diff options
| author | Alan Pearce | 2025-02-15 22:48:30 +0100 |
|---|---|---|
| committer | Alan Pearce | 2025-02-15 22:48:30 +0100 |
| commit | 5b39acfa25c4e509572aafb5a21e76d269a2c178 (patch) | |
| tree | 256daeb81c74fcdddb66780997d29cd713c422e2 /system | |
| parent | be398db0342e4a5eab60f2afd613be8322cf4940 (diff) | |
| download | nixfiles-5b39acfa25c4e509572aafb5a21e76d269a2c178.tar.lz nixfiles-5b39acfa25c4e509572aafb5a21e76d269a2c178.tar.zst nixfiles-5b39acfa25c4e509572aafb5a21e76d269a2c178.zip | |
nano: enable DNS over TLS with systemd-resolved
Diffstat (limited to 'system')
| -rw-r--r-- | system/nano.nix | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/system/nano.nix b/system/nano.nix index d8f151e0..b9f32eaa 100644 --- a/system/nano.nix +++ b/system/nano.nix @@ -59,11 +59,11 @@ in "fd7a:115c:a1e0::53" = [ "tailscale" "ts" ]; "192.168.100.1" = [ "modem" "pyur" ]; }; - nameservers = [ - "2620::fe:fe" - "2620::fe:9" - "9.9.9.9" - "149.112.112.112" + nameservers = map (ns: "${ns}#dns11.quad9.net") [ + "9.9.9.11" + "149.112.112.11" + "2620:fe::11" + "2620:fe::fe:11" ]; firewall = { trustedInterfaces = [ @@ -141,6 +141,9 @@ in IPv4Forwarding = true; LLMNR = false; MulticastDNS = false; + DNSDefaultRoute = true; + DNS = config.networking.nameservers; + DNSOverTLS = true; }; dhcpV4Config = { UseDNS = false; @@ -180,13 +183,12 @@ in services.resolved = { enable = true; llmnr = "false"; - fallbackDns = config.networking.nameservers; }; services.dnsmasq = { enable = dnsmasqEnable; alwaysKeepRunning = true; - resolveLocalQueries = true; + resolveLocalQueries = false; settings = { inherit domain; interface = lan; @@ -204,9 +206,7 @@ in quiet-ra = true; enable-ra = true; - dnssec = true; - trust-anchor = ".,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D"; - server = config.networking.nameservers; + server = [ "127.0.0.53" ]; expand-hosts = true; localise-queries = true; |