From 36801338d4ab8cbb027bc00c75287ebc53b5545f Mon Sep 17 00:00:00 2001 
From: Aminda Suomalainen Date: Sun, 4 May 2025 09:59:36 +0300 Subject: [PATCH] systemd-resolved: maybe I snapped at this --- etc/systemd/resolved.conf.d/.gitignore | 2 -- etc/systemd/resolved.conf.d/00-defaults.conf | 27 ----------------- .../resolved.conf.d/05-do53-dna-moi.conf | 6 ---- .../resolved.conf.d/05-do53-elisa.conf | 9 ------ etc/systemd/resolved.conf.d/10-dot-443.conf | 7 ----- .../resolved.conf.d/10-dot-adguard.conf | 6 ---- .../resolved.conf.d/10-dot-cloudflare.conf | 8 ----- etc/systemd/resolved.conf.d/10-dot-dns0.conf | 8 ----- .../resolved.conf.d/10-dot-google.conf | 8 ----- .../resolved.conf.d/10-dot-mullvad.conf | 9 ------ etc/systemd/resolved.conf.d/10-dot-quad9.conf | 19 ------------ .../resolved.conf.d/98-local-resolver.conf | 15 ---------- .../99-lan-resolver.conf.sample | 13 --------- ...family-compat.conf => 99-working-dns.conf} | 10 ++----- etc/systemd/resolved.conf.d/README.md | 29 ------------------- 15 files changed, 3 insertions(+), 173 deletions(-) delete mode 100644 etc/systemd/resolved.conf.d/.gitignore delete mode 100644 etc/systemd/resolved.conf.d/00-defaults.conf delete mode 100644 etc/systemd/resolved.conf.d/05-do53-dna-moi.conf delete mode 100644 etc/systemd/resolved.conf.d/05-do53-elisa.conf delete mode 100644 etc/systemd/resolved.conf.d/10-dot-443.conf delete mode 100644 etc/systemd/resolved.conf.d/10-dot-adguard.conf delete mode 100644 etc/systemd/resolved.conf.d/10-dot-cloudflare.conf delete mode 100644 etc/systemd/resolved.conf.d/10-dot-dns0.conf delete mode 100644 etc/systemd/resolved.conf.d/10-dot-google.conf delete mode 100644 etc/systemd/resolved.conf.d/10-dot-mullvad.conf delete mode 100644 etc/systemd/resolved.conf.d/10-dot-quad9.conf delete mode 100644 etc/systemd/resolved.conf.d/98-local-resolver.conf delete mode 100644 etc/systemd/resolved.conf.d/99-lan-resolver.conf.sample rename etc/systemd/resolved.conf.d/{11-family-compat.conf => 99-working-dns.conf} (61%) 
diff --git a/etc/systemd/resolved.conf.d/.gitignore b/etc/systemd/resolved.conf.d/.gitignore
deleted file mode 100644
index a99da082..00000000
--- a/etc/systemd/resolved.conf.d/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-10-dot-trex.conf
-99-lan-resolver.conf
diff --git a/etc/systemd/resolved.conf.d/00-defaults.conf b/etc/systemd/resolved.conf.d/00-defaults.conf
deleted file mode 100644
index 1849911b..00000000
--- a/etc/systemd/resolved.conf.d/00-defaults.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-[Resolve]
-# Don't trust upstream to verify DNSSEC, even if was encrypted.
-# https://notes.valdikss.org.ru/jabber.ru-mitm/
-# BREAKAGE WARNING for everything else than DNSSEC=false !
-# https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
-# PRIVACY WARNING! systemd-networkd/links may override this.
-# NOTE: Empty variables unset whatever is set before! They are not a mistake.
-DNSSEC=true
-# Take the risk of downgrade attacks. Web browser policies enforce
-# DNS-over-HTTPS anyway due to Encrypted Client Hello (ECH) still requiring
-# it.
-DNSOverTLS=opportunistic
-Cache=true
-# Consider local DNS servers if they exist.
-DNS=
-DNS=::1
-DNS=127.0.0.1
-FallbackDNS=
-FallbackDNS=::1
-FallbackDNS=127.0.0.1
-Domains=~.
-# .local domains
-#MulticastDNS=true
-# Microsoft Windows compatibility?
-#LLMNR=true
-
-# vim: filetype=systemd
diff --git a/etc/systemd/resolved.conf.d/05-do53-dna-moi.conf b/etc/systemd/resolved.conf.d/05-do53-dna-moi.conf
deleted file mode 100644
index c1e24fd7..00000000
--- a/etc/systemd/resolved.conf.d/05-do53-dna-moi.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-[Resolve]
-# https://asiakaspalvelu.moi.fi/hc/fi/articles/360029789832-Mitk%C3%A4-ovat-Moin-palvelinosoitteet
-DNS=2001:14b8:1000::1 2001:14b8:1000::2
-DNS=62.241.198.245 62.241.198.246
-Domains=~.
-# vim: filetype=systemd
diff --git a/etc/systemd/resolved.conf.d/05-do53-elisa.conf b/etc/systemd/resolved.conf.d/05-do53-elisa.conf
deleted file mode 100644
index 34fe67e5..00000000
--- a/etc/systemd/resolved.conf.d/05-do53-elisa.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-[Resolve]
-# https://elisa.fi/asiakaspalvelu/nettiliittymat/tiedonsiirtoportit-porttiohjaukset/
-# Elisa
-DNS=193.229.0.40 193.229.0.42
-# Saunalahti
-DNS=2001:998:20::20 2001:998:20::40
-DNS=195.74.0.47 195.197.54.100
-Domains=~.
-# vim: filetype=systemd
diff --git a/etc/systemd/resolved.conf.d/10-dot-443.conf b/etc/systemd/resolved.conf.d/10-dot-443.conf
deleted file mode 100644
index f807aaa4..00000000
--- a/etc/systemd/resolved.conf.d/10-dot-443.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-[Resolve]
-# OK, this is not 443, but it bothers me to not have both ports used.
-DNS=[2a02:1b8:10:234::2]:853#dot1.applied-privacy.net 146.255.56.98:853#dot1.applied-privacy.net
-DNS=[2a02:1b8:10:234::2]:443#dot1.applied-privacy.net 146.255.56.98:443#dot1.applied-privacy.net
-DNSOverTLS=true
-Domains=~.
-# vim: filetype=systemd
diff --git a/etc/systemd/resolved.conf.d/10-dot-adguard.conf b/etc/systemd/resolved.conf.d/10-dot-adguard.conf
deleted file mode 100644
index c02c076d..00000000
--- a/etc/systemd/resolved.conf.d/10-dot-adguard.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-[Resolve]
-DNS=94.140.14.14#dns.adguard.com 94.140.15.15#dns.adguard.com 2a10:50c0::ad1:ff#dns.adguard.com 2a10:50c0::ad2:ff#dns.adguard.com
-#DNS=94.140.14.140#unfiltered.adguard-dns.com 94.140.14.141#unfiltered.adguard-dns.com DNS=2a10:50c0::1:ff#unfiltered.adguard-dns.com 2a10:50c0::2:ff#unfiltered.adguard-dns.com
-DNSOverTLS=true
-Domains=~.
-# vim: filetype=systemd
diff --git a/etc/systemd/resolved.conf.d/10-dot-cloudflare.conf b/etc/systemd/resolved.conf.d/10-dot-cloudflare.conf
deleted file mode 100644
index 9a299b9b..00000000
--- a/etc/systemd/resolved.conf.d/10-dot-cloudflare.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-[Resolve]
-# Unfiltered
-#DNS=2606:4700:4700::1111#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com 1.1.1.1#cloudflare-dns.com 2606:4700:4700::1111#one.one.one.one 1.1.1.1#one.one.one.one 1.0.0.1#one.one.one.one 2606:4700:4700::1001#one.one.one.one
-# Malicious domain filtering
-DNS=2606:4700:4700::1112#security.cloudflare-dns.com 2606:4700:4700::1002#security.cloudflare-dns.com 1.1.1.2#security.cloudflare-dns.com 1.0.0.2#security.cloudflare-dns.com
-DNSOverTLS=true
-Domains=~.
-# vim: filetype=systemd
diff --git a/etc/systemd/resolved.conf.d/10-dot-dns0.conf b/etc/systemd/resolved.conf.d/10-dot-dns0.conf
deleted file mode 100644
index 1b91d2b1..00000000
--- a/etc/systemd/resolved.conf.d/10-dot-dns0.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-[Resolve]
-DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu
-#DNS=193.110.81.1#kids.dns0.eu 185.253.5.1#kids.dns0.eu 2a0f:fc80::1#kids.dns0.eu 2a0f:fc81::1#kids.dns0.eu
-#DNS=193.110.81.254#open.dns0.eu 185.253.5.254#open.dns0.eu 2a0f:fc80::ffff#open.dns0.eu 2a0f:fc81::ffff#open.dns0.eu
-#DNS=193.110.81.9#zero.dns0.eu 185.253.5.9#zero.dns0.eu 2a0f:fc80::9#zero.dns0.eu 2a0f:fc81::9#zero.dns0.eu
-DNSOverTLS=true
-Domains=~.
-# vim: filetype=systemd
diff --git a/etc/systemd/resolved.conf.d/10-dot-google.conf b/etc/systemd/resolved.conf.d/10-dot-google.conf
deleted file mode 100644
index 7e651c83..00000000
--- a/etc/systemd/resolved.conf.d/10-dot-google.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-[Resolve]
-DNS=8.8.4.4#dns.google 8.8.8.8#dns.google 2001:4860:4860::8844#dns.google 2001:4860:4860::8888#dns.google
-# Google DNS64
-#DNS=2001:4860:4860::6464#dns64.dns.google 2001:4860:4860::64#dns64.dns.google
-DNSOverTLS=true
-Domains=~.
-DNSSEC=true
-# vim: filetype=systemd
diff --git a/etc/systemd/resolved.conf.d/10-dot-mullvad.conf b/etc/systemd/resolved.conf.d/10-dot-mullvad.conf
deleted file mode 100644
index 967f71be..00000000
--- a/etc/systemd/resolved.conf.d/10-dot-mullvad.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-[Resolve]
-#DNS=2a07:e340::2#dns.mullvad.net 194.242.2.2#dns.mullvad.net
-#DNS=194.242.2.3#adblock.dns.mullvad.net 2a07:e340::3#adblock.dns.mullvad.net
-DNS=2a07:e340::4#base.dns.mullvad.net 194.242.2.4#base.dns.mullvad.net
-#DNS=2a07:e340::5#extended.dns.mullvad.net 194.242.2.5#extended.dns.mullvad.net
-#DNS=2a07:e340::9#all.dns.mullvad.net 194.242.2.9#all.dns.mullvad.net
-DNSOverTLS=true
-Domains=~.
-# vim: filetype=systemd
diff --git a/etc/systemd/resolved.conf.d/10-dot-quad9.conf b/etc/systemd/resolved.conf.d/10-dot-quad9.conf
deleted file mode 100644
index 2bd39105..00000000
--- a/etc/systemd/resolved.conf.d/10-dot-quad9.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# https://docs.quad9.net/services/
-# https://www.trex.fi/service/resolvers.html - says they don't provide
-# encryption, but host a Quad9 node and giving these addresses instead.
-[Resolve]
-# Secure
-DNS=2620:fe::9#dns.quad9.net 2620:fe::fe#dns.quad9.net [2620:fe::9]:8853#dns.quad9.net [2620:fe::fe]:8853#dns.quad9.net
-DNS=149.112.112.112#dns.quad9.net 9.9.9.9#dns.quad9.net 149.112.112.112:8853#dns.quad9.net 9.9.9.9:8853#dns.quad9.net
-# No Threat Blocking
-#DNS=2620:fe::10#dns10.quad9.net 2620:fe::fe:10#dns10.quad9.net [2620:fe::10]:8853#dns10.quad9.net [2620:fe::fe:10]:8853#dns10.quad9.net
-#DNS=149.112.112.10#dns10.quad9.net 9.9.9.10#dns10.quad9.net 149.112.112.10:8853#dns10.quad9.net 9.9.9.10:8853#dns10.quad9.net
-# Secure + ECS. IPv4 first so it gets preferred as my Unbound likely prefers IPv6 anyway.
-#DNS=149.112.112.11#dns11.quad9.net 9.9.9.11#dns11.quad9.net 149.112.112.11:8853#dns11.quad9.net 9.9.9.11:8853#dns11.quad9.net
-#DNS=2620:fe::11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net [2620:fe::11]:8853#dns11.quad9.net [2620:fe::fe:11]:8853#dns11.quad9.net
-# No Threat Blocking + ECS
-#DNS=2620:fe::12#dns12.quad9.net 2620:fe::fe:12#dns12.quad9.net [2620:fe::12]:8853#dns12.quad9.net [2620:fe::fe:12]:8853#dns12.quad9.net
-#DNS=9.9.9.12#dns12.quad9.net 149.112.112.12#dns12.quad9.net 9.9.9.12:8853#dns12.quad9.net 149.112.112.12:8853#dns12.quad9.net
-DNSOverTLS=true
-Domains=~.
-# vim: filetype=systemd
diff --git a/etc/systemd/resolved.conf.d/98-local-resolver.conf b/etc/systemd/resolved.conf.d/98-local-resolver.conf
deleted file mode 100644
index 0c89aecf..00000000
--- a/etc/systemd/resolved.conf.d/98-local-resolver.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# Being at the higher end of numbers, this file will take priority assuming
-# nothing else uses the prefix 99- and override values of others with the
-# unsets.
-[Resolve]
-DNSSEC=false
-DNSOverTLS=false
-Cache=false
-DNS=
-DNS=::1
-DNS=127.0.0.1
-FallbackDNS=
-FallbackDNS=::1
-FallbackDNS=127.0.0.1
-Domains=~.
-# vim: filetype=systemd
diff --git a/etc/systemd/resolved.conf.d/99-lan-resolver.conf.sample b/etc/systemd/resolved.conf.d/99-lan-resolver.conf.sample
deleted file mode 100644
index cffb3eba..00000000
--- a/etc/systemd/resolved.conf.d/99-lan-resolver.conf.sample
+++ /dev/null
@@ -1,13 +0,0 @@
-[Resolve]
-# These could be used in some business
-#DNS=10.0.0.1
-#DNS=172.16.0.1
-# Average router
-#DNS=192.168.0.1
-# Huawei?
-#DNS=192.168.8.1
-# Mikrotik
-#DNS=192.168.88.1
-DNSSEC=true
-Domains=~.
-# vim: filetype=systemd
diff --git a/etc/systemd/resolved.conf.d/11-family-compat.conf b/etc/systemd/resolved.conf.d/99-working-dns.conf
similarity index 61%
rename from etc/systemd/resolved.conf.d/11-family-compat.conf
rename to etc/systemd/resolved.conf.d/99-working-dns.conf
index 260cca9d..e416a219 100644
--- a/etc/systemd/resolved.conf.d/11-family-compat.conf
+++ b/etc/systemd/resolved.conf.d/99-working-dns.conf
@@ -1,7 +1,4 @@
-# DNS0 and Quad9 should be a good combination for family that just works
-# regardless of restrictive networks, thus opportunistic DoT. DNSSEC is a
-# risk in systemd-resolved. https://github.com/systemd/systemd/issues/10579 &
-# https://github.com/systemd/systemd/issues/9867
+# 99-working-dns.conf
 [Resolve]
 DNS=
 DNS=::1
@@ -14,9 +11,8 @@ FallbackDNS=
 FallbackDNS=::1
 FallbackDNS=127.0.0.1
 Domains=~.
-#DNSSEC=allow-downgrade
-#DNSSEC=true
-#DNSSEC=false
+# I lied. https://github.com/systemd/systemd/issues/34896 https://github.com/systemd/systemd/issues/35126
+DNSSEC=true
 DNSOverTLS=opportunistic
 Cache=true
 # vim: filetype=systemd
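Review bot: The replacement header `# 99-working-dns.conf` in the first hunk of the renamed file only repeats the file name, while the four lines it replaces carried the reason for opportunistic DoT and the DNSSEC caveat with its issue links, so the file no longer documents why it is configured the way it is. In the second hunk `DNSSEC=true` now sits next to `DNSOverTLS=opportunistic`, and `# I lied.` plus two issue URLs does not tell the next reader what was decided or what to do when lookups fail on a network whose upstream does not pass DNSSEC records through, which is the breakage the deleted 00-defaults.conf header warned about; a comment such as `# DNSSEC=true: resolved validates locally and fails lookups when the upstream lacks DNSSEC support; DNSSEC=allow-downgrade trades that for exposure to downgrade attacks` would preserve the trade-off in the file. The context lines `DNS=` and `FallbackDNS=` also lost their only explanation, the "empty variables unset whatever is set before" note that lived in the deleted 00-defaults.conf, so a one-line note above `DNS=` saying the empty assignment clears the inherited list before localhost is added would stop it from reading as a typo. As far as this diff shows, every other drop-in is removed, so the `99-` prefix no longer orders this file against anything in the repository and the header could state that it is meant to stand alone; both hunks lie inside the `[Resolve]` section, which continues between and beyond them.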
diff --git a/etc/systemd/resolved.conf.d/README.md b/etc/systemd/resolved.conf.d/README.md
index 370cf141..f3484ef5 100644
--- a/etc/systemd/resolved.conf.d/README.md
+++ b/etc/systemd/resolved.conf.d/README.md
@@ -9,7 +9,6 @@
 - [Quickstart](#quickstart)
-- [Files explained](#files-explained)
 - [General commentary](#general-commentary)
@@ -33,34 +32,6 @@ sudo systemctl restart systemd-resolved `../../resolv.conf-generate.bash` **is the best** this repository has to offer. -## Files explained - -- `00-defaults.conf` - configuration that should be used everywhere. Enables - DNSSEC (regardless of systemd-resolved not handling it properly), enables - opportunistic DoT, caching and local DNS servers (because they should exist - anyway as I don't trust systemd-resolved entirely. Anyway if there truly is - no local resolver, systemd-resolved will detect that and act accordingly.) - - To rephrase, this is to be used together with other files, especially some - of those beginning with `10-dot-`. -- `05-do53-dna-moi.conf` - DNS servers used by DNA and Moi (who is on DNA's - network and owned by them) -- `05-do53-elisa.conf` - DNS servers used by Elisa and apparently their - Saunalahti still exists here as well. -- `10-dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. - At least one of these should be used in addition to `00-defaults.conf` -- `98-local-resolver.conf` attempts to configure localhost resolver and - disables unnecessary features for that scenario. The number 10 takes - priority over 00 and 05 so if a DNSOverTLS=true is uncommented, it will also - apply to the former ones that are unlikely to support it. When numbering the - files, I didn't think I would be adding the plaintext DNS servers that I am - unlikely to use whenever Unbound is available (and I currently have only one - system that has systemd-resolved while not having Unbound and it seems to - prefer DoT over my router anyway). -- `99-lan-resolver.conf.sample` when renamed would allow enabling resolvers on - LAN assuming they are trusted. Note that if used together with - `98-local-resolver.conf`, DNSSEC would be disabled. -- `README.md` - you are reading it right now. - ## General commentary - DNSOverTLS became supported in systemd v239, strict mode (true) in v243 (big