commit bd99586f44145bfcdec989a053bca1146c2f9c1e
parent 84ea68938937b893cf39ade548e1ae047730ed66
Author: Katja (ctucx) <git@ctu.cx>
Date: Thu, 27 Feb 2025 16:50:57 +0100
machines/briefkasten/router: replace `bind` with `kresd`
1 file changed, 32 insertions(+), 23 deletions(-)
diff --git a/machines/briefkasten/router/default.nix b/machines/briefkasten/router/default.nix
@@ -21,30 +21,39 @@
 };
 services = {
+ resolved.enable = false;
 avahi.allowInterfaces = [ "brlan" ];
- bind = {
- enable = true;
- forwarders = [ "1.1.1.1" ];
- cacheNetworks = [ "localnets" ];
-
- extraConfig = ''
- acl translator {
- localhost;
- };
-
- acl dns64-good-clients {
- localnets;
- };
- '';
-
- extraOptions = ''
- auth-nxdomain no;
-
- dns64 64:ff9b::/96 {
- clients { !translator; dns64-good-clients; };
- };
- '';
- };
+
+ kresd.enable = true;
+ kresd.listenPlain = [ "53" ];
+ kresd.extraConfig = ''
+ require 'math'
+ math.randomseed(os.time())
+
+ modules.load('dns64')
+ modules.load('view')
+
+ dns64.config('64:ff9b::')
+
+ -- disable dns64 for all IPv4 source addresses
+ view:addr('0.0.0.0/0', policy.all(policy.FLAGS('DNS64_DISABLE')))
+
+ dns_providers = {
+ { -- Quad9
+ '9.9.9.9', '149.112.112.112'
+ },
+ { -- Cloudflare
+ '1.1.1.1', '1.0.0.1'
+ },
+ { -- Google
+ '8.8.8.8', '8.8.4.4'
+ }
+ }
+
+ policy.add(function (request, query)
+ return policy.FORWARD(dns_providers[math.random(1, #dns_providers)])
+ end)
+ '';
 };
 }
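Review bot: `kresd.listenPlain = [ "53" ]` binds port 53 without an address, and nothing in the new `kresd.extraConfig` replaces the `cacheNetworks = [ "localnets" ]` restriction that the removed `bind` block carried, so any interface the firewall does not close is exposed as an open recursive resolver. Either limit the listener to loopback and the LAN side, e.g. `kresd.listenPlain = [ "127.0.0.1:53" "<brlan-address>:53" ]` (placeholder address), or use the `view` module the config already loads to accept only local sources, e.g. `view:addr('<lan-cidr>', policy.all(policy.PASS))` followed by a catch-all `view:addr('0.0.0.0/0', policy.all(policy.REFUSE))`. If the view route is taken, the existing `0.0.0.0/0` DNS64_DISABLE rule must stay ahead of the terminating REFUSE rule, and whether `policy.FLAGS` is non-terminating should be confirmed against the deployed kresd version. Forwarding to the three providers is over plaintext, as the removed `forwarders = [ "1.1.1.1" ]` also was; this change does not worsen that, but `policy.TLS_FORWARD` would be the place to address it later.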