From 704f98ca14770ec91f2bdc4669393b9322cb2e60 Mon Sep 17 00:00:00 2001
From: "Casper V. Kristensen"
Date: Fri, 5 Apr 2024 01:07:48 +0200
Subject: [PATCH] proper systemd-resolved dns

---
 modules/base/network.nix | 34 ++++++++++++++++++++++------------
 modules/desktop/network.nix | 2 +-
 2 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/modules/base/network.nix b/modules/base/network.nix
index b8560ee..efd8b8b 100644
--- a/modules/base/network.nix
+++ b/modules/base/network.nix
@@ -1,4 +1,4 @@
-{...}: {
+{config, ...}: {
 # https://nixos.wiki/wiki/Networking
 # https://nixos.wiki/wiki/Systemd-networkd
@@ -10,7 +10,7 @@
 # Do not spam dmesg/journalctl with refused connections
 logRefusedConnections = false;
 };
- nameservers = ["127.0.0.53"]; # resolved stub resolver
+ nameservers = ["159.69.4.2#dns.caspervk.net" "2a01:4f8:1c0c:70d1::1#dns.caspervk.net"];
 search = ["caspervk.net"];
 };
 
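Review bot: The new `nameservers` line drops the comment that explained the previous value, so nothing says how these addresses reach the resolver or what the `#dns.caspervk.net` suffix is for. Since the next hunk sets `fallbackDns = config.networking.nameservers`, the list is clearly meant to be consumed by systemd-resolved rather than read from /etc/resolv.conf by applications, and that intent is worth stating: `# Consumed by systemd-resolved as its DNS= servers; the #name suffix is the certificate name validated under strict DNS-over-TLS`. Presumably /etc/resolv.conf keeps pointing at the 127.0.0.53 stub, which is the usual arrangement with resolved enabled; if it does not, anything that bypasses NSS would reach these servers over plain port 53, and a sentence in the same comment should pin that assumption.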
@@ -22,23 +22,33 @@
 # systemd-resolved provides DNS resolution to local applications through
 # D-Bus, NSS, and a local stub resolver on 127.0.0.53. It implements caching
 # and DNSSEC validation. We configure it to only, and always, use
- # dns.caspervk.net over TLS. By the way, it's surprisingly hard to get the
- # system to always follow the custom DNS servers rather than the
- # DHCP-provided ones. Check the traffic with:
- # sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
+ # dns.caspervk.net over TLS.
 # https://nixos.wiki/wiki/Encrypted_DNS
 # https://nixos.wiki/wiki/Systemd-resolved
 services.resolved = {
 enable = true;
- dnssec = "true";
+ dnsovertls = "true";
+ # TODO: DNSSEC support in systemd-resolved is considered experimental and
+ # incomplete. Upstream will validate for us anyway, and we trust it.
+ # https://wiki.archlinux.org/title/systemd-resolved#DNSSEC
+ dnssec = "false";
 # Resolved falls back to DNS servers operated by American internet
 # surveillance and adtech companies by default. No thanks, I'd rather have
 # no DNS at all.
- fallbackDns = ["159.69.4.2#dns.caspervk.net" "2a01:4f8:1c0c:70d1::1#dns.caspervk.net"];
- extraConfig = ''
- DNS=159.69.4.2#dns.caspervk.net 2a01:4f8:1c0c:70d1::1#dns.caspervk.net
- DNSOverTLS=yes
- '';
+ fallbackDns = config.networking.nameservers;
+ };
+
+ # It's surprisingly hard to get the system to always follow the custom DNS
+ # servers rather than the DHCP-provided ones. Force-ignore DHCP DNS on all
+ # interfaces. Check the traffic with:
+ # > sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
+ # or
+ # > sudo resolvectl log-level debug
+ # > sudo journalctl -fu systemd-resolved.service
+ systemd.network.networks."00-no-dhcp-dns" = {
+ matchConfig.Name = "*";
+ dhcpV4Config.UseDNS = false;
+ dhcpV6Config.UseDNS = false;
 };
 
 # TCP BBR has significantly increased throughput and reduced latency. Note
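Review bot: The new networkd unit only disables DNS learned via DHCPv4 and DHCPv6, so DNS servers announced in IPv6 router advertisements (RDNSS) are still accepted per-link by default; add `ipv6AcceptRAConfig.UseDNS = false;` next to the two `dhcp*Config.UseDNS` lines so the comment's claim of ignoring network-provided DNS on all interfaces actually holds. Separately, networkd applies only the first .network file in lexical order whose [Match] fits an interface, and `00-no-dhcp-dns` with `matchConfig.Name = "*"` sorts before everything else, so if other .network units in this configuration carry addressing or `DHCP=` settings they would presumably be shadowed on every interface — worth checking with `networkctl status` or moving these UseDNS settings into the units that configure the interfaces. The `dnssec = "false"` TODO says upstream validates for us, which is sound only because the path to it is authenticated by `dnsovertls = "true"` and the `#dns.caspervk.net` certificate name; the comment could state that dependency so the two settings are not changed independently.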
diff --git a/modules/desktop/network.nix b/modules/desktop/network.nix
index e46d08c..ba920fe 100644
--- a/modules/desktop/network.nix
+++ b/modules/desktop/network.nix
@@ -4,7 +4,7 @@
 # Instead, we enable NetworkManager and the nmtui interface.
 networkmanager = {
 enable = true;
- dns = lib.mkForce "none";
+ dns = lib.mkForce "none"; # see modules/base/network.nix
 };
 };
 