systemd-resolved: think more on local resolvers or not

etc/systemd/resolved.conf.d/00-no-local-resolver.conf

@@ -1,4 +1,5 @@
 [Resolve]
+# Use this together with other files other than 00-only-unbound.conf!
 # https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
 #DNSSEC=allow-downgrade
 # Regardless of the above DNS breaking issues when DNSSEC is

etc/systemd/resolved.conf.d/00-only-local-resolver.conf

@@ -0,0 +1,12 @@
+[Resolve]
+# All this is done by Unbound. Don't use other files together with this one.
+DNSSEC=false
+DNSOverTLS=false
+Cache=false
+DNS=127.0.0.1
+DNS=::1
+Domains=~.
+# .local domains
+MulticastDNS=true
+# Microsoft Windows compatibility?
+LLMNR=true

etc/systemd/resolved.conf.d/README.md

@@ -26,9 +26,15 @@ sudo systemctl restart systemd-resolved
 
 ## Files explained
 
-- `00-defaults.conf` - configuration that should be used everywhere.
+- `00-no-local-resolver.conf` - configuration that should be used everywhere.
   Enables DNSSEC (regardless of systemd-resolved not handling it properly),
-  enables opportunistic DoT, caching and local DNS servers.
+  enables opportunistic DoT, caching and local DNS servers (because they
+  should exist anyway as I don't trust systemd-resolved entirely. Anyway if
+  there truly is no local resolver, systemd-resolved will detect that and act accordingly.)
+  - To rephrase, this is sto be used together with other files, especially
+    some of those beginning with `dot-`.
+- `00-only-local-resolver.conf` - for when there is known local resolver.
+  **_Don't combine this with the other files._**
 - `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
   captive portals are a concern, `DNSOverTLS=opportunistic`. At least one of these
   should be used in addition to `00-defaults.conf`