fuuko/dnsmasq: Use DNS over TLS via stubby

2021-04-03 13:11:09 +02:00 · 2021-04-03 13:11:09 +02:00 · ac7e1c1123
parent 891697f80c
commit ac7e1c1123
1 changed files with 34 additions and 11 deletions
--- a/machines/fuuko/services/dnsmasq.nix
+++ b/machines/fuuko/services/dnsmasq.nix
@ -19,20 +19,43 @@
      dhcp-option=option:router,192.168.100.1
    '';
    servers = [
-      # Digitalcourage
-      "46.182.19.48"
-      "2a02:2970:1002::18"
-
-      # Hurricane Electric
-      "74.82.42.42"
-      "2001:470:20::2"
-
-      # AS250
-      "194.150.168.168"
-      "2001:4ce8::53"
+      "127.0.0.1#5353"
+      "::1#5353"
    ];
  };

+  services.stubby = {
+    enable = true;
+    listenAddresses = [
+      "127.0.0.1@5353"
+      "0::1@5353"
+    ];
+    upstreamServers = (lib.concatMapStrings
+      (server: with server; "  - { address_data: ${addr}, tls_auth_name: \"${authName}\" }\n")
+      (lib.flatten
+        (lib.mapAttrsToList
+          (authName: addrs: map (addr: { inherit addr authName; }) addrs)
+          {
+            "dns.digitale-gesellschaft.ch" = [
+              "185.95.218.42"
+              "185.95.218.43"
+              "2a05:fc84::42"
+              "2a05:fc84::43"
+            ];
+            "dns3.digitalcourage.de" = [
+              "5.9.164.112"
+            ];
+            "dnsovertls.sinodun.com" = [
+              "145.100.185.15"
+              "2001:610:1:40ba:145:100:185:15"
+            ];
+            "dnsovertls1.sinodun.com" = [
+              "145.100.185.16"
+              "2001:610:1:40ba:145:100:185:16"
+            ];
+          })));
+  };
+
  networking.firewall.allowedUDPPorts = [ 53 67 ];
  networking.firewall.allowedTCPPorts = [ 53 ];
 }