modules/base/network.nix

@@ -1,4 +1,4 @@
-{config, ...}: {
+{lib, ...}: {
   # https://nixos.wiki/wiki/Networking
   # https://nixos.wiki/wiki/Systemd-networkd
 
@@ -10,7 +10,7 @@
       # Do not spam dmesg/journalctl with refused connections
       logRefusedConnections = false;
     };
-    nameservers = ["159.69.4.2#dns.caspervk.net" "2a01:4f8:1c0c:70d1::1#dns.caspervk.net"];
+    nameservers = ["127.0.0.1"]; # unbound
     search = ["caspervk.net"];
   };
 
@@ -19,36 +19,34 @@
   networking.useNetworkd = true;
   systemd.network.enable = true;
 
-  # systemd-resolved provides DNS resolution to local applications through
-  # D-Bus, NSS, and a local stub resolver on 127.0.0.53. It implements caching
-  # and DNSSEC validation. We configure it to only, and always, use
-  # dns.caspervk.net over TLS.
-  # https://nixos.wiki/wiki/Encrypted_DNS
-  # https://nixos.wiki/wiki/Systemd-resolved
-  services.resolved = {
-    enable = true;
-    dnsovertls = "true";
-    # TODO: DNSSEC support in systemd-resolved is considered experimental and
-    # incomplete. Upstream will validate for us anyway, and we trust it.
-    # https://wiki.archlinux.org/title/systemd-resolved#DNSSEC
-    dnssec = "false";
-    # Resolved falls back to DNS servers operated by American internet
-    # surveillance and adtech companies by default. No thanks, I'd rather have
-    # no DNS at all.
-    fallbackDns = config.networking.nameservers;
-  };
+  # Force-disable the systemd-resolved stub resolver, which is enabled
+  # automatically in some cases, such as when enabling systemd-networkd.
+  services.resolved.enable = lib.mkForce false;
 
-  # It's surprisingly hard to get the system to always follow the custom DNS
-  # servers rather than the DHCP-provided ones. Force-ignore DHCP DNS on all
-  # interfaces. Check the traffic with:
-  # > sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
-  # or
-  # > sudo resolvectl log-level debug
-  # > sudo journalctl -fu systemd-resolved.service
-  systemd.network.networks."00-no-dhcp-dns" = {
-    matchConfig.Name = "*";
-    dhcpV4Config.UseDNS = false;
-    dhcpV6Config.UseDNS = false;
+  # Unbound provides DNS resolution to local applications on 127.0.0.1. It
+  # enables caching and DNSSEC validation by default. We configure it to only,
+  # and always, use dns.caspervk.net over TLS.
+  # By the way, it's surprisingly hard to get the system to always follow the
+  # custom DNS servers rather than the DHCP-provided ones. Check the traffic
+  # with: sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
+  # https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html
+  services.unbound = {
+    enable = true;
+    settings = {
+      server = {
+        interface = ["127.0.0.1"];
+      };
+      forward-zone = [
+        {
+          name = ".";
+          forward-addr = [
+            "159.69.4.2#dns.caspervk.net"
+            "2a01:4f8:1c0c:70d1::1#dns.caspervk.net"
+          ];
+          forward-tls-upstream = "yes";
+        }
+      ];
+    };
   };
 
   # TCP BBR has significantly increased throughput and reduced latency. Note

modules/desktop/network.nix

@@ -4,7 +4,7 @@
     # Instead, we enable NetworkManager and the nmtui interface.
     networkmanager = {
       enable = true;
-      dns = lib.mkForce "none"; # see modules/base/network.nix
+      dns = lib.mkForce "none";
     };
   };