DNSCrypt: Difference between revisions
imported>Fadenb m Syntaxhighlight |
imported>Makefu add custom resolver |
||
| Line 16: | Line 16: | ||
networking.nameservers = ["127.0.0.1"]; | networking.nameservers = ["127.0.0.1"]; | ||
}</syntaxhighlight> | }</syntaxhighlight> | ||
= DNSCrypt with custom resolver = | |||
At some point you want to run your own resolver for privacy/functionality/stability reasons. Setting up the <code>dnscrypt-wrapper</code> is straight forward in NixOS | |||
== Server Configuration == | |||
put this in <code>dnscrypt-server.nix</code> and import it your <code>configuration.nix</code>: | |||
<syntaxHighlight lang="nix"> | |||
{ config, ... }: | |||
let | |||
port = 15200; | |||
in { | |||
services.dnscrypt-wrapper = { | |||
enable = true; | |||
address = "0.0.0.0"; | |||
upstream.address = "8.8.8.8"; | |||
providerName = "2.dnscrypt-cert.<your server name>"; | |||
inherit port; | |||
}; | |||
networking.firewall.allowedUDPPorts = [ port ]; | |||
} | |||
</syntaxHighlight> | |||
== Client Configuration == | |||
put this in <code>dnscrypt-client.nix</code> and import it your configuration.nix: | |||
<syntaxHighlight lang="nix"> | |||
{ ... }: | |||
let | |||
customResolver = { | |||
address = <your server ip>; | |||
port = 15200; | |||
name = "2.dnscrypt-cert.<your server name>"; | |||
## log into the server and run this command in /var/lib/dnscrypt-wrapper | |||
# dnscrypt-wrapper --show-provider-publickey --provider-publickey-file public.key | |||
key = "0000:1111:2222:3333:4444:5555:6666:7777:8888:9999:AAAA:BBBB:CCCC:DDDD:EEEE:FFFF"; | |||
}; | |||
in { | |||
services.dnscrypt-proxy = { | |||
enable = true; | |||
inherit customResolver; | |||
}; | |||
networking.extraResolvconfConf = '' | |||
name_servers='127.0.0.1' | |||
''; | |||
} | |||
</syntaxHighlight> | |||
Revision as of 08:23, 4 September 2017
Usually DNS is not encrypted and unauthenticated by default. Some countries or provider may change the result of domain resolution.
Enable DNSCrypt
The following snippet will enable DNSCrypt and set it as the default system resolver.
{ # configuration.nix
services.dnscrypt-proxy = {
enable = true;
# the official default resolver is unreliable from time to time
# either use a different, trust-worthy one from here:
# https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv
# or setup your own.
#resolverName = "cs-de";
};
networking.nameservers = ["127.0.0.1"];
}
DNSCrypt with custom resolver
At some point you want to run your own resolver for privacy/functionality/stability reasons. Setting up the dnscrypt-wrapper is straight forward in NixOS
Server Configuration
put this in dnscrypt-server.nix and import it your configuration.nix:
{ config, ... }:
let
port = 15200;
in {
services.dnscrypt-wrapper = {
enable = true;
address = "0.0.0.0";
upstream.address = "8.8.8.8";
providerName = "2.dnscrypt-cert.<your server name>";
inherit port;
};
networking.firewall.allowedUDPPorts = [ port ];
}
Client Configuration
put this in dnscrypt-client.nix and import it your configuration.nix:
{ ... }:
let
customResolver = {
address = <your server ip>;
port = 15200;
name = "2.dnscrypt-cert.<your server name>";
## log into the server and run this command in /var/lib/dnscrypt-wrapper
# dnscrypt-wrapper --show-provider-publickey --provider-publickey-file public.key
key = "0000:1111:2222:3333:4444:5555:6666:7777:8888:9999:AAAA:BBBB:CCCC:DDDD:EEEE:FFFF";
};
in {
services.dnscrypt-proxy = {
enable = true;
inherit customResolver;
};
networking.extraResolvconfConf = ''
name_servers='127.0.0.1'
'';
}