mirror of
https://gitea.blesmrt.net/mikaela/shell-things.git
synced 2024-12-23 03:02:52 +01:00
systemd-resolved: attempt to simplify configuration
This commit is contained in:
parent
f976c9a530
commit
dea732d15b
23
etc/systemd/resolved.conf.d/00-defaults.conf
Normal file
23
etc/systemd/resolved.conf.d/00-defaults.conf
Normal file
@ -0,0 +1,23 @@
|
||||
[Resolve]
|
||||
# Don't trust upstream to verify DNSSEC, even if was encrypted.
|
||||
# https://notes.valdikss.org.ru/jabber.ru-mitm/
|
||||
# BREAKAGE WARNING for everything else than DNSSEC=false !
|
||||
# https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
|
||||
# PRIVACY WARNING! systemd-networkd/links may override this.
|
||||
DNSSEC=true
|
||||
# Take the risk of downgrade attacks. Web browser policies enforce
|
||||
# DNS-over-HTTPS anyway due to Encrypted Client Hello (ECH) still requiring
|
||||
# it.
|
||||
DNSOverTLS=opportunistic
|
||||
Cache=true
|
||||
# Consider local DNS servers if they exist. Empty should erase previous values.
|
||||
DNS=
|
||||
DNS=127.0.0.1
|
||||
DNS=::1
|
||||
Domains=~.
|
||||
# .local domains
|
||||
MulticastDNS=true
|
||||
# Microsoft Windows compatibility?
|
||||
LLMNR=true
|
||||
|
||||
# vim: filetype=systemd
|
@ -1,19 +0,0 @@
|
||||
[Resolve]
|
||||
# Use this together with other files other than 00-only-local-resolver.conf!
|
||||
# https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
|
||||
#DNSSEC=allow-downgrade
|
||||
# Regardless of the above DNS breaking issues when DNSSEC is
|
||||
# enabled/opportunistic, it provides authentication which is important. TLS
|
||||
# cannot be fully trusted. https://notes.valdikss.org.ru/jabber.ru-mitm/
|
||||
DNSSEC=true
|
||||
DNSOverTLS=opportunistic
|
||||
Cache=true
|
||||
#DNS=127.0.0.1
|
||||
#DNS=::1
|
||||
Domains=~.
|
||||
# .local domains
|
||||
MulticastDNS=true
|
||||
# Microsoft Windows compatibility?
|
||||
LLMNR=true
|
||||
|
||||
# vim: filetype=systemd
|
@ -1,14 +0,0 @@
|
||||
[Resolve]
|
||||
# All this is done by Unbound. Don't use other files together with this one.
|
||||
DNSSEC=false
|
||||
DNSOverTLS=false
|
||||
Cache=false
|
||||
DNS=127.0.0.1
|
||||
DNS=::1
|
||||
Domains=~.
|
||||
# .local domains
|
||||
MulticastDNS=true
|
||||
# Microsoft Windows compatibility?
|
||||
LLMNR=true
|
||||
|
||||
# vim: filetype=systemd
|
@ -26,19 +26,15 @@ sudo systemctl restart systemd-resolved
|
||||
|
||||
## Files explained
|
||||
|
||||
- `00-no-local-resolver.conf` - configuration that should be used everywhere.
|
||||
- `00-defaults.conf` - configuration that should be used everywhere.
|
||||
Enables DNSSEC (regardless of systemd-resolved not handling it properly),
|
||||
enables opportunistic DoT, caching and local DNS servers (because they
|
||||
should exist anyway as I don't trust systemd-resolved entirely. Anyway if
|
||||
there truly is no local resolver, systemd-resolved will detect that and act accordingly.)
|
||||
- To rephrase, this is sto be used together with other files, especially
|
||||
- To rephrase, this is to be used together with other files, especially
|
||||
some of those beginning with `dot-`.
|
||||
- `00-only-local-resolver.conf` - for when there is known local resolver.
|
||||
**_Don't combine this with the other files._**
|
||||
- `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
|
||||
captive portals are a concern, `DNSOverTLS=opportunistic`. At least one of these
|
||||
should be used in addition to `00-defaults.conf`
|
||||
- `nordvpn.conf` - includes NordVPN's resolver addresses for hosts using it
|
||||
- `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS.
|
||||
At least one of these should be used in addition to `00-defaults.conf`
|
||||
- `README.md` - you are reading it right now.
|
||||
|
||||
## General commentary
|
||||
|
@ -1,5 +0,0 @@
|
||||
[Resolve]
|
||||
DNS=2400:bb40:4444::103 2400:bb40:8888::103
|
||||
DNS=103.86.96.100 103.86.99.100
|
||||
|
||||
# vim: filetype=systemd
|
Loading…
Reference in New Issue
Block a user