nixpkgs

2nd chunk of `nixos/modules/services/networking/crab-hole.md`
      port = 53;
    }
  ];
}
```

#### TLS {#module-services-crab-hole-tls}
TLS (DNS over TLS) is a simple encrypted option for serving DNS.
It takes the same settings as UDP,
but you additionally need a valid TLS certificate and its private key.
Both are specified as paths to the files.
A valid TLS certificate and private key can be obtained from an ACME client such as the NixOS `security.acme` module.
Make sure the crab-hole service user has read access to these files.
Give the private key as a string path (as in the example below), not as a Nix path literal: a path literal is copied into the world-readable Nix store.
Additionally you can set an optional timeout value, in milliseconds.
```nix
{
  services.crab-hole.settings.downstream = [
    {
      protocol = "tls";
      listen = "[::]";
      port = 853;
      certificate = ./dns.example.com.crt;
      key = "/dns.example.com.key";
      # optional (default = 3000)
      timeout_ms = 3000;
    }
  ];
}
```

#### HTTPS {#module-services-crab-hole-https}
HTTPS (DNS over HTTPS) has the same settings as TLS, with the only difference being the additional `dns_hostname` option.
Because it listens on the standard HTTPS port (443 in the example), this protocol might need a reverse proxy if other HTTPS services are to share the same port.
Make sure the service has permissions to access the certificate and key.

***Note:** this config is untested*
```nix
{
  services.crab-hole.settings.downstream = [
    {
      protocol = "https";
      listen = "[::]";
      port = 443;
      certificate = ./dns.example.com.crt;
      key = "/dns.example.com.key";
      # optional
      dns_hostname = "dns.example.com";
      # optional (default = 3000)
      timeout_ms = 3000;
    }
  ];
}
```

#### QUIC {#module-services-crab-hole-quic}
QUIC (DNS over QUIC) has identical settings to the HTTPS protocol.
Its standard port is 853/UDP rather than the HTTPS port 443/TCP, so it doesn't collide with other HTTPS services and you shouldn't need a reverse proxy.
Make sure the service has permissions to access the certificate and key.
```nix
{
  services.crab-hole.settings.downstream = [
    {
      protocol = "quic";
      listen = "127.0.0.1";
      port = 853;
      certificate = ./dns.example.com.crt;
      key = "/dns.example.com.key";
      # optional
      dns_hostname = "dns.example.com";
      # optional (default = 3000)
      timeout_ms = 3000;
    }
  ];
}
```
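The TLS, HTTPS and QUIC sections above all need a certificate the service can read and say that ACME is one way to get it. The following is an added example, not part of the crab-hole module documentation or the crab-hole project, showing a DoT and a DoQ listener sharing one certificate issued by the NixOS `security.acme` module (it uses standalone HTTP-01 via `listenHTTP`, and reads the certificate directory from the `directory` option of the cert). The systemd unit name `crab-hole`, membership in the `acme` group as the way to grant read access to `key.pem`, and the e-mail address are assumptions about this deployment; check the unit name with `systemctl cat crab-hole` before relying on them. An HTTPS listener would use the same two certificate fields.

```nix
# Added example (not the module's own documentation): DoT + DoQ listeners
# backed by an ACME-issued certificate. Assumed: the systemd unit is named
# "crab-hole" and may be given the "acme" supplementary group.
{ config, ... }:
let
  fqdn = "dns.example.com";
  # Directory managed by security.acme for this cert; it holds
  # fullchain.pem and key.pem.
  certDir = config.security.acme.certs.${fqdn}.directory;
in
{
  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@example.com"; # placeholder
    certs.${fqdn} = {
      # Standalone HTTP-01: the ACME client answers challenges on port 80 itself.
      listenHTTP = ":80";
      # key.pem is readable by this group ("acme" is also the default).
      group = "acme";
      # Restart the resolver after renewal so it picks up the new key pair
      # (unit name assumed).
      reloadServices = [ "crab-hole.service" ];
    };
  };

  services.crab-hole.settings.downstream = [
    # Plain DNS for clients on the local network.
    { protocol = "udp"; listen = "[::]"; port = 53; }
    # DNS over TLS on TCP 853.
    {
      protocol = "tls";
      listen = "[::]";
      port = 853;
      # Strings, not Nix path literals: a literal such as ./key.pem would be
      # copied into the world-readable /nix/store.
      certificate = "${certDir}/fullchain.pem";
      key = "${certDir}/key.pem";
    }
    # DNS over QUIC on UDP 853: no clash with the TCP listener above.
    {
      protocol = "quic";
      listen = "[::]";
      port = 853;
      certificate = "${certDir}/fullchain.pem";
      key = "${certDir}/key.pem";
      dns_hostname = fqdn;
    }
  ];

  # Grant read access to key.pem through the cert's group (unit name assumed).
  systemd.services.crab-hole.serviceConfig.SupplementaryGroups = [ "acme" ];

  networking.firewall = {
    # 80 is only needed for the HTTP-01 challenge.
    allowedTCPPorts = [ 53 80 853 ];
    allowedUDPPorts = [ 53 853 ];
  };
}
```

The two 853 listeners do not conflict because DoT is TCP and DoQ is UDP. If your deployment already terminates HTTP on port 80, replace `listenHTTP` with a `webroot` or `dnsProvider` configuration; the downstream entries are unaffected.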

### Upstream options {#module-services-crab-hole-upstream-options}
You can set additional options of the underlying DNS resolver library. A full list of all the options can be found in the [hickory-dns documentation](https://docs.rs/trust-dns-resolver/0.23.0/trust_dns_resolver/config/struct.ResolverOpts.html) (hickory-dns is the renamed trust-dns project, which is why the crate in the link is still called `trust-dns-resolver`).

This section details the configuration options for various secure downstream protocols in Crab-hole. It explains TLS (DNS over TLS), requiring a valid certificate and private key, and allowing an optional timeout. HTTPS (DNS over HTTPS) has similar settings to TLS but includes an additional `dns_hostname` option and might necessitate a reverse proxy if sharing the same port with other HTTPS services. QUIC (DNS over QUIC) offers identical configuration options to HTTPS, but typically doesn't require a reverse proxy due to its non-standard port. The chunk also briefly introduces upstream options, directing users to the `hickory-dns` documentation for a comprehensive list.