{unbound,systemd-resolved}: cleanup, disable ECS in unused quad9 file

Aminda Suomalainen 2025-03-12 20:43:26 +02:00
parent cb7331bcd5
commit e52b25bfaa
Signed by: Mikaela
GPG Key ID: 99392F62BAE30723
9 changed files with 20 additions and 306 deletions


@ -3,14 +3,14 @@
# encryption, but host a Quad9 node and giving these addresses instead.
[Resolve]
# Secure
#DNS=2620:fe::9#dns.quad9.net 2620:fe::fe#dns.quad9.net [2620:fe::9]:8853#dns.quad9.net [2620:fe::fe]:8853#dns.quad9.net
#DNS=149.112.112.112#dns.quad9.net 9.9.9.9#dns.quad9.net 149.112.112.112:8853#dns.quad9.net 9.9.9.9:8853#dns.quad9.net
DNS=2620:fe::9#dns.quad9.net 2620:fe::fe#dns.quad9.net [2620:fe::9]:8853#dns.quad9.net [2620:fe::fe]:8853#dns.quad9.net
DNS=149.112.112.112#dns.quad9.net 9.9.9.9#dns.quad9.net 149.112.112.112:8853#dns.quad9.net 9.9.9.9:8853#dns.quad9.net
# No Threat Blocking
#DNS=2620:fe::10#dns10.quad9.net 2620:fe::fe:10#dns10.quad9.net [2620:fe::10]:8853#dns10.quad9.net [2620:fe::fe:10]:8853#dns10.quad9.net
#DNS=149.112.112.10#dns10.quad9.net 9.9.9.10#dns10.quad9.net 149.112.112.10:8853#dns10.quad9.net 9.9.9.10:8853#dns10.quad9.net
# Secure + ECS. IPv4 first so it gets preferred as my Unbound likely prefers IPv6 anyway.
DNS=149.112.112.11#dns11.quad9.net 9.9.9.11#dns11.quad9.net 149.112.112.11:8853#dns11.quad9.net 9.9.9.11:8853#dns11.quad9.net
DNS=2620:fe::11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net [2620:fe::11]:8853#dns11.quad9.net [2620:fe::fe:11]:8853#dns11.quad9.net
#DNS=149.112.112.11#dns11.quad9.net 9.9.9.11#dns11.quad9.net 149.112.112.11:8853#dns11.quad9.net 9.9.9.11:8853#dns11.quad9.net
#DNS=2620:fe::11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net [2620:fe::11]:8853#dns11.quad9.net [2620:fe::fe:11]:8853#dns11.quad9.net
# No Threat Blocking + ECS
#DNS=2620:fe::12#dns12.quad9.net 2620:fe::fe:12#dns12.quad9.net [2620:fe::12]:8853#dns12.quad9.net [2620:fe::fe:12]:8853#dns12.quad9.net
#DNS=9.9.9.12#dns12.quad9.net 149.112.112.12#dns12.quad9.net 9.9.9.12:8853#dns12.quad9.net 149.112.112.12:8853#dns12.quad9.net
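Review bot: The comment `# Secure + ECS. IPv4 first so it gets preferred as my Unbound likely prefers IPv6 anyway.` still explains an ordering choice for the dns11.quad9.net lines, which, going by the commit title, are the ones now commented out, so a reader would take the ECS group to be the active one; suggest `# Secure + ECS (disabled; the Secure group above is active). IPv4 first so it gets preferred as my Unbound likely prefers IPv6 anyway.`. The same stale `## Secure + ECS` heading is left standing in both hunks of the unbound forward-zone file later in this commit. The rendered page has lost the +/- markers, so which pair of `DNS=` lines is current is inferred from the title rather than from the hunk itself. The `[Resolve]` section's header comment is cut mid-sentence at the top of the hunk and the rest of the section is not shown, so whether `DNSOverTLS=` is set — the setting that makes the `#dns.quad9.net` server names enforce certificate validation rather than being opportunistic — cannot be checked here.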


@ -1 +0,0 @@
dot-private-ecs.conf


@ -1,33 +0,0 @@
# This is a merging of dot-dns0.conf & dot-quad9.conf with weight on DNS0
# IPv4 and when using IPv6, Quad9 Secure with ECS. IPv6 private ECS is
# horribly inaccurate and I have minor leaning towards having ECS enabled.
# Private ECS is a compromise between privacy and local destinations.
#
# Both are filtering DNS servers, so this brings risk of something being
# blocked by only one of them. However both are non-profits and have servers
# in Finland.
server:
# Debian ca-certificates location
#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
# Fedora
#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Use system certificates no matter where they are
tls-system-cert: yes
# Quad9 says pointless performance impact on forwarders.
# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
qname-minimisation: no
forward-zone:
name: "."
forward-tls-upstream: yes
## DNS0.eu IPv4 Default
forward-addr: 193.110.81.0@853#dns0.eu
forward-addr: 185.253.5.0@853#dns0.eu
## Quad9 IPv6 Secure + ECS
forward-addr: 2620:fe::11@8853#dns11.quad9.net
forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
forward-addr: 2620:fe::11@853#dns11.quad9.net
forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
# vim: filetype=unbound.conf


@ -1,33 +0,0 @@
# NOTE! Requires Unbound 1.7.3 or newer!
# Based on https://www.ctrl.blog/entry/unbound-tls-forwarding.html
server:
# Debian ca-certificates location
#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
# Fedora location
#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Use system certificates no matter where they are
tls-system-cert: yes
# Quad9 says pointless performance impact on forwarders.
# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
qname-minimisation: no
# DNS servers that have public button for flushing cache. Privacy not considered.
forward-zone:
name: "."
forward-tls-upstream: yes
# Cloudflare / https://1.1.1.1/purge-cache/
forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
# Google / https://dns.google/cache
forward-addr: 8.8.8.8@853#dns.google
forward-addr: 8.8.4.4@853#dns.google
forward-addr: 2001:4860:4860::8888@853#dns.google
forward-addr: 2001:4860:4860::8844@853#dns.google
# vim: filetype=unbound.conf


@ -1,26 +0,0 @@
server:
# Debian ca-certificates location
#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
# Fedora
#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Use system certificates no matter where they are
tls-system-cert: yes
# Quad9 says pointless performance impact on forwarders.
# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
qname-minimisation: no
# AdGuard Public DNS without filtering.
forward-zone:
name: "."
forward-tls-upstream: yes
# AdGuard Public DNS without filtering
forward-addr: 2a10:50c0::1:ff@853#unfiltered.adguard-dns.com
forward-addr: 2a10:50c0::2:ff@853#unfiltered.adguard-dns.com
forward-addr: 94.140.14.140@853#unfiltered.adguard-dns.com
forward-addr: 94.140.14.141@853#unfiltered.adguard-dns.com
# DNS0.eu without filtering
forward-addr: 193.110.81.254@853#open.dns0.eu
forward-addr: 185.253.5.254@853#open.dns0.eu
forward-addr: 2a0f:fc80::ffff@853#open.dns0.eu
forward-addr: 2a0f:fc81::ffff@853#open.dns0.eu
# vim: filetype=unbound.conf


@ -1,86 +0,0 @@
# This file attempts to send zones belonging to DNS operators to their DNS servers.
# Inclusion criteria: I know and use the service.
server:
# Debian ca-certificates location
#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
# Fedora
#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Use system certificates no matter where they are
tls-system-cert: yes
# Quad9 says pointless performance impact on forwarders.
# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
qname-minimisation: no
forward-zone:
name: "google"
forward-tls-upstream: yes
# Must be explicit forward-addr for dns.google to be found
forward-addr: 2001:4860:4860::8844@853#dns.google
forward-addr: 2001:4860:4860::8888@853#dns.google
forward-addr: 8.8.4.4@853#dns.google
forward-addr: 8.8.8.8@853#dns.google
forward-zone:
name: "google.fi"
forward-tls-upstream: yes
forward-host: dns.google@853#dns.google
forward-zone:
name: "google.com"
forward-tls-upstream: yes
forward-host: dns.google@853#dns.google
forward-zone:
name: "youtube.com"
forward-tls-upstream: yes
forward-host: dns.google@853#dns.google
forward-zone:
name: "youtube-nocookie.com"
forward-tls-upstream: yes
forward-host: dns.google@853#dns.google
forward-zone:
name: "youtu.be"
forward-tls-upstream: yes
forward-host: dns.google@853#dns.google
forward-zone:
name: "googlevideo.com"
forward-tls-upstream: yes
forward-host: dns.google@853#dns.google
forward-zone:
name: "ytimg.com"
forward-tls-upstream: yes
forward-host: dns.google@853#dns.google
# forward-zone:
# name: "googleusercontent.com"
# forward-tls-upstream: yes
# forward-host: dns.google@853#dns.google
forward-zone:
name: "gstatic.com"
forward-tls-upstream: yes
forward-host: dns.google@853#dns.google
forward-zone:
name: "cloudflare-dns.com"
# Must be explicit for forward-addr
forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com
forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com
forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
forward-addr: 1.0.0.2@853#security.cloudflare-dns.com
forward-zone:
name: "cloudflare.com"
forward-host: security.cloudflare-dns.com@853#security.cloudflare-dns.com
forward-zone:
name: "one.one"
forward-host: security.cloudflare-dns.com@853#security.cloudflare-dns.com
# vim: filetype=unbound.conf


@ -17,14 +17,14 @@ forward-zone:
name: "."
forward-tls-upstream: yes
## Secure
#forward-addr: 2620:fe::fe@853#dns.quad9.net
#forward-addr: 2620:fe::fe@8853#dns.quad9.net
#forward-addr: 2620:fe::9@853#dns.quad9.net
#forward-addr: 2620:fe::9@8853#dns.quad9.net
#forward-addr: 9.9.9.9@853#dns.quad9.net
#forward-addr: 9.9.9.9@8853#dns.quad9.net
#forward-addr: 149.112.112.112@853#dns.quad9.net
#forward-addr: 149.112.112.112@8853#dns.quad9.net
forward-addr: 2620:fe::fe@853#dns.quad9.net
forward-addr: 2620:fe::fe@8853#dns.quad9.net
forward-addr: 2620:fe::9@853#dns.quad9.net
forward-addr: 2620:fe::9@8853#dns.quad9.net
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 9.9.9.9@8853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net
forward-addr: 149.112.112.112@8853#dns.quad9.net
## No Threat Blocking
#forward-addr: 2620:fe::fe:10@853#dns10.quad9.net
#forward-addr: 2620:fe::fe:10@8853#dns10.quad9.net
@ -35,14 +35,14 @@ forward-zone:
#forward-addr: 9.9.9.10@853#dns10.quad9.net
#forward-addr: 9.9.9.10@8853#dns10.quad9.net
## Secure + ECS
forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
forward-addr: 9.9.9.11@853#dns11.quad9.net
forward-addr: 9.9.9.11@8853#dns11.quad9.net
forward-addr: 2620:fe::11@853#dns11.quad9.net
forward-addr: 2620:fe::11@8853#dns11.quad9.net
forward-addr: 149.112.112.11@853#dns11.quad9.net
forward-addr: 149.112.112.11@8853#dns11.quad9.net
#forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
#forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
#forward-addr: 9.9.9.11@853#dns11.quad9.net
#forward-addr: 9.9.9.11@8853#dns11.quad9.net
#forward-addr: 2620:fe::11@853#dns11.quad9.net
#forward-addr: 2620:fe::11@8853#dns11.quad9.net
#forward-addr: 149.112.112.11@853#dns11.quad9.net
#forward-addr: 149.112.112.11@8853#dns11.quad9.net
## No Threat Blocking + ECS
#forward-addr: 2620:fe::fe:12@853#dns12.quad9.net
#forward-addr: 2620:fe::fe:12@8853#dns12.quad9.net
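Review bot: The `forward-addr` entries carry `#dns.quad9.net` authentication names, but Unbound only verifies them when the `server:` section also loads a CA store (`tls-system-cert: yes` or `tls-cert-bundle:`); that section lies outside both hunks, so it cannot be confirmed here, though the files deleted in this commit all use `tls-system-cert: yes`, so it is presumably present. Without a CA store, `forward-tls-upstream: yes` encrypts the upstream connection but does not authenticate it. A one-line comment above `forward-tls-upstream: yes`, e.g. `# auth names below are only verified if server: sets tls-system-cert or tls-cert-bundle`, would make that dependency explicit for anyone copying this stanza. Both hunks sit inside a `forward-zone:` stanza that begins before the first hunk.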


@ -1,18 +0,0 @@
# This will only affect servers that are accessed with public IP address!
server:
#module-config: "ipsecmod validator iterator"
# subnetcache must be loaded for ecs
module-config: "subnetcache validator iterator"
# Send ECS everywhere always
client-subnet-zone: "."
client-subnet-always-forward: yes
# Send different subnet size
#max-client-subnet-ipv6: "16"
#max-client-subnet-ipv4: "0"
# IP address to send client subnets TO. Optionally /CIDR can be appended.
# This actually means AUTHORITY servers!
#send-client-subnet:
#send-client-subnet:
# vim: filetype=unbound.conf


@ -1,89 +0,0 @@
# The point of this file is to have these domains just work without having
# to send queries, even if they are queried by web browser.
server:
# Quad9 Secure
local-zone: "dns.quad9.net." typetransparent
local-data: "dns.quad9.net. A 9.9.9.9"
local-data: "dns.quad9.net. A 149.112.112.112"
local-data: "dns.quad9.net. AAAA 2620:fe::fe"
local-data: "dns.quad9.net. AAAA 2620:fe::9"
# Quad9 No Threat Blocking
local-zone: "dns10.quad9.net." typetransparent
local-data: "dns10.quad9.net. A 9.9.9.10"
local-data: "dns10.quad9.net. A 149.112.112.10"
local-data: "dns10.quad9.net. AAAA 2620:fe::10"
local-data: "dns10.quad9.net. AAAA 2620:fe::fe:10"
# Quad9 Secure + ECS
local-zone: "dns11.quad9.net." typetransparent
local-data: "dns11.quad9.net. A 9.9.9.11"
local-data: "dns11.quad9.net. A 149.112.112.11"
local-data: "dns11.quad9.net. AAAA 2620:fe::11"
local-data: "dns11.quad9.net. AAAA 2620:fe::fe:11"
# Quad9 No Threat Blocking + ECS
local-zone: "dns12.quad9.net." typetransparent
local-data: "dns12.quad9.net. A 9.9.9.12"
local-data: "dns12.quad9.net. A 149.112.112.12"
local-data: "dns12.quad9.net. AAAA 2620:fe::12"
local-data: "dns12.quad9.net. AAAA 2620:fe::fe:12"
# DNS0 default
local-zone: "dns0.eu." typetransparent
local-data: "dns0.eu. A 193.110.81.0"
local-data: "dns0.eu. A 185.253.5.0"
local-data: "dns0.eu. AAAA 2a0f:fc80::"
local-data: "dns0.eu. AAAA 2a0f:fc81::"
# DNS0 Zero
local-zone: "zero.dns0.eu." typetransparent
local-data: "zero.dns0.eu. A 193.110.81.9"
local-data: "zero.dns0.eu. A 185.253.5.9"
local-data: "zero.dns0.eu. AAAA 2a0f:fc80::9"
local-data: "zero.dns0.eu. AAAA 2a0f:fc81::9"
# DNS0 Kids
local-zone: "kids.dns0.eu." typetransparent
local-data: "kids.dns0.eu. A 193.110.81.1"
local-data: "kids.dns0.eu. A 185.253.5.1"
local-data: "kids.dns0.eu. AAAA 2a0f:fc80::1"
local-data: "kids.dns0.eu. AAAA 2a0f:fc81::1"
# DNS0 Open
local-zone: "open.dns0.eu." typetransparent
local-data: "open.dns0.eu. A 193.110.81.254"
local-data: "open.dns0.eu. A 185.253.5.254"
local-data: "open.dns0.eu. AAAA 2a0f:fc80::ffff"
local-data: "open.dns0.eu. AAAA 2a0f:fc81::ffff"
# Cloudflare
local-zone: "cloudflare-dns.com." typetransparent
local-data: "cloudflare-dns.com. A 1.1.1.1"
local-data: "cloudflare-dns.com. A 1.0.0.1"
local-data: "cloudflare-dns.com. AAAA 2606:4700:4700::1111"
local-data: "cloudflare-dns.com. AAAA 2606:4700:4700::1001"
local-zone: "one.one.one.one." typetransparent
local-data: "one.one.one.one. CNAME cloudflare-dns.com."
# Cloudflare Malware blocking
local-zone: "security.cloudflare-dns.com." typetransparent
local-data: "security.cloudflare-dns.com. A 1.1.1.2"
local-data: "security.cloudflare-dns.com. A 1.0.0.2"
local-data: "security.cloudflare-dns.com. AAAA 2606:4700:4700::1112"
local-data: "security.cloudflare-dns.com. AAAA 2606:4700:4700::1002"
# Mullvad ad, tracker & malware block
local-zone: "base.dns.mullvad.net." typetransparent
local-data: "base.dns.mullvad.net. A 194.242.2.4"
local-data: "base.dns.mullvad.net. AAAA 2a07:e340::4"
# AdGuard Default
local-zone: "dns.adguard-dns.com." typetransparent
local-data: "dns.adguard-dns.com. A 94.140.14.14"
local-data: "dns.adguard-dns.com. A 94.140.15.15"
local-data: "dns.adguard-dns.com. AAAA 2a10:50c0::ad1:ff"
local-data: "dns.adguard-dns.com. AAAA 2a10:50c0::ad2:ff"
# Google DNS
local-zone: "dns.google." typetransparent
local-data: "dns.google. A 8.8.8.8"
local-data: "dns.google. A 8.8.4.4"
local-data: "dns.google. AAAA 2001:4860:4860::8888"
local-data: "dns.google. AAAA 2001:4860:4860::8844"
local-zone: "dns.google.com." typetransparent
local-data: "dns.google.com. CNAME dns.google."
# Google DNS64
local-zone: "dns64.dns.google." typetransparent
local-data: "dns64.dns.google. AAAA 2001:4860:4860::6464"
local-data: "dns64.dns.google. AAAA 2001:4860:4860::64"
# vim: filetype=unbound.conf