systemd-resolved: enforce DoT for files explicitly supporting it, demand DNSSEC from LAN resolver

Aminda Suomalainen 2024-08-01 19:12:07 +03:00
parent b470649d3a
commit c47faaf25e
Signed by: Mikaela
SSH Key Fingerprint: SHA256:CXLULpqNBdUKB6E6fLA1b/4SzG0HvKD19PbIePU175Q
8 changed files with 8 additions and 9 deletions


@ -9,8 +9,7 @@ DNSSEC=true
# Take the risk of downgrade attacks. Web browser policies enforce # Take the risk of downgrade attacks. Web browser policies enforce
# DNS-over-HTTPS anyway due to Encrypted Client Hello (ECH) still requiring # DNS-over-HTTPS anyway due to Encrypted Client Hello (ECH) still requiring
# it. # it.
#DNSOverTLS=opportunistic DNSOverTLS=opportunistic
DNSOverTLS=true
Cache=true Cache=true
# Consider local DNS servers if they exist. # Consider local DNS servers if they exist.
DNS= DNS=
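Review bot: The comment above `DNSOverTLS=opportunistic` names only the downgrade risk, but this line is now the effective default whenever no provider drop-in sets `DNSOverTLS=true`. In opportunistic mode systemd-resolved falls back to plaintext when the TLS connection fails and, as far as I know, does not validate the server certificate, so answers are only as trustworthy as the network path; `DNSSEC=true` from the hunk header then protects signed zones only. I would extend the comment, for example `# Fallback only: provider drop-ins set DNSOverTLS=true, which overrides this globally.`, and state that the last-parsed file wins. The file name is not shown on this page, so whether this is the main resolved.conf or a drop-in itself should be confirmed.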


@ -2,6 +2,6 @@
# OK, this is not 443, but it bothers me to not have both ports used. # OK, this is not 443, but it bothers me to not have both ports used.
DNS=[2a02:1b8:10:234::2]:853#dot1.applied-privacy.net 146.255.56.98:853#dot1.applied-privacy.net DNS=[2a02:1b8:10:234::2]:853#dot1.applied-privacy.net 146.255.56.98:853#dot1.applied-privacy.net
DNS=[2a02:1b8:10:234::2]:443#dot1.applied-privacy.net 146.255.56.98:443#dot1.applied-privacy.net DNS=[2a02:1b8:10:234::2]:443#dot1.applied-privacy.net 146.255.56.98:443#dot1.applied-privacy.net
#DNSOverTLS=true DNSOverTLS=true
# vim: filetype=systemd # vim: filetype=systemd
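Review bot: Uncommenting `DNSOverTLS=true` here makes strict DoT a global setting for systemd-resolved, not one scoped to the `DNS=` lines in this file; the same applies to the identical change in the five provider files that follow (AdGuard, Cloudflare, dns0.eu, Mullvad, Quad9). Strict mode has no plaintext fallback, so any server without DoT stops answering while one of these drop-ins is installed: the LAN resolvers in the last file if they are ever uncommented, and DHCP-supplied link servers unless a per-link setting overrides the global one. A comment above the line would make that explicit, e.g. `# Global: strict DoT applies to every configured server, not only the ones above.` The `#hostname` suffix on each `DNS=` entry is what certificate validation uses in strict mode, so it should stay on any entry added later.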


@ -1,6 +1,6 @@
[Resolve] [Resolve]
DNS=94.140.14.14#dns.adguard.com 94.140.15.15#dns.adguard.com 2a10:50c0::ad1:ff#dns.adguard.com 2a10:50c0::ad2:ff#dns.adguard.com DNS=94.140.14.14#dns.adguard.com 94.140.15.15#dns.adguard.com 2a10:50c0::ad1:ff#dns.adguard.com 2a10:50c0::ad2:ff#dns.adguard.com
#DNS=94.140.14.140#unfiltered.adguard-dns.com 94.140.14.141#unfiltered.adguard-dns.com DNS=2a10:50c0::1:ff#unfiltered.adguard-dns.com 2a10:50c0::2:ff#unfiltered.adguard-dns.com #DNS=94.140.14.140#unfiltered.adguard-dns.com 94.140.14.141#unfiltered.adguard-dns.com DNS=2a10:50c0::1:ff#unfiltered.adguard-dns.com 2a10:50c0::2:ff#unfiltered.adguard-dns.com
#DNSOverTLS=true DNSOverTLS=true
# vim: filetype=systemd # vim: filetype=systemd


@ -3,6 +3,6 @@
#DNS=2606:4700:4700::1111#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com 1.1.1.1#cloudflare-dns.com 2606:4700:4700::1111#one.one.one.one 1.1.1.1#one.one.one.one 1.0.0.1#one.one.one.one 2606:4700:4700::1001#one.one.one.one #DNS=2606:4700:4700::1111#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com 1.1.1.1#cloudflare-dns.com 2606:4700:4700::1111#one.one.one.one 1.1.1.1#one.one.one.one 1.0.0.1#one.one.one.one 2606:4700:4700::1001#one.one.one.one
# Malicious domain filtering # Malicious domain filtering
DNS=2606:4700:4700::1112#security.cloudflare-dns.com 2606:4700:4700::1002#security.cloudflare-dns.com 1.1.1.2#security.cloudflare-dns.com 1.0.0.2#security.cloudflare-dns.com DNS=2606:4700:4700::1112#security.cloudflare-dns.com 2606:4700:4700::1002#security.cloudflare-dns.com 1.1.1.2#security.cloudflare-dns.com 1.0.0.2#security.cloudflare-dns.com
#DNSOverTLS=true DNSOverTLS=true
# vim: filetype=systemd # vim: filetype=systemd


@ -3,6 +3,6 @@ DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns
#DNS=193.110.81.1#kids.dns0.eu 185.253.5.1#kids.dns0.eu 2a0f:fc80::1#kids.dns0.eu 2a0f:fc81::1#kids.dns0.eu #DNS=193.110.81.1#kids.dns0.eu 185.253.5.1#kids.dns0.eu 2a0f:fc80::1#kids.dns0.eu 2a0f:fc81::1#kids.dns0.eu
#DNS=193.110.81.254#open.dns0.eu 185.253.5.254#open.dns0.eu 2a0f:fc80::ffff#open.dns0.eu 2a0f:fc81::ffff#open.dns0.eu #DNS=193.110.81.254#open.dns0.eu 185.253.5.254#open.dns0.eu 2a0f:fc80::ffff#open.dns0.eu 2a0f:fc81::ffff#open.dns0.eu
#DNS=193.110.81.9#zero.dns0.eu 185.253.5.9#zero.dns0.eu 2a0f:fc80::9#zero.dns0.eu 2a0f:fc81::9#zero.dns0.eu #DNS=193.110.81.9#zero.dns0.eu 185.253.5.9#zero.dns0.eu 2a0f:fc80::9#zero.dns0.eu 2a0f:fc81::9#zero.dns0.eu
#DNSOverTLS=true DNSOverTLS=true
# vim: filetype=systemd # vim: filetype=systemd


@ -4,6 +4,6 @@
DNS=2a07:e340::4#base.dns.mullvad.net 194.242.2.4#base.dns.mullvad.net DNS=2a07:e340::4#base.dns.mullvad.net 194.242.2.4#base.dns.mullvad.net
#DNS=2a07:e340::5#extended.dns.mullvad.net 194.242.2.5#extended.dns.mullvad.net #DNS=2a07:e340::5#extended.dns.mullvad.net 194.242.2.5#extended.dns.mullvad.net
#DNS=2a07:e340::9#all.dns.mullvad.net 194.242.2.9#all.dns.mullvad.net #DNS=2a07:e340::9#all.dns.mullvad.net 194.242.2.9#all.dns.mullvad.net
#DNSOverTLS=true DNSOverTLS=true
# vim: filetype=systemd # vim: filetype=systemd


@ -14,6 +14,6 @@ DNS=2620:fe::11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net [2620:fe::11]:885
# No Threat Blocking + ECS # No Threat Blocking + ECS
#DNS=2620:fe::12#dns12.quad9.net 2620:fe::fe:12#dns12.quad9.net [2620:fe::12]:8853#dns12.quad9.net [2620:fe::fe:12]:8853#dns12.quad9.net #DNS=2620:fe::12#dns12.quad9.net 2620:fe::fe:12#dns12.quad9.net [2620:fe::12]:8853#dns12.quad9.net [2620:fe::fe:12]:8853#dns12.quad9.net
#DNS=9.9.9.12#dns12.quad9.net 149.112.112.12#dns12.quad9.net 9.9.9.12:8853#dns12.quad9.net 149.112.112.12:8853#dns12.quad9.net #DNS=9.9.9.12#dns12.quad9.net 149.112.112.12#dns12.quad9.net 9.9.9.12:8853#dns12.quad9.net 149.112.112.12:8853#dns12.quad9.net
#DNSOverTLS=true DNSOverTLS=true
# vim: filetype=systemd # vim: filetype=systemd


@ -8,5 +8,5 @@
#DNS=192.168.8.1 #DNS=192.168.8.1
# Mikrotik # Mikrotik
#DNS=192.168.88.1 #DNS=192.168.88.1
DNSSEC=true
# vim: filetype=systemd # vim: filetype=systemd
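Review bot: `DNSSEC=true` is added without a comment saying why, and with this value systemd-resolved fails lookups rather than downgrading when the upstream does not return DNSSEC records, which consumer routers like the ones listed above often do not. Since a LAN resolver is normally reached in plaintext, I would document the intent above the line, e.g. `# LAN resolver is plaintext; DNSSEC validation is the only integrity check on its answers.`, and mention `allow-downgrade` as the alternative if the router strips signatures. The first file's hunk header already shows `DNSSEC=true`, so this line may be redundant depending on parse order. Only one copy of the changed line is printed in this section, so the line it replaced is not visible here.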