From 0ae22081a0977e9fca395a8c532f8e51a1f24c5f Mon Sep 17 00:00:00 2001
From: Mikaela Suomalainen
Date: Sat, 4 Jul 2020 19:06:18 +0300
Subject: [PATCH] etc/systemd-resolved: rework all files more or less

* explain things in README.md, don't duplicate comments
* opportunistic-insecure.conf should be used everywhere by default, so thus it's now everywhere.conf. However I am yet to test it does what I expect, so this is bad case of testing in production or after committing it in general.
---
 etc/systemd/resolved.conf.d/README.md | 36 +++++++++++++++++++
 ...tunistic-insecure.conf => everywhere.conf} | 0
 etc/systemd/resolved.conf.d/quad9-compat.conf | 4 +--
 etc/systemd/resolved.conf.d/quad9-strict.conf | 8 +++++
 etc/systemd/resolved.conf.d/quad9.conf | 19 ----------
 5 files changed, 45 insertions(+), 22 deletions(-)
 create mode 100644 etc/systemd/resolved.conf.d/README.md
 rename etc/systemd/resolved.conf.d/{opportunistic-insecure.conf => everywhere.conf} (100%)
 create mode 100644 etc/systemd/resolved.conf.d/quad9-strict.conf
 delete mode 100644 etc/systemd/resolved.conf.d/quad9.conf

diff --git a/etc/systemd/resolved.conf.d/README.md b/etc/systemd/resolved.conf.d/README.md
new file mode 100644
index 00000000..8bdf8939
--- /dev/null
+++ b/etc/systemd/resolved.conf.d/README.md
@@ -0,0 +1,36 @@
+## systemd-resolved additional config files
+
+### Files explained
+
+* everywhere.conf - configuration that doesn't affect DNS servers, attempts
+ to use DNSSEC and DoT and if it fails, doesn't care and uses insecure
+ configuration.
+* quad9-compat.conf - non-tech person config for Quad9, same as above except
+ specifies the server.
+* quad9-strict.conf - tech person config demanding DNSSEC and DoT from Quad9
+* README.md - you are reading it right now.
+
+### General commentary
+
+I have moved duplicate comments to this file, so it will possibly look weird
+or miss original context.
+
+* Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS (however
+ at the time of writing this README.md, the current version is Ubuntu 20.04.0)
+ (systemd v237). DNSOverTLS became supported in v239, strict mode (yes) in
+ v243 (big improvements in v244).
+ * TODO: find out when SNI became supported, I have just spotted it in the
+ fine manual in 2020-06-??.
+* Domains has to be `.~` for them to override DHCP. See https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd
+ without which I wouldn't have got this right.
+* DNSSEC may not work if the system is down for a long time and not updated.
+ Thus `allow-downgrade` may be better for non-tech people, even with the
+ potential downgrade attack. There are also captive portals, affecting
+ `DNSOverTLS`. Both take `true` or `false` or their own special option,
+ for DNNSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
+
+Other links I have found important and my files are based on:
+
+* https://wiki.archlinux.org/index.php/Systemd-resolved
+* request for strict DOT: https://github.com/systemd/systemd/issues/10755
+* vulnerable to MITM: https://github.com/systemd/systemd/issues/9397
diff --git a/etc/systemd/resolved.conf.d/opportunistic-insecure.conf b/etc/systemd/resolved.conf.d/everywhere.conf
similarity index 100%
rename from etc/systemd/resolved.conf.d/opportunistic-insecure.conf
rename to etc/systemd/resolved.conf.d/everywhere.conf
diff --git a/etc/systemd/resolved.conf.d/quad9-compat.conf b/etc/systemd/resolved.conf.d/quad9-compat.conf
index 1a3b67a4..43fa1c8a 100644
--- a/etc/systemd/resolved.conf.d/quad9-compat.conf
+++ b/etc/systemd/resolved.conf.d/quad9-compat.conf
@@ -1,9 +1,7 @@
+# Quad9 / systemd-resolved. For non-tech people? See README.md
 [Resolve]
 DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
 Domains=~.
-# see man resolved.conf, may not work if system is down for a long time, +
-# captive portals?
 DNSSEC=allow-downgrade
-# allow downgrade/MITM and captive portals
 DNSOverTLS=opportunistic
 Cache=true
diff --git a/etc/systemd/resolved.conf.d/quad9-strict.conf b/etc/systemd/resolved.conf.d/quad9-strict.conf
new file mode 100644
index 00000000..8b157e0c
--- /dev/null
+++ b/etc/systemd/resolved.conf.d/quad9-strict.conf
@@ -0,0 +1,8 @@
+# Quad9 / systemd-resolved. For people who don't panic when DNSSEC or
+# DoT doesn't work and captive portals attack? See README.md
+[Resolve]
+DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
+Domains=~.
+DNSSEC=true
+DNSOverTLS=true
+Cache=true
diff --git a/etc/systemd/resolved.conf.d/quad9.conf b/etc/systemd/resolved.conf.d/quad9.conf
deleted file mode 100644
index 48f3b4af..00000000
--- a/etc/systemd/resolved.conf.d/quad9.conf
+++ /dev/null
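Review bot: The new first line `# Quad9 / systemd-resolved. For non-tech people? See README.md` drops the only in-file statement of what `DNSSEC=allow-downgrade` and `DNSOverTLS=opportunistic` actually permit, namely a fall-back to unvalidated plaintext DNS whenever DNSSEC or TLS fails, which is exactly what someone copying just this file into resolved.conf.d needs to know and what the removed comment said. Suggest keeping a one-liner above those two keys, e.g. `# allow-downgrade/opportunistic: silently falls back to plaintext, unvalidated DNS when DNSSEC or TLS fails (captive portals, but also an on-path attacker)`. A second point that applies to this hunk and to the quad9-strict.conf hunk below: the three drop-ins live in the same directory and set the same keys, and resolved reads the *.conf files in lexical order with a later file overriding an earlier one per key, so with both quad9-compat.conf and quad9-strict.conf installed the strict file decides DNSSEC= and DNSOverTLS= without any hint in either file. The header comment, or the README this points at, should say that only one quad9-*.conf is meant to be present at a time.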
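Review bot: The header `# Quad9 / systemd-resolved. For people who don't panic when DNSSEC or` / `# DoT doesn't work and captive portals attack? See README.md` leaves the failure mode implicit, and with `DNSSEC=true` plus `DNSOverTLS=true` that mode is that lookups fail rather than degrade, so a captive portal is not an attack here but a network where name resolution stops until this drop-in is removed or overridden. Suggest saying so directly, e.g. `# Strict: no plaintext fallback; lookups fail when DNSSEC validation or DoT fails, e.g. behind a captive portal`. The commit message says this file is untested and the README's own TODO leaves open from which systemd version the `#dns.quad9.net` suffix on DNS= is honoured for TLS server-name checking, so until that is confirmed the strictness this file promises is an assumption; a README line on checking the effective settings with `resolvectl status` on the target release would close that gap. Separately, the README this file points at writes the override domain as `.~` while the file correctly has `Domains=~.`.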
@@ -1,19 +0,0 @@
-[Resolve]
-DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
-Domains=~.
-DNSSEC=true
-DNSOverTLS=opportunistic
-Cache=true
-
-# Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS
-# (systemd v237)
-
-# Sources:
-# https://wiki.archlinux.org/index.php/Systemd-resolved
-# * request for strict DOT: https://github.com/systemd/systemd/issues/10755
-# * vulnerable to MITM: https://github.com/systemd/systemd/issues/9397
-# https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd
-# * I wouldn't have found having to set `~.` without this.
-
-# DNSOverTLS became supported in v239, strict mode (yes) in v243 (big
-# improvements in v244).