replace systemd-resolved with unbound
Resolved seems to crash on some DNSSEC-enabled NXDOMANs??
This commit is contained in:
parent
5108b95244
commit
d0b81511ff
|
|
@ -1,4 +1,4 @@
|
||||||
{...}: {
|
{lib, ...}: {
|
||||||
# https://nixos.wiki/wiki/Networking
|
# https://nixos.wiki/wiki/Networking
|
||||||
# https://nixos.wiki/wiki/Systemd-networkd
|
# https://nixos.wiki/wiki/Systemd-networkd
|
||||||
|
|
||||||
|
|
@ -10,7 +10,7 @@
|
||||||
# Do not spam dmesg/journalctl with refused connections
|
# Do not spam dmesg/journalctl with refused connections
|
||||||
logRefusedConnections = false;
|
logRefusedConnections = false;
|
||||||
};
|
};
|
||||||
nameservers = ["127.0.0.53"]; # resolved stub resolver
|
nameservers = ["127.0.0.1"]; # unbound
|
||||||
search = ["caspervk.net"];
|
search = ["caspervk.net"];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
@ -19,26 +19,34 @@
|
||||||
networking.useNetworkd = true;
|
networking.useNetworkd = true;
|
||||||
systemd.network.enable = true;
|
systemd.network.enable = true;
|
||||||
|
|
||||||
# systemd-resolved provides DNS resolution to local applications through
|
# Force-disable the systemd-resolved stub resolver, which is enabled
|
||||||
# D-Bus, NSS, and a local stub resolver on 127.0.0.53. It implements caching
|
# automatically in some cases, such as when enabling systemd-networkd.
|
||||||
# and DNSSEC validation. We configure it to only, and always, use
|
services.resolved.enable = lib.mkForce false;
|
||||||
# dns.caspervk.net over TLS. By the way, it's surprisingly hard to get the
|
|
||||||
# system to always follow the custom DNS servers rather than the
|
# Unbound provides DNS resolution to local applications on 127.0.0.1. It
|
||||||
# DHCP-provided ones. Check the traffic with:
|
# enables caching and DNSSEC validation by default. We configure it to only,
|
||||||
# sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
|
# and always, use dns.caspervk.net over TLS.
|
||||||
# https://nixos.wiki/wiki/Encrypted_DNS
|
# By the way, it's surprisingly hard to get the system to always follow the
|
||||||
# https://nixos.wiki/wiki/Systemd-resolved
|
# custom DNS servers rather than the DHCP-provided ones. Check the traffic
|
||||||
services.resolved = {
|
# with: sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
|
||||||
|
# https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html
|
||||||
|
services.unbound = {
|
||||||
enable = true;
|
enable = true;
|
||||||
dnssec = "true";
|
settings = {
|
||||||
# Resolved falls back to DNS servers operated by American internet
|
server = {
|
||||||
# surveillance and adtech companies by default. No thanks, I'd rather have
|
interface = ["127.0.0.1"];
|
||||||
# no DNS at all.
|
};
|
||||||
fallbackDns = ["159.69.4.2#dns.caspervk.net" "2a01:4f8:1c0c:70d1::1#dns.caspervk.net"];
|
forward-zone = [
|
||||||
extraConfig = ''
|
{
|
||||||
DNS=159.69.4.2#dns.caspervk.net 2a01:4f8:1c0c:70d1::1#dns.caspervk.net
|
name = ".";
|
||||||
DNSOverTLS=yes
|
forward-addr = [
|
||||||
'';
|
"159.69.4.2#dns.caspervk.net"
|
||||||
|
"2a01:4f8:1c0c:70d1::1#dns.caspervk.net"
|
||||||
|
];
|
||||||
|
forward-tls-upstream = "yes";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# TCP BBR has significantly increased throughput and reduced latency. Note
|
# TCP BBR has significantly increased throughput and reduced latency. Note
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue