nixos-config/machines/fuuko/services/dnsmasq.nix

{ config, lib, pkgs, ... }:

{
  services.dnsmasq = {
    enable = true;

    extraConfig = ''
      bogus-priv # do not forward revese lookups of internal addresses
      domain-needed # do not forward names without domain
      local-service # only respond to queries from local network
      no-hosts # do not resolve hosts from /etc/hosts
      no-resolv # only use explicitly configured resolvers

      cache-size=10000

      server=/fritz.box/192.168.100.1

      domain=home.sbruder.de

      dhcp-range=192.168.100.20,192.168.100.150,12h
      dhcp-option=option:router,192.168.100.1
    '';
    servers = [
      "9.9.9.9" # dns.quad9.net
      "2620:fe::fe"
      "194.150.168.168" # dns.as250.net
    ];
  };

  # Make `local-service` work (requires network interface with all addresses)
  systemd.services.dnsmasq = {
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
  };

  services.prometheus.exporters.dnsmasq = {
    enable = true;
    listenAddress = config.sbruder.wireguard.home.address;
    leasesPath = "/var/lib/dnsmasq/dnsmasq.leases";
  };

  networking.firewall.allowedUDPPorts = [ 53 67 ];
  networking.firewall.allowedTCPPorts = [ 53 ];
}
fuuko/dnsmasq: Replace stubby/DoT with https-dns-proxy/DoH 2021-04-10 20:16:08 +02:00			`{ config, lib, pkgs, ... }:`
fuuko: Add dnsmasq 2021-03-06 17:11:36 +01:00
			`{`
			`services.dnsmasq = {`
			`enable = true;`

			`extraConfig = ''`
			`bogus-priv # do not forward revese lookups of internal addresses`
			`domain-needed # do not forward names without domain`
			`local-service # only respond to queries from local network`
			`no-hosts # do not resolve hosts from /etc/hosts`
			`no-resolv # only use explicitly configured resolvers`

fuuko/dnsmasq: Increase cache size 2021-08-29 18:56:00 +02:00			`cache-size=10000`

fuuko: Add dnsmasq 2021-03-06 17:11:36 +01:00			`server=/fritz.box/192.168.100.1`

			`domain=home.sbruder.de`

			`dhcp-range=192.168.100.20,192.168.100.150,12h`
			`dhcp-option=option:router,192.168.100.1`
			`'';`
			`servers = [`
dnsmasq: Add quad9 DNS servers Thanks Sony Music for bringing this to my attention. 2021-08-31 09:55:51 +02:00			`"9.9.9.9" # dns.quad9.net`
			`"2620:fe::fe"`
fuuko: Use plain DNS again DNS over HTTPS often is unreliable in practice (did not empirically test this). 2021-07-25 23:07:41 +02:00			`"194.150.168.168" # dns.as250.net`
fuuko/dnsmasq: Use DNS over TLS via stubby 2021-04-03 13:11:09 +02:00			`];`
			`};`
fuuko: Add dnsmasq 2021-03-06 17:11:36 +01:00
fuuko/dnsmasq: Reliably work after reboot 2021-04-10 23:23:46 +02:00			# Make `local-service` work (requires network interface with all addresses)
			`systemd.services.dnsmasq = {`
			`after = [ "network-online.target" ];`
			`wants = [ "network-online.target" ];`
			`};`

fuuko: Add dnsmasq prometheus exporter 2021-04-05 13:18:43 +02:00			`services.prometheus.exporters.dnsmasq = {`
			`enable = true;`
fuuko: Bind exporters to vpn address 2022-03-25 22:11:28 +01:00			`listenAddress = config.sbruder.wireguard.home.address;`
fuuko: Add dnsmasq prometheus exporter 2021-04-05 13:18:43 +02:00			`leasesPath = "/var/lib/dnsmasq/dnsmasq.leases";`
			`};`

fuuko: Add dnsmasq 2021-03-06 17:11:36 +01:00			`networking.firewall.allowedUDPPorts = [ 53 67 ];`
fuuko/dnsmasq: Allow DNS queries over TCP Sharepoint manages to return enormous responses when querying for an AAAA record. $ dig sitename.sharepoint.com AAAA ;; Truncated, retrying in TCP mode. 2021-03-10 09:13:37 +01:00			`networking.firewall.allowedTCPPorts = [ 53 ];`
fuuko: Add dnsmasq 2021-03-06 17:11:36 +01:00			`}`