Use these optional configuration parameters to improve DNS Relay performance and reliability in specific deployment environments.
Set custom DNS servers during installation
As of Relay version 1.3.0, custom DNS servers can be used when registering or validating with the remote API. This allows deployments behind restrictive or custom DNS setups to direct registration traffic through specific DNS servers, improving reliability and flexibility.
```
[client.registration_override_dns]
enabled = true
address = "103.247.36.36:53"
protocol = "udp"
timeout = "5s"
```
Reduce high latency during Relay failover
In some environments, the Relay may experience high latency when failing over between two relays. Relay version 0.2.0 and higher supports two optional configuration parameters for resolver validation.
Add these parameters to relay.conf before the [log] section. The example configuration below shows the correct placement:
```
...
# Desired upstream use order, defaults to "udp", "tcp", "tcp-tls", set only one to disable the others
upstream_order = [ "udp", "tcp", "tcp-tls" ]

# Ping DNS servers settings, defaults to 60 seconds and ping is disabled
#ping_upstream_servers = true
#ping_upstream_servers_interval = "60s"

[log]
# Console error log, defaults to "error"
# Set to "debug" for troubleshooting
level = "debug"
verbose = true
...
```
Parameter descriptions
| Name | Default value | Description |
|---|---|---|
| ping_upstream_servers | false | Enable or disable resolver validation |
| ping_upstream_servers_interval | 60s | Interval in seconds to validate resolvers |
Parameter examples
Enable resolver validation with a 60-second interval:
```
ping_upstream_servers = true
#ping_upstream_servers_interval = "60s"
```
Enable resolver validation with a 30-second interval:
```
ping_upstream_servers = true
ping_upstream_servers_interval = "30s"
```
Disable resolver validation:
```
ping_upstream_servers = false
ping_upstream_servers_interval = "60s"
```
Alternatively, comment out the parameter to disable:
```
#ping_upstream_servers = true
ping_upstream_servers_interval = "60s"
```
DNSSEC configuration
Review DNSSEC recommendations before implementing this configuration.
- Update the Relay's upstream order to DoT
- Edit relay.conf to include DNSSEC. Insert the following snippet directly below the local_dns_server section:
```
# DNSFilter DNSSEC
[[tls_upstream_server]]
auth_name = "dns1.dnsfilter.com"
ip_address = "103.247.36.9"

[[tls_upstream_server]]
auth_name = "dns2.dnsfilter.com"
ip_address = "103.247.37.9"
```
Example configuration:
```
# Proxy listening address, optional, defaults to :53
#listen_addresses = [ "127.0.0.1:28000" ]

# SO reuse port true/false, defaults to false
so_reuse_port = true

# Desired upstream use order, defaults to "udp", "tcp", "tcp-tls", set only one to disable the others
upstream_order = [ "tcp-tls", "tcp", "udp" ]

[log]
# Console error log, defaults to "error"
# Set to "debug" for troubleshooting
level = "info"

[client]
name = "DNSFilter"
secret_key = "xxxxxxxx"
hostname = "DNSFilter"

# Local DNS servers to forward domain specific requests
[[local_dns_server]]
#addresses = [ "10.0.0.1:53", "10.0.0.2:53" ]
#local_domains = [ "local.domain", "my.lan" ]

# DNSFilter DNSSEC
[[tls_upstream_server]]
auth_name = "dns1.dnsfilter.com"
ip_address = "103.247.36.9"

[[tls_upstream_server]]
auth_name = "dns2.dnsfilter.com"
ip_address = "103.247.37.9"

# The sections below are for testing purposes only
# ------------------------------------------------

# "Normal" Upstream servers, defaults to DNSFilter DNS Servers 103.247.36.36 and 103.247.37.37
#[[upstream_server]]
#ip_address = "45.77.74.115"
# Optional, defaults to 53
#port = 53

# Optional, defaults to 853
#port = 853
# Optional, useful for self-signed certs
#[[tls_upstream_server.pinhash]]
#digest = "sha256"
#hash = "lrdOgE4H0RyJiSVe9360dSqAu8w0iA8O1cjAsUMijAY="
#[[tls_upstream_server.pinhash]]
#digest = "sha256"
#hash = "this is an invalid hash"
```