# NixOS module: route all local DNS through dnscrypt-proxy2 listening on
# loopback, and stop every other component from rewriting resolv.conf.
{ lib, ... }:
{
  # --- System resolver: point at the local proxy only ----------------------
  # Every name lookup on the host goes to 127.0.0.1 / ::1. The remaining
  # options in this group keep NetworkManager and dhcpcd from replacing those
  # entries with DHCP-supplied servers.
  networking.nameservers = [ "127.0.0.1" "::1" ];
  networking.networkmanager.dns = lib.mkForce "none";
  #networking.resolvconf.enable = lib.mkForce false;
  networking.resolvconf.useLocalResolver = true;
  networking.dhcpcd.extraConfig = "nohook resolv.conf";

  # --- Dedicated service account -------------------------------------------
  # Create a user for matching egress on it in the firewall.
  # NOTE(review): the firewall rule itself is not defined in this file; the
  # setup only restricts outbound DNS if such a rule exists elsewhere.
  systemd.services.dnscrypt-proxy2.serviceConfig.User = "dnscrypt-proxy2";

  users = {
    groups.dnscrypt-proxy2 = { };
    users.dnscrypt-proxy2 = {
      group = "dnscrypt-proxy2";
      isSystemUser = true;
    };
  };

  services = {
    # systemd-resolved is switched off; the proxy below takes its place.
    resolved.enable = false;

    dnscrypt-proxy2 = {
      enable = true;

      # Settings not listed here are taken from the upstream example file:
      # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
      upstreamDefaults = true;

      settings = {
        # -- Which upstream resolvers may be used ---------------------------
        dnscrypt_servers = true;
        doh_servers = true;
        ipv4_servers = true;
        ipv6_servers = true;

        # These three filter on properties the resolver operators declare in
        # the signed list; the proxy has no way to audit a no-log claim.
        require_dnssec = true;
        require_nofilter = true;
        require_nolog = true;

        # NOTE(review): presumably matched by list entry name. Other entries
        # run by the same operator (IPv6 variants, for example) would need
        # their own names here; confirm against the resolver list.
        disabled_server_names = [ "cloudflare" ];

        # -- Resolver list source -------------------------------------------
        # The list is fetched from either URL and checked against
        # minisign_key, so the key (not the HTTPS host) is the trust anchor
        # for which servers the proxy will talk to.
        sources = {
          public-resolvers = {
            cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";
            minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
            urls = [
              "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
              "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
            ];
          };
        };

        # -- Bootstrap lookups ----------------------------------------------
        # Plain DNS on port 53, unencrypted. With ignore_system_dns = true
        # the proxy uses these instead of the system resolver for its own
        # start-up lookups, so the hostnames it resolves this way are visible
        # on the wire to these two providers and anyone on the path.
        # NOTE(review): newer dnscrypt-proxy releases call this option
        # bootstrap_resolvers; check it against the packaged version.
        fallback_resolvers = [
          "9.9.9.9:53" # Quad9
          "8.8.8.8:53" # Google
        ];
        ignore_system_dns = true;
        netprobe_timeout = 60;

        # -- Transport and limits -------------------------------------------
        cache = true;
        force_tcp = false;
        max_clients = 250;
        timeout = 5000;
        #proxy = "socks5://127.0.0.1:9050";

        # -- Logging ----------------------------------------------------------
        # query_log records every query the proxy answers. Writing it to
        # stdout presumably lands it in the service's journal, so journal
        # read access and retention decide who can see the host's DNS history.
        log_level = 2;
        use_syslog = true;
        query_log.file = "/dev/stdout";
        query_log.format = "tsv";
        query_log.ignored_qtypes = [ ];
      };
    };
  };
}