config: Update example configs to listen on all IPv4 addresses

Signed-off-by: Kyle Harding <kyle@balena.io>

Author: klutchell

Dockerfile

@@ -19,9 +19,11 @@ RUN --mount=type=cache,target=/home/nonroot/.cache/go-build,uid=65532,gid=65532
 
 WORKDIR /config
 
-RUN cp -a /src/dnscrypt-proxy/example-* ./
+# Copy example configs for reference and update listen address
+RUN cp -a /src/dnscrypt-proxy/example-* ./ \
+	&& sed -i '/^listen_addresses/s/127.0.0.1/0.0.0.0/' ./example-dnscrypt-proxy.toml
 
-COPY dnscrypt-proxy.toml ./
+COPY config/dnscrypt-proxy.toml ./
 
 ARG NONROOT_UID=65532
 ARG NONROOT_GID=65532
@@ -32,8 +34,8 @@ RUN addgroup -S -g ${NONROOT_GID} nonroot \
 # ----------------------------------------------------------------------------
 FROM scratch AS conf-example
 
-# docker build . --target conf-example --output .
-COPY --from=build /config/example-dnscrypt-proxy.toml /dnscrypt-proxy.toml.example
+# docker build . --target conf-example --output ./config
+COPY --from=build /config/example-* /
 
 # ----------------------------------------------------------------------------
 FROM --platform=$BUILDPLATFORM golang:1.25.5-alpine3.21@sha256:b4dbd292a0852331c89dfd64e84d16811f3e3aae4c73c13d026c4d200715aff6 AS probe

dnscrypt-proxy.toml config/dnscrypt-proxy.tomldnscrypt-proxy.toml renamed to config/dnscrypt-proxy.toml

@@ -0,0 +1,7 @@
+##############################
+#   Allowed IPs List         #
+##############################
+
+#192.168.0.*
+#fe80:53:*          # IPv6 prefix example
+#81.169.145.105

config/example-allowed-ips.txt

@@ -0,0 +1,32 @@
+
+###########################
+#        Allowlist        #
+###########################
+
+## Rules for allowing queries based on name, one per line
+##
+## Example of valid patterns:
+##
+## ads.*                    | matches anything with an "ads." prefix
+## *.example.com            | matches example.com and all names within that zone such as www.example.com
+## example.com              | identical to the above
+## =example.com             | allows example.com but not *.example.com
+## [a-z0-9\-_]*.example.com | allows *.example.com but not example.com
+## *sex*                    | matches any name containing that substring
+## ads[0-9]*                | matches "ads" followed by one or more digits
+## ads*.example*            | *, ? and [] can be used anywhere, but prefixes/suffixes are faster
+
+
+# That one may be blocked due to 'tracker' being in the name.
+tracker.debian.org
+
+# That one may be blocked due to 'ads' being in the name.
+# However, blocking it prevents all sponsored links from the Google
+# search engine from being opened.
+googleadservices.com
+
+
+## Time-based rules
+
+# *.youtube.*  @time-to-play
+# facebook.com @play

config/example-allowed-names.txt

@@ -0,0 +1,17 @@
+##############################
+#        IP blocklist        #
+##############################
+
+## Rules for blocking DNS responses if they contain
+## IP addresses matching patterns.
+##
+## Sample feeds of suspect IP addresses:
+## - https://github.com/stamparm/ipsum
+## - https://github.com/tg12/bad_packets_blocklist
+## - https://isc.sans.edu/block.txt
+## - https://block.energized.pro/extensions/ips/formats/list.txt
+## - https://www.iblocklist.com/lists
+
+163.5.1.4
+94.46.118.*
+fe80:53:*          # IPv6 prefix example

config/example-blocked-ips.txt

@@ -0,0 +1,46 @@
+
+###########################
+#        Blocklist        #
+###########################
+
+## Rules for name-based query blocking, one per line
+##
+## Example of valid patterns:
+##
+## ads.*                    | matches anything with an "ads." prefix
+## *.example.com            | matches example.com and all names within that zone such as www.example.com
+## example.com              | identical to the above
+## =example.com             | blocks example.com but not *.example.com
+## [a-z0-9\-_]*.example.com | blocks *.example.com but not example.com
+## *sex*                    | matches any name containing that substring
+## ads[0-9]*                | matches "ads" followed by one or more digits
+## ads*.example*            | *, ? and [] can be used anywhere, but prefixes/suffixes are faster
+
+ad.*
+ads.*
+banner.*
+banners.*
+creatives.*
+oas.*
+oascentral.*        # inline comments are allowed after a pound sign
+stats.*
+tag.*
+telemetry.*
+tracker.*
+*.local
+eth0.me
+*.workgroup
+
+
+## Prevent usage of Apple private relay, that bypasses DNS
+
+# mask.apple-dns.net
+# mask.icloud.com
+# mask-api.icloud.com
+# doh.dns.apple.com
+
+
+## Time-based rules
+
+# *.youtube.*  @time-to-sleep
+# facebook.com @work

config/example-blocked-names.txt

@@ -0,0 +1,27 @@
+###########################################
+#        Captive portal test names        #
+###########################################
+
+## Some operating systems send queries to these names after a network change,
+## in order to check if connectivity beyond the router is possible without
+## going through a captive portal.
+##
+## This is a list of hard-coded IP addresses that will be returned when queries
+## for these names are received, even before the operating system reports an interface
+## as usable for reaching the Internet.
+##
+## Note that IPv6 addresses don't need to be specified within brackets,
+## as there are no port numbers.
+
+captive.apple.com               17.253.109.201, 17.253.113.202
+connectivitycheck.gstatic.com   64.233.162.94, 64.233.164.94, 64.233.165.94, 64.233.177.94, 64.233.185.94, 74.125.132.94, 74.125.136.94, 74.125.20.94, 74.125.21.94, 74.125.28.94
+connectivitycheck.android.com   64.233.162.100, 64.233.162.101, 64.233.162.102, 64.233.162.113, 64.233.162.138, 64.233.162.139
+www.msftncsi.com                2.16.106.89, 2.16.106.91, 23.0.175.137, 23.0.175.146, 23.192.47.155, 23.192.47.203, 23.199.63.160, 23.199.63.184, 23.199.63.208, 23.204.146.160, 23.204.146.163, 23.46.238.243, 23.46.239.24, 23.48.39.16, 23.48.39.48, 23.55.38.139, 23.55.38.146, 23.59.190.185, 23.59.190.195
+dns.msftncsi.com                131.107.255.255, fd3e:4f5a:5b81::1
+www.msftconnecttest.com         13.107.4.52
+ipv6.msftconnecttest.com        2a01:111:2003::52
+ipv4only.arpa                   192.0.0.170, 192.0.0.171
+
+## Adding IP addresses of NTP servers is also a good idea
+
+time.google.com                 216.239.35.0, 2001:4860:4806::

config/example-captive-portals.txt

@@ -0,0 +1,44 @@
+################################
+#        Cloaking rules        #
+################################
+
+# The following example rules force "safe" (without adult content) search
+# results from Google, Bing and YouTube.
+#
+# This has to be enabled with the `cloaking_rules` parameter in the main
+# configuration file
+
+
+www.google.*             forcesafesearch.google.com
+
+www.bing.com             strict.bing.com
+
+yandex.ru                familysearch.yandex.ru       # inline comments are allowed after a pound sign
+
+=duckduckgo.com          safe.duckduckgo.com
+
+www.youtube.com          restrictmoderate.youtube.com
+m.youtube.com            restrictmoderate.youtube.com
+youtubei.googleapis.com  restrictmoderate.youtube.com
+youtube.googleapis.com   restrictmoderate.youtube.com
+www.youtube-nocookie.com restrictmoderate.youtube.com
+
+# Multiple IP entries for the same name are supported.
+# In the following example, the same name maps both to IPv4 and IPv6 addresses:
+
+localhost                127.0.0.1
+localhost                ::1
+
+# For load-balancing, multiple IP addresses of the same class can also be
+# provided using the same format, one <pattern> <ip> pair per line.
+
+# ads.*                 192.168.100.1
+# ads.*                 192.168.100.2
+# ads.*                 ::1
+
+# PTR records can be created by setting cloak_ptr in the main configuration file
+# Entries with wild cards will not have PTR records created, but multiple
+# names for the same IP are supported
+
+# example.com           192.168.100.1
+# my.example.com        192.168.100.1