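# Caching/validating resolver (unbound) for every host that has
# `site.hosts.<name>.services.dnscache.enable` set.
#
# Public names go to Quad9 / Cloudflare over DNS-over-TLS; DN42, Freifunk
# and the local Zentralwerk / C3D2 zones go to their own resolvers in the
# clear.  Those private zones carry no DNSSEC chain from the root, so each
# of them is also declared `domain-insecure` below -- the lists in this
# `let` are the single place to add or remove such a zone.
{ hostName, config, lib, pkgs, ... }:

let
  # DN42 zones, resolved via the DN42 root (stub-zone, primed).
  dn42Zones = [
    "dn42"
    "20.172.in-addr.arpa"
    "21.172.in-addr.arpa"
    "22.172.in-addr.arpa"
    "23.172.in-addr.arpa"
    "d.f.ip6.arpa"
  ];
  dn42Stub = "172.23.0.53";

  # Freifunk zones and their resolvers.
  ffddZones = [ "ffdd" "200.10.in-addr.arpa" "201.10.in-addr.arpa" ];
  ffddResolvers = [ "10.200.0.4" "10.200.0.16" ];

  # Zentralwerk forward and reverse zones, all served by the same host.
  zentralwerkZones = [
    "zentralwerk.dn42"
    "72.20.172.in-addr.arpa"
    "73.20.172.in-addr.arpa"
    "74.20.172.in-addr.arpa"
    "75.20.172.in-addr.arpa"
    "76.20.172.in-addr.arpa"
    "77.20.172.in-addr.arpa"
    "0.0.5.0.2.d.3.c.4.2.0.0.3.2.d.f.ip6.arpa"
  ];
  zentralwerkHost = "dns.serv.zentralwerk.org";

  # C3D2 reverse zone.
  c3d2Reverse = "99.22.172.in-addr.arpa";
  c3d2Host = "ns.c3d2.de";

  # Zones without a DNSSEC chain of trust from the root.  Without
  # `domain-insecure` the validator would mark their answers bogus.
  insecureZones = dn42Zones ++ [ c3d2Reverse ] ++ ffddZones;

  # unbound ships empty default local zones for RFC 1918 / ULA reverse
  # space; `nodefault` removes those so PTR queries reach the forwarders
  # and stubs.  That is exactly the .arpa subset of the insecure zones.
  nodefaultZones = lib.filter (lib.hasSuffix ".arpa") insecureZones;

  # Helpers rendering one unbound line/clause each.  Indentation in the
  # rendered text is cosmetic; unbound only cares about line structure.
  domainInsecure = zone: "  domain-insecure: \"${zone}\"\n";
  localZoneNodefault = zone: "  local-zone: \"${zone}.\" nodefault\n";

  stubZone = zone: ''
    stub-zone:
      name: "${zone}"
      stub-prime: yes
      stub-addr: ${dn42Stub}
  '';

  forwardToHost = host: zone: ''
    forward-zone:
      name: "${zone}"
      forward-host: "${host}"
  '';

  forwardToAddrs = addrs: zone: ''
    forward-zone:
      name: "${zone}"
  '' + lib.concatMapStrings (addr: "  forward-addr: ${addr}\n") addrs;
in

lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
  services.unbound = {
    enable = true;

    # Bind on every address; `allowedAccess` is what gates the clients.
    interfaces = [ "0.0.0.0" "::0" ];

    # Networks allowed to query.  Presumably anything not listed is refused
    # by unbound's default access-control, so a missing prefix shows up as
    # REFUSED rather than as an open resolver -- verify against the module.
    # TODO: generate
    allowedAccess = [
      "fd23:42:c3d2:500::/56"
      "2a02:8106:208:5200::/56"
      "2a02:8106:211:e900::/56"
      "::172.20.72.0/117"
      "::172.22.99.0/120"
      "::1/128"
      "172.20.72.0/21"
      "10.0.0.0/24"
      "10.200.0.0/15"
      "172.22.99.0/24"
      "127.0.0.0/8"
    ];

    extraConfig = ''
      remote-control:
        control-enable: yes
        # NOTE(review): no control-interface is set here, so unbound's
        # default (loopback TCP) applies; with control-use-cert: no every
        # local process can issue unbound-control commands.  A unix-socket
        # control-interface would limit that through file permissions --
        # confirm local tooling does not rely on TCP before changing it.
        control-use-cert: no

      server:
        num-threads: 4
        verbosity: 1
        prefetch: yes
        # Answer from stale cache while a record is refreshed: keeps the site
        # resolving when the upstreams are unreachable, at the cost of
        # serving stale data for that window.
        serve-expired: yes
        cache-min-ttl: 60
        cache-max-ttl: 3600

        # For DNS over TLS: CA bundle used to verify the upstream resolvers
        tls-cert-bundle: ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt

        # allow reverse lookup of rfc1918 space, which includes the DN42 address space
        unblock-lan-zones: yes
        insecure-lan-zones: yes

      ${lib.concatMapStrings domainInsecure insecureZones}
      ${lib.concatMapStrings localZoneNodefault nodefaultZones}
      # Everything else: public resolvers, DNS over TLS only
      forward-zone:
        name: "."
        forward-tls-upstream: yes
        # Quad9
        forward-addr: 2620:fe::fe@853#dns.quad9.net
        forward-addr: 9.9.9.9@853#dns.quad9.net
        forward-addr: 2620:fe::9@853#dns.quad9.net
        forward-addr: 149.112.112.112@853#dns.quad9.net
        # Cloudflare DNS
        forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
        forward-addr: 1.0.0.1@853#cloudflare-dns.com

      # Local networks (plain DNS, one forward-zone per zone)
      ${lib.concatMapStrings (forwardToHost zentralwerkHost) zentralwerkZones}
      # C3D2 reverse
      ${forwardToHost c3d2Host c3d2Reverse}
      # Freifunk
      ${lib.concatMapStrings (forwardToAddrs ffddResolvers) ffddZones}
      # DN42
      ${lib.concatMapStrings stubZone dn42Zones}
    '';
  };
}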