{systemd-resolved,unbound}: disable ECS with Quad9 in situations with multiple providers

2025-10-25 23:27:34 +02:00 · 2025-10-22 17:48:57 +03:00 · 2025-10-22 17:48:57 +03:00 · 93aa13d9e2
commit 93aa13d9e2
parent b6cbbeefb2
4 changed files with 49 additions and 37 deletions
--- a/etc/systemd/resolved.conf.d/90-working-dns.conf
+++ b/etc/systemd/resolved.conf.d/90-working-dns.conf
@ -1,8 +1,10 @@
 [Resolve]
 DNS=
 DNS=::1 127.0.0.1
-DNS=2620:fe::11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net [2620:fe::11]:8853#dns11.quad9.net [2620:fe::fe:11]:8853#dns11.quad9.net 149.112.112.11#dns11.quad9.net 9.9.9.11#dns11.quad9.net 149.112.112.11:8853#dns11.quad9.net 9.9.9.11:8853#dns11.quad9.net
+DNS=2620:fe::9#dns.quad9.net 2620:fe::fe#dns.quad9.net [2620:fe::9]:8853#dns.quad9.net [2620:fe::fe]:8853#dns.quad9.net
+#DNS=2620:fe::11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net [2620:fe::11]:8853#dns11.quad9.net [2620:fe::fe:11]:8853#dns11.quad9.net 149.112.112.11#dns11.quad9.net 9.9.9.11#dns11.quad9.net 149.112.112.11:8853#dns11.quad9.net 9.9.9.11:8853#dns11.quad9.net
 DNS=2a13:1001::86:54:11:201#protective.joindns4.eu 2a13:1001::86:54:11:1#protective.joindns4.eu 86.54.11.201#protective.joindns4.eu 86.54.11.1#protective.joindns4.eu
+#DNS=2606:4700:4700::1112#security.cloudflare-dns.com 2606:4700:4700::1002#security.cloudflare-dns.com 1.1.1.2#security.cloudflare-dns.com 1.0.0.2#security.cloudflare-dns.com
 FallbackDNS=
 FallbackDNS=::1 127.0.0.1
 Domains=~.
--- a/etc/unbound/unbound.conf.d/dns-over-tls.conf
+++ b/etc/unbound/unbound.conf.d/dns-over-tls.conf
@ -45,24 +45,24 @@ forward-zone:
 	#forward-addr: 2606:1a40:1::@853#s0.freedns.controld.com

 	# Quad9 unfiltered, anycast, no ECS, no DNSSEC (Unbound does that)
-	#forward-addr: 2620:fe::fe:10@853#dns10.quad9.net
-	#forward-addr: 2620:fe::fe:10@8853#dns10.quad9.net
-	#forward-addr: 149.112.112.10@853#dns10.quad9.net
-	#forward-addr: 149.112.112.10@8853#dns10.quad9.net
-	#forward-addr: 2620:fe::10@853#dns10.quad9.net
-	#forward-addr: 2620:fe::10@8853#dns10.quad9.net
-	#forward-addr: 9.9.9.10@853#dns10.quad9.net
-	#forward-addr: 9.9.9.10@8853#dns10.quad9.net
+	forward-addr: 2620:fe::fe:10@853#dns10.quad9.net
+	forward-addr: 2620:fe::fe:10@8853#dns10.quad9.net
+	forward-addr: 149.112.112.10@853#dns10.quad9.net
+	forward-addr: 149.112.112.10@8853#dns10.quad9.net
+	forward-addr: 2620:fe::10@853#dns10.quad9.net
+	forward-addr: 2620:fe::10@8853#dns10.quad9.net
+	forward-addr: 9.9.9.10@853#dns10.quad9.net
+	forward-addr: 9.9.9.10@8853#dns10.quad9.net

 	# Quad9 unfiltered, anycast, ECS, no DNSSEC (Unbound does that)
 	#forward-addr: 2620:fe::fe:12@853#dns12.quad9.net
-	forward-addr: 2620:fe::fe:12@8853#dns12.quad9.net
+	#forward-addr: 2620:fe::fe:12@8853#dns12.quad9.net
 	#forward-addr: 9.9.9.12@853#dns12.quad9.net
-	forward-addr: 9.9.9.12@8853#dns12.quad9.net
+	#forward-addr: 9.9.9.12@8853#dns12.quad9.net
 	#forward-addr: 2620:fe::12@853#dns12.quad9.net
-	forward-addr: 2620:fe::12@8853#dns12.quad9.net
+	#forward-addr: 2620:fe::12@8853#dns12.quad9.net
 	#forward-addr: 149.112.112.12@853#dns12.quad9.net
-	forward-addr: 149.112.112.12@8853#dns12.quad9.net
+	#forward-addr: 149.112.112.12@8853#dns12.quad9.net

 	# Adguard DNS Unfiltered Anycast. Malta based. Private ECS.
 	forward-addr: 2a10:50c0::1:ff@853#unfiltered.adguard-dns.com
--- a/etc/unbound/unbound.conf.d/dot-cloudflare-dns4eu-quad9.conf
+++ b/etc/unbound/unbound.conf.d/dot-cloudflare-dns4eu-quad9.conf
@ -26,15 +26,25 @@ forward-zone:
 	forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
 	forward-addr: 1.0.0.2@853#security.cloudflare-dns.com

+	# Quad9 malicious domain blocking without ECS
+	forward-addr: 2620:fe::fe@8853#dns.quad9.net
+	forward-addr: 2620:fe::9@8853#dns.quad9.net
+	forward-addr: 9.9.9.9@8853#dns.quad9.net
+	forward-addr: 149.112.112.112@8853#dns.quad9.net
+	forward-addr: 2620:fe::fe@853#dns.quad9.net
+	forward-addr: 2620:fe::9@853#dns.quad9.net
+	forward-addr: 9.9.9.9@853#dns.quad9.net
+	forward-addr: 149.112.112.112@853#dns.quad9.net
+
 	# Quad9 malicious domain blocking with ECS
-	forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
-	forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
-	forward-addr: 9.9.9.11@853#dns11.quad9.net
-	forward-addr: 9.9.9.11@8853#dns11.quad9.net
-	forward-addr: 2620:fe::11@853#dns11.quad9.net
-	forward-addr: 2620:fe::11@8853#dns11.quad9.net
-	forward-addr: 149.112.112.11@853#dns11.quad9.net
-	forward-addr: 149.112.112.11@8853#dns11.quad9.net
+	#forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
+	#forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
+	#forward-addr: 9.9.9.11@853#dns11.quad9.net
+	#forward-addr: 9.9.9.11@8853#dns11.quad9.net
+	#forward-addr: 2620:fe::11@853#dns11.quad9.net
+	#forward-addr: 2620:fe::11@8853#dns11.quad9.net
+	#forward-addr: 149.112.112.11@853#dns11.quad9.net
+	#forward-addr: 149.112.112.11@8853#dns11.quad9.net

 	# DNS4EU malicious domain blocking
 	forward-addr: 2a13:1001::86:54:11:201@853#protective.joindns4.eu
--- a/etc/unbound/unbound.conf.d/dot-dns4eu-quad9.conf
+++ b/etc/unbound/unbound.conf.d/dot-dns4eu-quad9.conf
@ -15,23 +15,23 @@ forward-zone:
 	name: "."
 	forward-tls-upstream: yes
 	## Quad9 Secure
-	#forward-addr: 2620:fe::fe@8853#dns.quad9.net
-	#forward-addr: 2620:fe::9@8853#dns.quad9.net
-	#forward-addr: 9.9.9.9@8853#dns.quad9.net
-	#forward-addr: 149.112.112.112@8853#dns.quad9.net
-	#forward-addr: 2620:fe::fe@853#dns.quad9.net
-	#forward-addr: 2620:fe::9@853#dns.quad9.net
-	#forward-addr: 9.9.9.9@853#dns.quad9.net
-	#forward-addr: 149.112.112.112@853#dns.quad9.net
+	forward-addr: 2620:fe::fe@8853#dns.quad9.net
+	forward-addr: 2620:fe::9@8853#dns.quad9.net
+	forward-addr: 9.9.9.9@8853#dns.quad9.net
+	forward-addr: 149.112.112.112@8853#dns.quad9.net
+	forward-addr: 2620:fe::fe@853#dns.quad9.net
+	forward-addr: 2620:fe::9@853#dns.quad9.net
+	forward-addr: 9.9.9.9@853#dns.quad9.net
+	forward-addr: 149.112.112.112@853#dns.quad9.net
 	# Quad9 Secure + ECS
-	forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
-	forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
-	forward-addr: 9.9.9.11@853#dns11.quad9.net
-	forward-addr: 9.9.9.11@8853#dns11.quad9.net
-	forward-addr: 2620:fe::11@853#dns11.quad9.net
-	forward-addr: 2620:fe::11@8853#dns11.quad9.net
-	forward-addr: 149.112.112.11@853#dns11.quad9.net
-	forward-addr: 149.112.112.11@8853#dns11.quad9.net
+	#forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
+	#forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
+	#forward-addr: 9.9.9.11@853#dns11.quad9.net
+	#forward-addr: 9.9.9.11@8853#dns11.quad9.net
+	#forward-addr: 2620:fe::11@853#dns11.quad9.net
+	#forward-addr: 2620:fe::11@8853#dns11.quad9.net
+	#forward-addr: 149.112.112.11@853#dns11.quad9.net
+	#forward-addr: 149.112.112.11@8853#dns11.quad9.net
 	# DNS4EU Protective
 	forward-addr: 2a13:1001::86:54:11:201@853#protective.joindns4.eu
 	forward-addr: 2a13:1001::86:54:11:1@853#protective.joindns4.eu