dnsmasq.nix

{
  services.dnsmasq = {
    enable = true;
    resolveLocalQueries = true;
    servers = [
      "213.46.228.196"
      "62.179.104.196"
    ];
    extraConfig = ''
      # All reverse lookups for private IP ranges (e.g. 192.168.x.x) which are not found in /etc/hosts
      # or the DHCP leases file are answered with "no such domain" rather than being forwarded upstream.
      bogus-priv

      # Tells dnsmasq to never forward A or AAAA queries for plain names, without dots or domain parts, to upstream nameservers.
      # If the name is not known from /etc/hosts or DHCP then a "not found" answer is returned.
      domain-needed

      # Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching.
      # Note: huge cache size impacts performance.
      cache-size=1024

      # Don't read /etc/resolv.conf. Get upstream servers only from the command line or the dnsmasq configuration file.
      no-resolv

      # Don't poll /etc/resolv.conf for changes.
      no-poll

      # Resolve *.localhost domain names to 127.0.0.1.
      address=/localhost/127.0.0.1

      # Only listen on the given IP address.
      listen-address=127.0.0.2

      # This option forces dnsmasq to really bind only the interfaces it is listening on.
      bind-interfaces

      # Additional hosts file.
      addn-hosts=/etc/dnsmasq-hosts.conf

      # Due to the use of listen-address and bind-interfaces this instance of dnsmasq cannot be used for DHCP as well.
      # dhcp-authoritative # the only DHCP server on the network
      # dhcp-leasefile=/opt/dnsmasq/dnsmasq.leases
      # dhcp-option=option:router,192.168.0.1
      # dhcp-range=192.168.0.51,192.168.0.99,255.255.255.0,24h
      # dhcp-range=192.168.0.151,192.168.0.199,255.255.255.0,24h
      # dhcp-host=e0:cb:4e:7f:e5:cb,192.168.0.203
    '';
  };
}