From 01d012473d4311d4f4e5a0831d912bc4b8c61639 Mon Sep 17 00:00:00 2001
From: tdback
Date: Sat, 11 Jan 2025 19:08:14 -0500
Subject: feat: use unbound as a recursive DNS resolver. retire blocky

---
 modules/services/dns/default.nix | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 modules/services/dns/default.nix

(limited to 'modules/services/dns/default.nix')

diff --git a/modules/services/dns/default.nix b/modules/services/dns/default.nix
new file mode 100644
index 0000000..e229da3
--- /dev/null
+++ b/modules/services/dns/default.nix
@@ -0,0 +1,26 @@
+{ pkgs, ... }:
+{
+ services.unbound = {
+ enable = true;
+ package = pkgs.unbound-with-systemd;
+ enableRootTrustAnchor = true;
+ resolveLocalQueries = true;
+ settings.server = {
+ interface = [ "0.0.0.0" ];
+ port = 53;
+ access-control = [ "10.44.0.0/16 allow" ];
+ harden-glue = true;
+ harden-dnssec-stripped = true;
+ use-caps-for-id = false;
+ edns-buffer-size = 1232;
+ prefetch = true;
+ hide-identity = true;
+ hide-version = true;
+ };
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [ 53 ];
+ allowedUDPPorts = [ 53 ];
+ };
+}
-- 
cgit v1.2.3
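Review bot: The firewall block opens 53/tcp and 53/udp on every interface while unbound also listens on `0.0.0.0`, so the only thing keeping this resolver LAN-only is the `access-control = [ "10.44.0.0/16 allow" ]` line; a recursive resolver reachable from any interface is a wider exposure than the access-control list suggests, and every query from outside that range still gets a REFUSED response from unbound rather than being dropped. If the host has a non-LAN interface, scoping the rule to the LAN interface keeps the exposure matched to the allow list: `networking.firewall.interfaces.<lan-iface>.allowedTCPPorts = [ 53 ];` and `networking.firewall.interfaces.<lan-iface>.allowedUDPPorts = [ 53 ];` (with `<lan-iface>` replaced by the actual interface name), or alternatively bind `interface` to the host's 10.44.x.x address instead of `0.0.0.0`. Since `resolveLocalQueries = true` points the host itself at this resolver, it is worth confirming that the effective access-control still admits loopback, because the list here names only the LAN range. `use-caps-for-id = false` also deserves a one-line why-comment, e.g. `# 0x20 case randomisation disabled: <reason>; DNSSEC validation via enableRootTrustAnchor is the primary spoofing defence here`, since it turns off a spoofing mitigation that is otherwise on in many deployments.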