Encrypted DNS: Difference between revisions

Pigs (talk | contribs)
m Basic configuration: Don't link to old wiki
DHCP (talk | contribs)
m improve formatting
 
(3 intermediate revisions by 2 users not shown)
Line 3: Line 3:
'''Encrypted DNS''' protocols aim to address this hole by encrypting queries and responses in transit between DNS resolvers and clients; the most widely deployed ones are [[wikipedia:DNS over HTTPS|DNS over HTTPS]] (DoH), [[wikipedia:DNS over TLS|DNS over TLS]] (DoT), and [https://dnscrypt.info/ DNSCrypt].
'''Encrypted DNS''' protocols aim to address this hole by encrypting queries and responses in transit between DNS resolvers and clients; the most widely deployed ones are [[wikipedia:DNS over HTTPS|DNS over HTTPS]] (DoH), [[wikipedia:DNS over TLS|DNS over TLS]] (DoT), and [https://dnscrypt.info/ DNSCrypt].


NixOS has modules for multiple encrypted DNS proxies, including [https://github.com/DNSCrypt/dnscrypt-proxy dnscrypt-proxy 2], [https://github.com/AdguardTeam/dnsproxy dnsproxy] and [https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby Stubby]. <code>services.dnscrypt-proxy2</code> is generally recommended, as it has the widest protocol and feature support, and is written in a memory-safe language. For DNS over TLS (DoT) support, <code>services.dnsproxy</code> can be used. Detailed comparison of DNS proxies can be found on [https://wiki.archlinux.org/title/Domain_name_resolution#DNS_servers ArchLinux Wiki].
NixOS has modules for multiple encrypted DNS proxies, including [https://github.com/DNSCrypt/dnscrypt-proxy dnscrypt-proxy 2], [https://github.com/AdguardTeam/dnsproxy dnsproxy] and [https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby Stubby]. <code>services.dnscrypt-proxy</code> is generally recommended, as it has the widest protocol and feature support, and is written in a memory-safe language. For DNS over TLS (DoT) support, <code>services.dnsproxy</code> can be used. Detailed comparison of DNS proxies can be found on [https://wiki.archlinux.org/title/Domain_name_resolution#DNS_servers ArchLinux Wiki].


== Setting nameservers ==
== Setting nameservers ==
Line 24: Line 24:


If you'd prefer to keep using resolvconf then you can set <code>networking.resolvconf.useLocalResolver</code> instead. Note that it uses the IPv4 loopback address only.
If you'd prefer to keep using resolvconf then you can set <code>networking.resolvconf.useLocalResolver</code> instead. Note that it uses the IPv4 loopback address only.
== Secure DNS and Captive Portal ==
Secure DNS will break most captive portals like those of public or hotel wifi access points, resulting in inability to gain internet access through such access points.
In that case, use <code>networkctl status ${wlan interface}</code> to show the default DNS provided by the network, and temporarily change nameserver inside <code>/etc/resolv.conf</code> from <code>127.0.0.53</code> to the provided one.
Alternatively, if you have Chromium installed, you can use the <code>programs.captive-browser.enable</code> Chromium wrapper, which is "Dedicated Chrome instance to log into captive portals without messing with DNS settings".


== dnscrypt-proxy2 ==
== dnscrypt-proxy2 ==
Line 35: Line 44:
{
{
   # See https://wiki.nixos.org/wiki/Encrypted_DNS
   # See https://wiki.nixos.org/wiki/Encrypted_DNS
   services.dnscrypt-proxy2 = {
   services.dnscrypt-proxy = {
     enable = true;
     enable = true;
     # See https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
     # See https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
Line 64: Line 73:
   };
   };


   systemd.services.dnscrypt-proxy2.serviceConfig.StateDirectory = StateDirectory;
   systemd.services.dnscrypt-proxy.serviceConfig.StateDirectory = StateDirectory;
}
}
</syntaxhighlight>
</syntaxhighlight>
Line 72: Line 81:
=== Blocklist ===
=== Blocklist ===


Fetch a blocklist file (e.g. oisd) as a flake input:<syntaxhighlight lang="nix">
Fetch a blocklist file (e.g. oisd) as a flake input:
# flake.nix
{{file|flake.nix|nix|3=
 
{
{
   inputs = {
   inputs = {
Line 91: Line 99:
     };
     };
}
}
</syntaxhighlight><syntaxhighlight lang="nixos">
}}
<syntaxhighlight lang="nixos">
{ config, lib, pkgs, inputs, ... }:
{ config, lib, pkgs, inputs, ... }:
let
let
Line 102: Line 111:
in
in
{
{
   services.dnscrypt-proxy2.settings.blocked_names.blocked_names_file = blocklist_txt;
   services.dnscrypt-proxy.settings.blocked_names.blocked_names_file = blocklist_txt;
}
}


Line 112: Line 121:
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
{
{
   services.dnscrypt-proxy2 = {
   services.dnscrypt-proxy = {
     enable = true;
     enable = true;
     settings = {
     settings = {
Line 133: Line 142:
   networking.nameservers = [ "::1" ];
   networking.nameservers = [ "::1" ];


   services.dnscrypt-proxy2 = {
   services.dnscrypt-proxy = {
     enable = true;
     enable = true;
     settings = {
     settings = {
Line 219: Line 228:


To update digests get the TLS certificate that signs the responses and calculate the digest:
To update digests get the TLS certificate that signs the responses and calculate the digest:
<syntaxhighlight lang="bash">
<syntaxhighlight lang="console">
echo | openssl s_client -connect '1.1.1.1:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
$ echo | openssl s_client -connect '1.1.1.1:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
</syntaxhighlight>
</syntaxhighlight>
Or using <code>kdig</code> from <code>knot-dns</code>
Or using <code>kdig</code> from <code>knot-dns</code>
<syntaxhighlight lang="bash">
<syntaxhighlight lang="console">
kdig -d @1.1.1.1 +tls-ca +tls-host=one.one.one.one example.com
$ kdig -d @1.1.1.1 +tls-ca +tls-host=one.one.one.one example.com
</syntaxhighlight>
</syntaxhighlight>


[[Category:Networking]]
[[Category:Networking]]
[[Category:DNS]]
[[Category:DNS]]