M nixos/systems/blowhole/firewall.nix => nixos/systems/blowhole/firewall.nix +13 -27
@@ 29,38 29,24 @@ in
# "net.ipv6.conf.${name}.autoconf" = 1;
};
- services.stubby = {
+ services.dnscrypt-proxy2 = {
enable = true;
- logLevel = 7;
+ upstreamDefaults = true;
settings = {
- resolution_type = "GETDNS_RESOLUTION_STUB";
- dns_transport_list = [
- "GETDNS_TRANSPORT_TLS"
- ];
- tls_authentication = "GETDNS_AUTHENTICATION_REQUIRED";
- tls_query_padding_blocksize = 256;
- edns_client_subnet_private = 1;
- idle_timeout = 10000;
- listen_addresses = [
- "127.0.0.1@5353"
- ];
- dnssec_return_status = "GETDNS_EXTENSION_TRUE";
- appdata_dir = "/var/cache/stubby";
- round_robin_upstreams = 1;
- upstream_recursive_servers = [
- {
- address_data = "9.9.9.9";
- tls_auth_name = "dns.quad9.net";
- }
- {
- address_data = "149.112.112.112";
- tls_auth_name = "dns.quad9.net";
- }
- ];
+ listen_addresses = [ "127.0.0.1:5353" ];
+
+ dnscrypt_servers = false;
+ doh_servers = true;
+ odoh_servers = false;
+
+ block_ipv6 = true;
+
+ static."mullvad".stamp = "sdns://AgcAAAAAAAAAAAAPZG9oLm11bGx2YWQubmV0Ci9kbnMtcXVlcnk";
+ sources = {};
};
};
- systemd.services.stubby = {
+ systemd.services.dnscrypt-proxy2 = {
before = [ "network-online.target" ];
};
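Review bot: Nothing in the new settings pins resolution to the `mullvad` static entry, so the proxy remains free to choose any other resolver it knows about, and the `sources = {};` line may not remove the upstream source list: if `upstreamDefaults = true` merges the package's example config with `lib.recursiveUpdate` (as I believe the NixOS module does), an empty attrset merges to nothing and the example's `sources.public-resolvers` survives. One line makes the intent explicit whatever the merge does: `server_names = [ "mullvad" ];` beside the static entry. The stamp decodes to a DoH stamp for `doh.mullvad.net` with path `/dns-query`, the DNSSEC/NoLog/NoFilter property bits set and no certificate hashes, so trust rests on the system CA bundle; a comment such as `# DoH stamp for doh.mullvad.net/dns-query — no cert pin, relies on system CAs` above it would save the next reader a decode. The configuration set these lines belong to starts before the hunk.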