proper systemd-resolved dns
This commit is contained in:
parent
80d1256b96
commit
704f98ca14
2 changed files with 23 additions and 13 deletions
|
|
@ -1,4 +1,4 @@
|
|||
{...}: {
|
||||
{config, ...}: {
|
||||
# https://nixos.wiki/wiki/Networking
|
||||
# https://nixos.wiki/wiki/Systemd-networkd
|
||||
|
||||
|
|
@ -10,7 +10,7 @@
|
|||
# Do not spam dmesg/journalctl with refused connections
|
||||
logRefusedConnections = false;
|
||||
};
|
||||
nameservers = ["127.0.0.53"]; # resolved stub resolver
|
||||
nameservers = ["159.69.4.2#dns.caspervk.net" "2a01:4f8:1c0c:70d1::1#dns.caspervk.net"];
|
||||
search = ["caspervk.net"];
|
||||
};
|
||||
|
||||
|
|
@ -22,23 +22,33 @@
|
|||
# systemd-resolved provides DNS resolution to local applications through
|
||||
# D-Bus, NSS, and a local stub resolver on 127.0.0.53. It implements caching
|
||||
# and DNSSEC validation. We configure it to only, and always, use
|
||||
# dns.caspervk.net over TLS. By the way, it's surprisingly hard to get the
|
||||
# system to always follow the custom DNS servers rather than the
|
||||
# DHCP-provided ones. Check the traffic with:
|
||||
# sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
|
||||
# dns.caspervk.net over TLS.
|
||||
# https://nixos.wiki/wiki/Encrypted_DNS
|
||||
# https://nixos.wiki/wiki/Systemd-resolved
|
||||
services.resolved = {
|
||||
enable = true;
|
||||
dnssec = "true";
|
||||
dnsovertls = "true";
|
||||
# TODO: DNSSEC support in systemd-resolved is considered experimental and
|
||||
# incomplete. Upstream will validate for us anyway, and we trust it.
|
||||
# https://wiki.archlinux.org/title/systemd-resolved#DNSSEC
|
||||
dnssec = "false";
|
||||
# Resolved falls back to DNS servers operated by American internet
|
||||
# surveillance and adtech companies by default. No thanks, I'd rather have
|
||||
# no DNS at all.
|
||||
fallbackDns = ["159.69.4.2#dns.caspervk.net" "2a01:4f8:1c0c:70d1::1#dns.caspervk.net"];
|
||||
extraConfig = ''
|
||||
DNS=159.69.4.2#dns.caspervk.net 2a01:4f8:1c0c:70d1::1#dns.caspervk.net
|
||||
DNSOverTLS=yes
|
||||
'';
|
||||
fallbackDns = config.networking.nameservers;
|
||||
};
|
||||
|
||||
# It's surprisingly hard to get the system to always follow the custom DNS
|
||||
# servers rather than the DHCP-provided ones. Force-ignore DHCP DNS on all
|
||||
# interfaces. Check the traffic with:
|
||||
# > sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
|
||||
# or
|
||||
# > sudo resolvectl log-level debug
|
||||
# > sudo journalctl -fu systemd-resolved.service
|
||||
systemd.network.networks."00-no-dhcp-dns" = {
|
||||
matchConfig.Name = "*";
|
||||
dhcpV4Config.UseDNS = false;
|
||||
dhcpV6Config.UseDNS = false;
|
||||
};
|
||||
|
||||
# TCP BBR has significantly increased throughput and reduced latency. Note
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@
|
|||
# Instead, we enable NetworkManager and the nmtui interface.
|
||||
networkmanager = {
|
||||
enable = true;
|
||||
dns = lib.mkForce "none";
|
||||
dns = lib.mkForce "none"; # see modules/base/network.nix
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue