Encrypted DNS: Difference between revisions

(4 intermediate revisions by 3 users not shown)

Line 3:

'''Encrypted DNS''' protocols aim to address this hole by encrypting queries and responses in transit between DNS resolvers and clients; the most widely deployed ones are [[wikipedia:DNS over HTTPS|DNS over HTTPS]] (DoH), [[wikipedia:DNS over TLS|DNS over TLS]] (DoT), and [https://dnscrypt.info/ DNSCrypt].

NixOS has modules for multiple encrypted DNS proxies, including [https://github.com/DNSCrypt/dnscrypt-proxy dnscrypt-proxy 2] and [https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby Stubby]. <code>services.dnscrypt-proxy2</code> is generally recommended, as it has the widest protocol and feature support, and is written in a memory-safe language.

NixOS has modules for multiple encrypted DNS proxies, including [https://github.com/DNSCrypt/dnscrypt-proxy dnscrypt-proxy 2], [https://github.com/AdguardTeam/dnsproxy dnsproxy] and [https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby Stubby]. <code>services.dnscrypt-proxy2</code> is generally recommended, as it has the widest protocol and feature support, and is written in a memory-safe language. For DNS over TLS (DoT) support, <code>services.dnsproxy</code> can be used. Detailed comparison of DNS proxies can be found on [https://wiki.archlinux.org/title/Domain_name_resolution#DNS_servers ArchLinux Wiki].

== Setting nameservers ==

Line 49:

# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity

ipv6_servers = ~~config.custom.~~hasIPv6Internet;

ipv6_servers = hasIPv6Internet;

block_ipv6 = ! (~~config.custom.~~hasIPv6Internet);

block_ipv6 = ! (hasIPv6Internet);

require_dnssec = true;

Line 70:

See [https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml the upstream example configuration file] for more configuration options.

~~BlocklistAdd~~ a blocklist ~~repo~~ (e.g. oisd) as a flake input:<syntaxhighlight lang="nix">

=== Blocklist ===

Fetch a blocklist file (e.g. oisd) as a flake input:<syntaxhighlight lang="nix">

# flake.nix

Line 76:

Line 78:

inputs = {

oisd = {

url = "~~github~~:~~sjhgvr~~/oisd";

url = "https://big.oisd.nl/domainswild";

flake = false;

};

Line 92:

Line 94:

{ config, lib, pkgs, inputs, ... }:

let

blocklist_base = builtins.readFile ~~"${~~inputs.oisd~~}/domainswild_big.txt"~~;

blocklist_base = builtins.readFile inputs.oisd;

extraBlocklist = '''';

blocklist_txt = pkgs.writeText "blocklist.txt" ''

Line 152:

Line 154:

Note that you can still access the other DNS server locally through the non-loopback interface (e.g. by using your server's external IP).

== dnsproxy ==

dnsproxy is a simple DNS proxy server with the widest protocol support.

=== Example configuration ===

{

services.dnsproxy = {

enable = true;

settings = {

# Plain DNS upstream

upstream = [ "1.1.1.1:53" ];

# DNS over TLS upstream

upstream = [ "tls://dns.adguard.com" ];

# DNS over HTTPS upstream

upstream = [ "https://dns.adguard.com/dns-query" ];

listen-addrs = [ "0.0.0.0" ];

# Plain DNS server

listen-ports = [ 53 ];

# DNS over TLS server

tls-port = [ 853 ];

# DNS over HTTPS server

https-port = [ 443 ];

# Certificate for encrypted DNS server

tls-crt = "/var/lib/acme/example.org/fullchain.pem";

tls-key = "/var/lib/acme/example.org/key.pem";

};

# Additional launch flags

flags = [ "--verbose" ];

};

}

</syntaxhighlight>

== Stubby ==

Line 192:

Line 227:

</syntaxhighlight>

[[Category: Networking]]

[[Category:Networking]]

[[Category:DNS]]

@@ Line 3: / Line 3: @@
 '''Encrypted DNS''' protocols aim to address this hole by encrypting queries and responses in transit between DNS resolvers and clients; the most widely deployed ones are [[wikipedia:DNS over HTTPS|DNS over HTTPS]] (DoH), [[wikipedia:DNS over TLS|DNS over TLS]] (DoT), and [https://dnscrypt.info/ DNSCrypt].
-NixOS has modules for multiple encrypted DNS proxies, including [https://github.com/DNSCrypt/dnscrypt-proxy dnscrypt-proxy 2] and [https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby Stubby]. <code>services.dnscrypt-proxy2</code> is generally recommended, as it has the widest protocol and feature support, and is written in a memory-safe language.
+NixOS has modules for multiple encrypted DNS proxies, including [https://github.com/DNSCrypt/dnscrypt-proxy dnscrypt-proxy 2], [https://github.com/AdguardTeam/dnsproxy dnsproxy] and [https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby Stubby]. <code>services.dnscrypt-proxy2</code> is generally recommended, as it has the widest protocol and feature support, and is written in a memory-safe language. For DNS over TLS (DoT) support, <code>services.dnsproxy</code> can be used. Detailed comparison of DNS proxies can be found on [https://wiki.archlinux.org/title/Domain_name_resolution#DNS_servers ArchLinux Wiki].
 == Setting nameservers ==
@@ Line 49: / Line 49: @@
        # Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
-       ipv6_servers = config.custom.hasIPv6Internet;
+       ipv6_servers = hasIPv6Internet;
-       block_ipv6 = ! (config.custom.hasIPv6Internet);
+       block_ipv6 = ! (hasIPv6Internet);
        require_dnssec = true;
@@ Line 70: / Line 70: @@
 See [https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml the upstream example configuration file] for more configuration options.
-BlocklistAdd a blocklist repo (e.g. oisd) as a flake input:<syntaxhighlight lang="nix">
+=== Blocklist ===
+Fetch a blocklist file (e.g. oisd) as a flake input:<syntaxhighlight lang="nix">
 # flake.nix
@@ Line 76: / Line 78: @@
    inputs = {
      oisd = {
-       url = "github:sjhgvr/oisd";
+       url = "https://big.oisd.nl/domainswild";
        flake = false;
      };
@@ Line 92: / Line 94: @@
 { config, lib, pkgs, inputs, ... }:
 let
-   blocklist_base = builtins.readFile "${inputs.oisd}/domainswild_big.txt";
+   blocklist_base = builtins.readFile inputs.oisd;
    extraBlocklist = '''';
    blocklist_txt = pkgs.writeText "blocklist.txt" ''
@@ Line 152: / Line 154: @@
 Note that you can still access the other DNS server locally through the non-loopback interface (e.g. by using your server's external IP).
+== dnsproxy ==
+dnsproxy is a simple DNS proxy server with the widest protocol support.
+=== Example configuration ===
+<syntaxhighlight lang="nix">
+{
+  services.dnsproxy = {
+    enable = true;
+    settings = {
+      # Plain DNS upstream
+      upstream = [ "1.1.1.1:53" ];
+      # DNS over TLS upstream
+      upstream = [ "tls://dns.adguard.com" ];
+      # DNS over HTTPS upstream
+      upstream = [ "https://dns.adguard.com/dns-query" ];
+      listen-addrs = [ "0.0.0.0" ];
+      # Plain DNS server
+      listen-ports = [ 53 ];
+      # DNS over TLS server
+      tls-port = [ 853 ];
+      # DNS over HTTPS server
+      https-port = [ 443 ];
+      # Certificate for encrypted DNS server
+      tls-crt = "/var/lib/acme/example.org/fullchain.pem";
+      tls-key = "/var/lib/acme/example.org/key.pem";
+    };
+    # Additional launch flags
+    flags = [ "--verbose" ];
+  };
+}
+</syntaxhighlight>
 == Stubby ==
@@ Line 192: / Line 227: @@
 </syntaxhighlight>
-[[Category: Networking]]
+[[Category:Networking]]
+[[Category:DNS]]