Encrypted DNS: Difference between revisions

← Older edit Newer edit →

VisualWikitext

@@ Line 27: / Line 27: @@
 == dnscrypt-proxy2 ==
-=== Example configuration ===
+=== Basic configuration ===
 <syntaxhighlight lang="nixos">
 let
    hasIPv6Internet = true;
+  StateDirectory = "dnscrypt-proxy";
 in
 {
+  # See https://nixos.wiki/wiki/Encrypted_DNS
    services.dnscrypt-proxy2 = {
      enable = true;
+    # See https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
      settings = {
-      # Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
-      ipv6_servers = hasIPv6Internet;
-      block_ipv6 = ! hasIPv6Internet;
-      require_dnssec = true;
        sources.public-resolvers = {
          urls = [
@@ Line 47: / Line 44: @@
            "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
          ];
-         cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";
+         minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; # See https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
-         minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+         cache_file = "/var/lib/${StateDirectory}/public-resolvers.md";
        };
+      # Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
+      ipv6_servers = config.custom.hasIPv6Internet;
+      block_ipv6 = ! (config.custom.hasIPv6Internet);
+      require_dnssec = true;
+      require_nolog = false;
+      require_nofilter = true;
        # If you want, choose a specific set of servers that come from your sources.
@@ Line 59: / Line 64: @@
    };
-   systemd.services.dnscrypt-proxy2.serviceConfig = {
+   systemd.services.dnscrypt-proxy2.serviceConfig.StateDirectory = StateDirectory;
-    StateDirectory = "dnscrypt-proxy";
-    # If you're trying to set up persistence with dnscrypt-proxy2 and it isn't working
-    # because of permission issues, try the following:
-    # StateDirectory = lib.mkForce "";
-    # ReadWritePaths = "/var/lib/dnscrypt-proxy"; # Cache directory for dnscrypt-proxy2, persist this
-  };
 }
 </syntaxhighlight>
@@ Line 71: / Line 70: @@
 See [https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml the upstream example configuration file] for more configuration options.
+BlocklistAdd a blocklist repo (e.g. oisd) as a flake input:<syntaxhighlight lang="nix">
+# flake.nix
+{
+  inputs = {
+    oisd = {
+      url = "github:sjhgvr/oisd";
+      flake = false;
+    };
+    # Your configuration
+  };
-==== Local network - Forwarding rules ====
+  outputs =
+    { self, nixpkgs, oisd, ... }@inputs:
+    {
+      # Your configuration
+    };
+}
+</syntaxhighlight><syntaxhighlight lang="nixos">
+{ config, lib, pkgs, inputs, ... }:
+let
+  blocklist_base = builtins.readFile "${inputs.oisd}/domainswild_big.txt";
+  extraBlocklist = '''';
+  blocklist_txt = pkgs.writeText "blocklist.txt" ''
+    ${extraBlocklist}
+    ${blocklist_base}
+  '';
+in
+{
+  services.dnscrypt-proxy2.settings.blocked_names.blocked_names_file = blocklist_txt;
+}
+</syntaxhighlight>
+=== Local network - Forwarding rules ===
 Maybe you'd like queries for your local domain to go to your router, and not to an upstream DNS resolver. By doing so, names of your local online devices can be found. For this you have to create a file with [https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-forwarding-rules.txt forwarding rules] which you then include in your config: