m2kar · December 8, 2024 13:29
diff --git a/smartdns.conf b/smartdns.conf
 # 权衡DNS劫持和速度的方案，使用了国内外的doh+dot作为上游

 bind [::]:53
 bind-tcp [::]:53


 # china

 #默认组
 server-https https://223.6.6.6/dns-query
 server-https https://dns.alidns.com/dns-query
 server-tls dns.alidns.com
 server-https https://doh.pub/dns-query
 server-tls dot.pub
 server-https https://doh.360.cn/dns-query
 server-tls dot.360.cn

 # oversea
 server https://doh.apad.pro/dns-query
 server tls://8.8.8.8:853
 server tls://8.8.4.4:853
 server https://doh.dns.sb/dns-query
 server https://dns.cloudflare.com/dns-query
 server https://dns.twnic.tw/dns-query

 # speedcheck
 speed-check-mode tcp:443,tcp:80,ping

 # cache
 cache-persist yes
 prefetch-domain yes
 serve-expired yes
 serve-expired-ttl 259200
 serve-expired-reply-ttl 3

 # prefetch-domain yes
 # serve-expired-prefetch-time 21600
 cache-checkpoint-time 86400

 # log
 log-level info
 # log-level debug
 log-file /var/log/smartdns/smartdns.log
 log-size 128k
 log-num 2

 # dns server name, default is host name
 # server-name, 
 # example:
 #   server-name smartdns
 #

 # whether resolv local hostname to ip address
 # resolv-hostname yes

 # dns server run user
 # user [username]
 # example: run as nobody
 #   user nobody
 #

 # Include another configuration options
 # conf-file [file]
 # conf-file blacklist-ip.conf

 # dns server bind ip and port, default dns server port is 53, support binding multi ip and port
 # bind udp server
 #   bind [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
 # bind tcp server
 #   bind-tcp [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
 # bind tls server
 #   bind-tls [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
 #   bind-cert-key-file [path to file]
 #      tls private key file
 #   bind-cert-file [path to file]
 #      tls cert file
 #   bind-cert-key-pass [password]
 #      tls private key password
 # option:
 #   -group: set domain request to use the appropriate server group.
 #   -no-rule-addr: skip address rule.
 #   -no-rule-nameserver: skip nameserver rule.
 #   -no-rule-ipset: skip ipset rule or nftset rule.
 #   -no-speed-check: do not check speed.
 #   -no-cache: skip cache.
 #   -no-rule-soa: Skip address SOA(#) rules.
 #   -no-dualstack-selection: Disable dualstack ip selection.
 #   -force-aaaa-soa: force AAAA query return SOA.
 #   -set-mark: set mark on packets.
 # example: 
 #  IPV4: 
 #    bind :53
 #    bind :53@eth0
 #    bind :6053 -group office -no-speed-check
 #  IPV6:
 #    bind [::]:53
 #    bind [::]:53@eth0
 #    bind-tcp [::]:53
 # bind [::]:53

 # tcp connection idle timeout
 # tcp-idle-time [second]

 # dns cache size
 # cache-size [number]
 #   0: for no cache
 # cache-size 32768

 # enable persist cache when restart
 # cache-persist no

 # cache persist file
 # cache-file /tmp/smartdns.cache

 # prefetch domain
 # prefetch-domain [yes|no]
 # prefetch-domain yes

 # cache serve expired 
 # serve-expired [yes|no]
 # serve-expired yes

 # cache serve expired TTL
 # serve-expired-ttl [num]
 # serve-expired-ttl 0

 # reply TTL value to use when replying with expired data
 # serve-expired-reply-ttl [num]
 # serve-expired-reply-ttl 30

 # List of hosts that supply bogus NX domain results 
 # bogus-nxdomain [ip/subnet]

 # List of IPs that will be filtered when nameserver is configured -blacklist-ip parameter
 # blacklist-ip [ip/subnet]

 # List of IPs that will be accepted when nameserver is configured -whitelist-ip parameter
 # whitelist-ip [ip/subnet]

 # List of IPs that will be ignored
 # ignore-ip [ip/subnet]

 # speed check mode
 # speed-check-mode [ping|tcp:port|none|,]
 # example:
 #   speed-check-mode ping,tcp:80,tcp:443
 #   speed-check-mode tcp:443,ping
 #   speed-check-mode none

 # force AAAA query return SOA
 # force-AAAA-SOA [yes|no]

 # force specific qtype return soa
 # force-qtype-SOA [qtypeid |...]
 # force-qtype-SOA 65 28
 force-qtype-SOA 65

 # Enable IPV4, IPV6 dual stack IP optimization selection strategy
 # dualstack-ip-selection-threshold [num] (0~1000)
 # dualstack-ip-allow-force-AAAA [yes|no]
 # dualstack-ip-selection [yes|no]
 # dualstack-ip-selection no

 # edns client subnet
 # edns-client-subnet [ip/subnet]
 # edns-client-subnet 192.168.1.1/24
 # edns-client-subnet 8::8/56

 # ttl for all resource record
 # rr-ttl: ttl for all record
 # rr-ttl-min: minimum ttl for resource record
 # rr-ttl-max: maximum ttl for resource record
 # rr-ttl-reply-max: maximum reply ttl for resource record
 # example:
 # rr-ttl 300
 # rr-ttl-min 60
 # rr-ttl-max 86400
 # rr-ttl-reply-max 60

 # Maximum number of IPs returned to the client|8|number of IPs, 1~16
 # example:
 # max-reply-ip-num 1

 # response mode
 # Experimental feature
 # response-mode [first-ping|fastest-ip|fastest-response]

 # set log level
 # log-level: [level], level=fatal, error, warn, notice, info, debug
 # log-file: file path of log file.
 # log-console [yes|no]: output log to console.
 # log-size: size of each log file, support k,m,g
 # log-num: number of logs, 0 means disable log
 # log-level info

 # log-file /var/log/smartdns/smartdns.log
 # log-size 128k
 # log-num 2
 # log-file-mode [mode]: file mode of log file.

 # dns audit
 # audit-enable [yes|no]: enable or disable audit.
 # audit-enable yes
 # audit-SOA [yes|no]: enable or disable log soa result.
 # audit-size size of each audit file, support k,m,g
 # audit-file /var/log/smartdns-audit.log
 # audit-console [yes|no]: output audit log to console.
 # audit-file-mode [mode]: file mode of audit file.
 # audit-size 128k
 # audit-num 2

 # Support reading dnsmasq dhcp file to resolve local hostname
 # dnsmasq-lease-file /var/lib/misc/dnsmasq.leases

 # certificate file
 # ca-file [file]
 # ca-file /etc/ssl/certs/ca-certificates.crt

 # certificate path
 # ca-path [path]
 # ca-path /etc/ss/certs

 # remote udp dns server list
 # server [IP]:[PORT]|URL [-blacklist-ip] [-whitelist-ip] [-check-edns] [-group [group] ...] [-exclude-default-group]
 # default port is 53
 #   -blacklist-ip: filter result with blacklist ip
 #   -whitelist-ip: filter result with whitelist ip,  result in whitelist-ip will be accepted.
 #   -check-edns: result must exist edns RR, or discard result.
 #   -group [group]: set server to group, use with nameserver /domain/group.
 #   -exclude-default-group: exclude this server from default group.
 #   -proxy [proxy-name]: use proxy to connect to server.
 #   -bootstrap-dns: set as bootstrap dns server.
 # server 8.8.8.8 -blacklist-ip -check-edns -group g1 -group g2
 # server tls://dns.google:853 
 # server https://dns.google/dns-query

 # remote tcp dns server list
 # server-tcp [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-group [group] ...] [-exclude-default-group]
 # default port is 53
 # server-tcp 8.8.8.8

 # remote tls dns server list
 # server-tls [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
 #   -spki-pin: TLS spki pin to verify.
 #   -tls-host-verify: cert hostname to verify.
 #   -host-name: TLS sni hostname.
 #   -no-check-certificate: no check certificate.
 #   -proxy [proxy-name]: use proxy to connect to server.
 #   -bootstrap-dns: set as bootstrap dns server.
 # Get SPKI with this command:
 #    echo | openssl s_client -connect '[ip]:853' | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
 # default port is 853
 # server-tls 8.8.8.8
 # server-tls 1.0.0.1

 # remote https dns server list
 # server-https https://[host]:[port]/path [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
 #   -spki-pin: TLS spki pin to verify.
 #   -tls-host-verify: cert hostname to verify.
 #   -host-name: TLS sni hostname.
 #   -http-host: http host.
 #   -no-check-certificate: no check certificate.
 #   -proxy [proxy-name]: use proxy to connect to server.
 #   -bootstrap-dns: set as bootstrap dns server.
 # default port is 443
 # server-https https://cloudflare-dns.com/dns-query

 # socks5 and http proxy list
 # proxy-server URL -name [proxy name]
 #   URL: socks5://[username:password@]host:port
 #        http://[username:password@]host:port
 #   -name: proxy name, use with server -proxy [proxy-name]
 # example:
 #   proxy-server socks5://user:[email protected]:1080 -name proxy
 #   proxy-server http://user:[email protected]:3128 -name proxy

 # specific nameserver to domain
 # nameserver /domain/[group|-]
 # nameserver /www.example.com/office, Set the domain name to use the appropriate server group.
 # nameserver /www.example.com/-, ignore this domain

 # specific address to domain
 # address /domain/[ip|-|-4|-6|#|#4|#6]
 # address /www.example.com/1.2.3.4, return ip 1.2.3.4 to client
 # address /www.example.com/-, ignore address, query from upstream, suffix 4, for ipv4, 6 for ipv6, none for all
 # address /www.example.com/#, return SOA to client, suffix 4, for ipv4, 6 for ipv6, none for all

 # specific cname to domain
 # cname /domain/target

 # enalbe DNS64 feature
 # dns64 [ip/subnet]
 # dns64 64:ff9b::/96

 # enable ipset timeout by ttl feature
 # ipset-timeout [yes]

 # specific ipset to domain
 # ipset /domain/[ipset|-]
 # ipset /www.example.com/block, set ipset with ipset name of block 
 # ipset /www.example.com/-, ignore this domain

 # add to ipset when ping is unreachable
 # ipset-no-speed ipsetname
 # ipset-no-speed pass

 # enable nftset timeout by ttl feature
 # nftset-timeout [yes|no]
 # nftset-timeout yes

 # add to nftset when ping is unreachable
 # nftset-no-speed [#4:ip#table#set,#6:ipv6#table#setv6]
 # nftset-no-speed #4:ip#table#set

 # enable nftset debug, check nftset setting result, output log when error.
 # nftset-debug [yes|no]
 # nftset-debug yes

 # specific nftset to domain
 # nftset /domain/[#4:ip#table#set,#6:ipv6#table#setv6]
 # nftset /www.example.com/ip#table#set, equivalent to 'nft add element ip table set { ... }'
 # nftset /www.example.com/-, ignore this domain
 # nftset /www.example.com/#6:-, ignore ipv6

 # set domain rules
 # domain-rules /domain/ [-speed-check-mode [...]]
 # rules:
 #   [-c] -speed-check-mode [mode]: speed check mode
 #                             speed-check-mode [ping|tcp:port|none|,]
 #   [-a] -address [address|-]: same as address option
 #   [-n] -nameserver [group|-]: same as nameserver option
 #   [-p] -ipset [ipset|-]: same as ipset option
 #   [-t] -nftset [nftset|-]: same as nftset option
 #   [-d] -dualstack-ip-selection [yes|no]: same as dualstack-ip-selection option
 #   -no-serve-expired: ignore expired domain
 #   -delete: delete domain rule

 # collection of domains 
 # the domain-set can be used with /domain/ for address, nameserver, ipset, etc.
 # domain-set -name [set-name] -type list -file [/path/to/file]
 #   [-n] -name [set name]: domain set name
 #   [-t] -type [list]: domain set type, list only now
 #   [-f] -file [path/to/set]: file path of domain set
 # 
 # example:
 # domain-set -name domain-list -type list -file /etc/smartdns/domain-list.conf
 # address /domain-set:domain-list/1.2.3.4
 # nameserver /domain-set:domain-list/server-group
 # ipset /domain-set:domain-list/ipset
 # domain-rules /domain-set:domain-list/ -speed-check-mode ping
	# 权衡DNS劫持和速度的方案，使用了国内外的doh+dot作为上游

	bind [::]:53
	bind-tcp [::]:53


	# china

	#默认组
	server-https https://223.6.6.6/dns-query
	server-https https://dns.alidns.com/dns-query
	server-tls dns.alidns.com
	server-https https://doh.pub/dns-query
	server-tls dot.pub
	server-https https://doh.360.cn/dns-query
	server-tls dot.360.cn

	# oversea
	server https://doh.apad.pro/dns-query
	server tls://8.8.8.8:853
	server tls://8.8.4.4:853
	server https://doh.dns.sb/dns-query
	server https://dns.cloudflare.com/dns-query
	server https://dns.twnic.tw/dns-query

	# speedcheck
	speed-check-mode tcp:443,tcp:80,ping

	# cache
	cache-persist yes
	prefetch-domain yes
	serve-expired yes
	serve-expired-ttl 259200
	serve-expired-reply-ttl 3

	# prefetch-domain yes
	# serve-expired-prefetch-time 21600
	cache-checkpoint-time 86400

	# log
	log-level info
	# log-level debug
	log-file /var/log/smartdns/smartdns.log
	log-size 128k
	log-num 2

	# dns server name, default is host name
	# server-name,
	# example:
	# server-name smartdns
	#

	# whether resolv local hostname to ip address
	# resolv-hostname yes

	# dns server run user
	# user [username]
	# example: run as nobody
	# user nobody
	#

	# Include another configuration options
	# conf-file [file]
	# conf-file blacklist-ip.conf

	# dns server bind ip and port, default dns server port is 53, support binding multi ip and port
	# bind udp server
	# bind [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
	# bind tcp server
	# bind-tcp [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
	# bind tls server
	# bind-tls [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
	# bind-cert-key-file [path to file]
	# tls private key file
	# bind-cert-file [path to file]
	# tls cert file
	# bind-cert-key-pass [password]
	# tls private key password
	# option:
	# -group: set domain request to use the appropriate server group.
	# -no-rule-addr: skip address rule.
	# -no-rule-nameserver: skip nameserver rule.
	# -no-rule-ipset: skip ipset rule or nftset rule.
	# -no-speed-check: do not check speed.
	# -no-cache: skip cache.
	# -no-rule-soa: Skip address SOA(#) rules.
	# -no-dualstack-selection: Disable dualstack ip selection.
	# -force-aaaa-soa: force AAAA query return SOA.
	# -set-mark: set mark on packets.
	# example:
	# IPV4:
	# bind :53
	# bind :53@eth0
	# bind :6053 -group office -no-speed-check
	# IPV6:
	# bind [::]:53
	# bind [::]:53@eth0
	# bind-tcp [::]:53
	# bind [::]:53

	# tcp connection idle timeout
	# tcp-idle-time [second]

	# dns cache size
	# cache-size [number]
	# 0: for no cache
	# cache-size 32768

	# enable persist cache when restart
	# cache-persist no

	# cache persist file
	# cache-file /tmp/smartdns.cache

	# prefetch domain
	# prefetch-domain [yes\|no]
	# prefetch-domain yes

	# cache serve expired
	# serve-expired [yes\|no]
	# serve-expired yes

	# cache serve expired TTL
	# serve-expired-ttl [num]
	# serve-expired-ttl 0

	# reply TTL value to use when replying with expired data
	# serve-expired-reply-ttl [num]
	# serve-expired-reply-ttl 30

	# List of hosts that supply bogus NX domain results
	# bogus-nxdomain [ip/subnet]

	# List of IPs that will be filtered when nameserver is configured -blacklist-ip parameter
	# blacklist-ip [ip/subnet]

	# List of IPs that will be accepted when nameserver is configured -whitelist-ip parameter
	# whitelist-ip [ip/subnet]

	# List of IPs that will be ignored
	# ignore-ip [ip/subnet]

	# speed check mode
	# speed-check-mode [ping\|tcp:port\|none\|,]
	# example:
	# speed-check-mode ping,tcp:80,tcp:443
	# speed-check-mode tcp:443,ping
	# speed-check-mode none

	# force AAAA query return SOA
	# force-AAAA-SOA [yes\|no]

	# force specific qtype return soa
	# force-qtype-SOA [qtypeid \|...]
	# force-qtype-SOA 65 28
	force-qtype-SOA 65

	# Enable IPV4, IPV6 dual stack IP optimization selection strategy
	# dualstack-ip-selection-threshold [num] (0~1000)
	# dualstack-ip-allow-force-AAAA [yes\|no]
	# dualstack-ip-selection [yes\|no]
	# dualstack-ip-selection no

	# edns client subnet
	# edns-client-subnet [ip/subnet]
	# edns-client-subnet 192.168.1.1/24
	# edns-client-subnet 8::8/56

	# ttl for all resource record
	# rr-ttl: ttl for all record
	# rr-ttl-min: minimum ttl for resource record
	# rr-ttl-max: maximum ttl for resource record
	# rr-ttl-reply-max: maximum reply ttl for resource record
	# example:
	# rr-ttl 300
	# rr-ttl-min 60
	# rr-ttl-max 86400
	# rr-ttl-reply-max 60

	# Maximum number of IPs returned to the client\|8\|number of IPs, 1~16
	# example:
	# max-reply-ip-num 1

	# response mode
	# Experimental feature
	# response-mode [first-ping\|fastest-ip\|fastest-response]

	# set log level
	# log-level: [level], level=fatal, error, warn, notice, info, debug
	# log-file: file path of log file.
	# log-console [yes\|no]: output log to console.
	# log-size: size of each log file, support k,m,g
	# log-num: number of logs, 0 means disable log
	# log-level info

	# log-file /var/log/smartdns/smartdns.log
	# log-size 128k
	# log-num 2
	# log-file-mode [mode]: file mode of log file.

	# dns audit
	# audit-enable [yes\|no]: enable or disable audit.
	# audit-enable yes
	# audit-SOA [yes\|no]: enable or disable log soa result.
	# audit-size size of each audit file, support k,m,g
	# audit-file /var/log/smartdns-audit.log
	# audit-console [yes\|no]: output audit log to console.
	# audit-file-mode [mode]: file mode of audit file.
	# audit-size 128k
	# audit-num 2

	# Support reading dnsmasq dhcp file to resolve local hostname
	# dnsmasq-lease-file /var/lib/misc/dnsmasq.leases

	# certificate file
	# ca-file [file]
	# ca-file /etc/ssl/certs/ca-certificates.crt

	# certificate path
	# ca-path [path]
	# ca-path /etc/ss/certs

	# remote udp dns server list
	# server [IP]:[PORT]\|URL [-blacklist-ip] [-whitelist-ip] [-check-edns] [-group [group] ...] [-exclude-default-group]
	# default port is 53
	# -blacklist-ip: filter result with blacklist ip
	# -whitelist-ip: filter result with whitelist ip, result in whitelist-ip will be accepted.
	# -check-edns: result must exist edns RR, or discard result.
	# -group [group]: set server to group, use with nameserver /domain/group.
	# -exclude-default-group: exclude this server from default group.
	# -proxy [proxy-name]: use proxy to connect to server.
	# -bootstrap-dns: set as bootstrap dns server.
	# server 8.8.8.8 -blacklist-ip -check-edns -group g1 -group g2
	# server tls://dns.google:853
	# server https://dns.google/dns-query

	# remote tcp dns server list
	# server-tcp [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-group [group] ...] [-exclude-default-group]
	# default port is 53
	# server-tcp 8.8.8.8

	# remote tls dns server list
	# server-tls [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
	# -spki-pin: TLS spki pin to verify.
	# -tls-host-verify: cert hostname to verify.
	# -host-name: TLS sni hostname.
	# -no-check-certificate: no check certificate.
	# -proxy [proxy-name]: use proxy to connect to server.
	# -bootstrap-dns: set as bootstrap dns server.
	# Get SPKI with this command:
	# echo \| openssl s_client -connect '[ip]:853' \| openssl x509 -pubkey -noout \| openssl pkey -pubin -outform der \| openssl dgst -sha256 -binary \| openssl enc -base64
	# default port is 853
	# server-tls 8.8.8.8
	# server-tls 1.0.0.1

	# remote https dns server list
	# server-https https://[host]:[port]/path [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
	# -spki-pin: TLS spki pin to verify.
	# -tls-host-verify: cert hostname to verify.
	# -host-name: TLS sni hostname.
	# -http-host: http host.
	# -no-check-certificate: no check certificate.
	# -proxy [proxy-name]: use proxy to connect to server.
	# -bootstrap-dns: set as bootstrap dns server.
	# default port is 443
	# server-https https://cloudflare-dns.com/dns-query

	# socks5 and http proxy list
	# proxy-server URL -name [proxy name]
	# URL: socks5://[username:password@]host:port
	# http://[username:password@]host:port
	# -name: proxy name, use with server -proxy [proxy-name]
	# example:
	# proxy-server socks5://user:[email protected]:1080 -name proxy
	# proxy-server http://user:[email protected]:3128 -name proxy

	# specific nameserver to domain
	# nameserver /domain/[group\|-]
	# nameserver /www.example.com/office, Set the domain name to use the appropriate server group.
	# nameserver /www.example.com/-, ignore this domain

	# specific address to domain
	# address /domain/[ip\|-\|-4\|-6\|#\|#4\|#6]
	# address /www.example.com/1.2.3.4, return ip 1.2.3.4 to client
	# address /www.example.com/-, ignore address, query from upstream, suffix 4, for ipv4, 6 for ipv6, none for all
	# address /www.example.com/#, return SOA to client, suffix 4, for ipv4, 6 for ipv6, none for all

	# specific cname to domain
	# cname /domain/target

	# enalbe DNS64 feature
	# dns64 [ip/subnet]
	# dns64 64:ff9b::/96

	# enable ipset timeout by ttl feature
	# ipset-timeout [yes]

	# specific ipset to domain
	# ipset /domain/[ipset\|-]
	# ipset /www.example.com/block, set ipset with ipset name of block
	# ipset /www.example.com/-, ignore this domain

	# add to ipset when ping is unreachable
	# ipset-no-speed ipsetname
	# ipset-no-speed pass

	# enable nftset timeout by ttl feature
	# nftset-timeout [yes\|no]
	# nftset-timeout yes

	# add to nftset when ping is unreachable
	# nftset-no-speed [#4:ip#table#set,#6:ipv6#table#setv6]
	# nftset-no-speed #4:ip#table#set

	# enable nftset debug, check nftset setting result, output log when error.
	# nftset-debug [yes\|no]
	# nftset-debug yes

	# specific nftset to domain
	# nftset /domain/[#4:ip#table#set,#6:ipv6#table#setv6]
	# nftset /www.example.com/ip#table#set, equivalent to 'nft add element ip table set { ... }'
	# nftset /www.example.com/-, ignore this domain
	# nftset /www.example.com/#6:-, ignore ipv6

	# set domain rules
	# domain-rules /domain/ [-speed-check-mode [...]]
	# rules:
	# [-c] -speed-check-mode [mode]: speed check mode
	# speed-check-mode [ping\|tcp:port\|none\|,]
	# [-a] -address [address\|-]: same as address option
	# [-n] -nameserver [group\|-]: same as nameserver option
	# [-p] -ipset [ipset\|-]: same as ipset option
	# [-t] -nftset [nftset\|-]: same as nftset option
	# [-d] -dualstack-ip-selection [yes\|no]: same as dualstack-ip-selection option
	# -no-serve-expired: ignore expired domain
	# -delete: delete domain rule

	# collection of domains
	# the domain-set can be used with /domain/ for address, nameserver, ipset, etc.
	# domain-set -name [set-name] -type list -file [/path/to/file]
	# [-n] -name [set name]: domain set name
	# [-t] -type [list]: domain set type, list only now
	# [-f] -file [path/to/set]: file path of domain set
	#
	# example:
	# domain-set -name domain-list -type list -file /etc/smartdns/domain-list.conf
	# address /domain-set:domain-list/1.2.3.4
	# nameserver /domain-set:domain-list/server-group
	# ipset /domain-set:domain-list/ipset
	# domain-rules /domain-set:domain-list/ -speed-check-mode ping