caspervk/nixos
1
0
Fork 0
Code Actions Activity

Revert "replace systemd-resolved with unbound"

Browse source 
This reverts commit d0b81511ff.
This commit is contained in:
Casper V. Kristensen 2024-04-04 23:32:08 +02:00
parent b67b843c13
commit 8c777c4e33
1 changed files with 21 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

50
modules/base/network.nix
View file

@ -1,4 +1,4 @@
{lib, ...}: { {...}: {
# https://nixos.wiki/wiki/Networking # https://nixos.wiki/wiki/Networking
# https://nixos.wiki/wiki/Systemd-networkd # https://nixos.wiki/wiki/Systemd-networkd
@ -10,7 +10,7 @@
# Do not spam dmesg/journalctl with refused connections # Do not spam dmesg/journalctl with refused connections
logRefusedConnections = false; logRefusedConnections = false;
}; };
nameservers = ["127.0.0.1"]; # unbound nameservers = ["127.0.0.53"]; # resolved stub resolver
search = ["caspervk.net"]; search = ["caspervk.net"];
}; };
@ -19,34 +19,26 @@
networking.useNetworkd = true; networking.useNetworkd = true;
systemd.network.enable = true; systemd.network.enable = true;
# Force-disable the systemd-resolved stub resolver, which is enabled # systemd-resolved provides DNS resolution to local applications through
# automatically in some cases, such as when enabling systemd-networkd. # D-Bus, NSS, and a local stub resolver on 127.0.0.53. It implements caching
services.resolved.enable = lib.mkForce false; # and DNSSEC validation. We configure it to only, and always, use
# dns.caspervk.net over TLS. By the way, it's surprisingly hard to get the
# Unbound provides DNS resolution to local applications on 127.0.0.1. It # system to always follow the custom DNS servers rather than the
# enables caching and DNSSEC validation by default. We configure it to only, # DHCP-provided ones. Check the traffic with:
# and always, use dns.caspervk.net over TLS. # sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
# By the way, it's surprisingly hard to get the system to always follow the # https://nixos.wiki/wiki/Encrypted_DNS
# custom DNS servers rather than the DHCP-provided ones. Check the traffic # https://nixos.wiki/wiki/Systemd-resolved
# with: sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)' services.resolved = {
# https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html
services.unbound = {
enable = true; enable = true;
settings = { dnssec = "true";
server = { # Resolved falls back to DNS servers operated by American internet
interface = ["127.0.0.1"]; # surveillance and adtech companies by default. No thanks, I'd rather have
}; # no DNS at all.
forward-zone = [ fallbackDns = ["159.69.4.2#dns.caspervk.net" "2a01:4f8:1c0c:70d1::1#dns.caspervk.net"];
{ extraConfig = ''
name = "."; DNS=159.69.4.2#dns.caspervk.net 2a01:4f8:1c0c:70d1::1#dns.caspervk.net
forward-addr = [ DNSOverTLS=yes
"159.69.4.2#dns.caspervk.net" '';
"2a01:4f8:1c0c:70d1::1#dns.caspervk.net"
];
forward-tls-upstream = "yes";
}
];
};
}; };
# TCP BBR has significantly increased throughput and reduced latency. Note # TCP BBR has significantly increased throughput and reduced latency. Note