encrypted dns

2025-01-28 19:54:36 +01:00 · 2025-01-28 19:54:36 +01:00 · d62b9c76d2
commit d62b9c76d2
parent 59c4d9dd11
11 changed files with 130 additions and 51 deletions
--- a/common/firefox.nix
+++ b/common/firefox.nix
@ -62,6 +62,11 @@ in
          "media.hardware-video-decoding.enabled" = true;
          "media.ffmpeg.vaapi.enabled" = true;
          "network.dns.disableIPv6" = true;
+          # "network.dns.DNS_HTTPS.domain" = "::1";
+          "network.connectivity-service.DNSv4.domain" = "127.0.0.1";
+          "network.connectivity-service.DNSv6.domain" = "::1";
+          network.dns.localDomains = "::1";
+          network.dns.forceResolve = true;
          "media.rdd-ffmpeg.enabled" = true;
          "media.navigator.mediadatadecoder_vpx_enabled" = true;
        } // optionalAttrs sway.enable { "browser.tabs.inTitlebar" = 0; };
--- a/common/tooling/nix-index.nix
+++ b/common/tooling/nix-index.nix
@ -13,6 +13,7 @@ in
  users.users."${user}" = {
    isSystemUser = true;
    group = user;
+    uid = 995;
  };
  users.groups."${user}" = { };

--- a/hardening/default.nix
+++ b/hardening/default.nix
@ -10,6 +10,7 @@
    ./apparmor
    ./opensnitch
    ./security.nix
+    ./encrypt-dns.nix
  ];

  specialisation.unhardened.configuration = {
--- a/hardening/encrypt-dns.nix
+++ b/hardening/encrypt-dns.nix
@ -0,0 +1,39 @@
+{ pkgs, config, lib, ... }:
+{
+  networking = {
+    nameservers = lib.mkForce [ "127.0.0.1" "::1" ];
+    dhcpcd.extraConfig = "nohook resolv.conf"; # dhcp
+    networkmanager.dns = "none"; # nm
+    resolvconf.useLocalResolver = true; # resoved
+  };
+
+  services.dnscrypt-proxy2 = {
+    enable = true;
+    settings = {
+      ipv6_servers = config.networking.enableIPv6;
+      ipv4_servers = true;
+      require_dnssec = true;
+      dnscrypt_servers = true;
+      doh_servers = true;
+      odoh_servers = false;
+      require_nolog = true;
+      require_nofilter = true;
+
+      sources.public-resolvers = {
+        urls = [
+          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+        ];
+        cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
+        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+      };
+
+      # You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
+      # server_names = [ ... ];
+    };
+  };
+
+  systemd.services.dnscrypt-proxy2.serviceConfig = {
+    StateDirectory = "dnscrypt-proxy";
+  };
+}
--- a/hardening/opensnitch/cups.nix
+++ b/hardening/opensnitch/cups.nix
@ -48,7 +48,7 @@ in
            {
              type = "regexp";
              operand = "dest.port";
-              data = "5353|53";
+              data = "5353";
            }
            {
              type = "simple";
@ -77,7 +77,7 @@ in
            {
              type = "regexp";
              operand = "dest.port";
-              data = "53|631|80";
+              data = "631|80";
            }
            {
              type = "lists";
--- a/hardening/opensnitch/default.nix
+++ b/hardening/opensnitch/default.nix
@ -29,6 +29,7 @@ in
    ./network_support.nix
    ./firefox.nix
    ./tooling.nix
+    ./dns.nix
  ];

  config = mkIf (enable && tooling.enable && network) {
--- a/hardening/opensnitch/dns.nix
+++ b/hardening/opensnitch/dns.nix
@ -0,0 +1,77 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (config.grimmShared)
+    enable
+    tooling
+    network
+    ;
+  inherit (lib)
+    getExe
+    mkIf
+    ;
+
+  created = "1970-01-01T00:00:00.0+00:00";
+
+  dnscrypt_proxy_user = "dnscrypt-proxy2";
+in
+{
+
+  config = mkIf (enable && tooling.enable && network) {
+    users.users."${dnscrypt_proxy_user}" = {
+      isSystemUser = true;
+      group = dnscrypt_proxy_user;
+      uid = 991;
+    };
+    users.groups."${dnscrypt_proxy_user}" = { };
+
+    systemd.services.dnscrypt-proxy2.serviceConfig = {
+      DynamicUser = lib.mkForce true;
+      User = dnscrypt_proxy_user;
+      Group = dnscrypt_proxy_user;
+    };
+
+    services.opensnitch.rules = {
+      dnscrypt-proxy = mkIf (config.services.dnscrypt-proxy2.enable) {
+        name = "dnscrypt-proxy";
+        enabled = true;
+        action = "allow";
+        duration = "always";
+        inherit created;
+        operator = {
+          type = "list";
+          operand = "list";
+          list = [
+            {
+              type = "simple";
+              sensitive = false;
+              operand = "process.path";
+              data = getExe pkgs.dnscrypt-proxy;
+            }
+            {
+              type = "regexp";
+              operand = "dest.port";
+              data = "53|443|4434|5443";
+            }
+            #  {
+            #    type = "lists";
+            #    operand = "lists.nets";
+            #    data = pkgs.writeTextDir "cidr_dns.list" (
+            #      concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network)
+            #    );
+            #  }
+            {
+              type = "simple";
+              operand = "user.id";
+              data = builtins.toString (config.users.users."${dnscrypt_proxy_user}".uid);
+            }
+          ];
+        };
+      };
+    };
+  };
+}
--- a/hardening/opensnitch/network_support.nix
+++ b/hardening/opensnitch/network_support.nix
@ -11,60 +11,15 @@ let
    network
    ;
  inherit (lib)
-    getExe
-    concatLines
    getExe'
    mkIf
    ;

-  local_network = [
-    "192.168.0.0/16"
-    "10.0.0.0/8"
-    "172.16.0.0/12"
-    "fc00::/7"
-  ];
-
  created = "1970-01-01T00:00:00.0+00:00";
 in
 {
  config = mkIf (enable && tooling.enable && network) {
    services.opensnitch.rules = {
-      nsncd = mkIf (config.services.nscd.enableNsncd) {
-        name = "nsncd-dns";
-        enabled = true;
-        action = "allow";
-        duration = "always";
-        inherit created;
-        operator = {
-          type = "list";
-          operand = "list";
-          list = [
-            {
-              type = "simple";
-              sensitive = false;
-              operand = "process.path";
-              data = getExe pkgs.nsncd;
-            }
-            {
-              type = "simple";
-              operand = "dest.port";
-              data = "53";
-            }
-            {
-              type = "lists";
-              operand = "lists.nets";
-              data = pkgs.writeTextDir "cidr_dns.list" (
-                concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network)
-              );
-            }
-            {
-              type = "simple";
-              operand = "user.id";
-              data = builtins.toString (lib.defaultTo 997 config.users.users.nscd.uid);
-            }
-          ];
-        };
-      };
      network-manager = mkIf (config.networking.networkmanager.enable) {
        name = "network-manager";
        enabled = true;
--- a/hardening/opensnitch/nix.nix
+++ b/hardening/opensnitch/nix.nix
@ -39,7 +39,7 @@ in
            {
              type = "regexp";
              operand = "dest.port";
-              data = "53|443";
+              data = "443";
            }
            {
              type = "simple";
@ -70,7 +70,7 @@ in
            {
              type = "regexp";
              operand = "dest.port";
-              data = "53|443";
+              data = "443";
            }
            {
              type = "regexp";
--- a/hardening/opensnitch/osu.nix
+++ b/hardening/opensnitch/osu.nix
@ -51,7 +51,7 @@ in
            {
              type = "regexp";
              operand = "dest.port";
-              data = "443|53";
+              data = "443";
            }
            {
              type = "regexp";
--- a/hardening/opensnitch/time.nix
+++ b/hardening/opensnitch/time.nix
@ -39,7 +39,7 @@ in
            {
              type = "regexp";
              operand = "dest.port";
-              data = "123|37|53";
+              data = "123|37";
            }
            #              {
            #                type = "regexp";