{ config, lib, ... }:

{
  services.dnsmasq = {
    enable = true;

    extraConfig = ''
      bogus-priv # do not forward revese lookups of internal addresses
      domain-needed # do not forward names without domain
      local-service # only respond to queries from local network
      no-hosts # do not resolve hosts from /etc/hosts
      no-resolv # only use explicitly configured resolvers

      server=/fritz.box/192.168.100.1

      domain=home.sbruder.de

      dhcp-range=192.168.100.20,192.168.100.150,12h
      dhcp-option=option:router,192.168.100.1
    '';
    servers = [
      # Digitalcourage
      "46.182.19.48"
      "2a02:2970:1002::18"

      # Hurricane Electric
      "74.82.42.42"
      "2001:470:20::2"

      # AS250
      "194.150.168.168"
      "2001:4ce8::53"
    ];
  };

  networking.firewall.allowedUDPPorts = [ 53 67 ];
  networking.firewall.allowedTCPPorts = [ 53 ];
}