From d0a3ca96a3922183a3f8b1c41a452d4c47c720d3 Mon Sep 17 00:00:00 2001
From: Peter Dave Hello <hsu@peterdavehello.org>
Date: Sat, 3 Dec 2022 00:15:20 +0800
Subject: [PATCH] Initial commit

---
 .github/FUNDING.yml               |   5 +
 .gitignore                        |   3 +
 README.md                         |  23 ++
 adguardhome/conf/AdGuardHome.yaml | 431 ++++++++++++++++++++++++++++++
 blocky-dns-proxy-config.yml       |  99 +++++++
 docker-compose.yml                |  37 +++
 renovate.json                     |   6 +
 web/doh.dnslow.mobileconfig       |  65 +++++
 web/dot.dnslow.mobileconfig       |  65 +++++
 web/index.html                    |  50 ++++
 web/nrd7days.txt                  |   1 +
 web/paid-nrd7days.txt             |   1 +
 whitelist                         |   4 +
 13 files changed, 790 insertions(+)
 create mode 100644 .github/FUNDING.yml
 create mode 100644 .gitignore
 create mode 100644 README.md
 create mode 100644 adguardhome/conf/AdGuardHome.yaml
 create mode 100644 blocky-dns-proxy-config.yml
 create mode 100644 docker-compose.yml
 create mode 100644 renovate.json
 create mode 100644 web/doh.dnslow.mobileconfig
 create mode 100644 web/dot.dnslow.mobileconfig
 create mode 100644 web/index.html
 create mode 120000 web/nrd7days.txt
 create mode 120000 web/paid-nrd7days.txt
 create mode 100644 whitelist

diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 0000000..7110f23
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1,5 @@
+github: PeterDaveHello
+open_collective: peterdavehello
+ko_fi: peterdavehello
+liberapay: PeterDaveHello
+issuehunt: peterdavehello
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..97598be
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+adguardhome/work/
+adguardhome/conf/server.crt
+adguardhome/conf/server.key
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..a6f33b2
--- /dev/null
+++ b/README.md
@@ -0,0 +1,23 @@
+# dnslow.me
+
+Your advertisement and threat blocking, privacy-first, encrypted DNS.
+
+All DNS requests will be protected with [threat-intelligence feeds](https://github.com/PeterDaveHello/threat-hostlist), Newly Registered Domain feeds, AD-blocking feeds, and then randomly distributed to some other DNS resolvers for enhanced privacy.
+
+Only DoH(DNS over HTTPS), DoT(DNS over TLS), and DoQ(DNS over Quic) protocol are provided, plain-text DNS is not supported here.
+
+Encrypted DNS Endpoints:
+
+- DoH: `https://dnslow.me/dns-query` (port 443).
+- DoT: `dnslow.me` (port 853)
+- DoQ: `dnslow.me` (port 853)
+
+DNS Stamps(For AdGuard Home, DNSCrypt, and other compatiple applications):
+
+- DoH: `sdns://AgEAAAAAAAAAAAAJZG5zbG93Lm1lCi9kbnMtcXVlcnk`
+- DoT: `sdns://AwEAAAAAAAAAAAAJZG5zbG93Lm1l`
+- DoQ: `sdns://BAEAAAAAAAAAAAAJZG5zbG93Lm1l`
+
+Privacy policy: Logging is only enabled to debug, and improve the service itself, minimize the false-positive blocking. All logs will only be existing for a very short time. No logs will be shared, sold, or exchanged with any 3rd-party.
+
+Thank you for using dnslow.me.
diff --git a/adguardhome/conf/AdGuardHome.yaml b/adguardhome/conf/AdGuardHome.yaml
new file mode 100644
index 0000000..6904c14
--- /dev/null
+++ b/adguardhome/conf/AdGuardHome.yaml
@@ -0,0 +1,431 @@
+bind_host: 0.0.0.0
+bind_port: 3000
+beta_bind_port: 0
+users:
+  - name: admin
+    password: $2a$10$0541.OISg2O67M9BNAWOFe0IRzaJdN9newEyplHYTishWT8PcyuXG
+auth_attempts: 5
+block_auth_min: 15
+http_proxy: ""
+language: en
+debug_pprof: false
+web_session_ttl: 720
+dns:
+  bind_hosts:
+    - 0.0.0.0
+  port: 53
+  statistics_interval: 90
+  querylog_enabled: true
+  querylog_file_enabled: true
+  querylog_interval: 6h
+  querylog_size_memory: 1000
+  anonymize_client_ip: true
+  protection_enabled: true
+  blocking_mode: null_ip
+  blocking_ipv4: ""
+  blocking_ipv6: ""
+  blocked_response_ttl: 10
+  parental_block_host: family-block.dns.adguard.com
+  safebrowsing_block_host: standard-block.dns.adguard.com
+  ratelimit: 1996
+  ratelimit_whitelist: []
+  refuse_any: true
+  upstream_dns:
+    - dnslow.me-blocky
+  upstream_dns_file: ""
+  bootstrap_dns:
+    - 9.9.9.9
+    - 101.101.101.101
+  all_servers: false
+  fastest_addr: false
+  fastest_timeout: 1s
+  allowed_clients: []
+  disallowed_clients: []
+  blocked_hosts:
+    - version.bind
+    - id.server
+    - hostname.bind
+  trusted_proxies:
+    - 172.16.0.0/12
+    - 127.0.0.0/8
+    - ::1/128
+  cache_size: 4194304
+  cache_ttl_min: 30
+  cache_ttl_max: 864000
+  cache_optimistic: true
+  bogus_nxdomain: []
+  aaaa_disabled: false
+  enable_dnssec: true
+  edns_client_subnet: false
+  max_goroutines: 300
+  handle_ddr: true
+  ipset: []
+  ipset_file: ""
+  filtering_enabled: true
+  filters_update_interval: 1
+  parental_enabled: false
+  safesearch_enabled: false
+  safebrowsing_enabled: false
+  safebrowsing_cache_size: 1048576
+  safesearch_cache_size: 1048576
+  parental_cache_size: 1048576
+  cache_time: 30
+  rewrites: []
+  blocked_services: []
+  upstream_timeout: 10s
+  private_networks: []
+  use_private_ptr_resolvers: true
+  local_ptr_upstreams: []
+  serve_http3: false
+  use_http3_upstreams: false
+tls:
+  enabled: true
+  server_name: dnslow.me
+  force_https: false
+  port_https: 444
+  port_dns_over_tls: 853
+  port_dns_over_quic: 853
+  port_dnscrypt: 0
+  dnscrypt_config_file: ""
+  allow_unencrypted_doh: true
+  strict_sni_check: false
+  certificate_chain: ""
+  private_key: ""
+  certificate_path: /opt/adguardhome/conf/server.crt
+  private_key_path: /opt/adguardhome/conf/server.key
+filters:
+  - enabled: true
+    url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
+    name: AdGuard DNS filter
+    id: 1
+  - enabled: true
+    url: https://adaway.org/hosts.txt
+    name: AdAway Default Blocklist
+    id: 2
+  - enabled: true
+    url: https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
+    name: WindowsSpyBlocker - Hosts spy rules
+    id: 1657974818
+  - enabled: true
+    url: https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt
+    name: NoCoin Filter List
+    id: 1657974819
+  - enabled: true
+    url: https://raw.githubusercontent.com/durablenapkin/scamblocklist/master/adguard.txt
+    name: Scam Blocklist by DurableNapkin
+    id: 1657974820
+  - enabled: true
+    url: https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Dead/hosts
+    name: add.Dead
+    id: 1657974821
+  - enabled: true
+    url: https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts
+    name: add.Risk
+    id: 1657974822
+  - enabled: true
+    url: https://github.com/DandelionSprout/adfilt/raw/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt
+    name: Anti Malware List
+    id: 1657974823
+  - enabled: true
+    url: https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt
+    name: Anti-Malware Blocklists
+    id: 1657974824
+  - enabled: true
+    url: https://azorult-tracker.net/api/list/domain?format=plain
+    name: AZORult Tracker
+    id: 1657974825
+  - enabled: true
+    url: https://raw.githubusercontent.com/mitchellkrogza/Badd-Boyz-Hosts/master/hosts
+    name: Badd-Boyz-Hosts
+    id: 1657974826
+  - enabled: true
+    url: https://raw.githubusercontent.com/stamparm/blackbook/master/blackbook.txt
+    name: blackbook
+    id: 1657974827
+  - enabled: true
+    url: https://gitlab.com/ZeroDot1/CoinBlockerLists/-/raw/master/hosts
+    name: CoinBlockerLists
+    id: 1657974828
+  - enabled: true
+    url: https://kriskintel.com/feeds/ktip_covid_domains.txt
+    name: COVID-19 phishing sites
+    id: 1657974829
+  - enabled: true
+    url: https://raw.githubusercontent.com/MetaMask/eth-phishing-detect/master/src/hosts.txt
+    name: eth-phishing-detect
+    id: 1657974830
+  - enabled: true
+    url: https://blocklistproject.github.io/Lists/alt-version/fraud-nl.txt
+    name: Fraud block list
+    id: 1657974831
+  - enabled: true
+    url: https://raw.githubusercontent.com/FiltersHeroes/KADhosts/master/KADhosts.txt
+    name: KADhosts(KAD host version)
+    id: 1657974832
+  - enabled: true
+    url: https://raw.githubusercontent.com/RPiList/specials/master/Blocklisten/malware
+    name: Malware
+    id: 1657974833
+  - enabled: true
+    url: https://hole.cert.pl/domains/domains.txt
+    name: Malicious Domain list
+    id: 1657974834
+  - enabled: true
+    url: https://kriskintel.com/feeds/ktip_malicious_domains.txt
+    name: Malicious Domain list
+    id: 1657974835
+  - enabled: true
+    url: https://rescure.me/rescure_domain_blacklist.txt
+    name: Malicious Domain Blacklist
+    id: 1657974836
+  - enabled: true
+    url: https://raw.githubusercontent.com/HexxiumCreations/threat-list/gh-pages/hosts.txt
+    name: Malicious Domain Blocking
+    id: 1657974837
+  - enabled: true
+    url: https://raw.githubusercontent.com/stamparm/aux/master/maltrail-malware-domains.txt
+    name: Maltrail
+    id: 1657979058
+  - enabled: true
+    url: https://openphish.com/feed.txt
+    name: OpenPhish
+    id: 1657979059
+  - enabled: true
+    url: https://phishing.army/download/phishing_army_blocklist_extended.txt
+    name: Phishing Army Extended
+    id: 1657979060
+  - enabled: true
+    url: https://blocklistproject.github.io/Lists/alt-version/phishing-nl.txt
+    name: Phishing block list
+    id: 1657979061
+  - enabled: true
+    url: https://raw.githubusercontent.com/mitchellkrogza/Phishing.Database/master/phishing-domains-ACTIVE.txt
+    name: Phishing Domain Database
+    id: 1657979062
+  - enabled: true
+    url: https://securereload.tech/Phishing/Lists/Latest/
+    name: Phishing List
+    id: 1657979063
+  - enabled: true
+    url: https://malware-filter.gitlab.io/malware-filter/phishing-filter-hosts.txt
+    name: Phishing URL Blocklist
+    id: 1657979064
+  - enabled: true
+    url: https://raw.githubusercontent.com/RPiList/specials/master/Blocklisten/Phishing-Angriffe
+    name: Phishing Attack
+    id: 1657979065
+  - enabled: true
+    url: https://blocklistproject.github.io/Lists/alt-version/ransomware-nl.txt
+    name: Ransomware block list
+    id: 1657979066
+  - enabled: true
+    url: https://kriskintel.com/feeds/ktip_ransomware_feeds.txt
+    name: Ransomware Feeds
+    id: 1657979067
+  - enabled: true
+    url: https://blocklistproject.github.io/Lists/alt-version/scam-nl.txt
+    name: Scam block list
+    id: 1657979068
+  - enabled: true
+    url: https://threatfox.abuse.ch/downloads/hostfile
+    name: ThreatFox IOCs host file
+    id: 1657979070
+  - enabled: true
+    url: https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
+    name: Threat-Intel
+    id: 1657979071
+  - enabled: true
+    url: https://www.stopforumspam.com/downloads/toxic_domains_whole.txt
+    name: Toxic Domains
+    id: 1657979072
+  - enabled: true
+    url: https://urlhaus.abuse.ch/downloads/hostfile/
+    name: URLhaus
+    id: 1657979073
+  - enabled: true
+    url: https://ipinfo.tw/dns/UT1.domains
+    name: UT1 malware/phishing Category
+    id: 1657979075
+  - enabled: true
+    url: https://raw.githubusercontent.com/nextdns/metadata/master/privacy/native/apple
+    name: NextDNS Apple
+    id: 1657979076
+  - enabled: true
+    url: https://raw.githubusercontent.com/nextdns/metadata/master/privacy/native/huawei
+    name: NextDNS Huawei
+    id: 1657979077
+  - enabled: true
+    url: https://raw.githubusercontent.com/nextdns/metadata/master/privacy/native/samsung
+    name: NextDNS Samsung
+    id: 1657979078
+  - enabled: true
+    url: https://raw.githubusercontent.com/nextdns/metadata/master/privacy/native/windows
+    name: NextDNS Windows
+    id: 1657979079
+  - enabled: true
+    url: https://raw.githubusercontent.com/nextdns/metadata/master/privacy/native/xiaomi
+    name: NextDNS Xiaomi
+    id: 1657979080
+  - enabled: true
+    url: https://raw.githubusercontent.com/badmojr/1Hosts/master/mini/domains.txt
+    name: 1Hosts
+    id: 1657979081
+  - enabled: true
+    url: https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt
+    name: notrack-blocklists
+    id: 1657979082
+  - enabled: true
+    url: https://v.firebog.net/hosts/Easylist.txt
+    name: Easylist
+    id: 1657979084
+  - enabled: true
+    url: https://v.firebog.net/hosts/Easyprivacy.txt
+    name: Easyprivacy
+    id: 1657979085
+  - enabled: true
+    url: https://v.firebog.net/hosts/Prigent-Malware.txt
+    name: Prigent-Malware
+    id: 1657979086
+  - enabled: true
+    url: https://v.firebog.net/hosts/Prigent-Phishing.txt
+    name: Prigent-Phishing
+    id: 1657979087
+  - enabled: true
+    url: https://www.joewein.net/dl/bl/dom-bl-base.txt
+    name: joewein.net dom-bl-base
+    id: 1657979088
+  - enabled: true
+    url: https://block.energized.pro/extensions/regional/formats/domains.txt
+    name: energized regional
+    id: 1657979089
+  - enabled: true
+    url: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
+    name: StevenBlack
+    id: 1657979090
+  - enabled: true
+    url: https://raw.githubusercontent.com/StevenBlack/hosts/master/data/KADhosts/hosts
+    name: StevenBlack KADhosts
+    id: 1657979091
+  - enabled: true
+    url: https://raw.githubusercontent.com/0Zinc/easylists-for-pihole/master/easyprivacy.txt
+    name: 0Zinc/easylists-for-pihole easyprivacy
+    id: 1657979092
+  - enabled: true
+    url: https://raw.githubusercontent.com/0Zinc/easylists-for-pihole/master/language/chinese.txt
+    name: 0Zinc/easylists-for-pihole easylist-chinese
+    id: 1657979093
+  - enabled: true
+    url: https://raw.githubusercontent.com/Ewpratten/youtube_ad_blocklist/gh-pages/domains.txt
+    name: Ewpratten/youtube_ad_blocklist
+    id: 1657979094
+  - enabled: true
+    url: https://raw.githubusercontent.com/AdguardTeam/cname-trackers/master/combined_disguised_trackers_justdomains.txt
+    name: AdguardTeam/cname-trackers
+    id: 1657979095
+  - enabled: true
+    url: https://raw.githubusercontent.com/nextdns/cname-cloaking-blocklist/master/domains
+    name: nextdns/cname-cloaking-blocklist
+    id: 1657979096
+  - enabled: true
+    url: https://raw.githubusercontent.com/r-a-y/mobile-hosts/master/EasyPrivacyCNAME.txt
+    name: r-a-y/mobile-hosts EasyPrivacyCNAME
+    id: 1657979097
+  - enabled: true
+    url: https://raw.githubusercontent.com/r-a-y/mobile-hosts/master/AdguardTracking.txt
+    name: r-a-y/mobile-hosts AdguardTracking
+    id: 1657979098
+  - enabled: true
+    url: https://raw.githubusercontent.com/r-a-y/mobile-hosts/master/AdguardMobileSpyware.txt
+    name: r-a-y/mobile-hosts AdguardMobileSpyware
+    id: 1657979099
+  - enabled: true
+    url: https://raw.githubusercontent.com/r-a-y/mobile-hosts/master/AdguardMobileAds.txt
+    name: r-a-y/mobile-hosts AdguardMobileAds
+    id: 1657979100
+  - enabled: true
+    url: https://dnslow.me/nrd7days.txt
+    name: nrd
+    id: 1663857609
+  - enabled: true
+    url: https://dnslow.me/paid-nrd7days.txt
+    name: paid-nrd
+    id: 1665499066
+whitelist_filters:
+  - enabled: true
+    url: https://raw.githubusercontent.com/PeterDaveHello/url-shorteners/master/list
+    name: url-shorteners
+    id: 1657979101
+  - enabled: true
+    url: https://raw.githubusercontent.com/nextdns/metadata/master/privacy/affiliate-tracking-domains
+    name: affiliate-tracking-domains
+    id: 1657979102
+  - enabled: true
+    url: https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt
+    name: anudeepND
+    id: 1657979103
+  - enabled: true
+    url: https://raw.githubusercontent.com/RPiList/specials/master/dev/whitelist
+    name: RPiList
+    id: 1657979104
+  - enabled: true
+    url: https://raw.githubusercontent.com/Ultimate-Hosts-Blacklist/whitelist/master/domains.list
+    name: Ultimate-Hosts-Blacklist
+    id: 1657979105
+  - enabled: true
+    url: https://raw.githubusercontent.com/EnergizedProtection/unblock/master/basic/formats/domains.txt
+    name: EnergizedProtection
+    id: 1657979106
+  - enabled: true
+    url: https://raw.githubusercontent.com/badmojr/1Hosts/master/submit_here/exclude_for_all.txt
+    name: 1Hosts exclude_for_all
+    id: 1657979107
+  - enabled: true
+    url: https://raw.githubusercontent.com/badmojr/1Hosts/master/submit_here/exclude_for_mini_Lite_only.txt
+    name: 1Hosts exclude_for_mini_Lite_only
+    id: 1657979108
+  - enabled: true
+    url: https://raw.githubusercontent.com/PeterDaveHello/dnslow.me/master/whitelist
+    name: Custom whitelist
+    id: 1660240101
+  - enabled: true
+    url: https://raw.githubusercontent.com/privacy-protection-tools/dead-horse/master/anti-ad-white-list.txt
+    name: anti-AD whitelist
+    id: 1663857605
+user_rules: []
+dhcp:
+  enabled: false
+  interface_name: ""
+  local_domain_name: lan
+  dhcpv4:
+    gateway_ip: ""
+    subnet_mask: ""
+    range_start: ""
+    range_end: ""
+    lease_duration: 86400
+    icmp_timeout_msec: 1000
+    options: []
+  dhcpv6:
+    range_start: ""
+    lease_duration: 86400
+    ra_slaac_only: false
+    ra_allow_slaac: false
+clients:
+  runtime_sources:
+    whois: true
+    arp: true
+    rdns: true
+    dhcp: true
+    hosts: true
+  persistent: []
+log_file: ""
+log_max_backups: 0
+log_max_size: 100
+log_max_age: 3
+log_compress: false
+log_localtime: false
+verbose: false
+os:
+  group: ""
+  user: ""
+  rlimit_nofile: 0
+schema_version: 14
diff --git a/blocky-dns-proxy-config.yml b/blocky-dns-proxy-config.yml
new file mode 100644
index 0000000..e7d9347
--- /dev/null
+++ b/blocky-dns-proxy-config.yml
@@ -0,0 +1,99 @@
+upstream:
+  default:
+    - tcp-tls:8.8.8.8
+    - https://8.8.8.8/dns-query
+    - tcp-tls:9.9.9.9
+    - https://9.9.9.9/dns-query
+    - tcp-tls:101.102.103.104
+    - https://101.102.103.104/dns-query
+    - tcp-tls:101.101.101.101
+    - https://101.101.101.101/dns-query
+    - https://1.0.0.2/dns-query
+    - https://1.1.1.2/dns-query
+    - tcp-tls:security.cloudflare-dns.com
+    - tcp-tls:dns.nextdns.io
+    - https://dns.nextdns.io
+    - tcp-tls:anycast.dns.nextdns.io
+    - https://anycast.dns.nextdns.io
+    - tcp-tls:p1.freedns.controld.com
+    - https://freedns.controld.com/p1
+    - tcp-tls:protected.canadianshield.cira.ca
+    - https://protected.canadianshield.cira.ca/dns-query
+    - tcp-tls:max.rethinkdns.com
+    - https://max.rethinkdns.com
+    - tcp-tls:uncensored.dns.dnswarden.com
+    - https://dns.dnswarden.com/uncensored
+    - tcp-tls:dns-unfiltered.adguard.com
+    - https://dns-unfiltered.adguard.com/dns-query
+    - tcp-tls:doh.mullvad.net
+    - https://doh.mullvad.net/dns-query
+    - tcp-tls:dns.switch.ch
+    - https://dns.switch.ch/dns-query
+    - tcp-tls:security-filter-dns.cleanbrowsing.org
+    - https://doh.cleanbrowsing.org/doh/security-filter/
+    - tcp-tls:dot1.applied-privacy.net
+    - https://doh.applied-privacy.net/query
+    - tcp-tls:dns.digitale-gesellschaft.ch
+    - https://dns.digitale-gesellschaft.ch/dns-query
+    - tcp-tls:unicast.uncensoreddns.org
+    - https://unicast.uncensoreddns.org/dns-query
+    - tcp-tls:anycast.uncensoreddns.org
+    - https://anycast.uncensoreddns.org/dns-query
+    - tcp-tls:dot.libredns.gr
+    - https://doh.libredns.gr/dns-query
+    - tcp-tls:dot.seby.io
+    - https://doh.seby.io:8443/dns-query
+    - https://doh-2.seby.io/dns-query
+    - tcp-tls:doh.dnslify.com
+    - https://doh.dnslify.com/dns-query
+    - tcp-tls:getdnsapi.net
+    - https://doh.opendns.com/dns-query
+    - https://dns.hinet.net/dns-query
+    - https://ordns.he.net/dns-query
+    - tcp-tls:eu1.dns.lavate.ch
+    - https://eu1.dns.lavate.ch/dns-query
+    - tcp-tls:eu2.dns.lavate.ch
+    - https://eu2.dns.lavate.ch/dns-query
+    - tcp-tls:dns.hostux.net
+    - https://dns.hostux.net/dns-query
+    - tcp-tls:puredns.org
+    - https://puredns.org/dns-query
+    - tcp-tls:dns.wevpn.com
+    - https://dns.wevpn.com/dns-query
+    - tcp-tls:www.morbitzer.de
+    - https://www.morbitzer.de/dns-query
+    - tcp-tls:ns1.opennameserver.org
+    - https://ns1.opennameserver.org/dns-query
+    - https://opennic1.eth-services.de:853/
+    - https://opennic2.eth-services.de:853/
+    - https://pluton.plan9-dns.com/dns-query
+    - https://helios.plan9-dns.com/dns-query
+    - https://kronos.plan9-dns.com/dns-query
+    - https://sby-doh.limotelu.org/dns-query
+    - https://chewbacca.meganerd.nl/dns-query
+    - https://secure.avastdns.com/dns-query
+
+caching:
+  minTime: 10s
+  prefetching: true
+  prefetchExpires: 3h
+  prefetchThreshold: 100
+  prefetchMaxItemsCount: 5000
+
+queryLog:
+  logRetentionDays: 7
+  creationCooldown: 2s
+
+redis:
+  address: 172.17.0.1:6379
+
+port: 53
+bootstrapDns:
+  upstream: https://dns.quad9.net/dns-query
+  ips:
+    - 9.9.9.9
+
+disableIPv6: false
+logLevel: warn
+logFormat: text
+logPrivacy: true
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..221720a
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,37 @@
+---
+
+version: "2.1"
+services:
+  adguardhome:
+    image: adguard/adguardhome:v0.107.16
+    container_name: dnslow.me-adguardhome
+    restart: unless-stopped
+    healthcheck:
+      test: nslookup www.google.com || exit 1
+      timeout: 5s
+      interval: 60s
+      start_period: 10s
+      retries: 1
+    ports:
+      - "127.0.0.1:3000:3000/tcp"
+      - "127.0.0.1:53:53/tcp"
+      - "127.0.0.1:53:53/udp"
+      - "853:853/tcp"
+      - "853:853/udp"
+    volumes:
+      - ./adguardhome/work:/opt/adguardhome/work
+      - ./adguardhome/conf:/opt/adguardhome/conf
+    depends_on:
+      - blocky
+  blocky:
+    image: spx01/blocky:v0.20
+    container_name: dnslow.me-blocky
+    restart: unless-stopped
+    healthcheck:
+      test: nslookup www.google.com || exit 1
+      timeout: 5s
+      interval: 60s
+      start_period: 10s
+      retries: 1
+    volumes:
+      - ./blocky-dns-proxy-config.yml:/app/config.yml
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..39a2b6e
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:base"
+  ]
+}
diff --git a/web/doh.dnslow.mobileconfig b/web/doh.dnslow.mobileconfig
new file mode 100644
index 0000000..d0c217c
--- /dev/null
+++ b/web/doh.dnslow.mobileconfig
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+<key>PayloadContent</key>
+<array>
+<dict>
+<key>DNSSettings</key>
+<dict>
+<key>DNSProtocol</key>
+<string>HTTPS</string>
+<key>ServerURL</key>
+<string>https://dnslow.me/dns-query</string>
+</dict>
+<key>OnDemandRules</key>
+<array>
+<dict>
+<key>Action</key>
+<string>Connect</string>
+<key>InterfaceTypeMatch</key>
+<string>WiFi</string>
+</dict>
+<dict>
+<key>Action</key>
+<string>Connect</string>
+<key>InterfaceTypeMatch</key>
+<string>Cellular</string>
+</dict>
+<dict>
+<key>Action</key>
+<string>Disconnect</string>
+</dict>
+</array>
+<key>PayloadDescription</key>
+<string>Configures device to use dnslow.me Encrypted DNS over HTTPS</string>
+<key>PayloadDisplayName</key>
+<string>dnslow.me DNS over HTTPS</string>
+<key>PayloadIdentifier</key>
+<string>com.apple.dnsSettings.managed.bd7b3cad-38ae-48d8-9bb0-70845a491758</string>
+<key>PayloadType</key>
+<string>com.apple.dnsSettings.managed</string>
+<key>PayloadUUID</key>
+<string>c96be0fb-9544-4778-bb09-ecc2deb6d7fb</string>
+<key>PayloadVersion</key>
+<integer>1</integer>
+<key>ProhibitDisablement</key>
+<false/>
+</dict>
+</array>
+<key>PayloadDescription</key>
+<string>Adds different encrypted DNS configurations to Big Sur and iOS 14 based systems</string>
+<key>PayloadDisplayName</key>
+<string>Encrypted DNS (DoH)</string>
+<key>PayloadIdentifier</key>
+<string>com.dnslow.apple-dns.16b1508d-1649-43a2-86dc-c09d5a6a49f1</string>
+<key>PayloadRemovalDisallowed</key>
+<false/>
+<key>PayloadType</key>
+<string>Configuration</string>
+<key>PayloadUUID</key>
+<string>e55e51f2-8d59-4ce9-b70a-536c620b75d9</string>
+<key>PayloadVersion</key>
+<integer>1</integer>
+</dict>
+</plist>
diff --git a/web/dot.dnslow.mobileconfig b/web/dot.dnslow.mobileconfig
new file mode 100644
index 0000000..e5b30c2
--- /dev/null
+++ b/web/dot.dnslow.mobileconfig
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+<key>PayloadContent</key>
+<array>
+<dict>
+<key>DNSSettings</key>
+<dict>
+<key>DNSProtocol</key>
+<string>TLS</string>
+<key>ServerName</key>
+<string>dnslow.me</string>
+</dict>
+<key>OnDemandRules</key>
+<array>
+<dict>
+<key>Action</key>
+<string>Connect</string>
+<key>InterfaceTypeMatch</key>
+<string>WiFi</string>
+</dict>
+<dict>
+<key>Action</key>
+<string>Connect</string>
+<key>InterfaceTypeMatch</key>
+<string>Cellular</string>
+</dict>
+<dict>
+<key>Action</key>
+<string>Disconnect</string>
+</dict>
+</array>
+<key>PayloadDescription</key>
+<string>Configures device to use dnslow.me Encrypted DNS over TLS</string>
+<key>PayloadDisplayName</key>
+<string>dnslow.me DNS over TLS</string>
+<key>PayloadIdentifier</key>
+<string>com.apple.dnsSettings.managed.6276138b-3ef3-4d2b-90bf-53b0d9b87cf0</string>
+<key>PayloadType</key>
+<string>com.apple.dnsSettings.managed</string>
+<key>PayloadUUID</key>
+<string>d5b8e068-dbfa-479f-8340-b6ff6608caa7</string>
+<key>PayloadVersion</key>
+<integer>1</integer>
+<key>ProhibitDisablement</key>
+<false/>
+</dict>
+</array>
+<key>PayloadDescription</key>
+<string>Adds different encrypted DNS configurations to Big Sur and iOS 14 based systems</string>
+<key>PayloadDisplayName</key>
+<string>Encrypted DNS (DoH, DoT)</string>
+<key>PayloadIdentifier</key>
+<string>com.dnslow.apple-dns.4009a9fd-946a-421a-9264-5fb56d9dada3</string>
+<key>PayloadRemovalDisallowed</key>
+<false/>
+<key>PayloadType</key>
+<string>Configuration</string>
+<key>PayloadUUID</key>
+<string>dac7587d-2a10-41e8-af23-5bce627287a8</string>
+<key>PayloadVersion</key>
+<integer>1</integer>
+</dict>
+</plist>
diff --git a/web/index.html b/web/index.html
new file mode 100644
index 0000000..24ffa54
--- /dev/null
+++ b/web/index.html
@@ -0,0 +1,50 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Welcome to dnslow.me!</title>
+</head>
+<body>
+
+<h1>Welcome to dnslow.me!</h1>
+
+<h2>Your advertisement and threat blocking, privacy-first, encrypted DNS.</h2>
+
+<h3>All DNS requests will be protected(filtered) with <a href="https://github.com/PeterDaveHello/threat-hostlist">threat-intelligence feeds</a>, Newly Registered Domain feeds, AD-blocking feeds, and then randomly distributed to some other DNS resolvers for enhanced privacy.</h3>
+
+<h4>dnslow.me is an free and open source project, plesae feel free to contribute on our <a href="https://github.com/PeterDaveHello/dnslow.me">GitHub repository</a></h4>
+
+<p>Only <strong>DoH</strong>(DNS over HTTPS), <strong>DoT</strong>(DNS over TLS), and <strong>DoQ</strong>(DNS over Quic) protocol are provided, plain-text DNS is <i>not</i> supported here.</p>
+
+<p>
+Encrypted DNS Endpoints:
+<ul>
+<li>DoH: <code>https://dnslow.me/dns-query</code> (port 443).</li>
+<li>DoT: <code>dnslow.me</code> (port 853)</li>
+<li>DoQ: <code>dnslow.me</code> (port 853)</li>
+</ul>
+</p>
+
+<p>
+DNS Stamps(For AdGuard Home, DNSCrypt, and other compatiple applications):
+<ul>
+<li>DoH: <code>sdns://AgEAAAAAAAAAAAAJZG5zbG93Lm1lCi9kbnMtcXVlcnk</code></li>
+<li>DoT: <code>sdns://AwEAAAAAAAAAAAAJZG5zbG93Lm1l</code></li>
+<li>DoQ: <code>sdns://BAEAAAAAAAAAAAAJZG5zbG93Lm1l</code></li>
+</ul>
+</p>
+
+<p>
+Apple Configuration for iOS v14+ and macOS v11+ (Big Sur and later)
+<ul>
+<li><a href="./doh.dnslow.mobileconfig" target="_blank">DoH profile</a></li>
+<li><a href="./dot.dnslow.mobileconfig" target="_blank">DoT profile</a></li>
+</ul>
+</p>
+
+<p>
+Privacy policy: Logging is only enabled to debug, and improve the service itself, minimize the false-positive blocking. All logs will only be existing for a very short time. No logs will be shared, sold, or exchanged with any 3rd-party.
+</p>
+
+<p><em>Thank you for using dnslow.me.</em></p>
+</body>
+</html>
diff --git a/web/nrd7days.txt b/web/nrd7days.txt
new file mode 120000
index 0000000..251a624
--- /dev/null
+++ b/web/nrd7days.txt
@@ -0,0 +1 @@
+/home/peterhsu/nrd-list-downloader/nrd7days.txt
\ No newline at end of file
diff --git a/web/paid-nrd7days.txt b/web/paid-nrd7days.txt
new file mode 120000
index 0000000..351d05a
--- /dev/null
+++ b/web/paid-nrd7days.txt
@@ -0,0 +1 @@
+/home/peterhsu/nrd-list-downloader/paid-nrd7days.txt
\ No newline at end of file
diff --git a/whitelist b/whitelist
new file mode 100644
index 0000000..80ddbd7
--- /dev/null
+++ b/whitelist
@@ -0,0 +1,4 @@
+nelo2-col.linecorp.com          # LINE APP message sending, blocked by AdGuard
+mailgun.org                     # Email links
+topcashbackdigitalsolutions.com # topcashback
+ipdata.co                       # IP geolocation api