configure encrypted dns

2024-11-24 22:29:33 +01:00 · 2024-10-07 12:47:50 +02:00 · 2024-10-07 12:47:50 +02:00 · b8337cd7bf
commit b8337cd7bf
parent dcda81fe98
1 changed files with 38 additions and 2 deletions
--- a/modules/dns.nix
+++ b/modules/dns.nix
@ -13,8 +13,10 @@

  # Encrypted, anonymized DNS queries.
  #
-  # NixOS networking options: https://nixos.wiki/wiki/Encrypted_DNS#Setting_nameservers
-  # Exmaple dnscrypt-proxy config: https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
+  # NixOS networking options:
+  #   https://nixos.wiki/wiki/Encrypted_DNS#Setting_nameservers
+  # Exmaple dnscrypt-proxy config:
+  #   https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
  # NixOS config examples:
  #   https://nixos.wiki/wiki/Encrypted_DNS#dnscrypt-proxy2
  #   https://github.com/LudovicoPiero/dotfiles/blob/338b0585d195e6644df9bf8b63fd574af7c18e26/cells/workstations/nixosProfiles/dnscrypt2/default.nix
@ -33,6 +35,10 @@
  #     don't use adguard and ffmuc DNS servers
  #     Firefox use system DNS

+  # TODO Does not work on some WiFi netowrks, e.g. Fritz!Box Guest WiFi
+  # https://docs.pi-hole.net/routers/fritzbox/
+  #   The Fritz!Box always sets its own IP as DNS server for the guest network.
+
  networking.nameservers = [
    # IPv4
    "127.0.0.1"
@ -71,6 +77,36 @@
      # Only enable if you don't have a lot of network load.
      #dnscrypt_ephemeral_keys = false

+      # The cipher suite can't be changed for TLS 1.3 connections, see
+      #   https://github.com/dnscrypt/dnscrypt-proxy/wiki/Performance#cipher-suites-doh
+      #   https://github.com/DNSCrypt/dnscrypt-proxy/issues/2359#issuecomment-1488501839
+      #tls_cipher_suite = ...
+
+      bootstrap_resolvers = [
+        #
+        # Local DNS servers
+        #
+
+        # DNS server of Fritz!Box guest WiFi
+        "192.168.179.1:53"
+
+        #
+        # Public DNS servers
+        #
+
+        # https://www.kuketz-blog.de/empfehlungsecke/#dns
+        # dot.ffmuc.net (supports DNSSEC)
+       "5.1.66.255:53" "185.150.99.255:53"
+        # https://www.kuketz-blog.de/empfehlungsecke/#dns
+        # unfiltered.adguard-dns.com (supports DNSSEC)
+       "94.140.14.140:853" "94.140.14.141:853"
+
+        "9.9.9.11:53" # Quad9
+        "1.1.1.1:53" # Cloudflare
+        "8.8.8.8:53" # Google
+
+      ];
+
      # Use servers reachable over IPv4.
      ipv4_servers = true;
      # Use servers reachable over IPv6.