From 614e2c804a447e1220352d09503e18b0c353f496 Mon Sep 17 00:00:00 2001
From: s0me1newithhand7s <git+me@hand7s.org>
Date: Sun, 3 May 2026 15:58:23 +0300
Subject: [PATCH] kyra(hardening): hickory-dns init

Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
---
 kyra/services/hickory.nix | 58 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 kyra/services/hickory.nix

diff --git a/kyra/services/hickory.nix b/kyra/services/hickory.nix
new file mode 100644
index 0000000..06eff1a
--- /dev/null
+++ b/kyra/services/hickory.nix
@@ -0,0 +1,58 @@
+_: {
+  services = {
+    hickory-dns = {
+      enable = true;
+      settings = {
+        remote_resolvers = [
+          {
+            socket_addr = "1.1.1.1:853";
+            protocol = "tls";
+            tls_dns_name = "cloudflare-dns.com";
+          }
+
+          {
+            socket_addr = "1.1.1.1:443";
+            protocol = "https";
+            tls_dns_name = "cloudflare-dns.com";
+          }
+
+          {
+            socket_addr = "9.9.9.9:853";
+            protocol = "tls";
+            tls_dns_name = "dns.quad9.net";
+          }
+
+          {
+            socket_addr = "9.9.9.9:443";
+            protocol = "https";
+            tls_dns_name = "dns.quad9.net";
+          }
+
+          {
+            socket_addr = "8.8.8.8:853";
+            protocol = "tls";
+            tls_dns_name = "dns.google";
+          }
+
+          {
+            socket_addr = "8.8.8.8:443";
+            protocol = "https";
+            tls_dns_name = "dns.google";
+          }
+        ];
+
+        listen_addrs_http = [
+          {
+            socket_addr = "[::]:8053";
+          }
+        ];
+
+        listen_addrs_tcp = [
+          {
+            socket_addr = "[::]:8853";
+          }
+        ];
+      };
+    };
+  };
+}