systemd-resolved/README.md: remove EOL Ubuntu, fix booleans, note my actual DNS config

Aminda Suomalainen 2024-04-11 10:03:53 +03:00
parent da6eab8dfc
commit a2e36f2a3b
Signed by: Mikaela
SSH Key Fingerprint: SHA256:CXLULpqNBdUKB6E6fLA1b/4SzG0HvKD19PbIePU175Q
1 changed files with 7 additions and 6 deletions


@ -15,15 +15,13 @@ sudo systemctl restart systemd-resolved
Enables DNSSEC (regardless of systemd-resolved not handling it properly),
enables opportunistic DoT, caching and local DNS servers.
- `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
captive portals are a concern, `DNSOverTLS=no`. At least one of these
captive portals are a concern, `DNSOverTLS=opportunistic`. At least one of these
should be used in addition to `00-defaults.conf`
- `README.md` - you are reading it right now.
## General commentary
- Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS (however
at the time of writing this README.md, the current version is Ubuntu 20.04.0)
(systemd v237). DNSOverTLS became supported in v239, strict mode (yes) in
- DNSOverTLS became supported in systemd v239, strict mode (true) in
v243 (big improvements in v244).
- TODO: find out when SNI became supported, I have just spotted it in the
fine manual in 2020-06-??.
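Review bot: the "fix booleans" part of this hunk (`strict mode (yes)` to `strict mode (true)`) is cosmetic rather than a correction, since systemd's boolean parser accepts `yes`/`no` as well as `true`/`false`; to avoid implying that the old spelling was invalid, consider wording it as "strict mode (a true boolean, e.g. `yes`/`true`)". The captive-portal change from `DNSOverTLS=no` to `DNSOverTLS=opportunistic` is the more meaningful one and deserves a word of explanation in the README: opportunistic mode still falls back to cleartext DNS when TLS is unavailable, which is what lets a captive portal's redirect answers through, while strict mode would refuse those answers outright. Dropping the Ubuntu 18.04 bullet also removed the "(systemd v237)" data point; the surviving line still carries the v239/v243 facts, so nothing is lost, but the "however ... Ubuntu 20.04.0" aside is now gone and the TODO on SNI remains unresolved.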
@ -32,10 +30,13 @@ sudo systemctl restart systemd-resolved
- DNSSEC may not work if the system is down for a long time and not updated.
Thus `allow-downgrade` may be better for non-tech people, even with the
potential downgrade attack. There are also captive portals, affecting
`DNSOverTLS`. Both take `yes` or `no` or their own special option,
for DNNSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
`DNSOverTLS`. Both take `true` or `false` or their own special option,
for DNSSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
- Then again when was any system that outdated to not have working DNSSEC?
- TODO: return to this configuration should that actually happen?
- I am actually running Unbound simultaneously with `resolv.conf` pointing
to both with `options rotate edns0 trust-ad` which might workaround that
potential issue.
Other links I have found important and my files are based on:
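Review bot: the new bullet about running Unbound alongside systemd-resolved with `options rotate edns0 trust-ad` needs a caveat. With `rotate`, the glibc stub spreads queries across both listed servers, and `trust-ad` tells it to trust the AD bit from whichever server answered; that is only safe if both Unbound and resolved validate DNSSEC and both are reached over a trusted (loopback) path, otherwise a non-validating server's AD bit would be treated as proof of validation. It would also help to say which "potential issue" this is meant to work around (the earlier bullet about DNSSEC failing on a long-outdated system, or `allow-downgrade` being vulnerable to a downgrade), since as written the reader cannot tell. The `DNNSEC` to `DNSSEC` typo fix and the `yes`/`no` to `true`/`false` wording are fine; both spellings are accepted by systemd, so the README could mention that either form works.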