etc/systemd-resolved: rework all files more or less

* explain things in README.md, don't duplicate comments
* opportunistic-insecure.conf should be used everywhere by default, so
  it's now everywhere.conf. However, I have yet to test that it does what
  I expect, so this is a bad case of testing in production, or after
  committing it in general.
Aminda Suomalainen 2020-07-04 19:06:18 +03:00
parent 7a73088beb
commit 0ae22081a0
Signed by: Mikaela
GPG Key ID: 99392F62BAE30723
5 changed files with 45 additions and 22 deletions


@ -0,0 +1,36 @@
## systemd-resolved additional config files
### Files explained
* everywhere.conf - configuration that doesn't affect DNS servers, attempts
to use DNSSEC and DoT and if it fails, doesn't care and uses insecure
configuration.
* quad9-compat.conf - non-tech person config for Quad9, same as above except
specifies the server.
* quad9-strict.conf - tech person config demanding DNSSEC and DoT from Quad9
* README.md - you are reading it right now.
### General commentary
I have moved duplicate comments to this file, so it will possibly look weird
or miss original context.
* Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS (however
at the time of writing this README.md, the current version is Ubuntu 20.04.0)
(systemd v237). DNSOverTLS became supported in v239, strict mode (yes) in
v243 (big improvements in v244).
* TODO: find out when SNI became supported, I have just spotted it in the
fine manual in 2020-06-??.
* Domains has to be `.~` for them to override DHCP. See https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd
without which I wouldn't have got this right.
* DNSSEC may not work if the system is down for a long time and not updated.
Thus `allow-downgrade` may be better for non-tech people, even with the
potential downgrade attack. There are also captive portals, affecting
`DNSOverTLS`. Both take `true` or `false` or their own special option,
for DNNSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
Other links I have found important and my files are based on:
* https://wiki.archlinux.org/index.php/Systemd-resolved
* request for strict DOT: https://github.com/systemd/systemd/issues/10755
* vulnerable to MITM: https://github.com/systemd/systemd/issues/9397
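Review bot: the Domains value in the "General commentary" bullet is written as `.~`, but the config files in this commit use `Domains=~.`, so the README should say `~.` or readers copying it will get the wrong string. In the same section `DNNSEC` should be `DNSSEC`, and since the commit message says everywhere.conf was renamed without testing, the README could tell readers to confirm the effective mode with `resolvectl status`, whose per-link output shows the "DNSSEC setting" and "DNS over TLS" values actually in force.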


@ -1,9 +1,7 @@
# Quad9 / systemd-resolved. For non-tech people? See README.md
[Resolve] [Resolve]
DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
Domains=~. Domains=~.
# see man resolved.conf, may not work if system is down for a long time, +
# captive portals?
DNSSEC=allow-downgrade DNSSEC=allow-downgrade
# allow downgrade/MITM and captive portals
DNSOverTLS=opportunistic DNSOverTLS=opportunistic
Cache=true Cache=true
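Review bot: with `DNSSEC=allow-downgrade` and `DNSOverTLS=opportunistic` together, an on-path attacker (or a captive portal) can strip both protections silently, and the removed `# allow downgrade/MITM and captive portals` comment was the only in-file hint of that. Moving the explanation to README.md is fine, but consider keeping a one-line pointer such as `# both settings downgrade silently, see README.md` next to the two options, since this file is the one meant for non-technical users who are least likely to read the README first.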


@ -0,0 +1,8 @@
# Quad9 / systemd-resolved. For people who don't panic when DNSSEC or
# DoT doesn't work and captive portals attack? See README.md
[Resolve]
DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
Domains=~.
DNSSEC=true
DNSOverTLS=true
Cache=true
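Review bot: `DNSOverTLS=true` (strict mode) needs systemd v243 or newer according to the README in this same commit, and Ubuntu 18.04 ships v237, so on older systems this file will fail closed rather than fall back. The header comment should state the minimum version (e.g. `# requires systemd >= 243 for DNSOverTLS=true`) so that a user whose resolution stops working knows the cause instead of blaming Quad9.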


@ -1,19 +0,0 @@
[Resolve]
DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
Domains=~.
DNSSEC=true
DNSOverTLS=opportunistic
Cache=true
# Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS
# (systemd v237)
# Sources:
# https://wiki.archlinux.org/index.php/Systemd-resolved
# * request for strict DOT: https://github.com/systemd/systemd/issues/10755
# * vulnerable to MITM: https://github.com/systemd/systemd/issues/9397
# https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd
# * I wouldn't have found having to set `~.` without this.
# DNSOverTLS became supported in v239, strict mode (yes) in v243 (big
# improvements in v244).
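Review bot: deleting this file drops the `DNSSEC=true` plus `DNSOverTLS=opportunistic` combination, which neither remaining Quad9 file offers (quad9-compat.conf is allow-downgrade/opportunistic, quad9-strict.conf is true/true). That was the only option for someone who wants validated DNSSEC but cannot run strict DoT on systemd older than v243, so either say in the commit message or README that this combination was intentionally retired, or keep it under the quad9-strict name for older systemd. The version notes and source links from these comments did land in README.md, which is good.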