diff --git a/etc/resolv.conf b/etc/resolv.conf
index 69151513..cb63c714 100644
--- a/etc/resolv.conf
+++ b/etc/resolv.conf
@@ -28,9 +28,17 @@ nameserver 127.0.0.53
 # edns0 = extended DNS
 # trust-ad = trust DNSSEC authenticated data
-# timeout:1 = nameserver timeout 1 s (default 5, max 30), then next
-# attempts:5 = if all nameservers fail, attempt again 5 times (def 2, max 5)
-options edns0 trust-ad timeout:1 attempts:5
+# timeout:2 = nameserver timeout 2 s (default 5, max 30), then next
+# attempts:2 = if all nameservers fail, attempt again 2 times (def 2, max 5)
+# rotate = instead of trying the nameservers in the order specified, randomize
+# the order in round-robin fashion. They are all theoretically the same,
+# except that NordVPN disables IPv6 so ::1 will fail and occassionally only
+# systemd-resolved works and I am under impression that some apps are aware of
+# systemd-resolved and will use it directly bypassing resolv.conf
+options edns0 trust-ad timeout:2 attempts:2 rotate
+# AMINDA! Remember, you are specifying these here, a couple of bash scripts
+# in this directory, see the comment on top, ../rc/{bash,zsh}rc
+# ($RES_OPTIONS) and systemd/system/service.d/resolv.conf !
 # no sending local domain to upstream whenever NXDOMAIN happens
 search .
diff --git a/etc/resolv.conf-generate.bash b/etc/resolv.conf-generate.bash
index 0a82fb24..75efe147 100755
--- a/etc/resolv.conf-generate.bash
+++ b/etc/resolv.conf-generate.bash
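Review bot: `rotate` on the new `options` line changes which resolver gets trusted, not only load: with three distinct nameservers (::1, 127.0.0.1, 127.0.0.53, as the generator script in this same commit writes them) round-robin now sends roughly every third query first to 127.0.0.53, and the retained `trust-ad` makes the stub accept the AD bit from whichever server answered, so the new comment's "all theoretically the same" only holds if 127.0.0.53 (systemd-resolved) validates DNSSEC as strictly as the loopback resolvers — exactly the weak spot the bashrc comment in this commit already flags for `trust-ad`. Before this change 127.0.0.53 was reached only after ::1 and 127.0.0.1 had both timed out. I would either drop `rotate` here or record the trade-off next to it, e.g. `# NOTE: with rotate, 127.0.0.53 (systemd-resolved) answers ~1/3 of queries and, because of trust-ad, its AD bit is trusted like the loopback resolvers' — confirm resolved is validating (DNSSEC=yes)`. Also, resolv.conf(5) describes `rotate` as round-robin selection rather than randomisation, so "randomize the order" in the comment is misleading.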
@@ -17,7 +17,7 @@ rm -v /etc/resolv.conf
 # Actual resolv.conf creation. OK, this could read resolv.conf in this
 # directory, but I like this being self-contained.
 # tee -p = operate in a more appropriate MODE with pipes.
-printf 'nameserver ::1\nnameserver 127.0.0.1\nnameserver 127.0.0.53\noptions edns0 trust-ad timeout:1 attempts:5\nsearch .\n' | tee -p /etc/resolv.conf
+printf 'nameserver ::1\nnameserver 127.0.0.1\nnameserver 127.0.0.53\noptions edns0 trust-ad timeout:2 attempts:2 rotate\nsearch .\n' | tee -p /etc/resolv.conf
 # Remove all other permissions than everyone reading resolv.conf
 chmod -v a=r /etc/resolv.conf
diff --git a/etc/systemd-resolv.conf-generate.bash b/etc/systemd-resolv.conf-generate.bash
index 0301932e..de532f5d 100755
--- a/etc/systemd-resolv.conf-generate.bash
+++ b/etc/systemd-resolv.conf-generate.bash
@@ -29,7 +29,7 @@ chmod -v +w /etc/resolv.conf
 rm -v /etc/resolv.conf
 # tee -p = operate in a more appropriate MODE with pipes.
-printf 'nameserver 127.0.0.53\nnameserver 127.0.0.53\nnameserver 127.0.0.53\noptions edns0 trust-ad timeout:1 attempts:5\nsearch .\n' | tee -p /etc/resolv.conf
+printf 'nameserver 127.0.0.53\nnameserver 127.0.0.53\nnameserver 127.0.0.53\noptions edns0 trust-ad timeout:2 attempts:2 rotate\nsearch .\n' | tee -p /etc/resolv.conf
 # Remove all other permissions than everyone reading resolv.conf
 chmod -v a=r /etc/resolv.conf
diff --git a/etc/systemd/system/service.d/resolv.conf b/etc/systemd/system/service.d/resolv.conf
index 2cfa80cb..458a4e7c 100644
--- a/etc/systemd/system/service.d/resolv.conf
+++ b/etc/systemd/system/service.d/resolv.conf
@@ -5,6 +5,6 @@
 # note that this is possible.
 [Service]
 Environment=LOCALDOMAIN=.
-Environment=RES_OPTIONS="edns0 trust-ad timeout:1 attempts:5"
+Environment=RES_OPTIONS="edns0 trust-ad timeout:2 attempts:2 rotate"
 # vim: filetype=systemd
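Review bot: `rotate` is a no-op in the string this printf writes in systemd-resolv.conf-generate.bash, because all three nameserver entries are the same 127.0.0.53, so only `timeout:2 attempts:2` actually changes behaviour for the systemd-resolved variant. Keeping the option string identical to resolv.conf-generate.bash is reasonable, but nothing tells a reader that, and the three identical entries (presumably there to multiply the retry budget — confirm) make it look as if rotation matters. A line above the printf such as `# rotate is a no-op here (all three entries are 127.0.0.53); kept only so the option string matches resolv.conf-generate.bash` would make the intent explicit.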
diff --git a/etc/unbound/unbound.conf.d/expired-stale-serving-rfc8767.conf b/etc/unbound/unbound.conf.d/expired-stale-serving-rfc8767.conf
index 48df792f..4d3dcd03 100644
--- a/etc/unbound/unbound.conf.d/expired-stale-serving-rfc8767.conf
+++ b/etc/unbound/unbound.conf.d/expired-stale-serving-rfc8767.conf
@@ -13,10 +13,7 @@ server:
 serve-expired-reply-ttl: 30
 # Serve expired data to client if there is no answer in 1.8 seconds as per
 # common timeout 2 seconds according to the RFC 8767
- #serve-expired-client-timeout: 1800
- # However my /etc/resolv.conf timeout is 1 second since all my nameservers
- # are localhost, so let's wait 0.8 seconds instead.
- serve-expired-client-timeout: 800
+ serve-expired-client-timeout: 1800
 # Human readable DNSSEC errors for expired records
 ede-serve-expired: yes
diff --git a/rc/bashrc b/rc/bashrc
index df344b6d..ee501b43 100755
--- a/rc/bashrc
+++ b/rc/bashrc
@@ -258,7 +258,7 @@ export LSCOLORS=gxBxhxDxfxhxhxhxhxcxcx
 export LOCALDOMAIN=.
 # Secureish resolv.conf options (except trust-ad, but systemd also sets it
 # regardless of whether DNSSEC=true or not.
-export RES_OPTIONS="edns0 trust-ad timeout:1 attempts:5"
+export RES_OPTIONS="edns0 trust-ad timeout:2 attempts:2 rotate"
 ##### Aliases RJ706I #####
diff --git a/rc/zshrc b/rc/zshrc
index 54c669fb..605778e2 100755
--- a/rc/zshrc
+++ b/rc/zshrc
@@ -217,7 +217,7 @@ export LSCOLORS=gxBxhxDxfxhxhxhxhxcxcx
 export LOCALDOMAIN=.
 # Secureish resolv.conf options (except trust-ad, but systemd also sets it
 # regardless of whether DNSSEC=true or not.
-export RES_OPTIONS="edns0 trust-ad timeout:1 attempts:5"
+export RES_OPTIONS="edns0 trust-ad timeout:2 attempts:2 rotate"
 ##### Aliases RJ706I #####
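Review bot: The removed lines were the only record that `serve-expired-client-timeout` is tuned against the stub resolver's timeout, and the new value 1800 is not re-documented against the new `timeout:2` (2000 ms) set in /etc/resolv.conf and RES_OPTIONS by this same commit, leaving 200 ms of headroom that a later edit to either side can silently erase. The surviving comment still attributes the figure to "common timeout 2 seconds according to the RFC 8767", which hides that the binding constraint is the local stub setting, not the RFC. I would put above the value a comment such as `# Must stay below the glibc stub timeout (timeout:2 = 2000 ms in /etc/resolv.conf and RES_OPTIONS), otherwise the client retries or moves to the next nameserver before the stale answer is sent`. The `server:` block this option sits in starts outside the hunk.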