From ac79eafd546e7abe5e279996586921ee7e4eaddd Mon Sep 17 00:00:00 2001
From: Dmitry Voronin
Date: Mon, 21 Oct 2024 20:34:09 +0300
Subject: [PATCH] Dns: Update config & lists.
---
 container/Dns.nix | 120 ++++++++++++++++++++++++---------------------
 1 file changed, 63 insertions(+), 57 deletions(-)
diff --git a/container/Dns.nix b/container/Dns.nix
index 30762e3..1ab7cdb 100644
--- a/container/Dns.nix
+++ b/container/Dns.nix
@@ -3,100 +3,108 @@
 pkgs,
 lib,
 config,
- util,
 ...
-}@args:
-with lib;
+}:
 let
 cfg = config.container.module.dns;
 in
 {
 options = {
 container.module.dns = {
- enable = mkEnableOption "Dns server.";
- address = mkOption {
+ enable = lib.mkEnableOption "the DNS server.";
+ address = lib.mkOption {
 default = "10.1.0.6";
- type = types.str;
+ type = lib.types.str;
 };
- port = mkOption {
+ port = lib.mkOption {
 default = 53;
- type = types.int;
+ type = lib.types.int;
 };
 };
 };
- config = mkIf cfg.enable {
+ config = lib.mkIf cfg.enable {
 containers.dns = container.mkContainer cfg {
 config = { ... }: container.mkContainerConfig cfg {
 environment.systemPackages = [ pkgs.cloudflared ];
- systemd.services.cloudflared = {
- description = "Cloudflare DoH server.";
- enable = true;
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- Type = "simple";
- ExecStart = "${getExe pkgs.cloudflared} proxy-dns --port 5054";
- };
- };
+ # systemd.services.cloudflared = {
+ # description = "Cloudflare DoH server.";
+ # enable = true;
+ # wantedBy = [ "multi-user.target" ];
+ # serviceConfig = {
+ # Type = "simple";
+ # ExecStart = "${lib.getExe pkgs.cloudflared} proxy-dns --port 5054";
+ # };
+ # };
 services.blocky = {
 enable = true;
+ # SRC: https://0xerr0r.github.io/blocky/main/configuration/
 settings = {
- upstream = {
- default = [
- "0.0.0.0:5054"
- "0.0.0.0:5054"
- ];
+ bootstrapDns = "tcp+udp:1.1.1.1";
+ upstreams.groups = {
+ default = [ "https://dns.quad9.net/dns-query" ];
+ };
+ caching = {
+ maxItemsCount = 100000;
+ maxTime = "30m";
+ minTime = "5m";
+ prefetchExpires = "2h";
+ prefetchMaxItemsCount = 100000;
+ prefetchThreshold = 5;
+ prefetching = true;
+ };
 blocking = {
- blackLists = {
+ blockTTL = "1m";
+ blockType = "zeroIP";
+ loading = {
+ refreshPeriod = "1h";
+ strategy = "blocking";
+ downloads = {
+ timeout = "5m";
+ attempts = 3;
+ cooldown = "10s";
+ };
+ };
+ # SRC: https://oisd.nl
+ # SRC: https://v.firebog.net
+ denylists = {
 suspicious = [
- "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
 "https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt"
- "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts"
+ "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" # https://github.com/StevenBlack/hosts
 "https://v.firebog.net/hosts/static/w3kbl.txt"
 ];
 ads = [
- "https://easylist-downloads.adblockplus.org/bitblock.txt"
- "https://adaway.org/hosts.txt"
+ "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"
+ "https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts"
 "https://v.firebog.net/hosts/AdguardDNS.txt"
 "https://v.firebog.net/hosts/Admiral.txt"
- "https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt"
- "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"
 "https://v.firebog.net/hosts/Easylist.txt"
- "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"
- "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts"
- "https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts"
- "https://github.com/easylist/ruadlist/blob/master/advblock/adservers.txt"
 ];
 tracking = [
+ "https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt"
 "https://v.firebog.net/hosts/Easyprivacy.txt"
 "https://v.firebog.net/hosts/Prigent-Ads.txt"
- "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts"
- "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
- "https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt"
 ];
 malicious = [
- "https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt"
- "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"
- "https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt"
- "https://v.firebog.net/hosts/Prigent-Crypto.txt"
- "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts"
- "https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt"
- "https://phishing.army/download/phishing_army_blocklist_extended.txt"
 "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt"
- "https://v.firebog.net/hosts/RPiList-Malware.txt"
- "https://v.firebog.net/hosts/RPiList-Phishing.txt"
- "https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt"
+ "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"
+ "https://phishing.army/download/phishing_army_blocklist_extended.txt"
 "https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts"
+ "https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt"
 "https://urlhaus.abuse.ch/downloads/hostfile/"
+ "https://v.firebog.net/hosts/Prigent-Crypto.txt"
+ "https://v.firebog.net/hosts/Prigent-Malware.txt"
+ ];
+ other = [
+ "https://big.oisd.nl/domainswild"
+ "https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser"
 ];
- other = [ "https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser" ];
 };
- # whiteLists = {
+ # allowlists = {
 # other = [
 # "/.*.vk.com/"
 # ];
@@ -114,20 +122,18 @@ in
 customDNS = {
 mapping = let
- block = "0.0.0.0";
+ block = host: { ${host} = "0.0.0.0"; };
 in {
 # All subdomains to current host.
 # ${config.container.domain} = config.container.host;
 "voronind.com" = "10.0.0.1";
-
- # Blocklist.
- "gosuslugi.ru" = block;
- "rutube.ru" = block;
- "vk.com" = block;
- };
+ }
+ // block "gosuslugi.ru"
+ // block "rutube.ru"
+ // block "vk.com";
 };
- port = cfg.port;
+ ports.dns = cfg.port;
 # httpPort = "80";
 };
 };