# 监听53端口 bind [::]:53 # 配置上游服务器 #server 119.29.29.29 #server 223.5.5.5 #server 180.184.1.1 server-tls 1.1.1.1 server-https https://doh.pub/dns-query server-https https://dns.alidns.com/dns-query server-https https://cloudflare-dns.com/dns-query force-qtype-SOA 65 log-level info ########################################### # dns server name, default is host name # server-name, # example: # server-name smartdns # # whether resolv local hostname to ip address # resolv-hostname yes # dns server run user # user [username] # example: run as nobody # user nobody # # Include another configuration options # conf-file [file] # conf-file blacklist-ip.conf # dns server bind ip and port, default dns server port is 53, support binding multi ip and port # bind udp server # bind [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection] # bind tcp server # bind-tcp [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection] # bind tls server # bind-tls [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection] # bind-cert-key-file [path to file] # tls private key file # bind-cert-file [path to file] # tls cert file # bind-cert-key-pass [password] # tls private key password # bind-https server # bind-https [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection] # option: # -group: set domain request to use the appropriate server group. # -no-rule-addr: skip address rule. # -no-rule-nameserver: skip nameserver rule. # -no-rule-ipset: skip ipset rule or nftset rule. # -no-speed-check: do not check speed. # -no-cache: skip cache. # -no-rule-soa: Skip address SOA(#) rules. # -no-dualstack-selection: Disable dualstack ip selection. # -no-ip-alias: ignore ip alias. # -force-aaaa-soa: force AAAA query return SOA. # -ipset ipsetname: use ipset rule. # -nftset nftsetname: use nftset rule. # example: # IPV4: # bind :53 # bind :53@eth0 # bind :6053 -group office -no-speed-check # IPV6: # bind [::]:53 # bind [::]:53@eth0 # bind-tcp [::]:53 #bind [::]:53 # tcp connection idle timeout # tcp-idle-time [second] # dns cache size # cache-size [number] # 0: for no cache # -1: auto set cache size # cache-size 32768 # enable persist cache when restart # cache-persist no # cache persist file # cache-file /tmp/smartdns.cache # cache persist time # cache-checkpoint-time [second] # cache-checkpoint-time 86400 # prefetch domain # prefetch-domain [yes|no] # prefetch-domain yes # cache serve expired # serve-expired [yes|no] # serve-expired yes # cache serve expired TTL # serve-expired-ttl [num] # serve-expired-ttl 0 # reply TTL value to use when replying with expired data # serve-expired-reply-ttl [num] # serve-expired-reply-ttl 30 # List of hosts that supply bogus NX domain results # bogus-nxdomain [ip/subnet] # List of IPs that will be filtered when nameserver is configured -blacklist-ip parameter # blacklist-ip [ip/subnet] # List of IPs that will be accepted when nameserver is configured -whitelist-ip parameter # whitelist-ip [ip/subnet] # List of IPs that will be ignored # ignore-ip [ip/subnet] # alias of IPs # ip-alias [ip/subnet] [ip1[,ip2]...] # ip-alias 192.168.0.1/24 10.9.0.1,10.9.0.2 # speed check mode # speed-check-mode [ping|tcp:port|none|,] # example: # speed-check-mode ping,tcp:80,tcp:443 # speed-check-mode tcp:443,ping # speed-check-mode none # force AAAA query return SOA # force-AAAA-SOA [yes|no] # force specific qtype return soa # force-qtype-SOA [qtypeid |...] # force-qtype-SOA [qtypeid|start_id-end_id|,...] # force-qtype-SOA 65 28 # force-qtype-SOA 65,28 #force-qtype-SOA 65 # Enable IPV4, IPV6 dual stack IP optimization selection strategy # dualstack-ip-selection-threshold [num] (0~1000) # dualstack-ip-allow-force-AAAA [yes|no] # dualstack-ip-selection [yes|no] # dualstack-ip-selection no # edns client subnet # edns-client-subnet [ip/subnet] # edns-client-subnet 192.168.1.1/24 # edns-client-subnet 8::8/56 # ttl for all resource record # rr-ttl: ttl for all record # rr-ttl-min: minimum ttl for resource record # rr-ttl-max: maximum ttl for resource record # rr-ttl-reply-max: maximum reply ttl for resource record # example: # rr-ttl 300 # rr-ttl-min 60 # rr-ttl-max 86400 # rr-ttl-reply-max 60 # Maximum number of IPs returned to the client|8|number of IPs, 1~16 # example: # max-reply-ip-num 1 # response mode # Experimental feature # response-mode [first-ping|fastest-ip|fastest-response] # set log level # log-level: [level], level=off, fatal, error, warn, notice, info, debug # log-file: file path of log file. # log-console [yes|no]: output log to console. # log-size: size of each log file, support k,m,g # log-num: number of logs, 0 means disable log #log-level info # log-file /var/log/smartdns/smartdns.log # log-size 128k # log-num 2 # log-file-mode [mode]: file mode of log file. # dns audit # audit-enable [yes|no]: enable or disable audit. # audit-enable yes # audit-SOA [yes|no]: enable or disable log soa result. # audit-size size of each audit file, support k,m,g # audit-file /var/log/smartdns-audit.log # audit-console [yes|no]: output audit log to console. # audit-file-mode [mode]: file mode of audit file. # audit-size 128k # audit-num 2 # Support reading dnsmasq dhcp file to resolve local hostname # dnsmasq-lease-file /var/lib/misc/dnsmasq.leases # certificate file # ca-file [file] # ca-file /etc/ssl/certs/ca-certificates.crt # certificate path # ca-path [path] # ca-path /etc/ss/certs # remote udp dns server list # server [IP]:[PORT]|URL [-blacklist-ip] [-whitelist-ip] [-check-edns] [-group [group] ...] [-exclude-default-group] # default port is 53 # -blacklist-ip: filter result with blacklist ip # -whitelist-ip: filter result with whitelist ip, result in whitelist-ip will be accepted. # -check-edns: result must exist edns RR, or discard result. # g|-group [group]: set server to group, use with nameserver /domain/group. # e|-exclude-default-group: exclude this server from default group. # p|-proxy [proxy-name]: use proxy to connect to server. # -bootstrap-dns: set as bootstrap dns server. # -set-mark: set mark on packets. # -subnet [ip/subnet]: set edns client subnet. # -host-ip [ip]: set dns server host ip. # server 8.8.8.8 -blacklist-ip -check-edns -group g1 -group g2 # server tls://dns.google:853 # server https://dns.google/dns-query # remote tcp dns server list # server-tcp [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-group [group] ...] [-exclude-default-group] # default port is 53 # server-tcp 8.8.8.8 # remote tls dns server list # server-tls [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group] # -spki-pin: TLS spki pin to verify. # -tls-host-verify: cert hostname to verify. # -host-name: TLS sni hostname. # k|-no-check-certificate: no check certificate. # p|-proxy [proxy-name]: use proxy to connect to server. # -bootstrap-dns: set as bootstrap dns server. # Get SPKI with this command: # echo | openssl s_client -connect '[ip]:853' | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 # default port is 853 # server-tls 8.8.8.8 # server-tls 1.0.0.1 # remote https dns server list # server-https https://[host]:[port]/path [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group] # -spki-pin: TLS spki pin to verify. # -tls-host-verify: cert hostname to verify. # -host-name: TLS sni hostname. # -http-host: http host. # k|-no-check-certificate: no check certificate. # p|-proxy [proxy-name]: use proxy to connect to server. # -bootstrap-dns: set as bootstrap dns server. # default port is 443 # server-https https://cloudflare-dns.com/dns-query # socks5 and http proxy list # proxy-server URL -name [proxy name] # URL: socks5://[username:password@]host:port # http://[username:password@]host:port # -name: proxy name, use with server -proxy [proxy-name] # example: # proxy-server socks5://user:pass@1.2.3.4:1080 -name proxy # proxy-server http://user:pass@1.2.3.4:3128 -name proxy # specific nameserver to domain # nameserver /domain/[group|-] # nameserver /www.example.com/office, Set the domain name to use the appropriate server group. # nameserver /www.example.com/-, ignore this domain # expand ptr record from address record # expand-ptr-from-address yes # specific address to domain # address /domain/[ip1,ip2|-|-4|-6|#|#4|#6] # address /www.example.com/1.2.3.4, return ip 1.2.3.4 to client # address /www.example.com/1.2.3.4,5.6.7.8, return multiple ip addresses # address /www.example.com/-, ignore address, query from upstream, suffix 4, for ipv4, 6 for ipv6, none for all # address /www.example.com/#, return SOA to client, suffix 4, for ipv4, 6 for ipv6, none for all # specific cname to domain # cname /domain/target # enalbe DNS64 feature # dns64 [ip/subnet] # dns64 64:ff9b::/96 # enable ipset timeout by ttl feature # ipset-timeout [yes] # specific ipset to domain # ipset /domain/[ipset|-] # ipset /www.example.com/block, set ipset with ipset name of block # ipset /www.example.com/-, ignore this domain # add to ipset when ping is unreachable # ipset-no-speed ipsetname # ipset-no-speed pass # enable nftset timeout by ttl feature # nftset-timeout [yes|no] # nftset-timeout yes # add to nftset when ping is unreachable # nftset-no-speed [#4:ip#table#set,#6:ipv6#table#setv6] # nftset-no-speed #4:ip#table#set # enable nftset debug, check nftset setting result, output log when error. # nftset-debug [yes|no] # nftset-debug yes # specific nftset to domain # nftset /domain/[#4:ip#table#set,#6:ipv6#table#setv6] # nftset /www.example.com/ip#table#set, equivalent to 'nft add element ip table set { ... }' # nftset /www.example.com/-, ignore this domain # nftset /www.example.com/#6:-, ignore ipv6 # set ddns domain # ddns-domain domain # set domain rules # domain-rules /domain/ [-speed-check-mode [...]] # rules: # [-c] -speed-check-mode [mode]: speed check mode # speed-check-mode [ping|tcp:port|none|,] # [-a] -address [address|-]: same as address option # [-n] -nameserver [group|-]: same as nameserver option # [-p] -ipset [ipset|-]: same as ipset option # [-t] -nftset [nftset|-]: same as nftset option # [-d] -dualstack-ip-selection [yes|no]: same as dualstack-ip-selection option # -no-serve-expired: ignore expired domain # -delete: delete domain rule # -no-ip-alias: ignore ip alias # -no-cache: ignore cache # collection of domains # the domain-set can be used with /domain/ for address, nameserver, ipset, etc. # domain-set -name [set-name] -type list -file [/path/to/file] # [-n] -name [set name]: domain set name # [-t] -type [list]: domain set type, list only now # [-f] -file [path/to/set]: file path of domain set # # example: # domain-set -name domain-list -type list -file /etc/smartdns/domain-list.conf # address /domain-set:domain-list/1.2.3.4 # nameserver /domain-set:domain-list/server-group # ipset /domain-set:domain-list/ipset # domain-rules /domain-set:domain-list/ -speed-check-mode ping # set ip rules # ip-rules ip-cidrs [-ip-alias [...]] # rules: # [-c] -ip-alias [ip1,ip2]: same as ip-alias option # [-a] -whitelist-ip: same as whitelist-ip option # [-n] -blacklist-ip: same as blacklist-ip option # [-p] -bogus-nxdomain: same as bogus-nxdomain option # [-t] -ignore-ip: same as ignore-ip option # collection of IPs # the ip-set can be used with /ip-cidr/ for ip-alias, ignore-ip, etc. # ip-set -name [set-name] -type list -file [/path/to/file] # [-n] -name [set name]: ip set name # [-t] -type [list]: ip set type, list only now # [-f] -file [path/to/set]: file path of ip set # # example: # ip-set -name ip-list -file /etc/smartdns/ip-list.conf # bogus-nxdomain ip-set:ip-list # ip-alias ip-set:ip-list 1.2.3.4 # ip-alias ip-set:ip-list ip-set:ip-map-list