DNS-over-TLS

2021-10-26 01:04:58 +03:00 · 2021-10-26 01:04:58 +03:00 · 7d5d966668
commit 7d5d966668
parent d4a78796b2
1 changed files with 39 additions and 0 deletions
--- a/profiles/servers/nginx.nix
+++ b/profiles/servers/nginx.nix
@ -1,4 +1,43 @@
 { pkgs, config, lib, ... }: {
+  ## DNS-over-TLS
+  services.stubby = {
+    enable = true;
+    listenAddresses = [ "0::1" "127.0.0.1" ];
+    roundRobinUpstreams = false;
+    upstreamServers = ''
+      ## Quad9
+      - address_data: 2620:fe::fe
+        tls_auth_name: "dns.quad9.net"
+      - address_data: 2620:fe::9
+        tls_auth_name: "dns.quad9.net"
+      - address_data: 9.9.9.9
+        tls_auth_name: "dns.quad9.net"
+      - address_data: 149.112.112.112
+        tls_auth_name: "dns.quad9.net"
+      ## Cloudflare
+      - address_data: 2606:4700:4700::1112
+        tls_auth_name: "cloudflare-dns.com"
+      - address_data: 2606:4700:4700::1002
+        tls_auth_name: "cloudflare-dns.com"
+      - address_data: 1.1.1.2
+        tls_auth_name: "cloudflare-dns.com"
+      - address_data: 1.0.0.2
+        tls_auth_name: "cloudflare-dns.com"
+    '';
+    extraConfig = ''
+      # Set TLS 1.3 as minimum acceptable version
+      tls_min_version: GETDNS_TLS1_3
+      # Require DNSSEC validation
+      dnssec: GETDNS_EXTENSION_TRUE
+    '';
+  };
+
+  networking.nameservers = [ "::1" "127.0.0.1" ];
+  services.resolved = {
+    enable = true;
+    fallbackDns = [ "2606:4700:4700::1111" "2606:4700:4700::1001" "1.1.1.1" "1.0.0.1" ];
+  };
+
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;