mirror of
https://gitea.blesmrt.net/mikaela/shell-things.git
synced 2024-12-26 12:52:43 +01:00
etc/ststemd/resolved…: aggressive cleanup/rewriting
This commit is contained in:
parent
6e77c77aa7
commit
d47c374706
6
etc/systemd/resolved.conf.d/00-defaults.conf
Normal file
6
etc/systemd/resolved.conf.d/00-defaults.conf
Normal file
@ -0,0 +1,6 @@
|
||||
[Resolve]
|
||||
# Breaks everything, https://github.com/systemd/systemd/issues?q=dnssec%3Dallow-downgrade+is%3Aissue+is%3Aopen
|
||||
#DNSSEC=allow-downgrade
|
||||
DNSSEC=no
|
||||
DNSOverTLS=opportunistic
|
||||
Cache=yes
|
@ -1,6 +0,0 @@
|
||||
# Config file to attempt DNSSEC and DoT everywhere, regardless of tech
|
||||
# skill
|
||||
[Resolve]
|
||||
DNSSEC=allow-downgrade
|
||||
DNSOverTLS=opportunistic
|
||||
Cache=true
|
@ -2,19 +2,15 @@
|
||||
|
||||
### Files explained
|
||||
|
||||
* 00-everywhere.conf - configuration that doesn't affect DNS servers, attempts
|
||||
to use DNSSEC and DoT and if it fails, doesn't care and uses insecure
|
||||
configuration.
|
||||
* quad9-compat.conf - non-tech person config for Quad9, same as above except
|
||||
specifies the server.
|
||||
* quad9-strict.conf - tech person config demanding DNSSEC and DoT from Quad9
|
||||
* 00-defaults.conf - configuration not touching resolvers. Disables DNSSEC (as
|
||||
systemd-resolved doesn't handle it properly), enables opportunistic DoT and
|
||||
caching.
|
||||
* dot-*.conf - configuration to use the DNS provider with DNS-over-TLS. If
|
||||
captive portals are a concern, `DNSOverTLS`.
|
||||
* README.md - you are reading it right now.
|
||||
|
||||
### General commentary
|
||||
|
||||
I have moved duplicate comments to this file, so it will possibly look weird
|
||||
or miss original context.
|
||||
|
||||
* Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS (however
|
||||
at the time of writing this README.md, the current version is Ubuntu 20.04.0)
|
||||
(systemd v237). DNSOverTLS became supported in v239, strict mode (yes) in
|
||||
@ -26,7 +22,7 @@ or miss original context.
|
||||
* DNSSEC may not work if the system is down for a long time and not updated.
|
||||
Thus `allow-downgrade` may be better for non-tech people, even with the
|
||||
potential downgrade attack. There are also captive portals, affecting
|
||||
`DNSOverTLS`. Both take `true` or `false` or their own special option,
|
||||
`DNSOverTLS`. Both take `yes` or `no` or their own special option,
|
||||
for DNNSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
|
||||
|
||||
Other links I have found important and my files are based on:
|
||||
|
@ -1,14 +0,0 @@
|
||||
# AdGuard / systemd-resolved. For people who don't panic when DoT doesn't
|
||||
# work and captive portals attack? See README.md. Also requires not
|
||||
# panicking if tbe user needs something AdGuard is blocking.
|
||||
[Resolve]
|
||||
DNS=2a10:50c0::ad1:ff#dns.adguard.com 94.140.14.14#dns.adguard.com 2a10:50c0::ad2:ff#dns.adguard.com 94.140.15.15#dns.adguard.com
|
||||
Domains=~.
|
||||
# non-tech friendliness in case system down for ages. Also DNSSEC ensures
|
||||
# the DNS server isn't lying which is a task of adblocking DNS server...
|
||||
DNSSEC=false
|
||||
# There is no point of disabling this with adblocking DNS
|
||||
DNSOverTLS=true
|
||||
Cache=true
|
||||
|
||||
# Updated for https://adguard.com/en/blog/adguard-dns-new-addresses.html
|
@ -1,8 +0,0 @@
|
||||
# Cloudflare / systemd-resolved. For people who don't panic when DNSSEC or
|
||||
# DoT doesn't work and captive portals attack? See README.md
|
||||
[Resolve]
|
||||
DNS=2606:4700:4700::1111#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com 1.1.1.1#cloudflare-dns.com
|
||||
Domains=~.
|
||||
DNSSEC=true
|
||||
DNSOverTLS=true
|
||||
Cache=true
|
7
etc/systemd/resolved.conf.d/dot-adguard.conf
Normal file
7
etc/systemd/resolved.conf.d/dot-adguard.conf
Normal file
@ -0,0 +1,7 @@
|
||||
[Resolve]
|
||||
DNS=2a10:50c0::ad1:ff#dns.adguard.com 94.140.14.14#dns.adguard.com 2a10:50c0::ad2:ff#dns.adguard.com 94.140.15.15#dns.adguard.com
|
||||
Domains=~.
|
||||
DNSOverTLS=yes
|
||||
Cache=yes
|
||||
|
||||
# Updated for https://adguard.com/en/blog/adguard-dns-new-addresses.html
|
5
etc/systemd/resolved.conf.d/dot-cloudflare.conf
Normal file
5
etc/systemd/resolved.conf.d/dot-cloudflare.conf
Normal file
@ -0,0 +1,5 @@
|
||||
[Resolve]
|
||||
DNS=2606:4700:4700::1111#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com 1.1.1.1#cloudflare-dns.com
|
||||
Domains=~.
|
||||
DNSOverTLS=yes
|
||||
Cache=yes
|
@ -1,8 +0,0 @@
|
||||
[Resolve]
|
||||
DNS=2a07:e340::3#adblock.doh.mullvad.net 194.242.2.3#adblock.doh.mullvad.net 193.19.108.3#adblock.doh.mullvad.net
|
||||
Domains=~.
|
||||
# non-tech friendliness in case system down for ages. Also DNSSEC ensures
|
||||
# the DNS server isn't lying which is a task of adblocking DNS server...
|
||||
DNSSEC=false
|
||||
DNSOverTLS=true
|
||||
Cache=true
|
5
etc/systemd/resolved.conf.d/dot-mullvad-adblock.conf
Normal file
5
etc/systemd/resolved.conf.d/dot-mullvad-adblock.conf
Normal file
@ -0,0 +1,5 @@
|
||||
[Resolve]
|
||||
DNS=2a07:e340::3#adblock.doh.mullvad.net 194.242.2.3#adblock.doh.mullvad.net 193.19.108.3#adblock.doh.mullvad.net
|
||||
Domains=~.
|
||||
DNSOverTLS=yes
|
||||
Cache=yes
|
@ -1,6 +1,5 @@
|
||||
[Resolve]
|
||||
DNS=2a07:e340::2#doh.mullvad.net 194.242.2.2#doh.mullvad.net 193.19.108.2#doh.mullvad.net
|
||||
Domains=~.
|
||||
DNSSEC=true
|
||||
DNSOverTLS=true
|
||||
Cache=true
|
||||
DNSOverTLS=yes
|
||||
Cache=yes
|
@ -1,7 +1,5 @@
|
||||
# NextDNS / systemd-resolved. For non-tech people? See README.md
|
||||
[Resolve]
|
||||
2a07:a8c0::#dns.nextdns.io 2a07:a8c1::#dns.nextdns.io 45.90.28.0#dns.nextdns.io 45.90.30.0#dns.nextdns.io
|
||||
Domains=~.
|
||||
DNSSEC=allow-downgrade
|
||||
DNSOverTLS=opportunistic
|
||||
Cache=true
|
||||
DNSOverTLS=yes
|
||||
Cache=yes
|
5
etc/systemd/resolved.conf.d/dot-quad9-ecs.conf
Normal file
5
etc/systemd/resolved.conf.d/dot-quad9-ecs.conf
Normal file
@ -0,0 +1,5 @@
|
||||
[Resolve]
|
||||
DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
|
||||
Domains=~.
|
||||
DNSOverTLS=yes
|
||||
Cache=yes
|
@ -1,7 +1,5 @@
|
||||
# Quad9 / systemd-resolved. For non-tech people? See README.md
|
||||
[Resolve]
|
||||
DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
|
||||
Domains=~.
|
||||
DNSSEC=allow-downgrade
|
||||
DNSOverTLS=opportunistic
|
||||
Cache=true
|
||||
DNSOverTLS=yes
|
||||
Cache=yes
|
5
etc/systemd/resolved.conf.d/dot-snopyta.conf
Normal file
5
etc/systemd/resolved.conf.d/dot-snopyta.conf
Normal file
@ -0,0 +1,5 @@
|
||||
[Resolve]
|
||||
DNS=2a01:4f9:2a:1919::9301#fi.dot.dns.snopyta.org 95.216.24.230#fi.dot.dns.snopyta.org
|
||||
Domains=~.
|
||||
DNSOverTLS=yes
|
||||
Cache=yes
|
@ -1,8 +0,0 @@
|
||||
# NextDNS / systemd-resolved. For people who don't panic when DNSSEC or
|
||||
# DoT doesn't work and captive portals attack? See README.md
|
||||
[Resolve]
|
||||
2a07:a8c0::#dns.nextdns.io 2a07:a8c1::#dns.nextdns.io 45.90.28.0#dns.nextdns.io 45.90.30.0#dns.nextdns.io
|
||||
Domains=~.
|
||||
DNSSEC=true
|
||||
DNSOverTLS=true
|
||||
Cache=true
|
@ -1,7 +0,0 @@
|
||||
# Quad9 with client subnet / systemd-resolved. For non-tech people? See README.md
|
||||
[Resolve]
|
||||
DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
|
||||
Domains=~.
|
||||
DNSSEC=allow-downgrade
|
||||
DNSOverTLS=opportunistic
|
||||
Cache=true
|
@ -1,8 +0,0 @@
|
||||
# Quad9 with client subnet / systemd-resolved. For people who don't panic when DNSSEC or
|
||||
# DoT doesn't work and captive portals attack? See README.md
|
||||
[Resolve]
|
||||
DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
|
||||
Domains=~.
|
||||
DNSSEC=true
|
||||
DNSOverTLS=true
|
||||
Cache=true
|
@ -1,8 +0,0 @@
|
||||
# Quad9 / systemd-resolved. For people who don't panic when DNSSEC or
|
||||
# DoT doesn't work and captive portals attack? See README.md
|
||||
[Resolve]
|
||||
DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
|
||||
Domains=~.
|
||||
DNSSEC=true
|
||||
DNSOverTLS=true
|
||||
Cache=true
|
@ -1,8 +0,0 @@
|
||||
# Snopyta / systemd-resolved. For people who don't panic when DNSSEC or
|
||||
# DoT doesn't work and captive portals attack? See README.md
|
||||
[Resolve]
|
||||
DNS=2a01:4f9:2a:1919::9301#fi.dot.dns.snopyta.org 95.216.24.230#fi.dot.dns.snopyta.org
|
||||
Domains=~.
|
||||
DNSSEC=true
|
||||
DNSOverTLS=true
|
||||
Cache=true
|
@ -3,9 +3,9 @@
|
||||
DNS=127.0.0.1
|
||||
DNS=::1
|
||||
Domains=~.
|
||||
# Done better by Unbound, no failed-auxillary
|
||||
DNSSEC=false
|
||||
# Done better by Unbound
|
||||
DNSSEC=no
|
||||
# Not needed on localhost
|
||||
DNSOverTLS=false
|
||||
DNSOverTLS=no
|
||||
# Done by Unbound
|
||||
Cache=false
|
||||
Cache=no
|
||||
|
Loading…
Reference in New Issue
Block a user