systemd: change fallback dns servers #92061
Conversation
By default systemd falls back to google DNS server. The new default is to first use Cloudflare, then Quad9, then google. The first two should have better privacy policies than the google one. Note that this is the default value which can be overridden by users as well. The default should be a good compromise between global availability, speed and privacy.
mesonFlagsArray+=(-Dntp-servers="0.nixos.pool.ntp.org 1.nixos.pool.ntp.org 2.nixos.pool.ntp.org 3.nixos.pool.ntp.org") | ||
mesonFlagsArray+=("-Ddns-servers=${toString defaultDnsServers}") |
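Review bot: `-Ddns-servers=${toString defaultDnsServers}` bakes the new fallback list into the systemd derivation itself, so every package depending on systemd is rebuilt for a change that is only a runtime default; the `services.resolved.fallbackDns` option discussed in this thread already feeds the same setting, so consider changing its default there (and documenting the new list in the option description) instead of in `preConfigure`. If the build-time route is kept, make sure each element of `defaultDnsServers` is a single host or IP without embedded whitespace, since `toString` joins the list with spaces and the meson value is parsed as a space-separated list.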
It does not change much actually... But it is probably good to have had a discussion about it.
By default nixos does not use systemd-resolved btw.
LGTM, seems like privacy is the right priority to consider for the defaults.
I'd prefer if we could do this via the module system (in resolved.conf), instead of doing a world rebuild and baking this into the derivation.
Edit: It seems there's already services.resolved.fallbackDns - we could probably just specify another default here than an empty list, if it's desired.
preConfigure = '' | ||
preConfigure = let | ||
defaultDnsServers = [ | ||
# We use these public name services, ordered by their privacy policy (hopefully): |
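Review bot: the comment "ordered by their privacy policy" on `defaultDnsServers` claims an ordering that, as a later review comment points out, resolved does not honour when picking among fallback servers; either drop the ordering claim or state explicitly that the list is unordered, so a reader does not assume the first entry is preferred.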
I'm not sure if the ordering here actually means anything - it seems resolved picks one (or multiple) arbitrary servers from the list:
Well, given that there is no preference I don't know how to proceed. Some may want to remove the google one?
By default systemd falls back first to cloudflare and then to google DNS server.
The new default is to first use Cloudflare, then Quad9, then google.
The first two should have better privacy policies than the google one.
Note that this is the default value which can be overridden by users as well.
The default should be a good compromise between global availability, speed and privacy.
Motivation for this change