From 37f2298e7333a542c7d301b469ce0d6c5e1261eb Mon Sep 17 00:00:00 2001
From: Aminda Suomalainen
Date: Mon, 30 Jun 2025 10:34:26 +0300
Subject: [PATCH] unbound: restore Quad9 ECS promotion
---
 .../unbound.conf.d/dot-dns0-dns4eu-quad9.conf | 32 +++++++--------
 .../unbound.conf.d/dot-dns0-quad9.conf | 41 +++++++++++++++++++
 etc/unbound/unbound.conf.d/dot-quad9.conf | 32 +++++++--------
 3 files changed, 73 insertions(+), 32 deletions(-)
 create mode 100644 etc/unbound/unbound.conf.d/dot-dns0-quad9.conf
diff --git a/etc/unbound/unbound.conf.d/dot-dns0-dns4eu-quad9.conf b/etc/unbound/unbound.conf.d/dot-dns0-dns4eu-quad9.conf
index e6542532..f2dd8bd2 100644
--- a/etc/unbound/unbound.conf.d/dot-dns0-dns4eu-quad9.conf
+++ b/etc/unbound/unbound.conf.d/dot-dns0-dns4eu-quad9.conf
@@ -21,23 +21,23 @@ forward-zone:
 forward-addr: 2a0f:fc81::@853#dns0.eu
 forward-addr: 185.253.5.0@853#dns0.eu
 ## Quad9 Secure
- forward-addr: 2620:fe::fe@8853#dns.quad9.net
- forward-addr: 2620:fe::9@8853#dns.quad9.net
- forward-addr: 9.9.9.9@8853#dns.quad9.net
- forward-addr: 149.112.112.112@8853#dns.quad9.net
- forward-addr: 2620:fe::fe@853#dns.quad9.net
- forward-addr: 2620:fe::9@853#dns.quad9.net
- forward-addr: 9.9.9.9@853#dns.quad9.net
- forward-addr: 149.112.112.112@853#dns.quad9.net
+ #forward-addr: 2620:fe::fe@8853#dns.quad9.net
+ #forward-addr: 2620:fe::9@8853#dns.quad9.net
+ #forward-addr: 9.9.9.9@8853#dns.quad9.net
+ #forward-addr: 149.112.112.112@8853#dns.quad9.net
+ #forward-addr: 2620:fe::fe@853#dns.quad9.net
+ #forward-addr: 2620:fe::9@853#dns.quad9.net
+ #forward-addr: 9.9.9.9@853#dns.quad9.net
+ #forward-addr: 149.112.112.112@853#dns.quad9.net
 # Quad9 Secure + ECS
- #forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
- #forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
- #forward-addr: 9.9.9.11@853#dns11.quad9.net
- #forward-addr: 9.9.9.11@8853#dns11.quad9.net
- #forward-addr: 2620:fe::11@853#dns11.quad9.net
- #forward-addr: 2620:fe::11@8853#dns11.quad9.net
- #forward-addr: 149.112.112.11@853#dns11.quad9.net
- #forward-addr: 149.112.112.11@8853#dns11.quad9.net
+ forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
+ forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
+ forward-addr: 9.9.9.11@853#dns11.quad9.net
+ forward-addr: 9.9.9.11@8853#dns11.quad9.net
+ forward-addr: 2620:fe::11@853#dns11.quad9.net
+ forward-addr: 2620:fe::11@8853#dns11.quad9.net
+ forward-addr: 149.112.112.11@853#dns11.quad9.net
+ forward-addr: 149.112.112.11@8853#dns11.quad9.net
 # DNS4EU Protective
 forward-addr: 2a13:1001::86:54:11:201@853#protective.joindns4.eu
 forward-addr: 2a13:1001::86:54:11:1@853#protective.joindns4.eu
diff --git a/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf b/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf
new file mode 100644
index 00000000..3bd7f614
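Review bot: Nothing next to the now-enabled `# Quad9 Secure + ECS` block records what ECS costs, and this file keeps those entries in the same `forward-zone` as the dns0.eu and DNS4EU upstreams. With ECS, Quad9 forwards a truncated form of this resolver's source address to authoritative servers. Since unbound chooses among all `forward-addr` lines of a zone by measured response time, only the share of queries that lands on Quad9 carries it, so both the privacy exposure and the blocklist that applies vary per query. I would add a comment above the block, for example `# ECS: a truncated client subnet is passed on to authoritative servers; better CDN locality, less privacy`. The `forward-zone` clause starts before this hunk, so an existing header comment, if any, is not visible here.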
--- /dev/null
+++ b/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf
@@ -0,0 +1,41 @@
+# Non-commercial DNS providers with some sort of ECS implementation which I
+# seem to be using often regardless of privacy issues.
+
+server:
+ # Debian ca-certificates location
+ #tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+ # Fedora
+ #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+ # Use system certificates no matter where they are
+ tls-system-cert: yes
+ # Quad9 says pointless performance impact on forwarders.
+ # https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+ qname-minimisation: no
+
+forward-zone:
+ name: "."
+ forward-tls-upstream: yes
+ forward-addr: 2a0f:fc80::@853#dns0.eu
+ forward-addr: 193.110.81.0@853#dns0.eu
+ forward-addr: 2a0f:fc81::@853#dns0.eu
+ forward-addr: 185.253.5.0@853#dns0.eu
+ ## Quad9 Secure
+ #forward-addr: 2620:fe::fe@8853#dns.quad9.net
+ #forward-addr: 2620:fe::9@8853#dns.quad9.net
+ #forward-addr: 9.9.9.9@8853#dns.quad9.net
+ #forward-addr: 149.112.112.112@8853#dns.quad9.net
+ #forward-addr: 2620:fe::fe@853#dns.quad9.net
+ #forward-addr: 2620:fe::9@853#dns.quad9.net
+ #forward-addr: 9.9.9.9@853#dns.quad9.net
+ #forward-addr: 149.112.112.112@853#dns.quad9.net
+ # Quad9 Secure + ECS
+ forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
+ forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
+ forward-addr: 9.9.9.11@853#dns11.quad9.net
+ forward-addr: 9.9.9.11@8853#dns11.quad9.net
+ forward-addr: 2620:fe::11@853#dns11.quad9.net
+ forward-addr: 2620:fe::11@8853#dns11.quad9.net
+ forward-addr: 149.112.112.11@853#dns11.quad9.net
+ forward-addr: 149.112.112.11@8853#dns11.quad9.net
+
+# vim: filetype=unbound.conf
diff --git a/etc/unbound/unbound.conf.d/dot-quad9.conf b/etc/unbound/unbound.conf.d/dot-quad9.conf
index d15b6f4f..61c117b5 100644
--- a/etc/unbound/unbound.conf.d/dot-quad9.conf
+++ b/etc/unbound/unbound.conf.d/dot-quad9.conf
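Review bot: The file header does not say that this drop-in is an alternative to the sibling `dot-*.conf` files, which also define a `forward-zone` with `name: "."`. If the directory is included with a wildcard and more than one of them is present, unbound will not merge the upstream lists. As far as I recall it keeps one definition and only logs the duplicate, so the resolver may quietly use a different provider set than intended. A header line such as `# Enable only one dot-*.conf at a time; each defines forward-zone "."` would make that explicit. Separately, both `tls-cert-bundle` lines are commented out, so verification of the `#dns0.eu` and `#dns11.quad9.net` certificate names rests entirely on `tls-system-cert: yes`; it is worth running `unbound-checkconf` on the oldest unbound version this is deployed to.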
@@ -17,14 +17,14 @@ forward-zone:
 name: "."
 forward-tls-upstream: yes
 ## Secure
- forward-addr: 2620:fe::fe@853#dns.quad9.net
- forward-addr: 2620:fe::fe@8853#dns.quad9.net
- forward-addr: 2620:fe::9@853#dns.quad9.net
- forward-addr: 2620:fe::9@8853#dns.quad9.net
- forward-addr: 9.9.9.9@853#dns.quad9.net
- forward-addr: 9.9.9.9@8853#dns.quad9.net
- forward-addr: 149.112.112.112@853#dns.quad9.net
- forward-addr: 149.112.112.112@8853#dns.quad9.net
+ #forward-addr: 2620:fe::fe@853#dns.quad9.net
+ #forward-addr: 2620:fe::fe@8853#dns.quad9.net
+ #forward-addr: 2620:fe::9@853#dns.quad9.net
+ #forward-addr: 2620:fe::9@8853#dns.quad9.net
+ #forward-addr: 9.9.9.9@853#dns.quad9.net
+ #forward-addr: 9.9.9.9@8853#dns.quad9.net
+ #forward-addr: 149.112.112.112@853#dns.quad9.net
+ #forward-addr: 149.112.112.112@8853#dns.quad9.net
 ## No Threat Blocking
 #forward-addr: 2620:fe::fe:10@853#dns10.quad9.net
 #forward-addr: 2620:fe::fe:10@8853#dns10.quad9.net
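Review bot: Nothing tells the next editor that exactly one of the four variant blocks in this zone (Secure, No Threat Blocking, Secure + ECS, No Threat Blocking + ECS) may be active, so this hunk and the following one (`@@ -35,14 +35,14 @@`) have to be changed as a pair. If a `dns10` or `dns12` block were left enabled next to `dns11`, unbound would spread queries across filtering and non-filtering resolvers and threat blocking would apply only some of the time. I would add, under `forward-tls-upstream: yes`, a line like `# Enable exactly one variant block below; mixing filtered and unfiltered upstreams makes blocking nondeterministic`. The `forward-zone` clause begins above this hunk, so any existing guidance there is not visible.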
@@ -35,14 +35,14 @@ forward-zone:
 #forward-addr: 9.9.9.10@853#dns10.quad9.net
 #forward-addr: 9.9.9.10@8853#dns10.quad9.net
 ## Secure + ECS
- #forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
- #forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
- #forward-addr: 9.9.9.11@853#dns11.quad9.net
- #forward-addr: 9.9.9.11@8853#dns11.quad9.net
- #forward-addr: 2620:fe::11@853#dns11.quad9.net
- #forward-addr: 2620:fe::11@8853#dns11.quad9.net
- #forward-addr: 149.112.112.11@853#dns11.quad9.net
- #forward-addr: 149.112.112.11@8853#dns11.quad9.net
+ forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
+ forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
+ forward-addr: 9.9.9.11@853#dns11.quad9.net
+ forward-addr: 9.9.9.11@8853#dns11.quad9.net
+ forward-addr: 2620:fe::11@853#dns11.quad9.net
+ forward-addr: 2620:fe::11@8853#dns11.quad9.net
+ forward-addr: 149.112.112.11@853#dns11.quad9.net
+ forward-addr: 149.112.112.11@8853#dns11.quad9.net
 ## No Threat Blocking + ECS
 #forward-addr: 2620:fe::fe:12@853#dns12.quad9.net
 #forward-addr: 2620:fe::fe:12@8853#dns12.quad9.net