{ oisd, ... }:

let
  cloudflareServers = [
    "1.1.1.1" "1.0.0.1"
    "2606:4700:4700::1111" "2606:4700:4700::1001"
  ];

  quad9Servers = [
    "9.9.9.9" "149.112.112.112"
    "2620:fe::fe" "2620:fe::9"
  ];

  upstreamServers = cloudflareServers ++ quad9Servers;
in
{
  services.resolved.enable = false;

  services.dnsmasq = {
    enable = true;

    # Ref: https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
    settings = {
      interface = [ "enp1s0" "tailscale0" ];
      bind-dynamic = true;

      server = upstreamServers;
      cache-size = 4096;

      no-resolv = true;
      bogus-priv = true;
      domain-needed = true;
      localise-queries = true;

      conf-file = "${oisd}/dnsmasq2_big.txt";

      log-queries = true;
    };
  };
}