at 16.09-beta
<chapter xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-dnscrypt-proxy">

<title>DNSCrypt client proxy</title>

<para>
  The DNSCrypt client proxy relays DNS queries to a DNSCrypt-enabled
  upstream resolver. The traffic between the client and the upstream
  resolver is encrypted and authenticated, which mitigates the risk of
  man-in-the-middle attacks, DNS poisoning on the path, and third-party
  snooping. The upstream resolver itself still sees every query in the
  clear, so this protection assumes the upstream is trustworthy.
</para>

<sect1><title>Basic configuration</title>

<para>
  To enable the client proxy, set
  <programlisting>
services.dnscrypt-proxy.enable = true;
  </programlisting>
</para>

<para>
  Enabling the client proxy does not alter the system nameserver; to
  relay local queries through it, prepend <literal>127.0.0.1</literal>
  to <option>networking.nameservers</option>.
</para>

</sect1>

<sect1><title>As a forwarder for a caching DNS client</title>

<para>
  By default, DNSCrypt proxy acts as a transparent proxy for the system
  stub resolver. Because the client does not cache lookups, every
  repeated name lookup is sent to the upstream resolver again, which can
  significantly slow down e.g. web browsing. The recommended
  configuration is to run DNSCrypt proxy as a forwarder for a caching
  DNS client. To achieve this, change the default proxy listening port
  to a non-standard value, so that the caching client can take port 53,
  and point the caching client to it:
  <programlisting>
services.dnscrypt-proxy.localPort = 43;
  </programlisting>
</para>

<sect2><title>dnsmasq</title>
<para>
  <programlisting>
{
  services.dnsmasq.enable = true;
  # dnsmasq "host#port" syntax: forward cache misses to the proxy on port 43
  services.dnsmasq.servers = [ "127.0.0.1#43" ];
}
  </programlisting>
</para>
</sect2>

<sect2><title>unbound</title>
<para>
  <programlisting>
{
  # unbound listens on 127.0.0.1:53 and becomes the system resolver
  networking.nameservers = [ "127.0.0.1" ];
  services.unbound.enable = true;
  # unbound "host@port" syntax: forward cache misses to the proxy on port 43
  services.unbound.forwardAddresses = [ "127.0.0.1@43" ];
  services.unbound.extraConfig = ''
    # unbound refuses to send queries to loopback addresses by default;
    # relax this so the forward to 127.0.0.1@43 is actually used
    do-not-query-localhost: no
  '';
}
  </programlisting>
</para>
</sect2>

</sect1>

</chapter>
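The fragments above each show one piece of the forwarder setup. The following is an added example, not part of the NixOS manual or the dnscrypt-proxy project, that assembles them into one configuration.nix so the whole resolution chain (stub resolver, unbound cache, dnscrypt-proxy, encrypted upstream) is visible in a single place. It uses only the options shown in the chapter; the port number 43 is the chapter's own choice.

```nix
# Added example (not from the NixOS manual): complete configuration.nix
# fragment for dnscrypt-proxy behind a caching unbound resolver.
{ config, pkgs, ... }:

{
  # 1. The encrypted hop. dnscrypt-proxy talks DNSCrypt to the upstream
  #    resolver. It must not sit on port 53, because unbound listens there.
  services.dnscrypt-proxy.enable = true;
  services.dnscrypt-proxy.localPort = 43;

  # 2. The caching hop. unbound answers local clients on 127.0.0.1:53 and
  #    forwards every cache miss to the proxy on 127.0.0.1:43.
  services.unbound.enable = true;
  services.unbound.forwardAddresses = [ "127.0.0.1@43" ];
  services.unbound.extraConfig = ''
    # unbound's loop guard rejects loopback upstreams unless disabled;
    # without this line the forward to 127.0.0.1@43 is silently skipped.
    do-not-query-localhost: no
  '';

  # 3. Point the system stub resolver at the cache. Keep 127.0.0.1 as the
  #    only entry: any additional nameserver here is a plaintext fallback
  #    that the stub resolver may use on timeout, bypassing DNSCrypt.
  networking.nameservers = [ "127.0.0.1" ];
}
```

A manual check after `nixos-rebuild switch`: `dig @127.0.0.1 -p 43 example.org` exercises the proxy directly, and running `dig example.org` twice goes through unbound; the second answer should report a much lower query time because it is served from the cache rather than from the upstream.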