mirror of
https://gitea.blesmrt.net/mikaela/shell-things.git
synced 2024-12-23 03:02:52 +01:00
etc/systemd-resolved: rework all files more or less
* explain things in README.md, don't duplicate comments * opportunistic-insecure.conf should be used everywhere by default, so thus it's now everywhere.conf. However I am yet to test it does what I expect, so this is bad case of testing in production or after committing it in general.
This commit is contained in:
parent
7a73088beb
commit
0ae22081a0
36
etc/systemd/resolved.conf.d/README.md
Normal file
36
etc/systemd/resolved.conf.d/README.md
Normal file
@ -0,0 +1,36 @@
|
||||
## systemd-resolved additional config files
|
||||
|
||||
### Files explained
|
||||
|
||||
* everywhere.conf - configuration that doesn't affect DNS servers, attempts
|
||||
to use DNSSEC and DoT and if it fails, doesn't care and uses insecure
|
||||
configuration.
|
||||
* quad9-compat.conf - non-tech person config for Quad9, same as above except
|
||||
specifies the server.
|
||||
* quad9-strict.conf - tech person config demanding DNSSEC and DoT from Quad9
|
||||
* README.md - you are reading it right now.
|
||||
|
||||
### General commentary
|
||||
|
||||
I have moved duplicate comments to this file, so it will possibly look weird
|
||||
or miss original context.
|
||||
|
||||
* Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS (however
|
||||
at the time of writing this README.md, the current version is Ubuntu 20.04.0)
|
||||
(systemd v237). DNSOverTLS became supported in v239, strict mode (yes) in
|
||||
v243 (big improvements in v244).
|
||||
* TODO: find out when SNI became supported, I have just spotted it in the
|
||||
fine manual in 2020-06-??.
|
||||
* Domains has to be `.~` for them to override DHCP. See https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd
|
||||
without which I wouldn't have got this right.
|
||||
* DNSSEC may not work if the system is down for a long time and not updated.
|
||||
Thus `allow-downgrade` may be better for non-tech people, even with the
|
||||
potential downgrade attack. There are also captive portals, affecting
|
||||
`DNSOverTLS`. Both take `true` or `false` or their own special option,
|
||||
for DNNSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
|
||||
|
||||
Other links I have found important and my files are based on:
|
||||
|
||||
* https://wiki.archlinux.org/index.php/Systemd-resolved
|
||||
* request for strict DOT: https://github.com/systemd/systemd/issues/10755
|
||||
* vulnerable to MITM: https://github.com/systemd/systemd/issues/9397
|
@ -1,9 +1,7 @@
|
||||
# Quad9 / systemd-resolved. For non-tech people? See README.md
|
||||
[Resolve]
|
||||
DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
|
||||
Domains=~.
|
||||
# see man resolved.conf, may not work if system is down for a long time, +
|
||||
# captive portals?
|
||||
DNSSEC=allow-downgrade
|
||||
# allow downgrade/MITM and captive portals
|
||||
DNSOverTLS=opportunistic
|
||||
Cache=true
|
||||
|
8
etc/systemd/resolved.conf.d/quad9-strict.conf
Normal file
8
etc/systemd/resolved.conf.d/quad9-strict.conf
Normal file
@ -0,0 +1,8 @@
|
||||
# Quad9 / systemd-resolved. For people who don't panic when DNSSEC or
|
||||
# DoT doesn't work and captive portals attack? See README.md
|
||||
[Resolve]
|
||||
DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
|
||||
Domains=~.
|
||||
DNSSEC=true
|
||||
DNSOverTLS=true
|
||||
Cache=true
|
@ -1,19 +0,0 @@
|
||||
[Resolve]
|
||||
DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
|
||||
Domains=~.
|
||||
DNSSEC=true
|
||||
DNSOverTLS=opportunistic
|
||||
Cache=true
|
||||
|
||||
# Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS
|
||||
# (systemd v237)
|
||||
|
||||
# Sources:
|
||||
# https://wiki.archlinux.org/index.php/Systemd-resolved
|
||||
# * request for strict DOT: https://github.com/systemd/systemd/issues/10755
|
||||
# * vulnerable to MITM: https://github.com/systemd/systemd/issues/9397
|
||||
# https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd
|
||||
# * I wouldn't have found having to set `~.` without this.
|
||||
|
||||
# DNSOverTLS became supported in v239, strict mode (yes) in v243 (big
|
||||
# improvements in v244).
|
Loading…
Reference in New Issue
Block a user