From 466a7bc2c1de64fe0e243928e5f467fe39706657 Mon Sep 17 00:00:00 2001
From: Mikaela Suomalainen
Date: Mon, 25 Mar 2019 13:41:23 +0200
Subject: [PATCH] etc/systemd/resolved.conf.d: add some configs

These aren't seeing real world usage though as the only host not running dnscrypt-proxy has too old systemd.

---
 etc/systemd/resolved.conf.d/general.conf | 5 +++++
 etc/systemd/resolved.conf.d/quad9.conf | 15 +++++++++++++++
 2 files changed, 20 insertions(+)
 create mode 100644 etc/systemd/resolved.conf.d/general.conf
 create mode 100644 etc/systemd/resolved.conf.d/quad9.conf

diff --git a/etc/systemd/resolved.conf.d/general.conf b/etc/systemd/resolved.conf.d/general.conf
new file mode 100644
index 00000000..5bffed67
--- /dev/null
+++ b/etc/systemd/resolved.conf.d/general.conf
@@ -0,0 +1,5 @@
+[Resolve]
+#DNSSEC=allow-downgrade
+DNSSEC=true
+DNSOverTLS=opportunistic
+Cache=true
diff --git a/etc/systemd/resolved.conf.d/quad9.conf b/etc/systemd/resolved.conf.d/quad9.conf
new file mode 100644
index 00000000..66f296e4
--- /dev/null
+++ b/etc/systemd/resolved.conf.d/quad9.conf
@@ -0,0 +1,15 @@
+[Resolve]
+DNS=2620:fe::9 149.112.112.112 2620:fe::fe 9.9.9.9
+Domains=~.
+DNSSEC=true
+DNSOverTLS=opportunistic
+Cache=true
+
+# Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS.
+
+# Sources:
+# https://wiki.archlinux.org/index.php/Systemd-resolved
+# * request for strict DOT: https://github.com/systemd/systemd/issues/10755
+# * vulnerable to MITM: https://github.com/systemd/systemd/issues/9397
+# https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd
+# * I wouldn't have found having to set `~.` without this.
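Review bot: `DNSSEC=true` in general.conf is resolved's strict mode, and because this drop-in sets no `DNS=`, it governs whatever resolvers the links pick up from DHCP; where those do not return DNSSEC records, lookups fail outright rather than downgrading, which is exactly what the commented-out `#DNSSEC=allow-downgrade` line would permit. Either keep strict and say so next to it, `# strict: lookups fail rather than downgrade when the upstream lacks DNSSEC`, or leave the general file on allow-downgrade and reserve strict for quad9.conf, whose servers are chosen for it. The keys `DNSSEC=`, `DNSOverTLS=` and `Cache=` are also repeated verbatim in quad9.conf (second hunk); drop-ins are read in lexical order, so quad9.conf overrides general.conf for those keys anyway, and keeping each key in one file avoids the two copies drifting apart later.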
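Review bot: `DNSOverTLS=opportunistic` on the Quad9 servers neither authenticates the server nor prevents a silent fallback to plaintext, which the file's own `vulnerable to MITM` link acknowledges but the config line itself does not say, so a reader seeing `DNSOverTLS` may assume the transport is enforced. Suggest a comment on that line, `# opportunistic = unauthenticated, falls back to port-53 plaintext; switch to strict once issue 10755 below is resolved`, since the linked issue shows strict mode was still a feature request at this point. `Domains=~.` deserves an explanatory line rather than the "wouldn't have found" remark, e.g. `# ~. routes every lookup to the servers above instead of per-link DHCP resolvers`. The Ubuntu 18.04 note would also be easier to retire if it named the cause you are inferring — if I recall correctly, `DNSOverTLS=` first appeared in systemd 239 while 18.04 ships 237 — so it is clear when the caveat no longer applies.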