
System and user configuration, managed by nix and home-manager

nano: enable DNS over TLS with systemd-resolved
Alan Pearce alan@alanpearce.eu
Sat, 15 Feb 2025 22:48:30 +0100
commit

5b39acfa25c4e509572aafb5a21e76d269a2c178

parent

be398db0342e4a5eab60f2afd613be8322cf4940

1 files changed, 10 insertions(+), 10 deletions(-)

M system/nano.nixsystem/nano.nix
@@ -59,11 +59,11 @@ hosts = {
       "fd7a:115c:a1e0::53" = [ "tailscale" "ts" ];
       "192.168.100.1" = [ "modem" "pyur" ];
     };
-    nameservers = [
-      "2620::fe:fe"
-      "2620::fe:9"
-      "9.9.9.9"
-      "149.112.112.112"
+    nameservers = map (ns: "${ns}#dns11.quad9.net") [
+      "9.9.9.11"
+      "149.112.112.11"
+      "2620:fe::11"
+      "2620:fe::fe:11"
     ];
     firewall = {
       trustedInterfaces = [
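Review bot: The `#dns11.quad9.net` suffix that the `map` on L28 appends is doing security-critical work the code does not explain: per the systemd-resolved documentation for `DNS=`, the server certificate is only verified (and SNI only sent) when a hostname follows `#`, so a bare IP in this list would still negotiate TLS under `DNSOverTLS` but accept any certificate. A comment above the `map` would stop a later edit from dropping it, e.g. `# The #hostname suffix is required: resolved only verifies the DoT certificate when a name is present.` Note also that moving from 9.9.9.9 / 2620:fe::fe to the dns11 addresses selects Quad9's EDNS-Client-Subnet-enabled service, which forwards part of the client network to authoritative servers; if that trade-off is deliberate, record it on the same comment, otherwise the non-ECS addresses with `#dns.quad9.net` keep the privacy profile of the old list.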
@@ -141,6 +141,9 @@ IPv6AcceptRA = true;
           IPv4Forwarding = true;
           LLMNR = false;
           MulticastDNS = false;
+          DNSDefaultRoute = true;
+          DNS = config.networking.nameservers;
+          DNSOverTLS = true;
         };
         dhcpV4Config = {
           UseDNS = false;
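Review bot: `DNSOverTLS = true` on L41 puts every server attached to this link into strict mode, but only `dhcpV4Config.UseDNS = false` (L44) is visible; with `IPv6AcceptRA = true` in the hunk header context, RDNSS servers advertised by the upstream router would presumably land on the same link unless `ipv6AcceptRAConfig.UseDNS = false;` (and `dhcpV6Config.UseDNS = false;` if DHCPv6 runs here) is set in the part of this network block outside the hunk. Such servers arrive without a `#hostname`, so resolved has nothing to verify their certificate against and they would either fail strict TLS or be used unauthenticated. `DNS = config.networking.nameservers` on L40 duplicates the global list NixOS already derives from the same option; a one-line comment such as `# Per-link copy so DNSDefaultRoute sends all queries via this link over DoT` would make the intent clear. The enclosing networkd network block starts and ends outside the hunk.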
@@ -180,13 +183,12 @@ };
   services.resolved = {
     enable = true;
     llmnr = "false";
-    fallbackDns = config.networking.nameservers;
   };
 
   services.dnsmasq = {
     enable = dnsmasqEnable;
     alwaysKeepRunning = true;
-    resolveLocalQueries = true;
+    resolveLocalQueries = false;
     settings = {
       inherit domain;
       interface = lan;
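Review bot: Dropping `fallbackDns` on L48 hands resolved back its compiled-in `FallbackDNS=` list (systemd's default points at third-party public resolvers, not Quad9), and nothing in this `services.resolved` block sets `dnsovertls` or `dnssec`, so the global mode for those fallbacks and for the `DNS=` list NixOS derives from `networking.nameservers` stays at the NixOS defaults rather than the strict DoT configured per link in this commit. To keep every upstream query on the authenticated Quad9 channel add `fallbackDns = [ ];` and `dnsovertls = "true";` next to `llmnr = "false";` on L47. If the global `DNSOverTLS` is set elsewhere in the file this is moot, but it is not visible in the hunk.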
@@ -204,9 +206,7 @@ quiet-dhcp6 = true;
       quiet-ra = true;
       enable-ra = true;
 
-      dnssec = true;
-      trust-anchor = ".,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
-      server = config.networking.nameservers;
+      server = [ "127.0.0.53" ];
 
       expand-hosts = true;
       localise-queries = true;
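Review bot: Removing `dnssec = true` and the root trust anchor on L62–L63 ends local DNSSEC validation, and nothing in this commit re-enables it in resolved, so LAN clients behind dnsmasq now depend entirely on Quad9 validating upstream plus the TLS channel to it; that is a defensible design, but it should be stated where the next reader looks. Add above `server = [ "127.0.0.53" ];`: `# Forward to the systemd-resolved stub; DNSSEC validation is delegated to Quad9 over DoT, not done locally.` If local validation is wanted instead, `services.resolved.dnssec = "true";` would restore it, at the cost of resolved's validator being stricter about broken zones than dnsmasq was. The enclosing `settings` attribute set continues outside the hunk.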