# dns server name, default is host name
|
|
# server-name,
|
|
# example:
|
|
# server-name smartdns
|
|
#
|
|
server-name smartdns
|
|
|
|
# dns server run user
|
|
# user [username]
|
|
# example: run as nobody
|
|
# user nobody
|
|
#
|
|
# NOTE(review): the daemon is set to run as root, although the example above
# shows an unprivileged account (nobody). A flaw in DNS message handling would
# then run with full privileges. Prefer a dedicated unprivileged user: it needs
# write access to the cache-file path set further down
# (/smartdns/smartdns.cache). Confirm how smartdns handles the privileged
# port 53 when a non-root user is configured.
user root
|
|
|
|
# Include options from another configuration file
|
|
# conf-file [file]
|
|
# conf-file blacklist-ip.conf
|
|
|
|
# dns server bind ip and port, default dns server port is 53, support binding multi ip and port
|
|
# bind udp server
|
|
# bind [IP]:[port] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
|
|
# bind tcp server
|
|
# bind-tcp [IP]:[port] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
|
|
# option:
|
|
# -group: set domain request to use the appropriate server group.
|
|
# -no-rule-addr: skip address rule.
|
|
# -no-rule-nameserver: skip nameserver rule.
|
|
# -no-rule-ipset: skip ipset rule.
|
|
# -no-speed-check: do not check speed.
|
|
# -no-cache: skip cache.
|
|
# -no-rule-soa: Skip address SOA(#) rules.
|
|
# -no-dualstack-selection: Disable dualstack ip selection.
|
|
# -force-aaaa-soa: force AAAA query return SOA.
|
|
# example:
|
|
# IPV4:
|
|
# bind :53
|
|
# bind :6053 -group office -no-speed-check
|
|
# IPV6:
|
|
# bind [::]:53
|
|
# bind-tcp [::]:53
|
|
# NOTE(review): no IP is given, so these presumably listen on every local IPv4
# address, UDP and TCP (confirm). If any interface is reachable from an
# untrusted network, bind to the LAN address instead or firewall port 53, so
# that the host does not answer as an open resolver.
bind :53
|
|
bind-tcp :53
|
|
|
|
# tcp connection idle timeout
|
|
# tcp-idle-time [second]
|
|
tcp-idle-time 3
|
|
|
|
# dns cache size
|
|
# cache-size [number]
|
|
# 0: for no cache
|
|
cache-size 4096
|
|
|
|
# enable persist cache when restart
|
|
# The cache is kept across restarts; it is stored in the cache-file set below.
cache-persist yes
|
|
|
|
# cache persist file
|
|
# cache-file /tmp/smartdns.cache
|
|
# NOTE(review): the contents of this file are presumably loaded back as cached
# answers on start, so whoever can write it can influence what clients are
# told. Keep the file and its directory writable only by the smartdns user
# (a dedicated directory like this one is easier to lock down than /tmp).
cache-file /smartdns/smartdns.cache
|
|
|
|
# prefetch domain
|
|
# prefetch-domain [yes|no]
|
|
prefetch-domain yes
|
|
|
|
# cache serve expired
|
|
# serve-expired [yes|no]
|
|
# Expired cache entries may still be returned to clients.
serve-expired yes
|
|
|
|
# cache serve expired TTL
|
|
# serve-expired-ttl [num]
|
|
# NOTE(review): 0 presumably means there is no limit on how long an expired
# entry may still be served - confirm in the smartdns documentation. A stale
# answer can point at an address its original owner no longer controls, so
# consider a finite limit together with serve-expired-reply-ttl (left
# commented out below).
serve-expired-ttl 0
|
|
|
|
# reply TTL value to use when replying with expired data
|
|
# serve-expired-reply-ttl [num]
|
|
# serve-expired-reply-ttl 30
|
|
|
|
# List of hosts that supply bogus NX domain results
|
|
# bogus-nxdomain [ip/subnet]
|
|
|
|
# List of IPs that will be filtered when nameserver is configured -blacklist-ip parameter
|
|
# blacklist-ip [ip/subnet]
|
|
|
|
# List of IPs that will be accepted when nameserver is configured -whitelist-ip parameter
|
|
# whitelist-ip [ip/subnet]
|
|
|
|
# List of IPs that will be ignored
|
|
# ignore-ip [ip/subnet]
|
|
|
|
# speed check mode
|
|
# speed-check-mode [ping|tcp:port|none|,]
|
|
# example:
|
|
# speed-check-mode ping,tcp:80,tcp:443
|
|
# speed-check-mode tcp:443,ping
|
|
# speed-check-mode none
|
|
# Speed check by TCP port 443 and ping, in the order of the second example above.
# NOTE(review): presumably the resolver itself probes the addresses it has
# resolved; account for this outbound TCP/ICMP traffic in egress rules and in
# network baselines, where it can look like scanning from this host.
speed-check-mode tcp:443,ping
|
|
|
|
# force AAAA query return SOA
|
|
# force-AAAA-SOA [yes|no]
|
|
|
|
# force specific qtype return soa
|
|
# force-qtype-SOA [qtypeid |...]
|
|
# force-qtype-SOA 65 28
|
|
|
|
# Enable IPV4, IPV6 dual stack IP optimization selection strategy
|
|
# dualstack-ip-selection-threshold [num] (0~1000)
|
|
# dualstack-ip-allow-force-AAAA [yes|no]
|
|
# dualstack-ip-selection [yes|no]
|
|
dualstack-ip-selection yes
|
|
|
|
# edns client subnet
|
|
# edns-client-subnet [ip/subnet]
|
|
# edns-client-subnet 192.168.1.1/24
|
|
# edns-client-subnet 8::8/56
|
|
|
|
# ttl for all resource record
|
|
# rr-ttl: ttl for all record
|
|
# rr-ttl-min: minimum ttl for resource record
|
|
# rr-ttl-max: maximum ttl for resource record
|
|
# rr-ttl-reply-max: maximum reply ttl for resource record
|
|
# example:
|
|
# rr-ttl 300
|
|
# rr-ttl-min 60
|
|
# rr-ttl-max 86400
|
|
# rr-ttl-reply-max 60
|
|
# Record TTLs are bounded to the range 60..86400 (units presumably seconds -
# confirm). The 60 floor means very short upstream TTLs are not honoured, so
# upstream record changes can take up to that long to reach clients.
rr-ttl-min 60
|
|
rr-ttl-max 86400
|
|
|
|
# Maximum number of IPs returned to the client: number of IPs, 1~16 (default 8)
|
|
# example:
|
|
# max-reply-ip-num 1
|
|
max-reply-ip-num 4
|
|
|
|
# response mode
|
|
# Experimental feature
|
|
# response-mode [first-ping|fastest-ip|fastest-response]
|
|
response-mode first-ping
|
|
|
|
# set log level
|
|
# log-level: [level], level=fatal, error, warn, notice, info, debug
|
|
# log-file: file path of log file.
|
|
# log-size: size of each log file, support k,m,g
|
|
# log-num: number of logs
|
|
# Only the error level is selected from the list above; log-file, log-size and
# log-num stay commented out, as do all audit-* options in the next section.
# NOTE(review): with this setup there is no per-query record to consult when
# investigating a suspicious lookup; enable audit-enable with a bounded
# audit-size / audit-num if that visibility is needed.
log-level error
|
|
# log-file /var/log/smartdns/smartdns.log
|
|
# log-size 128k
|
|
# log-num 2
|
|
|
|
# dns audit
|
|
# audit-enable [yes|no]: enable or disable audit.
|
|
# audit-enable yes
|
|
# audit-SOA [yes|no]: enable or disable log soa result.
|
|
# audit-size size of each audit file, support k,m,g
|
|
# audit-file /var/log/smartdns-audit.log
|
|
# audit-size 128k
|
|
# audit-num 2
|
|
|
|
# Support reading dnsmasq dhcp file to resolve local hostname
|
|
# dnsmasq-lease-file /var/lib/misc/dnsmasq.leases
|
|
|
|
# certificate file
|
|
# ca-file [file]
|
|
# ca-file /etc/ssl/certs/ca-certificates.crt
|
|
|
|
# certificate path
|
|
# ca-path [path]
|
|
# ca-path /etc/ssl/certs
|
|
|
|
# remote udp dns server list
|
|
# server [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-check-edns] [-group [group] ...] [-exclude-default-group]
|
|
# default port is 53
|
|
# -blacklist-ip: filter result with blacklist ip
|
|
# -whitelist-ip: filter result with whitelist ip, result in whitelist-ip will be accepted.
|
|
# -check-edns: result must exist edns RR, or discard result.
|
|
# -group [group]: set server to group, use with nameserver /domain/group.
|
|
# -exclude-default-group: exclude this server from default group.
|
|
# server 8.8.8.8 -blacklist-ip -check-edns -group g1 -group g2
|
|
|
|
# remote tcp dns server list
|
|
# server-tcp [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-group [group] ...] [-exclude-default-group]
|
|
# default port is 53
|
|
# server-tcp 8.8.8.8
|
|
|
|
# remote tls dns server list
|
|
# server-tls [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
|
|
# -spki-pin: TLS spki pin to verify.
|
|
# -tls-host-verify: cert hostname to verify.
|
|
# -host-name: TLS sni hostname.
|
|
# -no-check-certificate: do not verify the server certificate; the connection is then encrypted but the server is not authenticated.
|
|
# Get SPKI with this command:
|
|
# echo | openssl s_client -connect '[ip]:853' | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
|
|
# default port is 853
|
|
# server-tls 8.8.8.8
|
|
# server-tls 1.0.0.1
|
|
# Active upstreams: DNS over TLS on the default port 853, addressed by bare IP.
# NOTE(review): none of these lines sets -spki-pin or -tls-host-verify, so this
# file does not show which identity the upstream certificate is checked
# against - confirm the smartdns default. Adding an SPKI pin (see the openssl
# command above) or -tls-host-verify <upstream-cert-hostname> per server ties
# each connection to the intended operator rather than to any certificate the
# CA store accepts.
server-tls 1.12.12.12
|
|
server-tls 223.5.5.5
|
|
server-tls 120.53.53.53
|
|
server-tls 223.6.6.6
|
|
server-tls 8.8.8.8
|
|
|
|
# remote https dns server list
|
|
# server-https https://[host]:[port]/path [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
|
|
# -spki-pin: TLS spki pin to verify.
|
|
# -tls-host-verify: cert hostname to verify.
|
|
# -host-name: TLS sni hostname.
|
|
# -http-host: http host.
|
|
# -no-check-certificate: do not verify the server certificate; the connection is then encrypted but the server is not authenticated.
|
|
# default port is 443
|
|
# server-https https://cloudflare-dns.com/dns-query
|
|
|
|
# specific nameserver to domain
|
|
# nameserver /domain/[group|-]
|
|
# nameserver /www.example.com/office, Set the domain name to use the appropriate server group.
|
|
# nameserver /www.example.com/-, ignore this domain
|
|
|
|
# specific address to domain
|
|
# address /domain/[ip|-|-4|-6|#|#4|#6]
|
|
# address /www.example.com/1.2.3.4, return ip 1.2.3.4 to client
|
|
# address /www.example.com/-, ignore address, query from upstream, suffix 4, for ipv4, 6 for ipv6, none for all
|
|
# address /www.example.com/#, return SOA to client, suffix 4, for ipv4, 6 for ipv6, none for all
|
|
# Static answers for local services: each name below is answered with the
# private address 192.168.64.64 directly by this resolver (see "return ip ...
# to client" above). Clients using any other resolver will not get these
# answers.
address /nas.sigkill.top/192.168.64.64
|
|
address /pi.sigkill.top/192.168.64.64
|
|
address /aria2.sigkill.top/192.168.64.64
|
|
address /files.sigkill.top/192.168.64.64
|
|
address /media.sigkill.top/192.168.64.64
|
|
address /proxy.sigkill.top/192.168.64.64
|
|
address /speed.sigkill.top/192.168.64.64
|
|
|
|
# Hand-pinned public address: answered from this file instead of upstream, so
# it has to be updated manually if the host moves.
address /git.oxfs.io/80.251.215.149
|
|
|
|
# NOTE(review): the entries below pin third-party names to fixed public
# addresses (they look like shared CDN ranges - to be confirmed). Pinned
# answers bypass upstream resolution and never expire, so they go stale
# silently if the provider reassigns the addresses; the client's HTTPS
# certificate check is then the only thing that detects a wrong endpoint.
# Re-verify them periodically or remove them. Also confirm whether repeated
# address lines for one domain accumulate or whether only one takes effect.
address /themoviedb.org/13.225.103.6
|
|
address /themoviedb.org/13.225.103.126
|
|
address /themoviedb.org/13.225.103.96
|
|
address /themoviedb.org/13.225.103.79
|
|
address /www.themoviedb.org/13.225.103.6
|
|
address /www.themoviedb.org/13.225.103.126
|
|
address /www.themoviedb.org/13.225.103.96
|
|
address /www.themoviedb.org/13.225.103.79
|
|
address /api.themoviedb.org/13.224.167.10
|
|
address /api.themoviedb.org/13.224.167.16
|
|
address /api.themoviedb.org/13.224.167.74
|
|
address /api.themoviedb.org/13.224.167.108
|
|
address /image.tmdb.org/108.138.246.102
|
|
address /image.tmdb.org/108.138.246.35
|
|
address /image.tmdb.org/108.138.246.49
|
|
address /image.tmdb.org/108.138.246.73
|
|
|
|
# enable ipset timeout by ttl feature
|
|
# ipset-timeout [yes]
|
|
|
|
# specific ipset to domain
|
|
# ipset /domain/[ipset|-]
|
|
# ipset /www.example.com/block, set ipset with ipset name of block
|
|
# ipset /www.example.com/-, ignore this domain
|
|
|
|
# set domain rules
|
|
# domain-rules /domain/ [-speed-check-mode [...]]
|
|
# rules:
|
|
# [-c] -speed-check-mode [mode]: speed check mode
|
|
# speed-check-mode [ping|tcp:port|none|,]
|
|
# [-a] -address [address|-]: same as address option
|
|
# [-n] -nameserver [group|-]: same as nameserver option
|
|
# [-p] -ipset [ipset|-]: same as ipset option
|
|
# [-d] -dualstack-ip-selection [yes|no]: same as dualstack-ip-selection option
|
|
|