author | tdback <tyler@tdback.net> | 2025-01-11 19:08:14 -0500 |
---|---|---|
committer | tdback <tyler@tdback.net> | 2025-01-11 19:08:14 -0500 |
commit | 01d012473d4311d4f4e5a0831d912bc4b8c61639 (patch) | |
tree | b6ae98c69032d7d23219b07c73be4b15c53942b0 /modules/services/dns/default.nix | |
parent | 46ccba81833d5c9c2b02b873ac067eb5108e2b1f (diff) |
feat: use unbound as a recursive DNS resolver. retire blocky
Diffstat (limited to 'modules/services/dns/default.nix')
-rw-r--r-- | modules/services/dns/default.nix | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/modules/services/dns/default.nix b/modules/services/dns/default.nix
new file mode 100644
index 0000000..e229da3
--- /dev/null
+++ b/modules/services/dns/default.nix
@@ -0,0 +1,26 @@
+{ pkgs, ... }:
+{
+ services.unbound = {
+ enable = true;
+ package = pkgs.unbound-with-systemd;
+ enableRootTrustAnchor = true;
+ resolveLocalQueries = true;
+ settings.server = {
+ interface = [ "0.0.0.0" ];
+ port = 53;
+ access-control = [ "10.44.0.0/16 allow" ];
+ harden-glue = true;
+ harden-dnssec-stripped = true;
+ use-caps-for-id = false;
+ edns-buffer-size = 1232;
+ prefetch = true;
+ hide-identity = true;
+ hide-version = true;
+ };
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [ 53 ];
+ allowedUDPPorts = [ 53 ];
+ };
+} |
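Review bot: The `networking.firewall` block at the end of the hunk opens TCP/UDP 53 on every interface, while Unbound itself binds `0.0.0.0` and only relies on `access-control = [ "10.44.0.0/16 allow" ]` to turn away other clients; that leaves the resolver reachable (answering REFUSED) from any network the host sits on, so a single ACL typo would expose an open recursive resolver. Scoping the firewall rule to the LAN interface gives a second layer: `networking.firewall.interfaces.<lan-iface>.allowedTCPPorts = [ 53 ];` and `networking.firewall.interfaces.<lan-iface>.allowedUDPPorts = [ 53 ];` (with `<lan-iface>` being the actual interface name), or alternatively set `interface` to the host's LAN address instead of `0.0.0.0`. The allow-list also deserves a one-line comment, e.g. `# Only answer recursive queries from the internal 10.44.0.0/16 network`, since the prefix is the whole access policy. Note that `interface = [ "0.0.0.0" ]` does not bind IPv6, so if clients on that network use IPv6 they will presumably fall back to other resolvers; if that is intended it is worth stating in a comment.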