From bad0deb8e54ef3708868f8e17d2cc88ed02a9d67 Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Thu, 4 Jul 2024 11:21:51 +0200
Subject: [PATCH] replace dnscrypt-wrapper with dnsdist

---
 configuration.nix | 3 +-
 nameserver.nix | 43 ++++++++++-----
 secrets/default.nix | 132 ++++++++++++++++++++++----------------------
 3 files changed, 96 insertions(+), 82 deletions(-)

diff --git a/configuration.nix b/configuration.nix
index 045ba9a..4e83613 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -44,6 +44,7 @@
 hostName = "maxwell";
 
 firewall.allowedTCPPorts = [
+ 53 # dns
 443 80 # reverse proxy
 993 # imaps server
 25 465 # smtp(s) server
@@ -54,7 +55,7 @@
 ];
 firewall.allowedUDPPorts = [
 443 # dnscrypt
- 53 # powerdns
+ 53 # dns
 21027 # syncthing discovery
 64738 # mumble server
 ];
diff --git a/nameserver.nix b/nameserver.nix
index f369c6d..eca3a57 100644
--- a/nameserver.nix
+++ b/nameserver.nix
@@ -1,10 +1,10 @@
 { config, lib, ... }:
 
 # Setup:
-# PDNS recursor on port 53
-# DNSCrypt wrapper on port 5353
-# NCDNS for Namecoin bit. zone resolution
-# sslh handling both HTTP and DSN on 443
+# pdns-recursor on localhost:55
+# dnsdist on port 53 (DNS) and localhost:54 (DNSCrypt)
+# sslh handling both HTTP and DNS on port 443
+# ncdns for Namecoin bit. zone resolution
 
 {
 # Recursive DNS resolver
@@ -12,17 +12,30 @@
 { enable = true;
 # Configures the bit. zone
 resolveNamecoin = true;
- # Use both IPv4 and IPv6
- dns.allowFrom = [ "0.0.0.0/0" "::0/0" ];
- settings.local-address = [ "0.0.0.0" "::" ];
+ dns.port = 55;
 };
 
- # Wrap the local recursive resolver in DNSCrypt
- services.dnscrypt-wrapper =
- { enable = true;
- address = "[::]";
- providerKey.public = config.secrets.dnscrypt.pub;
- providerKey.secret = config.secrets.dnscrypt.sec;
+ # Public DNS resolver
+ services.dnsdist =
+ { enable = true;
+ extraConfig = ''
+ -- Listen on IPv6 and IPv4
+ setLocal("[::]:53"); addLocal("0.0.0.0:53")
+
+ -- Allow everything
+ setACL({"0.0.0.0/0", "::/0"})
+
+ -- Set upstream resolver
+ newServer({address="[::1]:55", name="pdns"})
+ '';
+ };
+
+ # DNSCrypt endpoint
+ services.dnsdist.dnscrypt =
+ { enable = true;
+ listenAddress = "[::1]";
+ listenPort = 54;
+ providerKey = config.secrets.dnscrypt.sec;
 };
 
 # Demultiplex HTTP and DNS from port 443
@@ -38,8 +51,8 @@
 [ # Send TLS to nginx (TCP)
 { name = "tls"; host = "localhost"; port= "443"; }
 # Send DNSCrypt to dnscrypt-wrapper (TCP or UDP)
- { name = "anyprot"; host = "localhost"; port = "5353"; }
- { name = "anyprot"; host = "localhost"; port = "5353";
+ { name = "anyprot"; host = "localhost"; port = "54"; }
+ { name = "anyprot"; host = "localhost"; port = "54";
 is_udp = true; udp_timeout = 100; }
 ];
 };
diff --git a/secrets/default.nix b/secrets/default.nix
index 650a9a9..4259a5d 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
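Review bot: The new dnsdist config's `setACL({"0.0.0.0/0", "::/0"})` keeps this host answering recursive queries for the whole Internet over UDP 53 (as the removed `dns.allowFrom` already did) but adds no abuse controls, so it remains usable as a DNS reflection/amplification source now that the firewall exposes 53 on both transports. dnsdist can bound that in the same `extraConfig` with a per-client rate limit and by forcing ANY-over-UDP to TCP, e.g. `addAction(MaxQPSIPRule(50), DropAction())` and `addAction(AndRule({QTypeRule(DNSQType.ANY), TCPRule(false)}), TCAction())` (names as in current dnsdist releases; tune the QPS to real client load). The `-- Allow everything` comment would be more useful stating that an open resolver is intended and that dnsdist is now the only exposure point, since the recursor itself moved to loopback port 55.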
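Review bot: The DNSCrypt backend now binds only to IPv6 loopback (`listenAddress = "[::1]"` in the dnsdist block above), yet both anyprot entries still forward with `host = "localhost"`; if sslh resolves localhost to 127.0.0.1 first, every DNSCrypt session demultiplexed from port 443 will be refused, whereas the removed wrapper bound `[::]` and accepted either family. Pin both sides to the same literal, e.g. `host = "::1"` in the two anyprot entries, or bind the dnsdist DNSCrypt listener to 127.0.0.1 and use that here (confirm sslh's accepted syntax for an IPv6 literal). The context comment `# Send DNSCrypt to dnscrypt-wrapper (TCP or UDP)` is now stale and should read `# Send DNSCrypt to dnsdist (TCP or UDP)`. The enclosing services.sslh block begins above the hunk.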
@@ -1,66 +1,66 @@ -U2FsdGVkX1/ZJj5EU5b+BSTf5NlPUY/G67cJHbDVBovQKquVFMf1P+ZAcmIV62qA -HbyNN08YRY65vgRzWtU6wRg3q7ifWN82keCjX29Z7S2vYXCzi40UHPmRBBRawVY2 -9pjng2Zo53csln9O+MZAPeVV1E85WI3iLvfX+dhvyDzwzFQ3BxdL824MxctLTJPt -Ja/GVm0CYcPZTJTzPXJEBUwZxu/oc2HHv9OR9a5I8gqyZOwAiIXQ8rTSU2zPzulp -xoKL9RgtYonW1UT/XZHOsDEk9Xdd1EcbY1chumYUErtKTouRimWrjnTePsYcQy6f -griuXE4Lb8xFu6oxsY7Kziwo5B2r5to8dLB0soOWCSImRBy11ntqxezOY6+43YIa -FUtSTdzBq171tQ5opAIuiCLAos/94rKiktxAEbTMScsJbubvPex1qGTGG1Cvj5hZ -mA54Elpsjup7rdSkcYVTXojoDA/VR2HP90coBpYD6qRj8IdPfvs7fQu46BQSGKN6 -3VVgmHiMhfraefaL5ldqr/M8FS6vyXSJV9KR7TQ6ha3RgPSYB3EjsC0LRrENuYRO -eO6KXxmYj3iFtud7gIulsiKXD0WdzPFMH/Od/Tu6LLAFCqFyIBkVuwksxNlHCZ/H -6ayiSSLNwviY6xSYvZURY7t/l8SCiikRyIsdSR6b+oe+mwkAZ7W9XwLLZc2G2oCd -FTzvcRv2o9eKr/pnXFPpMgTJ1LJp7wiLOf7xcDY2mZV7mCVm7+3Hzc4W0tiEQ4Uv -vDSofcTfWZV2PZftekk3//Yt8hLsH1JgtvPxNWtVC+U/504R0FtV4YbYOm98EJJt -j5ufDSRvo99v+wyokkq4Uv8ysHxTXLeQ4VwxDOvkjRnT4P5QhhE1ontJJWHAuPne -6JmWMUihKBNz/PKL3tloXWjrf/bfdSfbDh5vYI0C9B6LhnQPeBOjgfdVzuoMvCJ4 -EH4Btz9qtELlNNnWFXIB0n5mBlAIflILpLi1dD5900KQd0T5U2eJh6S371HLqjaq -pQoBIQfGFKDy9dFUxHKG2A76KfoTvBSNw5/ZxSbMZ0+YEToX0LRQ6Vz7Yqn/TDBn -cBBMyuBE88xsEC7TluKd88EYhuE0LAVY0SgiHCsRDs2fwrLO2Th0mwHqQJvb9dwz -h3g7RgM0+nZZXGUl1U81XNK/TB1jj28KyFYBV/sXAqBOiJTwUx86lNYIhJ88l+B8 -hzlYT1YmgmeiRu+wtIfBPyhpFdyWIK3eY3C/YI3Uh2GN2ulHrPjJLusefzd3EWQz -MS8bNOx39v0dl8oI4Mgmu00dy8uwFzr1tA4XUKmo2bXX7aEV7c7MRYZNRYxukq8n -HPKH8/gmlpMdK2WoMwgRuJCGZaW/9ruGYlJArzViHoBeypyn/TZOxGLTKqfStcX+ -VdP03n2Wa5E3b1p5eqdJ7xUAl6qJQeT7LoWMTZaPkAEEmRoDembMe9JKxW4qRzzY -Ez5cKscrEI32m0Owa2u1enRLQ037s5ow9chYbAenaHuKL9aHIqr7ktcrEqC0f+sB -GSQ1MDiArNmAKDoFj0c1tiByLcuc6vKqLkE8OUmiPy9Yejldejpu2TAH/OHl8Rrc -xvGKYLj+R7przdoklFDgVVXIoJywv1KKdmhjnjKUjX5c294Xi7eZkbFXTX9MIZ27 -EZ/Sj2paCaSLOo9Z5j0xFWHKMAkIKHSmcFsRPrulA3V8W9ox1VbXcpR0XRItNBgw -I9BWKvAXwiwB78JXlhacglr/Pc7B4B180qXHMR28YDi578PhiTHUstfoD2aBDePx -LEUe4+ibp4aBMgCh4Aup/JFx2YaXwoQUeJQnF9YxMpPhmrGbl1/XyGIR4AdW8nf8 -wD7JR0G9PQnn9HUi6j6JaO7ONwwVoeV7greMHBPSMLSQMlrjcUSM0NQ+A2GNCcMK 
-vMQkDXx/za8wkCPdBCRYUSv4zqeQocTxTH48InVg4/gAXp52L7vYPuGA3G3JMtI5 -f5C0e2y9swUmeBTT83taY0p99xVJF+c62J7vbiEa8pkqtz7HMet25nIpEguewzMk -JQdmDVPjxXheIbWphE87UN+ePVkfie6o06/wIb/ug7rAKKeVP+CQT9/w7h+ViZ/m -Z4QMgMuevZ2hHVNRePSgOPS0OQ/LqrKm2PGokgYplirtL/BORObb3QwgKQ5ihNto -9U2YzoAKPhGYj5o0FYBzKlUt0JatGhpTDQQZz7Y7yrJDIZ62IvTJgmfMALmbXovD -oRWVFKeafV/1XQtJ7PxFyHyVfjHVch6luAv+ziCECXmWz4m5liCdh65lu6Ff53Xa -T8yLHV+2UwCmc8gzuzdFa4RJDSx0+UgoA/GUCnqmkQVbNBFtzLq9zXtQhyAXdcSQ -dfYtIW2XddiZV77pr8j8M+CrvaxGdzSU63MDYfWbo2evye1teGD2ygZuxWFAvk5k -wdBeb1Eggj0nwweNXGDtr0xEL1BPgaBQlxOe9cQwan8Flc+NgWDqVmpvXuuGORfA -SGrHgzWvHQ+Y0UOKj6ObkSUOsIBzPyh8T6TnjYyX+rL6RJkelpGtKYOLvM2Nw1xu -LBofbmpy+LS1xnToIlXlawvhucsHTt2mi0PQShTJslmxurYhGZQ1Ubn5HyncyhTt -av6lq46bV/1MUE6yGI8NxfjEH4Sbafh088S1rYSkcy8FZOZHwJNA1EPJetSNqdX5 -3KVRoOlx1Yk1ow0d3kG3Df6X3xOuGFbLuEd4vbi3DbgYBQx2EUBRODjBYLg4ccOY -S4DjS6BFnddQ/tNjnyafiuatvR1LUYS+wKknvhehepOO0KceeMqCPLowR1y0r56R -Y23cBLd+QRjaaRpE/hReMhv7xMYbz/F1E81cTaxdcsY3pNIsKwrHDi4aK1ePlvra -Woi0TKNwp1U2vNL7eV2y6oaHIeMeXsLi9r8cuk+ENl35BK2nwXfW5Pbid18HzGje -CbIgXKgbHS1k5rTc/Qb20lLes5A/pbCtNaR6Z0jrp4QpBJwa7uSrwLCR18E1W2mt -EDfL3j4kpCldbIA/FroVqJydmBk06+VoZhFL+C5uVKXyyrSjtq2I2XKSMxscpF2u -42rUCQGbPM0Po0WrICqKTdXchJ1Hk69lvjvoi1ezcVNcRVkK7yPCAx2mNd+bFdtm -dz2TO4imAwEQIo9qfqEWGLMC/3h7YxmdlGLcgEZ913UtCorr0igTVpNFY8FnIjfq -rpbolTCkz1a2kXu3zO2423X0DnieUWMmBVL4A9hUHDU+Yglo9Np1ZTfHHraCcU7l -2GHiU3Uf3uxjfRMzKC4JOoDyjxjLdbKL7r6Q9Pu0FWZhxTRt6UTUEHzmqvGB/j6Q -EQfT9GP0v8gcaDCWWULoUF9fNpVoLIq0EDCB0rNfdCDIzSJrDy0lwdDstVFJQUit -lz7HD7sysoR3ToqcLeR11qQongQtYoq8oBr8Zsw2dkusgqnhJKMYf0XEDSH54JvD -iWa7QCFmFS6P9O8NXGuCMY528XbEtKGJEqaYINxReF+UVbG/xAum7hBXSYpOm22U -h5tNxNLv5Quua2eqNZuhcoMIW06oOTpGS6nIuyXDps34C162w3nLkPNry9dSRsLG -N2aHbOHVpegwyP+wxkVSAXIBx89Y8opWApt6tXmm8xQJEwoj9Pd/ph+IiVOA9WCd -PJobE0AXz9c5civRQXairp2/oz8FDR+nB7im6e+FHU+p1dsTXe91CJtuI1GwzSF5 -TacW4CupcTFv2Dhv5v1x053tR1n7tYNWpx1i3TPw9aJrRO6ltSaDlkSk6spbF5ul -/cIINDjUoxmOS3C3GOYw6n34ayPDDX1C99qjkGZGP5FMM8BZrsaq5wqoJr4WuM7v 
-B9hIyMOydpTyIxAMJlrApuh7bcVnpsCCJjBqYCKB+pq2mLg6ZTKP+aiRoILZy++L -4p2P72PJX95zxCXqBemHJ26u4yYMOLoz3asO5og08eO6YlD2Kva7E2diwwQ5vnwd -CkyW3JSbs8nL5eVFGVSf8wt0ADgIDgMzYk/wn2eSF96AitnMQcEMG5cp2aF9ulBE -Gg+6Yyr6Xnpx+Sfyij0c5lhIP52eor3QIJPKElW8zorEnviysvo8E8LRtHUZLl8Y -fXQPCOo35Gc+53zLijUuHUsg5yKJlZ7gevsTFxJl07G/3BUK+SKhLoFDJ9m15RTX -AWT9pwR8BMGdUUdT4izlL8xG+w== +U2FsdGVkX19XCACEufEt5M4bXKrEZbc3uwl9/RfxrTWPGRc+9wq/lObPINAaiVJ5 +6RC1WdLmXBnubDqxvvf4Oont7clL3Uf2YlJTvKQ1ybnPOLDG49PXQDS45vjktTf3 +Edl/a9vHj43WbZB/ZRFwcQmPXlGkF/H4wl1Ab44nvTXmIna53kkK6qjpj8gk9BrJ +qDzyGjtdpZ2IQi1niPZFuTHb/ZYEK/7KVDABo13HL0A02C/tQE8g+oT00BJUKyl2 +4P94Q9lVfqAjMzjIV/yp8QjDh6kQsM6I0Nc0Gyqjjhf8ppdYkeYtqiboaoaxksEU +LIwyyFV+aqlFGAVdYv8d5TaAoJ+B7+Szw284uGkKOBb78GV4SBBIpe7GlOBcX4+v +hI2F0HXTcaBg5lO6Z9SS79GeJcbKliu2mAp7hrdSs+gBjPoClxFGgVY7lac3uVW3 +03HptqLB5Dtu98vG/iazEdyxGERYL0HF9pGpCGNCnSmWoR7LOGdNvcI0h5nHYOeB +4ml+UCak7j8mLMU8ldnvrEIZTfLImnMothXc+oW33sNV3AfnlOGpM8bztHmAbB7U +1dw+H3ig+eXVtpJ6swSFo0+TepJmZjRGjfpTyLhljnyDavIZk79RkijzzrThWcV3 +joUEk95G26i4+xhDFsbGzriLlLg7rsvxESPdzimfqfO74+jsFxIvlua1DKf9PtvX +2wobnqhEjDJN2EGvH7j2gK6XUTmRoQwIs7cEETiDg0h3kiiAi6MDCvD6qVSvdIQS +IfHpOGLYaPR3lZDrvzJtYANkLoXVZ9Mb8laJ9gtAq+Hnvu9Wt3Xe8YrA6S7fF01B +3PHB7Is4haDwFKSsxHTUhZ0dkaAPe2W45iA5irxrZ8wncvyM1ecoE5M8Lvz8hh2k +MN5FxscGcQps4jVr0wg+hfyOK7r0P+spyLX0IbvxzTA7gUUrJFpHVYmrWU/MM6ft +2YstGLSlR1Z1roYFOhCgJzaq/waKClkdS43zEIG5Xyz8LiYQX/M+WijXHlRs1WwH +/2i04Amc6uLzXr1uXJBXtK4ZmVLu+elJqZhXQxRmLp+ioUr+Wdoo6lF8XAi7RwTV +1nlk72qXRpb/5l1G8SPykrUFc8E2chqs+0OcRGIi4cKuYPvYTxboSl3nkG8v5UBr +KZbw6My5gfSyw5ykZdxdec1l0hv8cRcuVpVwnUNUclSbGIrOrYtTxsVhjtmYw2gE +GOn0iRBbe7pD/q6959VdWmOW1uy2jTOUt5VeOmMAG1MQRcxAlIaDDICzgiD6bWLU +w4PMwRf5kN/V+GHPdgI3UoKyI3enwDXUtXMfKp65nid28p5sEBYKzEQSxFD5xwlp +eBjelqcJXatIbZyyjmbs0lw+u9IYfIbLzR5CzR33JQDM9gdmbAIEX6RwEcTLpeYq +cdmB8Lo/RkbWXUoqM9kHVBSWBPtKPkQ/zt+njVOFW3x+BJiGKX0GfrDMQDewnRKN +jJbMLDQXnUPp38M13qltypW/fDvUcWKbTX1OXIFj4eZMw9487GfvCtZd4UjPDLop 
+cScZVq93GlKd/oSYQM1KcGXANtj0br1xnwYXs+bdMsO7Y9Ae54S+IR1M+WaqtcG2 +uJt7lJIx+7rFJJE13j/nZwcwfKGMv7XxRoHxOI43MW5MSD1IiXgsZ4g1B59NZhDR +rgDIT9PPA3UK2e28eGAbQVRWriKLUjlkuEa0ecjH8dR+kHuwX+eBhl5f72Ww9/EB +Wf9Xkr+WsM5Xbh4bEHSM2tUVzFj8T0lyw6mgnI3fF09g0sfNZALNvleF516B7H0k +bmnL8bBAQiv4k+7WO5+Oj6F+yzuMstjx7nEEnahKUBH8UNH863Q7cYawD0CxtptH +hdafWlW1CaWlz4YXK9xCxRtQPHJVjI9mMpPReWu6yZeontIHv2l8eyDGurhQH2+p +hRFcrjdNwjQPPCcvwDRygGgsBukeaAgF+Py6mOujNAugoSGfPVfgJ9Vi4kSx7e64 +j8wZ2iph6pEE0f8jxjFj0CJicLIn/4BIFlF84RfWC03HUz7oCyejDuS+8lAyKtNv +zVm0NANr/2bQj/wXihVhuYi+nHYnXZ/nHXhYT5ojiaGI2MSmb1kIDi8gyMnDGb82 ++QzzhfNr0GqBzxKas1b5WDgb/yMAFOs6mRXwdRhjpaFl3nBDMlRBf/LAHcCRyQgv +/Rm0esZnLkfzvyevclXJ5OlvGa5YFSGIpjvbLWw0rZvcWhdIPiSE1iViDQVwu3xd +zNmfGQvw8nVd9gbvkbYDRn0IraWpXMdSiLJKBmBpAh3vQq9EV7386MKDNeLRtxSs +fA8OHnM8y5javN7b5vSqcEoOrCVXtC1SHdq5L5pcYxZx84MnlibzDMQevusxYY1/ +t14MZoZcAUiA3dnNaco/GSh6MOWvbfr68qomXhQjZyzq3vgz7CIWgOhqkjILvbzp +xc5Kn6vrw43vDXum6uuOFuHGDjZc2ArgUQBkhtB8y7DIPe+gHlKy0XbvKj2T9mrT +ig/jR/Z+WkcI7mZK15DKT5zjuG0DPdCHdni+v0pDKIjH4z+H5wxwGSwA5v57i9HG +6tMJAj1R88jLqKxMvZD5ggB3vyfYf6djJNG915RO8rNJRgwhHT6xU0ozrc6bEgTY +K0jhpDM7Zleo8Z1E7pM2C/OSdkwIMxiO724mO7E8MeeWIYuEVA4oWiEQlwG53/2B +Yql/Q4IkYNXFPBXvT0La0utNO/ipjV0Z8iRnj1++RB0lQrScnMULza9Qm8NWLZHZ +2Ox/427/xk4Rm1r87D1DM/pFM+WAHFx9L9sXbNLZVyxAOJ6OC/6IFPop2JgAIRJC +9qulboMiR1ns2CPWF0ryueA9vvZoE46ey7lG/LsF79K/lS7jxi5bz9K7VXG6/eBo +Q24MZEfoljgwDTbMh3uOYvSHn0XtrYYgKl+ZSYjemAqDEKhavDjNvSKLEvnAhyF9 ++h9TFGGtcfntE8JC2Xj1UtRrAM5CWJ3K7VFKnLBecPnnuylYVzFv5IDfxA/dMcv8 +ApbRHFMd3q9/0GK81ydYfs37VsDBzhvknb1LBWaC546ZUcEt0knt4iWHKvZNC3BQ +bL7ZZ5SZjMh5azTGDXRPBHKTpqbh133mCH1eHtiYVLDOvvdcrShs+WuXcXi3jopF +RxSI1Jx8RhHFFvN3DigymLd7APFoXZzjbzkp6WFJT+mwo9WDkbtU3jhAwLncfSWI +j9o8/Gj8mggFfhMhFAmNtm2Hpwfi2ZhYRMJIqiGxVhpHTvfMxaIoQA1ixFfUyu7k +Z8VG6PH/JgBaxSRygGDMc93Vbb5pnj95+Zr5XzwCvChDwKW/2C3yVbO09iR4PoTY +FWeJ3eYFeYlrmlphTknrUWRD2HvALvkgbGlglWElmtHxVX7B2ke7/fKW9Nef9PTb +SRKeHikFhBM61Q4NzbkdZVjOrM2XhCw7EQZiNBIgGm9Uo996lp5aghxSQ3KhWtUQ 
+phGvjqOVTmTIulFMVs8pVD5+E+8ympw0wGD9YlbyYrkeqvv4acU9yvZN6aXH25mX +HO3RN3S6zwxwAneBasRcnNJggdBOJwFR4Me76xo4tZeFJwEzL4ILSG+hSFDUkHit +lE75BOcqwBs30KafoAYpDKdBLbfJemvs8PuPH8XGJn9yeBL1QdDoSerAbucUvVXP +Px+VtKjaIU+ejmfFCuCr89r3L3Admkix55AUT9BAEQbwbfbMhG6RHF/AvYKIVRHg +WLdTzOQV6QCpw79E8uj4fQVsXhvt7pXwBgJiEJIdGm1/8VKzEr1O+k6SNvzRd4MA +bu0RIKILcObiErfyOWgYrwzo+EkYsBAL1AI7NJUUFlxnKY/ZjUq1nuET5nA1q/Tp +ZcwfxGfUD7Bp4HbpZADLCGyI57SIZ4l1e04SBL6htPmZl4JOFnT4x9VDjtmw4uZ4 +dfNhMdTT9TPjEh7+krCLUXCbsPJfaze0sE2jQq2dGwK0vU3OcgQQAPME2mix6BeR +3eK4kqk1F8rjsGoqTvT4HumVEsn9CcRrbBn/0F0eVvVMTfsNZGaGzo0H2qHmoU19 +3lsW+1yKg94RUJ+TlpnZ3gEgS5jUh4NirXt3UibhH0TxsidqMjqyZmgh1debiMBK +nwLo+u6NWn33VuH7TUZLyfPs5wPyVgDmboYPuZE1L+45gEJVX5U5sXM/5JtvsUmK +cA==