systemd-resolved: another attempt at local resolvers

etc/systemd/resolved.conf.d/00-defaults.conf

@@ -4,6 +4,7 @@
 # BREAKAGE WARNING for everything else than DNSSEC=false !
 # https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
 # PRIVACY WARNING! systemd-networkd/links may override this.
+# NOTE: Empty variables unset whatever is set before! They are not a mistake.
 DNSSEC=true
 # Take the risk of downgrade attacks. Web browser policies enforce
 # DNS-over-HTTPS anyway due to Encrypted Client Hello (ECH) still requiring
@@ -11,10 +12,13 @@ DNSSEC=true
 #DNSOverTLS=opportunistic
 DNSOverTLS=true
 Cache=true
-# Consider local DNS servers if they exist. Empty should erase previous values.
+# Consider local DNS servers if they exist.
 DNS=
-DNS=127.0.0.1
 DNS=::1
+DNS=127.0.0.1
+FallbackDNS=
+FallbackDNS=::1
+FallbackDNS=127.0.0.1
 Domains=~.
 # .local domains
 MulticastDNS=true

etc/systemd/resolved.conf.d/zz-local-resolver.conf

@@ -0,0 +1,14 @@
+# Being at the end of the English alphabet, this file will take priority
+# and override values of others with the unsets.
+[Resolve]
+DNSSEC=false
+DNSOverTLS=false
+Cache=false
+DNS=
+DNS=::1
+DNS=127.0.0.1
+FallbackDNS=
+FallbackDNS=::1
+FallbackDNS=127.0.0.1
+Domains=~.
+# vim: filetype=systemd