Encrypted DNS: Difference between revisions

m hasIPv6Internet isn't a config option, it's just a variable
Add dnsproxy
'''Encrypted DNS''' protocols aim to address this hole by encrypting queries and responses in transit between DNS resolvers and clients; the most widely deployed ones are [[wikipedia:DNS over HTTPS|DNS over HTTPS]] (DoH), [[wikipedia:DNS over TLS|DNS over TLS]] (DoT), and [https://dnscrypt.info/ DNSCrypt].


NixOS has modules for multiple encrypted DNS proxies, including [https://github.com/DNSCrypt/dnscrypt-proxy dnscrypt-proxy 2], [https://github.com/AdguardTeam/dnsproxy dnsproxy] and [https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby Stubby]. <code>services.dnscrypt-proxy2</code> is generally recommended, as it has the widest protocol and feature support, and is written in a memory-safe language. For DNS over TLS (DoT) support, <code>services.dnsproxy</code> can be used. A detailed comparison of DNS proxies can be found on the [https://wiki.archlinux.org/title/Domain_name_resolution#DNS_servers ArchLinux Wiki].


== Setting nameservers ==


Note that you can still access the other DNS server locally through the non-loopback interface (e.g. by using your server's external IP).
== dnsproxy ==
dnsproxy is a simple DNS proxy server with the widest protocol support.
=== Example configuration ===
<syntaxhighlight lang="nix">
{
  services.dnsproxy = {
    enable = true;
    settings = {
      # Upstream resolvers. Plain DNS, DNS over TLS and DNS over HTTPS
      # entries can be mixed in one list; a Nix attribute set cannot
      # define `upstream` more than once. Note that dnsproxy spreads
      # queries across all listed upstreams, so keeping the plain-DNS
      # entry means some queries still leave the host unencrypted.
      upstream = [
        # Plain DNS upstream
        "1.1.1.1:53"
        # DNS over TLS upstream
        "tls://dns.adguard.com"
        # DNS over HTTPS upstream
        "https://dns.adguard.com/dns-query"
      ];
      # Addresses to listen on (0.0.0.0 binds every interface)
      listen-addrs = [ "0.0.0.0" ];
      # Plain DNS server
      listen-ports = [ 53 ];
      # DNS over TLS server
      tls-port = [ 853 ];
      # DNS over HTTPS server
      https-port = [ 443 ];
      # Certificate and key for the encrypted DNS listeners
      tls-crt = "/var/lib/acme/example.org/fullchain.pem";
      tls-key = "/var/lib/acme/example.org/key.pem";
    };
    # Additional launch flags
    flags = [ "--verbose" ];
  };
}
</syntaxhighlight>
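The configuration above binds a plain-DNS listener on every interface, which on a host with a public address amounts to an open resolver that anyone on the internet can query. The following is an added example, not taken from this wiki page or from the dnsproxy project, of the more common workstation setup: a loopback-only stub resolver that forwards exclusively over encrypted upstreams and is used as the system's own nameserver. It assumes the dnsproxy configuration keys <code>bootstrap</code> and <code>cache</code> as documented in dnsproxy's <code>config.yaml.dist</code>, and the NixOS option <code>networking.nameservers</code>.

```nix
{
  services.dnsproxy = {
    enable = true;
    settings = {
      # Only encrypted upstreams: with no plain-DNS entry in the list,
      # no query leaves this host in cleartext.
      upstream = [
        "tls://dns.adguard.com"
        "https://dns.adguard.com/dns-query"
      ];
      # Plain resolver used solely to look up the upstream hostnames
      # above, so that the proxy can start without a working system
      # resolver (key assumed from dnsproxy's config.yaml.dist).
      bootstrap = [ "1.1.1.1:53" ];
      # Bind to loopback only: this instance is a stub resolver for the
      # local machine, not a service offered to the network.
      listen-addrs = [ "127.0.0.1" "::1" ];
      listen-ports = [ 53 ];
      # Cache answers locally to cut round trips to the upstreams
      # (key assumed from dnsproxy's config.yaml.dist).
      cache = true;
    };
  };

  # Make the system resolver use the local proxy.
  networking.nameservers = [ "127.0.0.1" "::1" ];
}
```

Because the listener is on loopback, no firewall rule is needed for it; if you do want to offer DoT or DoH to other machines, add the <code>tls-port</code>/<code>https-port</code> listeners and certificate paths from the example above and keep the plain port 53 listener restricted to trusted networks.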


== Stubby ==