etc/ststemd/resolved…: aggressive cleanup/rewriting

2022-03-28 20:28:17 +03:00 · 2022-03-28 20:28:17 +03:00 · d47c374706
parent 6e77c77aa7
commit d47c374706
20 changed files with 49 additions and 100 deletions
--- a/etc/systemd/resolved.conf.d/00-defaults.conf
+++ b/etc/systemd/resolved.conf.d/00-defaults.conf
@ -0,0 +1,6 @@
+[Resolve]
+# Breaks everything, https://github.com/systemd/systemd/issues?q=dnssec%3Dallow-downgrade+is%3Aissue+is%3Aopen
+#DNSSEC=allow-downgrade
+DNSSEC=no
+DNSOverTLS=opportunistic
+Cache=yes
--- a/etc/systemd/resolved.conf.d/00-everywhere.conf
+++ b/etc/systemd/resolved.conf.d/00-everywhere.conf
@ -1,6 +0,0 @@
-# Config file to attempt DNSSEC and DoT everywhere, regardless of tech
-# skill
-[Resolve]
-DNSSEC=allow-downgrade
-DNSOverTLS=opportunistic
-Cache=true
--- a/etc/systemd/resolved.conf.d/README.md
+++ b/etc/systemd/resolved.conf.d/README.md
@ -2,19 +2,15 @@

 ### Files explained

-* 00-everywhere.conf - configuration that doesn't affect DNS servers, attempts
-  to use DNSSEC and DoT and if it fails, doesn't care and uses insecure
-  configuration.
-* quad9-compat.conf - non-tech person config for Quad9, same as above except
-  specifies the server.
-* quad9-strict.conf - tech person config demanding DNSSEC and DoT from Quad9
+* 00-defaults.conf - configuration not touching resolvers. Disables DNSSEC (as
+  systemd-resolved doesn't handle it properly), enables opportunistic DoT and
+  caching.
+* dot-*.conf - configuration to use the DNS provider with DNS-over-TLS. If
+  captive portals are a concern, `DNSOverTLS`.
 * README.md - you are reading it right now.

 ### General commentary

-I have moved duplicate comments to this file, so it will possibly look weird
-or miss original context.
-
 * Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS (however
  at the time of writing this README.md, the current version is Ubuntu 20.04.0)
  (systemd v237). DNSOverTLS became supported in v239, strict mode (yes) in
@ -26,7 +22,7 @@ or miss original context.
 * DNSSEC may not work if the system is down for a long time and not updated.
  Thus `allow-downgrade` may be better for non-tech people, even with the
  potential downgrade attack. There are also captive portals, affecting
-  `DNSOverTLS`. Both take `true` or `false` or their own special option,
+  `DNSOverTLS`. Both take `yes` or `no` or their own special option,
  for DNNSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.

 Other links I have found important and my files are based on:
--- a/etc/systemd/resolved.conf.d/adguard-dot.conf
+++ b/etc/systemd/resolved.conf.d/adguard-dot.conf
@ -1,14 +0,0 @@
-# AdGuard / systemd-resolved. For people who don't panic when DoT doesn't
-# work and captive portals attack? See README.md. Also requires not
-# panicking if tbe user needs something AdGuard is blocking.
-[Resolve]
-DNS=2a10:50c0::ad1:ff#dns.adguard.com 94.140.14.14#dns.adguard.com 2a10:50c0::ad2:ff#dns.adguard.com 94.140.15.15#dns.adguard.com
-Domains=~.
-# non-tech friendliness in case system down for ages. Also DNSSEC ensures
-# the DNS server isn't lying which is a task of adblocking DNS server...
-DNSSEC=false
-# There is no point of disabling this with adblocking DNS
-DNSOverTLS=true
-Cache=true
-
-# Updated for https://adguard.com/en/blog/adguard-dns-new-addresses.html
--- a/etc/systemd/resolved.conf.d/cloudflare-strict.conf
+++ b/etc/systemd/resolved.conf.d/cloudflare-strict.conf
@ -1,8 +0,0 @@
-# Cloudflare / systemd-resolved. For people who don't panic when DNSSEC or
-# DoT doesn't work and captive portals attack? See README.md
-[Resolve]
-DNS=2606:4700:4700::1111#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com 1.1.1.1#cloudflare-dns.com
-Domains=~.
-DNSSEC=true
-DNSOverTLS=true
-Cache=true
--- a/etc/systemd/resolved.conf.d/dot-adguard.conf
+++ b/etc/systemd/resolved.conf.d/dot-adguard.conf
@ -0,0 +1,7 @@
+[Resolve]
+DNS=2a10:50c0::ad1:ff#dns.adguard.com 94.140.14.14#dns.adguard.com 2a10:50c0::ad2:ff#dns.adguard.com 94.140.15.15#dns.adguard.com
+Domains=~.
+DNSOverTLS=yes
+Cache=yes
+
+# Updated for https://adguard.com/en/blog/adguard-dns-new-addresses.html
--- a/etc/systemd/resolved.conf.d/dot-cloudflare.conf
+++ b/etc/systemd/resolved.conf.d/dot-cloudflare.conf
@ -0,0 +1,5 @@
+[Resolve]
+DNS=2606:4700:4700::1111#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com 1.1.1.1#cloudflare-dns.com
+Domains=~.
+DNSOverTLS=yes
+Cache=yes
--- a/etc/systemd/resolved.conf.d/dot-mullvad-adblock-strict.conf
+++ b/etc/systemd/resolved.conf.d/dot-mullvad-adblock-strict.conf
@ -1,8 +0,0 @@
-[Resolve]
-DNS=2a07:e340::3#adblock.doh.mullvad.net 194.242.2.3#adblock.doh.mullvad.net 193.19.108.3#adblock.doh.mullvad.net
-Domains=~.
-# non-tech friendliness in case system down for ages. Also DNSSEC ensures
-# the DNS server isn't lying which is a task of adblocking DNS server...
-DNSSEC=false
-DNSOverTLS=true
-Cache=true
--- a/etc/systemd/resolved.conf.d/dot-mullvad-adblock.conf
+++ b/etc/systemd/resolved.conf.d/dot-mullvad-adblock.conf
@ -0,0 +1,5 @@
+[Resolve]
+DNS=2a07:e340::3#adblock.doh.mullvad.net 194.242.2.3#adblock.doh.mullvad.net 193.19.108.3#adblock.doh.mullvad.net
+Domains=~.
+DNSOverTLS=yes
+Cache=yes
--- a/etc/systemd/resolved.conf.d/dot-mullvad-strict.conf
+++ b/etc/systemd/resolved.conf.d/dot-mullvad-strict.conf
@ -1,6 +1,5 @@
 [Resolve]
 DNS=2a07:e340::2#doh.mullvad.net 194.242.2.2#doh.mullvad.net 193.19.108.2#doh.mullvad.net
 Domains=~.
-DNSSEC=true
-DNSOverTLS=true
-Cache=true
+DNSOverTLS=yes
+Cache=yes
--- a/etc/systemd/resolved.conf.d/nextdns-compat.conf
+++ b/etc/systemd/resolved.conf.d/nextdns-compat.conf
@ -1,7 +1,5 @@
-# NextDNS / systemd-resolved. For non-tech people? See README.md
 [Resolve]
 2a07:a8c0::#dns.nextdns.io 2a07:a8c1::#dns.nextdns.io 45.90.28.0#dns.nextdns.io 45.90.30.0#dns.nextdns.io
 Domains=~.
-DNSSEC=allow-downgrade
-DNSOverTLS=opportunistic
-Cache=true
+DNSOverTLS=yes
+Cache=yes
--- a/etc/systemd/resolved.conf.d/dot-quad9-ecs.conf
+++ b/etc/systemd/resolved.conf.d/dot-quad9-ecs.conf
@ -0,0 +1,5 @@
+[Resolve]
+DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
+Domains=~.
+DNSOverTLS=yes
+Cache=yes
--- a/etc/systemd/resolved.conf.d/quad9-compat.conf
+++ b/etc/systemd/resolved.conf.d/quad9-compat.conf
@ -1,7 +1,5 @@
-# Quad9 / systemd-resolved. For non-tech people? See README.md
 [Resolve]
 DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
 Domains=~.
-DNSSEC=allow-downgrade
-DNSOverTLS=opportunistic
-Cache=true
+DNSOverTLS=yes
+Cache=yes
--- a/etc/systemd/resolved.conf.d/dot-snopyta.conf
+++ b/etc/systemd/resolved.conf.d/dot-snopyta.conf
@ -0,0 +1,5 @@
+[Resolve]
+DNS=2a01:4f9:2a:1919::9301#fi.dot.dns.snopyta.org 95.216.24.230#fi.dot.dns.snopyta.org
+Domains=~.
+DNSOverTLS=yes
+Cache=yes
--- a/etc/systemd/resolved.conf.d/nextdns-strict.conf
+++ b/etc/systemd/resolved.conf.d/nextdns-strict.conf
@ -1,8 +0,0 @@
-# NextDNS / systemd-resolved. For people who don't panic when DNSSEC or
-# DoT doesn't work and captive portals attack? See README.md
-[Resolve]
-2a07:a8c0::#dns.nextdns.io 2a07:a8c1::#dns.nextdns.io 45.90.28.0#dns.nextdns.io 45.90.30.0#dns.nextdns.io
-Domains=~.
-DNSSEC=true
-DNSOverTLS=true
-Cache=true
--- a/etc/systemd/resolved.conf.d/quad9-ecs-compat.conf
+++ b/etc/systemd/resolved.conf.d/quad9-ecs-compat.conf
@ -1,7 +0,0 @@
-# Quad9 with client subnet / systemd-resolved. For non-tech people? See README.md
-[Resolve]
-DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
-Domains=~.
-DNSSEC=allow-downgrade
-DNSOverTLS=opportunistic
-Cache=true
--- a/etc/systemd/resolved.conf.d/quad9-ecs-strict.conf
+++ b/etc/systemd/resolved.conf.d/quad9-ecs-strict.conf
@ -1,8 +0,0 @@
-# Quad9 with client subnet / systemd-resolved. For people who don't panic when DNSSEC or
-# DoT doesn't work and captive portals attack? See README.md
-[Resolve]
-DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
-Domains=~.
-DNSSEC=true
-DNSOverTLS=true
-Cache=true
--- a/etc/systemd/resolved.conf.d/quad9-strict.conf
+++ b/etc/systemd/resolved.conf.d/quad9-strict.conf
@ -1,8 +0,0 @@
-# Quad9 / systemd-resolved. For people who don't panic when DNSSEC or
-# DoT doesn't work and captive portals attack? See README.md
-[Resolve]
-DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
-Domains=~.
-DNSSEC=true
-DNSOverTLS=true
-Cache=true
--- a/etc/systemd/resolved.conf.d/snopyta-strict.conf
+++ b/etc/systemd/resolved.conf.d/snopyta-strict.conf
@ -1,8 +0,0 @@
-# Snopyta / systemd-resolved. For people who don't panic when DNSSEC or
-# DoT doesn't work and captive portals attack? See README.md
-[Resolve]
-DNS=2a01:4f9:2a:1919::9301#fi.dot.dns.snopyta.org 95.216.24.230#fi.dot.dns.snopyta.org
-Domains=~.
-DNSSEC=true
-DNSOverTLS=true
-Cache=true
--- a/etc/systemd/resolved.conf.d/unbound.conf
+++ b/etc/systemd/resolved.conf.d/unbound.conf
@ -3,9 +3,9 @@
 DNS=127.0.0.1
 DNS=::1
 Domains=~.
-# Done better by Unbound, no failed-auxillary
-DNSSEC=false
+# Done better by Unbound
+DNSSEC=no
 # Not needed on localhost
-DNSOverTLS=false
+DNSOverTLS=no
 # Done by Unbound
-Cache=false
+Cache=no