colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

common: net: switch DNS resolver from unbound to BIND

Browse Source
This commit is contained in:
Colin
2024-12-30 04:25:14 +00:00
parent 424f61f782
commit acd20e23d9
3 changed files with 28 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
hosts/common/net/dns/bind.nix
View File

@@ -1,15 +1,25 @@
{ lib, ... }: { config, lib, ... }:
{ {
services.bind.enable = lib.mkDefault true; config = lib.mkIf (!config.sane.services.hickory-dns.asSystemResolver) {
services.bind.forwarders = []; #< don't forward queries to upstream resolvers services.resolved.enable = lib.mkForce false;
services.bind.cacheNetworks = [
"127.0.0.0/24"
"::1/128"
"10.0.0.0/16"
];
services.bind.extraOptions = ''
port 953;
'';
networking.resolvconf.useLocalResolver = false; #< undo bind making this default true services.bind.enable = lib.mkDefault true;
services.bind.forwarders = []; #< don't forward queries to upstream resolvers
services.bind.cacheNetworks = [
"127.0.0.0/24"
"::1/128"
"10.0.0.0/16"
];
# when testing, deploy on a port other than 53
# services.bind.extraOptions = ''
# listen-on port 953 { any; };
# '';
# services.bind.listenOn = [];
# services.bind.listenOnIpv6 = [];
# networking.resolvconf.useLocalResolver = false; #< undo bind making this default true
# TODO: how to exempt `pool.ntp.org` from DNSSEC checks, as i did when using unbound?
};
} }

4
hosts/common/net/dns/unbound.nix
View File

@@ -1,7 +1,9 @@
# `man unbound.conf` for info on settings # `man unbound.conf` for info on settings
# it's REALLY EASY to combine settings in a way that produce bad effects. # it's REALLY EASY to combine settings in a way that produce bad effects.
# generally, prefer to stay close to defaults unless there's a compelling reason to differ. # generally, prefer to stay close to defaults unless there's a compelling reason to differ.
{ config, lib, pkgs, ... }: { { config, lib, ... }:
lib.optionalAttrs false #< XXX(2024-12-29): unbound caches failed DNS resolutions, just randomly breaks connectivity daily
{
config = lib.mkIf (!config.sane.services.hickory-dns.asSystemResolver) { config = lib.mkIf (!config.sane.services.hickory-dns.asSystemResolver) {
services.resolved.enable = lib.mkForce false; services.resolved.enable = lib.mkForce false;

4
modules/netns.nix
View File

@@ -3,7 +3,9 @@ let
cfg = config.sane.netns; cfg = config.sane.netns;
nsIpv4 = builtins.head (builtins.filter nsIpv4 = builtins.head (builtins.filter
(ns: (builtins.match "[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+" ns) != null) (ns: (builtins.match "[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+" ns) != null)
config.networking.nameservers config.networking.nameservers ++ lib.optionals config.networking.resolvconf.useLocalResolver [
"127.0.0.1" "::1"
]
); );
netnsOpts = with lib; types.submodule { netnsOpts = with lib; types.submodule {
options = { options = {