From 0b85b132678fef740cb60f89cc9e1288191ebefd Mon Sep 17 00:00:00 2001
From: Felix Tenley
Date: Tue, 11 May 2021 20:58:03 +0200
Subject: [PATCH] feat: enable DNS over HTTPS
---
home/browsers/firefox.nix | 3 +++
system/networking.nix | 37 +++++++++++++++++++++++++++++++++++++
2 files changed, 40 insertions(+)
create mode 100644 system/networking.nix
diff --git a/home/browsers/firefox.nix b/home/browsers/firefox.nix
index 101daf2..d9b33a6 100644
--- a/home/browsers/firefox.nix
+++ b/home/browsers/firefox.nix
@@ -30,6 +30,9 @@ let "browser.sessionstore.privacy_level" = 2; "network.IDN_show_punycode" = true; + # Disable DNS over HTTPS (done system-wide) + "network.trr.mode" = 5; + # Theme "ui.systemUsesDarkTheme" = prefer-dark-theme; "extensions.activeThemeID" = concatStrings [
diff --git a/system/networking.nix b/system/networking.nix
new file mode 100644
index 0000000..1fcef6a
--- /dev/null
+++ b/system/networking.nix
@@ -0,0 +1,37 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.resolved.enable = false;
+
+ networking = {
+ nameservers = [ "127.0.0.1" "::1" ];
+ resolvconf.enable = lib.mkForce false;
+ # If using dhcpcd:
+ dhcpcd.extraConfig = "nohook resolv.conf";
+ # If using NetworkManager:
+ networkmanager.dns = "none";
+ };
+
+ services.dnscrypt-proxy2 = {
+ enable = true;
+ settings = {
+ ipv6_servers = true;
+
+ sources.public-resolvers = {
+ urls = [
+ "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+ ];
+ cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
+ minisign_key =
+ "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+ };
+
+ server_names = [ "mullvad-doh" ];
+ };
+ };
+
+ systemd.services.dnscrypt-proxy2.serviceConfig = {
+ StateDirectory = lib.mkForce "dnscrypt-proxy2";
+ };
+}
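Review bot: The `"network.trr.mode" = 5;` line in home/browsers/firefox.nix turns off Firefox's own encrypted DNS and leaves the browser trusting the OS resolver, but nothing in this file ties it to the system module that supplies the replacement. If this home configuration is ever applied on a host that does not import system/networking.nix (not visible from the hunk), Firefox lookups would go out in plaintext with no warning. The comment should record both the value's meaning and the dependency, for example `# 5 = TRR explicitly off; encrypted DNS is provided by system/networking.nix (dnscrypt-proxy2)`. The enclosing `let` block starts and ends outside the hunk.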
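Review bot: In system/networking.nix, `server_names = [ "mullvad-doh" ];` pins a single upstream while `nameservers` lists only loopback and both resolved and resolvconf are disabled, so an outage of that one resolver or a failed start of dnscrypt-proxy2 leaves the host with no name resolution at all. Failing closed is a reasonable privacy choice, but it should be stated as one, e.g. `# single upstream on purpose: DNS fails closed rather than falling back to plaintext`, or a second entry from the same signed list added as `server_names = [ "mullvad-doh" "<second-doh-resolver>" ];`. The `StateDirectory = lib.mkForce "dnscrypt-proxy2";` override also needs a comment saying why it is forced; it presumably exists so that the `cache_file` path under /var/lib/dnscrypt-proxy2 is writable by the service, which is worth confirming and writing down.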