From b8337cd7bfc29a38a151c1df0db992e08ddbf2a7 Mon Sep 17 00:00:00 2001
From: Daniel Langbein
Date: Mon, 7 Oct 2024 12:47:50 +0200
Subject: [PATCH] configure encrypted dns
---
 modules/dns.nix | 40 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)
diff --git a/modules/dns.nix b/modules/dns.nix
index 0a8ddb4..7f62a6f 100644
--- a/modules/dns.nix
+++ b/modules/dns.nix
@@ -13,8 +13,10 @@
 # Encrypted, anonymized DNS queries.
 #
- # NixOS networking options: https://nixos.wiki/wiki/Encrypted_DNS#Setting_nameservers
- # Exmaple dnscrypt-proxy config: https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
+ # NixOS networking options:
+ # https://nixos.wiki/wiki/Encrypted_DNS#Setting_nameservers
+ # Exmaple dnscrypt-proxy config:
+ # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
 # NixOS config examples:
 # https://nixos.wiki/wiki/Encrypted_DNS#dnscrypt-proxy2
 # https://github.com/LudovicoPiero/dotfiles/blob/338b0585d195e6644df9bf8b63fd574af7c18e26/cells/workstations/nixosProfiles/dnscrypt2/default.nix
@@ -33,6 +35,10 @@
 # don't use adguard and ffmuc DNS servers
 # Firefox use system DNS
+ # TODO Does not work on some WiFi netowrks, e.g. Fritz!Box Guest WiFi
+ # https://docs.pi-hole.net/routers/fritzbox/
+ # The Fritz!Box always sets its own IP as DNS server for the guest network.
+
 networking.nameservers = [
 # IPv4
 "127.0.0.1"
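Review bot: The reflowed comment in the @@ -13 hunk carries the typo `Exmaple` onto the new side; since the line is being rewritten anyway, make it `# Example dnscrypt-proxy config:`. The TODO added in the @@ -33 hunk has the same kind of slip, `netowrks` for `networks`. That TODO also describes the symptom (guest Wi-Fi forces the router's own DNS) without saying what the user sees, so one more clause such as `# ... so queries to 127.0.0.1 never reach the encrypted upstreams there` would make the note actionable; I can only infer that failure mode from the surrounding context, so word it to match what you actually observed.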
@@ -71,6 +77,36 @@ # Only enable if you don't have a lot of network load. #dnscrypt_ephemeral_keys = false + # The cipher suite can't be changed for TLS 1.3 connections, see + # https://github.com/dnscrypt/dnscrypt-proxy/wiki/Performance#cipher-suites-doh + # https://github.com/DNSCrypt/dnscrypt-proxy/issues/2359#issuecomment-1488501839 + #tls_cipher_suite = ... + + bootstrap_resolvers = [ + # + # Local DNS servers + # + + # DNS server of Fritz!Box guest WiFi + "192.168.179.1:53" + + # + # Public DNS servers + # + + # https://www.kuketz-blog.de/empfehlungsecke/#dns + # dot.ffmuc.net (supports DNSSEC) + "5.1.66.255:53" "185.150.99.255:53" + # https://www.kuketz-blog.de/empfehlungsecke/#dns + # unfiltered.adguard-dns.com (supports DNSSEC) + "94.140.14.140:853" "94.140.14.141:853" + + "9.9.9.11:53" # Quad9 + "1.1.1.1:53" # Cloudflare + "8.8.8.8:53" # Google + + ]; + # Use servers reachable over IPv4. ipv4_servers = true; # Use servers reachable over IPv6.
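Review bot: The two `unfiltered.adguard-dns.com` entries in `bootstrap_resolvers` use port 853 (`"94.140.14.140:853" "94.140.14.141:853"`), but as far as I know dnscrypt-proxy queries its bootstrap resolvers with plain DNS, so a DoT port will not answer and those entries should be `:53` or dropped. The list also contradicts the context comment `# don't use adguard and ffmuc DNS servers` that survives in the @@ -33 hunk; either update that comment or leave ffmuc/AdGuard out here so the file states one policy. Because bootstrap lookups are unencrypted and only resolve the hostnames of the encrypted upstreams, a comment above the list such as `# Plain DNS, used only to resolve the hostnames of the encrypted resolvers; not used for normal queries` would explain why this list differs from `networking.nameservers`. The hard-coded guest-network address `192.168.179.1:53` is unreachable on any other network, so the comment above it should say it is a Fritz!Box default that simply fails elsewhere; I cannot tell from the hunk how dnscrypt-proxy orders or times out bootstrap attempts, so confirm it does not delay startup on other networks.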