-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathpdnsd.conf
197 lines (184 loc) · 7.15 KB
/
pdnsd.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
// Sample pdnsd configuration file. Must be customized to obtain a working pdnsd setup!
// Read the pdnsd.conf(5) manpage for an explanation of the options.
// Add or remove '#' in front of options you want to disable or enable, respectively.
// Remove '/*' and '*/' to enable complete sections.
global {
perm_cache=40960;
cache_dir="/var/cache/pdnsd";
# pid_file = /var/run/pdnsd.pid;
run_as="nobody";
server_ip = 0.0.0.0; # Use eth0 here if you want to allow other
# machines on your network to query pdnsd.
status_ctl = on;
# paranoid=on; # This option reduces the chance of cache poisoning
# but may make pdnsd less efficient, unfortunately.
query_method=udp_tcp;
min_ttl=7d; # Retain cached entries at least 15 minutes.
max_ttl=12w; # One week.
timeout=10; # Global timeout option (10 seconds).
neg_domain_pol=off;
udpbufsize=1024; # Upper limit on the size of UDP messages.
par_queries=1; # only perform one request to upstream throught,
# query by client resolve
}
# The following section is most appropriate if you have a fixed connection to
# the Internet and an ISP which provides good DNS servers.
server {
label= "myisp";
ip = 218.85.157.99,218.85.152.99; # Put your ISP's DNS-server address(es) here.
reject = 218.85.148.250/32, # You may need to add additional address ranges
218.85.65.150/32, # this result can be deny by empty record witch
67.215.65.132/32; # Chinese Telecom often hijack with on user resolving
proxy_only=on; # Do not query any name servers beside your ISP's.
# This may be necessary if you are behind some
# kind of firewall and cannot receive replies
# from outside name servers.
timeout=4; # Server timeout; this may be much shorter
# that the global timeout option.
uptest=if; # Test if the network interface is active.
interface=br0; # The name of the interface to check.
interval=10m; # Check every 10 minutes.
purge_cache=off; # Keep stale cache entries in case the ISP's
# DNS servers go offline.
edns_query=yes; # Use EDNS for outgoing queries to allow UDP messages
# larger than 512 bytes. May cause trouble with some
# legacy systems.
# exclude=.thepiratebay.org, # If your ISP censors certain names, you may
# .thepiratebay.se, # want to exclude them here, and provide an
# .piratebay.org, # alternative server section below that will
# .piratebay.se; # successfully resolve the names.
}
/*
# The following section is more appropriate for dial-up connections.
# Read about how to use pdnsd-ctl for dynamic configuration in the documentation.
server {
label= "dialup";
file = "/etc/ppp/resolv.conf"; # Preferably do not use /etc/resolv.conf
proxy_only=on;
timeout=4;
uptest=if;
interface = ppp0;
interval=10; # Check the interface every 10 seconds.
purge_cache=off;
preset=off;
}
*/
# The servers provided by OpenDNS are fast, but they do not reply with
# NXDOMAIN for non-existant domains, instead they supply you with an
# address of one of their search engines. They also lie about the addresses of
# of the search engines of google, microsoft and yahoo.
# If you do not like this behaviour the "reject" option may be useful.
server {
label = "opendns";
ip = 208.67.222.222, 208.67.220.220;
port = 5353; # opendns has the unstandard port
reject = 208.69.32.0/24, # You may need to add additional address ranges
208.69.34.0/24, # here if the addresses of their search engines
208.67.219.0/24; # change.
query_method=udp_only;
reject_policy = fail; # If you do not provide any alternative server
# sections, like the following root-server
# example, "negate" may be more appropriate here.
timeout = 4;
uptest = ping; # Test availability using ICMP echo requests.
ping_timeout = 100; # ping test will time out after 10 seconds.
interval = 15m; # Test every 15 minutes.
preset = off;
include=.adobe.com, # include a list that resolve domain only use this server
.akamaihd.net,
.android.com,
.angrybirds.com,
.appspot.com,
.blogspot.com,
.chromium.org,
.dropbox.com,
.edgesuite.net,
.facebook.com,
.facebook.net,
.fbcdn.net,
.fbops.com,
.fbplugin.com,
.feedburner.com,
.flickr.com,
.g.co,
.ggpht.com,
.gmail.com,
.goo.gl,
.googleadservices.com,
.google-analytics.com,
.googleapis.com,
.google.cn,
.google.com.hk,
.googlecode.com,
.google.com,
.googlelabs.com,
.googlemail.com,
.googlesource.com,
.googlesyndication.com,
.googleusercontent.com,
.gstatic.cn,
.gstatic.com,
.keyhole.com,
.mediawiki.org,
.tfbnw.net,
.thefacebook.com,
.wikibooks.org,
.wikimediafoundation.org,
.wikimedia.org,
.wikinews.org,
.wikipedia.org,
.wikiquote.org,
.wikisource.org,
.wiktionary.org,
.yahoo.com,
.yimg.com,
.youtube.com,
.ytimg.com;
}
# This section is meant for resolving from root servers.
server {
label = "root-servers";
root_server = discover; # Query the name servers listed below
# to obtain a full list of root servers.
randomize_servers = on; # Give every root server an equal chance
# of being queried.
ip = 198.41.0.4, # This list will be expanded to the full
192.228.79.201; # list on start up.
timeout = 5;
uptest = query; # Test availability using empty DNS queries.
# query_test_name = .; # To be used if remote servers ignore empty queries.
interval = 30m; # Test every half hour.
ping_timeout = 300; # Test should time out after 30 seconds.
purge_cache = off;
# edns_query = yes; # Use EDNS for outgoing queries to allow UDP messages
# larger than 512 bytes. May cause trouble with some
# legacy systems.
exclude = .localdomain;
policy = included;
preset = off;
}
source {
owner=localhost;
# serve_aliases=on;
file="/etc/hosts";
}
/*
include {file="/etc/pdnsd.include";} # Read additional definitions from /etc/pdnsd.include.
*/
rr {
name=localhost;
reverse=on;
a=127.0.0.1;
owner=localhost;
soa=localhost,root.localhost,42,86400,900,86400,86400;
}
## Extensive domain name supported
## that cname bbs.operachina.com to operachina.com
rr {name=operachina.com; a=59.151.106.253;}
rr {name=*.operachina.com; cname=operachina.com;}
## an A record
rr {name=encrypted.google.com; a=203.208.46.130;}
## block all domains witch match *.51.la but not 51.la
neg {name=51.la; types=domain;}
## block domain ad.qq.com only
neg {name=ad.qq.com; types=A,AAAA;}