From 2fc26761a1e93e6212845ebd005eab71da704d6e Mon Sep 17 00:00:00 2001
From: Mel
Date: Sun, 27 Oct 2024 22:05:25 +0100
Subject: Add global dns-blocking dnsmasq service
Signed-off-by: Mel
---
modules/dns.nix | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100644 modules/dns.nix
(limited to 'modules/dns.nix')
diff --git a/modules/dns.nix b/modules/dns.nix
new file mode 100644
index 0000000..c3512e4
--- /dev/null
+++ b/modules/dns.nix
@@ -0,0 +1,40 @@
+{ oisd, ... }:
+
+let
+  cloudflareServers = [
+    "1.1.1.1" "1.0.0.1"
+    "2606:4700:4700::1111" "2606:4700:4700::1001"
+  ];
+
+  quad9Servers = [
+    "9.9.9.9" "149.112.112.112"
+    "2620:fe::fe" "2620:fe::9"
+  ];
+
+  upstreamServers = cloudflareServers ++ quad9Servers;
+in
+{
+  services.resolved.enable = false;
+
+  services.dnsmasq = {
+    enable = true;
+
+    # Ref: https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
+    settings = {
+      interface = [ "enp1s0" "tailscale0" ];
+      bind-dynamic = true;
+
+      server = upstreamServers;
+      cache-size = 4096;
+
+      no-resolv = true;
+      bogus-priv = true;
+      domain-needed = true;
+      localise-queries = true;
+
+      conf-file = "${oisd}/dnsmasq2_big.txt";
+
+      log-queries = true;
+    };
+  };
+}
-- cgit 1.4.1
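Review bot: Listening on enp1s0 via `interface = [ "enp1s0" "tailscale0" ];` together with `bind-dynamic = true;` exposes this recursive resolver to whatever network that interface faces, and nothing in the hunk restricts which clients may query it; if enp1s0 is the public uplink and port 53 is not firewalled elsewhere, the host becomes an open resolver that can be abused for amplification. If only tailnet clients are meant to use it, `interface = [ "tailscale0" ];` is the narrower setting; otherwise `local-service = true;` makes dnsmasq answer only hosts on directly attached subnets. Since the service now resolves for LAN/tailnet clients, `stop-dns-rebind = true;` would also reject upstream answers that resolve public names to private ranges, the natural companion to the `bogus-priv` already set. `log-queries = true;` records every client query to the journal for as long as the config is deployed; it reads as a debugging switch and should carry a comment saying so or default to off.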