proper systemd-resolved dns

This reverts commit d0b81511ff.

modules/base/network.nix

@@ -1,4 +1,4 @@
-{lib, ...}: {
+{config, ...}: {
   # https://nixos.wiki/wiki/Networking
   # https://nixos.wiki/wiki/Systemd-networkd
 
@@ -10,7 +10,7 @@
       # Do not spam dmesg/journalctl with refused connections
       logRefusedConnections = false;
     };
-    nameservers = ["127.0.0.1"]; # unbound
+    nameservers = ["159.69.4.2#dns.caspervk.net" "2a01:4f8:1c0c:70d1::1#dns.caspervk.net"];
     search = ["caspervk.net"];
   };
 
@@ -19,34 +19,36 @@
   networking.useNetworkd = true;
   systemd.network.enable = true;
 
-  # Force-disable the systemd-resolved stub resolver, which is enabled
+  # systemd-resolved provides DNS resolution to local applications through
-  # automatically in some cases, such as when enabling systemd-networkd.
+  # D-Bus, NSS, and a local stub resolver on 127.0.0.53. It implements caching
-  services.resolved.enable = lib.mkForce false;
+  # and DNSSEC validation. We configure it to only, and always, use
-
+  # dns.caspervk.net over TLS.
-  # Unbound provides DNS resolution to local applications on 127.0.0.1. It
+  # https://nixos.wiki/wiki/Encrypted_DNS
-  # enables caching and DNSSEC validation by default. We configure it to only,
+  # https://nixos.wiki/wiki/Systemd-resolved
-  # and always, use dns.caspervk.net over TLS.
+  services.resolved = {
-  # By the way, it's surprisingly hard to get the system to always follow the
-  # custom DNS servers rather than the DHCP-provided ones. Check the traffic
-  # with: sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
-  # https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html
-  services.unbound = {
     enable = true;
-    settings = {
+    dnsovertls = "true";
-      server = {
+    # TODO: DNSSEC support in systemd-resolved is considered experimental and
-        interface = ["127.0.0.1"];
+    # incomplete. Upstream will validate for us anyway, and we trust it.
-      };
+    # https://wiki.archlinux.org/title/systemd-resolved#DNSSEC
-      forward-zone = [
+    dnssec = "false";
-        {
+    # Resolved falls back to DNS servers operated by American internet
-          name = ".";
+    # surveillance and adtech companies by default. No thanks, I'd rather have
-          forward-addr = [
+    # no DNS at all.
-            "159.69.4.2#dns.caspervk.net"
+    fallbackDns = config.networking.nameservers;
-            "2a01:4f8:1c0c:70d1::1#dns.caspervk.net"
+  };
-          ];
+
-          forward-tls-upstream = "yes";
+  # It's surprisingly hard to get the system to always follow the custom DNS
-        }
+  # servers rather than the DHCP-provided ones. Force-ignore DHCP DNS on all
-      ];
+  # interfaces. Check the traffic with:
-    };
+  # > sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
+  # or
+  # > sudo resolvectl log-level debug
+  # > sudo journalctl -fu systemd-resolved.service
+  systemd.network.networks."00-no-dhcp-dns" = {
+    matchConfig.Name = "*";
+    dhcpV4Config.UseDNS = false;
+    dhcpV6Config.UseDNS = false;
   };
 
   # TCP BBR has significantly increased throughput and reduced latency. Note

modules/desktop/network.nix

@@ -4,7 +4,7 @@
     # Instead, we enable NetworkManager and the nmtui interface.
     networkmanager = {
       enable = true;
-      dns = lib.mkForce "none";
+      dns = lib.mkForce "none"; # see modules/base/network.nix
     };
   };