diff options
Diffstat (limited to 'nixpkgs/nixos/modules/services/networking/dnscrypt-proxy.xml')
-rw-r--r-- | nixpkgs/nixos/modules/services/networking/dnscrypt-proxy.xml | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/nixpkgs/nixos/modules/services/networking/dnscrypt-proxy.xml b/nixpkgs/nixos/modules/services/networking/dnscrypt-proxy.xml new file mode 100644 index 000000000000..afc7880392a1 --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/dnscrypt-proxy.xml @@ -0,0 +1,66 @@ +<chapter xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="sec-dnscrypt-proxy"> + <title>DNSCrypt client proxy</title> + <para> + The DNSCrypt client proxy relays DNS queries to a DNSCrypt enabled upstream + resolver. The traffic between the client and the upstream resolver is + encrypted and authenticated, mitigating the risk of MITM attacks, DNS + poisoning attacks, and third-party snooping (assuming the upstream is + trustworthy). + </para> + <sect1 xml:id="sec-dnscrypt-proxy-configuration"> + <title>Basic configuration</title> + + <para> + To enable the client proxy, set +<programlisting> +<xref linkend="opt-services.dnscrypt-proxy.enable"/> = true; +</programlisting> + </para> + + <para> + Enabling the client proxy does not alter the system nameserver; to relay + local queries, prepend <literal>127.0.0.1</literal> to + <option>networking.nameservers</option>. + </para> + </sect1> + <sect1 xml:id="sec-dnscrypt-proxy-forwarder"> + <title>As a forwarder for another DNS client</title> + + <para> + To run the DNSCrypt proxy client as a forwarder for another DNS client, + change the default proxy listening port to a non-standard value and point + the other client to it: +<programlisting> +<xref linkend="opt-services.dnscrypt-proxy.localPort"/> = 43; +</programlisting> + </para> + + <sect2 xml:id="sec-dnscrypt-proxy-forwarder-dsnmasq"> + <title>dnsmasq</title> + <para> +<programlisting> +{ + <xref linkend="opt-services.dnsmasq.enable"/> = true; + <xref linkend="opt-services.dnsmasq.servers"/> = [ "127.0.0.1#43" ]; +} +</programlisting> + </para> + </sect2> + + <sect2 xml:id="sec-dnscrypt-proxy-forwarder-unbound"> + <title>unbound</title> + <para> +<programlisting> +{ + <xref linkend="opt-services.unbound.enable"/> = true; + <xref linkend="opt-services.unbound.forwardAddresses"/> = [ "127.0.0.1@43" ]; +} +</programlisting> + </para> + </sect2> + </sect1> +</chapter> |