Encrypted DNS: Difference between revisions

Tie-ling
Secure DNS and Captive Portal
m from `services.dnscrypt-proxy2` to `services.dnscrypt-proxy` https://search.nixos.org/options?channel=unstable&show=services.dnscrypt-proxy.configFile&query=dnscrypt-proxy
 
(One intermediate revision by the same user not shown)
Line 3: Line 3:
'''Encrypted DNS''' protocols aim to address this hole by encrypting queries and responses in transit between DNS resolvers and clients; the most widely deployed ones are [[wikipedia:DNS over HTTPS|DNS over HTTPS]] (DoH), [[wikipedia:DNS over TLS|DNS over TLS]] (DoT), and [https://dnscrypt.info/ DNSCrypt].
'''Encrypted DNS''' protocols aim to address this hole by encrypting queries and responses in transit between DNS resolvers and clients; the most widely deployed ones are [[wikipedia:DNS over HTTPS|DNS over HTTPS]] (DoH), [[wikipedia:DNS over TLS|DNS over TLS]] (DoT), and [https://dnscrypt.info/ DNSCrypt].


NixOS has modules for multiple encrypted DNS proxies, including [https://github.com/DNSCrypt/dnscrypt-proxy dnscrypt-proxy 2], [https://github.com/AdguardTeam/dnsproxy dnsproxy] and [https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby Stubby]. <code>services.dnscrypt-proxy2</code> is generally recommended, as it has the widest protocol and feature support, and is written in a memory-safe language. For DNS over TLS (DoT) support, <code>services.dnsproxy</code> can be used. Detailed comparison of DNS proxies can be found on [https://wiki.archlinux.org/title/Domain_name_resolution#DNS_servers ArchLinux Wiki].
NixOS has modules for multiple encrypted DNS proxies, including [https://github.com/DNSCrypt/dnscrypt-proxy dnscrypt-proxy 2], [https://github.com/AdguardTeam/dnsproxy dnsproxy] and [https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby Stubby]. <code>services.dnscrypt-proxy</code> is generally recommended, as it has the widest protocol and feature support, and is written in a memory-safe language. For DNS over TLS (DoT) support, <code>services.dnsproxy</code> can be used. Detailed comparison of DNS proxies can be found on [https://wiki.archlinux.org/title/Domain_name_resolution#DNS_servers ArchLinux Wiki].


== Setting nameservers ==
== Setting nameservers ==
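Review bot: the rename to <code>services.dnscrypt-proxy</code> in this paragraph matches the edit summary, but that summary links the option search for the unstable channel only; readers on a stable NixOS release may still have the module under <code>services.dnscrypt-proxy2</code>, so a short note stating from which NixOS version the option carries the new name (or keeping the old name in parentheses) would save them a failed evaluation. The link text "dnscrypt-proxy 2" and the repository URL are unchanged, which is correct since they name the upstream project rather than the option.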
Line 44: Line 44:
{
{
   # See https://wiki.nixos.org/wiki/Encrypted_DNS
   # See https://wiki.nixos.org/wiki/Encrypted_DNS
   services.dnscrypt-proxy2 = {
   services.dnscrypt-proxy = {
     enable = true;
     enable = true;
     # See https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
     # See https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
Line 73: Line 73:
   };
   };


   systemd.services.dnscrypt-proxy2.serviceConfig.StateDirectory = StateDirectory;
   systemd.services.dnscrypt-proxy.serviceConfig.StateDirectory = StateDirectory;
}
}
</syntaxhighlight>
</syntaxhighlight>
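Review bot: the changed line <code>systemd.services.dnscrypt-proxy.serviceConfig.StateDirectory = StateDirectory;</code> assumes the systemd unit was renamed together with the NixOS option; the option path and the unit name are separate identifiers, so please confirm in the module that the service is now defined as <code>dnscrypt-proxy</code> rather than <code>dnscrypt-proxy2</code>. If the unit name still differs, this override silently defines a new, unused service with a StateDirectory while the real unit keeps its default, and nothing in the evaluation flags the mismatch.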
Line 111: Line 111:
in
in
{
{
   services.dnscrypt-proxy2.settings.blocked_names.blocked_names_file = blocklist_txt;
   services.dnscrypt-proxy.settings.blocked_names.blocked_names_file = blocklist_txt;
}
}


Line 121: Line 121:
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
{
{
   services.dnscrypt-proxy2 = {
   services.dnscrypt-proxy = {
     enable = true;
     enable = true;
     settings = {
     settings = {
Line 142: Line 142:
   networking.nameservers = [ "::1" ];
   networking.nameservers = [ "::1" ];


   services.dnscrypt-proxy2 = {
   services.dnscrypt-proxy = {
     enable = true;
     enable = true;
     settings = {
     settings = {