Last active
April 24, 2025 16:18
-
-
Save giuseppe998e/14923d6e899089fcd1679ec0a2d9bdb8 to your computer and use it in GitHub Desktop.
RouteDNS Quad9 Secure DNS (DoH/DoT) Client Configuration
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Quad9 DoT/DoH Client | |
| # DoT Resolvers | |
| [resolvers.main-dot] | |
| protocol = "dot" | |
| address = "dns.quad9.net" | |
| bootstrap-address = "9.9.9.9" | |
| [resolvers.secondary-dot] | |
| protocol = "dot" | |
| address = "dns.quad9.net" | |
| bootstrap-address = "149.112.112.112" | |
| [groups.dot] | |
| type = "fail-back" | |
| resolvers = ["main-dot", "secondary-dot"] | |
| reset-after = 60 # sec | |
| servfail-error = true | |
| # DoH Resolvers | |
| [resolvers.main-doh] | |
| protocol = "doh" | |
| address = "https://dns.quad9.net/dns-query" | |
| bootstrap-address = "9.9.9.9" | |
| [resolvers.secondary-doh] | |
| protocol = "doh" | |
| address = "https://dns.quad9.net/dns-query" | |
| bootstrap-address = "149.112.112.112" | |
| [groups.doh] | |
| type = "fail-back" | |
| resolvers = ["main-doh", "secondary-doh"] | |
| reset-after = 60 # sec | |
| servfail-error = true | |
| # TTL modified, cached and fail-rotate resolver | |
| [groups.failrotate] | |
| type = "fail-rotate" | |
| resolvers = ["dot", "doh"] | |
| [groups.ttlmod] | |
| type = "ttl-modifier" | |
| resolvers = ["failrotate"] | |
| ttl-select = "average" | |
| ttl-max = 86400 | |
| [groups.cache] | |
| type = "cache" | |
| resolvers = ["ttlmod"] | |
| cache-answer-shuffle = "round-robin" | |
| cache-flush-query = "cache.flush." | |
| cache-prefetch-trigger = 30 | |
| cache-prefetch-eligible = 300 # 5min | |
| backend = { type = "memory", size = 4096, filename = "/var/cache/routedns.quad9.json" } | |
| [listeners.local-udp] | |
| address = "127.0.0.1:53" | |
| protocol = "udp" | |
| resolver = "cache" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Configuration Breakdown
This RouteDNS configuration sets up Quad9 as both DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) upstream resolvers, applies fail-back and fail-rotate policies, modifies TTLs, adds caching, and listens locally on UDP.
DoT Resolvers
[resolvers.main-dot]protocol = "dot": use DNS-over-TLSaddress = "dns.quad9.net": hostname of the Quad9 DoT servicebootstrap-address = "9.9.9.9": IP to resolve the hostname initially[resolvers.secondary-dot]main-dot, but uses149.112.112.112as its bootstrap addressDoT Fail-Back Group
[groups.dot]type = "fail-back": normally usesmain-dot; on failure, falls back tosecondary-dot, then returns to primary afterreset-afterresolvers = ["main-dot", "secondary-dot"]reset-after = 60sec: retry primary every 60 secondsservfail-error = true: treat SERVFAIL as an error to trigger fail-overDoH Resolvers
[resolvers.main-doh]protocol = "doh": use DNS-over-HTTPSaddress = "https://dns.quad9.net/dns-query": Quad9 DoH endpointbootstrap-address = "9.9.9.9"[resolvers.secondary-doh]149.112.112.112DoH Fail-Back Group
[groups.doh]groups.dotbut for DoH resolversMixed Resolver Group (Fail-Rotate)
[groups.failrotate]type = "fail-rotate": rotate throughdotanddohresolvers on each query or on failureresolvers = ["dot", "doh"]TTL Modifier
[groups.ttlmod]type = "ttl-modifier": adjusts the TTL of answers before cachingresolvers = ["failrotate"]: applies to the output of the fail-rotate groupttl-select = "average": choose an average between the record’s TTL and any configured maximumttl-max = 86400: cap TTL at 24 hours (86 400 seconds)Cache
[groups.cache]type = "cache": enable caching of DNS answersresolvers = ["ttlmod"]: cache the TTL-modified answerscache-answer-shuffle = "round-robin": distribute cached answers in round-robin ordercache-flush-query = "cache.flush.": special query prefix to flush the cachecache-prefetch-trigger = 30: prefetch entries when they have ≤ 30 sec left before expirycache-prefetch-eligible = 300: only prefetch entries if they originally had ≥ 300 sec TTLbackend = { type = "memory", size = 4096, filename = "/var/cache/routedns.quad9.json" }: use a 4 KiB in-memory cache and persist to the given fileListener
[listeners.local-udp]address = "127.0.0.1:53": bind to localhost UDP port 53protocol = "udp": accept plain DNS over UDPresolver = "cache": forward queries into the cache group (and thus through TTL modifier, fail-rotate, DoT/DoH, etc.)