fix: working encrypted dns in restricted networks

This commit is contained in:
Daniel Langbein 2024-10-07 20:04:28 +02:00
parent b4d85c519d
commit 28959d7c3c
Signed by: langfingaz
GPG Key ID: 6C47C753F0823002
2 changed files with 32 additions and 8 deletions


@ -46,6 +46,7 @@
../../modules/firefox.nix ../../modules/firefox.nix
../../modules/thunderbird.nix ../../modules/thunderbird.nix
../../modules/tor-browser.nix ../../modules/tor-browser.nix
../../modules/tor.nix
#../../modules/digikam-rawtherapee-hugin-gimp.nix #../../modules/digikam-rawtherapee-hugin-gimp.nix
../../modules/freetube.nix ../../modules/freetube.nix
../../modules/ghostwriter.nix ../../modules/ghostwriter.nix


@ -26,6 +26,13 @@
# #
# Check if it is working # Check if it is working
# https://wiki.archlinux.org/title/Dnscrypt-proxy#Check_if_dnscrypt-proxy_is_working # https://wiki.archlinux.org/title/Dnscrypt-proxy#Check_if_dnscrypt-proxy_is_working
#
# View generated config file:
# cat "$(systemctl show -P FragmentPath dnscrypt-proxy2.service)" | grep 'ExecStart='
# cat ....toml
# Example: Running c in a container and routhing dnscrypt-proxy queries through it
# https://github.com/AtaraxiaSjel/nixos-config/blob/3510d178bafeb5d742806d25d5c6c34570c498e8/profiles/workspace/proxy.nix
# TODO # TODO
# create new config option # create new config option
@ -35,10 +42,6 @@
# don't use adguard and ffmuc DNS servers # don't use adguard and ffmuc DNS servers
# Firefox use system DNS # Firefox use system DNS
# TODO Does not work on some WiFi netowrks, e.g. Fritz!Box Guest WiFi
# https://docs.pi-hole.net/routers/fritzbox/
# The Fritz!Box always sets its own IP as DNS server for the guest network.
networking.nameservers = [ networking.nameservers = [
# IPv4 # IPv4
"127.0.0.1" "127.0.0.1"
@ -67,9 +70,6 @@
enable = true; enable = true;
settings = { settings = {
#listen_addresses = ['127.0.0.1:53']; #listen_addresses = ['127.0.0.1:53'];
# This can be useful if you need to route everything through Tor.
# Otherwise, leave this to `false`.
force_tcp = false;
# Enable a DNS cache to reduce latency and outgoing traffic # Enable a DNS cache to reduce latency and outgoing traffic
cache = true; cache = true;
# DNSCrypt: Create a new, unique key for every single DNS query. # DNSCrypt: Create a new, unique key for every single DNS query.
@ -214,6 +214,29 @@
# Skip resolvers incompatible with anonymization instead of using them directly. # Skip resolvers incompatible with anonymization instead of using them directly.
skip_incompatible = true; skip_incompatible = true;
}; };
};
# As this dict is converted to JSON, we can't use `proxy = lib.mkIf (...) "socks5://127.0.0.1:9050"` inside it - it won't be evaluated.
# Instead, we merge it with another dict below:
} // (
# On some networks dnscrypt-proxy can't resove DNS queries.
#
# Example: Fritz!Box Guest WiFi
# https://docs.pi-hole.net/routers/fritzbox/
# The Fritz!Box always sets its own IP as DNS server for the guest network.
#
# Solution: Proxy dnscrypt-proxy through Tor
# - Currently, we have this enabled.
# - The latency of DNS queries is higher than without Tor - at about 130ms.
if config.services.tor.torsocks.enable
then {
# Route all TCP connections to a local Tor node.
# As Tor doesn't support UDP, `force_tcp` has to be set to `true`.
proxy = "socks5://127.0.0.1:9050";
# This can be useful if you need to route everything through Tor.
# Otherwise, leave this to `false`.
force_tcp = true;
} else {}
);
}; };
} }
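Review bot: The two comment lines above `force_tcp = true;` in the last hunk were carried over from the removed block and now contradict the value they annotate, since this branch is only taken when Tor is in use and the comment still tells the reader to leave it at false; replace them with `# Tor only carries TCP, so dnscrypt-proxy must not fall back to UDP in this branch.` The SOCKS endpoint is hard-coded to `127.0.0.1:9050` while the condition checks only `config.services.tor.torsocks.enable`, so a host with torsocks enabled but a differently configured or disabled Tor client would leave dnscrypt-proxy pointing at a dead socket; gating on `config.services.tor.client.enable` and building the address from `config.services.tor.client.socksListenAddress` would presumably keep the two in step and is worth confirming against the tor module. The attribute set that this `// (...)` merge extends begins before the hunk, so the shape of the merged settings cannot be fully checked here. The added comments also carry two typos, `routhing` in the first hunk and `resove` in the last.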