Acrylic DNS Proxy Configuration


The best way to learn about Acrylic features and configuration options is by looking at its default commented configuration file:

;
; IF YOU MAKE ANY CHANGES TO THIS FILE YOU HAVE TO RESTART THE ACRYLIC DNS PROXY SERVICE IN ORDER TO SEE THEIR EFFECTS.
;
[GlobalSection]
;
; The IP address of your primary DNS server. You can specify here an IPv4 address in quad-dotted notation or an IPv6 address in colon-separated groups.
;
; Upon installation it points to the primary Google Public DNS server.
;
PrimaryServerAddress=8.8.8.8
;
; The TCP or UDP port your primary DNS server is supposed to be listening to. The default value of 53 is the standard port for DNS resolution. You should change this value only if you are using a non standard DNS server.
;
PrimaryServerPort=53
;
; The protocol to use with your primary DNS server.
; The currently supported protocols are UDP, TCP and SOCKS5.
;
PrimaryServerProtocol=UDP
;
; The IP address of the proxy server to use to reach your primary DNS server, in case you instructed Acrylic to use the SOCKS5 protocol in the previous configuration option. You can specify here an IPv4 address in quad-dotted notation or an IPv6 address in colon-separated groups.
;
PrimaryServerProxyAddress=
;
; The TCP port the proxy server described above is supposed to be listening to.
;
PrimaryServerProxyPort=
;
; The domain name affinity mask is a list of semicolon separated values or wildcards that allows to restrict which DNS server is going to resolve a particular domain name.
;
; In the following example only the requests for domain names ending with ".com" get forwarded to the primary DNS server:
;
; PrimaryServerDomainNameAffinityMask=*.com
;
; In the following example only the requests for domain names ending with ".com" and ".org" get forwarded to the primary DNS server:
;
; PrimaryServerDomainNameAffinityMask=*.com;*.org
;
; Negations can be expressed by prepending a caret (^) to the value or wildcard.
;
; In the following example only the requests for domain names NOT ending with ".com" or ".org" get forwarded to the primary DNS server (the last catch-all value is particularly important in this case as, if missing, no request would ever be forwarded to the primary DNS server):
;
; PrimaryServerDomainNameAffinityMask=^*.com;^*.org;*
;
PrimaryServerDomainNameAffinityMask=
;
; The query type affinity mask is list of semicolon separated values that allows to restrict which DNS server is going to resolve a particular query type.
;
; In the following example only the requests for A, AAAA, CNAME, MX, NS, SOA, SRV and TXT query types get forwarded to the primary DNS server:
;
; PrimaryServerQueryTypeAffinityMask=A;AAAA;CNAME;MX;NS;SOA;SRV;TXT
;
; The supported query types are:
;
; A NS MD MF CNAME
; SOA MB MG MR NULL
; WKS PTR HINFO MINFO MX
; TXT RP AFSDB X25 ISDN
; RT NSAP NSAPPTR SIG KEY
; PX GPOS AAAA LOC NXT
; EID NIMLOC SRV ATMA NAPTR
; KX CERT A6 DNAME SINK
; OPT APL DS SSHFP IPSECKEY
; RRSIG NSEC DNSKEY DHCID NSEC3
; NSEC3PARAM TLSA HIP NINFO RKEY
; TALINK CDS CDNSKEY OPENPGPKEY CSYNC
; SPF UINFO UID GID UNSPEC
; NID L32 L64 LP EUI48
; EUI64 ADDRS TKEY TSIG IXFR
; AXFR MAILB MAILA ALL URI
; CAA TA DLV WINS WINSR
;
PrimaryServerQueryTypeAffinityMask=
;
; You can decide to ignore failure responses coming from the primary DNS server.
;
IgnoreFailureResponsesFromPrimaryServer=No
;
; You can decide to ignore negative responses coming from the primary DNS server.
;
IgnoreNegativeResponsesFromPrimaryServer=No
;
; The configuration of your secondary DNS server.
; For more details refer to the primary DNS server configuration comments.
;
; Upon installation it points to the secondary Google Public DNS server.
;
SecondaryServerAddress=8.8.4.4
SecondaryServerPort=53
SecondaryServerProtocol=UDP
SecondaryServerProxyAddress=
SecondaryServerProxyPort=
SecondaryServerDomainNameAffinityMask=
SecondaryServerQueryTypeAffinityMask=
IgnoreFailureResponsesFromSecondaryServer=No
IgnoreNegativeResponsesFromSecondaryServer=No
;
; The configuration of your tertiary DNS server.
; For more details refer to the primary DNS server configuration comments.
;
TertiaryServerAddress=
TertiaryServerPort=53
TertiaryServerProtocol=UDP
TertiaryServerProxyAddress=
TertiaryServerProxyPort=
TertiaryServerDomainNameAffinityMask=
TertiaryServerQueryTypeAffinityMask=
IgnoreFailureResponsesFromTertiaryServer=No
IgnoreNegativeResponsesFromTertiaryServer=No
;
; The configuration of your quaternary DNS server.
; For more details refer to the primary DNS server configuration comments.
;
QuaternaryServerAddress=
QuaternaryServerPort=53
QuaternaryServerProtocol=UDP
QuaternaryServerProxyAddress=
QuaternaryServerProxyPort=
QuaternaryServerDomainNameAffinityMask=
QuaternaryServerQueryTypeAffinityMask=
IgnoreFailureResponsesFromQuaternaryServer=No
IgnoreNegativeResponsesFromQuaternaryServer=No
;
; The configuration of your quinary DNS server.
; For more details refer to the primary DNS server configuration comments.
;
QuinaryServerAddress=
QuinaryServerPort=53
QuinaryServerProtocol=UDP
QuinaryServerProxyAddress=
QuinaryServerProxyPort=
QuinaryServerDomainNameAffinityMask=
QuinaryServerQueryTypeAffinityMask=
IgnoreFailureResponsesFromQuinaryServer=No
IgnoreNegativeResponsesFromQuinaryServer=No
;
; The configuration of your senary DNS server.
; For more details refer to the primary DNS server configuration comments.
;
SenaryServerAddress=
SenaryServerPort=53
SenaryServerProtocol=UDP
SenaryServerProxyAddress=
SenaryServerProxyPort=
SenaryServerDomainNameAffinityMask=
SenaryServerQueryTypeAffinityMask=
IgnoreFailureResponsesFromSenaryServer=No
IgnoreNegativeResponsesFromSenaryServer=No
;
; The configuration of your septenary DNS server.
; For more details refer to the primary DNS server configuration comments.
;
SeptenaryServerAddress=
SeptenaryServerPort=53
SeptenaryServerProtocol=UDP
SeptenaryServerProxyAddress=
SeptenaryServerProxyPort=
SeptenaryServerDomainNameAffinityMask=
SeptenaryServerQueryTypeAffinityMask=
IgnoreFailureResponsesFromSeptenaryServer=No
IgnoreNegativeResponsesFromSeptenaryServer=No
;
; The configuration of your octonary DNS server.
; For more details refer to the primary DNS server configuration comments.
;
OctonaryServerAddress=
OctonaryServerPort=53
OctonaryServerProtocol=UDP
OctonaryServerProxyAddress=
OctonaryServerProxyPort=
OctonaryServerDomainNameAffinityMask=
OctonaryServerQueryTypeAffinityMask=
IgnoreFailureResponsesFromOctonaryServer=No
IgnoreNegativeResponsesFromOctonaryServer=No
;
; The configuration of your nonary DNS server.
; For more details refer to the primary DNS server configuration comments.
;
NonaryServerAddress=
NonaryServerPort=53
NonaryServerProtocol=UDP
NonaryServerProxyAddress=
NonaryServerProxyPort=
NonaryServerDomainNameAffinityMask=
NonaryServerQueryTypeAffinityMask=
IgnoreFailureResponsesFromNonaryServer=No
IgnoreNegativeResponsesFromNonaryServer=No
;
; The configuration of your denary DNS server.
; For more details refer to the primary DNS server configuration comments.
;
DenaryServerAddress=
DenaryServerPort=53
DenaryServerProtocol=UDP
DenaryServerProxyAddress=
DenaryServerProxyPort=
DenaryServerDomainNameAffinityMask=
DenaryServerQueryTypeAffinityMask=
IgnoreFailureResponsesFromDenaryServer=No
IgnoreNegativeResponsesFromDenaryServer=No
;
; THE ACRYLIC DNS PROXY CACHING MECHANISM EXPLAINED
;
; When Acrylic receives a DNS request from a client the hosts cache (a static cache contained in the AcrylicHosts.txt file) is searched first. If nothing is found there the request is subsequently searched in the address cache (a dynamic cache contained in the AcrylicCache.dat file). At this point three things may happen:
;
; CASE 1: The request is not found in the address cache or its corresponding response is older than "AddressCacheScavengingTime" minutes: In this case the original request is forwarded to all of the configured DNS servers simultaneously. The response to the client is delayed until the first one of the DNS servers comes out with a valid response (all the others will be discarded).
;
; CASE 2: The request is found in the address cache and its corresponding response is older than "AddressCacheSilentUpdateTime" minutes but not older than "AddressCacheScavengingTime minutes": In this case the response to the client is sent immediately from the address cache and the original request is also forwarded to all of the configured DNS servers like in the previous case. The first response coming from one of the DNS servers will be used to silently update the address cache (all the others will be discarded).
;
; CASE 3: The request is found in the address cache and its corresponding response is younger than "AddressCacheSilentUpdateTime" minutes: In this case the response to the client is sent immediately from the address cache and no network activity with any of the configured DNS servers will occur.
;
; To minimize disk activity the address cache is flushed from memory to disk only when the Acrylic DNS Proxy service is stopped or the system is shut down. Thus you won't see anything change in the AcrylicCache.dat file until you stop the Acrylic DNS Proxy service or shut down the system.
;
; And now about the caching parameters:
;
; The time to live (in minutes) of a failure response in the address cache.
;
AddressCacheFailureTime=0
;
; The time to live (in minutes) of a negative response in the address cache.
;
AddressCacheNegativeTime=10
;
; The time to live (in minutes) of a positive response in the address cache.
;
AddressCacheScavengingTime=960
;
; The time (in minutes) elapsed which an item in the address cache must be silently updated should a request occur.
;
AddressCacheSilentUpdateTime=240
;
; You can disable any disk activity related to the address cache by choosing Yes instead of No. If you do that Acrylic will still use the address cache but won't load it from disk upon startup and won't save it to disk upon shutdown.
;
AddressCacheInMemoryOnly=No
;
; You can disable the address cache altogether by choosing Yes instead of No. If you do that Acrylic will work as a forwarding-only DNS proxy.
;
AddressCacheDisabled=No
;
; The local IPv4 address to which Acrylic binds. A value of 0.0.0.0 indicates that Acrylic should bind to all available addresses and as such it will be able to receive DNS requests coming from all of your network interfaces. A value corresponding to the IPv4 address of one of them instead will allow Acrylic to receive DNS requests only from that specific network interface. An empty value instead indicates that no binding should occur on IPv4.
;
LocalIPv4BindingAddress=0.0.0.0
;
; The local UDPv4 port to which Acrylic binds. The default value of 53 is the standard port for DNS resolution. You should change this value only if you are using a non standard DNS client.
;
LocalIPv4BindingPort=53
;
; The local IPv6 address to which Acrylic binds. A value of 0:0:0:0:0:0:0:0 indicates that Acrylic should bind to all available addresses and as such it will be able to receive DNS requests coming from all of your network interfaces. A value corresponding to the IPv6 address of one of them instead will allow Acrylic to receive DNS requests only from that specific network interface. An empty value instead indicates that no binding should occur on IPv6.
;
LocalIPv6BindingAddress=0:0:0:0:0:0:0:0
;
; The local UDPv6 port to which Acrylic binds. The default value of 53 is the standard port for DNS resolution. You should change this value only if you are using a non standard DNS client.
;
LocalIPv6BindingPort=53
;
; On Windows versions prior to Windows Vista or Windows Server 2008 the IPv6 protocol is usually not installed by default. For Windows 2000 there is a Microsoft IPv6 Technology Preview package available for download while for Windows XP the IPv6 protocol must be added to the list of available network protocols in your network connection Properties window.
;
; If you want to enable local IPv6 binding for Acrylic on Windows versions prior to Windows Vista or Windows Server 2008 you can choose Yes below after having installed all the necessary prerequisites.
;
LocalIPv6BindingEnabledOnWindowsVersionsPriorToWindowsVistaOrWindowsServer2008=No
;
; The time to live (in seconds) set for DNS responses generated by Acrylic (e.g. the ones generated from mappings contained in the Acrylic HOSTS file).
;
GeneratedResponseTimeToLive=300
;
; The maximum time (in milliseconds) to wait for a response coming from a DNS server configured with the UDP protocol.
;
ServerUdpProtocolResponseTimeout=4999
;
; The maximum time (in milliseconds) to wait for the first byte of a response coming from a DNS server configured with the TCP protocol.
;
ServerTcpProtocolResponseTimeout=4999
;
; The maximum time (in milliseconds) to wait for an intra communication packet of a response coming from a DNS server configured with the TCP protocol.
;
ServerTcpProtocolInternalTimeout=2477
;
; The maximum times (in milliseconds) to wait for the below events when communicating with a proxy server on behalf of a DNS server configured with the SOCKS5 protocol.
;
ServerSocks5ProtocolProxyFirstByteTimeout=2477
ServerSocks5ProtocolProxyOtherBytesTimeout=2477
ServerSocks5ProtocolProxyRemoteConnectTimeout=2477
ServerSocks5ProtocolProxyRemoteResponseTimeout=4999
;
; The hit log is a text file into which every DNS request and DNS response seen by Acrylic can be logged.
;
; It is activated by specifying a non-empty value for the HitLogFileName parameter and contains rows with the following TAB-separated fields:
;
; 1. A timestamp in the format YYYY-MM-DD HH:MM:SS.FFF.
; 2. The source IP address of the DNS request (for HCF description codes) or response (for RU description codes).
; 3. The description code:
; H => Resolved from the hosts cache
; C => Resolved from the address cache
; F => Forwarded to at least one of the DNS servers
; R => Received from one of the configured DNS servers
; U => Silent update from one of the configured DNS servers
; 4. The dissected DNS request (for HCF description codes) or response (for RU description codes).
;
; A dissected DNS request looks like:
;
; Q[1]=x.com;T[1]=A
;
; Where:
;
; 1. Q[1]=x.com means that DNS question 1 refers to the "x.com" domain name.
; 2. T[1]=A means that DNS question 1 is of type A (IPv4).
;
; A dissected DNS response is like:
;
; RC=0;QDC=1;ANC=2;Q[1]=x.com;T[1]=CNAME;A[1]=x.com>y.com;T[2]=A;A[2]=y.com>1.2.3.4
;
; Where:
;
; 1. RC=0 means that the DNS response code (RCODE) is 0.
; 2. QDC=1 means that the number of questions (QDCOUNT) contained in the DNS response is 1.
; 3. ANC=2 means that the number of answers (ANCOUNT) contained in the DNS response is 2.
; 4. Q[1]=x.com means that the DNS question 1 refers to the "x.com" domain name.
; 5. T[1]=CNAME means that the DNS answer 1 is of type CNAME (canonical name).
; 6. A[1]=x.com>y.com means that the DNS answer 1 that refers to the "x.com" domain name is "y.com".
; 7. T[2]=A means that the DNS answer 2 is of type A (IPv4).
; 8. A[2]=y.com>1.2.3.4 means that the DNS answer 2 that refers to the "y.com" domain name is "1.2.3.4".
;
; For performance reasons the hit log is flushed to disk only when Acrylic is idle or when the hit log memory buffer is full, therefore you might experience a delay of a few seconds between when a DNS request or a DNS response is received and when its details get written into the hit log. Furthermore, since writing each entry into the hit log requires its full dissection, activating the hit log does incur a performance penalty, although it might become noticeable only when Acrylic is used as the DNS server of a large number of clients.
;
; Regarding the HitLogFileName you can use an absolute or a relative path and a sort of daily log rotation can be achieved by including the %DATE% template within the file name. A complete list of all the templates you can use within the file name is shown below:
;
; %DATE%
; The current date in YYYYMMDD format.
;
; %TEMP%
; The current value of the TEMP environment variable.
;
; %APPDATA%
; The current value of the APPDATA environment variable.
;
; %LOCALAPPDATA%
; The current value of the LOCALAPPDATA environment variable.
;
; Examples:
;
; HitLogFileName=HitLog.%DATE%.txt
; HitLogFileName=%TEMP%\AcrylicDNSProxyHitLog.%DATE%.txt
;
HitLogFileName=
;
; The filter (a combination of one or more of the description codes shown above) which controls what is written into the hit log and what isn't.
;
HitLogFileWhat=HCFRU
;
; You can force Acrylic to write the hit log using the old (0.9.24) format by uncommenting the following line. The new format is richer but you may still want to use the old one for compatibility with an already existing log analyzer.
;
; HitLogFileMode=Legacy
;
; The minimum number of hit log entries that can be flushed to disk during Acrylic's idle cicle.
;
HitLogMinPendingHits=1
;
; The maximum number of hit log entries that can be kept in memory before they are flushed to disk outside of Acrylic's idle cicle.
;
HitLogMaxPendingHits=8192
;
; ALLOWING REQUESTS FROM OTHER COMPUTERS
;
; Although for security reasons the default behaviour of Acrylic is to refuse to handle requests coming from other computers, it is possible to specify in the AllowedAddressesSection a list of IP addresses or IP subnets from which can come requests that Acrylic is allowed to handle. You have to specify a different key name for each entry, like in the following example:
;
; [AllowedAddressesSection]
; IP1=192.168.45.254 -- A single IP address
; IP2=192.168.44.100 -- Another single IP address
; IP3=192.168.100.* -- All addresses starting with 192.168.100
; IP4=172.16.* -- All addresses starting with 172.16
;
; For performance reasons keep the number of addresses listed in this section as low as possible (you should try to specify subnets instead of large lists of IP addresses whenever possible).
;
; Note: Wildcards (like 192.168.100.*) are allowed. Although not recommended for security reasons you can allow Acrylic to handle requests coming from any IP address, like in the following example:
;
; [AllowedAddressesSection]
; IP1=*
;
[AllowedAddressesSection]
;
; The CacheExceptionsSection section below may contain a list of domain names for which caching does not occur (requests are always forwarded to the DNS servers). This may be useful if you have a small subset of IP addresses that change rapidly but you don't want to loose the performance improvements of Acrylic's address cache for all the other domain names.
;
; Example:
;
; [CacheExceptionsSection]
; NAME1=somemachine.mydomain.local
; NAME2=*.microsoft.com
;
; Note: Wildcards (like *.microsoft.com) are allowed.
;
[CacheExceptionsSection]
NCSI1=www.msftncsi.com
NCSI2=dns.msftncsi.com
NCSI3=ipv6.msftncsi.com

Go back to the Acrylic Home page.