Compare commits
3 commits
9fd6e50710
...
4ba1b63e13
Author | SHA1 | Date | |
---|---|---|---|
4ba1b63e13 | |||
51d62d1fcd | |||
bd6b841e7d |
5 changed files with 55 additions and 25 deletions
|
@ -1,8 +1,4 @@
|
||||||
{
|
{pkgs, ...}: {
|
||||||
config,
|
|
||||||
pkgs,
|
|
||||||
...
|
|
||||||
}: {
|
|
||||||
# Knot Resolver is a minimalistic implementation of a caching validating DNS
|
# Knot Resolver is a minimalistic implementation of a caching validating DNS
|
||||||
# resolver. Modular architecture keeps the core tiny and efficient, and it
|
# resolver. Modular architecture keeps the core tiny and efficient, and it
|
||||||
# provides a state-machine like API for extensions.
|
# provides a state-machine like API for extensions.
|
||||||
|
@ -21,23 +17,52 @@
|
||||||
# https://knot-resolver.readthedocs.io/en/stable/daemon-scripting.html
|
# https://knot-resolver.readthedocs.io/en/stable/daemon-scripting.html
|
||||||
services.kresd = {
|
services.kresd = {
|
||||||
enable = true;
|
enable = true;
|
||||||
# For maximum performance, there should be as many kresd processes as there
|
# For maximum performance there should be as many kresd processes as there
|
||||||
# are available CPU threads.
|
# are available CPU threads.
|
||||||
|
# We double it to account for the SYSTEMD_INSTANCE scheme below.
|
||||||
# https://knot-resolver.readthedocs.io/en/stable/systemd-multiinst.html
|
# https://knot-resolver.readthedocs.io/en/stable/systemd-multiinst.html
|
||||||
instances = 2;
|
instances = 4;
|
||||||
extraConfig =
|
extraConfig =
|
||||||
# lua
|
# lua
|
||||||
''
|
''
|
||||||
-- Explicitly listen to DNS/DoH/DoT on the external interface(s). This
|
-- Explicitly only listen on external addresses to allow
|
||||||
-- allows systemd-resolved to listen on localhost as on every other system.
|
-- systemd-resolved to use localhost:53 as on every other system.
|
||||||
local ipv4 = "159.69.4.2"
|
local ipv4 = "159.69.4.2"
|
||||||
local ipv6 ="2a01:4f8:1c0c:70d1::1"
|
local ipv6_1 = "2a01:4f8:1c0c:70d1::1"
|
||||||
|
local ipv6_2 = "2a01:4f8:1c0c:70d1::2"
|
||||||
|
-- We want to apply different query policies based on the listening
|
||||||
|
-- address, but doing so is difficult. Instead, we define bind address
|
||||||
|
-- and query policies together based on the systemd instance number.
|
||||||
|
-- https://knot-resolver.readthedocs.io/en/stable/systemd-multiinst.html#instance-specific-configuration
|
||||||
|
local systemd_instance = tonumber(os.getenv("SYSTEMD_INSTANCE"))
|
||||||
|
if systemd_instance % 2 == 0 then
|
||||||
|
-- IPv4 and IPv6-1: Block spam and advertising domains.
|
||||||
net.listen(ipv4, 53, {kind = "dns"})
|
net.listen(ipv4, 53, {kind = "dns"})
|
||||||
net.listen(ipv6, 53, {kind = "dns"})
|
net.listen(ipv6_1, 53, {kind = "dns"})
|
||||||
net.listen(ipv4, 853, {kind = "tls"})
|
net.listen(ipv4, 853, {kind = "tls"})
|
||||||
net.listen(ipv6, 853, {kind = "tls"})
|
net.listen(ipv6_1, 853, {kind = "tls"})
|
||||||
net.listen(ipv4, 443, {kind = "doh2"})
|
net.listen(ipv4, 443, {kind = "doh2"})
|
||||||
net.listen(ipv6, 443, {kind = "doh2"})
|
net.listen(ipv6_1, 443, {kind = "doh2"})
|
||||||
|
-- https://knot-resolver.readthedocs.io/en/stable/modules-policy.html#response-policy-zones
|
||||||
|
policy.add(
|
||||||
|
policy.rpz(
|
||||||
|
-- Beware that cache is shared by *all* requests. For example, it is
|
||||||
|
-- safe to refuse (policy.DENY) answer based on who asks the resolver,
|
||||||
|
-- but trying to serve different data to different clients (policy.ANSWER)
|
||||||
|
-- will result in unexpected behavior.
|
||||||
|
-- https://knot-resolver.readthedocs.io/en/stable/modules-view.html:
|
||||||
|
policy.DENY,
|
||||||
|
"${pkgs.runCommand "stevenblack-blocklist-rpz" {} ''grep '^0\.0\.0\.0' ${pkgs.stevenblack-blocklist}/hosts | awk '{print $2 " 600 IN CNAME .\n*." $2 " 600 IN CNAME ."}' > $out''}"
|
||||||
|
)
|
||||||
|
)
|
||||||
|
else
|
||||||
|
-- IPv6-2: Don't censor anything.
|
||||||
|
-- This is primarily for the tor exit relay, since not censoring
|
||||||
|
-- anything is kind of the whole point of tor.
|
||||||
|
net.listen(ipv6_2, 53, {kind = "dns"})
|
||||||
|
net.listen(ipv6_2, 853, {kind = "tls"})
|
||||||
|
net.listen(ipv6_2, 443, {kind = "doh2"})
|
||||||
|
end
|
||||||
-- TLS certificate for DoT and DoH
|
-- TLS certificate for DoT and DoH
|
||||||
-- https://knot-resolver.readthedocs.io/en/stable/daemon-bindings-net_tlssrv.html
|
-- https://knot-resolver.readthedocs.io/en/stable/daemon-bindings-net_tlssrv.html
|
||||||
net.tls(
|
net.tls(
|
||||||
|
@ -53,14 +78,6 @@
|
||||||
-- expire, they get refreshed.
|
-- expire, they get refreshed.
|
||||||
-- https://knot-resolver.readthedocs.io/en/stable/modules-predict.html
|
-- https://knot-resolver.readthedocs.io/en/stable/modules-predict.html
|
||||||
modules.load("predict")
|
modules.load("predict")
|
||||||
-- Block spam and advertising domains
|
|
||||||
-- https://knot-resolver.readthedocs.io/en/stable/modules-policy.html#response-policy-zones
|
|
||||||
policy.add(
|
|
||||||
policy.rpz(
|
|
||||||
policy.ANSWER({ [kres.type.A] = {rdata=kres.str2ip("0.0.0.0"), ttl = 600} }),
|
|
||||||
"${pkgs.runCommand "stevenblack-blocklist-rpz" {} ''grep '^0\.0\.0\.0' ${pkgs.stevenblack-blocklist}/hosts | awk '{print $2 " 600 IN CNAME .\n*." $2 " 600 IN CNAME ."}' > $out''}"
|
|
||||||
)
|
|
||||||
)
|
|
||||||
-- Test domain to verify DNS server is being used
|
-- Test domain to verify DNS server is being used
|
||||||
policy.add(
|
policy.add(
|
||||||
policy.domains(
|
policy.domains(
|
||||||
|
|
|
@ -7,6 +7,7 @@
|
||||||
address = [
|
address = [
|
||||||
"159.69.4.2/32"
|
"159.69.4.2/32"
|
||||||
"2a01:4f8:1c0c:70d1::1/64"
|
"2a01:4f8:1c0c:70d1::1/64"
|
||||||
|
"2a01:4f8:1c0c:70d1::2/64"
|
||||||
];
|
];
|
||||||
routes = [
|
routes = [
|
||||||
{routeConfig = {Destination = "172.31.1.1";};}
|
{routeConfig = {Destination = "172.31.1.1";};}
|
||||||
|
|
|
@ -1,4 +1,11 @@
|
||||||
{...}: {
|
{...}: {
|
||||||
|
networking = {
|
||||||
|
# Use dns.caspervk.net IPv6 address ::2 for uncensored DNS
|
||||||
|
nameservers = [
|
||||||
|
"[2a01:4f8:1c0c:70d1::2]#dns.caspervk.net"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
systemd.network = {
|
systemd.network = {
|
||||||
networks."10-lan" = {
|
networks."10-lan" = {
|
||||||
# IPv4 settings are from `sudo dhcpcd --test`.
|
# IPv4 settings are from `sudo dhcpcd --test`.
|
||||||
|
|
|
@ -10,7 +10,10 @@
|
||||||
# Do not spam dmesg/journalctl with refused connections
|
# Do not spam dmesg/journalctl with refused connections
|
||||||
logRefusedConnections = false;
|
logRefusedConnections = false;
|
||||||
};
|
};
|
||||||
nameservers = ["159.69.4.2#dns.caspervk.net" "2a01:4f8:1c0c:70d1::1#dns.caspervk.net"];
|
nameservers = [
|
||||||
|
"159.69.4.2#dns.caspervk.net"
|
||||||
|
"[2a01:4f8:1c0c:70d1::1]#dns.caspervk.net"
|
||||||
|
];
|
||||||
search = ["caspervk.net"];
|
search = ["caspervk.net"];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -211,6 +211,8 @@
|
||||||
-- Less pronounced indent lines
|
-- Less pronounced indent lines
|
||||||
IblIndent = { fg = theme.ui.bg_p2 },
|
IblIndent = { fg = theme.ui.bg_p2 },
|
||||||
IblScope = { fg = theme.ui.whitespace },
|
IblScope = { fg = theme.ui.whitespace },
|
||||||
|
-- Don't overwrite syntax-highlighting on deleted lines
|
||||||
|
DiffDelete = { fg = "none" },
|
||||||
}
|
}
|
||||||
end,
|
end,
|
||||||
})
|
})
|
||||||
|
|
Loading…
Reference in a new issue