From 12877098cb6f76bd021ba74684cb70759a7b76b9 Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Thu, 17 Mar 2016 14:34:56 +0100
Subject: [PATCH] dnscrypt-proxy service: expose option to use ephemeral keys

Some users may wish to improve their privacy by using per-query key pairs, which makes it more difficult for upstream resolvers to track users across IP addresses.
---
 nixos/modules/services/networking/dnscrypt-proxy.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix
index d9ca430161ee..a6b5b1deed76 100644
--- a/nixos/modules/services/networking/dnscrypt-proxy.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy.nix
@@ -10,6 +10,7 @@ let
   daemonArgs = [ "--local-address=${localAddress}"
     (optionalString cfg.tcpOnly "--tcp-only")
+    (optionalString cfg.ephemeralKeys "-E")
   ] ++ resolverArgs;
   resolverArgs = if (cfg.customResolver != null)
@@ -116,6 +117,17 @@ in
           TCP instead of UDP (on port 443). Use only if the UDP port is blocked.
         '';
       };
+      ephemeralKeys = mkOption {
+        default = false;
+        type = types.bool;
+        description = ''
+          Compute a new key pair for every query. Enabling this option
+          increases CPU usage, but makes it more difficult for the upstream
+          resolver to track your usage of their service across IP addresses.
+          The default is to re-use the public key pair for all queries, making
+          tracking trivial.
+        '';
+      };
     };
   };
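Review bot: The new daemonArgs entry passes the bare short flag `-E` while the sibling entry on the line above uses the long form `--tcp-only`, so the generated command line is no longer self-describing in `ps`/`systemctl status` output and a reader has to look up what `-E` means. Spelling it `(optionalString cfg.ephemeralKeys "--ephemeral-keys")` keeps the list consistent, assuming the packaged dnscrypt-proxy accepts the long spelling of this flag — worth confirming against the binary's `--help` before switching. The daemonArgs list itself is complete within the hunk, but resolverArgs, which is appended to it, continues past the hunk's last line.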
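Review bot: The last sentence of the new ephemeralKeys description says the default "re-use[s] the public key pair", which conflates the key pair with its public half and calls tracking "trivial" without naming the identifier involved; the point is that the client public key sent with every query is a stable value the resolver can correlate. Suggest replacing the final two lines with `The default is to reuse one client key pair for all queries, so the client public key acts as a stable identifier that the upstream resolver can use to correlate your queries.` and adding a caveat that ephemeral keys do not hide the source address of any individual query — they only prevent linking queries across address changes, which is what the commit message claims. Whether the default key pair is regenerated on every daemon start or persisted is not visible from this module, so the description should not state either. The enclosing options set is closed within the hunk, so the wording change is self-contained.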