mirror of
https://github.com/okxlin/appstore.git
synced 2026-02-23 03:17:24 +08:00
368 lines
12 KiB
Plaintext
368 lines
12 KiB
Plaintext
# 监听53端口
|
|
bind [::]:53
|
|
# 配置上游服务器
|
|
#server 119.29.29.29
|
|
#server 223.5.5.5
|
|
#server 180.184.1.1
|
|
server-tls 1.1.1.1
|
|
server-https https://doh.pub/dns-query
|
|
server-https https://dns.alidns.com/dns-query
|
|
server-https https://cloudflare-dns.com/dns-query
|
|
|
|
force-qtype-SOA 65
|
|
log-level info
|
|
|
|
###########################################
|
|
# dns server name, default is host name
|
|
# server-name,
|
|
# example:
|
|
# server-name smartdns
|
|
#
|
|
|
|
# whether resolv local hostname to ip address
|
|
# resolv-hostname yes
|
|
|
|
# dns server run user
|
|
# user [username]
|
|
# example: run as nobody
|
|
# user nobody
|
|
#
|
|
|
|
# Include another configuration options
|
|
# conf-file [file]
|
|
# conf-file blacklist-ip.conf
|
|
|
|
# dns server bind ip and port, default dns server port is 53, support binding multi ip and port
|
|
# bind udp server
|
|
# bind [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
|
|
# bind tcp server
|
|
# bind-tcp [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
|
|
# bind tls server
|
|
# bind-tls [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
|
|
# bind-cert-key-file [path to file]
|
|
# tls private key file
|
|
# bind-cert-file [path to file]
|
|
# tls cert file
|
|
# bind-cert-key-pass [password]
|
|
# tls private key password
|
|
# bind-https server
|
|
# bind-https [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
|
|
# option:
|
|
# -group: set domain request to use the appropriate server group.
|
|
# -no-rule-addr: skip address rule.
|
|
# -no-rule-nameserver: skip nameserver rule.
|
|
# -no-rule-ipset: skip ipset rule or nftset rule.
|
|
# -no-speed-check: do not check speed.
|
|
# -no-cache: skip cache.
|
|
# -no-rule-soa: Skip address SOA(#) rules.
|
|
# -no-dualstack-selection: Disable dualstack ip selection.
|
|
# -no-ip-alias: ignore ip alias.
|
|
# -force-aaaa-soa: force AAAA query return SOA.
|
|
# -ipset ipsetname: use ipset rule.
|
|
# -nftset nftsetname: use nftset rule.
|
|
# example:
|
|
# IPV4:
|
|
# bind :53
|
|
# bind :53@eth0
|
|
# bind :6053 -group office -no-speed-check
|
|
# IPV6:
|
|
# bind [::]:53
|
|
# bind [::]:53@eth0
|
|
# bind-tcp [::]:53
|
|
#bind [::]:53
|
|
|
|
# tcp connection idle timeout
|
|
# tcp-idle-time [second]
|
|
|
|
# dns cache size
|
|
# cache-size [number]
|
|
# 0: for no cache
|
|
# -1: auto set cache size
|
|
# cache-size 32768
|
|
|
|
# enable persist cache when restart
|
|
# cache-persist no
|
|
|
|
# cache persist file
|
|
# cache-file /tmp/smartdns.cache
|
|
|
|
# cache persist time
|
|
# cache-checkpoint-time [second]
|
|
# cache-checkpoint-time 86400
|
|
|
|
# prefetch domain
|
|
# prefetch-domain [yes|no]
|
|
# prefetch-domain yes
|
|
|
|
# cache serve expired
|
|
# serve-expired [yes|no]
|
|
# serve-expired yes
|
|
|
|
# cache serve expired TTL
|
|
# serve-expired-ttl [num]
|
|
# serve-expired-ttl 0
|
|
|
|
# reply TTL value to use when replying with expired data
|
|
# serve-expired-reply-ttl [num]
|
|
# serve-expired-reply-ttl 30
|
|
|
|
# List of hosts that supply bogus NX domain results
|
|
# bogus-nxdomain [ip/subnet]
|
|
|
|
# List of IPs that will be filtered when nameserver is configured -blacklist-ip parameter
|
|
# blacklist-ip [ip/subnet]
|
|
|
|
# List of IPs that will be accepted when nameserver is configured -whitelist-ip parameter
|
|
# whitelist-ip [ip/subnet]
|
|
|
|
# List of IPs that will be ignored
|
|
# ignore-ip [ip/subnet]
|
|
|
|
# alias of IPs
|
|
# ip-alias [ip/subnet] [ip1[,ip2]...]
|
|
# ip-alias 192.168.0.1/24 10.9.0.1,10.9.0.2
|
|
|
|
# speed check mode
|
|
# speed-check-mode [ping|tcp:port|none|,]
|
|
# example:
|
|
# speed-check-mode ping,tcp:80,tcp:443
|
|
# speed-check-mode tcp:443,ping
|
|
# speed-check-mode none
|
|
|
|
# force AAAA query return SOA
|
|
# force-AAAA-SOA [yes|no]
|
|
|
|
# force specific qtype return soa
|
|
# force-qtype-SOA [qtypeid |...]
|
|
# force-qtype-SOA [qtypeid|start_id-end_id|,...]
|
|
# force-qtype-SOA 65 28
|
|
# force-qtype-SOA 65,28
|
|
#force-qtype-SOA 65
|
|
|
|
# Enable IPV4, IPV6 dual stack IP optimization selection strategy
|
|
# dualstack-ip-selection-threshold [num] (0~1000)
|
|
# dualstack-ip-allow-force-AAAA [yes|no]
|
|
# dualstack-ip-selection [yes|no]
|
|
# dualstack-ip-selection no
|
|
|
|
# edns client subnet
|
|
# edns-client-subnet [ip/subnet]
|
|
# edns-client-subnet 192.168.1.1/24
|
|
# edns-client-subnet 8::8/56
|
|
|
|
# ttl for all resource record
|
|
# rr-ttl: ttl for all record
|
|
# rr-ttl-min: minimum ttl for resource record
|
|
# rr-ttl-max: maximum ttl for resource record
|
|
# rr-ttl-reply-max: maximum reply ttl for resource record
|
|
# example:
|
|
# rr-ttl 300
|
|
# rr-ttl-min 60
|
|
# rr-ttl-max 86400
|
|
# rr-ttl-reply-max 60
|
|
|
|
# Maximum number of IPs returned to the client|8|number of IPs, 1~16
|
|
# example:
|
|
# max-reply-ip-num 1
|
|
|
|
# response mode
|
|
# Experimental feature
|
|
# response-mode [first-ping|fastest-ip|fastest-response]
|
|
|
|
# set log level
|
|
# log-level: [level], level=off, fatal, error, warn, notice, info, debug
|
|
# log-file: file path of log file.
|
|
# log-console [yes|no]: output log to console.
|
|
# log-size: size of each log file, support k,m,g
|
|
# log-num: number of logs, 0 means disable log
|
|
#log-level info
|
|
|
|
# log-file /var/log/smartdns/smartdns.log
|
|
# log-size 128k
|
|
# log-num 2
|
|
# log-file-mode [mode]: file mode of log file.
|
|
|
|
# dns audit
|
|
# audit-enable [yes|no]: enable or disable audit.
|
|
# audit-enable yes
|
|
# audit-SOA [yes|no]: enable or disable log soa result.
|
|
# audit-size size of each audit file, support k,m,g
|
|
# audit-file /var/log/smartdns-audit.log
|
|
# audit-console [yes|no]: output audit log to console.
|
|
# audit-file-mode [mode]: file mode of audit file.
|
|
# audit-size 128k
|
|
# audit-num 2
|
|
|
|
# Support reading dnsmasq dhcp file to resolve local hostname
|
|
# dnsmasq-lease-file /var/lib/misc/dnsmasq.leases
|
|
|
|
# certificate file
|
|
# ca-file [file]
|
|
# ca-file /etc/ssl/certs/ca-certificates.crt
|
|
|
|
# certificate path
|
|
# ca-path [path]
|
|
# ca-path /etc/ss/certs
|
|
|
|
# remote udp dns server list
|
|
# server [IP]:[PORT]|URL [-blacklist-ip] [-whitelist-ip] [-check-edns] [-group [group] ...] [-exclude-default-group]
|
|
# default port is 53
|
|
# -blacklist-ip: filter result with blacklist ip
|
|
# -whitelist-ip: filter result with whitelist ip, result in whitelist-ip will be accepted.
|
|
# -check-edns: result must exist edns RR, or discard result.
|
|
# g|-group [group]: set server to group, use with nameserver /domain/group.
|
|
# e|-exclude-default-group: exclude this server from default group.
|
|
# p|-proxy [proxy-name]: use proxy to connect to server.
|
|
# -bootstrap-dns: set as bootstrap dns server.
|
|
# -set-mark: set mark on packets.
|
|
# -subnet [ip/subnet]: set edns client subnet.
|
|
# -host-ip [ip]: set dns server host ip.
|
|
# server 8.8.8.8 -blacklist-ip -check-edns -group g1 -group g2
|
|
# server tls://dns.google:853
|
|
# server https://dns.google/dns-query
|
|
|
|
# remote tcp dns server list
|
|
# server-tcp [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-group [group] ...] [-exclude-default-group]
|
|
# default port is 53
|
|
# server-tcp 8.8.8.8
|
|
|
|
# remote tls dns server list
|
|
# server-tls [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
|
|
# -spki-pin: TLS spki pin to verify.
|
|
# -tls-host-verify: cert hostname to verify.
|
|
# -host-name: TLS sni hostname.
|
|
# k|-no-check-certificate: no check certificate.
|
|
# p|-proxy [proxy-name]: use proxy to connect to server.
|
|
# -bootstrap-dns: set as bootstrap dns server.
|
|
# Get SPKI with this command:
|
|
# echo | openssl s_client -connect '[ip]:853' | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
|
|
# default port is 853
|
|
# server-tls 8.8.8.8
|
|
# server-tls 1.0.0.1
|
|
|
|
# remote https dns server list
|
|
# server-https https://[host]:[port]/path [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
|
|
# -spki-pin: TLS spki pin to verify.
|
|
# -tls-host-verify: cert hostname to verify.
|
|
# -host-name: TLS sni hostname.
|
|
# -http-host: http host.
|
|
# k|-no-check-certificate: no check certificate.
|
|
# p|-proxy [proxy-name]: use proxy to connect to server.
|
|
# -bootstrap-dns: set as bootstrap dns server.
|
|
# default port is 443
|
|
# server-https https://cloudflare-dns.com/dns-query
|
|
|
|
# socks5 and http proxy list
|
|
# proxy-server URL -name [proxy name]
|
|
# URL: socks5://[username:password@]host:port
|
|
# http://[username:password@]host:port
|
|
# -name: proxy name, use with server -proxy [proxy-name]
|
|
# example:
|
|
# proxy-server socks5://user:pass@1.2.3.4:1080 -name proxy
|
|
# proxy-server http://user:pass@1.2.3.4:3128 -name proxy
|
|
|
|
# specific nameserver to domain
|
|
# nameserver /domain/[group|-]
|
|
# nameserver /www.example.com/office, Set the domain name to use the appropriate server group.
|
|
# nameserver /www.example.com/-, ignore this domain
|
|
|
|
# expand ptr record from address record
|
|
# expand-ptr-from-address yes
|
|
|
|
# specific address to domain
|
|
# address /domain/[ip1,ip2|-|-4|-6|#|#4|#6]
|
|
# address /www.example.com/1.2.3.4, return ip 1.2.3.4 to client
|
|
# address /www.example.com/1.2.3.4,5.6.7.8, return multiple ip addresses
|
|
# address /www.example.com/-, ignore address, query from upstream, suffix 4, for ipv4, 6 for ipv6, none for all
|
|
# address /www.example.com/#, return SOA to client, suffix 4, for ipv4, 6 for ipv6, none for all
|
|
|
|
# specific cname to domain
|
|
# cname /domain/target
|
|
|
|
# enalbe DNS64 feature
|
|
# dns64 [ip/subnet]
|
|
# dns64 64:ff9b::/96
|
|
|
|
# enable ipset timeout by ttl feature
|
|
# ipset-timeout [yes]
|
|
|
|
# specific ipset to domain
|
|
# ipset /domain/[ipset|-]
|
|
# ipset /www.example.com/block, set ipset with ipset name of block
|
|
# ipset /www.example.com/-, ignore this domain
|
|
|
|
# add to ipset when ping is unreachable
|
|
# ipset-no-speed ipsetname
|
|
# ipset-no-speed pass
|
|
|
|
# enable nftset timeout by ttl feature
|
|
# nftset-timeout [yes|no]
|
|
# nftset-timeout yes
|
|
|
|
# add to nftset when ping is unreachable
|
|
# nftset-no-speed [#4:ip#table#set,#6:ipv6#table#setv6]
|
|
# nftset-no-speed #4:ip#table#set
|
|
|
|
# enable nftset debug, check nftset setting result, output log when error.
|
|
# nftset-debug [yes|no]
|
|
# nftset-debug yes
|
|
|
|
# specific nftset to domain
|
|
# nftset /domain/[#4:ip#table#set,#6:ipv6#table#setv6]
|
|
# nftset /www.example.com/ip#table#set, equivalent to 'nft add element ip table set { ... }'
|
|
# nftset /www.example.com/-, ignore this domain
|
|
# nftset /www.example.com/#6:-, ignore ipv6
|
|
|
|
# set ddns domain
|
|
# ddns-domain domain
|
|
|
|
# set domain rules
|
|
# domain-rules /domain/ [-speed-check-mode [...]]
|
|
# rules:
|
|
# [-c] -speed-check-mode [mode]: speed check mode
|
|
# speed-check-mode [ping|tcp:port|none|,]
|
|
# [-a] -address [address|-]: same as address option
|
|
# [-n] -nameserver [group|-]: same as nameserver option
|
|
# [-p] -ipset [ipset|-]: same as ipset option
|
|
# [-t] -nftset [nftset|-]: same as nftset option
|
|
# [-d] -dualstack-ip-selection [yes|no]: same as dualstack-ip-selection option
|
|
# -no-serve-expired: ignore expired domain
|
|
# -delete: delete domain rule
|
|
# -no-ip-alias: ignore ip alias
|
|
# -no-cache: ignore cache
|
|
|
|
# collection of domains
|
|
# the domain-set can be used with /domain/ for address, nameserver, ipset, etc.
|
|
# domain-set -name [set-name] -type list -file [/path/to/file]
|
|
# [-n] -name [set name]: domain set name
|
|
# [-t] -type [list]: domain set type, list only now
|
|
# [-f] -file [path/to/set]: file path of domain set
|
|
#
|
|
# example:
|
|
# domain-set -name domain-list -type list -file /etc/smartdns/domain-list.conf
|
|
# address /domain-set:domain-list/1.2.3.4
|
|
# nameserver /domain-set:domain-list/server-group
|
|
# ipset /domain-set:domain-list/ipset
|
|
# domain-rules /domain-set:domain-list/ -speed-check-mode ping
|
|
|
|
# set ip rules
|
|
# ip-rules ip-cidrs [-ip-alias [...]]
|
|
# rules:
|
|
# [-c] -ip-alias [ip1,ip2]: same as ip-alias option
|
|
# [-a] -whitelist-ip: same as whitelist-ip option
|
|
# [-n] -blacklist-ip: same as blacklist-ip option
|
|
# [-p] -bogus-nxdomain: same as bogus-nxdomain option
|
|
# [-t] -ignore-ip: same as ignore-ip option
|
|
|
|
# collection of IPs
|
|
# the ip-set can be used with /ip-cidr/ for ip-alias, ignore-ip, etc.
|
|
# ip-set -name [set-name] -type list -file [/path/to/file]
|
|
# [-n] -name [set name]: ip set name
|
|
# [-t] -type [list]: ip set type, list only now
|
|
# [-f] -file [path/to/set]: file path of ip set
|
|
#
|
|
# example:
|
|
# ip-set -name ip-list -file /etc/smartdns/ip-list.conf
|
|
# bogus-nxdomain ip-set:ip-list
|
|
# ip-alias ip-set:ip-list 1.2.3.4
|
|
# ip-alias ip-set:ip-list ip-set:ip-map-list |