From 9dab2d9f49a80976d158b9fb31462dd487e13e6c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= <dev@felschr.com>
Date: Fri, 20 Jun 2025 21:24:34 +0200
Subject: [PATCH] fix(networking): allow fallback to non-TLS DNS servers

---
 system/networking.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/system/networking.nix b/system/networking.nix
index 1aacee0..7524edf 100644
--- a/system/networking.nix
+++ b/system/networking.nix
@@ -70,7 +70,8 @@ in
   services.dnsmasq.enable = false;
   services.resolved = {
     enable = true;
-    dnsovertls = if isAdguardHost then "opportunistic" else "true";
+    # HINT with "true" even fallback or interface-specific DNS servers won't work if they don't support TLS
+    dnsovertls = "opportunistic";
     fallbackDns = [
       "194.242.2.2#dns.mullvad.net"
       "194.242.2.4#base.dns.mullvad.net"
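Review bot: Setting `dnsovertls = "opportunistic"` unconditionally drops strict DNS-over-TLS on every host, where the old line relaxed it only for the AdGuard host. systemd-resolved documents this mode as open to downgrade: if the TLS attempt is made to fail on the network path, queries go out in plaintext. The visible `fallbackDns` entries are Mullvad resolvers with `#hostname` names, which presumably support TLS, so the relaxation looks needed only for interface-supplied servers. If that is the case, keeping `"true"` globally and relaxing the per-link `DNSOverTLS=` setting for those interfaces would keep strict mode for the configured resolvers. At minimum the comment should record the trade-off, e.g. `# NOTE: "opportunistic" falls back to plaintext DNS when TLS fails, so it does not protect against an active downgrade`; `isAdguardHost` is defined outside this hunk and may now be unused.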