dnsmasq: add servers option for upstream DNS configuration

Adds a new `services.dnsmasq.servers` option to configure upstream DNS servers. This allows users to specify which DNS servers dnsmasq should forward queries to, supporting domain-specific routing and custom ports. When empty (default), dnsmasq uses servers from /etc/resolv.conf. Signed-off-by: Wigger Boelens <me@wigger.email>
2025-10-17 13:05:13 +02:00 · 2025-10-17 13:05:13 +02:00 · 1204e79a1e
commit 1204e79a1e
parent 9a9ab01072
2 changed files with 31 additions and 1 deletions
--- a/modules/services/dnsmasq.nix
+++ b/modules/services/dnsmasq.nix
@ -42,6 +42,27 @@ in
        { localhost = "127.0.0.1"; }
        '';
    };
+
+    services.dnsmasq.servers = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      description = ''
+        List of upstream DNS servers to forward queries to.
+        If empty, dnsmasq will use the servers from /etc/resolv.conf.
+        Each entry can be:
+        - An IP address (e.g., "1.2.3.4")
+        - A domain-specific server (e.g., "/example.com/1.2.3.4")
+        - A server with port (e.g., "1.2.3.4#5353")
+        See dnsmasq(8) man page for --server option for full syntax.
+      '';
+      example = literalExpression ''
+        [
+          "8.8.8.8"
+          "8.8.4.4"
+          "/internal.example.com/192.168.1.1"
+        ]
+      '';
+    };
  };

  config = mkIf cfg.enable {
@ -53,7 +74,8 @@ in
        "--listen-address=${cfg.bind}"
        "--port=${toString cfg.port}"
        "--keep-in-foreground"
-      ] ++ (mapA (domain: addr: "--address=/${domain}/${addr}") cfg.addresses);
+      ] ++ (mapA (domain: addr: "--address=/${domain}/${addr}") cfg.addresses)
+        ++ (map (server: "--server=${server}") cfg.servers);

      serviceConfig.KeepAlive = true;
      serviceConfig.RunAtLoad = true;
--- a/tests/services-dnsmasq.nix
+++ b/tests/services-dnsmasq.nix
@ -12,6 +12,10 @@ in
  services.dnsmasq.addresses = {
    localhost = "127.0.0.1";
  };
+  services.dnsmasq.servers = [
+    "8.8.8.8"
+    "/example.com/192.168.1.1"
+  ];

  test = ''
    echo >&2 "checking dnsmasq service in /Library/LaunchDaemons"
@ -19,6 +23,10 @@ in
    grep "${dnsmasq}/bin/dnsmasq" ${config.out}/Library/LaunchDaemons/org.nixos.dnsmasq.plist
    grep -F -- "--address=/localhost/127.0.0.1" ${config.out}/Library/LaunchDaemons/org.nixos.dnsmasq.plist

+    echo >&2 "checking server options"
+    grep -F -- "--server=8.8.8.8" ${config.out}/Library/LaunchDaemons/org.nixos.dnsmasq.plist
+    grep -F -- "--server=/example.com/192.168.1.1" ${config.out}/Library/LaunchDaemons/org.nixos.dnsmasq.plist
+
    echo >&2 "checking resolver config"
    grep -F "port 53" ${config.out}/etc/resolver/localhost
    grep -F "nameserver 127.0.0.1" ${config.out}/etc/resolver/localhost