diff --git a/etc/systemd/resolved.conf.d/00-defaults.conf b/etc/systemd/resolved.conf.d/00-no-local-resolver.conf
similarity index 87%
rename from etc/systemd/resolved.conf.d/00-defaults.conf
rename to etc/systemd/resolved.conf.d/00-no-local-resolver.conf
index 0cb7b64e..9c1e9ade 100644
--- a/etc/systemd/resolved.conf.d/00-defaults.conf
+++ b/etc/systemd/resolved.conf.d/00-no-local-resolver.conf
@@ -1,4 +1,5 @@
 [Resolve]
+# Use this together with other files other than 00-only-unbound.conf!
 # https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
 #DNSSEC=allow-downgrade
 # Regardless of the above DNS breaking issues when DNSSEC is
diff --git a/etc/systemd/resolved.conf.d/00-only-local-resolver.conf b/etc/systemd/resolved.conf.d/00-only-local-resolver.conf
new file mode 100644
index 00000000..9deda665
--- /dev/null
+++ b/etc/systemd/resolved.conf.d/00-only-local-resolver.conf
@@ -0,0 +1,12 @@
+[Resolve]
+# All this is done by Unbound. Don't use other files together with this one.
+DNSSEC=false
+DNSOverTLS=false
+Cache=false
+DNS=127.0.0.1
+DNS=::1
+Domains=~.
+# .local domains
+MulticastDNS=true
+# Microsoft Windows compatibility?
+LLMNR=true
diff --git a/etc/systemd/resolved.conf.d/README.md b/etc/systemd/resolved.conf.d/README.md
index 90692096..d52b1271 100644
--- a/etc/systemd/resolved.conf.d/README.md
+++ b/etc/systemd/resolved.conf.d/README.md
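Review bot: The comment added at the top of the renamed file points at `00-only-unbound.conf`, but the file this same commit introduces is named `00-only-local-resolver.conf`, so a reader following the comment will look for a drop-in that does not exist. Suggested line: `# Use this together with other files other than 00-only-local-resolver.conf!`. The README's trailing context line still refers to `00-defaults.conf` as well, which this rename leaves stale. The rest of the renamed file continues outside the hunk.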
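Review bot: `MulticastDNS=true` and `LLMNR=true` make the host both resolve and answer link-local name queries, which is a larger exposure than the comments ("Microsoft Windows compatibility?") suggest is intended; link-local name resolution is a well-known vector for spoofed answers on a shared LAN. If only client-side lookup of `.local` names is wanted, `MulticastDNS=resolve` and `LLMNR=resolve` (or `LLMNR=no` where Windows interop is not actually needed) keep the lookup without advertising this host. `DNSSEC=false` and `DNSOverTLS=false` are only safe here if the Unbound instance on 127.0.0.1/::1 validates and forwards over TLS itself, which this drop-in cannot enforce; a comment such as `# Validation and upstream TLS are expected to be configured in Unbound, not here` would make that dependency explicit. The two separate `DNS=` assignments are presumably merged by resolved's parser, but the documented form is a single list, `DNS=127.0.0.1 ::1`, which avoids relying on that.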
@@ -26,9 +26,15 @@ sudo systemctl restart systemd-resolved
 ## Files explained
-- `00-defaults.conf` - configuration that should be used everywhere.
+- `00-no-local-resolver.conf` - configuration that should be used everywhere.
   Enables DNSSEC (regardless of systemd-resolved not handling it properly),
-  enables opportunistic DoT, caching and local DNS servers.
+  enables opportunistic DoT, caching and local DNS servers (because they
+  should exist anyway as I don't trust systemd-resolved entirely. Anyway if
+  there truly is no local resolver, systemd-resolved will detect that and act accordingly.)
+  - To rephrase, this is sto be used together with other files, especially
+  some of those beginning with `dot-`.
+- `00-only-local-resolver.conf` - for when there is known local resolver.
+  **_Don't combine this with the other files._**
 - `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
   captive portals are a concern, `DNSOverTLS=opportunistic`. At least one of
   these should be used in addition to `00-defaults.conf`