docs: ✏️ added bogus_nxdomain

Andrey Meshkov 2020-05-08 18:59:49 +03:00
parent b5bb023b69
commit b4a9bd3052
1 changed files with 49 additions and 31 deletions

@ -144,34 +144,52 @@ Settings are stored in [YAML format](https://en.wikipedia.org/wiki/YAML), possib
* `web_session_ttl` — Web session TTL (in hours) - a web user will stay signed in for this amount of time. * `web_session_ttl` — Web session TTL (in hours) - a web user will stay signed in for this amount of time.
* `rlimit_nofile` — Limit on the maximum number of open files for server process (Linux and macOS). Set to 0 to use the system default value. * `rlimit_nofile` — Limit on the maximum number of open files for server process (Linux and macOS). Set to 0 to use the system default value.
* `debug_pprof` — Enable pprof HTTP server listening on port 6060 for debugging. See section `Profiling with pprof`. * `debug_pprof` — Enable pprof HTTP server listening on port 6060 for debugging. See section `Profiling with pprof`.
* `dns` — DNS configuration section. * `dns` — DNS configuration section.
* **General settings**
* `bind_host` - DNS interface IP address to listen on. * `bind_host` - DNS interface IP address to listen on.
* `port` — DNS server port to listen on. * `port` — DNS server port to listen on.
* `statistics_interval` - time interval for statistics (in days)
* **Protection settings**
* `protection_enabled` — Whether any kind of filtering and protection should be done, when off it works as a plain dns forwarder. * `protection_enabled` — Whether any kind of filtering and protection should be done, when off it works as a plain dns forwarder.
* `filtering_enabled` — Filtering of DNS requests based on filter lists. * `filtering_enabled` — Filtering of DNS requests based on filter lists.
* `blocking_mode` — Specifies how to block DNS requests. "nxdomain" (default): respond with NXDOMAIN status; "null_ip": respond with the unspecified IP address (0.0.0.0). * `blocking_mode` — Specifies how to block DNS requests. "nxdomain" (default): respond with NXDOMAIN status; "null_ip": respond with the unspecified IP address (0.0.0.0); or "custom_ip": reponsd with `blocking_ipv4` or `blocking_ipv6`.
* `blocking_ipv4` - IP address to be returned for a blocked A request if `blocking_mode` is set to `custom_ip`
* `blocking_ipv6` - IP address to be returned for a blocked AAAA request if `blocking_mode` is set to `custom_ip`
* `blocked_response_ttl` — For how many seconds the clients should cache a filtered response. Low values are useful on LAN if you change filters very often, high values are useful to increase performance and save traffic. * `blocked_response_ttl` — For how many seconds the clients should cache a filtered response. Low values are useful on LAN if you change filters very often, high values are useful to increase performance and save traffic.
* `querylog_enabled` — Query logging (also used to calculate top 50 clients, blocked domains and requested domains for statistical purposes).
* `ratelimit` — DDoS protection, specifies in how many packets per second a client should receive. Anything above that is silently dropped. To disable set 0, default is 20. Safe to disable if DNS server is not available from internet.
* `ratelimit_whitelist` — If you want exclude some IP addresses from ratelimiting but keep ratelimiting on for others, put them here.
* `refuse_any` — Another DDoS protection mechanism. Requests of type ANY are rarely needed, so refusing to serve them mitigates against attackers trying to use your DNS as a reflection. Safe to disable if DNS server is not available from internet.
* `bootstrap_dns` — List of DNS servers used for initial hostname resolution in case an upstream server name is a hostname.
* `all_servers` — Enables parallel queries to all configured upstream servers to speed up resolving. If disabled, the queries are sent to each upstream server one-by-one and then sorted by RTT.
* `edns_client_subnet` — Enable EDNS Client Subnet option
* `aaaa_disabled` — Respond with an empty answer to all AAAA requests
* `fastest_addr` — Use Fastest Address algorithm. It finds an IP address with the lowest latency and returns this IP address in DNS response.
* `allowed_clients` — IP addresses of allowed clients
* `disallowed_clients` — IP addresses of clients that should be blocked
* `blocked_hosts` — hosts that should be blocked
* `parental_block_host` — IP (or domain name) which is used to respond to DNS requests blocked by parental control * `parental_block_host` — IP (or domain name) which is used to respond to DNS requests blocked by parental control
* `safebrowsing_block_host` — IP (or domain name) which is used to respond to DNS requests blocked by safe-browsing * `safebrowsing_block_host` — IP (or domain name) which is used to respond to DNS requests blocked by safe-browsing
* `parental_enabled` — Parental control-based DNS requests filtering. * `parental_enabled` — Parental control-based DNS requests filtering.
* `safesearch_enabled` — Enforcing "Safe search" option for search engines, when possible. * `safesearch_enabled` — Enforcing "Safe search" option for search engines, when possible.
* `safebrowsing_enabled` — Filtering of DNS requests based on safebrowsing. * `safebrowsing_enabled` — Filtering of DNS requests based on safebrowsing.
* **Query log settings**
* `querylog_enabled` — Query logging (also used to calculate top 50 clients, blocked domains and requested domains for statistical purposes).
* `querylog_interval` - Time interval for query log (in days)
* `querylog_size_memory` - Number of entries kept in memory before they are flushed to disk
* `anonymize_client_ip` - If true, anonymize clients' IP addresses in logs and stats
* **Anti-DNS amplification features**
* `ratelimit` — DDoS protection, specifies in how many packets per second a client should receive. Anything above that is silently dropped. To disable set 0, default is 20. Safe to disable if DNS server is not available from internet.
* `ratelimit_whitelist` — If you want exclude some IP addresses from ratelimiting but keep ratelimiting on for others, put them here.
* `refuse_any` — Another DDoS protection mechanism. Requests of type ANY are rarely needed, so refusing to serve them mitigates against attackers trying to use your DNS as a reflection. Safe to disable if DNS server is not available from internet.
* **Upstream DNS servers settings**
* `upstream_dns` — List of upstream DNS servers. * `upstream_dns` — List of upstream DNS servers.
* `bootstrap_dns` — List of DNS servers used for initial hostname resolution in case an upstream server name is a hostname.
* `all_servers` — Enables parallel queries to all configured upstream servers to speed up resolving. If disabled, the queries are sent to each upstream server one-by-one and then sorted by RTT.
* `fastest_addr` — Use Fastest Address algorithm. It finds an IP address with the lowest latency and returns this IP address in DNS response.
* **ECS settings**
* `edns_client_subnet` — Enable EDNS Client Subnet option
* **Access settings**
* `allowed_clients` — IP addresses of allowed clients
* `disallowed_clients` — IP addresses of clients that should be blocked
* `blocked_hosts` — hosts that should be blocked
* **DNS cache settings**
* `cache_size` — DNS cache size (in bytes) * `cache_size` — DNS cache size (in bytes)
* `cache_ttl_min` — override TTL value (minimum) received from upstream server. This value can't larger than 3600 (1 hour). * `cache_ttl_min` — override TTL value (minimum) received from upstream server. This value can't larger than 3600 (1 hour).
* `cache_ttl_max` — override TTL value (maximum) received from upstream server * `cache_ttl_max` — override TTL value (maximum) received from upstream server
* **Other settings**
* `bogus_nxdomain` - Transform responses with these IP addresses to NXDOMAIN
* `enable_dnssec` - Set DNSSEC flag in the outgoing DNS requests and check the result
* `aaaa_disabled` — Respond with an empty answer to all AAAA requests
* `safebrowsing_cache_size` — Safe Browsing cache size (in bytes) * `safebrowsing_cache_size` — Safe Browsing cache size (in bytes)
* `safesearch_cache_size` — Safe Search cache size (in bytes) * `safesearch_cache_size` — Safe Search cache size (in bytes)
* `parental_cache_size` — Parental Control cache size (in bytes) * `parental_cache_size` — Parental Control cache size (in bytes)
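Review bot: the `custom_ip` sentence added to the `blocking_mode` line has a typo, `reponsd` should be `respond`, and the new `bogus_nxdomain` entry needs one more sentence: "Transform responses with these IP addresses to NXDOMAIN" does not say that the value is a list of IP addresses or when an operator would want it (an upstream that answers a non-existent name with a fixed address instead of NXDOMAIN is the case the option name suggests), so a reader cannot tell what to put there. While the hunk is touching these lines, the unchanged `cache_ttl_min` text is missing a word: "This value can't larger than 3600 (1 hour)" should read "This value can't be larger than 3600 (1 hour)". Minor style point: the new entries (`blocking_ipv4`, `blocking_ipv6`, `bogus_nxdomain`, `enable_dnssec`, `statistics_interval`, `querylog_interval`, `querylog_size_memory`, `anonymize_client_ip`) use ` - ` as the separator and end without a period, while the rest of the list uses ` — ` and full sentences; keeping one convention would make the reorganised sections read uniformly.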