{ lib, config, ... }:

{
  # Caching resolver for the local networks. BIND does no recursion of its
  # own ("forward only"): every query goes to the dnscrypt-proxy2 listener
  # configured further down on 127.0.0.1:5300.
  services.bind = {
    enable = true;
    forward = "only";
    forwarders = lib.singleton "127.0.0.1 port 5300";
    directory = "/var/lib/bind";

    # Client networks allowed to use the cache (the module turns this list
    # into the `cachenetworks` ACL referenced in extraOptions).
    cacheNetworks = [
      "127.0.0.0/8"
      "10.1.0.0/19"
      "10.0.0.1/32" # needed due to SNAT when redirecting DNS in border
      "192.168.1.0/24"
    ];

    # Route every log category to a single stderr channel; systemd then
    # collects stderr into the journal (see serviceConfig.StandardError).
    extraConfig =
      let
        categories = [
          "client"
          "cname"
          "config"
          "database"
          "default"
          "dispatch"
          "dnssec"
          "dnstap"
          "edns-disabled"
          "general"
          "lame-servers"
          "network"
          "notify"
          "nsid"
          "queries"
          "query-errors"
          "rate-limit"
          "resolver"
          "rpz"
          "rpz-passthru"
          "security"
          "serve-stale"
          "spill"
          "sslkeylog"
          "trust-anchor-telemetry"
          "unmatched"
          "update"
          "update-security"
          "xfer-in"
          "xfer-out"
          "zoneload"
        ];
        toStderrChannel = category: "category ${category} { stderr_chan; };";
      in
      ''
        logging {
          channel stderr_chan {
            print-category yes;
            print-severity yes;
            severity dynamic;
            stderr;
          };
          ${lib.concatStringsSep "\n" (map toStderrChannel categories)}
        };
      '';

    # Validate DNSSEC locally and restrict cache/recursion access to the
    # cacheNetworks ACL rather than relying on BIND's defaults.
    extraOptions = ''
      dnssec-validation auto;
      max-cache-size 512M;
      max-ncache-ttl 1M;
      allow-query-cache { cachenetworks; };
    '';
  };

  # BIND's stderr log channel ends up in the journal.
  systemd.services.bind.serviceConfig.StandardError = "journal";

  # Upstream transport for BIND: dnscrypt-proxy2 speaking DoH only, to the
  # single statically configured server below.
  services.dnscrypt-proxy2 = {
    enable = true;
    upstreamDefaults = true;
    settings = {
      listen_addresses = [ "127.0.0.1:5300" ];
      # Protocol selection: DoH enabled, plain DNSCrypt and ODoH disabled.
      dnscrypt_servers = false;
      doh_servers = true;
      odoh_servers = false;
      block_ipv6 = true;
      # No remote server lists; the static stamp is the only upstream used.
      static.mullvad.stamp = "sdns://AgcAAAAAAAAACzE5NC4yNDIuMi4yAA9kbnMubXVsbHZhZC5uZXQKL2Rucy1xdWVyeQ";
      sources = { };
      max_clients = 256;
      cache_size = 128;
    };
  };

  # Pin system resolution to the local BIND address (presumably this host's
  # address on 10.1.0.0/19) and drop resolved's built-in fallback servers so
  # nothing bypasses the forwarding chain above.
  services.resolved.fallbackDns = lib.mkForce [ ];
  networking.nameservers = lib.mkForce [ "10.1.0.1" ];
}