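# DNS policy modules.
#   nixos.dns  - systemd-resolved with DNS-over-TLS and DNSSEC validation.
#   darwin.dns - local dnscrypt-proxy (DoH) that the system resolver points at.
{
  flake.modules.nixos.dns =
    { lib, ... }:
    let
      # "address#hostname": the part after '#' is the name systemd-resolved
      # checks the resolver's TLS certificate against.
      servers = [
        "194.242.2.2#dns.mullvad.net"
        "2a07:e340::2#dns.mullvad.net"
      ];
      # Used only when the primary servers are not usable. Queries then go to
      # a second operator, so this trades some privacy for availability.
      fallbackServers = [
        "1.1.1.1#cloudflare-dns.com"
        "1.0.0.1#cloudflare-dns.com"
      ];
    in
    {
      services.resolved = {
        enable = true;
        settings = {
          Resolve = {
            DNS = servers;
            FallbackDNS = fallbackServers;
            # Strict modes: no silent downgrade to unvalidated or plaintext
            # lookups. Expect resolution to fail rather than degrade.
            DNSSEC = true;
            DNSOverTLS = true;
            # Route-only domain for the root: send every lookup to the
            # servers above instead of per-link (DHCP-provided) resolvers.
            Domains = [ "~." ];
          };
        };
      };

      networking = {
        nameservers = servers;
        networkmanager.dns = lib.mkDefault "systemd-resolved";
      };

      # Workaround mullvad dns REFUSED response
      # NOTE(review): a static hosts entry bypasses the resolver, so this name
      # gets neither DNSSEC validation nor DoT, and the pinned address goes
      # stale whenever the operator renumbers. Re-check it periodically and
      # drop the pin once the upstream REFUSED issue is gone.
      networking.hosts = {
        "216.58.206.78" = [ "www.youtube.com" ];
      };
    };

  flake.modules.darwin.dns =
    { pkgs, lib, ... }:
    let
      # The launchd daemon below sets no UserName, so it presumably runs as
      # root. Its resolver-list cache is therefore kept in root-owned /var/db
      # rather than world-writable /var/tmp, where any local user could
      # pre-create the cache path. The downloaded list is authenticated with
      # minisign_key regardless of where it is cached.
      dnscryptToml = pkgs.writeText "dnscrypt-proxy.toml" ''
        listen_addresses = ['127.0.0.1:53']
        # The exact names of the servers as defined in the public-resolvers list
        server_names = ['mullvad-doh', 'quad9-doh-ip4-filter-pri']

        [sources]
          [sources.'public-resolvers']
          urls = [
            'https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md',
            'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md'
          ]
          cache_file = '/var/db/dnscrypt-proxy-public-resolvers.md'
          minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
      '';
    in
    {
      environment.systemPackages = [ pkgs.dnscrypt-proxy ];

      networking = {
        # Point the system resolver at the local proxy.
        dns = [ "127.0.0.1" ];
        # NOTE(review): the DNS setting is applied per listed network service;
        # any service not named here (e.g. a USB Ethernet adapter) presumably
        # keeps its DHCP-provided, unencrypted resolver - confirm the list
        # covers every interface in use.
        knownNetworkServices = [
          "Wi-Fi"
          "Thunderbolt Bridge"
        ];
      };

      launchd.daemons.dnscrypt-proxy = {
        serviceConfig = {
          Label = "com.dnscrypt.proxy";
          ProgramArguments = [
            "${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy"
            "-config"
            "${dnscryptToml}"
          ];
          RunAtLoad = true;
          # Restart on exit: with system DNS set to 127.0.0.1, a dead proxy
          # means no name resolution at all.
          KeepAlive = true;
          StandardOutPath = "/var/log/dnscrypt-proxy.log";
          StandardErrorPath = "/var/log/dnscrypt-proxy.log";
        };
      };
    };
}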