services.resolved.dnsovertls
If set to
- "true": all DNS lookups will be encrypted. This requires that the DNS server supports DNS-over-TLS and has a valid certificate. If the hostname was specified via the address#hostname format in services.resolved.domains then the specified hostname is used to validate its certificate.
- "opportunistic": all DNS lookups will attempt to be encrypted, but will fall back to unencrypted requests if the server does not support DNS-over-TLS. Note that this mode does allow for a malicious party to conduct a downgrade attack by imitating the DNS server and pretending to not support encryption.
- "false": all DNS lookups are done unencrypted.
- Type
  one of "true", "opportunistic", "false"
- Default
  "false"
- Example
  "true"
- Declared
  - <nixpkgs/nixos/modules/system/boot/resolved.nix>
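
An added example, not part of the NixOS documentation or nixpkgs: a small Python audit of a rendered resolved.conf that flags the unencrypted and downgrade-prone modes described above, plus servers listed without a #hostname. The sample file contents, function names and severity labels are constructed for illustration, and it assumes the option is rendered as DNSOverTLS= in the [Resolve] section.

```python
import re

# Constructed sample input, not taken from a real host.
SAMPLE_CONF = """\
[Resolve]
DNS=9.9.9.9#dns.quad9.net 192.0.2.53
DNSOverTLS=opportunistic
"""

def parse_resolve(text):
    """Return key -> value for the [Resolve] section (a repeated key keeps its last value)."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
        elif section == "Resolve" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(text):
    """Return (severity, message) findings for the DNS-over-TLS setting."""
    conf = parse_resolve(text)
    # Assumption: an absent key means "false", the default this page documents.
    # Only the three values this option allows are recognised.
    mode = conf.get("DNSOverTLS", "false").lower()
    findings = []
    if mode == "false":
        return [("high", "DNS lookups are sent unencrypted")]
    if mode == "opportunistic":
        findings.append(("medium", "falls back to unencrypted lookups, so a downgrade is possible"))
    elif mode != "true":
        findings.append(("high", f"unrecognised DNSOverTLS value: {mode}"))
    # Servers listed without #hostname give no configured name to validate the certificate against.
    servers = (conf.get("DNS", "") + " " + conf.get("FallbackDNS", "")).split()
    for server in servers:
        if "#" not in server:
            findings.append(("info", f"{server}: no #hostname for certificate validation"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONF):
        print(f"{severity:6} {message}")
```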