nixos/resolved: add dnsovertls option

2025-07-14 14:10:33 +03:00 · 2024-01-14 20:35:02 -06:00 · 2024-01-14 20:35:02 -06:00 · dfc87b9048
commit dfc87b9048
parent 87b9bf8ea4
1 changed files with 24 additions and 0 deletions
--- a/nixos/modules/system/boot/resolved.nix
+++ b/nixos/modules/system/boot/resolved.nix
@ -95,6 +95,29 @@ in
      '';
    };

+    services.resolved.dnsovertls = mkOption {
+      default = "false";
+      example = "true";
+      type = types.enum [ "true" "opportunistic" "false" ];
+      description = lib.mdDoc ''
+        If set to
+        - `"true"`:
+            all DNS lookups will be encrypted. This requires
+            that the DNS server supports DNS-over-TLS and
+            has a valid certificate. If the hostname was specified
+            via the `address#hostname` format in {option}`services.resolved.domains`
+            then the specified hostname is used to validate its certificate.
+        - `"opportunistic"`:
+            all DNS lookups will attempt to be encrypted, but will fallback
+            to unecrypted requests if the server does not support DNS-over-TLS.
+            Note that this mode does allow for a malicious party to conduct a
+            downgrade attack by immitating the DNS server and pretending to not
+            support encryption.
+        - `"false"`:
+            all DNS lookups are done unencrypted.
+      '';
+    };
+
    services.resolved.extraConfig = mkOption {
      default = "";
      type = types.lines;
@ -141,6 +164,7 @@ in
          "Domains=${concatStringsSep " " cfg.domains}"}
        LLMNR=${cfg.llmnr}
        DNSSEC=${cfg.dnssec}
+        DNSOverTLS=${cfg.dnsovertls}
        ${config.services.resolved.extraConfig}
      '';