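# NixOS module: unbound as a DNS proxy for the WireGuard subnet.
# Unbound listens only on the wg0 address and forwards every query to
# systemd-resolved's stub listener on 127.0.0.53.
{ ... }:
{
  # all unbound requests are just proxied to resolved served on 127.0.0.53
  services.resolved = {
    enable = true;
  };

  # DNS is reachable only through the VPN interface; other interfaces stay closed.
  networking.firewall.interfaces.wg0.allowedUDPPorts = [ 53 ];

  services.unbound = {
    enable = true;
    user = "unbound";
    group = "unbound";
    # The host itself keeps using resolved; unbound serves VPN clients only.
    resolveLocalQueries = false;
    settings = {
      server = {
        # Level 5 logs every query and response in full; it is useful while
        # debugging but writes client query data to the journal and grows fast.
        verbosity = 5;
        # number of threads to create. 1 disables threading.
        num-threads = 1;
        # specify the interfaces to answer queries from by ip-address.
        # The default is to listen to localhost (127.0.0.1 and ::1).
        # specify 0.0.0.0 and ::0 to bind to all available interfaces.
        # specify every interface[@port] on a new 'interface:' labelled line.
        # The listen interfaces are not changed on reload, only on restart.
        # morj note: only answer queries as vpn server
        interface = [ "192.168.10.1" ];
        # enable this feature to copy the source address of queries to reply.
        # Socket options are not supported on all platforms. experimental.
        # interface-automatic: yes
        #
        # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
        # NOTE: Disabled per Fedora policy not to listen to * on default install
        # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
        interface-automatic = "no";
        # Prefer ipv4 upstream servers, even if ipv6 is available.
        prefer-ip4 = "no";
        # Maximum UDP response size (not applied to TCP response).
        # Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
        # 3072 causes +dnssec any isc.org queries to need TC=1.
        # Helps mitigating DDOS
        max-udp-size = 3072;
        # Enable IPv4, "yes" or "no".
        do-ip4 = "yes";
        # Enable IPv6, "yes" or "no".
        do-ip6 = "yes";
        # Do not answer id.server / hostname.bind and version.server /
        # version.bind queries; nothing on the VPN needs them.
        hide-identity = "yes";
        hide-version = "yes";
        # morj note: same subnet we're listening on
        # control which clients are allowed to make (recursive) queries
        # to this server. Specify classless netblocks with /size and action.
        # By default everything is refused, except for localhost.
        # Choose deny (drop message), refuse (polite error reply),
        # allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),
        # allow_snoop (recursive and nonrecursive ok)
        # deny_non_local (drop queries unless can be answered from local-data)
        # refuse_non_local (like deny_non_local but polite error reply).
        #
        # "allow" is enough for clients that just resolve names; allow_snoop
        # additionally permits non-recursive queries, which let a client probe
        # what is in the cache (i.e. what other VPN clients have looked up).
        access-control = [ "192.168.10.0/24 allow" ];
        # access-control: 0.0.0.0/0 refuse
        # access-control: 127.0.0.0/8 allow
        # access-control: ::0/0 refuse
        # access-control: ::1 allow
        # access-control: ::ffff:127.0.0.1 allow
        # print UTC timestamp in ascii to logfile, default is epoch in seconds.
        log-time-ascii = "yes";
        # if yes, the above default do-not-query-address entries are present.
        # if no, localhost can be queried (for testing and debugging).
        # morj note: important for my use case as a proxy DNS
        # (the only upstream is resolved on 127.0.0.53, a localhost address)
        do-not-query-localhost = "no";
        # module configuration of the server. A string with identifiers
        # separated by spaces. Syntax: "[dns64] [validator] iterator"
        # most modules have to be listed at the beginning of the line,
        # except cachedb(just before iterator), and python (at the beginning,
        # or, just before the iterator).
        # The inner double quotes are part of the value: unbound expects the
        # module list as one quoted string.
        module-config = ''"validator iterator"'';
        # without this setting, requests to upstream servers fail with timeout
        tcp-upstream = "yes";
      };
      # Forward to systemd-resolved for all requests
      forward-zone = {
        name = ".";
        forward-addr = "127.0.0.53";
        # never fall back to iterating from the root on forward failure
        forward-first = "no";
      };
    };
  };
}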