author | h7x4 <h7x4@nani.wtf> | 2024-01-20 15:21:45 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-01-20 15:21:45 +0100 |
commit | e7069e4aa2b66cdc57a3f6812f96cb970081d63e (patch) | |
tree | 1a11eb7e81fc794a815e821ec040e5dfd15eca39 /nixos | |
parent | 6b84f4f5073869881e273c08063a97bc35008161 (diff) | |
parent | dfc87b9048ebf19902077ce045d2e465880b35e1 (diff) |
Merge pull request #281055 from majiru/resolved-dns-over-tls
nixos/resolved: add dnsovertls option
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/system/boot/resolved.nix | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/nixos/modules/system/boot/resolved.nix b/nixos/modules/system/boot/resolved.nix
index 538f71cc0b9ae..c42c88163c564 100644
--- a/nixos/modules/system/boot/resolved.nix
+++ b/nixos/modules/system/boot/resolved.nix
@@ -95,6 +95,29 @@ in
 '';
 };
 
+ services.resolved.dnsovertls = mkOption {
+ default = "false";
+ example = "true";
+ type = types.enum [ "true" "opportunistic" "false" ];
+ description = lib.mdDoc ''
+ If set to
+ - `"true"`:
+ all DNS lookups will be encrypted. This requires
+ that the DNS server supports DNS-over-TLS and
+ has a valid certificate. If the hostname was specified
+ via the `address#hostname` format in {option}`services.resolved.domains`
+ then the specified hostname is used to validate its certificate.
+ - `"opportunistic"`:
+ all DNS lookups will attempt to be encrypted, but will fallback
+ to unecrypted requests if the server does not support DNS-over-TLS.
+ Note that this mode does allow for a malicious party to conduct a
+ downgrade attack by immitating the DNS server and pretending to not
+ support encryption.
+ - `"false"`:
+ all DNS lookups are done unencrypted.
+ '';
+ };
+
 services.resolved.extraConfig = mkOption {
 default = "";
 type = types.lines;
@@ -141,6 +164,7 @@ in
 "Domains=${concatStringsSep " " cfg.domains}"}
 LLMNR=${cfg.llmnr}
 DNSSEC=${cfg.dnssec}
+ DNSOverTLS=${cfg.dnsovertls}
 ${config.services.resolved.extraConfig}
 '';
|
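Review bot: The `"true"` branch of the new description sends users to `{option}`services.resolved.domains`` for the `address#hostname` form, but `Domains=` carries search/routing domains; in resolved.conf the `#server_name` suffix belongs to the `DNS=` server entries, which this module presumably fills from `networking.nameservers` outside this hunk. A reader who follows the text as written would put the hostname where it cannot drive certificate validation, so the reference should be changed to the nameserver option, e.g. `via the `address#hostname` format in {option}`networking.nameservers``. The same description has spelling slips worth fixing before merge: `unecrypted` → `unencrypted`, `immitating` → `imitating`, and `fallback` → `fall back`. Since the strict mode makes lookups fail when the certificate cannot be validated, stating that outright next to the opportunistic downgrade caveat would let readers choose between the two modes knowingly.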