%20-MaximumHistoryCount%201%3B%0ASet-Content%20-Value%20%22Remove-Module%20PSReadline%22%20-NoNewline%20-Path%20%24PROFILE%3B%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E7B.)%20NOTE%3A%20If%20you%20have%20a%20VPN%20you%20have%20to%20run%20this%20batch%20file%20(.BAT)%20every%20time%20it%20connects%20to%20a%20new%20server%20(change%20%22WireGuard%22%20to%20the%20name%20of%20the%20adapter.)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENOTE%3A%20This%20requires%20Sdelete64.exe%20to%20be%20extracted%20to%20the%20%22C%3A%5CWindows%5CSystem32%22%20folder%20(%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsysinternals%2Fdownloads%2Fsysinternals-suite%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsysinternals%2Fdownloads%2Fsysinternals-suite%3C%2FA%3E%20)%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-bash%22%3E%3CCODE%3E%40ECHO%20OFF%0ASETLOCAL%0Apowershell%20-noprofile%20-file%20%25UserProfile%25%5CDesktop%5CWin64%5CsetDNS.ps1%0A%25SYSTEMROOT%25%5CSystem32%5CCMD.EXE%20%2FQ%20%2FC%20START%20%2FMIN%20%2FREALTIME%20sdelete64%20-nobanner%20-r%20%22%25AppData%25%5CMicrosoft%5CWindows%5CPowerShell%5CPSReadLine%5CConsoleHost_history.txt%22%0AMOVE%20NUL%202%26gt%3B%26amp%3B0%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3EExample%20of%20%22setDNS.ps1%22%20(Edit%20these%20scripts%20to%20match%20whatever%20folder%20layout%20you%20have%20in%20mind)%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-bash%22%3E%3CCODE%3ESet-DnsClientServerAddress%20-InterfaceAlias%20WireGuard%20-ResetServerAddresses
%0ADisable-NetAdapterBinding%20-Name%20WireGuard%20-AllBindings%20-IncludeHidden%20-componentid%20%22ms_netbios%22%3B%0ADisable-NetAdapterBinding%20-Name%20WireGuard%20-componentid%20%22ms_tcpip6%22%3B%0ASet-DnsClientServerAddress%20-InterfaceAlias%20WireGuard%20-ResetServerAddresses%3B%0ADisable-NetAdapterBinding%20-Name%20WireGuard%20-AllBindings%20-IncludeHidden%20-componentid%20%22ms_netbios%22%3B%0ADisable-NetAdapterBinding%20-Name%20WireGuard%20-componentid%20%22ms_msclient%22%3B%0ADisable-NetAdapterBinding%20-Name%20WireGuard%20-componentid%20%22ms_server%22%3B%0ADisable-NetAdapterBinding%20-Name%20WireGuard%20-componentid%20%22ms_pacer%22%3B%0ADisable-NetAdapterBinding%20-Name%20WireGuard%20-componentid%20%22ms_implat%22%3B%0ADisable-NetAdapterBinding%20-Name%20WireGuard%20-componentid%20%22ms_rspndr%22%3B%0ADisable-NetAdapterBinding%20-Name%20WireGuard%20-componentid%20%22ms_lldp%22%3B%0AGet-DnsClient%20%7C%20Set-DnsClientServerAddress%20-ResetServerAddresses%3B%0AGet-DnsClient%20%7C%20Set-DnsClientServerAddress%20-ServerAddresses%20(%22127.0.0.1%22%2C%229.9.9.11%22)%3B%0AGet-DnsClient%20%7C%20Set-DNSClient%20-RegisterThisConnectionsAddress%20%24False%20-UseSuffixWhenRegistering%20%24False%20-ConnectionSpecificSuffix%20%22%20%22%3B%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E8.)%20Restart%20the%20computer%20(%20only%20if%20you%20used%20the%20registry%20patch%20instead%20of%20the%20command%20line%20version%20%2F%20or%20if%20you%20have%20a%20VPN%20)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ELinks%3A%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FDNSCrypt%2Fdnscrypt-proxy%2Freleases%2Flatest%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EDNSCrypt-Proxy%3C%2FA%3E%20%7C%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FDNSCrypt%2Fdnscrypt-resolvers%2Ftree%2Fmaster%2Fv3%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EDNSCrypt%20Resolvers%3C%2FA%3E%20%7C%20%3CA%20href%3D%22https%3A%2F%2Foisd.nl%2Fdownloads%22%20target%3D%22_self%22%20rel%3D%22nofol
low%20noopener%20noreferrer%22%3EOISD%20Downloads%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Regular Contributor

Note: This stub-resolver example uses ODoH via dnscrypt-proxy 2.x. It can be used together with a VPN, and optionally with a caching-only DNS / name server behind it.
1.) Install the latest version of WinRAR
2.) Download dnscrypt-proxy (win64 .zip) and extract the following files to this folder: "C:\Program Files\dnscrypt-proxy"
dnscrypt-proxy.exe, localhost.pem, service-install.bat
3.) Download the following resolvers and place them in: "C:\Program Files\dnscrypt-proxy"
odoh-relays.md | odoh-relays.md.minisig

odoh-servers.md | odoh-servers.md.minisig
4.) Download the [ OISD FULL - Domains (wildcards) ] blacklist and place it in: "C:\Program Files\dnscrypt-proxy"
oisd_dblw_full.txt
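Before the dnscrypt-proxy.toml from step 5 is handed to the proxy, its global settings are worth a mechanical check: a non-loopback listener turns the machine into a resolver for anything that can reach the port, `server_names` silently disables the `require_*` filters, an over-specific `edns_client_subnet` reveals client location, and a local `netprobe_address` proves nothing about Internet connectivity. The linter below is an added example, not code from this post or from the dnscrypt-proxy project; it assumes Python 3.11+ (for `tomllib`) and embeds a constructed sample cut down from the guide's config.

```python
"""Lint a dnscrypt-proxy.toml for the settings this guide relies on.

Added example for this post; not code from the dnscrypt-proxy project.
Assumes Python 3.11+ for the standard-library TOML parser.
"""
import ipaddress

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Constructed sample: the guide's global settings, cut down to the keys checked here.
SAMPLE_TOML = """
listen_addresses = ['127.0.0.1:53']
odoh_servers = true
require_dnssec = true
require_nolog = true
require_nofilter = true
edns_client_subnet = ["0.0.0.0/0", "2001:db8::/32"]
bootstrap_resolvers = ['9.9.9.11:53', '149.112.112.11:53']
ignore_system_dns = true
netprobe_address = '9.9.9.11:53'
"""

REQUIRE_KEYS = ("require_dnssec", "require_nolog", "require_nofilter")
# RFC 7871 recommends revealing no more than /24 (IPv4) or /56 (IPv6) of the client.
ECS_MAX_PREFIX = {4: 24, 6: 56}


def split_host_port(addr: str) -> tuple[str, int]:
    """Split 'host:port' or '[v6]:port', the two forms the config file uses."""
    host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"{addr!r} is not host:port")
    return host.strip("[]"), int(port)


def lint(toml_text: str) -> list[str]:
    """Return a list of findings; an empty list means the checked keys look sane."""
    cfg = tomllib.loads(toml_text)
    findings: list[str] = []

    # 1. A non-loopback listener answers every host that can reach the port.
    for addr in cfg.get("listen_addresses", []):
        host, _ = split_host_port(addr)
        if not ipaddress.ip_address(host).is_loopback:
            findings.append(f"listen_addresses: {addr} is not loopback; "
                            "firewall it or keep the proxy on 127.0.0.1/[::1]")

    # 2. The require_* filters are ignored once server_names is set (see the config comments).
    if cfg.get("server_names") and any(cfg.get(k) for k in REQUIRE_KEYS):
        findings.append("server_names: explicit list set, so require_* filters do not apply")

    # 3. The guide relies on all three server requirements being enforced.
    for key in REQUIRE_KEYS:
        if not cfg.get(key, False):
            findings.append(f"{key}: expected true")

    # 4. ECS prefixes more specific than RFC 7871's recommendation reveal client location.
    for net_str in cfg.get("edns_client_subnet", []):
        net = ipaddress.ip_network(net_str, strict=False)
        limit = ECS_MAX_PREFIX[net.version]
        if net.prefixlen > limit:
            findings.append(f"edns_client_subnet: {net_str} is more specific than /{limit}")

    # 5. Bootstrap resolvers are needed when the system DNS is ignored, and must be host:port.
    if cfg.get("ignore_system_dns") and not cfg.get("bootstrap_resolvers"):
        findings.append("bootstrap_resolvers: empty while ignore_system_dns = true")
    for addr in cfg.get("bootstrap_resolvers", []):
        try:
            split_host_port(addr)
        except ValueError as exc:
            findings.append(f"bootstrap_resolvers: {exc}")

    # 6. The net probe must target something beyond the local machine or LAN.
    probe = cfg.get("netprobe_address")
    if probe:
        host, _ = split_host_port(probe)
        ip = ipaddress.ip_address(host)
        if ip.is_loopback or ip.is_private or ip.is_unspecified:
            findings.append(f"netprobe_address: {probe} is local; it cannot prove Internet connectivity")

    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE_TOML) or ["no findings"]:
        print(line)
```

Run it against the real file with `lint(open(path, encoding="utf-8").read())`; the sample as written yields no findings.
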
5.) Copy the following and save it as "dnscrypt-proxy.toml" in this folder: "C:\Program Files\dnscrypt-proxy"

##############################################
#                                            #
#        dnscrypt-proxy configuration        #
#                                            #
##############################################

## This is an example configuration file.
## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"
##
## Online documentation is available here: https://dnscrypt.info/doc



##################################
#         Global settings        #
##################################

## List of servers to use
##
## Servers from the "public-resolvers" source (see down below) can
## be viewed here: https://dnscrypt.info/public-servers
##
## The proxy will automatically pick working servers from this list.
## Note that the require_* filters do NOT apply when using this setting.
##
## By default, this list is empty and all registered servers matching the
## require_* filters will be used instead.
##
## Remove the leading # first to enable this; lines starting with # are ignored.

# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']


## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
## Example with both IPv4 and IPv6:
## listen_addresses = ['127.0.0.1:53', '[::1]:53']
##
## To listen to all IPv4 addresses, use `listen_addresses = ['0.0.0.0:53']`
## To listen to all IPv4+IPv6 addresses, use `listen_addresses = ['[::]:53']`

listen_addresses = ['127.0.0.1:53']


## Maximum number of simultaneous client connections to accept

max_clients = 25000


## Switch to a different system user after listening sockets have been created.
## Note (1): this feature is currently unsupported on Windows.
## Note (2): this feature is not compatible with systemd socket activation.
## Note (3): when using -pidfile, the PID file directory must be writable by the new user

# user_name = 'nobody'


## Require servers (from remote sources) to satisfy specific properties

# Use servers reachable over IPv4
ipv4_servers = true

# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
ipv6_servers = false

# Use servers implementing the DNSCrypt protocol
dnscrypt_servers = true

# Use servers implementing the DNS-over-HTTPS protocol
doh_servers = true

# Use servers implementing the Oblivious DoH protocol
odoh_servers = true

## Require servers defined by remote sources to satisfy specific properties

# Server must support DNS security extensions (DNSSEC)
require_dnssec = true

# Server must not log user queries (declarative)
require_nolog = true

# Server must not enforce its own blocklist (for parental control, ads blocking...)
require_nofilter = true

# Server names to avoid even if they match all criteria
disabled_server_names = []


## Always use TCP to connect to upstream servers.
## This can be useful if you need to route everything through Tor.
## Otherwise, leave this to `false`, as it doesn't improve security
## (dnscrypt-proxy will always encrypt everything even using UDP), and can
## only increase latency.

force_tcp = false


## SOCKS proxy
## Uncomment the following line to route all TCP connections to a local Tor node
## Tor doesn't support UDP, so set `force_tcp` to `true` as well.

# proxy = 'socks5://127.0.0.1:9050'


## HTTP/HTTPS proxy
## Only for DoH servers

# http_proxy = 'http://127.0.0.1:8888'


## How long a DNS query will wait for a response, in milliseconds.
## If you have a network with *a lot* of latency, you may need to
## increase this. Startup may be slower if you do so.
## Don't increase it too much. 10000 is the highest reasonable value.

timeout = 3000


## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds

keepalive = 5


## Add EDNS-client-subnet information to outgoing queries
##
## Multiple networks can be listed; they will be randomly chosen.
## These networks don't have to match your actual networks.

edns_client_subnet = ["0.0.0.0/0", "2001:db8::/32"]


## Response for blocked queries. Options are `refused`, `hinfo` (default) or
## an IP response. To give an IP response, use the format `a:<IPv4>,aaaa:<IPv6>`.
## Using the `hinfo` option means that some responses will be lies.
## Unfortunately, the `hinfo` option appears to be required for Android 8+

blocked_query_response = 'refused'


## Load-balancing strategy: 'p2' (default), 'ph', 'p<n>', 'first' or 'random'
## Randomly choose 1 of the fastest 2, half, n, 1 or all live servers by latency.
## The response quality still depends on the server itself.

lb_strategy = 'p2'

## Set to `true` to constantly try to estimate the latency of all the resolvers
## and adjust the load-balancing parameters accordingly, or to `false` to disable.
## The default is `true`, which makes the 'p2' `lb_strategy` work well.

lb_estimator = true


## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)

# log_level = 6


## Log file for the application, as an alternative to sending logs to
## the standard system logging service (syslog/Windows event log).
##
## This file is different from other log files, and will not be
## automatically rotated by the application.

# log_file = 'dnscrypt-proxy.log'


## When using a log file, only keep logs from the most recent launch.

# log_file_latest = true


## Use the system logger (syslog on Unix, Event Log on Windows)

use_syslog = false


## Delay, in minutes, after which certificates are reloaded

cert_refresh_delay = 240


## DNSCrypt: Create a new, unique key for every single DNS query
## This may improve privacy but can also have a significant impact on CPU usage
## Only enable if you don't have a lot of network load

dnscrypt_ephemeral_keys = true


## DoH: Disable TLS session tickets - increases privacy but also latency

tls_disable_session_tickets = true


## Cipher Suites

## DoH: Use a specific cipher suite instead of the server preference
##
## TLS 1.3
##
## 4866 = TLS_AES_256_GCM_SHA384 (0x1302) ECDH secp384r1 (eq. 7680 bits RSA) FS 256
##
## TLS 1.2
##
## 49196 = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) ECDH secp384r1 (eq. 7680 bits RSA) FS 256
## 49200 = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp384r1 (eq. 7680 bits RSA) FS 256
##
## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
## the following suite improves performance.
## This may also help on Intel CPUs running 32-bit operating systems.
##
## Keep tls_cipher_suite empty if you have issues fetching sources or
## connecting to some DoH servers. Google and Cloudflare are fine with it.

tls_cipher_suite = [4866, 49196, 49200]


## Bootstrap resolvers
##
## These are normal, non-encrypted DNS resolvers, that will be only used
## for one-shot queries when retrieving the initial resolvers list and the
## system DNS configuration doesn't work.
##
## No user queries will ever be leaked through these resolvers, and they will
## not be used after IP addresses of DoH resolvers have been found (if you are
## using DoH).
##
## They will never be used if lists have already been cached, and if the stamps
## of the configured servers already include IP addresses (which is the case for
## most of DoH servers, and for all DNSCrypt servers and relays).
##
## They will not be used if the configured system DNS works, or after the
## proxy already has at least one usable secure resolver.
##
## Resolvers supporting DNSSEC are recommended, and, if you are using
## DoH, bootstrap resolvers should ideally be operated by a different entity
## than the DoH servers you will be using, especially if you have IPv6 enabled.
##
## People in China may want to use 114.114.114.114:53 here.
## Other popular options include 8.8.8.8, 9.9.9.9 and 1.1.1.1.
##
## If more than one resolver is specified, they will be tried in sequence.
##
## TL;DR: put valid standard resolver addresses here. Your actual queries will
## not be sent there. If you're using DNSCrypt or Anonymized DNS and your
## lists are up to date, these resolvers will not even be used.

bootstrap_resolvers = ['9.9.9.11:53', '149.112.112.11:53']


## Always use the bootstrap resolver before the system DNS settings.

ignore_system_dns = true

## Maximum time (in seconds) to wait for network connectivity before
## initializing the proxy.
## Useful if the proxy is automatically started at boot, and network
## connectivity is not guaranteed to be immediately available.
## Use 0 to not test for connectivity at all (not recommended),
## and -1 to wait as much as possible.

netprobe_timeout = -1

## Address and port to try initializing a connection to, just to check
## if the network is up. It can be any address and any port, even if
## there is nothing answering these on the other side. Just don't use
## a local address, as the goal is to check for Internet connectivity.
## On Windows, a datagram with a single, nul byte will be sent, only
## when the system starts.
## On other operating systems, the connection will be initialized
## but nothing will be sent at all.

netprobe_address = '9.9.9.11:53'


## Offline mode - Do not use any remote encrypted servers.
## The proxy will remain fully functional to respond to queries that
## plugins can handle directly (forwarding, cloaking, ...)

# offline_mode = false


## Additional data to attach to outgoing queries.
## These strings will be added as TXT records to queries.
## Do not use, except on servers explicitly asking for extra data
## to be present.
## encrypted-dns-server can be configured to use this for access control
## in the [access_control] section

# query_meta = ['key1:value1', 'key2:value2', 'token:MySecretToken']


## Automatic log files rotation

# Maximum log files size in MB - Set to 0 for unlimited.
log_files_max_size = 1

# How long to keep backup files, in days
log_files_max_age = 1

# Maximum log files backups to keep (or 0 to keep all backups)
log_files_max_backups = 1



#########################
#        Filters        #
#########################

## Note: if you are using dnsmasq, disable the `dnssec` option in dnsmasq if you
## configure dnscrypt-proxy to do any kind of filtering (including the filters
## below and blocklists).
## You can still choose resolvers that do DNSSEC validation.


## Immediately respond to IPv6-related queries with an empty response
## This makes things faster when there is no IPv6 connectivity, but can
## also cause reliability issues with some stub resolvers.

block_ipv6 = true


## Immediately respond to A and AAAA queries for host names without a domain name

block_unqualified = true


## Immediately respond to queries for local zones instead of leaking them to
## upstream resolvers (always causing errors or timeouts).

block_undelegated = true


## TTL for synthetic responses sent when a request has been blocked (due to
## IPv6 or blocklists).

reject_ttl = 600



##################################################################################
#        Route queries for specific domains to a dedicated set of servers        #
##################################################################################

## See the `example-forwarding-rules.txt` file for an example

# forwarding_rules = 'forwarding-rules.txt'



###############################
#        Cloaking rules       #
###############################

## Cloaking returns a predefined address for a specific name.
## In addition to acting as a HOSTS file, it can also return the IP address
## of a different name. It will also do CNAME flattening.
##
## See the `example-cloaking-rules.txt` file for an example

# cloaking_rules = 'cloaking-rules.txt'

## TTL used when serving entries in cloaking-rules.txt

# cloak_ttl = 600



###########################
#        DNS cache        #
###########################

## Enable a DNS cache to reduce latency and outgoing traffic

cache = true


## Cache size

cache_size = 262144


## Minimum TTL for cached entries

cache_min_ttl = 2400


## Maximum TTL for cached entries

cache_max_ttl = 86400


## Minimum TTL for negatively cached entries

cache_neg_min_ttl = 60


## Maximum TTL for negatively cached entries

cache_neg_max_ttl = 600



########################################
#        Captive portal handling       #
########################################

[captive_portals]

## A file that contains a set of names used by operating systems to
## check for connectivity and captive portals, along with hard-coded
## IP addresses to return.

# map_file = 'example-captive-portals.txt'



##################################
#        Local DoH server        #
##################################

[local_doh]

## dnscrypt-proxy can act as a local DoH server. By doing so, web browsers
## requiring a direct connection to a DoH server in order to enable some
## features will enable these, without bypassing your DNS proxy.

## Addresses that the local DoH server should listen to

## listen_addresses = ['127.0.0.1:5555']

## Path of the DoH URL. This is not a file, but the part after the hostname
## in the URL. By convention, `/dns-query` is frequently chosen.
## For each `listen_address` the complete URL to access the server will be:
## `https://<listen_address><path>` (ex: `https://127.0.0.1/dns-query`)

## path = '/dns-query'

## Certificate file and key - Note that the certificate has to be trusted.
## See the documentation (wiki) for more information.

## cert_file = '_Cert.pem'
## cert_key_file = '_Key.pem'

###############################
#        Query logging        #
###############################

## Log client queries to a file

[query_log]

  ## Path to the query log file (absolute, or relative to the same directory as the config file)
  ## Can be set to /dev/stdout in order to log to the standard output.

  # file = 'query.log'


  ## Query log format (currently supported: tsv and ltsv)

  format = 'tsv'


  ## Do not log these query types, to reduce verbosity. Keep empty to log everything.

  # ignored_qtypes = ['DNSKEY', 'NS']



############################################
#        Suspicious queries logging        #
############################################

## Log queries for nonexistent zones
## These queries can reveal the presence of malware, broken/obsolete applications,
## and devices signaling their presence to 3rd parties.

[nx_log]

  ## Path to the query log file (absolute, or relative to the same directory as the config file)

  # file = 'nx.log'


  ## Query log format (currently supported: tsv and ltsv)

  format = 'tsv'



######################################################
#        Pattern-based blocking (blocklists)        #
######################################################

## Blocklists are made of one pattern per line. Example of valid patterns:
##
##   example.com
##   =example.com
##   *sex*
##   ads.*
##   ads*.example.*
##   ads*.example[0-9]*.com
##
## Example blocklist files can be found at https://download.dnscrypt.info/blocklists/
## A script to build blocklists from public feeds can be found in the
## `utils/generate-domains-blocklists` directory of the dnscrypt-proxy source code.

[blocked_names]

  ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)

  # Site: https://oisd.nl/downloads
  # Selection: Domains (wildcards) - full

  # blocked_names_file = 'oisd_dblw_full.txt'


  ## Optional path to a file logging blocked queries

  # log_file = 'blocked-names.log'


  ## Optional log format: tsv or ltsv (default: tsv)

  # log_format = 'tsv'



###########################################################
#        Pattern-based IP blocking (IP blocklists)        #
###########################################################

## IP blocklists are made of one pattern per line. Example of valid patterns:
##
##   127.*
##   fe80:abcd:*
##   192.168.1.4

[blocked_ips]

  ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)

  # blocked_ips_file = 'blocked-ips.txt'


  ## Optional path to a file logging blocked queries

  # log_file = 'blocked-ips.log'


  ## Optional log format: tsv or ltsv (default: tsv)

  # log_format = 'tsv'



######################################################
#   Pattern-based allow lists (blocklists bypass)   #
######################################################

## Allowlists support the same patterns as blocklists
## If a name matches an allowlist entry, the corresponding session
## will bypass names and IP filters.
##
## Time-based rules are also supported to make some websites only accessible at specific times of the day.

[allowed_names]

  ## Path to the file of allow list rules (absolute, or relative to the same directory as the config file)

  # allowed_names_file = 'allowed-names.txt'


  ## Optional path to a file logging allowed queries

  # log_file = 'allowed-names.log'


  ## Optional log format: tsv or ltsv (default: tsv)

  # log_format = 'tsv'



#########################################################
#   Pattern-based allowed IPs lists (blocklists bypass) #
#########################################################

## Allowed IP lists support the same patterns as IP blocklists
## If an IP response matches an allow ip entry, the corresponding session
## will bypass IP filters.
##
## Time-based rules are also supported to make some websites only accessible at specific times of the day.

[allowed_ips]

  ## Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file)

  # allowed_ips_file = 'allowed-ips.txt'


  ## Optional path to a file logging allowed queries

  # log_file = 'allowed-ips.log'

  ## Optional log format: tsv or ltsv (default: tsv)

  # log_format = 'tsv'



##########################################
#        Time access restrictions        #
##########################################

## One or more weekly schedules can be defined here.
## Patterns in the name-based blocked_names file can optionally be followed with @schedule_name
## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
##
## For example, the following rule in a blocklist file:
## *.youtube.* @time-to-sleep
## would block access to YouTube during the times defined by the 'time-to-sleep' schedule.
##
## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
## {after= '9:00', before='18:00'} matches 9:00-18:00

[schedules]

  # [schedules.'time-to-sleep']
  # mon = [{after='21:00', before='7:00'}]
  # tue = [{after='21:00', before='7:00'}]
  # wed = [{after='21:00', before='7:00'}]
  # thu = [{after='21:00', before='7:00'}]
  # fri = [{after='23:00', before='7:00'}]
  # sat = [{after='23:00', before='7:00'}]
  # sun = [{after='21:00', before='7:00'}]

  # [schedules.'work']
  # mon = [{after='9:00', before='18:00'}]
  # tue = [{after='9:00', before='18:00'}]
  # wed = [{after='9:00', before='18:00'}]
  # thu = [{after='9:00', before='18:00'}]
  # fri = [{after='9:00', before='17:00'}]



#########################
#        Servers        #
#########################

## Remote lists of available servers
## Multiple sources can be used simultaneously, but every source
## requires a dedicated cache file.
##
## Refer to the documentation for URLs of public sources.
##
## A prefix can be prepended to server names in order to
## avoid collisions if different sources use the same name for
## different servers. In that case, names listed in `server_names`
## must include the prefixes.
##
## If the `urls` property is missing, cache files and valid signatures
## must already be present. This doesn't prevent these cache files from
## expiring after `refresh_delay` hours.
## Cache freshness is checked every 24 hours, so values for 'refresh_delay'
## of less than 24 hours will have no effect.
## A maximum delay of 168 hours (1 week) is imposed to ensure cache freshness.

[sources]

  ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers

    # [sources.'public-resolvers']
    # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://download.dnscrypt.net/resolvers-list/v3/public-resolvers.md']
    # cache_file = 'public-resolvers.md'
    # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
    # refresh_delay = 168
    # prefix = ''

  ## Anonymized DNS relays

    # [sources.'relays']
    # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/relays.md']
    # cache_file = 'relays.md'
    # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
    # refresh_delay = 168
    # prefix = ''

  ## ODoH (Oblivious DoH) servers and relays

    [sources.'odoh-servers']
      urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-servers.md', 'https://download.dnscrypt.net/resolvers-list/v3/odoh-servers.md']
      cache_file = 'odoh-servers.md'
      minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
      refresh_delay = 168
      prefix = ''
    [sources.'odoh-relays']
      urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/odoh-relays.md']
      cache_file = 'odoh-relays.md'
      minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
      refresh_delay = 168
      prefix = ''

  ## Quad9

  # [sources.quad9-resolvers]
  #   urls = ['https://www.quad9.net/quad9-resolvers.md']
  #   minisign_key = 'RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN'
  #   cache_file = 'quad9-resolvers.md'
  #   prefix = 'quad9-'

  ## Another example source, with resolvers censoring some websites not appropriate for children
  ## This is a subset of the `public-resolvers` list, so enabling both is useless

  #  [sources.'parental-control']
  #    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://download.dnscrypt.net/resolvers-list/v3/parental-control.md']
  #    cache_file = 'parental-control.md'
  #    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'



#########################################
#        Servers with known bugs        #
#########################################

[broken_implementations]

# Cisco servers currently cannot handle queries larger than 1472 bytes, and don't
# truncate responses larger than questions as expected by the DNSCrypt protocol.
# This prevents large responses from being received over UDP and over relays.
#
# Older versions of the `dnsdist` server software had a bug with queries larger
# than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but
# some servers may still run an outdated version.
#
# The list below enables workarounds to make non-relayed usage more reliable
# until the servers are fixed.

fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cleanbrowsing-adult', 'cleanbrowsing-adult-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-security', 'cleanbrowsing-security-ipv6']



#################################################################
#        Certificate-based client authentication for DoH        #
#################################################################

# Use a X509 certificate to authenticate yourself when connecting to DoH servers.
# This is only useful if you are operating your own, private DoH server(s).
# 'creds' maps servers to certificates, and supports multiple entries.
# If you are not using the standard root CA, an optional "root_ca"
# property set to the path to a root CRT file can be added to a server entry.

[doh_client_x509_auth]

#
# creds = [
#    { server_name='*', client_cert='client.crt', client_key='client.key' }
# ]



################################
#        Anonymized DNS        #
################################

[anonymized_dns]

## Routes are indirect ways to reach DNSCrypt servers.
##
## A route maps a server name ("server_name") to one or more relays that will be
## used to connect to that server.
##
## A relay can be specified as a DNS Stamp (either a relay stamp, or a
## DNSCrypt stamp) or a server name.
##
## The following example routes "example-server-1" via `anon-example-1` or `anon-example-2`,
## and "example-server-2" via the relay whose relay DNS stamp is
## "sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM".
##
## !!! THESE ARE JUST EXAMPLES !!!
##
## Review the list of available relays from the "relays.md" file, and, for each
## server you want to use, define the relays you want connections to go through.
##
## Carefully choose relays and servers so that they are run by different entities.
##
## "server_name" can also be set to "*" to define a default route, for all servers:
## { server_name='*', via=['anon-example-1', 'anon-example-2'] }
##
## If a route is ["*"], the proxy automatically picks a relay on a distinct network.
## { server_name='*', via=['*'] } is also an option, but is likely to be suboptimal.
##
## Manual selection is always recommended over automatic selection, so that you can
## select (relay,server) pairs that work well and fit your own criteria (close by or
## in different countries, operated by different entities, on distinct ISPs...)

  routes = [
#    { server_name='example-server-1', via=['anon-example-1', 'anon-example-2'] },
     { server_name='*', via=['odohrelay-crypto-sx', 'odohrelay-koki-ams', 'odohrelay-koki-se', 'odohrelay-koki-bcn', 'odohrelay-surf'] }
#    { server_name='example-server-2', via=['sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM'] }
  ]


# Skip resolvers incompatible with anonymization instead of using them directly

skip_incompatible = true


# If public server certificates for a non-conformant server cannot be
# retrieved via a relay, try getting them directly. Actual queries
# will then always go through relays.

# direct_cert_fallback = false



###############################
#            DNS64            #
###############################

## DNS64 is a mechanism for synthesizing AAAA records from A records.
## It is used with an IPv6/IPv4 translator to enable client-server
## communication between an IPv6-only client and an IPv4-only server,
## without requiring any changes to either the IPv6 or the IPv4 node,
## for the class of applications that work through NATs.
##
## There are two options to synthesize such records:
## Option 1: Using a set of static IPv6 prefixes;
## Option 2: By discovering the IPv6 prefix from DNS64-enabled resolver.
##
## If both options are configured - only static prefixes are used.
## (Ref. RFC6147, RFC6052, RFC7050)
##
## Do not enable unless you know what DNS64 is and why you need it, or else
## you won't be able to connect to anything at all.

[dns64]

## (Option 1) Static prefix(es) as Pref64::/n CIDRs.
# prefix = ['64:ff9b::/96']

## (Option 2) DNS64-enabled resolver(s) to discover Pref64::/n CIDRs.
## These resolvers are used only to query the Well-Known IPv4-only Name (WKN) "ipv4only.arpa." for prefix discovery.
## Set with your ISP's resolvers in case of custom prefixes (other than Well-Known Prefix 64:ff9b::/96).
## IMPORTANT: Default resolvers listed below support Well-Known Prefix 64:ff9b::/96 only.
# resolver = ['[2606:4700:4700::64]:53', '[2001:4860:4860::64]:53']



########################################
#            Static entries            #
########################################

## Optional, local, static list of additional servers
## Mostly useful for testing your own servers.

[static]

  # [static.'myserver']
  # stamp = 'sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'
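
The blocklist pattern syntax and the @schedule suffix described in the [blocked_names] and [schedules] comments above, as an added Python matcher. This is not code from dnscrypt-proxy or from this post: the matching rules (bare name = that name plus its subdomains, "=" = exact match, leading/trailing "*" = substring, a "*" in the middle or a "[...]" class = glob) are my reading of the examples in those comments, and treating a schedule whose 'after' is later than 'before' as wrapping past midnight within the same weekday entry is an assumption.

```python
import fnmatch
import re
from datetime import datetime

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]


def _minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def in_schedule(schedule, when):
    """schedule looks like the [schedules] tables above, e.g.
    {'mon': [{'after': '21:00', 'before': '7:00'}]}. A range whose 'after' is
    later than 'before' wraps past midnight: {after='21:00', before='7:00'}
    covers 21:00-0:00 and 0:00-7:00 (assumption: evaluated against the entry
    for the current weekday)."""
    now = when.hour * 60 + when.minute
    for rng in schedule.get(DAYS[when.weekday()], []):
        after, before = _minutes(rng["after"]), _minutes(rng["before"])
        if after <= before and after <= now < before:
            return True
        if after > before and (now >= after or now < before):
            return True
    return False


def compile_pattern(pattern):
    """Predicate over a lowercased, dot-trimmed query name for one pattern,
    following the examples in the [blocked_names] comments."""
    p = pattern.lower().rstrip(".")
    if p.startswith("="):                      # =example.com : exact name only
        return lambda name: name == p[1:]
    if "[" in p or "*" in p[1:-1]:             # ads*.example[0-9]*.com : glob
        rx = re.compile(fnmatch.translate(p))
        return lambda name: rx.match(name) is not None
    if p.startswith("*") and p.endswith("*"):  # *sex* : substring anywhere
        return lambda name: p[1:-1] in name
    if p.endswith("*"):                        # ads.* : prefix
        return lambda name: name.startswith(p[:-1])
    if p.startswith("*"):                      # *.example.com : suffix
        return lambda name: name.endswith(p[1:])
    return lambda name: name == p or name.endswith("." + p)  # name + subdomains


class Blocklist:
    """One pattern per line, '#' starts a comment, and an optional '@schedule'
    suffix (as in '*.youtube.* @time-to-sleep') limits the rule to that schedule."""

    def __init__(self, text, schedules=None):
        self.schedules = schedules or {}
        self.rules = []
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            pattern, _, sched = line.partition("@")
            sched = sched.strip() or None
            if sched and sched not in self.schedules:
                raise ValueError(f"unknown schedule {sched!r} in rule {line!r}")
            self.rules.append((line, compile_pattern(pattern.strip()), sched))

    def match(self, name, when=None):
        """Return the first matching rule line, or None if the name passes.
        'when' is an ISO-8601 string such as '2024-01-01T23:00' (default: now)."""
        when = datetime.fromisoformat(when) if when else datetime.now()
        name = name.lower().rstrip(".")
        for line, pred, sched in self.rules:
            if pred(name) and (sched is None or in_schedule(self.schedules[sched], when)):
                return line
        return None


# Constructed sample rules and schedule, mirroring the examples in the comments above.
SAMPLE_RULES = """
example.com
=exact.test
*sex*
ads.*
ads*.example[0-9]*.com
*.youtube.* @time-to-sleep
"""
SAMPLE_SCHEDULES = {"time-to-sleep": {"mon": [{"after": "21:00", "before": "7:00"}]}}
```

Note that a substring rule such as `*sex*` also catches names like essex.gov.uk, which is why the log_file option under [blocked_names] is worth enabling when tuning a list.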

6A.) Run "C:\Program Files\dnscrypt-proxy\service-install.bat"

NOTE: Do not install or start the service until the resolver files and the configuration file are in place (otherwise it will not load).

NOTE: If this does not work, terminate the running dnscrypt-proxy.exe process, copy the resolver files over again manually, and restart the service while an active network connection is available.

Open an elevated Command Prompt -> Start Menu -> Run -> taskmgr -> File -> Run new task -> %SystemRoot%\System32\cmd.exe -> select "Create this task with administrative privileges." -> click OK.

Run the following commands:

sc failureflag dnscrypt-proxy 1
sc config dnscrypt-proxy group= NetworkProvider displayname= "DNSCrypt Client Proxy"
sc failure dnscrypt-proxy reset= 60 actions= restart/30000/restart/30000/restart/30000/

6B.) Alternative: apply the following registry patch, dns-proxy.reg (you must restart if you use the registry patch instead of the command line install process):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dnscrypt-proxy]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,\
  6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,64,00,6e,00,73,00,63,00,72,\
  00,79,00,70,00,74,00,2d,00,70,00,72,00,6f,00,78,00,79,00,5c,00,64,00,6e,00,\
  73,00,63,00,72,00,79,00,70,00,74,00,2d,00,70,00,72,00,6f,00,78,00,79,00,2e,\
  00,65,00,78,00,65,00,22,00,20,00,2d,00,63,00,6f,00,6e,00,66,00,69,00,67,00,\
  20,00,64,00,6e,00,73,00,63,00,72,00,79,00,70,00,74,00,2d,00,70,00,72,00,6f,\
  00,78,00,79,00,2e,00,74,00,6f,00,6d,00,6c,00,00,00
"DisplayName"="DNSCrypt Client Proxy"
"ObjectName"="LocalSystem"
"Description"="Encrypted/Authenticated DNS Proxy"
"FailureActionsOnNonCrashFailures"=dword:00000001
"FailureActions"=hex:3c,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,30,75,00,00,01,00,00,00,30,75,00,00,01,00,00,00,30,75,00,00
"Group"="NetworkProvider"

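Before importing the dns-proxy.reg patch from 6B, it is worth decoding what it actually sets and checking that it matches the sc commands from 6A. The Python decoder below is an added example, not part of dnscrypt-proxy or of this post; the .reg excerpt embedded in it is copied from the patch above.

```python
import re
import struct

# Excerpt of the dns-proxy.reg patch from step 6B, copied from the post so the
# decoder below can be run offline against it.
REG_PATCH = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dnscrypt-proxy]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,\
  6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,64,00,6e,00,73,00,63,00,72,\
  00,79,00,70,00,74,00,2d,00,70,00,72,00,6f,00,78,00,79,00,5c,00,64,00,6e,00,\
  73,00,63,00,72,00,79,00,70,00,74,00,2d,00,70,00,72,00,6f,00,78,00,79,00,2e,\
  00,65,00,78,00,65,00,22,00,20,00,2d,00,63,00,6f,00,6e,00,66,00,69,00,67,00,\
  20,00,64,00,6e,00,73,00,63,00,72,00,79,00,70,00,74,00,2d,00,70,00,72,00,6f,\
  00,78,00,79,00,2e,00,74,00,6f,00,6d,00,6c,00,00,00
"FailureActions"=hex:3c,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,30,75,00,00,01,00,00,00,30,75,00,00,01,00,00,00,30,75,00,00
"Group"="NetworkProvider"
'''

START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
SC_ACTIONS = {0: "none", 1: "restart", 2: "reboot", 3: "run"}


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: value}}, joining the
    backslash line continuations regedit uses for long hex values."""
    keys, current, buf = {}, None, ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        line, buf = buf, ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, data = m.groups()
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif data.startswith("hex(2):"):  # REG_EXPAND_SZ as UTF-16LE bytes
            raw_bytes = bytes.fromhex(data[7:].replace(",", ""))
            keys[current][name] = raw_bytes.decode("utf-16-le").rstrip("\x00")
        elif data.startswith("hex:"):  # REG_BINARY
            keys[current][name] = bytes.fromhex(data[4:].replace(",", ""))
        elif data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1]
    return keys


def decode_failure_actions(blob):
    """SERVICE_FAILURE_ACTIONS as stored by the SCM: five 32-bit fields (reset
    period in seconds, reboot-message offset, command offset, action count,
    actions offset) followed by count x {type, delay_ms}."""
    reset, _msg, _cmd, count, offset = struct.unpack_from("<5I", blob, 0)
    acts = [struct.unpack_from("<2I", blob, offset + 8 * i) for i in range(count)]
    return {"reset_seconds": reset,
            "actions": [(SC_ACTIONS.get(t, f"unknown({t})"), d) for t, d in acts]}


def describe_service(reg_text, service="dnscrypt-proxy"):
    """Summarize what the patch sets on the service key, for review before import."""
    key = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\" + service
    vals = parse_reg(reg_text)[key]
    return {
        "image_path": vals["ImagePath"],
        # a binary path with spaces must be quoted so the SCM runs the right file
        "image_path_quoted": vals["ImagePath"].startswith('"'),
        "start": START_TYPES.get(vals["Start"], vals["Start"]),
        "group": vals.get("Group"),
        "failure": decode_failure_actions(vals["FailureActions"]),
    }


def sc_failure_command(service, failure):
    """Render the decoded actions as the 'sc failure' line from step 6A."""
    acts = "".join(f"{t}/{d}/" for t, d in failure["actions"])
    return f"sc failure {service} reset= {failure['reset_seconds']} actions= {acts}"
```

`describe_service(REG_PATCH)` returns the decoded ImagePath (quoted, pointing at the exe installed in step 2), the auto start type and the restart-three-times failure policy, and `sc_failure_command` renders that policy as the same `sc failure` line used in 6A, so both install paths can be compared side by side.
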
7.) Start an elevated PowerShell -> Start Menu -> Run -> taskmgr -> File -> Run new task -> %SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -> select "Create this task with administrative privileges." -> click OK.

7A.) Run the following in PowerShell first. It changes the execution policy so that the later script can run, and also disables the command line history:

# Get-ExecutionPolicy -List   # shows the current policies before they are changed
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser -Force
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope LocalMachine -Force;
Set-PSReadLineOption -HistorySaveStyle SaveNothing -MaximumHistoryCount 1;
Set-Content -Value "Remove-Module PSReadline" -NoNewline -Path $PROFILE;

7B.) NOTE: If you use a VPN, run the following batch file (.BAT) every time it connects to a new server (change "WireGuard" to the name of your VPN adapter).

NOTE: This requires Sdelete64.exe to be extracted to the "C:\Windows\System32" folder (it is part of the Sysinternals Suite: https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite )

@ECHO OFF
SETLOCAL
powershell -noprofile -file %UserProfile%\Desktop\Win64\setDNS.ps1
%SYSTEMROOT%\System32\CMD.EXE /Q /C START /MIN /REALTIME sdelete64 -nobanner -r "%AppData%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
MOVE NUL 2>&0

Example of "setDNS.ps1" (edit these scripts to match whatever folder layout you have in mind):

Set-DnsClientServerAddress -InterfaceAlias WireGuard -ResetServerAddresses;
Disable-NetAdapterBinding -Name WireGuard -AllBindings -IncludeHidden -componentid "ms_netbios";
Disable-NetAdapterBinding -Name WireGuard -componentid "ms_tcpip6";
Disable-NetAdapterBinding -Name WireGuard -componentid "ms_msclient";
Disable-NetAdapterBinding -Name WireGuard -componentid "ms_server";
Disable-NetAdapterBinding -Name WireGuard -componentid "ms_pacer";
Disable-NetAdapterBinding -Name WireGuard -componentid "ms_implat";
Disable-NetAdapterBinding -Name WireGuard -componentid "ms_rspndr";
Disable-NetAdapterBinding -Name WireGuard -componentid "ms_lldp";
Get-DnsClient | Set-DnsClientServerAddress -ResetServerAddresses;
Get-DnsClient | Set-DnsClientServerAddress -ServerAddresses ("127.0.0.1","9.9.9.11");
Get-DnsClient | Set-DNSClient -RegisterThisConnectionsAddress $False -UseSuffixWhenRegistering $False -ConnectionSpecificSuffix " ";

8.) Restart the computer (only if you used the registry patch instead of the command line install, or if you have a VPN).


Links: DNSCrypt-Proxy | DNSCrypt Resolvers | OISD Downloads
