# Module defining the `features.disableTunnels` option. When the option is on,
# it contributes two policy entries to `config.policies`: DNS-over-HTTPS is
# switched off and the proxy mode is forced to "none", each marked `Locked`.
# The key names (DNSOverHTTPS, Proxy, Enabled, Locked) match the Firefox
# enterprise-policy schema, where `Locked` pins a value against user changes —
# confirm against whatever consumes `config.policies` in this repository.
{ config, lib, ... }:
{
  options.features.disableTunnels = lib.mkOption {
    type = lib.types.bool;
    default = false;
    description = ''
      Take reasonable precautions against the use of a proxy, or an
      encrypted DNS tunnel. This can make sense if we do DNS-level
      filtering, and the user does not have full control over the device
      they're using. If a motivated user has local write and execution
      privileges, it is unlikely that we can prevent them from
      circumventing these restrictions.
    '';
  };

  # Contribute the policy entries only when the feature is enabled; with
  # `lib.mkIf` the module system drops this definition otherwise.
  config.policies = lib.mkIf config.features.disableTunnels {
    # Turn off DNS-over-HTTPS so name resolution cannot bypass DNS-level filtering.
    DNSOverHTTPS = {
      Enabled = false;
      Locked = true;
    };
    # Forbid any proxy configuration so traffic is not routed around the filter.
    Proxy = {
      Mode = "none";
      Locked = true;
    };
  };
}