proper systemd-resolved dns
This commit is contained in:
parent
8c777c4e33
commit
557cdc8cb4
@ -1,4 +1,4 @@
{...}: {
{config, ...}: {
# https://nixos.wiki/wiki/Networking
# https://nixos.wiki/wiki/Networking
# https://nixos.wiki/wiki/Systemd-networkd
# https://nixos.wiki/wiki/Systemd-networkd
@ -10,7 +10,7 @@
# Do not spam dmesg/journalctl with refused connections
# Do not spam dmesg/journalctl with refused connections
logRefusedConnections = false;
logRefusedConnections = false;
};
};
nameservers = ["127.0.0.53"]; # resolved stub resolver
nameservers = ["159.69.4.2#dns.caspervk.net" "2a01:4f8:1c0c:70d1::1#dns.caspervk.net"];
search = ["caspervk.net"];
search = ["caspervk.net"];
};
};
@ -22,23 +22,35 @@
# systemd-resolved provides DNS resolution to local applications through
# systemd-resolved provides DNS resolution to local applications through
# D-Bus, NSS, and a local stub resolver on 127.0.0.53. It implements caching
# D-Bus, NSS, and a local stub resolver on 127.0.0.53. It implements caching
# and DNSSEC validation. We configure it to only, and always, use
# and DNSSEC validation. We configure it to only, and always, use
# dns.caspervk.net over TLS. By the way, it's surprisingly hard to get the
# dns.caspervk.net over TLS.
# system to always follow the custom DNS servers rather than the
# NOTE: It's surprisingly hard to get the system to always follow the custom
# DHCP-provided ones. Check the traffic with:
# DNS servers rather than the DHCP-provided ones. Check the traffic with:
# sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
# > sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
# or
# > sudo resolvectl log-level debug
# > sudo journalctl -fu systemd-resolved.service
# https://nixos.wiki/wiki/Encrypted_DNS
# https://nixos.wiki/wiki/Encrypted_DNS
# https://nixos.wiki/wiki/Systemd-resolved
# https://nixos.wiki/wiki/Systemd-resolved
services.resolved = {
services.resolved = {
enable = true;
enable = true;
dnssec = "true";
dnsovertls = "true";
# TODO: DNSSEC support in systemd-resolved is considered experimental and
# incomplete. Upstream will validate for us anyway, and we trust it.
# https://wiki.archlinux.org/title/systemd-resolved#DNSSEC
dnssec = "false";
# 'Domains' is used for two distinct purposes; first, any domains *not*
# prefixed with '~' are used as search suffixes when resolving single-label
# hostnames into FQDNs. The NixOS default is to set this to
# `config.networking.search`, which we maintain. Second, domains prefixed
# with '~' ("route-only domains") define a search path that preferably
# directs DNS queries to this interface. The '~.' construct use the DNS
# servers defined here preferably for the root (all) domain(s).
# https://man.archlinux.org/man/resolved.conf.5
domains = config.networking.search ++ ["~."];
# Resolved falls back to DNS servers operated by American internet
# Resolved falls back to DNS servers operated by American internet
# surveillance and adtech companies by default. No thanks, I'd rather have
# surveillance and adtech companies by default. No thanks, I'd rather have
# no DNS at all.
# no DNS at all.
fallbackDns = ["159.69.4.2#dns.caspervk.net" "2a01:4f8:1c0c:70d1::1#dns.caspervk.net"];
fallbackDns = config.networking.nameservers;
extraConfig = ''
DNS=159.69.4.2#dns.caspervk.net 2a01:4f8:1c0c:70d1::1#dns.caspervk.net
DNSOverTLS=yes
'';
};
};
# TCP BBR has significantly increased throughput and reduced latency. Note
# TCP BBR has significantly increased throughput and reduced latency. Note
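Review bot: With `dnssec = "false"` added right after `dnsovertls = "true"` in this hunk, answer integrity now rests entirely on the strict DNS-over-TLS channel and the certificate check against the `#dns.caspervk.net` name carried on each `nameservers` entry, and the TODO comment should state that coupling so a later relaxation of `dnsovertls` to opportunistic mode is not made in isolation, e.g. `# NOTE: only acceptable while dnsovertls stays strict ("true"); the DoT certificate check on dns.caspervk.net is what protects answer integrity here.` The `fallbackDns` comment still says "no DNS at all", but the new value `fallbackDns = config.networking.nameservers;` reuses the same two servers rather than disabling fallback; either reword the comment to say the fallback is the same resolvers, or, if the module maps an empty list to an empty `FallbackDNS=`, use `fallbackDns = [];`. The `services.resolved` set is complete within the hunk, but the enclosing module attribute set starts and ends outside it.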
@ -4,7 +4,7 @@
# Instead, we enable NetworkManager and the nmtui interface.
# Instead, we enable NetworkManager and the nmtui interface.
networkmanager = {
networkmanager = {
enable = true;
enable = true;
dns = lib.mkForce "none";
dns = lib.mkForce "none"; # see modules/base/network.nix
};
};
};
};