pyrox.dev
dnscrypt-proxy module: move detailed info to module documentation
+6
-22
nixos/modules/services/networking/dnscrypt-proxy.nix
+6
-22
nixos/modules/services/networking/dnscrypt-proxy.nix
···
28
in
29
30
{
31
options = {
32
services.dnscrypt-proxy = {
33
-
enable = mkEnableOption "dnscrypt-proxy" // { description = ''
34
-
Whether to enable the DNSCrypt client proxy. The proxy relays
35
-
DNS queries to a DNSCrypt enabled upstream resolver. The traffic
36
-
between the client and the upstream resolver is encrypted and
37
-
authenticated, mitigating the risk of MITM attacks and third-party
38
-
snooping (assuming the upstream is trustworthy).
39
-
40
-
Enabling this option does not alter the system nameserver; to relay
41
-
local queries, prepend <literal>127.0.0.1</literal> to
42
-
<option>networking.nameservers</option>.
43
44
-
The recommended configuration is to run DNSCrypt proxy as a forwarder
45
-
for a caching DNS client, as in
46
-
<programlisting>
47
-
{
48
-
services.dnscrypt-proxy.enable = true;
49
-
services.dnscrypt-proxy.localPort = 43;
50
-
services.dnsmasq.enable = true;
51
-
services.dnsmasq.servers = [ "127.0.0.1#43" ];
52
-
services.dnsmasq.resolveLocalQueries = true; # this is the default
53
-
}
54
-
</programlisting>
55
-
''; };
56
localAddress = mkOption {
57
default = "127.0.0.1";
58
type = types.str;
···
28
in
29
30
{
31
+
meta = {
32
+
maintainers = with maintainers; [ joachifm ];
33
+
doc = ./dnscrypt-proxy.xml;
34
+
};
35
+
36
options = {
37
services.dnscrypt-proxy = {
38
+
enable = mkEnableOption "DNSCrypt client proxy";
39
40
localAddress = mkOption {
41
default = "127.0.0.1";
42
type = types.str;
+76
nixos/modules/services/networking/dnscrypt-proxy.xml
+76
nixos/modules/services/networking/dnscrypt-proxy.xml
···
···
1
+
<chapter xmlns="http://docbook.org/ns/docbook"
2
+
xmlns:xlink="http://www.w3.org/1999/xlink"
3
+
xmlns:xi="http://www.w3.org/2001/XInclude"
4
+
version="5.0"
5
+
xml:id="sec-dnscrypt-proxy">
6
+
7
+
<title>DNSCrypt client proxy</title>
8
+
9
+
<para>
10
+
The DNSCrypt client proxy relays DNS queries to a DNSCrypt enabled
11
+
upstream resolver. The traffic between the client and the upstream
12
+
resolver is encrypted and authenticated, mitigating the risk of MITM
13
+
attacks, DNS poisoning attacks, and third-party snooping (assuming the
14
+
upstream is trustworthy).
15
+
</para>
16
+
17
+
<sect1><title>Basic configuration</title>
18
+
19
+
<para>
20
+
To enable the client proxy, set
21
+
<programlisting>
22
+
services.dnscrypt-proxy.enable = true;
23
+
</programlisting>
24
+
</para>
25
+
26
+
<para>
27
+
Enabling the client proxy does not alter the system nameserver; to
28
+
relay local queries, prepend <literal>127.0.0.1</literal> to
29
+
<option>networking.nameservers</option>.
30
+
</para>
31
+
32
+
</sect1>
33
+
34
+
<sect1><title>As a forwarder for a caching DNS client</title>
35
+
36
+
<para>
37
+
By default, DNSCrypt proxy acts as a transparent proxy for the
38
+
system stub resolver. Because the client does not cache lookups, this
39
+
setup can significantly slow down e.g., web browsing. The recommended
40
+
configuration is to run DNSCrypt proxy as a forwarder for a caching DNS
41
+
client. To achieve this, change the default proxy listening port to
42
+
a non-standard value and point the caching client to it:
43
+
<programlisting>
44
+
services.dnscrypt-proxy.localPort = 43;
45
+
</programlisting>
46
+
</para>
47
+
48
+
<sect2><title>dnsmasq</title>
49
+
<para>
50
+
<programlisting>
51
+
{
52
+
services.dnsmasq.enable = true;
53
+
services.dnsmasq.servers = [ "127.0.0.1#43" ];
54
+
}
55
+
</programlisting>
56
+
</para>
57
+
</sect2>
58
+
59
+
<sect2><title>unbound</title>
60
+
<para>
61
+
<programlisting>
62
+
{
63
+
networking.nameservers = [ "127.0.0.1" ];
64
+
services.unbound.enable = true;
65
+
services.unbound.forwardAddresses = [ "127.0.0.1@43" ];
66
+
services.unbound.extraConfig = ''
67
+
do-not-query-localhost: no
68
+
'';
69
+
}
70
+
</programlisting>
71
+
</para>
72
+
</sect2>
73
+
74
+
</sect1>
75
+
76
+
</chapter>