post(nixos-config): utilise malware-blocking dns

- https://1.1.1.1/family/
- add quad9, tls1.3 & enforce dnssec
MDLeom 2020-12-01 10:56:15 +00:00
parent 0a725e9ecf
commit c834bc2d8d
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed file with 22 additions and 6 deletions


@ -156,9 +156,9 @@ Once the secret is generated, TOTP can be enabled using the following config. I
## DNS-over-TLS ## DNS-over-TLS
Since DNS is not encrypted in transit, it risks being tampered. To resolve that, I use DNS-over-TLS which as the name implies, uses TLS to encrypt the DNS traffic. I use `stubby` which creates a DNS resolver that listens on localhost and forward DNS query to the upstream server(s) using DoT. `stubby` enables DNSSEC by default to verify authenticity of the DNS response for supported domains. (This domain mdleom.com has DNSSEC enabled by having a DS record) Since DNS is not encrypted in transit, it risks being tampered. To resolve that, I use DNS-over-TLS which as the name implies, uses TLS to encrypt the DNS traffic. I use `stubby` which creates a DNS resolver that listens on localhost and forward DNS query to the upstream server(s) using DoT. `stubby` enables DNSSEC by default to verify authenticity of the DNS response for supported domains. (This domain mdleom.com has DNSSEC enabled through a DS record)
I use Cloudflare DNS simply because I'm already using its CDN, using other alternatives wouldn't have the privacy benefit since Cloudflare already knows that a visitor is browsing this website though its CDN. Refer to stubby.yml for a full list of supported servers. I use Cloudflare DNS simply because I'm already using its CDN, using other alternatives wouldn't have the privacy benefit since it already knows that a visitor is browsing this website. I add [Quad9](https://quad9.net/) as a backup. Refer to [stubby.yml](https://github.com/getdnsapi/stubby/blob/develop/stubby.yml.example) for a full list of supported servers.
``` nix ``` nix
## DNS-over-TLS ## DNS-over-TLS
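Review bot: the unchanged sentence "`stubby` enables DNSSEC by default" sits at odds with this commit, whose message says "enforce dnssec" and whose second hunk adds `dnssec: GETDNS_EXTENSION_TRUE` to `extraConfig`; if validation were already on by default that line would be redundant, and if it is not, the sentence is wrong. Reword it to match the config, e.g. "I turn on DNSSEC validation explicitly in `extraConfig` so responses for signed zones are verified". Second, the new text calls Quad9 "a backup", but nothing in the config marks it as fallback-only: unless `round_robin_upstreams` is set to 0 (it is not set in this commit), stubby rotates queries across all listed upstreams, so Quad9 would see a share of every lookup and the privacy argument in the same paragraph (only Cloudflare already sees the traffic) no longer holds. Either describe Quad9 as a second resolver or add `round_robin_upstreams: 0` to `extraConfig`. Minor: "risks being tampered" should read "risks being tampered with".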
@ -169,14 +169,30 @@ I use Cloudflare DNS simply because I'm already using its CDN, using other alter
upstreamServers = upstreamServers =
'' ''
## Cloudflare DNS ## Cloudflare DNS
- address_data: 2606:4700:4700::1111 - address_data: 2606:4700:4700::1112
tls_auth_name: "cloudflare-dns.com" tls_auth_name: "cloudflare-dns.com"
- address_data: 2606:4700:4700::1001 - address_data: 2606:4700:4700::1002
tls_auth_name: "cloudflare-dns.com" tls_auth_name: "cloudflare-dns.com"
- address_data: 1.1.1.1 - address_data: 1.1.1.2
tls_auth_name: "cloudflare-dns.com" tls_auth_name: "cloudflare-dns.com"
- address_data: 1.0.0.1 - address_data: 1.0.0.2
tls_auth_name: "cloudflare-dns.com" tls_auth_name: "cloudflare-dns.com"
## Quad9
- address_data: 2620:fe::fe
tls_auth_name: "dns.quad9.net"
- address_data: 2620:fe::9
tls_auth_name: "dns.quad9.net"
- address_data: 9.9.9.9
tls_auth_name: "dns.quad9.net"
- address_data: 149.112.112.112
tls_auth_name: "dns.quad9.net"
'';
extraConfig =
''
# Set TLS 1.3 as minimum acceptable version
tls_min_version: GETDNS_TLS1_3
# Require DNSSEC validation
dnssec: GETDNS_EXTENSION_TRUE
''; '';
}; };
``` ```
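Review bot: the Cloudflare entries move to the malware-blocking addresses (1.1.1.2, 1.0.0.2, 2606:4700:4700::1112 and ::1002) but keep `tls_auth_name: "cloudflare-dns.com"`, whereas Cloudflare documents `security.cloudflare-dns.com` as the DoT authentication name for that service; use the documented name so authentication does not depend on the certificate served on those addresses happening to cover the generic hostname, and check the stubby log after restart for authentication failures against each upstream. Second, `tls_min_version: GETDNS_TLS1_3` causes stubby to reject any upstream that will only negotiate TLS 1.2, and because it then shifts load to the remaining servers the failure is silent; add a comment recording that both Cloudflare and Quad9 were verified to negotiate TLS 1.3 with this setting, or the Quad9 "backup" may never be usable. The `## Quad9` block itself is fine (addresses and `dns.quad9.net` match Quad9's published DoT endpoints).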