From f4a8a52fae42d193ef13431dccadb8ad846aa3d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9ana=20=E6=B1=9F?= <leana.jiang+git@icloud.com>
Date: Sat, 4 Oct 2025 13:30:08 +0800
Subject: [PATCH] vanadium: use dnscrypt-proxy2

---
 .../vanadium/nixos/connectivity.nix           | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/nix/configurations/vanadium/nixos/connectivity.nix b/nix/configurations/vanadium/nixos/connectivity.nix
index c8c9871e..a32de72c 100644
--- a/nix/configurations/vanadium/nixos/connectivity.nix
+++ b/nix/configurations/vanadium/nixos/connectivity.nix
@@ -137,4 +137,44 @@
   services.mullvad-vpn.enable = true;
 
   hardware.bluetooth.enable = true;
+
+  #
+  # Secure DNS
+  #
+  # https://nixos.wiki/wiki/Encrypted_DNS
+  networking = {
+    nameservers = ["127.0.0.1" "::1"];
+    dhcpcd.extraConfig = "nohook resolv.conf";
+    # networkmanager.dns = "none";
+  };
+
+  services.resolved.enable = false;
+
+  services.dnscrypt-proxy2 = {
+    enable = true;
+    # Settings reference:
+    # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
+    settings = {
+      listen_addresses = ["127.0.0.1:53"];
+      ipv4_servers = true;
+
+      require_dnssec = true;
+      require_nolog = true;
+      require_nofilter = true;
+
+      lb_strategy = "p2";
+      lb_estimator = true;
+
+      # Add this to test if dnscrypt-proxy is actually used to resolve DNS requests
+      # query_log.file = "/var/log/dnscrypt-proxy/query.log";
+      sources.public-resolvers = {
+        urls = [
+          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+        ];
+        cache_file = "/var/cache/dnscrypt-proxy/public-resolvers.md";
+        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+      };
+    };
+  };
 }