Config reference
Config reference
| Key | Env | Default | Effect |
|---|---|---|---|
resolver |
DNS_RESOLVER |
socket |
Transport: socket (raw UDP/TCP) or doh (DNS-over-HTTPS JSON). |
nameserver |
DNS_NAMESERVER |
1.1.1.1 |
Recursive resolver the socket transport queries for ordinary lookups. |
timeout |
DNS_TIMEOUT |
3.0 |
Per-query timeout in seconds (both transports). |
doh_endpoint |
DNS_DOH_ENDPOINT |
https://dns.google/resolve |
JSON DoH endpoint used when resolver=doh. Cloudflare: https://cloudflare-dns.com/dns-query. |
challenge_prefix |
DNS_CHALLENGE_PREFIX |
_cbox-challenge |
Label prefixed to a domain for ownership-verification TXT records. |
allow_non_public_nameservers |
DNS_ALLOW_NON_PUBLIC_NAMESERVERS |
false |
Lifts the SSRF filter on authoritative reads. |
Transports
socket is the default and the only transport that can target a zone's own
authoritative nameservers — required for verifyDomain, checkPropagation, and
the authoritative parts of diagnose. Choose it unless outbound UDP/53 is
blocked in your environment.
doh queries a provider's recursive resolver over HTTPS. It is convenient where
UDP/53 is unavailable, but it cannot answer authoritative or propagation
queries — those methods will surface a resolution failure.
SSRF guard
allow_non_public_nameservers defaults to false. Authoritative reads then
refuse to connect to LAN, loopback, or reserved nameserver IPs, so a hostile zone
cannot point its NS records at an internal address (for example
169.254.169.254) and turn a lookup into a server-side request forgery probe.
Enable it only for local testing against private resolvers you control. Leave it off in production.