kyra(hardening): resolved is now using hickory selfhosted

Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:00:06 +03:00 · 2026-05-03 16:00:06 +03:00 · 4d6c618cbc
commit 4d6c618cbc
parent d5917b3304
1 changed files with 29 additions and 28 deletions
--- a/kyra/services/resolved.nix
+++ b/kyra/services/resolved.nix
@ -2,38 +2,39 @@ _: {
  services = {
    resolved = {
      enable = true;
-      dnsovertls = toString true;
-      dnssec = toString true;
-      llmnr = toString true;
-      domains = [
-        "~."
-      ];
+      settings = {
+        Resolve = {
+          DNSOverTLS = true;
+          DNSSEC = true;
+          Domains = [
+            "~."
+          ];

-      fallbackDns = [
-        # cf dns
-        "1.1.1.1"
-        "1.0.0.1"
-        "2606:4700:4700::1111"
-        "2606:4700:4700::1001"
+          DNS = [
+            # hand7s dns
+            "127.0.0.1#dns.hand7s.org"
+            "::1#dns.hand7s.org"

-        # google dns
-        "8.8.8.8"
-        "8.8.4.4"
-        "2001:4860:4860::8888"
-        "2001:4860:4860::8844"
+            # cf dns
+            "1.1.1.1#cloudflare-dns.com"
+            "1.0.0.1#cloudflare-dns.com"
+            "2606:4700:4700::1111#cloudflare-dns.com"
+            "2606:4700:4700::1001#cloudflare-dns.com"

-        # q9 dns
-        "9.9.9.9"
-        "149.112.112.112"
-        "2620:fe::fe"
-        "2620:fe::9"
+            # google dns
+            "8.8.8.8#dns.google"
+            "8.8.4.4#dns.google"
+            "2001:4860:4860::8888#dns.google"
+            "2001:4860:4860::8844#dns.google"

-        # open dns
-        "208.67.222.222"
-        "208.67.220.220"
-        "2620:119:35::35"
-        "2620:119:53::53"
-      ];
+            # q9 dns
+            "9.9.9.9#dns.quad9.net"
+            "149.112.112.112#dns.quad9.net"
+            "2620:fe::fe#dns.quad9.net"
+            "2620:fe::9#dns.quad9.net"
+          ];
+        };
+      };
    };
  };
 }