shell-things/etc/systemd/resolved.conf.d/README.md

<!-- @format -->

# systemd-resolved additional config files

<!-- editorconfig-checker-disable -->
<!-- prettier-ignore-start -->

<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->

- [Quickstart](#quickstart)
- [Files explained](#files-explained)
- [General commentary](#general-commentary)

<!-- END doctoc generated TOC please keep comment here to allow auto update -->

<!-- prettier-ignore-end -->
<!-- editorconfig-checker-enable -->

## Quickstart

This is also done by `../../systemd-resolv.conf-restore.bash` which takes into
account more circumstances...

```bash
sudo systemctl enable --now systemd-resolved.service
sudo ln -rsf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
# After changing configuration
sudo systemctl restart systemd-resolved
```

...but `../../systemd-resolv.conf-generate.bash` **is better.** Although
`../../resolv.conf-generate.bash` **is the best** this repository has to
offer.

## Files explained

- `00-defaults.conf` - configuration that should be used everywhere. Enables
  DNSSEC (regardless of systemd-resolved not handling it properly), enables
  opportunistic DoT, caching and local DNS servers (because they should exist
  anyway as I don't trust systemd-resolved entirely. Anyway if there truly is
  no local resolver, systemd-resolved will detect that and act accordingly.)
  - To rephrase, this is to be used together with other files, especially some
    of those beginning with `10-dot-`.
- `05-do53-dna-moi.conf` - DNS servers used by DNA and Moi (who is on DNA's
  network and owned by them)
- `05-do53-elisa.conf` - DNS servers used by Elisa and apparently their
  Saunalahti still exists here as well.
- `10-dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS.
  At least one of these should be used in addition to `00-defaults.conf`
- `98-local-resolver.conf` attempts to configure localhost resolver and
  disables unnecessary features for that scenario. The number 10 takes
  priority over 00 and 05 so if a DNSOverTLS=true is uncommented, it will also
  apply to the former ones that are unlikely to support it. When numbering the
  files, I didn't think I would be adding the plaintext DNS servers that I am
  unlikely to use whenever Unbound is available (and I currently have only one
  system that has systemd-resolved while not having Unbound and it seems to
  prefer DoT over my router anyway).
- `99-lan-resolver.conf.sample` when renamed would allow enabling resolvers on
  LAN assuming they are trusted. Note that if used together with
  `98-local-resolver.conf`, DNSSEC would be disabled.
- `README.md` - you are reading it right now.

## General commentary

- DNSOverTLS became supported in systemd v239, strict mode (true) in v243 (big
  improvements in v244).
  - TODO: find out when SNI became supported, I have just spotted it in the
    fine manual in 2020-06-??.
- Domains has to be `.~` for them to override DHCP. See
  https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd
  without which I wouldn't have got this right.
- DNSSEC may not work if the system is down for a long time and not updated.
  Thus `allow-downgrade` may be better for non-tech people, even with the
  potential downgrade attack. There are also captive portals, affecting
  `DNSOverTLS`. Both take `true` or `false` or their own special option, for
  DNSSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
  - Then again when was any system that outdated to not have working DNSSEC?
    - TODO: return to this configuration should that actually happen?
    - I am actually running Unbound simultaneously with `resolv.conf` pointing
      to both with `options rotate edns0 trust-ad` which might workaround that
      potential issue.
- DNS server priority is the one they are specified in. The first working one
  will be used when it won't work anymore and then the next is used as long as
  it works and then it's back to the beginning.
  - https://github.com/systemd/systemd/issues/16322#issuecomment-724143641

Other links I have found important and my files are based on:

- https://wiki.archlinux.org/index.php/Systemd-resolved
  - Also provides the serious issues systemd-resolved+DNSSEC issues,
    https://github.com/systemd/systemd/issues/10579 &
    https://github.com/systemd/systemd/issues/9867
- request for strict DoT: https://github.com/systemd/systemd/issues/10755
- vulnerable to MITM: https://github.com/systemd/systemd/issues/9397
fix .prettierrc & run prettier again 2024-07-03 18:08:14 +02:00			`<!-- @format -->`

systemd-resolved README: add quickstart, remove extra h-levels 2022-03-28 19:43:03 +02:00			`# systemd-resolved additional config files`
etc/systemd-resolved: rework all files more or less * explain things in README.md, don't duplicate comments * opportunistic-insecure.conf should be used everywhere by default, so thus it's now everywhere.conf. However I am yet to test it does what I expect, so this is bad case of testing in production or after committing it in general. 2020-07-04 18:06:18 +02:00
systemd-resolved/README.md: enable doctoc 2024-04-11 09:06:18 +02:00			`<!-- editorconfig-checker-disable -->`
			`<!-- prettier-ignore-start -->`

			`<!-- START doctoc generated TOC please keep comment here to allow auto update -->`
			`<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->`

			`- [Quickstart](#quickstart)`
			`- [Files explained](#files-explained)`
			`- [General commentary](#general-commentary)`

			`<!-- END doctoc generated TOC please keep comment here to allow auto update -->`

			`<!-- prettier-ignore-end -->`
			`<!-- editorconfig-checker-enable -->`

systemd-resolved README: add quickstart, remove extra h-levels 2022-03-28 19:43:03 +02:00			`## Quickstart`

fix .prettierrc & run prettier again 2024-07-03 18:08:14 +02:00			This is also done by `../../systemd-resolv.conf-restore.bash` which takes into
			`account more circumstances...`
systemd/resolved.conf.d/README: note my scripts existing 2024-05-15 19:29:59 +02:00
systemd-resolved README: add quickstart, remove extra h-levels 2022-03-28 19:43:03 +02:00			```bash
			`sudo systemctl enable --now systemd-resolved.service`
			`sudo ln -rsf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf`
			`# After changing configuration`
			`sudo systemctl restart systemd-resolved`
			```

systemd/resolved.conf.d/README: note my scripts existing 2024-05-15 19:29:59 +02:00			...but `../../systemd-resolv.conf-generate.bash` is better. Although
			`../../resolv.conf-generate.bash` is the best this repository has to
			`offer.`

systemd-resolved README: add quickstart, remove extra h-levels 2022-03-28 19:43:03 +02:00			`## Files explained`
etc/systemd-resolved: rework all files more or less * explain things in README.md, don't duplicate comments * opportunistic-insecure.conf should be used everywhere by default, so thus it's now everywhere.conf. However I am yet to test it does what I expect, so this is bad case of testing in production or after committing it in general. 2020-07-04 18:06:18 +02:00
fix .prettierrc & run prettier again 2024-07-03 18:08:14 +02:00			- `00-defaults.conf` - configuration that should be used everywhere. Enables
			`DNSSEC (regardless of systemd-resolved not handling it properly), enables`
			`opportunistic DoT, caching and local DNS servers (because they should exist`
			`anyway as I don't trust systemd-resolved entirely. Anyway if there truly is`
			`no local resolver, systemd-resolved will detect that and act accordingly.)`
			`- To rephrase, this is to be used together with other files, especially some`
			of those beginning with `10-dot-`.
systemd-resolved: add DNA/Moi & Elisa DNS servers I was unable to find authoritative source for what is Telia's DNS 2024-04-28 15:11:13 +02:00			- `05-do53-dna-moi.conf` - DNS servers used by DNA and Moi (who is on DNA's
			`network and owned by them)`
			- `05-do53-elisa.conf` - DNS servers used by Elisa and apparently their
			`Saunalahti still exists here as well.`
systemd-resolved: rename conf files to have a number prefix 2024-04-28 08:13:20 +02:00			- `10-dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS.
systemd-resolved: attempt to simplify configuration 2024-04-22 14:08:03 +02:00			At least one of these should be used in addition to `00-defaults.conf`
systemd-resolved: rename conf files to have a number prefix 2024-04-28 08:13:20 +02:00			- `98-local-resolver.conf` attempts to configure localhost resolver and
systemd-resolved: add DNA/Moi & Elisa DNS servers I was unable to find authoritative source for what is Telia's DNS 2024-04-28 15:11:13 +02:00			`disables unnecessary features for that scenario. The number 10 takes`
fix .prettierrc & run prettier again 2024-07-03 18:08:14 +02:00			`priority over 00 and 05 so if a DNSOverTLS=true is uncommented, it will also`
			`apply to the former ones that are unlikely to support it. When numbering the`
			`files, I didn't think I would be adding the plaintext DNS servers that I am`
			`unlikely to use whenever Unbound is available (and I currently have only one`
			`system that has systemd-resolved while not having Unbound and it seems to`
			`prefer DoT over my router anyway).`
systemd-resolved: rename conf files to have a number prefix 2024-04-28 08:13:20 +02:00			- `99-lan-resolver.conf.sample` when renamed would allow enabling resolvers on
			`LAN assuming they are trusted. Note that if used together with`
			`98-local-resolver.conf`, DNSSEC would be disabled.
run prettier 2023-02-21 16:54:39 +01:00			- `README.md` - you are reading it right now.
etc/systemd-resolved: rework all files more or less * explain things in README.md, don't duplicate comments * opportunistic-insecure.conf should be used everywhere by default, so thus it's now everywhere.conf. However I am yet to test it does what I expect, so this is bad case of testing in production or after committing it in general. 2020-07-04 18:06:18 +02:00
systemd-resolved README: add quickstart, remove extra h-levels 2022-03-28 19:43:03 +02:00			`## General commentary`
etc/systemd-resolved: rework all files more or less * explain things in README.md, don't duplicate comments * opportunistic-insecure.conf should be used everywhere by default, so thus it's now everywhere.conf. However I am yet to test it does what I expect, so this is bad case of testing in production or after committing it in general. 2020-07-04 18:06:18 +02:00
fix .prettierrc & run prettier again 2024-07-03 18:08:14 +02:00			`- DNSOverTLS became supported in systemd v239, strict mode (true) in v243 (big`
			`improvements in v244).`
run prettier on markdown again? 2023-02-21 18:33:31 +01:00			`- TODO: find out when SNI became supported, I have just spotted it in the`
			`fine manual in 2020-06-??.`
fix .prettierrc & run prettier again 2024-07-03 18:08:14 +02:00			- Domains has to be `.~` for them to override DHCP. See
			`https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd`
run prettier on markdown again? 2023-02-21 18:33:31 +01:00			`without which I wouldn't have got this right.`
run prettier 2023-02-21 16:54:39 +01:00			`- DNSSEC may not work if the system is down for a long time and not updated.`
run prettier on markdown again? 2023-02-21 18:33:31 +01:00			Thus `allow-downgrade` may be better for non-tech people, even with the
			`potential downgrade attack. There are also captive portals, affecting`
fix .prettierrc & run prettier again 2024-07-03 18:08:14 +02:00			`DNSOverTLS`. Both take `true` or `false` or their own special option, for
			DNSSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
systemd-resolved: keep DNSSEC enabled 2023-10-21 10:27:07 +02:00			`- Then again when was any system that outdated to not have working DNSSEC?`
			`- TODO: return to this configuration should that actually happen?`
systemd-resolved/README.md: remove EOL Ubuntu, fix booleans, note my actual DNS config 2024-04-11 09:03:53 +02:00			- I am actually running Unbound simultaneously with `resolv.conf` pointing
			to both with `options rotate edns0 trust-ad` which might workaround that
			`potential issue.`
systemd-resolved: note server priority 2024-05-15 19:23:27 +02:00			`- DNS server priority is the one they are specified in. The first working one`
fix .prettierrc & run prettier again 2024-07-03 18:08:14 +02:00			`will be used when it won't work anymore and then the next is used as long as`
			`it works and then it's back to the beginning.`
systemd-resolved: note server priority 2024-05-15 19:23:27 +02:00			`- https://github.com/systemd/systemd/issues/16322#issuecomment-724143641`
etc/systemd-resolved: rework all files more or less * explain things in README.md, don't duplicate comments * opportunistic-insecure.conf should be used everywhere by default, so thus it's now everywhere.conf. However I am yet to test it does what I expect, so this is bad case of testing in production or after committing it in general. 2020-07-04 18:06:18 +02:00
			`Other links I have found important and my files are based on:`

run prettier 2023-02-21 16:54:39 +01:00			`- https://wiki.archlinux.org/index.php/Systemd-resolved`
fix .prettierrc & run prettier again 2024-07-03 18:08:14 +02:00			`- Also provides the serious issues systemd-resolved+DNSSEC issues,`
			`https://github.com/systemd/systemd/issues/10579 &`
			`https://github.com/systemd/systemd/issues/9867`
systemd-resolved: keep DNSSEC enabled 2023-10-21 10:27:07 +02:00			`- request for strict DoT: https://github.com/systemd/systemd/issues/10755`
run prettier 2023-02-21 16:54:39 +01:00			`- vulnerable to MITM: https://github.com/systemd/systemd/issues/9397`