diff --git a/etc/resolv.tsv b/etc/resolv.tsv
index b5c2bbfa..ad0b6f7f 100644
--- a/etc/resolv.tsv
+++ b/etc/resolv.tsv
@@ -15,10 +15,6 @@ Cloudflare antimalware https://security.cloudflare-dns.com/dns-query security.cl
 Cloudflare family https://family.cloudflare-dns.com/dns-query family.cloudflare-dns.com 2606:4700:4700::1113 2606:4700:4700::1003 1.1.1.3 1.0.0.3 no https://developers.cloudflare.com/1.1.1.1/faq/#does-1.1.1.1-send-edns-client-subnet-header
 Cloudflare MozillaFirefox https://mozilla.cloudflare-dns.com/dns-query no https://developers.cloudflare.com/1.1.1.1/faq/#does-1.1.1.1-send-edns-client-subnet-header
 CZ.NIC ODVR https://odvr.nic.cz/dns-query odvr.nic.cz 2001:148f:ffff::1 2001:148f:fffe::1 193.17.47.1 185.43.135.1 No 2023-03-11 I tested with https://gitea.blesmrt.net/mikaela/scripts/src/branch/master/bash/dns-ecs-debug.bash
-DNS0 https://dns0.eu dns0.eu 2a0f:fc80:: 2a0f:fc81:: 193.110.81.0 185.253.5.0 https://www.dns0.eu/dns0.eu.mobileconfig private https://www.dns0.eu/privacy
-DNS0 Kids https://kids.dns0.eu kids.dns0.eu 2a0f:fc80::1 2a0f:fc81::1 193.110.81.1 185.253.5.1 https://www.dns0.eu/kids.dns0.eu.mobileconfig private https://www.dns0.eu/privacy
-DNS0 Open (unfiltered, discouraged) https://open.dns0.eu open.dns0.eu 2a0f:fc80::ffff 2a0f:fc81::ffff 193.110.81.254 185.253.5.254 https://dns0.eu/open.dns0.eu.mobileconfig private https://www.dns0.eu/privacy
-DNS0 Zero https://zero.dns0.eu zero.dns0.eu 2a0f:fc80::9 2a0f:fc81::9 193.110.81.9 185.253.5.9 https://www.dns0.eu/zero.dns0.eu.mobileconfig private https://www.dns0.eu/privacy
 DNS4EU Protective https://protective.joindns4.eu/dns-query protective.joindns4.eu 2a13:1001::86:54:11:1 2a13:1001::86:54:11:201 86.54.11.1 86.54.11.201 no I tested with https://dnscheck.tools
 DNS4EU Protective with adblocking https://noads.joindns4.eu/dns-query noads.joindns4.eu 2a13:1001::86:54:11:13 2a13:1001::86:54:11:213 86.54.11.13 86.54.11.213 no I tested with https://dnscheck.tools
 DNS4EU Protective with child protection https://child.joindns4.eu/dns-query child.joindns4.eu 2a13:1001::86:54:11:12 2a13:1001::86:54:11:212 86.54.11.12 
86.54.11.212 no
diff --git a/etc/systemd/resolved.conf.d/80-dot-eu-gdpr.conf b/etc/systemd/resolved.conf.d/80-dns4eu.conf
similarity index 80%
rename from etc/systemd/resolved.conf.d/80-dot-eu-gdpr.conf
rename to etc/systemd/resolved.conf.d/80-dns4eu.conf
index 3ae42cb4..16a30923 100644
--- a/etc/systemd/resolved.conf.d/80-dot-eu-gdpr.conf
+++ b/etc/systemd/resolved.conf.d/80-dns4eu.conf
@@ -2,8 +2,6 @@
 # GDPR-compatible
 [Resolve]
 DNS=
-DNS=2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu
-DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu
 DNS=2a13:1001::86:54:11:201#protective.joindns4.eu
 DNS=2a13:1001::86:54:11:1#protective.joindns4.eu
 DNS=86.54.11.201#protective.joindns4.eu
diff --git a/etc/systemd/resolved.conf.d/90-working-dns.conf b/etc/systemd/resolved.conf.d/90-working-dns.conf
index 6e181bd3..3014bed5 100644
--- a/etc/systemd/resolved.conf.d/90-working-dns.conf
+++ b/etc/systemd/resolved.conf.d/90-working-dns.conf
@@ -1,7 +1,6 @@
 [Resolve]
 DNS=
 DNS=::1 127.0.0.1
-DNS=2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 193.110.81.0#dns0.eu 185.253.5.0#dns0.eu
 DNS=2620:fe::11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net [2620:fe::11]:8853#dns11.quad9.net [2620:fe::fe:11]:8853#dns11.quad9.net 149.112.112.11#dns11.quad9.net 9.9.9.11#dns11.quad9.net 149.112.112.11:8853#dns11.quad9.net 9.9.9.11:8853#dns11.quad9.net
 DNS=2a13:1001::86:54:11:201#protective.joindns4.eu 2a13:1001::86:54:11:1#protective.joindns4.eu 86.54.11.201#protective.joindns4.eu 86.54.11.1#protective.joindns4.eu
 FallbackDNS=
diff --git a/etc/unbound/unbound.conf.d/dns-over-tls.conf b/etc/unbound/unbound.conf.d/dns-over-tls.conf
index 94f338cb..05b30411 100644
--- a/etc/unbound/unbound.conf.d/dns-over-tls.conf
+++ b/etc/unbound/unbound.conf.d/dns-over-tls.conf
@@ -17,8 +17,6 @@ server: # - cloudflare-dns.com contributes to https://radar.cloudflare.com which gets # used by many others including PrivacyBadger most popular domains for its # badgersett pretraining -# - dns0.eu provides servers located only in the EU and private ECS -# - adguard-dns.com provides private ECS around the world forward-zone: name: "." @@ -66,12 +64,6 @@ forward-zone: #forward-addr: 149.112.112.12@853#dns12.quad9.net forward-addr: 149.112.112.12@8853#dns12.quad9.net - # https://www.dns0.eu/open https://www.dns0.eu/network - French based. Private ECS - forward-addr: 193.110.81.254@853#open.dns0.eu - forward-addr: 185.253.5.254@853#open.dns0.eu - forward-addr: 2a0f:fc80::ffff@853#open.dns0.eu - forward-addr: 2a0f:fc81::ffff@853#open.dns0.eu - # Adguard DNS Unfiltered Anycast. Malta based. Private ECS. forward-addr: 2a10:50c0::1:ff@853#unfiltered.adguard-dns.com forward-addr: 2a10:50c0::2:ff@853#unfiltered.adguard-dns.com diff --git a/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf b/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf deleted file mode 100644 index 3bd7f614..00000000 --- a/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf +++ /dev/null 
@@ -1,41 +0,0 @@
-# Non-commercial DNS providers with some sort of ECS implementation which I
-# seem to be using often regardless of privacy issues.
-
-server:
- # Debian ca-certificates location
- #tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
- # Fedora
- #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
- # Use system certificates no matter where they are
- tls-system-cert: yes
- # Quad9 says pointless performance impact on forwarders.
- # https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
- qname-minimisation: no
-
-forward-zone:
- name: "."
- forward-tls-upstream: yes
- forward-addr: 2a0f:fc80::@853#dns0.eu
- forward-addr: 193.110.81.0@853#dns0.eu
- forward-addr: 2a0f:fc81::@853#dns0.eu
- forward-addr: 185.253.5.0@853#dns0.eu
- ## Quad9 Secure
- #forward-addr: 2620:fe::fe@8853#dns.quad9.net
- #forward-addr: 2620:fe::9@8853#dns.quad9.net
- #forward-addr: 9.9.9.9@8853#dns.quad9.net
- #forward-addr: 149.112.112.112@8853#dns.quad9.net
- #forward-addr: 2620:fe::fe@853#dns.quad9.net
- #forward-addr: 2620:fe::9@853#dns.quad9.net
- #forward-addr: 9.9.9.9@853#dns.quad9.net
- #forward-addr: 149.112.112.112@853#dns.quad9.net
- # Quad9 Secure + ECS
- forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
- forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
- forward-addr: 9.9.9.11@853#dns11.quad9.net
- forward-addr: 9.9.9.11@8853#dns11.quad9.net
- forward-addr: 2620:fe::11@853#dns11.quad9.net
- forward-addr: 2620:fe::11@8853#dns11.quad9.net
- forward-addr: 149.112.112.11@853#dns11.quad9.net
- forward-addr: 149.112.112.11@8853#dns11.quad9.net
-
-# vim: filetype=unbound.conf
diff --git a/etc/unbound/unbound.conf.d/dot-dns0.conf b/etc/unbound/unbound.conf.d/dot-dns0.conf
deleted file mode 100644
index a84a949e..00000000
--- a/etc/unbound/unbound.conf.d/dot-dns0.conf
+++ /dev/null
@@ -1,31 +0,0 @@ -server: - # Debian ca-certificates location - #tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt - # Fedora - #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem - # Use system certificates no matter where they are - tls-system-cert: yes - # Quad9 says pointless performance impact on forwarders. - # https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization - qname-minimisation: no - -forward-zone: - name: "." - forward-tls-upstream: yes - # Default - forward-addr: 2a0f:fc80::@853#dns0.eu - forward-addr: 193.110.81.0@853#dns0.eu - forward-addr: 2a0f:fc81::@853#dns0.eu - forward-addr: 185.253.5.0@853#dns0.eu - # # Unfiltered - # forward-addr: 193.110.81.254@853#open.dns0.eu - # forward-addr: 185.253.5.254@853#open.dns0.eu - # forward-addr: 2a0f:fc80::ffff@853#open.dns0.eu - # forward-addr: 2a0f:fc81::ffff@853#open.dns0.eu - # # Heavier filtering - # forward-addr: 2a0f:fc80::9@853#zero.dns0.eu - # forward-addr: 193.110.81.9@853#zero.dns0.eu - # forward-addr: 2a0f:fc81::9@853#zero.dns0.eu - # forward-addr: 185.253.5.9@853#zero.dns0.eu - -# vim: filetype=unbound.conf diff --git a/etc/unbound/unbound.conf.d/dot-dns0-dns4eu-quad9.conf b/etc/unbound/unbound.conf.d/dot-dns4eu-quad9.conf similarity index 82% rename from etc/unbound/unbound.conf.d/dot-dns0-dns4eu-quad9.conf rename to etc/unbound/unbound.conf.d/dot-dns4eu-quad9.conf index f2dd8bd2..2fac30b3 100644 --- a/etc/unbound/unbound.conf.d/dot-dns0-dns4eu-quad9.conf +++ b/etc/unbound/unbound.conf.d/dot-dns4eu-quad9.conf @@ -1,6 +1,4 @@ -# Three non-commercial malicious domain blocking DNS servers. At least one -# will likely work, even if three choices means three different filters and -# things might get past something. +# DNS providers without interest in sneaking and selling traffic server: # Debian ca-certificates location 
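Review bot: The new header line `# DNS providers without interest in sneaking and selling traffic` in dot-dns4eu-quad9.conf drops the caveat the old header carried, that the listed resolvers apply different blocklists and something blocked by one may get past another. Going by the new file name the file still mixes DNS4EU and Quad9 forwarders (most of the forward-addr list is outside this hunk), so the caveat presumably still applies and matters to anyone relying on this file for malicious-domain blocking. I would keep a second line such as `# Filtering differs per provider; a domain blocked by one may still resolve via the other.` and reword "sneaking" to "snooping on", which seems to be what is meant.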
@@ -16,10 +14,6 @@ server:
 forward-zone:
 name: "."
 forward-tls-upstream: yes
- forward-addr: 2a0f:fc80::@853#dns0.eu
- forward-addr: 193.110.81.0@853#dns0.eu
- forward-addr: 2a0f:fc81::@853#dns0.eu
- forward-addr: 185.253.5.0@853#dns0.eu
 ## Quad9 Secure
 #forward-addr: 2620:fe::fe@8853#dns.quad9.net
 #forward-addr: 2620:fe::9@8853#dns.quad9.net
diff --git a/etc/unbound/unbound.conf.d/dot-eu-gdpr.conf b/etc/unbound/unbound.conf.d/dot-eu-gdpr.conf
deleted file mode 100644
index 16012172..00000000
--- a/etc/unbound/unbound.conf.d/dot-eu-gdpr.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-# Brownie points for no data transmitted outside of the EU and thus
-# GDPR-compatible
-
-server:
- # Debian ca-certificates location
- #tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
- # Fedora
- #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
- # Use system certificates no matter where they are
- tls-system-cert: yes
- # Quad9 says pointless performance impact on forwarders.
- # https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
- qname-minimisation: no
-
-forward-zone:
- name: "."
- forward-tls-upstream: yes
- forward-addr: 2a0f:fc80::@853#dns0.eu
- forward-addr: 193.110.81.0@853#dns0.eu
- forward-addr: 2a0f:fc81::@853#dns0.eu
- forward-addr: 185.253.5.0@853#dns0.eu
- # DNS4EU Protective
- forward-addr: 2a13:1001::86:54:11:201@853#protective.joindns4.eu
- forward-addr: 2a13:1001::86:54:11:1@853#protective.joindns4.eu
- forward-addr: 86.54.11.201@853#protective.joindns4.eu
- forward-addr: 86.54.11.1@853#protective.joindns4.eu
-
-# vim: filetype=unbound.conf
diff --git a/etc/unbound/unbound.conf.d/dot-eu-gdpr.conf b/etc/unbound/unbound.conf.d/dot-eu-gdpr.conf
new file mode 120000
index 00000000..ee31ae27
--- /dev/null
+++ b/etc/unbound/unbound.conf.d/dot-eu-gdpr.conf
@@ -0,0 +1 @@
+dot-dns4eu.conf
\ No newline at end of file
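Review bot: The new `dot-eu-gdpr.conf` symlink targets `dot-dns4eu.conf`, but no file of that name is added or renamed anywhere in this diff; the only DNS4EU unbound file it touches is `dot-dns4eu-quad9.conf`. Unless `dot-dns4eu.conf` already exists in `etc/unbound/unbound.conf.d/`, the link is dangling, and a host that installs `dot-eu-gdpr.conf` would get none of the DNS-over-TLS forwarders the old regular file provided, so unbound would presumably either fail to load the include or resolve without them. Please confirm the target exists in the tree, or add it in this commit. The old file's "GDPR-compatible" header is also lost with the switch to a symlink, so the target should say which provider backs that claim.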
diff --git a/etc/unbound/unbound.conf.d/dot-nextdns.conf b/etc/unbound/unbound.conf.d/dot-nextdns.conf deleted file mode 120000 index e2d2a617..00000000 --- a/etc/unbound/unbound.conf.d/dot-nextdns.conf +++ /dev/null @@ -1 +0,0 @@ -dot-dns0.conf \ No newline at end of file diff --git a/etc/unbound/unbound.conf.d/please-hijack-me.conf b/etc/unbound/unbound.conf.d/please-hijack-me.conf index fd099344..da589e17 100644 --- a/etc/unbound/unbound.conf.d/please-hijack-me.conf +++ b/etc/unbound/unbound.conf.d/please-hijack-me.conf @@ -1,6 +1,6 @@ # These domains belong to silly network appliances or captive portals that # wish to perform DNS hijacking instead of just using IP addresses. The -# server is https://dns0.eu/zero and hopefully rejects upstream queries +# server is Quad9 default and hopefully rejects upstream queries # should the domains become malicious. # Pv6 is not specified since I don't think the silly devices support that. server: @@ -11,26 +11,26 @@ qname-minimisation: no forward-zone: name: "router.asus.com" forward-tls-upstream: no - forward-addr: 193.110.81.9 - forward-addr: 185.253.5.9 + forward-addr: 149.112.112.112 + forward-addr: 9.9.9.9 forward-zone: name: "tplinkrepeater.net" forward-tls-upstream: no - forward-addr: 193.110.81.9 - forward-addr: 185.253.5.9 + forward-addr: 149.112.112.112 + forward-addr: 9.9.9.9 # Netgear forward-zone: name: "mywifiext.net" forward-tls-upstream: no - forward-addr: 193.110.81.9 - forward-addr: 185.253.5.9 + forward-addr: 149.112.112.112 + forward-addr: 9.9.9.9 forward-zone: name: "norwegianwifi.com" forward-tls-upstream: no - forward-addr: 193.110.81.9 - forward-addr: 185.253.5.9 + forward-addr: 149.112.112.112 + forward-addr: 9.9.9.9 # vim: filetype=unbound.conf
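Review bot: All four stub zones in the second hunk of please-hijack-me.conf keep `forward-tls-upstream: no`, so the new forwarders 149.112.112.112 and 9.9.9.9 are queried over plain DNS with no server authentication, and nothing next to the setting says that this is intended. The header comment suggests it is deliberate, since the appliances and captive portals must be able to intercept these lookups, so I would add a line above the first zone such as `# Plain DNS on purpose: the appliance or captive portal has to be able to answer these names itself`. That keeps a later cleanup from switching the zones to TLS and breaking the portals, and from copying the cleartext pattern to zones where it is not wanted. The header in the first hunk now says "Quad9 default" while dot-dns4eu-quad9.conf labels the same service "Quad9 Secure"; using one name, and fixing "Pv6" to "IPv6" on the following comment line, would make the files easier to search.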