From 557cdc8cb4c902767d76a1bc9e6a0591157f9652 Mon Sep 17 00:00:00 2001
From: "Casper V. Kristensen"
Date: Fri, 5 Apr 2024 01:07:48 +0200
Subject: [PATCH] proper systemd-resolved dns

---
 modules/base/network.nix | 36 ++++++++++++++++++++++++------------
 modules/desktop/network.nix | 2 +-
 2 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/modules/base/network.nix b/modules/base/network.nix
index b8560ee..96be7c9 100644
--- a/modules/base/network.nix
+++ b/modules/base/network.nix
@@ -1,4 +1,4 @@
-{...}: {
+{config, ...}: {
   # https://nixos.wiki/wiki/Networking
   # https://nixos.wiki/wiki/Systemd-networkd
@@ -10,7 +10,7 @@
       # Do not spam dmesg/journalctl with refused connections
       logRefusedConnections = false;
     };
-    nameservers = ["127.0.0.53"]; # resolved stub resolver
+    nameservers = ["159.69.4.2#dns.caspervk.net" "2a01:4f8:1c0c:70d1::1#dns.caspervk.net"];
     search = ["caspervk.net"];
   };
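Review bot: The new `nameservers` line uses systemd-resolved's `address#hostname` server syntax, but `networking.nameservers` is a generic NixOS option that other resolv.conf writers also read, and nothing on the line says that the `#dns.caspervk.net` suffix is the name the TLS certificate is checked against once the strict `dnsovertls` setting in the next hunk applies. If `services.resolved` were ever disabled, a resolvconf-generated /etc/resolv.conf would carry an entry it cannot parse, and any lookups that did get through would reach these addresses on plain port 53, outside the DNS-over-TLS path. I would add above the line: `# systemd-resolved server syntax: the #hostname is used for SNI and certificate validation in strict DNS-over-TLS mode; only valid while services.resolved is enabled`. As far as I can tell from this hunk, the NixOS resolved module is what turns this list into resolved's `DNS=` setting in place of the removed `extraConfig`; worth confirming against the option docs.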
@@ -22,23 +22,35 @@
   # systemd-resolved provides DNS resolution to local applications through
   # D-Bus, NSS, and a local stub resolver on 127.0.0.53. It implements caching
   # and DNSSEC validation. We configure it to only, and always, use
-  # dns.caspervk.net over TLS. By the way, it's surprisingly hard to get the
-  # system to always follow the custom DNS servers rather than the
-  # DHCP-provided ones. Check the traffic with:
-  # sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
+  # dns.caspervk.net over TLS.
+  # NOTE: It's surprisingly hard to get the system to always follow the custom
+  # DNS servers rather than the DHCP-provided ones. Check the traffic with:
+  # > sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
+  # or
+  # > sudo resolvectl log-level debug
+  # > sudo journalctl -fu systemd-resolved.service
   # https://nixos.wiki/wiki/Encrypted_DNS
   # https://nixos.wiki/wiki/Systemd-resolved
   services.resolved = {
     enable = true;
-    dnssec = "true";
+    dnsovertls = "true";
+    # TODO: DNSSEC support in systemd-resolved is considered experimental and
+    # incomplete. Upstream will validate for us anyway, and we trust it.
+    # https://wiki.archlinux.org/title/systemd-resolved#DNSSEC
+    dnssec = "false";
+    # 'Domains' is used for two distinct purposes; first, any domains *not*
+    # prefixed with '~' are used as search suffixes when resolving single-label
+    # hostnames into FQDNs. The NixOS default is to set this to
+    # `config.networking.search`, which we maintain. Second, domains prefixed
+    # with '~' ("route-only domains") define a search path that preferably
+    # directs DNS queries to this interface. The '~.' construct use the DNS
+    # servers defined here preferably for the root (all) domain(s).
+    # https://man.archlinux.org/man/resolved.conf.5
+    domains = config.networking.search ++ ["~."];
     # Resolved falls back to DNS servers operated by American internet
     # surveillance and adtech companies by default. No thanks, I'd rather have
     # no DNS at all.
-    fallbackDns = ["159.69.4.2#dns.caspervk.net" "2a01:4f8:1c0c:70d1::1#dns.caspervk.net"];
-    extraConfig = ''
-      DNS=159.69.4.2#dns.caspervk.net 2a01:4f8:1c0c:70d1::1#dns.caspervk.net
-      DNSOverTLS=yes
-    '';
+    fallbackDns = config.networking.nameservers;
   };
   # TCP BBR has significantly increased throughput and reduced latency. Note
diff --git a/modules/desktop/network.nix b/modules/desktop/network.nix
index e46d08c..ba920fe 100644
--- a/modules/desktop/network.nix
+++ b/modules/desktop/network.nix
@@ -4,7 +4,7 @@
     # Instead, we enable NetworkManager and the nmtui interface.
     networkmanager = {
       enable = true;
-      dns = lib.mkForce "none";
+      dns = lib.mkForce "none"; # see modules/base/network.nix
     };
   };
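Review bot: The new `domains` comment ends with "the DNS servers defined here", but after this hunk no servers are defined inside `services.resolved` at all: the `DNS=` line in `extraConfig` is removed and the servers now come from `networking.nameservers`, which is also reused for `fallbackDns`. A reader of this block alone cannot see what `dnsovertls = "true"` (strict mode) applies to, nor that in strict mode a server without TLS on port 853, or presenting a certificate not valid for its `#hostname`, produces a hard resolution failure rather than a silent downgrade to plaintext. I would change the last sentence of that comment to `# servers from networking.nameservers (resolved's DNS=) preferably for the root (all) domain(s).` and add above `dnsovertls`: `# Strict mode: every server in networking.nameservers must speak TLS on 853 with a certificate valid for its #hostname; there is no plaintext fallback.` The `dnssec = "false"` TODO could also note that the trust placed in the upstream rests on that certificate check, so the two settings should be revisited together.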