Encrypted DNS: Difference between revisions

(4 intermediate revisions by 4 users not shown)

Line 3:

'''Encrypted DNS''' protocols aim to address this hole by encrypting queries and responses in transit between DNS resolvers and clients; the most widely deployed ones are [[wikipedia:DNS over HTTPS|DNS over HTTPS]] (DoH), [[wikipedia:DNS over TLS|DNS over TLS]] (DoT), and [https://dnscrypt.info/ DNSCrypt].

NixOS has modules for multiple encrypted DNS proxies, including [https://github.com/DNSCrypt/dnscrypt-proxy dnscrypt-proxy 2], [https://github.com/AdguardTeam/dnsproxy dnsproxy] and [https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby Stubby]. <code>services.dnscrypt-~~proxy2~~</code> is generally recommended, as it has the widest protocol and feature support, and is written in a memory-safe language. For DNS over TLS (DoT) support, <code>services.dnsproxy</code> can be used. Detailed comparison of DNS proxies can be found on [https://wiki.archlinux.org/title/Domain_name_resolution#DNS_servers ArchLinux Wiki].

NixOS has modules for multiple encrypted DNS proxies, including [https://github.com/DNSCrypt/dnscrypt-proxy dnscrypt-proxy 2], [https://github.com/AdguardTeam/dnsproxy dnsproxy] and [https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby Stubby]. <code>services.dnscrypt-proxy</code> is generally recommended, as it has the widest protocol and feature support, and is written in a memory-safe language. For DNS over TLS (DoT) support, <code>services.dnsproxy</code> can be used. Detailed comparison of DNS proxies can be found on [https://wiki.archlinux.org/title/Domain_name_resolution#DNS_servers ArchLinux Wiki].

== Setting nameservers ==

Line 24:

If you'd prefer to keep using resolvconf then you can set <code>networking.resolvconf.useLocalResolver</code> instead. Note that it uses the IPv4 loopback address only.

== Secure DNS and Captive Portal ==

Secure DNS will break most captive portals like those of public or hotel wifi access points, resulting in inability to gain internet access through such access points.

In that case, use <code>networkctl status ${wlan interface}</code> to show the default DNS provided by the network, and temporarily change nameserver inside <code>/etc/resolv.conf</code> from <code>127.0.0.53</code> to the provided one.

Alternatively, if you have Chromium installed, you can use the <code>programs.captive-browser.enable</code> Chromium wrapper, which is "Dedicated Chrome instance to log into captive portals without messing with DNS settings".

== dnscrypt-proxy2 ==

Line 34:

Line 43:

in

{

# See https://nixos.~~wiki~~/wiki/Encrypted_DNS

# See https://wiki.nixos.org/wiki/Encrypted_DNS

services.dnscrypt-~~proxy2~~ = {

services.dnscrypt-proxy = {

enable = true;

# See https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml

Line 64:

Line 73:

};

systemd.services.dnscrypt-~~proxy2~~.serviceConfig.StateDirectory = StateDirectory;

systemd.services.dnscrypt-proxy.serviceConfig.StateDirectory = StateDirectory;

}

</syntaxhighlight>

Line 102:

Line 111:

in

{

services.dnscrypt-~~proxy2~~.settings.blocked_names.blocked_names_file = blocklist_txt;

services.dnscrypt-proxy.settings.blocked_names.blocked_names_file = blocklist_txt;

}

Line 112:

Line 121:

{

services.dnscrypt-~~proxy2~~ = {

services.dnscrypt-proxy = {

enable = true;

settings = {

Line 133:

Line 142:

networking.nameservers = [ "::1" ];

services.dnscrypt-~~proxy2~~ = {

services.dnscrypt-proxy = {

enable = true;

settings = {

Line 227:

Line 236:

</syntaxhighlight>

[[Category: Networking]]

[[Category:Networking]]

[[Category:DNS]]

@@ Line 3: / Line 3: @@
 '''Encrypted DNS''' protocols aim to address this hole by encrypting queries and responses in transit between DNS resolvers and clients; the most widely deployed ones are [[wikipedia:DNS over HTTPS|DNS over HTTPS]] (DoH), [[wikipedia:DNS over TLS|DNS over TLS]] (DoT), and [https://dnscrypt.info/ DNSCrypt].
-NixOS has modules for multiple encrypted DNS proxies, including [https://github.com/DNSCrypt/dnscrypt-proxy dnscrypt-proxy 2], [https://github.com/AdguardTeam/dnsproxy dnsproxy] and [https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby Stubby]. <code>services.dnscrypt-proxy2</code> is generally recommended, as it has the widest protocol and feature support, and is written in a memory-safe language. For DNS over TLS (DoT) support, <code>services.dnsproxy</code> can be used. Detailed comparison of DNS proxies can be found on [https://wiki.archlinux.org/title/Domain_name_resolution#DNS_servers ArchLinux Wiki].
+NixOS has modules for multiple encrypted DNS proxies, including [https://github.com/DNSCrypt/dnscrypt-proxy dnscrypt-proxy 2], [https://github.com/AdguardTeam/dnsproxy dnsproxy] and [https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby Stubby]. <code>services.dnscrypt-proxy</code> is generally recommended, as it has the widest protocol and feature support, and is written in a memory-safe language. For DNS over TLS (DoT) support, <code>services.dnsproxy</code> can be used. Detailed comparison of DNS proxies can be found on [https://wiki.archlinux.org/title/Domain_name_resolution#DNS_servers ArchLinux Wiki].
 == Setting nameservers ==
@@ Line 24: / Line 24: @@
 If you'd prefer to keep using resolvconf then you can set <code>networking.resolvconf.useLocalResolver</code> instead. Note that it uses the IPv4 loopback address only.
+== Secure DNS and Captive Portal ==
+Secure DNS will break most captive portals like those of public or hotel wifi access points, resulting in inability to gain internet access through such access points.
+In that case, use <code>networkctl status ${wlan interface}</code> to show the default DNS provided by the network, and temporarily change nameserver inside <code>/etc/resolv.conf</code> from <code>127.0.0.53</code> to the provided one.
+Alternatively, if you have Chromium installed, you can use the <code>programs.captive-browser.enable</code> Chromium wrapper, which is "Dedicated Chrome instance to log into captive portals without messing with DNS settings".
 == dnscrypt-proxy2 ==
@@ Line 34: / Line 43: @@
 in
 {
-   # See https://nixos.wiki/wiki/Encrypted_DNS
+   # See https://wiki.nixos.org/wiki/Encrypted_DNS
-   services.dnscrypt-proxy2 = {
+   services.dnscrypt-proxy = {
      enable = true;
      # See https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
@@ Line 64: / Line 73: @@
    };
-   systemd.services.dnscrypt-proxy2.serviceConfig.StateDirectory = StateDirectory;
+   systemd.services.dnscrypt-proxy.serviceConfig.StateDirectory = StateDirectory;
 }
 </syntaxhighlight>
@@ Line 102: / Line 111: @@
 in
 {
-   services.dnscrypt-proxy2.settings.blocked_names.blocked_names_file = blocklist_txt;
+   services.dnscrypt-proxy.settings.blocked_names.blocked_names_file = blocklist_txt;
 }
@@ Line 112: / Line 121: @@
 <syntaxhighlight lang="nix">
 {
-   services.dnscrypt-proxy2 = {
+   services.dnscrypt-proxy = {
      enable = true;
      settings = {
@@ Line 133: / Line 142: @@
    networking.nameservers = [ "::1" ];
-   services.dnscrypt-proxy2 = {
+   services.dnscrypt-proxy = {
      enable = true;
      settings = {
@@ Line 227: / Line 236: @@
 </syntaxhighlight>
-[[Category: Networking]]
+[[Category:Networking]]
+[[Category:DNS]]