Working DNS proxy over HTTPS

2020-06-22 11:10:36 -07:00 · 2020-06-22 11:10:36 -07:00 · 318579ff8a
parent 51fcf8609b
commit 318579ff8a
3 changed files with 73 additions and 5 deletions
--- a/config/fudo/secure-dns-proxy.nix
+++ b/config/fudo/secure-dns-proxy.nix
@ -0,0 +1,62 @@
+{ lib, pkgs, config, ... }:
+
+with lib;
+let
+  cfg = config.fudo.secure-dns-proxy;
+
+in {
+  options.fudo.secure-dns-proxy = {
+    enable = mkEnableOption "Enable a DNS server using an encrypted upstream source.";
+
+    port = mkOption {
+      type = types.port;
+      description = "Port on which to listen for DNS queries.";
+      default = 53;
+    };
+
+    upstream-dns = mkOption {
+      type = with types; listOf str;
+      description = ''
+        The upstream DNS services to use, in a format useable by dnsproxy.
+
+        See: https://github.com/AdguardTeam/dnsproxy
+      '';
+      default = ["https://cloudflare-dns.com/dns-query"];
+    };
+
+    bootstrap-dns = mkOption {
+      type = types.str;
+      description = "A simple DNS server from which HTTPS DNS can be bootstrapped, if necessary.";
+      default = "1.1.1.1";
+    };
+
+    listen-ips = mkOption {
+      type = with types; listOf str;
+      description = "A list of local IP addresses on which to listen.";
+      default = ["0.0.0.0"];
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      dnsproxy
+    ];
+
+    systemd.services.secure-dns-proxy = {
+      enable = true;
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      description = "DNS Proxy for secure DNS lookups";
+      serviceConfig = let
+        upstreams = map (upstream: "-u ${upstream}") cfg.upstream-dns;
+        upstream-line = concatStringsSep " " upstreams;
+        listen-line = concatStringsSep " "
+          (map (listen: "-l ${listen}") cfg.listen-ips);
+        cmd = "${pkgs.dnsproxy}/bin/dnsproxy -p ${toString cfg.port} ${upstream-line} ${listen-line} -b ${cfg.bootstrap-dns}";
+
+      in {
+        ExecStart = cmd;
+      };
+    };
+  };
+}
--- a/config/local.nix
+++ b/config/local.nix
@ -18,8 +18,9 @@ with lib;
    ./fudo/node-exporter.nix
    ./fudo/postgres.nix
    ./fudo/prometheus.nix
-    ./fudo/system.nix
+    ./fudo/secure-dns-proxy.nix
    ./fudo/slynk.nix
+    ./fudo/system.nix
    ./fudo/webmail.nix

    ../fudo/profiles
--- a/hosts/nostromo.nix
+++ b/hosts/nostromo.nix
@ -102,10 +102,15 @@ in {
      ];
    };

-    # secure-dns = {
-    #   enable = true;
-    #   port = 9053;
-    # };
+    secure-dns-proxy = {
+      enable = true;
+      port = 3535;
+      upstream-dns = [
+        "https://cloudflare-dns.com/dns-query"
+        # "https://dns.adguard.com/dns-query"
+      ];
+      bootstrap-dns = "1.1.1.1";
+    };
  };

  environment.systemPackages = with pkgs; [