author | tdback <tyler@tdback.net> | 2025-01-11 19:08:14 -0500 |
---|---|---|
committer | tdback <tyler@tdback.net> | 2025-01-11 19:08:14 -0500 |
commit | 01d012473d4311d4f4e5a0831d912bc4b8c61639 (patch) | |
tree | b6ae98c69032d7d23219b07c73be4b15c53942b0 /modules/services | |
parent | 46ccba81833d5c9c2b02b873ac067eb5108e2b1f (diff) |
feat: use unbound as a recursive DNS resolver. retire blocky
Diffstat (limited to 'modules/services')
-rw-r--r-- | modules/services/blocky/default.nix | 93 | ||||
-rw-r--r-- | modules/services/dns/default.nix | 26 |
2 files changed, 26 insertions, 93 deletions
diff --git a/modules/services/blocky/default.nix b/modules/services/blocky/default.nix
deleted file mode 100644
index ca58f4f..0000000
--- a/modules/services/blocky/default.nix
+++ /dev/null
@@ -1,93 +0,0 @@
-{ pkgs, ... }:
-{
- services.blocky = {
- enable = true;
- package = pkgs.blocky;
- settings = {
- upstreams = {
- init.strategy = "fast";
- groups.default = [
- "9.9.9.9"
- "149.112.112.112"
- ];
- };
- bootstrapDns = [{
- upstream = "https://dns.quad9.net/dns-query";
- ips = [ "9.9.9.9" ];
- }];
- ports = {
- dns = 53;
- tls = 853;
- https = 443;
- };
- blocking = {
- denylists = {
- ads = [
- "https://adaway.org/hosts.txt"
- "https://v.firebog.net/hosts/AdguardDNS.txt"
- "https://v.firebog.net/hosts/Admiral.txt"
- "https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt"
- "https://v.firebog.net/hosts/Easylist.txt"
- "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"
- "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts"
- "https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts"
- ];
- malicious = [
- "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"
- "https://v.firebog.net/hosts/Prigent-Crypto.txt"
- "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts"
- "https://phishing.army/download/phishing_army_blocklist_extended.txt"
- "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt"
- "https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt"
- "https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts"
- "https://urlhaus.abuse.ch/downloads/hostfile/"
- "https://v.firebog.net/hosts/Prigent-Malware.txt"
- ];
- other = [
- "https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser"
- ];
- suspicious = [
- "https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt"
- "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts"
- "https://v.firebog.net/hosts/static/w3kbl.txt"
- "https://raw.githubusercontent.com/matomo-org/referrer-spam-blacklist/master/spammers.txt"
- "https://someonewhocares.org/hosts/zero/hosts"
- "https://raw.githubusercontent.com/VeleSila/yhosts/master/hosts"
- "https://winhelp2002.mvps.org/hosts.txt"
- "https://v.firebog.net/hosts/neohostsbasic.txt"
- "https://raw.githubusercontent.com/RooneyMcNibNug/pihole-stuff/master/SNAFU.txt"
- "https://paulgb.github.io/BarbBlock/blacklists/hosts-file.txt"
- ];
- tracking-telemetry = [
- "https://v.firebog.net/hosts/Easyprivacy.txt"
- "https://v.firebog.net/hosts/Prigent-Ads.txt"
- "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts"
- "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
- "https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt"
- "https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt"
- "https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt"
- "https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt"
- "https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/AmazonFireTV.txt"
- "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt"
- ];
- };
- clientGroupsBlock.default = [
- "ads"
- "malicious"
- "other"
- "suspicious"
- "tracking-telemetry"
- ];
- loading = {
- concurrency = 16;
- strategy = "failOnError";
- };
- };
- };
- };
-
- networking.firewall = {
- allowedTCPPorts = [ 53 443 853 ];
- allowedUDPPorts = [ 53 ];
-}
diff --git a/modules/services/dns/default.nix b/modules/services/dns/default.nix
new file mode 100644
index 0000000..e229da3
--- /dev/null
+++ b/modules/services/dns/default.nix
@@ -0,0 +1,26 @@
+{ pkgs, ... }:
+{
+ services.unbound = {
+ enable = true;
+ package = pkgs.unbound-with-systemd;
+ enableRootTrustAnchor = true;
+ resolveLocalQueries = true;
+ settings.server = {
+ interface = [ "0.0.0.0" ];
+ port = 53;
+ access-control = [ "10.44.0.0/16 allow" ];
+ harden-glue = true;
+ harden-dnssec-stripped = true;
+ use-caps-for-id = false;
+ edns-buffer-size = 1232;
+ prefetch = true;
+ hide-identity = true;
+ hide-version = true;
+ };
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [ 53 ];
+ allowedUDPPorts = [ 53 ];
+ };
+}
|
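Review bot: In the `settings.server` block, `interface = [ "0.0.0.0" ]` combined with the host-wide `allowedTCPPorts = [ 53 ]` / `allowedUDPPorts = [ 53 ]` binds the resolver on every IPv4 interface, so the single `access-control = [ "10.44.0.0/16 allow" ]` line is all that keeps it from answering as an open resolver; if this machine has an address outside that range, bind `interface` to the LAN address or scope the firewall rule with `networking.firewall.interfaces.<iface>.allowedUDPPorts` (and the TCP counterpart) so the exposure does not rest on one unbound setting. `use-caps-for-id = false` disables 0x20 query-name case randomisation, one of unbound's answer-spoofing mitigations, and `edns-buffer-size = 1232` is the DNS flag-day 2020 fragment-avoidance value; a short why-comment on each (e.g. `# 0x20 off: <reason, e.g. an upstream that breaks on mixed-case qnames>`) would keep a later reader from "fixing" either. Lastly, the retired blocky module's `malicious`/`suspicious` denylists have no counterpart in this file, so clients in 10.44.0.0/16 no longer receive that filtering — worth a line in the commit message or a module comment if that loss is intended.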