Update config template in blocky-install.sh

install/blocky-install.sh

@@ -28,29 +28,37 @@ RELEASE=$(curl -s https://api.github.com/repos/0xERR0R/blocky/releases/latest |
 wget -qO- https://github.com/0xERR0R/blocky/releases/download/v${RELEASE}/blocky_v${RELEASE}_Linux_x86_64.tar.gz | tar -xzf - -C /opt/blocky/
 
 cat <<EOF >/opt/blocky/config.yml
-upstream:
+upstreams:
-  # these external DNS resolvers will be used. Blocky picks 2 random resolvers from the list for each query
+  init:
-  # format for resolver: [net:]host:[port][/path]. net could be empty (default, shortcut for tcp+udp), tcp+udp, tcp, udp, tcp-tls or https (DoH). If port is empty, default port will be used (53 for udp and tcp, 853 for tcp-tls, 443 for https (Doh))
+    # Configure startup behavior.
-  # this configuration is mandatory, please define at least one external DNS resolver
+    # accepted: blocking, failOnError, fast
-  default:
+    # default: blocking
-    # example for tcp+udp IPv4 server (https://digitalcourage.de/)
+    strategy: fast
-    #- 5.9.164.112
+  groups:
-    # Cloudflare
+    # these external DNS resolvers will be used. Blocky picks 2 random resolvers from the list for each query
-    - 1.1.1.1
+    # format for resolver: [net:]host:[port][/path]. net could be empty (default, shortcut for tcp+udp), tcp+udp, tcp, udp, tcp-tls or https (DoH). If port is empty, default port will be used (53 for udp and tcp, 853 for tcp-tls, 443 for https (Doh))
-    # example for DNS-over-TLS server (DoT)
+    # this configuration is mandatory, please define at least one external DNS resolver
-    #- tcp-tls:fdns1.dismail.de:853
+    default:
-    # example for DNS-over-HTTPS (DoH)
+      # example for tcp+udp IPv4 server (https://digitalcourage.de/)
-    #- https://dns.digitale-gesellschaft.ch/dns-query
+      #- 5.9.164.112
-  # optional: use client name (with wildcard support: * - sequence of any characters, [0-9] - range)
+      # Cloudflare
-  # or single ip address / client subnet as CIDR notation
+      - 1.1.1.1
-  #laptop*:
+      # example for DNS-over-TLS server (DoT)
-    #- 123.123.123.123
+      #- tcp-tls:fdns1.dismail.de:853
-
+      # example for DNS-over-HTTPS (DoH)
-# optional: timeout to query the upstream resolver. Default: 2s
+      #- https://dns.digitale-gesellschaft.ch/dns-query
-#upstreamTimeout: 2s
+    # optional: use client name (with wildcard support: * - sequence of any characters, [0-9] - range)
-
+    # or single ip address / client subnet as CIDR notation
-# optional: If true, blocky will fail to start unless at least one upstream server per group is reachable. Default: false
+    #laptop*:
-#startVerifyUpstream: true
+      #- 123.123.123.123
+  # optional: Determines what strategy blocky uses to choose the upstream servers.
+  # accepted: parallel_best, strict, random
+  # default: parallel_best
+  #strategy: parallel_best
+  # optional: timeout to query the upstream resolver. Default: 2s
+  #timeout: 2s
+  # optional: HTTP User Agent when connecting to upstreams. Default: none
+  #userAgent: "custom UA"
 
 # optional: Determines how blocky will create outgoing connections. This impacts both upstreams, and lists.
 # accepted: dual, v4, v6
@@ -59,7 +67,7 @@ upstream:
 
 # optional: custom IP address(es) for domain name (with all sub-domains). Multiple addresses must be separated by a comma
 # example: query "printer.lan" or "my.printer.lan" will return 192.168.178.3
-#customDNS:
+customDNS:
   #customTTL: 1h
   # optional: if true (default), return empty result for unmapped query types (for example TXT, MX or AAAA if only IPv4 address is defined).
   # if false, queries with unmapped types will be forwarded to the upstream resolver
@@ -72,9 +80,9 @@ upstream:
 
 # optional: definition, which DNS resolver(s) should be used for queries to the domain (with all sub-domains). Multiple resolvers must be separated by a comma
 # Example: Query client.fritz.box will ask DNS server 192.168.178.1. This is necessary for local network, to resolve clients by host name
-#conditional:
+conditional:
   # optional: if false (default), return empty result if after rewrite, the mapped resolver returned an empty answer. If true, the original query will be sent to the upstream resolver
-  # Example: The query "blog.example.com" will be rewritten to "blog.fritz.box" and also redirected to the resolver at 192.168.178.1. If not found and if  was set to , the original query "blog.example.com" will be sent upstream.
+  # Example: The query "blog.example.com" will be rewritten to "blog.fritz.box" and also redirected to the resolver at 192.168.178.1. If not found and if 'fallbackUpstream' was set to 'true', the original query "blog.example.com" will be sent upstream.
   # Usage: One usecase when having split DNS for internal and external (internet facing) users, but not all subdomains are listed in the internal domain.
   #fallbackUpstream: false
   # optional: replace domain in the query with other domain before resolver lookup in the mapping
@@ -84,31 +92,33 @@ upstream:
     #fritz.box: 192.168.178.1
     #lan.net: 192.168.178.1,192.168.178.2
 
-# optional: use black and white lists to block queries (for example ads, trackers, adult pages etc.)
+# optional: use allow/denylists to block queries (for example ads, trackers, adult pages etc.)
 blocking:
-  # definition of blacklist groups. Can be external link (http/https) or local file
+  # definition of denylist groups. Can be external link (http/https) or local file
-  blackLists:
+  denylists:
     ads:
       - https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
       - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
       - http://sysctl.org/cameleon/hosts
       - https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
-      - |
+      #- |
         # inline definition with YAML literal block scalar style
-        # hosts format
+        #someadsdomain.com
-        someadsdomain.com
+        #*.example.com
     special:
       - https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts
-  # definition of whitelist groups. Attention: if the same group has black and whitelists, whitelists will be used to disable particular blacklist entries. If a group has only whitelist entries -> this means only domains from this list are allowed, all other domains will be blocked
+  # definition of allowlist groups.
-  whiteLists:
+  # Note: if the same group has both allow/denylists, allowlists take precedence. Meaning if a domain is both blocked and allowed, it will be allowed.
-    ads:
+  # If a group has only allowlist entries, only domains from this list are allowed, and all others be blocked.
-      - whitelist.txt
+  allowlists:
-      - |
+    #ads:
+      #- allowlist.txt
+      #- |
         # inline definition with YAML literal block scalar style
         # hosts format
-        whitelistdomain.com
+        #allowlistdomain.com
         # this is a regex
-        /^banners?[_.-]/
+        #/^banners?[_.-]/
   # definition: which groups should be applied for which client
   clientGroupsBlock:
     # default will be used, if no special definition for a client name exists
@@ -125,22 +135,38 @@ blocking:
   # zeroIp: 0.0.0.0 will be returned (default)
   # nxDomain: return NXDOMAIN as return code
   # comma separated list of destination IP addresses (for example: 192.100.100.15, 2001:0db8:85a3:08d3:1319:8a2e:0370:7344). Should contain ipv4 and ipv6 to cover all query types. Useful with running web server on this address to display the "blocked" page.
-  blockType: zeroIp
+  #blockType: zeroIp
   # optional: TTL for answers to blocked domains
   # default: 6h
   blockTTL: 1m
-  # optional: automatically list refresh period (in duration format). Default: 4h.
+  # optional: Configure how lists, AKA sources, are loaded
-  # Negative value -> deactivate automatically refresh.
+  loading:
-  # 0 value -> use default
+    # optional: list refresh period in duration format.
-  refreshPeriod: 4h
+    # Set to a value <= 0 to disable.
-  # optional: timeout for list download (each url). Default: 60s. Use large values for big lists or slow internet connections
+    # default: 4h
-  downloadTimeout: 4m
+    #refreshPeriod: 24h
-  # optional: Download attempt timeout. Default: 60s
+    # optional: Applies only to lists that are downloaded (HTTP URLs).
-  downloadAttempts: 5
+    downloads:
-  # optional: Time between the download attempts. Default: 1s
+      # optional: timeout for list download (each url). Use large values for big lists or slow internet connections
-  downloadCooldown: 10s
+      # default: 5s
-  # optional: if failOnError, application startup will fail if at least one list can't be downloaded / opened. Default: blocking
+      timeout: 60s
-  #startStrategy: failOnError
+      # optional: Maximum download attempts
+      # default: 3
+      attempts: 5
+      # optional: Time between the download attempts
+      # default: 500ms
+      cooldown: 10s
+    # optional: Maximum number of lists to process in parallel.
+    # default: 4
+    #concurrency: 16
+    # Configure startup behavior.
+    # accepted: blocking, failOnError, fast
+    # default: blocking
+    #strategy: failOnError
+    # Number of errors allowed in a list before it is considered invalid.
+    # A value of -1 disables the limit.
+    # default: 5
+    #maxErrorsPerSource: 5
 
 # optional: configuration for caching of DNS responses
 caching:
@@ -170,6 +196,9 @@ caching:
   # Max number of domains to be kept in cache for prefetching (soft limit). Useful on systems with limited amount of RAM.
   # Default (0): unlimited
   #prefetchMaxItemsCount: 0
+  # Time how long negative results (NXDOMAIN response or empty result) are cached. A value of -1 will disable caching for negative results.
+  # Default: 30m
+  #cacheTimeNegative: 30m
 
 # optional: configuration of client name resolution
 clientLookup:
@@ -184,6 +213,7 @@ clientLookup:
   #clients:
     #laptop:
       #- 192.168.178.29
+
 # optional: configuration for prometheus metrics endpoint
 prometheus:
   # enabled if true
@@ -194,7 +224,7 @@ prometheus:
 # optional: write query information (question, answer, client, duration etc.) to daily csv file
 queryLog:
   # optional one of: mysql, postgresql, csv, csv-client. If empty, log to console
-  #type: mysql
+  type:
   # directory (should be mounted as volume in docker) for csv, db connection string for mysql/postgresql
   #target: db_user:db_password@tcp(db_host_or_ip:3306)/db_name?charset=utf8mb4&parseTime=True&loc=Local
   #postgresql target: postgres://user:password@db_host_or_ip:5432/db_name
@@ -204,11 +234,19 @@ queryLog:
   #creationAttempts: 1
   # optional: Time between the creation attempts, default: 2s
   #creationCooldown: 2s
+  # optional: Which fields should be logged. You can choose one or more from: clientIP, clientName, responseReason, responseAnswer, question, duration. If not defined, it logs all fields
+  #fields:
+    #- clientIP
+    #- duration
+  # optional: Interval to write data in bulk to the external database, default: 30s
+  #flushInterval: 30s
 
 # optional: Blocky can synchronize its cache and blocking state between multiple instances through redis.
 redis:
-  # Server address and port
+  # Server address and port or master name if sentinel is used
-  #address: redis:6379
+  #address: redismaster
+  # Username if necessary
+  #username: usrname
   # Password if necessary
   #password: passwd
   # Database, default: 0
@@ -219,50 +257,123 @@ redis:
   #connectionAttempts: 10
   # Time between the connection attempts, default: 1s
   #connectionCooldown: 3s
+  # Sentinal username if necessary
+  #sentinelUsername: usrname
+  # Sentinal password if necessary
+  #sentinelPassword: passwd
+  # List with address and port of sentinel hosts(sentinel is activated if at least one sentinel address is configured)
+  #sentinelAddresses:
+    #- redis-sentinel1:26379
+    #- redis-sentinel2:26379
+    #- redis-sentinel3:26379
 
-# optional: DNS listener port(s) and bind ip address(es), default 53 (UDP and TCP). Example: 53, :53, "127.0.0.1:5353,[::1]:5353"
-port: 553
-# optional: Port(s) and bind ip address(es) for DoT (DNS-over-TLS) listener. Example: 853, 127.0.0.1:853
-#tlsPort: 853
-# optional: HTTPS listener port(s) and bind ip address(es), default empty = no http listener. If > 0, will be used for prometheus metrics, pprof, REST API, DoH... Example: 443, :443, 127.0.0.1:443
-#httpPort: 4000
-#httpsPort: 443
 # optional: Mininal TLS version that the DoH and DoT server will use
 #minTlsServeVersion: 1.3
+
 # if https port > 0: path to cert and key file for SSL encryption. if not set, self-signed certificate will be generated
 #certFile: server.crt
 #keyFile: server.key
-# optional: use this DNS server to resolve blacklist urls and upstream DNS servers. Useful if no DNS resolver is configured and blocky needs to resolve a host name. Format net:IP:port, net must be udp or tcp
-#bootstrapDns: tcp+udp:1.1.1.1
 
-filtering:
+# optional: use these DNS servers to resolve denylist urls and upstream DNS servers. It is useful if no system DNS resolver is configured, and/or to encrypt the bootstrap queries.
+bootstrapDns:
+  #- tcp+udp:1.1.1.1
+  #- https://1.1.1.1/dns-query
+  #- upstream: https://dns.digitale-gesellschaft.ch/dns-query
+    #ips:
+      #- 185.95.218.42
+
 # optional: drop all queries with following query types. Default: empty
+filtering:
   #queryTypes:
     #- AAAA
 
+# optional: return NXDOMAIN for queries that are not FQDNs.
+fqdnOnly:
+  # default: false
+  #enable: true
+
 # optional: if path defined, use this file for query resolution (A, AAAA and rDNS). Default: empty
 hostsFile:
-  # optional: Path to hosts file (e.g. /etc/hosts on Linux)
+  # optional: Hosts files to parse
-  #filePath: /etc/hosts
+  #sources:
+    #- /etc/hosts
+    #- https://example.com/hosts
+    #- |
+      # inline hosts
+      #127.0.0.1 example.com
   # optional: TTL, default: 1h
-  #hostsTTL: 60m
+  #hostsTTL: 30m
-  # optional: Time between hosts file refresh, default: 1h
+  # optional: Whether loopback hosts addresses (127.0.0.0/8 and ::1) should be filtered or not
-  #refreshPeriod: 30m
+  # default: false
-  # optional: Whether loopback hosts addresses (127.0.0.0/8 and ::1) should be filtered or not, default: false
   #filterLoopback: true
-# optional: Log level (one from debug, info, warn, error). Default: info
+  # optional: Configure how sources are loaded
-#logLevel: info
+  #loading:
-# optional: Log format (text or json). Default: text
+    # optional: file refresh period in duration format.
-#logFormat: text
+    # Set to a value <= 0 to disable.
-# optional: log timestamps. Default: true
+    # default: 4h
-#logTimestamp: true
+    #refreshPeriod: 24h
-# optional: obfuscate log output (replace all alphanumeric characters with *) for user sensitive data like request domains or responses to increase privacy. Default: false
+    # optional: Applies only to files that are downloaded (HTTP URLs).
-#logPrivacy: false
+    #downloads:
+      # optional: timeout for file download (each url). Use large values for big files or slow internet connections
+      # default: 5s
+      #timeout: 60s
+      # optional: Maximum download attempts
+      # default: 3
+      #attempts: 5
+      # optional: Time between the download attempts
+      # default: 500ms
+      #cooldown: 10s
+    # optional: Maximum number of files to process in parallel.
+    # default: 4
+    #concurrency: 16
+    # Configure startup behavior.
+    # accepted: blocking, failOnError, fast
+    # default: blocking
+    #strategy: failOnError
+    # Number of errors allowed in a file before it is considered invalid.
+    # A value of -1 disables the limit.
+    # default: 5
+    #maxErrorsPerSource: 5
+
+# optional: ports configuration
+ports:
+  # optional: DNS listener port(s) and bind ip address(es), default 53 (UDP and TCP). Example: 53, :53, "127.0.0.1:5353,[::1]:5353"
+  dns: 53
+  # optional: Port(s) and bind ip address(es) for DoT (DNS-over-TLS) listener. Example: 853, 127.0.0.1:853
+  tls: 853
+  # optional: Port(s) and optional bind ip address(es) to serve HTTPS used for prometheus metrics, pprof, REST API, DoH... If you wish to specify a specific IP, you can do so such as 192.168.0.1:443. Example: 443, :443, 127.0.0.1:443,[::1]:443
+  https: 443
+  # optional: Port(s) and optional bind ip address(es) to serve HTTP used for prometheus metrics, pprof, REST API, DoH... If you wish to specify a specific IP, you can do so such as 192.168.0.1:4000. Example: 4000, :4000, 127.0.0.1:4000,[::1]:4000
+  http: 4000
+
+# optional: logging configuration
+log:
+  # optional: Log level (one from trace, debug, info, warn, error). Default: info
+  level: info
+  # optional: Log format (text or json). Default: text
+  #format: text
+  # optional: log timestamps. Default: true
+  #timestamp: true
+  # optional: obfuscate log output (replace all alphanumeric characters with *) for user sensitive data like request domains or responses to increase #privacy. Default: false
+  #privacy: false
 
 # optional: add EDE error codes to dns response
-#ede: 
+ede:
   # enabled if true, Default: false
   #enable: true
+
+# optional: configure optional Special Use Domain Names (SUDN)
+#specialUseDomains:
+  # optional: block recomended private TLDs
+  # default: true
+  #rfc6762-appendixG: true
+
+# optional: configure extended client subnet (ECS) support
+ecs:
+  # optional: if the request ecs option with a max sice mask the address will be used as client ip
+  #useAsClient: true
+  # optional: if the request contains a ecs option it will be forwarded to the upstream resolver
+  #forward: true
 EOF
 msg_ok "Installed Blocky"