{
	config,
	container,
	lib,
	pkgs,
	...
}: let
	cfg = config.container.module.dns;
in {
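	# Options for the DNS container module. The values are read back through
	# `cfg` and handed to the container helpers and to blocky's settings.
	options.container.module.dns = {
		# mkEnableOption already wraps the text as "Whether to enable <text>.",
		# so the text itself carries no trailing period.
		enable = lib.mkEnableOption "the DNS server";
		address = lib.mkOption {
			default     = "10.1.0.6";
			type        = lib.types.str;
			# NOTE(review): not referenced directly in this file; presumably
			# consumed by container.mkContainer through `cfg` — confirm.
			description = "IP address of the DNS container.";
		};
		port = lib.mkOption {
			default     = 53;
			# types.port restricts the value to the 16-bit port range, so an
			# out-of-range number fails at evaluation time instead of reaching
			# blocky's `ports.dns` setting.
			type        = lib.types.port;
			description = "Port on which blocky listens for DNS queries.";
		};
	};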

	# When the module is enabled, define the `dns` container and run blocky in
	# it as a caching, filtering resolver. Container plumbing comes from the
	# project helpers container.mkContainer / container.mkContainerConfig.
	config = lib.mkIf cfg.enable {
		containers.dns = container.mkContainer cfg {
			config = { ... }: container.mkContainerConfig cfg {
				services.blocky = {
					enable = true;
					# REF: https://0xerr0r.github.io/blocky/main/configuration/
					settings = {
						# Plain DNS over TCP and UDP to 1.1.1.1.
						# NOTE(review): per the blocky docs the bootstrap resolver looks
						# up the hostnames of the DoH upstream and of the list downloads,
						# so those lookups are unencrypted and unauthenticated. The HTTPS
						# certificate check on the follow-up connection is what rejects a
						# spoofed answer.
						bootstrapDns     = "tcp+udp:1.1.1.1";
						connectIPVersion = "v4";
						# Listen port comes from the module option.
						ports.dns        = cfg.port;
						# httpPort = "80";
						# Single DNS-over-HTTPS upstream.
						# NOTE(review): with one entry there is no fallback resolver; if it
						# is unreachable, names that are not cached will fail to resolve.
						upstreams.groups = {
							default = [
								"https://dns.quad9.net/dns-query"
							];
						};
						# Cache tuning. Per the blocky docs, minTime/maxTime bound how long
						# an answer is kept, and names queried more than prefetchThreshold
						# times within prefetchExpires are refreshed before they expire.
						caching = {
							maxItemsCount         = 100000;
							maxTime               = "30m";
							minTime               = "5m";
							prefetchExpires       = "2h";
							prefetchMaxItemsCount = 100000;
							prefetchThreshold     = 5;
							prefetching           = true;
						};
						blocking = {
							# Blocked names are answered with the zero IP and a 1 minute TTL,
							# so removing a list entry takes effect on clients quickly.
							blockTTL  = "1m";
							blockType = "zeroIP";
							loading = {
								refreshPeriod = "24h";
								# "blocking": the lists are loaded before resolution starts.
								# NOTE(review): as I read the blocky docs, a list that still
								# fails after the retries below is skipped rather than aborting
								# start-up ("failOnError" is the strategy that aborts). A failed
								# download therefore reduces coverage silently — watch the logs.
								strategy      = "blocking";
								downloads = {
									attempts = 3;
									cooldown = "10s";
									timeout  = "5m";
								};
							};
							# SRC: https://oisd.nl
							# SRC: https://v.firebog.net
							# Every list below is fetched at runtime from a third-party URL
							# (several from a mutable `master` branch) and refreshed every 24h
							# with no pinning or integrity check. Whoever controls a list can
							# make any name resolve to the zero IP for all clients: an
							# availability risk, not a redirect, because blockType is "zeroIP".
							denylists = {
								suspicious = [
									"https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt"
									"https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" # https://github.com/StevenBlack/hosts
									"https://v.firebog.net/hosts/static/w3kbl.txt"
								];
								ads = [
									"https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"
									"https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts"
									"https://v.firebog.net/hosts/AdguardDNS.txt"
									"https://v.firebog.net/hosts/Admiral.txt"
									"https://v.firebog.net/hosts/Easylist.txt"
								];
								tracking = [
									"https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt"
									"https://v.firebog.net/hosts/Easyprivacy.txt"
									"https://v.firebog.net/hosts/Prigent-Ads.txt"
								];
								malicious = [
									"https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt"
									"https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"
									"https://phishing.army/download/phishing_army_blocklist_extended.txt"
									"https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts"
									"https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt"
									"https://urlhaus.abuse.ch/downloads/hostfile/"
									"https://v.firebog.net/hosts/Prigent-Crypto.txt"
									"https://v.firebog.net/hosts/Prigent-Malware.txt"
								];
								other = [
									"https://big.oisd.nl/domainswild"
									"https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser"
								];
							};
							# Disabled allowlist example.
							# NOTE(review): if this is re-enabled, escape the dots in the
							# pattern; as written each "." matches any character, so the
							# allowlist would exempt more names than intended.
							# allowlists = {
							#   other = [
							#     "/.*.vk.com/"
							#   ];
							# };
							# All five denylist groups apply to the `default` client group.
							clientGroupsBlock = {
								default = [
									"ads"
									"malicious"
									"other"
									"suspicious"
									"tracking"
								];
							};
						};
						# Static answers served by blocky itself.
						# NOTE(review): per the blocky docs a mapping also covers the
						# subdomains of the listed name — confirm for the pinned version.
						customDNS = {
							mapping = let
								# Builds a one-entry mapping that answers `host` with 0.0.0.0.
								block = host: { ${host} = "0.0.0.0"; };
							in {
								# All subdomains to current host.
								# ${config.container.domain} = config.container.host;
								"voronind.com" = "10.0.0.1";
							}
							# `//` merges right over left, so a later entry with the same
							# name would replace an earlier one.
							// block "gosuslugi.ru"
							// block "rutube.ru"
							// block "vk.com"
							;
						};
					};
				};
			};
		};
	};
}