From 42f0bcdfa3a17d5c7a3b8f69daec9941416c0577 Mon Sep 17 00:00:00 2001
From: "Casper V. Kristensen"
Date: Mon, 1 Apr 2024 01:11:23 +0200
Subject: [PATCH] replace systemd-resolved with unbound

Resolved seems to crash on some DNSSEC-enabled NXDOMANs??
---
 modules/base/network.nix | 50 +++++++++++++++++++++++-----------------
 1 file changed, 29 insertions(+), 21 deletions(-)

diff --git a/modules/base/network.nix b/modules/base/network.nix
index b8560ee..806de2b 100644
--- a/modules/base/network.nix
+++ b/modules/base/network.nix
@@ -1,4 +1,4 @@
-{...}: {
+{lib, ...}: {
  # https://nixos.wiki/wiki/Networking
  # https://nixos.wiki/wiki/Systemd-networkd
@@ -10,7 +10,7 @@
  # Do not spam dmesg/journalctl with refused connections
  logRefusedConnections = false;
  };
- nameservers = ["127.0.0.53"]; # resolved stub resolver
+ nameservers = ["127.0.0.1"]; # unbound
  search = ["caspervk.net"];
  };
@@ -19,26 +19,34 @@
  networking.useNetworkd = true;
  systemd.network.enable = true;
- # systemd-resolved provides DNS resolution to local applications through
- # D-Bus, NSS, and a local stub resolver on 127.0.0.53. It implements caching
- # and DNSSEC validation. We configure it to only, and always, use
- # dns.caspervk.net over TLS. By the way, it's surprisingly hard to get the
- # system to always follow the custom DNS servers rather than the
- # DHCP-provided ones. Check the traffic with:
- # sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
- # https://nixos.wiki/wiki/Encrypted_DNS
- # https://nixos.wiki/wiki/Systemd-resolved
- services.resolved = {
+ # Force-disable the systemd-resolved stub resolver, which is enabled
+ # automatically in some cases, such as when enabling systemd-networkd.
+ services.resolved.enable = lib.mkForce false;
+
+ # Unbound provides DNS resolution to local applications on 127.0.0.1. It
+ # enables caching and DNSSEC validation by default. We configure it to only,
+ # and always, use dns.caspervk.net over TLS.
+ # By the way, it's surprisingly hard to get the system to always follow the
+ # custom DNS servers rather than the DHCP-provided ones. Check the traffic
+ # with: sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
+ # https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html
+ services.unbound = {
  enable = true;
- dnssec = "true";
- # Resolved falls back to DNS servers operated by American internet
- # surveillance and adtech companies by default. No thanks, I'd rather have
- # no DNS at all.
- fallbackDns = ["159.69.4.2#dns.caspervk.net" "2a01:4f8:1c0c:70d1::1#dns.caspervk.net"];
- extraConfig = ''
- DNS=159.69.4.2#dns.caspervk.net 2a01:4f8:1c0c:70d1::1#dns.caspervk.net
- DNSOverTLS=yes
- '';
+ settings = {
+ server = {
+ interface = ["127.0.0.1" "::1"];
+ };
+ forward-zone = [
+ {
+ name = ".";
+ forward-addr = [
+ "159.69.4.2#dns.caspervk.net"
+ "2a01:4f8:1c0c:70d1::1#dns.caspervk.net"
+ ];
+ forward-tls-upstream = "yes";
+ }
+ ];
+ };
  };
  # TCP BBR has significantly increased throughput and reduced latency. Note
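Review bot: The `#dns.caspervk.net` auth name on `forward-addr` together with `forward-tls-upstream = "yes"` only authenticates the upstream certificate if unbound also has a CA store configured (`tls-cert-bundle`, or `tls-system-cert`); as I read the unbound.conf manual, without one the connection is encrypted but the server identity is not verified, so an on-path resolver could still answer. The NixOS unbound module may already set `tls-cert-bundle` by default, but nothing in this hunk pins it, so I would add `tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";` to `server` next to `interface` and confirm with `unbound-checkconf` or by pointing the auth name at a deliberately wrong hostname and checking that resolution fails. A one-line comment such as `# the auth name after '#' is only checked when tls-cert-bundle is set` above `forward-addr` would keep that dependency visible. The new comment block's claim that DNSSEC validation is enabled by default likewise rests on the module's root trust-anchor handling rather than on anything in this hunk; naming that source in the comment would help the next reader.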