From aa6aad28ba5eba618b31de287ade0a7bae50f982 Mon Sep 17 00:00:00 2001 From: Aminda Suomalainen Date: Wed, 1 May 2024 10:13:30 +0300 Subject: [PATCH] resolv: follow the same order as man resolv.conf --- etc/resolv.conf | 12 ++++++------ etc/resolv.conf-generate.bash | 2 +- etc/systemd-resolv.conf-generate.bash | 2 +- etc/systemd/system/service.d/resolv.conf | 2 +- rc/bashrc | 2 +- rc/zshrc | 2 +- 6 files changed, 11 insertions(+), 11 deletions(-) diff --git a/etc/resolv.conf b/etc/resolv.conf index cb63c714..9a54d09d 100644 --- a/etc/resolv.conf +++ b/etc/resolv.conf @@ -26,8 +26,9 @@ nameserver 127.0.0.53 # systemd-resolved DNS proxy (to upstream). No DNSSEC, no LLMNR, no mDNS! #nameserver 127.0.0.54 -# edns0 = extended DNS -# trust-ad = trust DNSSEC authenticated data +# no sending local domain to upstream whenever NXDOMAIN happens +search . + # timeout:2 = nameserver timeout 2 s (default 5, max 30), then next # attempts:2 = if all nameservers fail, attempt again 2 times (def 2, max 5) # rotate = instead of trying the nameservers in the order specified, randomize @@ -35,14 +36,13 @@ nameserver 127.0.0.53 # except that NordVPN disables IPv6 so ::1 will fail and occassionally only # systemd-resolved works and I am under impression that some apps are aware of # systemd-resolved and will use it directly bypassing resolv.conf -options edns0 trust-ad timeout:2 attempts:2 rotate +# edns0 = extended DNS +# trust-ad = trust DNSSEC authenticated data +options timeout:2 attempts:2 rotate edns0 trust-ad # AMINDA! Remember, you are specifying these here, a couple of bash scripts # in this directory, see the comment on top, ../rc/{bash,zsh}rc # ($RES_OPTIONS) and systemd/system/service.d/resolv.conf ! -# no sending local domain to upstream whenever NXDOMAIN happens -search . - # PS. Remove empty lines and comments if this ends up in /etc/resolv.conf # PPS. The traditional spell is: # sudo chattr -i /etc/resolv.conf;sudo nvim /etc/resolv.conf;sudo chattr +i /etc/resolv.conf 
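Review bot: The comment moved above the new `options timeout:2 attempts:2 rotate edns0 trust-ad` line in the second etc/resolv.conf hunk describes `trust-ad` only as "trust DNSSEC authenticated data" and does not say whose assertion is being trusted. With `trust-ad`, glibc sets the AD bit in queries and passes the AD bit from the answering nameserver through to applications, and `rotate` spreads queries across every listed nameserver, so the setting is only as strong as the weakest resolver in the list. Whether the listeners on ::1, 127.0.0.1 and 127.0.0.53 all validate is not visible from this hunk. I would extend the comment to state the condition, e.g. `# trust-ad = keep the resolver's AD bit in answers; only sound if every nameserver above validates DNSSEC and is reached over loopback`.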
diff --git a/etc/resolv.conf-generate.bash b/etc/resolv.conf-generate.bash index 75efe147..6860dc23 100755 --- a/etc/resolv.conf-generate.bash +++ b/etc/resolv.conf-generate.bash @@ -17,7 +17,7 @@ rm -v /etc/resolv.conf # Actual resolv.conf creation. OK, this could read resolv.conf in this # directory, but I like this being self-contained. # tee -p = operate in a more appropriate MODE with pipes. -printf 'nameserver ::1\nnameserver 127.0.0.1\nnameserver 127.0.0.53\noptions edns0 trust-ad timeout:2 attempts:2 rotate\nsearch .\n' | tee -p /etc/resolv.conf +printf 'nameserver ::1\nnameserver 127.0.0.1\nnameserver 127.0.0.53\nsearch .\noptions timeout:2 attempts:2 rotate edns0 trust-ad\n' | tee -p /etc/resolv.conf # Remove all other permissions than everyone reading resolv.conf chmod -v a=r /etc/resolv.conf diff --git a/etc/systemd-resolv.conf-generate.bash b/etc/systemd-resolv.conf-generate.bash index de532f5d..8aec07ab 100755 --- a/etc/systemd-resolv.conf-generate.bash +++ b/etc/systemd-resolv.conf-generate.bash @@ -29,7 +29,7 @@ chmod -v +w /etc/resolv.conf rm -v /etc/resolv.conf # tee -p = operate in a more appropriate MODE with pipes. -printf 'nameserver 127.0.0.53\nnameserver 127.0.0.53\nnameserver 127.0.0.53\noptions edns0 trust-ad timeout:2 attempts:2 rotate\nsearch .\n' | tee -p /etc/resolv.conf +printf 'nameserver 127.0.0.53\nnameserver 127.0.0.53\nnameserver 127.0.0.53\nsearch .\noptions timeout:2 attempts:2 rotate edns0 trust-ad\n' | tee -p /etc/resolv.conf # Remove all other permissions than everyone reading resolv.conf chmod -v a=r /etc/resolv.conf diff --git a/etc/systemd/system/service.d/resolv.conf b/etc/systemd/system/service.d/resolv.conf index 458a4e7c..1c9893ed 100644 --- a/etc/systemd/system/service.d/resolv.conf +++ b/etc/systemd/system/service.d/resolv.conf 
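Review bot: The rewritten `printf … | tee -p /etc/resolv.conf` line still runs after `rm -v /etc/resolv.conf`, so the replacement is not atomic; the same sequence appears in the etc/systemd-resolv.conf-generate.bash hunk. While the file is missing, glibc falls back to querying the local machine with default options and a search list derived from the hostname, so the `search .` and `options` protections are absent, and they stay absent if the write fails. Building the file next to the target and renaming it over the old one closes that window: `tmp=$(mktemp /etc/resolv.conf.XXXXXX)`, `printf '…' >"$tmp" && chmod a=r "$tmp"`, `mv -f -- "$tmp" /etc/resolv.conf`. Both scripts start and continue outside the hunks, so any `set -e` or attribute handling they already do is not visible here.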
@@ -5,6 +5,6 @@ # note that this is possible. [Service] Environment=LOCALDOMAIN=. -Environment=RES_OPTIONS="edns0 trust-ad timeout:2 attempts:2 rotate" +Environment=RES_OPTIONS="timeout:2 attempts:2 rotate edns0 trust-ad" # vim: filetype=systemd diff --git a/rc/bashrc b/rc/bashrc index ee501b43..411bdf49 100755 --- a/rc/bashrc +++ b/rc/bashrc @@ -258,7 +258,7 @@ export LSCOLORS=gxBxhxDxfxhxhxhxhxcxcx export LOCALDOMAIN=. # Secureish resolv.conf options (except trust-ad, but systemd also sets it # regardless of whether DNSSEC=true or not. -export RES_OPTIONS="edns0 trust-ad timeout:2 attempts:2 rotate" +export RES_OPTIONS="timeout:2 attempts:2 rotate edns0 trust-ad" ##### Aliases RJ706I ##### diff --git a/rc/zshrc b/rc/zshrc index 605778e2..8bbe82d0 100755 --- a/rc/zshrc +++ b/rc/zshrc @@ -217,7 +217,7 @@ export LSCOLORS=gxBxhxDxfxhxhxhxhxcxcx export LOCALDOMAIN=. # Secureish resolv.conf options (except trust-ad, but systemd also sets it # regardless of whether DNSSEC=true or not. -export RES_OPTIONS="edns0 trust-ad timeout:2 attempts:2 rotate" +export RES_OPTIONS="timeout:2 attempts:2 rotate edns0 trust-ad" ##### Aliases RJ706I #####
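Review bot: `RES_OPTIONS` carrying `trust-ad` in this service.d drop-in, and again in the rc/bashrc and rc/zshrc hunks, amends the resolver options of every process that inherits it, whichever nameservers that machine's /etc/resolv.conf actually lists. If these dotfiles or the drop-in land on a host whose resolv.conf is not the loopback setup from etc/resolv.conf (for example one written by DHCP), applications would accept an AD bit from a resolver and network path nobody vetted. The rc comment above the export ("Secureish resolv.conf options (except trust-ad, …") hints at this but leaves its parenthesis open and names no condition. I would add next to each assignment `# trust-ad is only sound when /etc/resolv.conf lists loopback validating resolvers; drop it from RES_OPTIONS elsewhere`.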