How to change order of DNS nameservers?

I’m pretty sure my Wi-Fi router is slowing down my web browsing by being really slow at DNS resolving. So I added Cloudflare and Google nameservers like this:

{ lib, ... }:

{
  networking = {
    networkmanager.enable = true;
    nameservers = [
      # Cloudflare
      "1.1.1.1"
      "1.0.0.1"
      # Google
      "8.8.8.8"
      "8.8.4.4"
    ];
  };
}

But this seems to not make any improvement because the computer still waits a long time for 192.168.1.1 to resolve a domain, and only tries Cloudflare if the first one times out.

Contents of /etc/resolv.conf

# Generated by resolvconf
nameserver 192.168.1.1
nameserver 1.1.1.1
nameserver 1.0.0.1
nameserver 8.8.8.8
nameserver 8.8.4.4
options edns0

What I really want to do is have /etc/resolv.conf look like this:

# Generated by resolvconf
nameserver 1.1.1.1
nameserver 1.0.0.1
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 192.168.1.1
options edns0

or, if possible, when finding a domain all nameservers should be queried in parallel so that the fastest one is the result.

I think you can use the option networking.networkmanager.insertNameservers


I personally use dnscrypt-proxy which has load balancing options and a bunch of other goodies which would help find the fastest one.

I used networking.networkmanager.insertNameservers and the file looks like this now:

# Generated by resolvconf
options edns0
nameserver 1.1.1.1
nameserver 1.0.0.1
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 192.168.1.1

However, now when I try to access computers on the local network that are resolved by 192.168.1.1, such as gaming-computer, it doesn’t work. 1.1.1.1 says that it is not found, and it looks like 192.168.1.1 is not even used.

Hey @DarkKronicle, can I ask you multiple questions about dnscrypt-proxy on Nix? First, do you know how to use dnscrypt with the anonymous settings? And if yes, could you show me an example that works, please?

And last question: is it normal that when I connect to Mullvad VPN the file “/etc/resolv.conf” is not overwritten by the VPN? The command “cat /etc/resolv.conf” shows me the DNS from dnscrypt and not Mullvad.

I made a test, and without dnscrypt-proxy the file /etc/resolv.conf shows the DNS server of the VPN.

Have you looked at Anonymized DNS · DNSCrypt/dnscrypt-proxy Wiki · GitHub? You’ll need to set up relays first, and then manually set some routes. I don’t use anonymized DNS personally since it doesn’t really assist in my threat model (mainly because encrypted client hello isn’t really used, so my ISP can still tell where I go (and I also don’t really care)).

I don’t personally use Mullvad, but I use NordVPN and that changes my /etc/hosts. I had to set

environment.etc.hosts.mode = "0644";

Maybe something like that will work for you.

If you have more questions, maybe another thread will be better.

This is probably because it will only fallback if there is an error connecting to the DNS server. Do you have pihole or something set up?

I know there’s avahi which lets you do <hostname>.local. dnscrypt also has cloaking, but you’d have to do that manually.

I don’t have PiHole set up. I will try to change the DNS resolver to Cloudflare or Google in the router settings and see if that speeds things up.

If you want the local resolving, I think avahi would work if you don’t want to configure the router. I use it to access my homeserver at hostname.local, though I think it works as a general mDNS service.

avahi is set up and works for hostname.local for some devices, but I prefer to not have the .local. Plus, I have a microcontroller accessible at gaming-computer-remote which cannot run avahi (I assume, since it’s bare metal).
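As an added example that is not from anyone in this thread: the two problems above (public resolvers should be asked first, or raced in parallel, but names served by the router must still resolve) can both be handled by the dnscrypt-proxy route mentioned earlier instead of by reordering /etc/resolv.conf. glibc walks the nameserver list in order and only moves on after a timeout, so putting 192.168.1.1 last means it is effectively never consulted for local names. The configuration below hands all resolution to dnscrypt-proxy on localhost, lets it race the public resolvers, and forwards one local zone to the router. It assumes the router's search domain is "lan" (a placeholder; check your router or the search line in /etc/resolv.conf), that `services.dnscrypt-proxy2` keeps its upstream default resolver list so the names "cloudflare" and "google" exist, and that dnscrypt-proxy's `forwarding_rules` feature behaves as its documentation describes; none of those details appear in the thread.

```nix
{ pkgs, ... }:

{
  networking = {
    networkmanager.enable = true;
    # Stop NetworkManager from writing the DHCP-supplied router into
    # /etc/resolv.conf; everything goes through the local dnscrypt-proxy.
    networkmanager.dns = "none";
    nameservers = [ "127.0.0.1" ];
  };

  services.dnscrypt-proxy2 = {
    enable = true;
    settings = {
      listen_addresses = [ "127.0.0.1:53" ];

      # The public resolvers from the question. "p2" picks one of the two
      # fastest servers (measured at startup) per query, which is the
      # "fastest one wins" behaviour the question asked for.
      server_names = [ "cloudflare" "google" ];
      lb_strategy = "p2";

      # Names under the router's zone go to 192.168.1.1 instead of the
      # public resolvers, so gaming-computer.lan keeps working.
      # "lan" is an assumed placeholder for the router's search domain.
      forwarding_rules = pkgs.writeText "forwarding-rules.txt" ''
        lan 192.168.1.1
      '';
    };
  };
}
```

After a rebuild, `cat /etc/resolv.conf` should show only `nameserver 127.0.0.1`; a bare hostname such as gaming-computer still depends on a `search` entry (or the router's DHCP domain) being appended by the client before the forwarding rule matches, so if the router does not advertise a domain, the name has to be written out in full.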