From a2e36f2a3b7f6aa4f2e0b93fa5a71938355532d6 Mon Sep 17 00:00:00 2001 From: Aminda Suomalainen Date: Thu, 11 Apr 2024 10:03:53 +0300 Subject: [PATCH] systemd-resolved/README.md: remove EOL Ubuntu, fix booleans, note my actual DNS config --- etc/systemd/resolved.conf.d/README.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/etc/systemd/resolved.conf.d/README.md b/etc/systemd/resolved.conf.d/README.md index 35b2a157..b13db4d9 100644 --- a/etc/systemd/resolved.conf.d/README.md +++ b/etc/systemd/resolved.conf.d/README.md @@ -15,15 +15,13 @@ sudo systemctl restart systemd-resolved Enables DNSSEC (regardless of systemd-resolved not handling it properly), enables opportunistic DoT, caching and local DNS servers. - `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If - captive portals are a concern, `DNSOverTLS=no`. At least one of these + captive portals are a concern, `DNSOverTLS=opportunistic`. At least one of these should be used in addition to `00-defaults.conf` - `README.md` - you are reading it right now. ## General commentary -- Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS (however - at the time of writing this README.md, the current version is Ubuntu 20.04.0) - (systemd v237). DNSOverTLS became supported in v239, strict mode (yes) in +- DNSOverTLS became supported in systemd v239, strict mode (true) in v243 (big improvements in v244). - TODO: find out when SNI became supported, I have just spotted it in the fine manual in 2020-06-??. 
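Review bot: the `DNSOverTLS=opportunistic` advice for captive portals in this hunk should say what it trades away. In opportunistic mode resolved falls back to plaintext DNS when port 853 is unreachable and does not validate the server's certificate, so it only hides queries from a passive observer; anything that can block or intercept port 853 silently downgrades it, which is exactly what a captive portal (or an attacker posing as one) does. Suggest adding a short caveat after that sentence, e.g. "opportunistic mode falls back to unencrypted DNS and does not verify the server, so treat it as privacy-only, not as a security boundary", and pointing readers back to strict mode (`DNSOverTLS=yes`) once they are off the portal network. Minor: `strict mode (true)` is accepted since systemd parses `true`/`yes` interchangeably, but the resolved.conf man page spells the strict value `yes`, so keeping `yes` in the version note makes it easier to grep for.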
@@ -32,10 +30,13 @@ sudo systemctl restart systemd-resolved - DNSSEC may not work if the system is down for a long time and not updated. Thus `allow-downgrade` may be better for non-tech people, even with the potential downgrade attack. There are also captive portals, affecting - `DNSOverTLS`. Both take `yes` or `no` or their own special option, - for DNNSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`. + `DNSOverTLS`. Both take `true` or `false` or their own special option, + for DNSSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`. - Then again when was any system that outdated to not have working DNSSEC? - TODO: return to this configuration should that actually happen? + - I am actually running Unbound simultaneously with `resolv.conf` pointing + to both with `options rotate edns0 trust-ad` which might workaround that + potential issue. Other links I have found important and my files are based on:
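Review bot: the new Unbound bullet should state the consequence of `options rotate` rather than calling it a possible workaround: with `resolv.conf` rotating between resolved and Unbound, each lookup is answered and validated by whichever of the two is picked, so a DNSSEC failure on one side shows up intermittently, and `trust-ad` will pass the AD bit from either resolver even though they run different policies (`allow-downgrade` on the resolved side per the bullet above). Worth saying explicitly that `trust-ad` is only acceptable here because both listeners are local, and that programs resolving via nss-resolve talk to resolved directly and never read `resolv.conf`, so this setup only changes behaviour for clients that do their own DNS from `resolv.conf`. The `true`/`false` wording is consistent with systemd's boolean parsing (the man page documents `yes`/`no` alongside `allow-downgrade` and `opportunistic`, so either spelling works), and the `DNNSEC` typo fix is good.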