mirror of
https://gitea.blesmrt.net/mikaela/shell-things.git
synced 2024-12-23 03:02:52 +01:00
systemd-resolved/README.md: remove EOL Ubuntu, fix booleans, note my actual DNS config
This commit is contained in:
parent
da6eab8dfc
commit
a2e36f2a3b
@ -15,15 +15,13 @@ sudo systemctl restart systemd-resolved
|
|||||||
Enables DNSSEC (regardless of systemd-resolved not handling it properly),
|
Enables DNSSEC (regardless of systemd-resolved not handling it properly),
|
||||||
enables opportunistic DoT, caching and local DNS servers.
|
enables opportunistic DoT, caching and local DNS servers.
|
||||||
- `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
|
- `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
|
||||||
captive portals are a concern, `DNSOverTLS=no`. At least one of these
|
captive portals are a concern, `DNSOverTLS=opportunistic`. At least one of these
|
||||||
should be used in addition to `00-defaults.conf`
|
should be used in addition to `00-defaults.conf`
|
||||||
- `README.md` - you are reading it right now.
|
- `README.md` - you are reading it right now.
|
||||||
|
|
||||||
## General commentary
|
## General commentary
|
||||||
|
|
||||||
- Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS (however
|
- DNSOverTLS became supported in systemd v239, strict mode (true) in
|
||||||
at the time of writing this README.md, the current version is Ubuntu 20.04.0)
|
|
||||||
(systemd v237). DNSOverTLS became supported in v239, strict mode (yes) in
|
|
||||||
v243 (big improvements in v244).
|
v243 (big improvements in v244).
|
||||||
- TODO: find out when SNI became supported, I have just spotted it in the
|
- TODO: find out when SNI became supported, I have just spotted it in the
|
||||||
fine manual in 2020-06-??.
|
fine manual in 2020-06-??.
|
||||||
@ -32,10 +30,13 @@ sudo systemctl restart systemd-resolved
|
|||||||
- DNSSEC may not work if the system is down for a long time and not updated.
|
- DNSSEC may not work if the system is down for a long time and not updated.
|
||||||
Thus `allow-downgrade` may be better for non-tech people, even with the
|
Thus `allow-downgrade` may be better for non-tech people, even with the
|
||||||
potential downgrade attack. There are also captive portals, affecting
|
potential downgrade attack. There are also captive portals, affecting
|
||||||
`DNSOverTLS`. Both take `yes` or `no` or their own special option,
|
`DNSOverTLS`. Both take `true` or `false` or their own special option,
|
||||||
for DNNSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
|
for DNSSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
|
||||||
- Then again when was any system that outdated to not have working DNSSEC?
|
- Then again when was any system that outdated to not have working DNSSEC?
|
||||||
- TODO: return to this configuration should that actually happen?
|
- TODO: return to this configuration should that actually happen?
|
||||||
|
- I am actually running Unbound simultaneously with `resolv.conf` pointing
|
||||||
|
to both with `options rotate edns0 trust-ad` which might workaround that
|
||||||
|
potential issue.
|
||||||
|
|
||||||
Other links I have found important and my files are based on:
|
Other links I have found important and my files are based on:
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user