From d78e0ed1f98bbeae09d874c748e702da31c9a1b1 Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Mon, 29 Aug 2016 18:10:00 +0200
Subject: [PATCH] dnscrypt-proxy module: move detailed info to module documentation

---
 .../services/networking/dnscrypt-proxy.nix | 28 ++-----
 .../services/networking/dnscrypt-proxy.xml | 76 +++++++++++++++++++
 2 files changed, 82 insertions(+), 22 deletions(-)
 create mode 100644 nixos/modules/services/networking/dnscrypt-proxy.xml

diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix
index 97764cd2ed3..2714e8d7599 100644
--- a/nixos/modules/services/networking/dnscrypt-proxy.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy.nix
@@ -28,31 +28,15 @@ let
 in {
+ meta = {
+ maintainers = with maintainers; [ joachifm ];
+ doc = ./dnscrypt-proxy.xml;
+ };
+
 options = {
 services.dnscrypt-proxy = {
- enable = mkEnableOption "dnscrypt-proxy" // { description = ''
- Whether to enable the DNSCrypt client proxy. The proxy relays
- DNS queries to a DNSCrypt enabled upstream resolver. The traffic
- between the client and the upstream resolver is encrypted and
- authenticated, mitigating the risk of MITM attacks and third-party
- snooping (assuming the upstream is trustworthy).
+ enable = mkEnableOption "DNSCrypt client proxy";
 
- Enabling this option does not alter the system nameserver; to relay
- local queries, prepend 127.0.0.1 to
- .
-
- The recommended configuration is to run DNSCrypt proxy as a forwarder
- for a caching DNS client, as in
-
- {
- services.dnscrypt-proxy.enable = true;
- services.dnscrypt-proxy.localPort = 43;
- services.dnsmasq.enable = true;
- services.dnsmasq.servers = [ "127.0.0.1#43" ];
- services.dnsmasq.resolveLocalQueries = true; # this is the default
- }
-
- ''; };
 localAddress = mkOption {
 default = "127.0.0.1";
 type = types.str;
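Review bot: The new one-line `enable = mkEnableOption "DNSCrypt client proxy";` drops the caveat that enabling the proxy does not alter the system nameserver, so anyone reading only the option text (nixos-option, the generated options list) can turn the service on and keep sending plaintext DNS to the previous resolver without noticing; the long explanation belongs in the XML, but that one sentence should survive in the option itself. Suggest keeping a short override in the same style the module used before: `enable = mkEnableOption "DNSCrypt client proxy" // { description = "Whether to enable the DNSCrypt client proxy. Enabling it does not alter the system nameserver; see the module documentation for how to route local queries through it."; };`. The `services.dnscrypt-proxy` attribute set continues past the end of the hunk, and whether `maintainers` is in scope for the new `meta` block depends on a `with lib;` outside the hunk, so that should be confirmed against the file head.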
diff --git a/nixos/modules/services/networking/dnscrypt-proxy.xml b/nixos/modules/services/networking/dnscrypt-proxy.xml
new file mode 100644
index 00000000000..e212a8d3e2c
--- /dev/null
+++ b/nixos/modules/services/networking/dnscrypt-proxy.xml
@@ -0,0 +1,76 @@
+
+
+ DNSCrypt client proxy
+
+
+ The DNSCrypt client proxy relays DNS queries to a DNSCrypt enabled
+ upstream resolver. The traffic between the client and the upstream
+ resolver is encrypted and authenticated, mitigating the risk of MITM
+ attacks, DNS poisoning attacks, and third-party snooping (assuming the
+ upstream is trustworthy).
+
+
+ Basic configuration
+
+
+ To enable the client proxy, set
+
+ services.dnscrypt-proxy.enable = true;
+
+
+
+
+ Enabling the client proxy does not alter the system nameserver; to
+ relay local queries, prepend 127.0.0.1 to
+ .
+
+
+
+ As a forwarder for a caching DNS client
+
+
+ By default, DNSCrypt proxy acts as a transparent proxy for the
+ system stub resolver. Because the client does not cache lookups, this
+ setup can significantly slow down e.g., web browsing. The recommended
+ configuration is to run DNSCrypt proxy as a forwarder for a caching DNS
+ client. To achieve this, change the default proxy listening port to
+ a non-standard value and point the caching client to it:
+
+ services.dnscrypt-proxy.localPort = 43;
+
+
+
+ dnsmasq
+
+
+ {
+ services.dnsmasq.enable = true;
+ services.dnsmasq.servers = [ "127.0.0.1#43" ];
+ }
+
+
+
+ unbound
+
+
+ {
+ networking.nameservers = [ "127.0.0.1" ];
+ services.unbound.enable = true;
+ services.unbound.forwardAddresses = [ "127.0.0.1@43" ];
+ services.unbound.extraConfig = ''
+ do-not-query-localhost: no
+ '';
+ }
+
+
+
+
+
+