esh/cinc-repo/policyfiles/dns.rb

name 'dns'

###
# Cookbooks location
###

# ESH
default_source :chef_repo, '../cookbooks'

# Community
default_source :supermarket, 'https://supermarket.chef.io'

###
# Run List
###

run_list %w(
  esh_go_mmproxy::default
  esh_adguard::default
)

###
# Attributes
###

###
# esh_go_mmproxy
###

# to:listen
default['esh']['go_mmproxy']['proxies'] = {
  '853': '10853',
}
default['esh']['go_mmproxy']['prefixes'] = <<~EOT
10.0.0.0/8
EOT

###
# esh_adguard
###

default['esh']['adguard']['cert_pub'] = 'http://10.10.10.1:8898/dns.benoit.jp.net/fullchain.pem'
default['esh']['adguard']['cert_priv'] = 'http://10.10.10.1:8898/dns.benoit.jp.net/privkey.pem'
default['esh']['adguard']['cert_auth'] = ''

default['esh']['adguard']['version'] = '0.107.55'

default['esh']['adguard']['config'] = <<~EOT
http:
  pprof:
    port: 6060
    enabled: false
  address: 0.0.0.0:80
  session_ttl: 720h
users:
  - name: benoit
    password:
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: en
theme: dark
dns:
  bind_hosts:
    - 0.0.0.0
  port: 1053
  anonymize_client_ip: false
  ratelimit: 100
  ratelimit_subnet_len_ipv4: 24
  ratelimit_subnet_len_ipv6: 56
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - '# Quad9'
    - https://dns11.quad9.net/dns-query
    - '# CloudFlare'
    - tls://1dot1dot1dot1.cloudflare-dns.com
    - https://dns.cloudflare.com/dns-query
    - '# IIJ'
    - tls://public.dns.iij.jp
    - https://public.dns.iij.jp/dns-query
    - '# NextDNS'
    - tls://dns.nextdns.io
    - https://dns.nextdns.io
    - https://anycast.dns.nextdns.io
    - tls://anycast.dns.nextdns.io
    - '# AdGuard'
    - https://unfiltered.adguard-dns.com/dns-query
    - tls://unfiltered.adguard-dns.com
    - quic://unfiltered.adguard-dns.com
    - '# Cisco OpenDNS'
    - https://doh.opendns.com/dns-query
    - '# Google'
    - https://dns.google/dns-query
    - tls://dns.google
    - '# Tailscale'
    - '[/taile088c7.ts.net/]100.100.100.100'
  upstream_dns_file: ""
  bootstrap_dns:
    - 94.140.14.140
  fallback_dns: []
  upstream_mode: load_balance
  fastest_timeout: 1s
  allowed_clients:
    - chiisai-firefox
    - bluejay
    - chiisai-chromium
    - tangorpro
    - reven
    - lavie-firefox
    - lavie-chromium
    - caiman
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
    - 10.0.0.0/8
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: true
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: true
  edns_client_subnet:
    custom_ip: ""
    enabled: false
    use_custom: false
  max_goroutines: 50
  handle_ddr: true
  ipset: []
  ipset_file: ""
  bootstrap_prefer_ipv6: false
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: true
  local_ptr_upstreams: []
  use_dns64: false
  dns64_prefixes: []
  serve_http3: false
  use_http3_upstreams: false
  serve_plain_dns: false
  hostsfile_enabled: true
tls:
  enabled: true
  server_name: dns.benoit.jp.net
  force_https: true
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 784
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: /etc/adguard/fullchain.pem
  private_key_path: /etc/adguard/privkey.pem
  strict_sni_check: false
querylog:
  dir_path: ""
  ignored: []
  interval: 2160h
  size_memory: 1000
  enabled: true
  file_enabled: true
statistics:
  dir_path: ""
  ignored: []
  interval: 2160h
  enabled: true
filters:
  - enabled: true
    url: https://logroid.github.io/adaway-hosts/hosts.txt
    name: AdAway Blocking Hosts File for Japan
    id: 1598087715
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_32.txt
    name: The NoTracking blocklist
    id: 1686439100
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
    name: AdGuard DNS filter
    id: 1686439101
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
    name: AdAway Default Blocklist
    id: 1686439102
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_23.txt
    name: WindowsSpyBlocker - Hosts spy rules
    id: 1686439103
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_6.txt
    name: Dandelion Sprout's Game Console Adblock List
    id: 1686439104
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_7.txt
    name: Perflyst and Dandelion Sprout's Smart-TV Blocklist
    id: 1686439105
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt
    name: Malicious URL Blocklist (URLHaus)
    id: 1686439106
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_9.txt
    name: The Big List of Hacked Malware Web Sites
    id: 1686439107
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_31.txt
    name: Stalkerware Indicators List
    id: 1686439108
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_42.txt
    name: ShadowWhisperer's Malware List
    id: 1686439109
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_10.txt
    name: Scam Blocklist by DurableNapkin
    id: 1686439110
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_8.txt
    name: NoCoin Filter List
    id: 1686439111
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_12.txt
    name: Dandelion Sprout's Anti-Malware List
    id: 1686439112
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_30.txt
    name: Phishing URL Blocklist (PhishTank and OpenPhish)
    id: 1686439113
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_24.txt
    name: 1Hosts (Lite)
    id: 1686439114
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_4.txt
    name: Dan Pollock's List
    id: 1686439115
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_27.txt
    name: OISD Blocklist Big
    id: 1686439117
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_3.txt
    name: Peter Lowe's Blocklist
    id: 1686439118
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_33.txt
    name: Steven Black's List
    id: 1686439119
whitelist_filters: []
user_rules:
  - '@@||rd.rakuten.co.jp^$important'
  - '@@||fls-fe.amazon.co.jp^$important'
  - '@@||searchapi.agoda.com^$important'
  - '@@||auth.split.io^$important'
  - '@@||sdk.split.io^$important'
  - ""
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
filtering:
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_services:
    schedule:
      time_zone: Local
    ids:
      - facebook
      - twitter
      - snapchat
      - origin
      - epic_games
      - vk
      - mail_ru
      - discord
      - ok
      - tiktok
      - 9gag
      - hulu
      - whatsapp
      - wechat
      - tinder
      - skype
      - pinterest
      - disneyplus
      - qq
      - weibo
      - telegram
      - roblox
      - icloud_private_relay
      - zhihu
      - minecraft
      - douban
      - deezer
      - bilibili
      - instagram
      - iqiyi
      - lazada
      - riot_games
      - tidal
      - twitch
      - voot
      - xboxlive
      - rakuten_viki
      - leagueoflegends
      - kakaotalk
      - hbomax
      - crunchyroll
      - kik
      - onlyfans
      - shopee
      - soundcloud
      - valorant
      - shein
      - temu
      - yy
      - xiaohongshu
      - wargaming
      - ubisoft
      - wizz
      - samsung_tv_plus
      - nebula
      - lionsgateplus
      - fifa
      - dropbox
      - discoveryplus
      - coolapk
      - claro
      - bluesky
      - betfair
      - apple_streaming
      - 500px
      - amino
      - betano
      - bigo_live
      - blizzard_entertainment
      - canais_globo
      - clubhouse
      - electronic_arts
      - globoplay
      - linkedin
      - paramountplus
      - plenty_of_fish
      - privacy
      - rockstar_games
      - pluto_tv
      - mercado_libre
      - looke
      - kook
      - iheartradio
      - espn
      - directvgo
      - box
      - blaze
      - betway
      - battle_net
      - activision_blizzard
      - 4chan
      - ebay
      - olvid
      - peacock_tv
      - slack
      - spotify
      - tumblr
  protection_disabled_until: null
  safe_search:
    enabled: false
    bing: true
    duckduckgo: true
    ecosia: true
    google: true
    pixabay: true
    yandex: true
    youtube: true
  blocking_mode: null_ip
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  rewrites: []
  safe_fs_patterns:
    - /var/lib/adguard/data/userfilters/*
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  filters_update_interval: 24
  blocked_response_ttl: 10
  filtering_enabled: true
  parental_enabled: true
  safebrowsing_enabled: true
  protection_enabled: true
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: true
    dhcp: true
    hosts: true
  persistent: []
log:
  enabled: true
  file: ""
  max_backups: 0
  max_size: 100
  max_age: 3
  compress: false
  local_time: false
  verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 29
EOT