DNSCrypt: Difference between revisions

From NixOS Wiki
imported>Makefu
add custom resolver
imported>Emily
article uses old version of dnscrypt-proxy; redirect to more generic article that has information on the Go rewrite
 
By default, DNS traffic is neither encrypted nor authenticated, so some countries or providers tamper with the results of domain resolution. DNSCrypt authenticates and encrypts the hop between the client and a supporting resolver.
#REDIRECT [[Encrypted DNS]]
 
= Enable DNSCrypt =
 
The following snippet enables <code>dnscrypt-proxy</code> and makes it the default system resolver.
 
<syntaxhighlight lang="nix">{ # configuration.nix
  services.dnscrypt-proxy = {
    enable = true;
    # The official default resolver is unreliable from time to time.
    # Either pick a different, trustworthy one from the list at
    #   https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv
    # or set up your own (see below).
    #resolverName = "cs-de";
  };
  # Point the system resolver at the local proxy; without this, queries
  # keep going to the DHCP-supplied nameservers in cleartext.
  networking.nameservers = ["127.0.0.1"];
}</syntaxhighlight>
 
 
= DNSCrypt with custom resolver =
At some point you may want to run your own resolver for privacy, functionality or stability reasons. Setting up <code>dnscrypt-wrapper</code> is straightforward on NixOS.
 
 
 
== Server Configuration ==
Put this in <code>dnscrypt-server.nix</code> and import it from your <code>configuration.nix</code>:
<syntaxhighlight lang="nix">
{ config, ... }:
let
  port = 15200;
in {
  services.dnscrypt-wrapper = {
    enable = true;
    # Listen on all interfaces; narrow this to the public address if the
    # machine has interfaces that should not serve DNSCrypt.
    address = "0.0.0.0";
    # Only the client-to-wrapper hop is encrypted: the wrapper forwards to this
    # upstream in cleartext, so pick an upstream you trust with your query log.
    upstream.address = "8.8.8.8";
    # Must start with "2.dnscrypt-cert."; clients configure the same name.
    providerName = "2.dnscrypt-cert.<your server name>";
    inherit port;
  };
  # dnscrypt-wrapper serves both UDP and TCP on this port.
  networking.firewall.allowedUDPPorts = [ port ];
  networking.firewall.allowedTCPPorts = [ port ];
}
</syntaxhighlight>
 
== Client Configuration ==
Put this in <code>dnscrypt-client.nix</code> and import it from your <code>configuration.nix</code>:
<syntaxhighlight lang="nix">
{ ... }:
let
  customResolver = {
    address = "<your server ip>";  # the wrapper's public IP, as a string
    port = 15200;
    # Must match providerName on the server.
    name = "2.dnscrypt-cert.<your server name>";
    # Provider public key fingerprint (16 groups of 4 hex digits). Log into the
    # server and run this in /var/lib/dnscrypt-wrapper to print it:
    #   dnscrypt-wrapper --show-provider-publickey --provider-publickey-file public.key
    # Copy it over a channel you already trust (e.g. SSH), not over the DNS it
    # is meant to protect; the value below is a placeholder.
    key = "0000:1111:2222:3333:4444:5555:6666:7777:8888:9999:AAAA:BBBB:CCCC:DDDD:EEEE:FFFF";
  };
in {
  services.dnscrypt-proxy = {
    enable = true;
    inherit customResolver;
  };
  # Make the local proxy the only nameserver resolvconf writes out.
  networking.extraResolvconfConf = ''
    name_servers='127.0.0.1'
  '';
}
</syntaxhighlight>
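As an added example (not code from the NixOS modules or from dnscrypt-proxy), the Python script below checks a resolver entry before it is pinned in <code>customResolver</code>, whether the entry is a row of the <code>dnscrypt-resolvers.csv</code> list mentioned in the first section or your own wrapper: it validates the <code>2.dnscrypt-cert.</code> provider-name prefix, the <code>ip:port</code> resolver address and the 16x4 hex fingerprint, renders the Nix attribute set, and compares the fingerprint printed by <code>dnscrypt-wrapper --show-provider-publickey</code> with the configured key. The CSV column names follow the layout of that file; the rows, the 192.0.2.0/24 addresses and the wrapper output are constructed for the demonstration.

```python
"""Sanity-check a DNSCrypt (v1 protocol) resolver entry before pinning it in
services.dnscrypt-proxy.customResolver.

Added example, not code from NixOS or dnscrypt-proxy.  Column names follow the
layout of dnscrypt-resolvers.csv; every row below is constructed.
"""
import csv
import io
import ipaddress
import re

# A provider public key is shown as 16 colon-separated groups of 4 hex digits,
# i.e. a 32-byte Ed25519 key.  A typo here means "no DNS" rather than
# "wrong DNS": dnscrypt-proxy refuses certificates not signed by this key.
FINGERPRINT_RE = re.compile(r"(?:[0-9A-Fa-f]{4}:){15}[0-9A-Fa-f]{4}")
PROVIDER_PREFIX = "2.dnscrypt-cert."

# Constructed sample rows in the column layout of dnscrypt-resolvers.csv.
SAMPLE_CSV = """\
Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
example-ok,Example resolver,constructed,Nowhere,,https://example.invalid,1,yes,yes,no,192.0.2.10:15200,2.dnscrypt-cert.example.invalid,0000:1111:2222:3333:4444:5555:6666:7777:8888:9999:AAAA:BBBB:CCCC:DDDD:EEEE:FFFF,
example-badname,Missing prefix,constructed,Nowhere,,https://example.invalid,1,yes,yes,no,192.0.2.11:443,dnscrypt-cert.example.invalid,0000:1111:2222:3333:4444:5555:6666:7777:8888:9999:AAAA:BBBB:CCCC:DDDD:EEEE:FFFF,
example-badkey,Truncated key,constructed,Nowhere,,https://example.invalid,1,yes,yes,no,192.0.2.12:443,2.dnscrypt-cert.example.invalid,0000:1111:2222:3333,
"""


def parse_fingerprint(text):
    """Return the 32 raw key bytes for a colon-separated fingerprint, else raise."""
    fp = text.strip()
    if not FINGERPRINT_RE.fullmatch(fp):
        raise ValueError(f"not a 16x4 hex fingerprint: {fp!r}")
    return bytes.fromhex(fp.replace(":", ""))


def split_address(addr):
    """Split 'ip:port' or '[ipv6]:port' into (ip, port); reject hostnames."""
    host, sep, port = addr.strip().rpartition(":")
    if not sep or host.startswith("[") != host.endswith("]"):
        raise ValueError(f"resolver address must be ip:port: {addr!r}")
    host = host.strip("[]")
    ipaddress.ip_address(host)  # raises ValueError for hostnames or garbage
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return host, port


def check_resolver(entry):
    """Return a list of problems with one CSV row (empty list means usable)."""
    problems = []
    if not entry["Provider name"].strip().startswith(PROVIDER_PREFIX):
        problems.append(f"provider name lacks the {PROVIDER_PREFIX} prefix")
    for field, fn in (("Resolver address", split_address),
                      ("Provider public key", parse_fingerprint)):
        try:
            fn(entry[field])
        except ValueError as exc:
            problems.append(f"{field}: {exc}")
    return problems


def load_resolvers(csv_text):
    """Index the resolver list by its short Name (the resolverName value)."""
    return {row["Name"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def custom_resolver(csv_text, name):
    """Return the four customResolver fields for one entry, or raise."""
    entry = load_resolvers(csv_text)[name]
    problems = check_resolver(entry)
    if problems:
        raise ValueError("; ".join(problems))
    host, port = split_address(entry["Resolver address"])
    return {"address": host, "port": port,
            "name": entry["Provider name"].strip(),
            "key": entry["Provider public key"].strip().upper()}


def to_nix(resolver):
    """Render the attribute set to paste into dnscrypt-client.nix."""
    return ("customResolver = {\n"
            f'  address = "{resolver["address"]}";\n'
            f'  port = {resolver["port"]};\n'
            f'  name = "{resolver["name"]}";\n'
            f'  key = "{resolver["key"]}";\n'
            "};")


def key_matches(configured, wrapper_output):
    """True when the fingerprint found in the server's --show-provider-publickey
    output equals the configured key, ignoring case and surrounding text."""
    found = FINGERPRINT_RE.search(wrapper_output)
    if found is None:
        raise ValueError("no fingerprint in wrapper output")
    return parse_fingerprint(configured) == parse_fingerprint(found.group(0))


if __name__ == "__main__":
    print(to_nix(custom_resolver(SAMPLE_CSV, "example-ok")))
    for name, row in load_resolvers(SAMPLE_CSV).items():
        print(name, check_resolver(row) or "ok")
```

Run it with the real <code>dnscrypt-resolvers.csv</code> text in place of <code>SAMPLE_CSV</code> to pick a public resolver, or feed <code>key_matches</code> the output you copied from the server over SSH; a rejected entry raises rather than silently producing a <code>customResolver</code> that dnscrypt-proxy will refuse at startup.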

Latest revision as of 20:32, 17 April 2020
