From ac7e1c11231c120fa09fe1e9ef4c77a2255e9582 Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Sat, 3 Apr 2021 13:11:09 +0200
Subject: [PATCH] fuuko/dnsmasq: Use DNS over TLS via stubby

---
 machines/fuuko/services/dnsmasq.nix | 45 ++++++++++++++++++++++-------
 1 file changed, 34 insertions(+), 11 deletions(-)

diff --git a/machines/fuuko/services/dnsmasq.nix b/machines/fuuko/services/dnsmasq.nix
index 509221f..a586492 100644
--- a/machines/fuuko/services/dnsmasq.nix
+++ b/machines/fuuko/services/dnsmasq.nix
@@ -19,20 +19,43 @@
 dhcp-option=option:router,192.168.100.1
 '';
 servers = [
- # Digitalcourage
- "46.182.19.48"
- "2a02:2970:1002::18"
-
- # Hurricane Electric
- "74.82.42.42"
- "2001:470:20::2"
-
- # AS250
- "194.150.168.168"
- "2001:4ce8::53"
+ "127.0.0.1#5353"
+ "::1#5353"
 ];
 };
 
+ services.stubby = {
+ enable = true;
+ listenAddresses = [
+ "127.0.0.1@5353"
+ "0::1@5353"
+ ];
+ upstreamServers = (lib.concatMapStrings
+ (server: with server; " - { address_data: ${addr}, tls_auth_name: \"${authName}\" }\n")
+ (lib.flatten
+ (lib.mapAttrsToList
+ (authName: addrs: map (addr: { inherit addr authName; }) addrs)
+ {
+ "dns.digitale-gesellschaft.ch" = [
+ "185.95.218.42"
+ "185.95.218.43"
+ "2a05:fc84::42"
+ "2a05:fc84::43"
+ ];
+ "dns3.digitalcourage.de" = [
+ "5.9.164.112"
+ ];
+ "dnsovertls.sinodun.com" = [
+ "145.100.185.15"
+ "2001:610:1:40ba:145:100:185:15"
+ ];
+ "dnsovertls1.sinodun.com" = [
+ "145.100.185.16"
+ "2001:610:1:40ba:145:100:185:16"
+ ];
+ }))));
+ };
+
 networking.firewall.allowedUDPPorts = [ 53 67 ];
 networking.firewall.allowedTCPPorts = [ 53 ];
 }
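Review bot: The new `services.stubby` block gives every upstream a `tls_auth_name` but never pins the authentication mode, so whether a failed certificate or hostname check fails closed or degrades to opportunistic TLS depends on the module default; set it explicitly next to `enable = true;` with `services.stubby.authenticationMode = "GETDNS_AUTHENTICATION_REQUIRED";` (if I recall correctly that is already the module's default, but stating it keeps the intent intact if the default ever changes). The provider attribution comments dropped from `servers` now live only in the attribute keys, so a one-line comment above `upstreamServers` such as `# YAML list consumed by stubby; each key is the TLS auth name verified against the upstream certificate` would help the next reader. `with server;` over a two-field set is a minor style nit — destructuring as `({ addr, authName }: ...)` expresses the same without an implicit scope. The enclosing module attribute set starts before this hunk.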