From 28959d7c3c6aff8d1309060ab7d24fd74224dc08 Mon Sep 17 00:00:00 2001
From: Daniel Langbein
Date: Mon, 7 Oct 2024 20:04:28 +0200
Subject: [PATCH] fix: working encrypted dns in restricted networks
---
 hosts/yodaTab/configuration.nix | 1 +
 modules/dns.nix | 39 ++++++++++++++++++++++++++-------
 2 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/hosts/yodaTab/configuration.nix b/hosts/yodaTab/configuration.nix
index 3087163..cd4e1d7 100644
--- a/hosts/yodaTab/configuration.nix
+++ b/hosts/yodaTab/configuration.nix
@@ -46,6 +46,7 @@
 ../../modules/firefox.nix
 ../../modules/thunderbird.nix
 ../../modules/tor-browser.nix
+ ../../modules/tor.nix
 #../../modules/digikam-rawtherapee-hugin-gimp.nix
 ../../modules/freetube.nix
 ../../modules/ghostwriter.nix
diff --git a/modules/dns.nix b/modules/dns.nix
index 7f62a6f..5796d53 100644
--- a/modules/dns.nix
+++ b/modules/dns.nix
@@ -26,6 +26,13 @@
 #
 # Check if it is working
 # https://wiki.archlinux.org/title/Dnscrypt-proxy#Check_if_dnscrypt-proxy_is_working
+ #
+ # View generated config file:
+ # cat "$(systemctl show -P FragmentPath dnscrypt-proxy2.service)" | grep 'ExecStart='
+ # cat ....toml
+
+ # Example: Running c in a container and routhing dnscrypt-proxy queries through it
+ # https://github.com/AtaraxiaSjel/nixos-config/blob/3510d178bafeb5d742806d25d5c6c34570c498e8/profiles/workspace/proxy.nix
 # TODO
 # create new config option
@@ -35,10 +42,6 @@
 # don't use adguard and ffmuc DNS servers
 # Firefox use system DNS
- # TODO Does not work on some WiFi netowrks, e.g. Fritz!Box Guest WiFi
- # https://docs.pi-hole.net/routers/fritzbox/
- # The Fritz!Box always sets its own IP as DNS server for the guest network.
-
 networking.nameservers = [
 # IPv4
 "127.0.0.1"
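Review bot: The new comment block in the `@@ -26,6 +26,13 @@` hunk of modules/dns.nix has a truncated word and a typo: `Running c in a container` reads as if a name was lost after "Running", and `routhing` should be `routing`; the `@@ -214` hunk has the same kind of slip in `can't resove DNS queries`. `# cat ....toml` is a placeholder that made it into the commit; either drop it or say what it stands for, e.g. `# cat <the .toml path printed after ExecStart=>`. The surrounding comment block and module attrset continue outside the hunk.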
@@ -67,9 +70,6 @@
 enable = true;
 settings = {
 #listen_addresses = ['127.0.0.1:53'];
- # This can be useful if you need to route everything through Tor.
- # Otherwise, leave this to `false`.
- force_tcp = false;
 # Enable a DNS cache to reduce latency and outgoing traffic
 cache = true;
 # DNSCrypt: Create a new, unique key for every single DNS query.
@@ -214,6 +214,29 @@
 # Skip resolvers incompatible with anonymization instead of using them directly.
 skip_incompatible = true;
 };
- };
+
+ # As this dict is converted to JSON, we can't use `proxy = lib.mkIf (...) "socks5://127.0.0.1:9050"` inside it - it won't be evaluated.
+ # Instead, we merge it with another dict below:
+ } // (
+ # On some networks dnscrypt-proxy can't resove DNS queries.
+ #
+ # Example: Fritz!Box Guest WiFi
+ # https://docs.pi-hole.net/routers/fritzbox/
+ # The Fritz!Box always sets its own IP as DNS server for the guest network.
+ #
+ # Solution: Proxy dnscrypt-proxy through Tor
+ # - Currently, we have this enabled.
+ # - The latency of DNS queries is higher than without Tor - at about 130ms.
+
+ if config.services.tor.torsocks.enable
+ then {
+ # Route all TCP connections to a local Tor node.
+ # As Tor doesn't support UDP, `force_tcp` has to be set to `true`.
+ proxy = "socks5://127.0.0.1:9050";
+ # This can be useful if you need to route everything through Tor.
+ # Otherwise, leave this to `false`.
+ force_tcp = true;
+ } else {}
+ );
 };
 }
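Review bot: The Tor branch in the `@@ -214,6 +214,29 @@` hunk is gated on `config.services.tor.torsocks.enable` but hard-codes `socks5://127.0.0.1:9050`, so when torsocks is enabled without a running local Tor client, or Tor listens on a non-default SocksPort, dnscrypt-proxy is pointed at a closed port and every lookup fails; the NixOS tor module exposes the listener via `services.tor.client.enable` and its address via `services.tor.torsocks.server`, so `if config.services.tor.client.enable then { proxy = "socks5://${config.services.tor.torsocks.server}"; force_tcp = true; } else {}` ties the two together (verify those option names against the nixpkgs revision in use). The lines `# This can be useful if you need to route everything through Tor.` and the `# Otherwise, leave this to ...` line after it were copied from the upstream sample config that the `@@ -67` hunk removes; next to a fixed `force_tcp = true;` inside the Tor-only branch they contradict the `# As Tor doesn't support UDP` line directly above, so drop them. `# - Currently, we have this enabled.` records host state inside a shared module — after this commit that state is decided by importing `modules/tor.nix` in hosts/yodaTab/configuration.nix, so the comment will drift; point at the switch instead, e.g. `# Enabled per host by importing modules/tor.nix.` The `settings` attrset that this `//` merge extends starts outside the hunk.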