system/hosts/tatos/services/dns.nix

{ lib, ... }:

let dnsport = 53; in
{
  services.dnscrypt-proxy2.settings.listen_addresses = [ "[::1]:51" ];

  # Forward loopback traffic on port 53 to dnscrypt-proxy2.
  networking.firewall.extraCommands = ''
    ip6tables --table nat --flush OUTPUT
    ${lib.flip (lib.concatMapStringsSep "\n") [ "udp" "tcp" ] (proto: ''
      ip6tables --table nat --append OUTPUT \
        --protocol ${proto} --destination ::1 --destination-port 53 \
        --jump REDIRECT --to-ports 51
    '')}
  '';

  networking.firewall = {
    allowedTCPPorts = [ dnsport ];
    allowedUDPPorts = [ dnsport ];
  };

  services.dnsmasq = {
    enable = true;
    settings = {
      interface = "wg0";
    };
  };
};
host/tatos: add forwarding traffic to dnscrypt-proxy2 2024-04-16 17:57:37 +03:00			`{ lib, ... }:`

			`let dnsport = 53; in`
			`{`
			`services.dnscrypt-proxy2.settings.listen_addresses = [ "[::1]:51" ];`

			`# Forward loopback traffic on port 53 to dnscrypt-proxy2.`
			`networking.firewall.extraCommands = ''`
			`ip6tables --table nat --flush OUTPUT`
			`${lib.flip (lib.concatMapStringsSep "\n") [ "udp" "tcp" ] (proto: ''`
			`ip6tables --table nat --append OUTPUT \`
			`--protocol ${proto} --destination ::1 --destination-port 53 \`
			`--jump REDIRECT --to-ports 51`
			`'')}`
			`'';`

			`networking.firewall = {`
			`allowedTCPPorts = [ dnsport ];`
			`allowedUDPPorts = [ dnsport ];`
			`};`

			`services.dnsmasq = {`
			`enable = true;`
			`settings = {`
			`interface = "wg0";`
			`};`
			`};`
			`};`