NixOS Wiki

Encrypted DNS: Difference between revisions

← Older edit
VisualWikitext
m Typo
m from `services.dnscrypt-proxy2` to `services.dnscrypt-proxy` https://search.nixos.org/options?channel=unstable&show=services.dnscrypt-proxy.configFile&query=dnscrypt-proxy
 
(7 intermediate revisions by 7 users not shown)
Line 3: Line 3:
'''Encrypted DNS''' protocols aim to address this hole by encrypting queries and responses in transit between DNS resolvers and clients; the most widely deployed ones are [[wikipedia:DNS over HTTPS|DNS over HTTPS]] (DoH), [[wikipedia:DNS over TLS|DNS over TLS]] (DoT), and [https://dnscrypt.info/ DNSCrypt].
'''Encrypted DNS''' protocols aim to address this hole by encrypting queries and responses in transit between DNS resolvers and clients; the most widely deployed ones are [[wikipedia:DNS over HTTPS|DNS over HTTPS]] (DoH), [[wikipedia:DNS over TLS|DNS over TLS]] (DoT), and [https://dnscrypt.info/ DNSCrypt].


NixOS has modules for multiple encrypted DNS proxies, including [https://github.com/DNSCrypt/dnscrypt-proxy dnscrypt-proxy 2] and [https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby Stubby]. <code>services.dnscrypt-proxy2</code> is generally recommended, as it has the widest protocol and feature support, and is written in a memory-safe language.
NixOS has modules for multiple encrypted DNS proxies, including [https://github.com/DNSCrypt/dnscrypt-proxy dnscrypt-proxy 2], [https://github.com/AdguardTeam/dnsproxy dnsproxy] and [https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby Stubby]. <code>services.dnscrypt-proxy</code> is generally recommended, as it has the widest protocol and feature support, and is written in a memory-safe language. For DNS over TLS (DoT) support, <code>services.dnsproxy</code> can be used. Detailed comparison of DNS proxies can be found on [https://wiki.archlinux.org/title/Domain_name_resolution#DNS_servers ArchLinux Wiki].


== Setting nameservers ==
== Setting nameservers ==
Line 24: Line 24:


If you'd prefer to keep using resolvconf then you can set <code>networking.resolvconf.useLocalResolver</code> instead. Note that it uses the IPv4 loopback address only.
If you'd prefer to keep using resolvconf then you can set <code>networking.resolvconf.useLocalResolver</code> instead. Note that it uses the IPv4 loopback address only.
== Secure DNS and Captive Portal ==
Secure DNS will break most captive portals like those of public or hotel wifi access points, resulting in inability to gain internet access through such access points.
In that case, use <code>networkctl status ${wlan interface}</code> to show the default DNS provided by the network, and temporarily change nameserver inside <code>/etc/resolv.conf</code> from <code>127.0.0.53</code> to the provided one.
Alternatively, if you have Chromium installed, you can use the <code>programs.captive-browser.enable</code> Chromium wrapper, which is "Dedicated Chrome instance to log into captive portals without messing with DNS settings".


== dnscrypt-proxy2 ==
== dnscrypt-proxy2 ==
Line 34: Line 43:
in
in
{
{
   # See https://nixos.wiki/wiki/Encrypted_DNS
   # See https://wiki.nixos.org/wiki/Encrypted_DNS
   services.dnscrypt-proxy2 = {
   services.dnscrypt-proxy = {
     enable = true;
     enable = true;
     # See https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
     # See https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
Line 49: Line 58:


       # Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
       # Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
       ipv6_servers = config.custom.hasIPv6Internet;
       ipv6_servers = hasIPv6Internet;
       block_ipv6 = ! (config.custom.hasIPv6Internet);
       block_ipv6 = ! (hasIPv6Internet);


       require_dnssec = true;
       require_dnssec = true;
Line 64: Line 73:
   };
   };


   systemd.services.dnscrypt-proxy2.serviceConfig.StateDirectory = StateDirectory;
   systemd.services.dnscrypt-proxy.serviceConfig.StateDirectory = StateDirectory;
}
}
</syntaxhighlight>
</syntaxhighlight>
Line 72: Line 81:
=== Blocklist ===
=== Blocklist ===


Add a blocklist repo (e.g. oisd) as a flake input:<syntaxhighlight lang="nix">
Fetch a blocklist file (e.g. oisd) as a flake input:<syntaxhighlight lang="nix">
# flake.nix
# flake.nix


Line 78: Line 87:
   inputs = {
   inputs = {
     oisd = {
     oisd = {
       url = "github:sjhgvr/oisd";
       url = "https://big.oisd.nl/domainswild";
       flake = false;
       flake = false;
     };
     };
Line 94: Line 103:
{ config, lib, pkgs, inputs, ... }:
{ config, lib, pkgs, inputs, ... }:
let
let
   blocklist_base = builtins.readFile "${inputs.oisd}/domainswild_big.txt";
   blocklist_base = builtins.readFile inputs.oisd;
   extraBlocklist = '''';
   extraBlocklist = '''';
   blocklist_txt = pkgs.writeText "blocklist.txt" ''
   blocklist_txt = pkgs.writeText "blocklist.txt" ''
Line 102: Line 111:
in
in
{
{
   services.dnscrypt-proxy2.settings.blocked_names.blocked_names_file = blocklist_txt;
   services.dnscrypt-proxy.settings.blocked_names.blocked_names_file = blocklist_txt;
}
}


Line 112: Line 121:
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
{
{
   services.dnscrypt-proxy2 = {
   services.dnscrypt-proxy = {
     enable = true;
     enable = true;
     settings = {
     settings = {
Line 133: Line 142:
   networking.nameservers = [ "::1" ];
   networking.nameservers = [ "::1" ];


   services.dnscrypt-proxy2 = {
   services.dnscrypt-proxy = {
     enable = true;
     enable = true;
     settings = {
     settings = {
Line 154: Line 163:


Note that you can still access the other DNS server locally through the non-loopback interface (e.g. by using your server's external IP).
Note that you can still access the other DNS server locally through the non-loopback interface (e.g. by using your server's external IP).
== dnsproxy ==
dnsproxy is a simple DNS proxy server with the widest protocol support.
=== Example configuration ===
<syntaxhighlight lang="nix">
{
  services.dnsproxy = {
    enable = true;
    settings = {
      # Plain DNS upstream
      upstream = [ "1.1.1.1:53" ];
      # DNS over TLS upstream
      upstream = [ "tls://dns.adguard.com" ];
      # DNS over HTTPS upstream
      upstream = [ "https://dns.adguard.com/dns-query" ];
      listen-addrs = [ "0.0.0.0" ];
      # Plain DNS server
      listen-ports = [ 53 ];
      # DNS over TLS server
      tls-port = [ 853 ];
      # DNS over HTTPS server
      https-port = [ 443 ];
      # Certificate for encrypted DNS server
      tls-crt = "/var/lib/acme/example.org/fullchain.pem";
      tls-key = "/var/lib/acme/example.org/key.pem";
    };
    # Additional launch flags
    flags = [ "--verbose" ];
  };
}
</syntaxhighlight>


== Stubby ==
== Stubby ==
Line 194: Line 236:
</syntaxhighlight>
</syntaxhighlight>


[[Category: Networking]]
[[Category:Networking]]
[[Category:DNS]]
Retrieved from "https://wiki.nixos.org/wiki/Encrypted_DNS"