shell-things/etc/systemd/resolved.conf.d/README.md

# systemd-resolved additional config files

## Quickstart

```bash
sudo systemctl enable --now systemd-resolved.service
sudo ln -rsf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
# After changing configuration
sudo systemctl restart systemd-resolved
```

## Files explained

- `00-defaults.conf` - configuration that should be used everywhere.
  Enables DNSSEC (regardless of systemd-resolved not handling it properly),
  enables opportunistic DoT, caching and local DNS servers.
- `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
  captive portals are a concern, `DNSOverTLS=opportunistic`. At least one of these
  should be used in addition to `00-defaults.conf`
- `nordvpn.conf` - includes NordVPN's resolver addresses for hosts using it
- `README.md` - you are reading it right now.

## General commentary

- DNSOverTLS became supported in systemd v239, strict mode (true) in
  v243 (big improvements in v244).
  - TODO: find out when SNI became supported, I have just spotted it in the
    fine manual in 2020-06-??.
- Domains has to be `.~` for them to override DHCP. See https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd
  without which I wouldn't have got this right.
- DNSSEC may not work if the system is down for a long time and not updated.
  Thus `allow-downgrade` may be better for non-tech people, even with the
  potential downgrade attack. There are also captive portals, affecting
  `DNSOverTLS`. Both take `true` or `false` or their own special option,
  for DNSSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
  - Then again when was any system that outdated to not have working DNSSEC?
    - TODO: return to this configuration should that actually happen?
    - I am actually running Unbound simultaneously with `resolv.conf` pointing
      to both with `options rotate edns0 trust-ad` which might workaround that
      potential issue.

Other links I have found important and my files are based on:

- https://wiki.archlinux.org/index.php/Systemd-resolved
  - Also provides the serious issues systemd-resolved+DNSSEC issues, https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
- request for strict DoT: https://github.com/systemd/systemd/issues/10755
- vulnerable to MITM: https://github.com/systemd/systemd/issues/9397
systemd-resolved README: add quickstart, remove extra h-levels 2022-03-28 19:43:03 +02:00			`# systemd-resolved additional config files`
etc/systemd-resolved: rework all files more or less * explain things in README.md, don't duplicate comments * opportunistic-insecure.conf should be used everywhere by default, so thus it's now everywhere.conf. However I am yet to test it does what I expect, so this is bad case of testing in production or after committing it in general. 2020-07-04 18:06:18 +02:00
systemd-resolved README: add quickstart, remove extra h-levels 2022-03-28 19:43:03 +02:00			`## Quickstart`

			```bash
			`sudo systemctl enable --now systemd-resolved.service`
			`sudo ln -rsf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf`
			`# After changing configuration`
			`sudo systemctl restart systemd-resolved`
			```

			`## Files explained`
etc/systemd-resolved: rework all files more or less * explain things in README.md, don't duplicate comments * opportunistic-insecure.conf should be used everywhere by default, so thus it's now everywhere.conf. However I am yet to test it does what I expect, so this is bad case of testing in production or after committing it in general. 2020-07-04 18:06:18 +02:00
resolved.conf.d/README.md: mention 00-defaults and dot-something being supposed to be used together 2024-04-10 14:09:31 +02:00			- `00-defaults.conf` - configuration that should be used everywhere.
			`Enables DNSSEC (regardless of systemd-resolved not handling it properly),`
			`enables opportunistic DoT, caching and local DNS servers.`
run prettier 2023-02-21 16:54:39 +01:00			- `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
systemd-resolved/README.md: remove EOL Ubuntu, fix booleans, note my actual DNS config 2024-04-11 09:03:53 +02:00			captive portals are a concern, `DNSOverTLS=opportunistic`. At least one of these
resolved.conf.d/README.md: mention 00-defaults and dot-something being supposed to be used together 2024-04-10 14:09:31 +02:00			should be used in addition to `00-defaults.conf`
systemd-resolved/README.md: mention nordvpn.conf 2024-04-11 09:05:18 +02:00			- `nordvpn.conf` - includes NordVPN's resolver addresses for hosts using it
run prettier 2023-02-21 16:54:39 +01:00			- `README.md` - you are reading it right now.
etc/systemd-resolved: rework all files more or less * explain things in README.md, don't duplicate comments * opportunistic-insecure.conf should be used everywhere by default, so thus it's now everywhere.conf. However I am yet to test it does what I expect, so this is bad case of testing in production or after committing it in general. 2020-07-04 18:06:18 +02:00
systemd-resolved README: add quickstart, remove extra h-levels 2022-03-28 19:43:03 +02:00			`## General commentary`
etc/systemd-resolved: rework all files more or less * explain things in README.md, don't duplicate comments * opportunistic-insecure.conf should be used everywhere by default, so thus it's now everywhere.conf. However I am yet to test it does what I expect, so this is bad case of testing in production or after committing it in general. 2020-07-04 18:06:18 +02:00
systemd-resolved/README.md: remove EOL Ubuntu, fix booleans, note my actual DNS config 2024-04-11 09:03:53 +02:00			`- DNSOverTLS became supported in systemd v239, strict mode (true) in`
run prettier on markdown again? 2023-02-21 18:33:31 +01:00			`v243 (big improvements in v244).`
			`- TODO: find out when SNI became supported, I have just spotted it in the`
			`fine manual in 2020-06-??.`
run prettier 2023-02-21 16:54:39 +01:00			- Domains has to be `.~` for them to override DHCP. See https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd
run prettier on markdown again? 2023-02-21 18:33:31 +01:00			`without which I wouldn't have got this right.`
run prettier 2023-02-21 16:54:39 +01:00			`- DNSSEC may not work if the system is down for a long time and not updated.`
run prettier on markdown again? 2023-02-21 18:33:31 +01:00			Thus `allow-downgrade` may be better for non-tech people, even with the
			`potential downgrade attack. There are also captive portals, affecting`
systemd-resolved/README.md: remove EOL Ubuntu, fix booleans, note my actual DNS config 2024-04-11 09:03:53 +02:00			`DNSOverTLS`. Both take `true` or `false` or their own special option,
			for DNSSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
systemd-resolved: keep DNSSEC enabled 2023-10-21 10:27:07 +02:00			`- Then again when was any system that outdated to not have working DNSSEC?`
			`- TODO: return to this configuration should that actually happen?`
systemd-resolved/README.md: remove EOL Ubuntu, fix booleans, note my actual DNS config 2024-04-11 09:03:53 +02:00			- I am actually running Unbound simultaneously with `resolv.conf` pointing
			to both with `options rotate edns0 trust-ad` which might workaround that
			`potential issue.`
etc/systemd-resolved: rework all files more or less * explain things in README.md, don't duplicate comments * opportunistic-insecure.conf should be used everywhere by default, so thus it's now everywhere.conf. However I am yet to test it does what I expect, so this is bad case of testing in production or after committing it in general. 2020-07-04 18:06:18 +02:00
			`Other links I have found important and my files are based on:`

run prettier 2023-02-21 16:54:39 +01:00			`- https://wiki.archlinux.org/index.php/Systemd-resolved`
run prettier on markdown again? 2023-02-21 18:33:31 +01:00			`- Also provides the serious issues systemd-resolved+DNSSEC issues, https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867`
systemd-resolved: keep DNSSEC enabled 2023-10-21 10:27:07 +02:00			`- request for strict DoT: https://github.com/systemd/systemd/issues/10755`
run prettier 2023-02-21 16:54:39 +01:00			`- vulnerable to MITM: https://github.com/systemd/systemd/issues/9397`