config/networking/services/dns.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

{ config, ... }:

let nets = config.personal.networking.networks;
in {
  services.unbound = {
    enable = true;
    settings = {
      server = {
        module-config = ''"respip validator iterator"'';
        interface =
          [ "127.0.0.1" "${nets.wan.subnet}.1" "${nets.iot.subnet}.1" ];
        access-control = [
          "0.0.0.0/0 refuse"
          "127.0.0.0/8 allow"
          "${nets.wan.subnet}.0/24 allow"
          "${nets.iot.subnet}.0/24 allow"
        ];
      };
      rpz = {
        name = "rpz.oisd.nl";
      };
    };
  };
}