~magic_rb/dotfiles

6bab5c17078b5956756f120c27bf4fd373928265 — Magic_RB 8 months ago 2b70788
Switch out stubby for dnscrypt-proxy2

Signed-off-by: Magic_RB <magic_rb@redalder.org>
1 files changed, 13 insertions(+), 27 deletions(-)

M nixos/systems/blowhole/firewall.nix
M nixos/systems/blowhole/firewall.nix => nixos/systems/blowhole/firewall.nix +13 -27
@@ 29,38 29,24 @@ in
    # "net.ipv6.conf.${name}.autoconf" = 1;
  };

  services.stubby = {
  services.dnscrypt-proxy2 = {
    enable = true;
    logLevel = 7;
    upstreamDefaults = true;
    settings = {
      resolution_type = "GETDNS_RESOLUTION_STUB";
      dns_transport_list = [
        "GETDNS_TRANSPORT_TLS"
      ];
      tls_authentication = "GETDNS_AUTHENTICATION_REQUIRED";
      tls_query_padding_blocksize = 256;
      edns_client_subnet_private = 1;
      idle_timeout = 10000;
      listen_addresses = [
        "127.0.0.1@5353"
      ];
      dnssec_return_status = "GETDNS_EXTENSION_TRUE";
      appdata_dir = "/var/cache/stubby";
      round_robin_upstreams = 1;
      upstream_recursive_servers = [
        {
          address_data = "9.9.9.9";
          tls_auth_name = "dns.quad9.net";
        }
        {
          address_data = "149.112.112.112";
          tls_auth_name = "dns.quad9.net";
        }
      ];
      listen_addresses = [ "127.0.0.1:5353" ];

      dnscrypt_servers = false;
      doh_servers = true;
      odoh_servers = false;

      block_ipv6 = true;

      static."mullvad".stamp = "sdns://AgcAAAAAAAAAAAAPZG9oLm11bGx2YWQubmV0Ci9kbnMtcXVlcnk";
      sources = {};
    };
  };

  systemd.services.stubby = {
  systemd.services.dnscrypt-proxy2 = {
    before = [ "network-online.target" ];
  };
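Review bot: The only upstream left after this change is `static."mullvad".stamp`, and that stamp decodes to a DoH endpoint (doh.mullvad.net, path /dns-query) with no IP address and no certificate hash, so dnscrypt-proxy must first resolve the hostname in plaintext through its bootstrap resolvers; with `upstreamDefaults = true` those presumably come from the upstream example config rather than from a choice made here. Consider pinning them in `settings`, e.g. `bootstrap_resolvers = [ "9.9.9.9:53" ];` with `ignore_system_dns = true;`, and adding a second static entry so that one provider outage does not stop resolution on this host. The stubby settings that appear to be removed requested DNSSEC status (`dnssec_return_status`), whereas dnscrypt-proxy does not validate DNSSEC itself, so if validation matters it now has to happen in whatever forwards to 127.0.0.1:5353. A comment above the stamp such as `# DoH, doh.mullvad.net/dns-query, no pinned IP or cert hash` would make the blob reviewable. The surrounding attribute set starts before and continues after this hunk.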