mirror of
https://github.com/nmasur/dotfiles
synced 2024-11-22 18:05:37 +00:00
fix dns issues with ipv6 and local bind
This commit is contained in:
parent
520f0587c8
commit
bf58cf62d3
@ -5,7 +5,12 @@
|
|||||||
# To set this on all home machines, I point my router's DNS resolver to the
|
# To set this on all home machines, I point my router's DNS resolver to the
|
||||||
# local IP address of the machine running this service (swan).
|
# local IP address of the machine running this service (swan).
|
||||||
|
|
||||||
{ config, pkgs, lib, ... }:
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
|
||||||
let
|
let
|
||||||
|
|
||||||
@ -18,8 +23,8 @@ let
|
|||||||
];
|
];
|
||||||
mkRecord = service: "${service} A ${localIp}";
|
mkRecord = service: "${service} A ${localIp}";
|
||||||
localRecords = lib.concatLines (map mkRecord localServices);
|
localRecords = lib.concatLines (map mkRecord localServices);
|
||||||
|
in
|
||||||
in {
|
{
|
||||||
|
|
||||||
config = lib.mkIf config.services.bind.enable {
|
config = lib.mkIf config.services.bind.enable {
|
||||||
|
|
||||||
@ -31,12 +36,20 @@ in {
|
|||||||
|
|
||||||
# Allow requests coming from these IPs. This way I don't somehow get
|
# Allow requests coming from these IPs. This way I don't somehow get
|
||||||
# spammed with DNS requests coming from the Internet.
|
# spammed with DNS requests coming from the Internet.
|
||||||
cacheNetworks = [ "127.0.0.0/24" "192.168.0.0/16" ];
|
cacheNetworks = [
|
||||||
|
"127.0.0.0/24"
|
||||||
|
"192.168.0.0/16"
|
||||||
|
"::1/128" # Required because IPv6 loopback now added to resolv.conf
|
||||||
|
# (see: https://github.com/NixOS/nixpkgs/pull/302228)
|
||||||
|
];
|
||||||
|
|
||||||
# When making normal DNS requests, forward them to Cloudflare to resolve.
|
# When making normal DNS requests, forward them to Cloudflare to resolve.
|
||||||
forwarders = [ "1.1.1.1" "1.0.0.1" ];
|
forwarders = [
|
||||||
|
"1.1.1.1"
|
||||||
|
"1.0.0.1"
|
||||||
|
];
|
||||||
|
|
||||||
ipv4Only = true;
|
ipv4Only = false;
|
||||||
|
|
||||||
# Use rpz zone as an override
|
# Use rpz zone as an override
|
||||||
extraOptions = ''response-policy { zone "rpz"; };'';
|
extraOptions = ''response-policy { zone "rpz"; };'';
|
||||||
@ -59,13 +72,16 @@ in {
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# We must allow DNS traffic to hit our machine as well
|
# We must allow DNS traffic to hit our machine as well
|
||||||
networking.firewall.allowedTCPPorts = [ 53 ];
|
networking.firewall.allowedTCPPorts = [ 53 ];
|
||||||
networking.firewall.allowedUDPPorts = [ 53 ];
|
networking.firewall.allowedUDPPorts = [ 53 ];
|
||||||
|
|
||||||
|
# Set our own nameservers to ourselves
|
||||||
|
networking.nameservers = [
|
||||||
|
"127.0.0.1"
|
||||||
|
"::1"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user