From 422ab0de4eedfe378d1866bfb58a2b4dac774b83 Mon Sep 17 00:00:00 2001
From: Aminda Suomalainen
Date: Sat, 20 Apr 2024 17:50:12 +0300
Subject: [PATCH] libreawoo, unbound & resolved: uncomment Quad9 default, comment ECS
---
 conf/librewolf.overrides.cfg | 4 +-
 etc/firefox/policies/policies.json | 2 +-
 etc/systemd/resolved.conf.d/dot-quad9.conf | 4 +-
 .../unbound.conf.d/dot-dns0-quad9.conf | 60 -------------------
 etc/unbound/unbound.conf.d/dot-quad9.conf | 16 ++---
 5 files changed, 13 insertions(+), 73 deletions(-)
 delete mode 100644 etc/unbound/unbound.conf.d/dot-dns0-quad9.conf
diff --git a/conf/librewolf.overrides.cfg b/conf/librewolf.overrides.cfg
index 94a07dcf..3d1b82ea 100644
--- a/conf/librewolf.overrides.cfg
+++ b/conf/librewolf.overrides.cfg
@@ -112,8 +112,8 @@ pref("reader.parse-on-load.force-enabled", true);
 //pref("network.trr.mode", 2);
 defaultPref("network.trr.mode", 3);
 pref("network.trr.early-AAAA", true);
-//defaultPref("network.trr.uri", "https://dns0.eu");
-defaultPref("network.trr.uri"), "https://dns11.quad9.net/dns-query");
+defaultPref("network.trr.uri", "https://dns0.eu/");
+//defaultPref("network.trr.uri"), "https://dns11.quad9.net/dns-query");
 //defaultPref("network.trr.uri", "https://dns.adguard-dns.com/dns-query");
 // NOTE: ECH requires TRR, so mode 2 may not use it.
 defaultPref("network.trr.disable-ECS", false);
diff --git a/etc/firefox/policies/policies.json b/etc/firefox/policies/policies.json
index af32cba2..fc87021d 100644
--- a/etc/firefox/policies/policies.json
+++ b/etc/firefox/policies/policies.json
@@ -25,7 +25,7 @@
 "DNSOverHTTPS": {
 "Enabled": true,
 "Locked": false,
- "ProviderURL": "https://dns11.quad9.net/dns-query"
+ "ProviderURL": "https://dns0.eu/"
 },
 "DisablePocket": false,
 "EnableTrackingProtection": {
diff --git a/etc/systemd/resolved.conf.d/dot-quad9.conf b/etc/systemd/resolved.conf.d/dot-quad9.conf
index d11330e5..f45c9186 100644
--- a/etc/systemd/resolved.conf.d/dot-quad9.conf
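Review bot: The commented-out fallback `+//defaultPref("network.trr.uri"), "https://dns11.quad9.net/dns-query");` carries over the misplaced `)` after the pref name from the removed line, so re-enabling Quad9 by uncommenting it would leave a syntax error in the autoconfig script; since that line was the active one before this commit, the earlier TRR override may not have been applied at all. Suggest `//defaultPref("network.trr.uri", "https://dns11.quad9.net/dns-query");`. Note also that `defaultPref("network.trr.disable-ECS", false);` is unchanged in this hunk while the subject says "comment ECS"; if the intent is to stop the DoH resolver from using client-subnet data, that pref would need `true`, though dns0.eu's own handling may make the current value deliberate.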
+++ b/etc/systemd/resolved.conf.d/dot-quad9.conf
@@ -1,10 +1,10 @@
 [Resolve]
 # Secure
-#DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
+DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
 # No Threat Blocking
 #DNS=2620:fe::10#dns10.quad9.net 149.112.112.10#dns10.quad9.net 2620:fe::fe:10#dns10.quad9.net 9.9.9.10#dns10.quad9.net
 # Secure + ECS
-DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
+#DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
 # No Threat Blocking + ECS
 #DNS=9.9.9.12#dns12.quad9.net 149.112.112.12#dns12.quad9.net 2620:fe::12#dns12.quad9.net 2620:fe::fe:12#dns12.quad9.net
 # Uncomment for port 443 resolver
diff --git a/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf b/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf
deleted file mode 100644
index 535caef6..00000000
--- a/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf
+++ /dev/null
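Review bot: The newly active `DNS=2620:fe::9#dns.quad9.net …` line relies on the `#name` suffix for certificate validation, but that suffix only takes effect when `DNSOverTLS=` is enabled, and that setting is not in this hunk (the file continues past line 10). If it is not set to `yes` elsewhere in the file or in another drop-in, resolved will speak plain DNS to these addresses and the Quad9 names in the suffix have no security effect. Worth confirming, or adding `DNSOverTLS=yes` under `[Resolve]` in this drop-in so the intent is self-contained.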
@@ -1,60 +0,0 @@
-# This is merging of dot-dns0.conf & dot-quad9.conf
-# Both are filtering DNS servers, so this brings risk of something being
-# blocked by only one of them. However both are non-profits and have servers
-# in Finland.
-# Another issue is DNS0 having private ECS, while Quad9 with ECS enabled is
-# not.
-
-server:
- # Debian ca-certificates location
- #tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
- # Fedora
- #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
- # Use system certificates no matter where they are
- tls-system-cert: yes
- # Quad9 says pointless performance impact on forwarders.
- # https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
- qname-minimisation: no
-
-forward-zone:
- name: "."
- forward-tls-upstream: yes
-## DNS0.eu
- # Default
- forward-addr: 2a0f:fc80::@853#dns0.eu
- forward-addr: 193.110.81.0@853#dns0.eu
- forward-addr: 2a0f:fc81::@853#dns0.eu
- forward-addr: 185.253.5.0@853#dns0.eu
- ## Unfiltered
- #forward-addr: 193.110.81.254@853#open.dns0.eu
- #forward-addr: 185.253.5.254@853#open.dns0.eu
- #forward-addr: 2a0f:fc80::ffff@853#open.dns0.eu
- #forward-addr: 2a0f:fc81::ffff@853#open.dns0.eu
- ## Heavier filtering
- #forward-addr: 2a0f:fc80::9@853#zero.dns0.eu
- #forward-addr: 193.110.81.9@853#zero.dns0.eu
- #forward-addr: 2a0f:fc81::9@853#zero.dns0.eu
- #forward-addr: 185.253.5.9@853#zero.dns0.eu
-## Quad9
- ## Secure
- #forward-addr: 2620:fe::fe@853#dns.quad9.net
- #forward-addr: 9.9.9.9@853#dns.quad9.net
- #forward-addr: 2620:fe::9@853#dns.quad9.net
- #forward-addr: 149.112.112.112@853#dns.quad9.net
- ## No Threat Blocking
- #forward-addr: 2620:fe::fe:10@853#dns10.quad9.net
- #forward-addr: 149.112.112.10@853#dns10.quad9.net
- #forward-addr: 2620:fe::10@853#dns10.quad9.net
- #forward-addr: 9.9.9.10@853#dns10.quad9.net
- ## Secure + ECS
- forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
- forward-addr: 9.9.9.11@853#dns11.quad9.net
- forward-addr: 2620:fe::11@853#dns11.quad9.net
- forward-addr: 149.112.112.11@853#dns11.quad9.net
- ## No Threat Blocking + ECS
- #forward-addr: 2620:fe::fe:12@853#dns12.quad9.net
- #forward-addr: 9.9.9.12@853#dns12.quad9.net
- #forward-addr: 2620:fe::12@853#dns12.quad9.net
- #forward-addr: 149.112.112.12@853#dns12.quad9.net
-
-# vim: filetype=unbound.conf
diff --git a/etc/unbound/unbound.conf.d/dot-quad9.conf b/etc/unbound/unbound.conf.d/dot-quad9.conf
index 9c5c3611..944ce97d 100644
--- a/etc/unbound/unbound.conf.d/dot-quad9.conf
+++ b/etc/unbound/unbound.conf.d/dot-quad9.conf
@@ -13,20 +13,20 @@ forward-zone:
 name: "."
 forward-tls-upstream: yes
 ## Secure
- #forward-addr: 2620:fe::fe@853#dns.quad9.net
- #forward-addr: 9.9.9.9@853#dns.quad9.net
- #forward-addr: 2620:fe::9@853#dns.quad9.net
- #forward-addr: 149.112.112.112@853#dns.quad9.net
+ forward-addr: 2620:fe::fe@853#dns.quad9.net
+ forward-addr: 9.9.9.9@853#dns.quad9.net
+ forward-addr: 2620:fe::9@853#dns.quad9.net
+ forward-addr: 149.112.112.112@853#dns.quad9.net
 ## No Threat Blocking
 #forward-addr: 2620:fe::fe:10@853#dns10.quad9.net
 #forward-addr: 149.112.112.10@853#dns10.quad9.net
 #forward-addr: 2620:fe::10@853#dns10.quad9.net
 #forward-addr: 9.9.9.10@853#dns10.quad9.net
 ## Secure + ECS
- forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
- forward-addr: 9.9.9.11@853#dns11.quad9.net
- forward-addr: 2620:fe::11@853#dns11.quad9.net
- forward-addr: 149.112.112.11@853#dns11.quad9.net
+ #forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
+ #forward-addr: 9.9.9.11@853#dns11.quad9.net
+ #forward-addr: 2620:fe::11@853#dns11.quad9.net
+ #forward-addr: 149.112.112.11@853#dns11.quad9.net
 ## No Threat Blocking + ECS
 #forward-addr: 2620:fe::fe:12@853#dns12.quad9.net
 #forward-addr: 9.9.9.12@853#dns12.quad9.net
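Review bot: The reason the `## Secure + ECS` block is now commented out is not recorded in this file; the only written rationale ("Quad9 with ECS enabled is not [private]") lived in the header of dot-dns0-quad9.conf, which this commit deletes, so a future reader sees two equally valid blocks with no hint why the ECS one lost. Suggest a comment above the `## Secure + ECS` line, e.g. `## ECS endpoints pass client-subnet data upstream; kept commented for privacy`. The `forward-zone:` header and the `server:` block holding the TLS trust settings sit above line 13 and are outside the hunk, so whether `tls-system-cert`/`tls-cert-bundle` is still set for this file cannot be checked here.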