-
Notifications
You must be signed in to change notification settings - Fork 0
/
sample-config.yml
267 lines (263 loc) · 10.5 KB
/
sample-config.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
pintle:
# the home directory is where pintle stores all of the
# runtime data that it needs or collects. things like the
# query database, statistics, metrics, and lists are stored
# in the home directory
home: ./.pintle
# when this file changes reload pintle subsystems to
# take the new configuration into account. this requires
# _material_ changes in the file not just changes to comments,
# spacing, or otherwise
reload-on-change: true
# various logging settings that control the output of the logging. in
# general application issues and information are logged to stdout
# and access/queries are logged to the database in the data directory
log:
# simple setting to disable all logging, the default value is true.
enabled: true
# controls what percentage of queries are logged, max value is 100
# anything less than that will randomly select if the line should be
# logged. a value of 0 effectively disables all log output. the
# default value is 100 percent.
sample-percent: 50
# if queries should be logged to stdout. by default queries are
# only logged to the database. this can be quite noisy. this
# is disabled (false) by default.
stdout: false
# this section controls the database
database:
# enabled by default
enabled: true
# logs answers to the database. disabling this reduces the size of the database.
# the default value is true.
answers: true
# the endpoints where clients make requests to pintle over the network. pintle
# supports udp, tcp, and mdns.
listeners:
- # all listeners have a name so that they can be
# referenced by the application.
name: basic-udp
# the available types are tcp, udp, and mdns
type: udp
# udp and tcp need address to bind on, if none is given
# the default is "0.0.0.0" or "all"
addresses:
- 0.0.0.0
# udp and tcp need a port to listen on
port: 5353
- # this is a basic tcp listener, generally this is used for specialty cases
# and larger data streams but pintle supports tcp as well
name: basic-tcp
type: tcp
port: 5353
# pintle has the ability to read device names and address. what this means is that
# when a mdns query is answered the answers will be placed in the cache.
# mdns only supports answers that end in `.local` so dns queries looking
# for something in the `.local` TLD can be answered by pintle using
# this method. this also allows it to name-resolve IoT and device clients in the UI.
mdns:
# mdns will only be activated on the following interfaces. if no
# interfaces are listed mdns is disabled. if the key word "all" is
# found in this list then all interfaces will be tried.
interfaces:
- "all"
# lists are the sources of blocking/allowing information for queries. before a query is serviced
# by a resolver it can be routed through lists and an action (explicit block, explicit allow) can
# be taken. this is used to stop traffic from going outbound or explicitly allowing certain hostnames
# to be resolved.
lists:
- # each list has a name so that it can be referenced elsewhere in the configuration
name: basic-blocking
# typical pi-hole style blocklists are hostfile-based and come in that
# format.
type: hostfile
# the action to take, typically block. an allow list can be used in a group
# to override certain blocks
action: block
sources:
# the path to a list
- /path/to/block.list
# if a relative path is given it is _relative to this file_
- relative/path/to/block.list
# if you use a http or https url it will be downloaded and cached to the cache dir
- https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
- https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt
- # regex lists can also be provided but they are more intensive and should be used
# only if absolutely necessary
name: regex-blocking
type: regex
action: block
sources:
# the path to a regex list
- /path/to/regex.list
# if a relative path is given it is _relative to this file_
- relative/path/to/regex.list
# resolvers are the upstream sources of dns information. these can take the form of dns servers
# supporting several protocols, flat files with lists of DNS information, or zone files.
resolvers:
- # resolvers are identified by name so that they can be used elsewhere in the configuration
name: google
# by default sources are tried
# in order until a match is found,
# the number of resolvers is exceeded,
# or the timeout limit is reached
sources:
# if no port is specified the default port is used
- uri: 8.8.8.8
# if a port is given it will be used
- uri: 8.8.4.4:53
- # tcp resolvers are also supported
name: google-tcp
# the balance option (default: false) allows
# the resolver to balance requests between
# the sources
balance: true
sources:
- uri: 8.8.8.8
# tcp is a source-specific configuration
type: tcp
# just like udp the sources can specify a port
- uri: 8.8.4.4:53
type: tcp
- name: cloudflare
sources:
# if no port is specified the default port is used
- uri: 8.8.8.8
type: tcp
# if a port is given it will be used
- uri: 8.8.4.4:53
- # some specific resolvers might exist for
# a given isp
name: att-resolver
# the resolver can be configured to only
# respond to specific domains. the resolver
# will be skipped if the question is for
# a domain or subdomain listed here
domains:
# the resolver will respond for any
# domain that ends in att.com, ex: store.att.com
- att.com
# the resolver will respond for any
# domain that ends in att.net, ex: login.att.net
- att.net
sources:
- uri: 68.94.156.1
- uri: 68.94.157.1
- # resolvers can reference other resolvers
name: parent-resolver
type: resolver
# without the balance option these resolvers
# would be tried, in order, until a match
# is found (or a timeout or retry limit reached)
balance: true
sources:
- uri: google
type: resolver
- uri: cloudflare
type: resolver
- # a flat file in the format of a hosts file is supported
# ex:
# 127.0.0.1 home.lan
# 192.168.0.2 storage
name: flat-file
type: hostfile # alias: hosts
sources:
# the file format tbd
- uri: /path/to/file.entries
# if a relative path is given it is _relative to this file_
- uri: relative/path
- # zone files are also supported
name: zone-file
type: zone
sources:
# uses the BIND zone file format
- uri: path/to/zone.db
# if a relative path is given it is _relative to this file_
# a group combines client characteristics (listener, ip, subnet, mac address, etc.) with
# the other elements of this configuration (lists, resolver) to produce a dns resolution
# result.
groups:
- # groups are given by name, this group is the default group which is an implicit
# group with a configuration of _no lists_ and _all resolvers_ unless otherwise
# configured here. unless specified all clients use this group. no other groups
# will inherit this groups configuration unless explicitly configured.
name: default
# lists are applied _in order_ and once a match is found no further action is
# taken. an allow coming after a block will not have any affect because the
# first thing that happened was to block.
lists:
- basic-blocking
# if a group does not have resolvers
# it will fall back to responding with NXDOMAIN
# when the groups are configured a warning
# will be printed if no resolver is attached to a group
resolvers:
- google-tcp
# the default group cannot have matchers. if any matchers
# are defined for the default group a warning will be
# written to the log and the matchers will be ignored.
matchers: []
- # this group demonstrates matching against a listener and
# will match all traffic from that listener
name: tcp-listener-group
# resolvers are tried, in order. if multiple resolvers
# are configured. if you would like load balancing, configure
# a single resolver that has it configured. this is so that
# fallback/priority can be established for a group.
resolvers:
- google-udp
- google-tcp
lists: [] # in this example _no lists_ will be applied
# matchers are applied in the order they are encountered
# but multiple groups can be attached to a single query.
# however only one block is required to block the query
# unless an allow is encountered first.
matchers:
# matchers have a type and a list of matches, this
# one matches against any traffic that comes through
# the basic-udp listener
- type: listener
values:
- basic-tcp
- # this group demonstrates the ability to match clients
# that come from particular ips. useful for allowing
# certain clients to resolve special
name: match-by-ip
# no resolvers given means the default group's resolvers will be used
# resolvers: []
# basic blocking list
lists:
- basic-blocking
# matching in this list is the against the ip
matchers:
# a single ip can be provided
- type: ip
values:
- 192.168.0.22
# or multiple ips
- type: ip
values:
# when multiple values are listed
# it functions as an `or` where
# if any value matches the
# request is matched to the group
- 192.168.0.44
- 192.168.0.55
# you can also combine matchers
- type: or
matchers:
- type: ip
values:
- 192.168.0.10
- type: range
from: 192.168.1.30
to: 192.168.1.50
- # this demonstrates matching to the requested hostname
name: att-suffix-group
resolvers:
- att-resolver
matchers:
- type: hostname
values:
- att.net
- att.com