# NixOS module: make dnscrypt-proxy2 the only resolver this host talks to, run it
# under a dedicated static user, and restrict outbound DNS in nftables to that user.
{ pkgs, lib, config, ... }:
{
  networking = {
    # Neither NetworkManager nor dhcpcd may rewrite resolv.conf from a lease;
    # the host resolves exclusively via the local dnscrypt-proxy2 listener.
    networkmanager.dns = lib.mkForce "none";
    # NOTE(review): "::1" is only useful if the proxy also listens on [::1]:53;
    # with upstreamDefaults the listen address presumably is 127.0.0.1:53 only — confirm.
    nameservers = [ "127.0.0.1" "::1" ];
    #resolvconf.enable = lib.mkForce false;
    resolvconf.useLocalResolver = true;
    dhcpcd.extraConfig = "nohook resolv.conf";
  };

  # Create a user for matching egress on it in the firewall
  # (the nftables rules below match on this uid via `skuid`).
  # NOTE(review): if the upstream module enables DynamicUser for this unit, a static
  # User= may conflict with it — confirm the unit starts with this uid, and whether
  # `DynamicUser = lib.mkForce false` is needed alongside it.
  systemd.services.dnscrypt-proxy2.serviceConfig.User = "dnscrypt-proxy2";
  users.users.dnscrypt-proxy2 = {
    isSystemUser = true;
    group = "dnscrypt-proxy2";
  };
  users.groups.dnscrypt-proxy2 = { };

  services.dnscrypt-proxy2 = {
    enable = true;
    # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
    upstreamDefaults = true;
    settings = {
      # Plain-DNS (port 53, unencrypted) resolvers used only to look up the resolver-list
      # hosts before an encrypted server is available; this is the traffic the
      # "dnscrypt-proxy2: DNS" nftables rule below exists for.
      bootstrap_resolvers = [
        "9.9.9.9:53" # Quad9
        "8.8.8.8:53" # Google
      ];
      cache = true;
      cloaking_rules =
        # ExplanationNote: DNSSEC does not work for NTP servers
        # on machine with a clock set to far in the past.
        # Cloaked names are answered locally from the static addresses below and
        # never reach an upstream resolver, so they bypass DNSSEC entirely.
        # NOTE(review): this is a snapshot of pool addresses and will drift from the
        # live pool; stale entries silently pin NTP to hosts that may no longer serve
        # time — review the list periodically.
        pkgs.writeText "dnscrypt-proxy2-cloaking_rules" ''
          0.nixos.pool.ntp.org 77.104.162.218
          0.nixos.pool.ntp.org 129.250.35.250
          0.nixos.pool.ntp.org 176.58.109.199
          0.nixos.pool.ntp.org 213.210.39.123
          1.nixos.pool.ntp.org 192.33.214.57
          1.nixos.pool.ntp.org 31.3.135.232
          1.nixos.pool.ntp.org 212.25.15.128
          1.nixos.pool.ntp.org 109.233.182.115
          2.nixos.pool.ntp.org 195.58.34.161
          2.nixos.pool.ntp.org 81.0.208.219
          2.nixos.pool.ntp.org 81.200.57.13
          2.nixos.pool.ntp.org 188.124.59.142
          2.nixos.pool.ntp.org 2606:4700:f1::123
          2.nixos.pool.ntp.org 2001:470:6f:483::101
          2.nixos.pool.ntp.org 2001:67c:d74:66::71be
          2.nixos.pool.ntp.org 2001:718:801:230::8c
          3.nixos.pool.ntp.org 88.198.200.96
          3.nixos.pool.ntp.org 78.47.168.188
          3.nixos.pool.ntp.org 62.128.1.18
          3.nixos.pool.ntp.org 80.153.195.191
        '';
      disabled_server_names = [ "cloudflare" ];
      dnscrypt_servers = true;
      doh_servers = true;
      # NOTE(review): same list as bootstrap_resolvers; in upstream dnscrypt-proxy this is
      # presumably the older name for that setting — confirm the installed version still
      # needs it, otherwise drop one of the two.
      fallback_resolvers = [
        "9.9.9.9:53" # Quad9
        "8.8.8.8:53" # Google
      ];
      force_tcp = false;
      # Intentionally empty: no per-zone forwarding to unencrypted resolvers.
      forwarding_rules = pkgs.writeText "dnscrypt-proxy2-forwarding_rules" '''';
      # resolv.conf points back at this proxy, so using the system resolver for
      # bootstrapping would loop; bootstrap_resolvers is used instead.
      ignore_system_dns = true;
      ipv4_servers = true;
      ipv6_servers = true;
      log_level = 2;
      #proxy = "socks5://127.0.0.1:9050";
      max_clients = 250;
      netprobe_timeout = 60;
      # Every query is logged to the journal (stdout, TSV); nothing is excluded.
      query_log = {
        file = "/dev/stdout";
        format = "tsv";
        ignored_qtypes = [ ];
      };
      # Only list entries advertising DNSSEC, no filtering and no logging are eligible.
      require_dnssec = true;
      require_nofilter = true;
      require_nolog = true;
      # Public resolver list, fetched over HTTPS and verified against the pinned
      # minisign key before use; cached on disk so startup does not depend on the fetch.
      sources.public-resolvers = {
        urls = [
          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
        ];
        cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";
        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
      };
      timeout = 5000;
      use_syslog = true;
      # Names that must never leave the host (mDNS-style .local and the .sp suffix).
      blocked_names = {
        blocked_names_file = pkgs.writeText "dnscrypt-proxy2-blocked_names_file" ''
          *.local
          *.sp
        '';
        #log_file = 'dnscrypt-blacklist-domains.log'
        #log_format = 'tsv'
      };
    };
  };

  # Egress allow-list for the proxy's uid: plain DNS (udp/tcp 53, bootstrap) and DoH
  # (tcp 443). The `output-net` chain, its hook and its default policy are defined
  # elsewhere; this file only appends rules to it.
  # NOTE(review): DNSCrypt (as opposed to DoH) servers commonly use UDP 443 or other
  # non-53 ports, which these two rules do not cover — confirm against the chain's
  # policy whether such servers can actually be reached, or add a matching rule.
  networking.nftables.ruleset = ''
    table inet filter {
      chain output-net {
        meta l4proto { udp, tcp } th dport domain skuid ${config.users.users.dnscrypt-proxy2.name} counter accept comment "dnscrypt-proxy2: DNS"
        tcp dport https skuid ${config.users.users.dnscrypt-proxy2.name} counter accept comment "dnscrypt-proxy2: DNS over HTTPS"
      }
    }
  '';
}