Update config and add ordering

2025-09-01 10:09:11 +00:00 · 2020-04-21 15:02:17 +02:00 · 2020-04-21 15:02:17 +02:00 · e262ad1db9
commit e262ad1db9
parent f78dd18869
5 changed files with 181 additions and 68 deletions
--- a/Gopkg.lock
+++ b/Gopkg.lock
@ -41,6 +41,14 @@
  revision = "78b5fff24e6df8886ef8eca9411f683a884349a5"
  version = "v0.4.1"

+[[projects]]
+  digest = "1:0deddd908b6b4b768cfc272c16ee61e7088a60f7fe2f06c547bd3d8e1f8b8e77"
+  name = "github.com/davecgh/go-spew"
+  packages = ["spew"]
+  pruneopts = ""
+  revision = "8991bc29aa16c548c550c7ff78260e27b9ab7c73"
+  version = "v1.1.1"
+
 [[projects]]
  digest = "1:b6581f9180e0f2d5549280d71819ab951db9d511478c87daca95669589d505c0"
  name = "github.com/go-ole/go-ole"
@ -120,6 +128,14 @@
  revision = "2905694a1b00c5574f1418a7dbf8a22a7d247559"
  version = "v1.3.1"

+[[projects]]
+  digest = "1:256484dbbcd271f9ecebc6795b2df8cad4c458dd0f5fd82a8c2fa0c29f233411"
+  name = "github.com/pmezard/go-difflib"
+  packages = ["difflib"]
+  pruneopts = ""
+  revision = "792786c7400a136282c1664665ae0a8db921c6c2"
+  version = "v1.0.0"
+
 [[projects]]
  digest = "1:7f569d906bdd20d906b606415b7d794f798f91a62fcfb6a4daa6d50690fb7a3f"
  name = "github.com/satori/go.uuid"
@ -166,6 +182,14 @@
  revision = "298182f68c66c05229eb03ac171abe6e309ee79a"
  version = "v1.0.3"

+[[projects]]
+  digest = "1:cc4eb6813da8d08694e557fcafae8fcc24f47f61a0717f952da130ca9a486dfc"
+  name = "github.com/stretchr/testify"
+  packages = ["assert"]
+  pruneopts = ""
+  revision = "3ebf1ddaeb260c4b1ae502a01c7844fa8c1fa0e9"
+  version = "v1.5.1"
+
 [[projects]]
  branch = "master"
  digest = "1:86e6712cfd4070a2120c03fcec41cfcbbc51813504a74e28d74479edfaf669ee"
@ -259,6 +283,14 @@
  revision = "342b2e1fbaa52c93f31447ad2c6abc048c63e475"
  version = "v0.3.2"

+[[projects]]
+  digest = "1:2efc9662a6a1ff28c65c84fc2f9030f13d3afecdb2ecad445f3b0c80e75fc281"
+  name = "gopkg.in/yaml.v2"
+  packages = ["."]
+  pruneopts = ""
+  revision = "53403b58ad1b561927d19068c655246f2db79d48"
+  version = "v2.2.8"
+
 [solve-meta]
  analyzer-name = "dep"
  analyzer-version = 1
@ -278,6 +310,7 @@
    "github.com/satori/go.uuid",
    "github.com/shirou/gopsutil/process",
    "github.com/spf13/cobra",
+    "github.com/stretchr/testify/assert",
    "github.com/tevino/abool",
    "github.com/umahmood/haversine",
    "golang.org/x/net/icmp",
--- a/firewall/config.go
+++ b/firewall/config.go
@ -8,11 +8,13 @@ import (
 var (
 	CfgOptionEnableFilterKey = "filter/enable"

-	CfgOptionPermanentVerdictsKey = "filter/permanentVerdicts"
-	permanentVerdicts             config.BoolOption
+	CfgOptionPromptTimeoutKey   = "filter/promptTimeout"
+	CfgOptionPromptTimeoutOrder = 2
+	promptTimeout               config.IntOption

-	CfgOptionPromptTimeoutKey = "filter/promptTimeout"
-	promptTimeout             config.IntOption
+	CfgOptionPermanentVerdictsKey   = "filter/permanentVerdicts"
+	CfgOptionPermanentVerdictsOrder = 128
+	permanentVerdicts               config.BoolOption

 	devMode          config.BoolOption
 	apiListenAddress config.StringOption
@ -23,6 +25,7 @@ func registerConfig() error {
 		Name:           "Permanent Verdicts",
 		Key:            CfgOptionPermanentVerdictsKey,
 		Description:    "With permanent verdicts, control of a connection is fully handed back to the OS after the initial decision. This brings a great performance increase, but makes it impossible to change the decision of a link later on.",
+		Order:          CfgOptionPermanentVerdictsOrder,
 		OptType:        config.OptTypeBool,
 		ExpertiseLevel: config.ExpertiseLevelExpert,
 		ReleaseLevel:   config.ReleaseLevelExperimental,
@ -37,6 +40,7 @@ func registerConfig() error {
 		Name:           "Timeout for prompt notifications",
 		Key:            CfgOptionPromptTimeoutKey,
 		Description:    "Amount of time how long Portmaster will wait for a response when prompting about a connection via a notification. In seconds.",
+		Order:          CfgOptionPromptTimeoutOrder,
 		OptType:        config.OptTypeInt,
 		ExpertiseLevel: config.ExpertiseLevelUser,
 		ReleaseLevel:   config.ReleaseLevelBeta,
--- a/profile/config.go
+++ b/profile/config.go
@ -12,53 +12,75 @@ var (
 	cfgIntOptions         = make(map[string]config.IntOption)
 	cfgBoolOptions        = make(map[string]config.BoolOption)

-	CfgOptionDefaultActionKey = "filter/defaultAction"
-	cfgOptionDefaultAction    config.StringOption
+	// Enable Filter Order = 0

-	CfgOptionDisableAutoPermitKey = "filter/disableAutoPermit"
-	cfgOptionDisableAutoPermit    config.IntOption // security level option
+	CfgOptionDefaultActionKey   = "filter/defaultAction"
+	cfgOptionDefaultAction      config.StringOption
+	cfgOptionDefaultActionOrder = 1

-	CfgOptionEndpointsKey = "filter/endpoints"
-	cfgOptionEndpoints    config.StringArrayOption
+	// Prompt Timeout Order = 2

-	CfgOptionServiceEndpointsKey = "filter/serviceEndpoints"
-	cfgOptionServiceEndpoints    config.StringArrayOption
+	CfgOptionBlockScopeInternetKey   = "filter/blockInternet"
+	cfgOptionBlockScopeInternet      config.IntOption // security level option
+	cfgOptionBlockScopeInternetOrder = 16

-	CfgOptionFilterListKey = "filter/lists"
-	cfgOptionFilterLists   config.StringArrayOption
+	CfgOptionBlockScopeLANKey   = "filter/blockLAN"
+	cfgOptionBlockScopeLAN      config.IntOption // security level option
+	cfgOptionBlockScopeLANOrder = 17

-	CfgOptionFilterSubDomainsKey = "filter/includeSubdomains"
-	cfgOptionFilterSubDomains    config.IntOption // security level option
+	CfgOptionBlockScopeLocalKey   = "filter/blockLocal"
+	cfgOptionBlockScopeLocal      config.IntOption // security level option
+	cfgOptionBlockScopeLocalOrder = 18

-	CfgOptionFilterCNAMEKey = "filter/includeCNAMEs"
-	cfgOptionFilterCNAME    config.IntOption // security level option
+	CfgOptionBlockP2PKey   = "filter/blockP2P"
+	cfgOptionBlockP2P      config.IntOption // security level option
+	cfgOptionBlockP2POrder = 19

-	CfgOptionBlockScopeLocalKey = "filter/blockLocal"
-	cfgOptionBlockScopeLocal    config.IntOption // security level option
+	CfgOptionBlockInboundKey   = "filter/blockInbound"
+	cfgOptionBlockInbound      config.IntOption // security level option
+	cfgOptionBlockInboundOrder = 20

-	CfgOptionBlockScopeLANKey = "filter/blockLAN"
-	cfgOptionBlockScopeLAN    config.IntOption // security level option
+	CfgOptionEndpointsKey   = "filter/endpoints"
+	cfgOptionEndpoints      config.StringArrayOption
+	cfgOptionEndpointsOrder = 32

-	CfgOptionBlockScopeInternetKey = "filter/blockInternet"
-	cfgOptionBlockScopeInternet    config.IntOption // security level option
+	CfgOptionServiceEndpointsKey   = "filter/serviceEndpoints"
+	cfgOptionServiceEndpoints      config.StringArrayOption
+	cfgOptionServiceEndpointsOrder = 33

-	CfgOptionBlockP2PKey = "filter/blockP2P"
-	cfgOptionBlockP2P    config.IntOption // security level option
+	CfgOptionPreventBypassingKey   = "filter/preventBypassing"
+	cfgOptionPreventBypassing      config.IntOption // security level option
+	cfgOptionPreventBypassingOrder = 48

-	CfgOptionBlockInboundKey = "filter/blockInbound"
-	cfgOptionBlockInbound    config.IntOption // security level option
+	CfgOptionFilterListsKey   = "filter/lists"
+	cfgOptionFilterLists      config.StringArrayOption
+	cfgOptionFilterListsOrder = 64

-	CfgOptionEnforceSPNKey = "filter/enforceSPN"
-	cfgOptionEnforceSPN    config.IntOption // security level option
+	CfgOptionFilterSubDomainsKey   = "filter/includeSubdomains"
+	cfgOptionFilterSubDomains      config.IntOption // security level option
+	cfgOptionFilterSubDomainsOrder = 65

-	CfgOptionRemoveOutOfScopeDNSKey = "filter/removeOutOfScopeDNS"
-	cfgOptionRemoveOutOfScopeDNS    config.IntOption // security level option
+	CfgOptionFilterCNAMEKey   = "filter/includeCNAMEs"
+	cfgOptionFilterCNAME      config.IntOption // security level option
+	cfgOptionFilterCNAMEOrder = 66

-	CfgOptionRemoveBlockedDNSKey = "filter/removeBlockedDNS"
-	cfgOptionRemoveBlockedDNS    config.IntOption // security level option
+	CfgOptionDisableAutoPermitKey   = "filter/disableAutoPermit"
+	cfgOptionDisableAutoPermit      config.IntOption // security level option
+	cfgOptionDisableAutoPermitOrder = 80

-	CfgOptionPreventBypassingKey = "filter/preventBypassing"
-	cfgOptionPreventBypassing    config.IntOption // security level option
+	CfgOptionEnforceSPNKey   = "filter/enforceSPN"
+	cfgOptionEnforceSPN      config.IntOption // security level option
+	cfgOptionEnforceSPNOrder = 96
+
+	CfgOptionRemoveOutOfScopeDNSKey   = "filter/removeOutOfScopeDNS"
+	cfgOptionRemoveOutOfScopeDNS      config.IntOption // security level option
+	cfgOptionRemoveOutOfScopeDNSOrder = 112
+
+	CfgOptionRemoveBlockedDNSKey   = "filter/removeBlockedDNS"
+	cfgOptionRemoveBlockedDNS      config.IntOption // security level option
+	cfgOptionRemoveBlockedDNSOrder = 113
+
+	// Permanent Verdicts Order = 128
 )

 func registerConfiguration() error {
@ -70,6 +92,7 @@ func registerConfiguration() error {
 		Name:            "Default Filter Action",
 		Key:             CfgOptionDefaultActionKey,
 		Description:     `The default filter action when nothing else permits or blocks a connection.`,
+		Order:           cfgOptionDefaultActionOrder,
 		OptType:         config.OptTypeString,
 		DefaultValue:    "permit",
 		ExternalOptType: "string list",
@ -86,6 +109,7 @@ func registerConfiguration() error {
 		Name:            "Disable Auto Permit",
 		Key:             CfgOptionDisableAutoPermitKey,
 		Description:     "Auto Permit searches for a relation between an app and the destionation of a connection - if there is a correlation, the connection will be permitted. This setting is negated in order to provide a streamlined user experience, where higher settings are better.",
+		Order:           cfgOptionDisableAutoPermitOrder,
 		OptType:         config.OptTypeInt,
 		ExternalOptType: "security level",
 		DefaultValue:    status.SecurityLevelsAll,
@ -121,6 +145,7 @@ Examples:
 	+ .example.com */HTTP
 	- .example.com
 	+ 192.168.0.1/24`,
+		Order:           cfgOptionEndpointsOrder,
 		OptType:         config.OptTypeStringArray,
 		DefaultValue:    []string{},
 		ExternalOptType: "endpoint list",
@ -156,6 +181,7 @@ Examples:
 	+ .example.com */HTTP
 	- .example.com
 	+ 192.168.0.1/24`,
+		Order:           cfgOptionServiceEndpointsOrder,
 		OptType:         config.OptTypeStringArray,
 		DefaultValue:    []string{},
 		ExternalOptType: "endpoint list",
@ -170,8 +196,9 @@ Examples:
 	// Filter list IDs
 	err = config.Register(&config.Option{
 		Name:            "Filter List",
-		Key:             CfgOptionFilterListKey,
+		Key:             CfgOptionFilterListsKey,
 		Description:     "Filter connections by matching the endpoint against configured filterlists",
+		Order:           cfgOptionFilterListsOrder,
 		OptType:         config.OptTypeStringArray,
 		DefaultValue:    []string{"TRAC", "MAL"},
 		ExternalOptType: "filter list",
@ -180,14 +207,15 @@ Examples:
 	if err != nil {
 		return err
 	}
-	cfgOptionFilterLists = config.Concurrent.GetAsStringArray(CfgOptionFilterListKey, []string{})
-	cfgStringArrayOptions[CfgOptionFilterListKey] = cfgOptionFilterLists
+	cfgOptionFilterLists = config.Concurrent.GetAsStringArray(CfgOptionFilterListsKey, []string{})
+	cfgStringArrayOptions[CfgOptionFilterListsKey] = cfgOptionFilterLists

 	// Include CNAMEs
 	err = config.Register(&config.Option{
 		Name:            "Filter CNAMEs",
 		Key:             CfgOptionFilterCNAMEKey,
 		Description:     "Also filter requests where a CNAME would be blocked",
+		Order:           cfgOptionFilterCNAMEOrder,
 		OptType:         config.OptTypeInt,
 		ExternalOptType: "security level",
 		DefaultValue:    status.SecurityLevelsAll,
@ -205,6 +233,7 @@ Examples:
 		Name:            "Filter SubDomains",
 		Key:             CfgOptionFilterSubDomainsKey,
 		Description:     "Also filter sub-domains if a parent domain is blocked by a filter list",
+		Order:           cfgOptionFilterSubDomainsOrder,
 		OptType:         config.OptTypeInt,
 		ExternalOptType: "security level",
 		DefaultValue:    status.SecurityLevelOff,
@ -221,6 +250,7 @@ Examples:
 		Name:            "Block Scope Local",
 		Key:             CfgOptionBlockScopeLocalKey,
 		Description:     "Block connections to your own device, ie. localhost.",
+		Order:           cfgOptionBlockScopeLocalOrder,
 		OptType:         config.OptTypeInt,
 		ExternalOptType: "security level",
 		DefaultValue:    status.SecurityLevelOff,
@ -237,6 +267,7 @@ Examples:
 		Name:            "Block Scope LAN",
 		Key:             CfgOptionBlockScopeLANKey,
 		Description:     "Block connections to the Local Area Network.",
+		Order:           cfgOptionBlockScopeLANOrder,
 		OptType:         config.OptTypeInt,
 		ExternalOptType: "security level",
 		DefaultValue:    status.SecurityLevelOff,
@ -253,6 +284,7 @@ Examples:
 		Name:            "Block Scope Internet",
 		Key:             CfgOptionBlockScopeInternetKey,
 		Description:     "Block connections to the Internet.",
+		Order:           cfgOptionBlockScopeInternetOrder,
 		OptType:         config.OptTypeInt,
 		ExternalOptType: "security level",
 		DefaultValue:    status.SecurityLevelOff,
@ -269,6 +301,7 @@ Examples:
 		Name:            "Block Peer to Peer Connections",
 		Key:             CfgOptionBlockP2PKey,
 		Description:     "Block peer to peer connections. These are connections that are established directly to an IP address on the Internet without resolving a domain name via DNS first.",
+		Order:           cfgOptionBlockP2POrder,
 		OptType:         config.OptTypeInt,
 		ExternalOptType: "security level",
 		DefaultValue:    status.SecurityLevelsAll,
@ -285,6 +318,7 @@ Examples:
 		Name:            "Block Inbound Connections",
 		Key:             CfgOptionBlockInboundKey,
 		Description:     "Block inbound connections to your device. This will usually only be the case if you are running a network service or are using peer to peer software.",
+		Order:           cfgOptionBlockInboundOrder,
 		OptType:         config.OptTypeInt,
 		ExternalOptType: "security level",
 		DefaultValue:    status.SecurityLevelsHighAndExtreme,
@ -301,6 +335,7 @@ Examples:
 		Name:            "Enforce SPN",
 		Key:             CfgOptionEnforceSPNKey,
 		Description:     "This setting enforces connections to be routed over the SPN. If this is not possible for any reason, connections will be blocked.",
+		Order:           cfgOptionEnforceSPNOrder,
 		OptType:         config.OptTypeInt,
 		ReleaseLevel:    config.ReleaseLevelExperimental,
 		ExternalOptType: "security level",
@ -318,6 +353,7 @@ Examples:
 		Name:            "Filter Out-of-Scope DNS Records",
 		Key:             CfgOptionRemoveOutOfScopeDNSKey,
 		Description:     "Filter DNS answers that are outside of the scope of the server. A server on the public Internet may not respond with a private LAN address.",
+		Order:           cfgOptionRemoveOutOfScopeDNSOrder,
 		OptType:         config.OptTypeInt,
 		ExpertiseLevel:  config.ExpertiseLevelExpert,
 		ReleaseLevel:    config.ReleaseLevelBeta,
@ -336,6 +372,7 @@ Examples:
 		Name:            "Filter DNS Records that would be blocked",
 		Key:             CfgOptionRemoveBlockedDNSKey,
 		Description:     "Pre-filter DNS answers that an application would not be allowed to connect to.",
+		Order:           cfgOptionRemoveBlockedDNSOrder,
 		OptType:         config.OptTypeInt,
 		ExpertiseLevel:  config.ExpertiseLevelExpert,
 		ReleaseLevel:    config.ReleaseLevelBeta,
@ -353,6 +390,7 @@ Examples:
 		Name:            "Prevent Bypassing",
 		Key:             CfgOptionPreventBypassingKey,
 		Description:     "Prevent apps from bypassing the privacy filter: Firefox by disabling DNS-over-HTTPs",
+		Order:           cfgOptionPreventBypassingOrder,
 		OptType:         config.OptTypeInt,
 		ExpertiseLevel:  config.ExpertiseLevelUser,
 		ReleaseLevel:    config.ReleaseLevelBeta,
--- a/profile/profile.go
+++ b/profile/profile.go
@ -143,7 +143,7 @@ func (profile *Profile) parseConfig() error {
 		}
 	}

-	list, ok = profile.configPerspective.GetAsStringArray(CfgOptionFilterListKey)
+	list, ok = profile.configPerspective.GetAsStringArray(CfgOptionFilterListsKey)
 	if ok {
 		profile.filterListIDs, err = filterlists.ResolveListIDs(list)
 		if err != nil {
--- a/resolver/config.go
+++ b/resolver/config.go
@ -22,28 +22,28 @@ var (
 		// - Available logging data may not be used against the user, ie. unethically.

 		// Sadly, only a few services come close to fulfilling these requirements.
-		// For now, we have settled for two bigger and well known services: Cloudflare and Quad9.
+		// For now, we have settled for two bigger and well known services: Quad9 and Cloudflare.
 		// TODO: monitor situation and re-evaluate when new services become available
 		// TODO: explore other methods of making queries more private

 		// We encourage everyone who has the technical abilities to set their own preferred servers.

-		// Default 1: Cloudflare
-		"dot://1.1.1.1:853?verify=cloudflare-dns.com&name=Cloudflare&blockedif=zeroip", // Cloudflare
-		"dot://1.0.0.1:853?verify=cloudflare-dns.com&name=Cloudflare&blockedif=zeroip", // Cloudflare
-
-		// Default 2: Quad9
+		// Default 1: Quad9
 		"dot://9.9.9.9:853?verify=dns.quad9.net&name=Quad9&blockedif=empty",         // Quad9
 		"dot://149.112.112.112:853?verify=dns.quad9.net&name=Quad9&blockedif=empty", // Quad9

-		// Fallback 1: Cloudflare
-		"dns://1.1.1.1:53?name=Cloudflare&blockedif=zeroip", // Cloudflare
-		"dns://1.0.0.1:53?name=Cloudflare&blockedif=zeroip", // Cloudflare
+		// Default 2: Cloudflare
+		"dot://1.1.1.2:853?verify=cloudflare-dns.com&name=Cloudflare&blockedif=zeroip", // Cloudflare
+		"dot://1.0.0.2:853?verify=cloudflare-dns.com&name=Cloudflare&blockedif=zeroip", // Cloudflare

-		// Fallback 2: Quad9
+		// Fallback 1: Quad9
 		"dns://9.9.9.9:53?name=Quad9&blockedif=empty",         // Quad9
 		"dns://149.112.112.112:53?name=Quad9&blockedif=empty", // Quad9

+		// Fallback 2: Cloudflare
+		"dns://1.1.1.2:53?name=Cloudflare&blockedif=zeroip", // Cloudflare
+		"dns://1.0.0.2:53?name=Cloudflare&blockedif=zeroip", // Cloudflare
+
 		// supported parameters
 		// - `verify=domain`: verify domain (dot only)
 		// future parameters:
@ -55,38 +55,70 @@ var (
 		//	- `zeroip`: Answer only contains zeroip
 	}

-	CfgOptionNameServersKey = "dns/nameservers"
-	configuredNameServers   config.StringArrayOption
+	CfgOptionNameServersKey   = "dns/nameservers"
+	configuredNameServers     config.StringArrayOption
+	cfgOptionNameServersOrder = 0

-	CfgOptionNameserverRetryRateKey = "dns/nameserverRetryRate"
-	nameserverRetryRate             config.IntOption
+	CfgOptionNoAssignedNameserversKey   = "dns/noAssignedNameservers"
+	noAssignedNameservers               status.SecurityLevelOption
+	cfgOptionNoAssignedNameserversOrder = 1

-	CfgOptionNoMulticastDNSKey = "dns/noMulticastDNS"
-	noMulticastDNS             status.SecurityLevelOption
+	CfgOptionNoMulticastDNSKey   = "dns/noMulticastDNS"
+	noMulticastDNS               status.SecurityLevelOption
+	cfgOptionNoMulticastDNSOrder = 2

-	CfgOptionNoAssignedNameserversKey = "dns/noAssignedNameservers"
-	noAssignedNameservers             status.SecurityLevelOption
+	CfgOptionNoInsecureProtocolsKey   = "dns/noInsecureProtocols"
+	noInsecureProtocols               status.SecurityLevelOption
+	cfgOptionNoInsecureProtocolsOrder = 3

-	CfgOptionNoInsecureProtocolsKey = "dns/noInsecureProtocols"
-	noInsecureProtocols             status.SecurityLevelOption
+	CfgOptionDontResolveSpecialDomainsKey   = "dns/dontResolveSpecialDomains"
+	dontResolveSpecialDomains               status.SecurityLevelOption
+	cfgOptionDontResolveSpecialDomainsOrder = 16

-	CfgOptionDontResolveSpecialDomainsKey = "dns/dontResolveSpecialDomains"
-	dontResolveSpecialDomains             status.SecurityLevelOption
+	CfgOptionDontResolveTestDomainsKey   = "dns/dontResolveTestDomains"
+	dontResolveTestDomains               status.SecurityLevelOption
+	cfgOptionDontResolveTestDomainsOrder = 17

-	CfgOptionDontResolveTestDomainsKey = "dns/dontResolveTestDomains"
-	dontResolveTestDomains             status.SecurityLevelOption
+	CfgOptionNameserverRetryRateKey   = "dns/nameserverRetryRate"
+	nameserverRetryRate               config.IntOption
+	cfgOptionNameserverRetryRateOrder = 32
 )

 func prepConfig() error {
 	err := config.Register(&config.Option{
-		Name:            "DNS Servers",
-		Key:             CfgOptionNameServersKey,
-		Description:     "DNS Servers to use for resolving DNS requests.",
+		Name:        "DNS Servers",
+		Key:         CfgOptionNameServersKey,
+		Description: "DNS Servers to use for resolving DNS requests.",
+		Help: `Format:
+
+DNS Servers are configured in a URL format. This allows you to specify special settings for a resolver. If you just want to use a resolver at IP 10.2.3.4, please enter: dns://10.2.3.4:53
+The format is: protocol://ip:port?parameter=value&parameter=value
+
+Protocols:
+	dot: DNS-over-TLS (recommended)
+	dns: plain old DNS
+	tcp: plain old DNS over TCP
+
+IP:
+	always use the IP address and _not_ the domain name!
+
+Port:
+	always add the port!
+
+Parameters:
+	name: give your DNS Server a name that is used for messages and logs
+	verify: domain name to verify for "dot", required and only valid for "dot"
+	blockedif: detect if the name server blocks a query, options:
+		empty: server replies with NXDomain status, but without any other record in any section
+		refused: server replies with Refused status
+		zeroip: server replies with an IP address, but it is zero
+`,
+		Order:           cfgOptionNameServersOrder,
 		OptType:         config.OptTypeStringArray,
 		ExpertiseLevel:  config.ExpertiseLevelExpert,
 		ReleaseLevel:    config.ReleaseLevelStable,
 		DefaultValue:    defaultNameServers,
-		ValidationRegex: "^(dns|dot|tls)://.*",
+		ValidationRegex: fmt.Sprintf("^(%s|%s|%s)://.*", ServerTypeDoT, ServerTypeDNS, ServerTypeTCP),
 	})
 	if err != nil {
 		return err
@ -97,6 +129,7 @@ func prepConfig() error {
 		Name:           "DNS Server Retry Rate",
 		Key:            CfgOptionNameserverRetryRateKey,
 		Description:    "Rate at which to retry failed DNS Servers, in seconds.",
+		Order:          cfgOptionNameserverRetryRateOrder,
 		OptType:        config.OptTypeInt,
 		ExpertiseLevel: config.ExpertiseLevelExpert,
 		ReleaseLevel:   config.ReleaseLevelStable,
@ -111,6 +144,7 @@ func prepConfig() error {
 		Name:            "Do not use Multicast DNS",
 		Key:             CfgOptionNoMulticastDNSKey,
 		Description:     "Multicast DNS queries other devices in the local network",
+		Order:           cfgOptionNoMulticastDNSOrder,
 		OptType:         config.OptTypeInt,
 		ExpertiseLevel:  config.ExpertiseLevelExpert,
 		ReleaseLevel:    config.ReleaseLevelStable,
@ -127,6 +161,7 @@ func prepConfig() error {
 		Name:            "Do not use assigned Nameservers",
 		Key:             CfgOptionNoAssignedNameserversKey,
 		Description:     "that were acquired by the network (dhcp) or system",
+		Order:           cfgOptionNoAssignedNameserversOrder,
 		OptType:         config.OptTypeInt,
 		ExpertiseLevel:  config.ExpertiseLevelExpert,
 		ReleaseLevel:    config.ReleaseLevelStable,
@ -143,6 +178,7 @@ func prepConfig() error {
 		Name:            "Do not resolve insecurely",
 		Key:             CfgOptionNoInsecureProtocolsKey,
 		Description:     "Do not resolve domains with insecure protocols, ie. plain DNS",
+		Order:           cfgOptionNoInsecureProtocolsOrder,
 		OptType:         config.OptTypeInt,
 		ExpertiseLevel:  config.ExpertiseLevelExpert,
 		ReleaseLevel:    config.ReleaseLevelStable,
@ -159,6 +195,7 @@ func prepConfig() error {
 		Name:            "Do not resolve special domains",
 		Key:             CfgOptionDontResolveSpecialDomainsKey,
 		Description:     fmt.Sprintf("Do not resolve the special top level domains %s", formatScopeList(specialServiceScopes)),
+		Order:           cfgOptionDontResolveSpecialDomainsOrder,
 		OptType:         config.OptTypeInt,
 		ExpertiseLevel:  config.ExpertiseLevelExpert,
 		ReleaseLevel:    config.ReleaseLevelStable,
@ -175,6 +212,7 @@ func prepConfig() error {
 		Name:            "Do not resolve test domains",
 		Key:             CfgOptionDontResolveTestDomainsKey,
 		Description:     fmt.Sprintf("Do not resolve the special testing top level domains %s", formatScopeList(localTestScopes)),
+		Order:           cfgOptionDontResolveTestDomainsOrder,
 		OptType:         config.OptTypeInt,
 		ExpertiseLevel:  config.ExpertiseLevelExpert,
 		ReleaseLevel:    config.ReleaseLevelStable,