shell-things/etc/systemd/resolved.conf.d/README.md

# systemd-resolved additional config files

## Quickstart

```bash
sudo systemctl enable --now systemd-resolved.service
sudo ln -rsf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
# After changing configuration
sudo systemctl restart systemd-resolved
```

## Files explained

- `00-defaults.conf` - configuration that should be used everywhere.
  Enables DNSSEC (regardless of systemd-resolved not handling it properly),
  enables opportunistic DoT, caching and local DNS servers.
- `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
  captive portals are a concern, `DNSOverTLS=no`. At least one of these
  should be used in addition to `00-defaults.conf`
- `README.md` - you are reading it right now.

## General commentary

- Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS (however
  at the time of writing this README.md, the current version is Ubuntu 20.04.0)
  (systemd v237). DNSOverTLS became supported in v239, strict mode (yes) in
  v243 (big improvements in v244).
  - TODO: find out when SNI became supported, I have just spotted it in the
    fine manual in 2020-06-??.
- Domains has to be `.~` for them to override DHCP. See https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd
  without which I wouldn't have got this right.
- DNSSEC may not work if the system is down for a long time and not updated.
  Thus `allow-downgrade` may be better for non-tech people, even with the
  potential downgrade attack. There are also captive portals, affecting
  `DNSOverTLS`. Both take `yes` or `no` or their own special option,
  for DNNSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
  - Then again when was any system that outdated to not have working DNSSEC?
    - TODO: return to this configuration should that actually happen?

Other links I have found important and my files are based on:

- https://wiki.archlinux.org/index.php/Systemd-resolved
  - Also provides the serious issues systemd-resolved+DNSSEC issues, https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
- request for strict DoT: https://github.com/systemd/systemd/issues/10755
- vulnerable to MITM: https://github.com/systemd/systemd/issues/9397
systemd-resolved README: add quickstart, remove extra h-levels 2022-03-28 19:43:03 +02:00			`# systemd-resolved additional config files`
etc/systemd-resolved: rework all files more or less * explain things in README.md, don't duplicate comments * opportunistic-insecure.conf should be used everywhere by default, so thus it's now everywhere.conf. However I am yet to test it does what I expect, so this is bad case of testing in production or after committing it in general. 2020-07-04 18:06:18 +02:00
systemd-resolved README: add quickstart, remove extra h-levels 2022-03-28 19:43:03 +02:00			`## Quickstart`

			```bash
			`sudo systemctl enable --now systemd-resolved.service`
			`sudo ln -rsf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf`
			`# After changing configuration`
			`sudo systemctl restart systemd-resolved`
			```

			`## Files explained`
etc/systemd-resolved: rework all files more or less * explain things in README.md, don't duplicate comments * opportunistic-insecure.conf should be used everywhere by default, so thus it's now everywhere.conf. However I am yet to test it does what I expect, so this is bad case of testing in production or after committing it in general. 2020-07-04 18:06:18 +02:00
resolved.conf.d/README.md: mention 00-defaults and dot-something being supposed to be used together 2024-04-10 14:09:31 +02:00			- `00-defaults.conf` - configuration that should be used everywhere.
			`Enables DNSSEC (regardless of systemd-resolved not handling it properly),`
			`enables opportunistic DoT, caching and local DNS servers.`
run prettier 2023-02-21 16:54:39 +01:00			- `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
resolved.conf.d/README.md: mention 00-defaults and dot-something being supposed to be used together 2024-04-10 14:09:31 +02:00			captive portals are a concern, `DNSOverTLS=no`. At least one of these
			should be used in addition to `00-defaults.conf`
run prettier 2023-02-21 16:54:39 +01:00			- `README.md` - you are reading it right now.
etc/systemd-resolved: rework all files more or less * explain things in README.md, don't duplicate comments * opportunistic-insecure.conf should be used everywhere by default, so thus it's now everywhere.conf. However I am yet to test it does what I expect, so this is bad case of testing in production or after committing it in general. 2020-07-04 18:06:18 +02:00
systemd-resolved README: add quickstart, remove extra h-levels 2022-03-28 19:43:03 +02:00			`## General commentary`
etc/systemd-resolved: rework all files more or less * explain things in README.md, don't duplicate comments * opportunistic-insecure.conf should be used everywhere by default, so thus it's now everywhere.conf. However I am yet to test it does what I expect, so this is bad case of testing in production or after committing it in general. 2020-07-04 18:06:18 +02:00
run prettier 2023-02-21 16:54:39 +01:00			`- Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS (however`
run prettier on markdown again? 2023-02-21 18:33:31 +01:00			`at the time of writing this README.md, the current version is Ubuntu 20.04.0)`
			`(systemd v237). DNSOverTLS became supported in v239, strict mode (yes) in`
			`v243 (big improvements in v244).`
			`- TODO: find out when SNI became supported, I have just spotted it in the`
			`fine manual in 2020-06-??.`
run prettier 2023-02-21 16:54:39 +01:00			- Domains has to be `.~` for them to override DHCP. See https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd
run prettier on markdown again? 2023-02-21 18:33:31 +01:00			`without which I wouldn't have got this right.`
run prettier 2023-02-21 16:54:39 +01:00			`- DNSSEC may not work if the system is down for a long time and not updated.`
run prettier on markdown again? 2023-02-21 18:33:31 +01:00			Thus `allow-downgrade` may be better for non-tech people, even with the
			`potential downgrade attack. There are also captive portals, affecting`
			`DNSOverTLS`. Both take `yes` or `no` or their own special option,
			for DNNSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
systemd-resolved: keep DNSSEC enabled 2023-10-21 10:27:07 +02:00			`- Then again when was any system that outdated to not have working DNSSEC?`
			`- TODO: return to this configuration should that actually happen?`
etc/systemd-resolved: rework all files more or less * explain things in README.md, don't duplicate comments * opportunistic-insecure.conf should be used everywhere by default, so thus it's now everywhere.conf. However I am yet to test it does what I expect, so this is bad case of testing in production or after committing it in general. 2020-07-04 18:06:18 +02:00
			`Other links I have found important and my files are based on:`

run prettier 2023-02-21 16:54:39 +01:00			`- https://wiki.archlinux.org/index.php/Systemd-resolved`
run prettier on markdown again? 2023-02-21 18:33:31 +01:00			`- Also provides the serious issues systemd-resolved+DNSSEC issues, https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867`
systemd-resolved: keep DNSSEC enabled 2023-10-21 10:27:07 +02:00			`- request for strict DoT: https://github.com/systemd/systemd/issues/10755`
run prettier 2023-02-21 16:54:39 +01:00			`- vulnerable to MITM: https://github.com/systemd/systemd/issues/9397`