mirror of https://gitea.blesmrt.net/mikaela/shell-things.git, synced 2024-12-23 03:02:52 +01:00
systemd-resolved/README.md: remove EOL Ubuntu, fix booleans, note my actual DNS config
parent da6eab8dfc
commit a2e36f2a3b
@ -15,15 +15,13 @@ sudo systemctl restart systemd-resolved
|
||||
Enables DNSSEC (regardless of systemd-resolved not handling it properly),
|
||||
enables opportunistic DoT, caching and local DNS servers.
|
||||
- `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
|
||||
captive portals are a concern, `DNSOverTLS=no`. At least one of these
|
||||
captive portals are a concern, `DNSOverTLS=opportunistic`. At least one of these
|
||||
should be used in addition to `00-defaults.conf`
|
||||
- `README.md` - you are reading it right now.
|
||||
|
||||
## General commentary
|
||||
|
||||
- Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS (however
|
||||
at the time of writing this README.md, the current version is Ubuntu 20.04.0)
|
||||
(systemd v237). DNSOverTLS became supported in v239, strict mode (yes) in
|
||||
- DNSOverTLS became supported in systemd v239, strict mode (true) in
|
||||
v243 (big improvements in v244).
|
||||
- TODO: find out when SNI became supported, I have just spotted it in the
|
||||
fine manual in 2020-06-??.
|
||||
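Review bot: The `dot-*.conf` bullet now advises `DNSOverTLS=opportunistic` when captive portals are a concern, but the context line above it says `00-defaults.conf` already "enables opportunistic DoT", so the advice only makes sense if the `dot-*.conf` files set a stricter value, and the bullet never says which value they ship with. State that value explicitly and say what is given up by relaxing it, the same way the DNSSEC bullet further down names the "potential downgrade attack" for `allow-downgrade`. Separately, the untouched TODO about SNI still carries the placeholder date `2020-06-??`; since this commit is already pruning stale version notes, either resolve it or drop the date.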
@ -32,10 +30,13 @@ sudo systemctl restart systemd-resolved
|
||||
- DNSSEC may not work if the system is down for a long time and not updated.
|
||||
Thus `allow-downgrade` may be better for non-tech people, even with the
|
||||
potential downgrade attack. There are also captive portals, affecting
|
||||
`DNSOverTLS`. Both take `yes` or `no` or their own special option,
|
||||
for DNNSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
|
||||
`DNSOverTLS`. Both take `true` or `false` or their own special option,
|
||||
for DNSSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
|
||||
- Then again when was any system that outdated to not have working DNSSEC?
|
||||
- TODO: return to this configuration should that actually happen?
|
||||
- I am actually running Unbound simultaneously with `resolv.conf` pointing
|
||||
to both with `options rotate edns0 trust-ad` which might workaround that
|
||||
potential issue.
|
||||
|
||||
Other links I have found important and my files are based on:
|
||||
|
||||
|
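Review bot: The added Unbound bullet ends with "might workaround that potential issue" without saying how, so a reader cannot tell what the setup actually protects against. Spell out the mechanism: with `resolv.conf` "pointing to both" and `rotate` set, which resolver is expected to answer when DNSSEC validation fails in the other, and whether that is a deliberate fallback. Because `options rotate edns0 trust-ad` includes `trust-ad`, the AD bit is trusted from every listed resolver, so the bullet should also say that both entries are local addresses. The boolean wording change to `true` or `false` here matches "strict mode (true)" in the first hunk, which is good. Minor: "workaround" is the noun; as a verb it should read "work around".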