Acrylic DNS Proxy Configuration


The best way to learn about Acrylic features and configuration options is by looking at its commented configuration file:

;
; IF YOU MAKE ANY CHANGES TO THIS FILE YOU HAVE TO RESTART THE ACRYLIC DNS PROXY SERVICE IN ORDER TO SEE THEIR EFFECTS.
;
[GlobalSection]
;
; The IP address of your primary DNS server. You can specify here an IPv4 address in quad-dotted notation or an IPv6
; address in colon-separated groups.
;
; Upon installation it points to the primary Google Public DNS server.
;
PrimaryServerAddress=8.8.8.8
;
; The TCP or UDP port your primary DNS server is supposed to be listening on. The default value of 53 is the standard
; port for DNS resolution. You should change this value only if you are using a non-standard DNS server.
;
PrimaryServerPort=53
;
; The protocol to use with your primary DNS server.
; The currently supported protocols are UDP, TCP and SOCKS5.
;
PrimaryServerProtocol=UDP
;
; The IP address of the proxy server to use to reach your primary DNS server, in case you instructed Acrylic to use the
; SOCKS5 protocol in the previous configuration option. You can specify here an IPv4 address in quad-dotted notation or
; an IPv6 address in colon-separated groups.
;
PrimaryServerProxyAddress=
;
; The TCP port the proxy server described above is supposed to be listening on.
;
PrimaryServerProxyPort=
;
; The cluster of domain names the primary DNS server is to resolve.
;
; The affinity mask is a list of semicolon-separated values or wildcards that allows you to restrict which DNS server
; is going to resolve a particular host name.
;
; In the following example only the requests for domain names ending with ".com" get forwarded to the primary DNS
; server:
;
; PrimaryServerDomainNameAffinityMask=*.com
;
; In the following example only the requests for domain names ending with ".com" and ".org" get forwarded to the primary
; DNS server:
;
; PrimaryServerDomainNameAffinityMask=*.com;*.org
;
; Negations can be expressed by prepending a caret (^) to the value or wildcard.
;
; In the following example only the requests for domain names NOT ending with ".com" or ".org" get forwarded to the
; primary DNS server (the last catch-all value is particularly important in this case as, if missing, no request would
; ever be forwarded to the primary DNS server):
;
; PrimaryServerDomainNameAffinityMask=^*.com;^*.org;*
;
PrimaryServerDomainNameAffinityMask=
;
; A list of semicolon-separated values representing DNS query types that allows you to restrict which DNS server is
; going to resolve a particular query type.
;
; In the following example only the requests for A, AAAA, CNAME, MX, NS, SOA, SRV and TXT query types get forwarded to
; the primary DNS server:
;
; PrimaryServerQueryTypeAffinityMask=A;AAAA;CNAME;MX;NS;SOA;SRV;TXT
;
; The supported query types are:
;
; A NS MD MF CNAME
; SOA MB MG MR NULL
; WKS PTR HINFO MINFO MX
; TXT RP AFSDB X25 ISDN
; RT NSAP NSAPPTR SIG KEY
; PX GPOS AAAA LOC NXT
; EID NIMLOC SRV ATMA NAPTR
; KX CERT A6 DNAME SINK
; OPT APL DS SSHFP IPSECKEY
; RRSIG NSEC DNSKEY DHCID NSEC3
; NSEC3PARAM TLSA HIP NINFO RKEY
; TALINK CDS CDNSKEY OPENPGPKEY CSYNC
; SPF UINFO UID GID UNSPEC
; NID L32 L64 LP EUI48
; EUI64 ADDRS TKEY TSIG IXFR
; AXFR MAILB MAILA ALL URI
; CAA TA DLV WINS WINSR
;
PrimaryServerQueryTypeAffinityMask=
;
; You can decide to ignore negative responses coming from the primary DNS server by choosing Yes instead of No.
;
IgnoreNegativeResponsesFromPrimaryServer=No
;
; The configuration of your secondary DNS server.
; For more details refer to the primary DNS server configuration comments.
;
; Upon installation it points to the secondary Google Public DNS server.
;
SecondaryServerAddress=8.8.4.4
SecondaryServerPort=53
SecondaryServerProtocol=UDP
SecondaryServerProxyAddress=
SecondaryServerProxyPort=
SecondaryServerDomainNameAffinityMask=
SecondaryServerQueryTypeAffinityMask=
IgnoreNegativeResponsesFromSecondaryServer=No
;
; The configuration of your tertiary DNS server.
; For more details refer to the primary DNS server configuration comments.
;
TertiaryServerAddress=
TertiaryServerPort=53
TertiaryServerProtocol=UDP
TertiaryServerProxyAddress=
TertiaryServerProxyPort=
TertiaryServerDomainNameAffinityMask=
TertiaryServerQueryTypeAffinityMask=
IgnoreNegativeResponsesFromTertiaryServer=No
;
; The configuration of your quaternary DNS server.
; For more details refer to the primary DNS server configuration comments.
;
QuaternaryServerAddress=
QuaternaryServerPort=53
QuaternaryServerProtocol=UDP
QuaternaryServerProxyAddress=
QuaternaryServerProxyPort=
QuaternaryServerDomainNameAffinityMask=
QuaternaryServerQueryTypeAffinityMask=
IgnoreNegativeResponsesFromQuaternaryServer=No
;
; The configuration of your quinary DNS server.
; For more details refer to the primary DNS server configuration comments.
;
QuinaryServerAddress=
QuinaryServerPort=53
QuinaryServerProtocol=UDP
QuinaryServerProxyAddress=
QuinaryServerProxyPort=
QuinaryServerDomainNameAffinityMask=
QuinaryServerQueryTypeAffinityMask=
IgnoreNegativeResponsesFromQuinaryServer=No
;
; The configuration of your senary DNS server.
; For more details refer to the primary DNS server configuration comments.
;
SenaryServerAddress=
SenaryServerPort=53
SenaryServerProtocol=UDP
SenaryServerProxyAddress=
SenaryServerProxyPort=
SenaryServerDomainNameAffinityMask=
SenaryServerQueryTypeAffinityMask=
IgnoreNegativeResponsesFromSenaryServer=No
;
; The configuration of your septenary DNS server.
; For more details refer to the primary DNS server configuration comments.
;
SeptenaryServerAddress=
SeptenaryServerPort=53
SeptenaryServerProtocol=UDP
SeptenaryServerProxyAddress=
SeptenaryServerProxyPort=
SeptenaryServerDomainNameAffinityMask=
SeptenaryServerQueryTypeAffinityMask=
IgnoreNegativeResponsesFromSeptenaryServer=No
;
; The configuration of your octonary DNS server.
; For more details refer to the primary DNS server configuration comments.
;
OctonaryServerAddress=
OctonaryServerPort=53
OctonaryServerProtocol=UDP
OctonaryServerProxyAddress=
OctonaryServerProxyPort=
OctonaryServerDomainNameAffinityMask=
OctonaryServerQueryTypeAffinityMask=
IgnoreNegativeResponsesFromOctonaryServer=No
;
; The configuration of your nonary DNS server.
; For more details refer to the primary DNS server configuration comments.
;
NonaryServerAddress=
NonaryServerPort=53
NonaryServerProtocol=UDP
NonaryServerProxyAddress=
NonaryServerProxyPort=
NonaryServerDomainNameAffinityMask=
NonaryServerQueryTypeAffinityMask=
IgnoreNegativeResponsesFromNonaryServer=No
;
; The configuration of your denary DNS server.
; For more details refer to the primary DNS server configuration comments.
;
DenaryServerAddress=
DenaryServerPort=53
DenaryServerProtocol=UDP
DenaryServerProxyAddress=
DenaryServerProxyPort=
DenaryServerDomainNameAffinityMask=
DenaryServerQueryTypeAffinityMask=
IgnoreNegativeResponsesFromDenaryServer=No
;
; THE ACRYLIC DNS PROXY CACHING MECHANISM EXPLAINED
;
; When Acrylic receives a DNS request from a client the hosts cache (a static cache contained in the AcrylicHosts.txt
; file) is searched first. If nothing is found there the request is subsequently searched in the address cache (a
; dynamic cache contained in the AcrylicCache.dat file). At this point three things may happen:
;
; CASE 1: The request is not found in the address cache or its corresponding response is older than
; "AddressCacheScavengingTime" minutes: In this case the original request is forwarded to all of the configured DNS
; servers simultaneously. The response to the client is delayed until the first one of the DNS servers comes out with a
; valid response (all the others will be discarded).
;
; CASE 2: The request is found in the address cache and its corresponding response is older than
; "AddressCacheSilentUpdateTime" minutes but not older than "AddressCacheScavengingTime" minutes: In this case the
; response to the client is sent immediately from the address cache and the original request is also forwarded to all of
; the configured DNS servers like in the previous case. The first response coming from one of the DNS servers will be
; used to silently update the address cache (all the others will be discarded).
;
; CASE 3: The request is found in the address cache and its corresponding response is younger than
; "AddressCacheSilentUpdateTime" minutes: In this case the response to the client is sent immediately from the address
; cache and no network activity with any of the configured DNS servers will occur.
;
; The dynamic cache contained in the AcrylicCache.dat file is not encrypted and it is composed of a series of binary
; records whose fields are:
;
; 1. Hash of DNS Request [8 bytes (UInt64)]
; 2. Arrival Time of DNS Response [4 bytes (UInt32, number of minutes since January, 1 1980 00:00)]
; 3. Length of DNS Response [4 bytes (UInt32)]
; 4. DNS Response Bytes [(Length of DNS Response) bytes]
; 5. Is Negative Response [1 byte (Boolean)]
;
; To minimize disk activity the cache is flushed from memory to disk only when the Acrylic DNS Proxy service is stopped
; or the system is shut down. Thus you won't see anything change in the AcrylicCache.dat file until you stop the Acrylic
; DNS Proxy service or shut down the system.
;
; And now about the caching parameters:
;
; The time to live (in minutes) of a negative response in the address cache.
;
AddressCacheNegativeTime=10
;
; The time to live (in minutes) of a positive response in the address cache.
;
AddressCacheScavengingTime=960
;
; The time (in minutes) after which an item in the address cache is silently updated should a request for it occur.
;
AddressCacheSilentUpdateTime=240
;
; You can disable the address cache by choosing Yes instead of No. If you do that Acrylic will work as a forwarding-only
; DNS proxy.
;
AddressCacheDisabled=No
;
; The local IPv4 address to which Acrylic binds. A value of 0.0.0.0 indicates that Acrylic should bind to all available
; addresses and as such it will be able to receive DNS requests coming from all of your network interfaces. A value
; corresponding to the IPv4 address of one of them instead will allow Acrylic to receive DNS requests only from that
; specific network interface. An empty value instead indicates that no binding should occur on IPv4.
;
LocalIPv4BindingAddress=0.0.0.0
;
; The local UDPv4 port to which Acrylic binds. The default value of 53 is the standard port for DNS resolution. You
; should change this value only if you are using a non-standard DNS client.
;
LocalIPv4BindingPort=53
;
; The local IPv6 address to which Acrylic binds. A value of 0:0:0:0:0:0:0:0 indicates that Acrylic should bind to all
; available addresses and as such it will be able to receive DNS requests coming from all of your network interfaces. A
; value corresponding to the IPv6 address of one of them instead will allow Acrylic to receive DNS requests only from
; that specific network interface. An empty value instead indicates that no binding should occur on IPv6.
;
LocalIPv6BindingAddress=0:0:0:0:0:0:0:0
;
; The local UDPv6 port to which Acrylic binds. The default value of 53 is the standard port for DNS resolution. You
; should change this value only if you are using a non-standard DNS client.
;
LocalIPv6BindingPort=53
;
; On Windows versions prior to Windows Vista or Windows Server 2008 the IPv6 protocol is usually not installed by
; default. For Windows 2000 there is a Microsoft IPv6 Technology Preview package available for download while for
; Windows XP the IPv6 protocol must be added to the list of available network protocols in your network connection
; Properties window.
;
; If you want to enable local IPv6 binding for Acrylic on Windows versions prior to Windows Vista or Windows Server 2008
; you can choose Yes below after having installed all the necessary prerequisites.
;
LocalIPv6BindingEnabledOnWindowsVersionsPriorToWindowsVistaOrWindowsServer2008=No
;
; The time to live (in seconds) set for DNS responses generated by Acrylic (e.g. the ones generated from mappings
; contained in the Acrylic HOSTS file).
;
GeneratedResponseTimeToLive=60
;
; The hit log is a text file into which every incoming DNS request seen by Acrylic can be logged.
;
; It is activated by specifying a value for the HitLogFileName configuration item and contains rows with the following
; TAB-separated fields:
;
; 1. A timestamp in the format YYYY-MM-DD HH:MM:SS.FFF.
; 2. The source IP address of the DNS request (for HCF destiny codes) or response (for RU destiny codes).
; 3. The destiny code (how Acrylic treated it).
; H => Resolved from the hosts cache
; C => Resolved from the address cache
; F => Forwarded to the configured DNS servers
; R => Received from one of the configured DNS servers
; U => Silent update from one of the configured DNS servers
; 4. The dissected DNS request (for HCF destiny codes) or response (for RU destiny codes).
;
; A dissected DNS request is similar to the following one:
;
; Q[1]=x.com;T[1]=A
;
; Where:
;
; 1. Q[1]=x.com means that DNS question 1 refers to the "x.com" domain name.
; 2. T[1]=A means that DNS question 1 is of type A (IPv4).
;
; A dissected DNS response is similar to the following one:
;
; RC=0;QDC=1;ANC=2;Q[1]=x.com;T[1]=CNAME;A[1]=x.com>y.com;T[2]=A;A[2]=y.com>1.2.3.4
;
; Where:
;
; 1. RC=0 means that the DNS response code (RCODE) is 0.
; 2. QDC=1 means that the number of questions (QDCOUNT) contained in the DNS response is 1.
; 3. ANC=2 means that the number of answers (ANCOUNT) contained in the DNS response is 2.
; 4. Q[1]=x.com means that the DNS question 1 refers to the "x.com" domain name.
; 5. T[1]=CNAME means that the DNS answer 1 is of type CNAME (canonical name).
; 6. A[1]=x.com>y.com means that the DNS answer 1 (of type CNAME) referring to the "x.com" domain name is "y.com".
; 7. T[2]=A means that the DNS answer 2 is of type A (IPv4).
; 8. A[2]=y.com>1.2.3.4 means that the DNS answer 2 (of type A) referring to the "y.com" domain name is "1.2.3.4".
;
; For performance reasons the hit log is flushed to disk only when Acrylic is idle or when its buffer is full, therefore
; you might experience a delay of a few seconds between when a DNS request is made and when its details get written into
; the hit log.
;
; Regarding the HitLogFileName you can specify an absolute or a relative path and a sort of daily log rotation can be
; achieved by including the %DATE% template within the file name. Furthermore here is the list of all the supported
; templates:
;
; %DATE%
; The current date in YYYYMMDD format.
;
; %TEMP%
; The current value of the TEMP environment variable.
;
; %APPDATA%
; The current value of the APPDATA environment variable.
;
; %LOCALAPPDATA%
; The current value of the LOCALAPPDATA environment variable.
;
; Examples:
;
; HitLogFileName=HitLog.%DATE%.txt
; HitLogFileName=%TEMP%\AcrylicDNSProxyHitLog.%DATE%.txt
;
HitLogFileName=
;
; The filter (a combination of one or more of the destiny codes shown in the above section) which controls what is
; written into the hit log and what isn't.
;
HitLogFileWhat=HCFRU
;
; You can force Acrylic to write the hit log using the old (0.9.24) format by uncommenting the following line. The new
; format contains more information but you may still want to use the old one for compatibility with an already existing
; log analyzer.
;
; HitLogFileMode=Legacy
;
; The stats log is a text file into which Acrylic saves information about the performance of your DNS servers and some
; statistical data about the fate of your DNS requests.
;
; Regarding the StatsLogFileName you can specify here an absolute or a relative path. All these templates are also
; supported within the file name:
;
; %TEMP%
; The current value of the TEMP environment variable.
;
; %APPDATA%
; The current value of the APPDATA environment variable.
;
; %LOCALAPPDATA%
; The current value of the LOCALAPPDATA environment variable.
;
; Examples:
;
; StatsLogFileName=StatsLog.txt
; StatsLogFileName=%TEMP%\AcrylicDNSProxyStatsLog.txt
;
StatsLogFileName=
;
; ALLOWING REQUESTS FROM OTHER COMPUTERS
;
; Although for security reasons the default behaviour of Acrylic is to refuse to handle requests coming from other
; computers, it is possible to list in the AllowedAddressesSection the IP addresses or IP subnets from which Acrylic is
; allowed to handle requests. You have to specify a different key name for each entry, like in the following example:
;
; [AllowedAddressesSection]
; IP1=192.168.45.254 -- A single IP address
; IP2=192.168.44.100 -- Another single IP address
; IP3=192.168.100.* -- All addresses starting with 192.168.100
; IP4=172.16.* -- All addresses starting with 172.16
;
; For performance reasons keep the number of addresses listed in this section as low as possible (you should try to
; specify subnets instead of large lists of IP addresses whenever possible).
;
; Note: Wildcards (like 192.168.100.*) are allowed. Although not recommended for security reasons you can allow Acrylic
; to handle requests coming from any IP address, like in the following example:
;
; [AllowedAddressesSection]
; IP1=*
;
[AllowedAddressesSection]
;
; The CacheExceptionsSection section below may contain a list of domain names for which caching does not occur (requests
; are always forwarded to the DNS servers). This may be useful if you have a small subset of IP addresses that change
; rapidly but you don't want to lose the performance improvements of caching for all the other domain names.
;
; Example:
;
; [CacheExceptionsSection]
; NAME1=somemachine.mydomain.local
; NAME2=*.microsoft.com
;
; Note: Wildcards (like *.microsoft.com) are allowed.
;
[CacheExceptionsSection]
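The affinity masks in the GlobalSection above are the mechanism that keeps internal host names away from a public resolver, so it is worth being precise about how they are evaluated. The following Python model is an added example, not Acrylic's own code; it assumes that mask entries are tried left to right and that the first matching entry decides (a ^ entry excludes the server, a plain entry includes it, and a name matching no entry is excluded), which is the reading that reproduces all three PrimaryServerDomainNameAffinityMask examples in the comments, including the need for the trailing catch-all. The split-horizon server table and the 10.0.0.53 address are constructed for the example.

```python
"""Model of the affinity-mask routing described in the GlobalSection comments.

Added example, not Acrylic's own code. Assumption: mask entries are tried left
to right and the first matching entry decides (an entry prefixed with ^ excludes
the server, a plain entry includes it, a name matching no entry is excluded).
"""
import fnmatch
from dataclasses import dataclass
from typing import List


def name_mask_allows(mask: str, name: str) -> bool:
    """True if a *DomainNameAffinityMask lets the server resolve `name`."""
    if not mask.strip():
        return True                      # empty mask: no restriction
    name = name.lower().rstrip(".")      # DNS names are case-insensitive
    for entry in (e.strip() for e in mask.split(";")):
        if not entry:
            continue
        negated = entry.startswith("^")
        pattern = entry.lstrip("^").lower()
        if fnmatch.fnmatchcase(name, pattern):
            return not negated           # first match decides (assumption)
    return False                         # nothing matched: server not used


def qtype_mask_allows(mask: str, qtype: str) -> bool:
    """True if a *QueryTypeAffinityMask lets the server resolve `qtype`."""
    if not mask.strip():
        return True
    allowed = {e.strip().upper() for e in mask.split(";") if e.strip()}
    return qtype.upper() in allowed


@dataclass
class Upstream:
    label: str
    address: str
    name_mask: str = ""
    qtype_mask: str = ""


def forward_targets(servers: List[Upstream], name: str, qtype: str) -> List[str]:
    """Labels of the configured servers a (name, qtype) request is forwarded to."""
    return [s.label for s in servers
            if name_mask_allows(s.name_mask, name)
            and qtype_mask_allows(s.qtype_mask, qtype)]


# Constructed split-horizon setup: the public resolver must never see names
# from the internal zone, and the internal resolver (10.0.0.53 is an assumed
# address) only answers address and service-location queries for that zone.
SPLIT_HORIZON = [
    Upstream("Primary", "8.8.8.8", name_mask="^*.corp.example;*"),
    Upstream("Secondary", "10.0.0.53", name_mask="*.corp.example",
             qtype_mask="A;AAAA;SRV"),
]

if __name__ == "__main__":
    for name, qtype in [("www.example.com", "A"),
                        ("fileserver.corp.example", "A"),
                        ("fileserver.corp.example", "TXT")]:
        print(f"{name:28} {qtype:5} -> {forward_targets(SPLIT_HORIZON, name, qtype)}")
```

The third query in the usage block ends with an empty target list: a TXT lookup for an internal name is excluded by the primary server's name mask and by the secondary server's query-type mask, so no configured server is eligible. That is the same failure the comments warn about for a mask without a catch-all, and it is easy to cause by tightening two masks independently, so test the combined policy rather than each mask on its own.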
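The caching section above describes both the three-case decision Acrylic makes for every request and the record layout of AcrylicCache.dat, and the two fit naturally into one model. The code below is an added example in Python, not Acrylic's own code. It makes assumptions the page does not state: record fields are little-endian, the "minutes since January 1 1980" counter is read as UTC, and a negative response expires after AddressCacheNegativeTime rather than AddressCacheScavengingTime. The 39-byte DNS response is hand-built for x.com, not captured from a resolver.

```python
"""Model of the address-cache decision (CASE 1, 2 and 3) and of the binary
record layout of AcrylicCache.dat described in the caching comments.

Added example, not Acrylic's own code. Assumptions: little-endian fields, UTC
minute counter, negative responses expire after AddressCacheNegativeTime.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Iterator, NamedTuple, Optional

EPOCH_1980 = datetime(1980, 1, 1, tzinfo=timezone.utc)
# Fields 1-3 of a record: UInt64 request hash, UInt32 arrival minutes,
# UInt32 response length. Field 4 is the response, field 5 one boolean byte.
HEADER = struct.Struct("<QII")


class CacheRecord(NamedTuple):
    request_hash: int
    arrival_minutes: int
    response: bytes
    negative: bool


def pack_record(rec: CacheRecord) -> bytes:
    """Serialise one record in the documented field order."""
    return (HEADER.pack(rec.request_hash, rec.arrival_minutes, len(rec.response))
            + rec.response + bytes([1 if rec.negative else 0]))


def parse_records(blob: bytes) -> Iterator[CacheRecord]:
    """Walk the concatenated records of a cache-file image, refusing truncation."""
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < HEADER.size + 1:
            raise ValueError(f"truncated record header at offset {pos}")
        request_hash, arrival, length = HEADER.unpack_from(blob, pos)
        pos += HEADER.size
        end = pos + length
        if end >= len(blob):                 # the boolean byte must fit too
            raise ValueError(f"truncated response body at offset {pos}")
        yield CacheRecord(request_hash, arrival, blob[pos:end], blob[end] == 1)
        pos = end + 1


def minutes_since_1980(when: datetime) -> int:
    return int((when - EPOCH_1980).total_seconds() // 60)


def cache_decision(rec: Optional[CacheRecord], now: datetime,
                   silent_update: int = 240, scavenging: int = 960,
                   negative_time: int = 10) -> str:
    """Which documented case applies (defaults mirror the shipped AddressCache*
    values, all in minutes)."""
    if rec is None:
        return "CASE 1"                      # not in cache: forward, client waits
    age = minutes_since_1980(now) - rec.arrival_minutes
    ttl = negative_time if rec.negative else scavenging
    if age > ttl:
        return "CASE 1"                      # expired: treated like a miss
    if age > silent_update:
        return "CASE 2"                      # answer from cache, refresh silently
    return "CASE 3"                          # answer from cache, no network I/O


# Constructed: a 39-byte DNS response for "x.com IN A 1.2.3.4" (id 0x1234,
# flags 0x8180, one question, one answer with TTL 300).
SAMPLE_RESPONSE = bytes.fromhex(
    "1234 8180 0001 0001 0000 0000"
    "01 78 03 63 6f 6d 00 0001 0001"
    "c00c 0001 0001 0000012c 0004 01020304")
ARRIVED = datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc)
POSITIVE = CacheRecord(0x1122334455667788, minutes_since_1980(ARRIVED), SAMPLE_RESPONSE, False)
NEGATIVE = CacheRecord(0x0A0B0C0D0E0F1011, minutes_since_1980(ARRIVED), b"", True)


def decision_after(rec: Optional[CacheRecord], minutes_later: int) -> str:
    """The case that applies `minutes_later` minutes after ARRIVED."""
    return cache_decision(rec, ARRIVED + timedelta(minutes=minutes_later))


if __name__ == "__main__":
    image = pack_record(POSITIVE) + pack_record(NEGATIVE)
    for rec in parse_records(image):
        print(hex(rec.request_hash), len(rec.response), "negative" if rec.negative else "positive")
    for mins in (5, 100, 300, 1000):
        print(f"+{mins:4} min:", decision_after(POSITIVE, mins))
```

Because the file is written unencrypted and, as far as the comments state, without any integrity check, a record parsed from it is trusted as a ready-made answer; write access to AcrylicCache.dat therefore amounts to control over the answers Acrylic serves after its next restart, which is a reason to keep the file's permissions as tight as the service's own.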
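The hit log described above is the one artefact on the page that an analyst will actually read after an incident, so here is a parser for its documented format (TAB-separated timestamp, source address, destiny code, dissected request or response) together with two checks run over it. This is an added example in Python, not Acrylic's own code; the six log lines are constructed to match the documented layout rather than captured from an installation, and the host names in them are illustrative.

```python
"""Parser for the Acrylic hit log plus two checks an analyst would run over it.

Added example, not Acrylic's own code. SAMPLE_HIT_LOG is constructed to match
the layout documented in the configuration comments.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

REQUEST_CODES = {"H", "C", "F"}          # per the comments, H/C/F rows carry a request
_TOKEN = re.compile(r"([A-Z]+)(?:\[(\d+)\])?=([^;]*)")


def dissect(body: str) -> Dict:
    """'RC=0;QDC=1;Q[1]=x.com;T[1]=A' -> {'RC': 0, 'QDC': 1, 'Q': {1: 'x.com'}, 'T': {1: 'A'}}"""
    out: Dict = {}
    for key, index, value in _TOKEN.findall(body):
        if index:
            out.setdefault(key, {})[int(index)] = value
        else:
            out[key] = int(value) if value.isdigit() else value
    return out


def parse_line(line: str) -> Dict:
    timestamp, source, code, body = line.rstrip("\r\n").split("\t", 3)
    return {
        "time": datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S.%f"),
        "source": source,
        "code": code,
        "kind": "request" if code in REQUEST_CODES else "response",
        "data": dissect(body),
    }


def parse_hit_log(text: str) -> List[Dict]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def answer_chain(record: Dict) -> List[Tuple[str, str, str]]:
    """(owner, type, value) triples of a response, in answer order."""
    data = record["data"]
    chain = []
    for i in sorted(data.get("A", {})):
        owner, _, value = data["A"][i].partition(">")
        chain.append((owner, data["T"][i], value))
    return chain


def forwarded_by_source(records: List[Dict]) -> Counter:
    """How many requests each client caused to leave the host (code F)."""
    return Counter(r["source"] for r in records if r["code"] == "F")


def txt_heavy_sources(records: List[Dict], threshold: int) -> List[str]:
    """Clients with at least `threshold` forwarded TXT queries: a cheap first-pass
    indicator for DNS tunnelling that still needs confirmation by hand."""
    txt = Counter(r["source"] for r in records
                  if r["kind"] == "request" and r["code"] == "F"
                  and "TXT" in r["data"].get("T", {}).values())
    return sorted(s for s, n in txt.items() if n >= threshold)


# Constructed sample in the documented format (timestamp, source, code, body).
SAMPLE_HIT_LOG = "\n".join([
    "2024-03-05 10:15:01.123\t192.168.1.20\tH\tQ[1]=intranet.corp.example;T[1]=A",
    "2024-03-05 10:15:02.456\t192.168.1.20\tF\tQ[1]=x.com;T[1]=A",
    "2024-03-05 10:15:02.489\t8.8.8.8\tR\tRC=0;QDC=1;ANC=2;Q[1]=x.com;T[1]=CNAME;"
    "A[1]=x.com>y.com;T[2]=A;A[2]=y.com>1.2.3.4",
    "2024-03-05 10:15:03.001\t192.168.1.31\tF\tQ[1]=aGVsbG8.tunnel.example;T[1]=TXT",
    "2024-03-05 10:15:03.002\t192.168.1.31\tF\tQ[1]=d29ybGQ.tunnel.example;T[1]=TXT",
    "2024-03-05 10:15:03.010\t192.168.1.31\tC\tQ[1]=x.com;T[1]=A",
])

if __name__ == "__main__":
    records = parse_hit_log(SAMPLE_HIT_LOG)
    print("forwarded per client:", dict(forwarded_by_source(records)))
    print("answer chain:", answer_chain(records[2]))
    print("TXT-heavy clients:", txt_heavy_sources(records, threshold=2))
```

Note that T[n] means the question type on request rows but the answer type on response rows, so the parser keeps the row kind next to the dissected fields; and since the comments say the log is only flushed when Acrylic is idle or its buffer is full, the last few seconds of activity may be missing from a file copied while the service is still running.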
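The AllowedAddressesSection is the only access control on the page, and its wildcard syntax decides how far a resolver bound to 0.0.0.0 is exposed. The code below, an added Python example and not Acrylic's own, reads that section from a constructed AcrylicConfiguration.ini fragment, evaluates a source address against it, and flags entries that open the service wider than a subnet. It assumes that wildcards match whole dotted-quad octets (so "172.16.*" covers 172.16.0.0 to 172.16.255.255 and not 172.160.x.x), that requests from the local machine are always answered (modelled here as loopback only), and that entries are IPv4, since only IPv4 entries appear in the comments.

```python
"""Model of the AllowedAddressesSection check and a lint for over-wide entries.

Added example, not Acrylic's own code. Assumptions: octet-wise wildcards,
loopback stands in for "the local machine", IPv4 entries only.
"""
import configparser
import ipaddress
from typing import List


def ip_matches(pattern: str, source: str) -> bool:
    """Octet-wise wildcard match: '192.168.100.*', '172.16.*' or '*'."""
    want, have = pattern.strip().split("."), source.split(".")
    for w, h in zip(want, have):
        if w == "*":
            return True              # trailing wildcard swallows the rest
        if w != h:
            return False
    return len(want) == len(have)    # a plain address must match all octets


def load_allowed(ini_text: str) -> List[str]:
    """Entries of [AllowedAddressesSection] from AcrylicConfiguration.ini text."""
    # interpolation=None keeps %TEMP% / %DATE% in file-name values literal;
    # the default interpolation would reject them.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    if not parser.has_section("AllowedAddressesSection"):
        return []
    return [v.strip() for _, v in parser.items("AllowedAddressesSection") if v.strip()]


def request_allowed(entries: List[str], source: str) -> bool:
    """True if Acrylic would handle a request from `source` under these entries."""
    if ipaddress.ip_address(source).is_loopback:
        return True                  # own machine (assumption: loopback only)
    return any(ip_matches(e, source) for e in entries)


def audit(entries: List[str]) -> List[str]:
    """Flag entries that expose the resolver beyond a specific subnet."""
    findings = []
    for e in entries:
        parts = e.split(".")
        if e == "*":
            findings.append(f"{e}: answers any address, an open resolver on every bound interface")
        elif "*" in parts and len(parts) < 3:
            findings.append(f"{e}: wildcard wider than a /16")
    return findings


# Constructed fragment of AcrylicConfiguration.ini (the "-- ..." annotations
# shown in the comments are explanatory and are not part of the syntax).
SAMPLE_INI = r"""
; constructed fragment
[GlobalSection]
PrimaryServerAddress=8.8.8.8
HitLogFileName=%TEMP%\AcrylicDNSProxyHitLog.%DATE%.txt
[AllowedAddressesSection]
IP1=192.168.45.254
IP2=192.168.44.100
IP3=192.168.100.*
IP4=172.16.*
"""

if __name__ == "__main__":
    entries = load_allowed(SAMPLE_INI)
    for src in ("127.0.0.1", "192.168.100.7", "172.16.200.1", "10.0.0.5"):
        print(f"{src:15} -> {'answered' if request_allowed(entries, src) else 'refused'}")
    print("audit of IP1=*:", audit(["*"]))
```

The empty [AllowedAddressesSection] shipped by default yields an empty entry list, under which only the machine's own requests are answered; combine any wider entry with a LocalIPv4BindingAddress limited to the interface that faces those clients rather than 0.0.0.0, so that the two settings back each other up.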
