From d47c374706e9748f3167dbe42f5d8d8177fd6af9 Mon Sep 17 00:00:00 2001 
From: Aminda Suomalainen
Date: Mon, 28 Mar 2022 20:28:17 +0300
Subject: [PATCH] =?UTF-8?q?etc/ststemd/resolved=E2=80=A6:=20aggressive=20c?=
 =?UTF-8?q?leanup/rewriting?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 etc/systemd/resolved.conf.d/00-defaults.conf | 6 ++++++
 etc/systemd/resolved.conf.d/00-everywhere.conf | 6 ------
 etc/systemd/resolved.conf.d/README.md | 16 ++++++----------
 etc/systemd/resolved.conf.d/adguard-dot.conf | 14 --------------
 .../resolved.conf.d/cloudflare-strict.conf | 8 --------
 etc/systemd/resolved.conf.d/dot-adguard.conf | 7 +++++++
 etc/systemd/resolved.conf.d/dot-cloudflare.conf | 5 +++++
 .../dot-mullvad-adblock-strict.conf | 8 --------
 .../resolved.conf.d/dot-mullvad-adblock.conf | 5 +++++
 ...{dot-mullvad-strict.conf => dot-mullvad.conf} | 5 ++---
 .../{nextdns-compat.conf => dot-nextdns.conf} | 6 ++----
 etc/systemd/resolved.conf.d/dot-quad9-ecs.conf | 5 +++++
 .../{quad9-compat.conf => dot-quad9.conf} | 6 ++----
 etc/systemd/resolved.conf.d/dot-snopyta.conf | 5 +++++
 etc/systemd/resolved.conf.d/nextdns-strict.conf | 8 --------
 .../resolved.conf.d/quad9-ecs-compat.conf | 7 -------
 .../resolved.conf.d/quad9-ecs-strict.conf | 8 --------
 etc/systemd/resolved.conf.d/quad9-strict.conf | 8 --------
 etc/systemd/resolved.conf.d/snopyta-strict.conf | 8 --------
 etc/systemd/resolved.conf.d/unbound.conf | 8 ++++----
 20 files changed, 49 insertions(+), 100 deletions(-)
 create mode 100644 etc/systemd/resolved.conf.d/00-defaults.conf
 delete mode 100644 etc/systemd/resolved.conf.d/00-everywhere.conf
 delete mode 100644 etc/systemd/resolved.conf.d/adguard-dot.conf
 delete mode 100644 etc/systemd/resolved.conf.d/cloudflare-strict.conf
 create mode 100644 etc/systemd/resolved.conf.d/dot-adguard.conf
 create mode 100644 etc/systemd/resolved.conf.d/dot-cloudflare.conf
 delete mode 100644 etc/systemd/resolved.conf.d/dot-mullvad-adblock-strict.conf
 create mode 100644 etc/systemd/resolved.conf.d/dot-mullvad-adblock.conf
 rename etc/systemd/resolved.conf.d/{dot-mullvad-strict.conf => dot-mullvad.conf} (74%)
 rename etc/systemd/resolved.conf.d/{nextdns-compat.conf => dot-nextdns.conf} (50%)
 create mode 100644 etc/systemd/resolved.conf.d/dot-quad9-ecs.conf
 rename etc/systemd/resolved.conf.d/{quad9-compat.conf => dot-quad9.conf} (51%)
 create mode 100644 etc/systemd/resolved.conf.d/dot-snopyta.conf
 delete mode 100644 etc/systemd/resolved.conf.d/nextdns-strict.conf
 delete mode 100644 etc/systemd/resolved.conf.d/quad9-ecs-compat.conf
 delete mode 100644 etc/systemd/resolved.conf.d/quad9-ecs-strict.conf
 delete mode 100644 etc/systemd/resolved.conf.d/quad9-strict.conf
 delete mode 100644 etc/systemd/resolved.conf.d/snopyta-strict.conf

diff --git a/etc/systemd/resolved.conf.d/00-defaults.conf b/etc/systemd/resolved.conf.d/00-defaults.conf
new file mode 100644
index 00000000..91bc1fb8
--- /dev/null
+++ b/etc/systemd/resolved.conf.d/00-defaults.conf
@@ -0,0 +1,6 @@
+[Resolve]
+# Breaks everything, https://github.com/systemd/systemd/issues?q=dnssec%3Dallow-downgrade+is%3Aissue+is%3Aopen
+#DNSSEC=allow-downgrade
+DNSSEC=no
+DNSOverTLS=opportunistic
+Cache=yes
diff --git a/etc/systemd/resolved.conf.d/00-everywhere.conf b/etc/systemd/resolved.conf.d/00-everywhere.conf
deleted file mode 100644
index 0aa18ad6..00000000
--- a/etc/systemd/resolved.conf.d/00-everywhere.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# Config file to attempt DNSSEC and DoT everywhere, regardless of tech
-# skill
-[Resolve]
-DNSSEC=allow-downgrade
-DNSOverTLS=opportunistic
-Cache=true
diff --git a/etc/systemd/resolved.conf.d/README.md b/etc/systemd/resolved.conf.d/README.md
index 22026f16..c53622ad 100644
--- a/etc/systemd/resolved.conf.d/README.md
+++ b/etc/systemd/resolved.conf.d/README.md
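Review bot: The new 00-defaults.conf turns validation off (`DNSSEC=no`) and makes DoT opportunistic, and `opportunistic` falls back to plaintext DNS whenever TLS to the server is unavailable, so this baseline can be downgraded by anyone on the path; the only comment explains why `allow-downgrade` was rejected, not the exposure the chosen values leave. Drop-ins are applied in lexical order, so the `00-` prefix is what lets the later `dot-*.conf` files override these values, and the file should say so. Suggested header above `[Resolve]`: `# Baseline: no DNSSEC validation; opportunistic DoT falls back to cleartext. Install a dot-*.conf drop-in (sorted after this file) for strict DoT.`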
@@ -2,19 +2,15 @@ ### Files explained -* 00-everywhere.conf - configuration that doesn't affect DNS servers, attempts - to use DNSSEC and DoT and if it fails, doesn't care and uses insecure - configuration. -* quad9-compat.conf - non-tech person config for Quad9, same as above except - specifies the server. -* quad9-strict.conf - tech person config demanding DNSSEC and DoT from Quad9 +* 00-defaults.conf - configuration not touching resolvers. Disables DNSSEC (as + systemd-resolved doesn't handle it properly), enables opportunistic DoT and + caching. +* dot-*.conf - configuration to use the DNS provider with DNS-over-TLS. If + captive portals are a concern, `DNSOverTLS`. * README.md - you are reading it right now. ### General commentary -I have moved duplicate comments to this file, so it will possibly look weird -or miss original context. - * Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS (however at the time of writing this README.md, the current version is Ubuntu 20.04.0) (systemd v237). DNSOverTLS became supported in v239, strict mode (yes) in @@ -26,7 +22,7 @@ or miss original context. * DNSSEC may not work if the system is down for a long time and not updated. Thus `allow-downgrade` may be better for non-tech people, even with the potential downgrade attack. There are also captive portals, affecting - `DNSOverTLS`. Both take `true` or `false` or their own special option, + `DNSOverTLS`. Both take `yes` or `no` or their own special option, for DNNSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`. Other links I have found important and my files are based on: diff --git a/etc/systemd/resolved.conf.d/adguard-dot.conf b/etc/systemd/resolved.conf.d/adguard-dot.conf deleted file mode 100644 index 32f71ecc..00000000 --- a/etc/systemd/resolved.conf.d/adguard-dot.conf +++ /dev/null 
@@ -1,14 +0,0 @@
-# AdGuard / systemd-resolved. For people who don't panic when DoT doesn't
-# work and captive portals attack? See README.md. Also requires not
-# panicking if tbe user needs something AdGuard is blocking.
-[Resolve]
-DNS=2a10:50c0::ad1:ff#dns.adguard.com 94.140.14.14#dns.adguard.com 2a10:50c0::ad2:ff#dns.adguard.com 94.140.15.15#dns.adguard.com
-Domains=~.
-# non-tech friendliness in case system down for ages. Also DNSSEC ensures
-# the DNS server isn't lying which is a task of adblocking DNS server...
-DNSSEC=false
-# There is no point of disabling this with adblocking DNS
-DNSOverTLS=true
-Cache=true
-
-# Updated for https://adguard.com/en/blog/adguard-dns-new-addresses.html
diff --git a/etc/systemd/resolved.conf.d/cloudflare-strict.conf b/etc/systemd/resolved.conf.d/cloudflare-strict.conf
deleted file mode 100644
index c22d90af..00000000
--- a/etc/systemd/resolved.conf.d/cloudflare-strict.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-# Cloudflare / systemd-resolved. For people who don't panic when DNSSEC or
-# DoT doesn't work and captive portals attack? See README.md
-[Resolve]
-DNS=2606:4700:4700::1111#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com 1.1.1.1#cloudflare-dns.com
-Domains=~.
-DNSSEC=true
-DNSOverTLS=true
-Cache=true
diff --git a/etc/systemd/resolved.conf.d/dot-adguard.conf b/etc/systemd/resolved.conf.d/dot-adguard.conf
new file mode 100644
index 00000000..ef3578b9
--- /dev/null
+++ b/etc/systemd/resolved.conf.d/dot-adguard.conf
@@ -0,0 +1,7 @@
+[Resolve]
+DNS=2a10:50c0::ad1:ff#dns.adguard.com 94.140.14.14#dns.adguard.com 2a10:50c0::ad2:ff#dns.adguard.com 94.140.15.15#dns.adguard.com
+Domains=~.
+DNSOverTLS=yes
+Cache=yes
+
+# Updated for https://adguard.com/en/blog/adguard-dns-new-addresses.html
diff --git a/etc/systemd/resolved.conf.d/dot-cloudflare.conf b/etc/systemd/resolved.conf.d/dot-cloudflare.conf
new file mode 100644
index 00000000..2f061927
--- /dev/null
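Review bot: dot-adguard.conf sets `DNSOverTLS=yes` but no longer carries a `DNSSEC=` line, so its effective DNSSEC mode now depends on which other drop-in is installed — `no` when 00-defaults.conf is present, the compiled-in default if someone copies only this file — and the per-file header comment that used to describe the intended audience was removed with it, so nothing in the file says this. The same applies to dot-cloudflare.conf, dot-mullvad-adblock.conf, dot-mullvad.conf, dot-nextdns.conf, dot-quad9-ecs.conf, dot-quad9.conf and dot-snopyta.conf in this patch. A one-line header would make the contract explicit, e.g. `# AdGuard via strict DNS-over-TLS; DNSSEC is not set here and follows 00-defaults.conf.` The `#dns.adguard.com` suffix on each address is presumably the server name resolved uses for TLS certificate validation, which is also worth a comment since it is what makes `DNSOverTLS=yes` meaningful.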
+++ b/etc/systemd/resolved.conf.d/dot-cloudflare.conf
@@ -0,0 +1,5 @@
+[Resolve]
+DNS=2606:4700:4700::1111#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com 1.1.1.1#cloudflare-dns.com
+Domains=~.
+DNSOverTLS=yes
+Cache=yes
diff --git a/etc/systemd/resolved.conf.d/dot-mullvad-adblock-strict.conf b/etc/systemd/resolved.conf.d/dot-mullvad-adblock-strict.conf
deleted file mode 100644
index 1313ac60..00000000
--- a/etc/systemd/resolved.conf.d/dot-mullvad-adblock-strict.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-[Resolve]
-DNS=2a07:e340::3#adblock.doh.mullvad.net 194.242.2.3#adblock.doh.mullvad.net 193.19.108.3#adblock.doh.mullvad.net
-Domains=~.
-# non-tech friendliness in case system down for ages. Also DNSSEC ensures
-# the DNS server isn't lying which is a task of adblocking DNS server...
-DNSSEC=false
-DNSOverTLS=true
-Cache=true
diff --git a/etc/systemd/resolved.conf.d/dot-mullvad-adblock.conf b/etc/systemd/resolved.conf.d/dot-mullvad-adblock.conf
new file mode 100644
index 00000000..98d05c07
--- /dev/null
+++ b/etc/systemd/resolved.conf.d/dot-mullvad-adblock.conf
@@ -0,0 +1,5 @@
+[Resolve]
+DNS=2a07:e340::3#adblock.doh.mullvad.net 194.242.2.3#adblock.doh.mullvad.net 193.19.108.3#adblock.doh.mullvad.net
+Domains=~.
+DNSOverTLS=yes
+Cache=yes
diff --git a/etc/systemd/resolved.conf.d/dot-mullvad-strict.conf b/etc/systemd/resolved.conf.d/dot-mullvad.conf
similarity index 74%
rename from etc/systemd/resolved.conf.d/dot-mullvad-strict.conf
rename to etc/systemd/resolved.conf.d/dot-mullvad.conf
index d5e7ec4f..c435bdb8 100644
--- a/etc/systemd/resolved.conf.d/dot-mullvad-strict.conf
+++ b/etc/systemd/resolved.conf.d/dot-mullvad.conf
@@ -1,6 +1,5 @@
 [Resolve]
 DNS=2a07:e340::2#doh.mullvad.net 194.242.2.2#doh.mullvad.net 193.19.108.2#doh.mullvad.net
 Domains=~.
-DNSSEC=true
-DNSOverTLS=true
-Cache=true
+DNSOverTLS=yes
+Cache=yes
diff --git a/etc/systemd/resolved.conf.d/nextdns-compat.conf b/etc/systemd/resolved.conf.d/dot-nextdns.conf
similarity index 50%
rename from etc/systemd/resolved.conf.d/nextdns-compat.conf
rename to etc/systemd/resolved.conf.d/dot-nextdns.conf
index d964db1a..a8bd7674 100644
--- a/etc/systemd/resolved.conf.d/nextdns-compat.conf
+++ b/etc/systemd/resolved.conf.d/dot-nextdns.conf
@@ -1,7 +1,5 @@
-# NextDNS / systemd-resolved. For non-tech people? See README.md
 [Resolve]
 2a07:a8c0::#dns.nextdns.io 2a07:a8c1::#dns.nextdns.io 45.90.28.0#dns.nextdns.io 45.90.30.0#dns.nextdns.io
 Domains=~.
-DNSSEC=allow-downgrade
-DNSOverTLS=opportunistic
-Cache=true
+DNSOverTLS=yes
+Cache=yes
diff --git a/etc/systemd/resolved.conf.d/dot-quad9-ecs.conf b/etc/systemd/resolved.conf.d/dot-quad9-ecs.conf
new file mode 100644
index 00000000..69ef8e58
--- /dev/null
+++ b/etc/systemd/resolved.conf.d/dot-quad9-ecs.conf
@@ -0,0 +1,5 @@
+[Resolve]
+DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
+Domains=~.
+DNSOverTLS=yes
+Cache=yes
diff --git a/etc/systemd/resolved.conf.d/quad9-compat.conf b/etc/systemd/resolved.conf.d/dot-quad9.conf
similarity index 51%
rename from etc/systemd/resolved.conf.d/quad9-compat.conf
rename to etc/systemd/resolved.conf.d/dot-quad9.conf
index 43fa1c8a..42603cbc 100644
--- a/etc/systemd/resolved.conf.d/quad9-compat.conf
+++ b/etc/systemd/resolved.conf.d/dot-quad9.conf
@@ -1,7 +1,5 @@
-# Quad9 / systemd-resolved. For non-tech people? See README.md
 [Resolve]
 DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
 Domains=~.
-DNSSEC=allow-downgrade
-DNSOverTLS=opportunistic
-Cache=true
+DNSOverTLS=yes
+Cache=yes
diff --git a/etc/systemd/resolved.conf.d/dot-snopyta.conf b/etc/systemd/resolved.conf.d/dot-snopyta.conf
new file mode 100644
index 00000000..a6a84ff9
--- /dev/null
+++ b/etc/systemd/resolved.conf.d/dot-snopyta.conf
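Review bot: The server line in dot-nextdns.conf has no key — the context line under `[Resolve]` reads `2a07:a8c0::#dns.nextdns.io 2a07:a8c1::#dns.nextdns.io 45.90.28.0#dns.nextdns.io 45.90.30.0#dns.nextdns.io` with no `DNS=` in front of it, so there is no assignment for resolved to parse (presumably logged as a bad line and ignored) and this drop-in configures no upstream at all. With `Domains=~.` and the new `DNSOverTLS=yes` left in place, lookups would then likely go to whatever other servers resolved knows about rather than to NextDNS. The rename and the `yes`/`no` rewrite carry the defective line over unchanged, and the deleted nextdns-strict.conf later in this patch shows the same omission, so it predates this commit. The line should read `DNS=2a07:a8c0::#dns.nextdns.io 2a07:a8c1::#dns.nextdns.io 45.90.28.0#dns.nextdns.io 45.90.30.0#dns.nextdns.io`, matching every other dot-*.conf here.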
@@ -0,0 +1,5 @@
+[Resolve]
+DNS=2a01:4f9:2a:1919::9301#fi.dot.dns.snopyta.org 95.216.24.230#fi.dot.dns.snopyta.org
+Domains=~.
+DNSOverTLS=yes
+Cache=yes
diff --git a/etc/systemd/resolved.conf.d/nextdns-strict.conf b/etc/systemd/resolved.conf.d/nextdns-strict.conf
deleted file mode 100644
index 3ac91881..00000000
--- a/etc/systemd/resolved.conf.d/nextdns-strict.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-# NextDNS / systemd-resolved. For people who don't panic when DNSSEC or
-# DoT doesn't work and captive portals attack? See README.md
-[Resolve]
-2a07:a8c0::#dns.nextdns.io 2a07:a8c1::#dns.nextdns.io 45.90.28.0#dns.nextdns.io 45.90.30.0#dns.nextdns.io
-Domains=~.
-DNSSEC=true
-DNSOverTLS=true
-Cache=true
diff --git a/etc/systemd/resolved.conf.d/quad9-ecs-compat.conf b/etc/systemd/resolved.conf.d/quad9-ecs-compat.conf
deleted file mode 100644
index 07912f5b..00000000
--- a/etc/systemd/resolved.conf.d/quad9-ecs-compat.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# Quad9 with client subnet / systemd-resolved. For non-tech people? See README.md
-[Resolve]
-DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
-Domains=~.
-DNSSEC=allow-downgrade
-DNSOverTLS=opportunistic
-Cache=true
diff --git a/etc/systemd/resolved.conf.d/quad9-ecs-strict.conf b/etc/systemd/resolved.conf.d/quad9-ecs-strict.conf
deleted file mode 100644
index cc3993e2..00000000
--- a/etc/systemd/resolved.conf.d/quad9-ecs-strict.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-# Quad9 with client subnet / systemd-resolved. For people who don't panic when DNSSEC or
-# DoT doesn't work and captive portals attack? See README.md
-[Resolve]
-DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
-Domains=~.
-DNSSEC=true
-DNSOverTLS=true
-Cache=true
diff --git a/etc/systemd/resolved.conf.d/quad9-strict.conf b/etc/systemd/resolved.conf.d/quad9-strict.conf
deleted file mode 100644
index 8b157e0c..00000000
--- a/etc/systemd/resolved.conf.d/quad9-strict.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-# Quad9 / systemd-resolved. For people who don't panic when DNSSEC or
-# DoT doesn't work and captive portals attack? See README.md
-[Resolve]
-DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
-Domains=~.
-DNSSEC=true
-DNSOverTLS=true
-Cache=true
diff --git a/etc/systemd/resolved.conf.d/snopyta-strict.conf b/etc/systemd/resolved.conf.d/snopyta-strict.conf
deleted file mode 100644
index 17052602..00000000
--- a/etc/systemd/resolved.conf.d/snopyta-strict.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-# Snopyta / systemd-resolved. For people who don't panic when DNSSEC or
-# DoT doesn't work and captive portals attack? See README.md
-[Resolve]
-DNS=2a01:4f9:2a:1919::9301#fi.dot.dns.snopyta.org 95.216.24.230#fi.dot.dns.snopyta.org
-Domains=~.
-DNSSEC=true
-DNSOverTLS=true
-Cache=true
diff --git a/etc/systemd/resolved.conf.d/unbound.conf b/etc/systemd/resolved.conf.d/unbound.conf
index d0f52174..225842eb 100644
--- a/etc/systemd/resolved.conf.d/unbound.conf
+++ b/etc/systemd/resolved.conf.d/unbound.conf
@@ -3,9 +3,9 @@
 DNS=127.0.0.1
 DNS=::1
 Domains=~.
-# Done better by Unbound, no failed-auxillary
-DNSSEC=false
+# Done better by Unbound
+DNSSEC=no
 # Not needed on localhost
-DNSOverTLS=false
+DNSOverTLS=no
 # Done by Unbound
-Cache=false
+Cache=no
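Review bot: With `DNSSEC=no`, `DNSOverTLS=no` and `Cache=no`, resolved itself provides no validation, no transport protection and no caching in unbound.conf; every guarantee rests on the Unbound instance behind `DNS=127.0.0.1`/`DNS=::1`, and the rewritten comments (`# Done better by Unbound`, `# Done by Unbound`) assert that without stating it as a dependency the reader must check. Suggest the comment above `DNSSEC=no` say so: `# Validation is delegated to the local Unbound; if its validator is off, nothing here detects forged answers.` The hunk starts at file line 3, so the `[Resolve]` section header is outside it.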