mirror of
https://gitea.blesmrt.net/mikaela/shell-things.git
synced 2025-10-31 01:17:20 +01:00
{unbound,systemd-resolved}: cleanup, disable ECS in unused quad9 file
This commit is contained in:
parent
cb7331bcd5
commit
e52b25bfaa
GPG Key ID:
99392F62BAE30723
@ -3,14 +3,14 @@
|
||||
# encryption, but host a Quad9 node and giving these addresses instead.
|
||||
[Resolve]
|
||||
# Secure
|
||||
#DNS=2620:fe::9#dns.quad9.net 2620:fe::fe#dns.quad9.net [2620:fe::9]:8853#dns.quad9.net [2620:fe::fe]:8853#dns.quad9.net
|
||||
#DNS=149.112.112.112#dns.quad9.net 9.9.9.9#dns.quad9.net 149.112.112.112:8853#dns.quad9.net 9.9.9.9:8853#dns.quad9.net
|
||||
DNS=2620:fe::9#dns.quad9.net 2620:fe::fe#dns.quad9.net [2620:fe::9]:8853#dns.quad9.net [2620:fe::fe]:8853#dns.quad9.net
|
||||
DNS=149.112.112.112#dns.quad9.net 9.9.9.9#dns.quad9.net 149.112.112.112:8853#dns.quad9.net 9.9.9.9:8853#dns.quad9.net
|
||||
# No Threat Blocking
|
||||
#DNS=2620:fe::10#dns10.quad9.net 2620:fe::fe:10#dns10.quad9.net [2620:fe::10]:8853#dns10.quad9.net [2620:fe::fe:10]:8853#dns10.quad9.net
|
||||
#DNS=149.112.112.10#dns10.quad9.net 9.9.9.10#dns10.quad9.net 149.112.112.10:8853#dns10.quad9.net 9.9.9.10:8853#dns10.quad9.net
|
||||
# Secure + ECS. IPv4 first so it gets preferred as my Unbound likely prefers IPv6 anyway.
|
||||
DNS=149.112.112.11#dns11.quad9.net 9.9.9.11#dns11.quad9.net 149.112.112.11:8853#dns11.quad9.net 9.9.9.11:8853#dns11.quad9.net
|
||||
DNS=2620:fe::11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net [2620:fe::11]:8853#dns11.quad9.net [2620:fe::fe:11]:8853#dns11.quad9.net
|
||||
#DNS=149.112.112.11#dns11.quad9.net 9.9.9.11#dns11.quad9.net 149.112.112.11:8853#dns11.quad9.net 9.9.9.11:8853#dns11.quad9.net
|
||||
#DNS=2620:fe::11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net [2620:fe::11]:8853#dns11.quad9.net [2620:fe::fe:11]:8853#dns11.quad9.net
|
||||
# No Threat Blocking + ECS
|
||||
#DNS=2620:fe::12#dns12.quad9.net 2620:fe::fe:12#dns12.quad9.net [2620:fe::12]:8853#dns12.quad9.net [2620:fe::fe:12]:8853#dns12.quad9.net
|
||||
#DNS=9.9.9.12#dns12.quad9.net 149.112.112.12#dns12.quad9.net 9.9.9.12:8853#dns12.quad9.net 149.112.112.12:8853#dns12.quad9.net
|
||||
|
||||
@ -1 +0,0 @@
|
||||
dot-private-ecs.conf
|
||||
@ -1,33 +0,0 @@
|
||||
# This is a merging of dot-dns0.conf & dot-quad9.conf with weight on DNS0
|
||||
# IPv4 and when using IPv6, Quad9 Secure with ECS. IPv6 private ECS is
|
||||
# horribly inaccurate and I have minor leaning towards having ECS enabled.
|
||||
# Private ECS is a compromise between privacy and local destinations.
|
||||
#
|
||||
# Both are filtering DNS servers, so this brings risk of something being
|
||||
# blocked by only one of them. However both are non-profits and have servers
|
||||
# in Finland.
|
||||
|
||||
server:
|
||||
# Debian ca-certificates location
|
||||
#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
|
||||
# Fedora
|
||||
#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
|
||||
# Use system certificates no matter where they are
|
||||
tls-system-cert: yes
|
||||
# Quad9 says pointless performance impact on forwarders.
|
||||
# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
|
||||
qname-minimisation: no
|
||||
|
||||
forward-zone:
|
||||
name: "."
|
||||
forward-tls-upstream: yes
|
||||
## DNS0.eu IPv4 Default
|
||||
forward-addr: 193.110.81.0@853#dns0.eu
|
||||
forward-addr: 185.253.5.0@853#dns0.eu
|
||||
## Quad9 IPv6 Secure + ECS
|
||||
forward-addr: 2620:fe::11@8853#dns11.quad9.net
|
||||
forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
|
||||
forward-addr: 2620:fe::11@853#dns11.quad9.net
|
||||
forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
|
||||
|
||||
# vim: filetype=unbound.conf
|
||||
@ -1,33 +0,0 @@
|
||||
# NOTE! Requires Unbound 1.7.3 or newer!
|
||||
# Based on https://www.ctrl.blog/entry/unbound-tls-forwarding.html
|
||||
|
||||
server:
|
||||
# Debian ca-certificates location
|
||||
#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
|
||||
# Fedora location
|
||||
#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
|
||||
# Use system certificates no matter where they are
|
||||
tls-system-cert: yes
|
||||
# Quad9 says pointless performance impact on forwarders.
|
||||
# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
|
||||
qname-minimisation: no
|
||||
|
||||
# DNS servers that have public button for flushing cache. Privacy not considered.
|
||||
|
||||
forward-zone:
|
||||
name: "."
|
||||
forward-tls-upstream: yes
|
||||
|
||||
# Cloudflare / https://1.1.1.1/purge-cache/
|
||||
forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
|
||||
forward-addr: 1.1.1.1@853#cloudflare-dns.com
|
||||
forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
|
||||
forward-addr: 1.0.0.1@853#cloudflare-dns.com
|
||||
|
||||
# Google / https://dns.google/cache
|
||||
forward-addr: 8.8.8.8@853#dns.google
|
||||
forward-addr: 8.8.4.4@853#dns.google
|
||||
forward-addr: 2001:4860:4860::8888@853#dns.google
|
||||
forward-addr: 2001:4860:4860::8844@853#dns.google
|
||||
|
||||
# vim: filetype=unbound.conf
|
||||
@ -1,26 +0,0 @@
|
||||
server:
|
||||
# Debian ca-certificates location
|
||||
#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
|
||||
# Fedora
|
||||
#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
|
||||
# Use system certificates no matter where they are
|
||||
tls-system-cert: yes
|
||||
# Quad9 says pointless performance impact on forwarders.
|
||||
# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
|
||||
qname-minimisation: no
|
||||
# AdGuard Public DNS without filtering.
|
||||
forward-zone:
|
||||
name: "."
|
||||
forward-tls-upstream: yes
|
||||
# AdGuard Public DNS without filtering
|
||||
forward-addr: 2a10:50c0::1:ff@853#unfiltered.adguard-dns.com
|
||||
forward-addr: 2a10:50c0::2:ff@853#unfiltered.adguard-dns.com
|
||||
forward-addr: 94.140.14.140@853#unfiltered.adguard-dns.com
|
||||
forward-addr: 94.140.14.141@853#unfiltered.adguard-dns.com
|
||||
# DNS0.eu without filtering
|
||||
forward-addr: 193.110.81.254@853#open.dns0.eu
|
||||
forward-addr: 185.253.5.254@853#open.dns0.eu
|
||||
forward-addr: 2a0f:fc80::ffff@853#open.dns0.eu
|
||||
forward-addr: 2a0f:fc81::ffff@853#open.dns0.eu
|
||||
|
||||
# vim: filetype=unbound.conf
|
||||
@ -1,86 +0,0 @@
|
||||
# This file attempts to send zones belonging to DNS operators to their DNS servers.
|
||||
# Inclusion criteria: I know and use the service.
|
||||
|
||||
server:
|
||||
# Debian ca-certificates location
|
||||
#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
|
||||
# Fedora
|
||||
#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
|
||||
# Use system certificates no matter where they are
|
||||
tls-system-cert: yes
|
||||
# Quad9 says pointless performance impact on forwarders.
|
||||
# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
|
||||
qname-minimisation: no
|
||||
|
||||
forward-zone:
|
||||
name: "google"
|
||||
forward-tls-upstream: yes
|
||||
# Must be explicit forward-addr for dns.google to be found
|
||||
forward-addr: 2001:4860:4860::8844@853#dns.google
|
||||
forward-addr: 2001:4860:4860::8888@853#dns.google
|
||||
forward-addr: 8.8.4.4@853#dns.google
|
||||
forward-addr: 8.8.8.8@853#dns.google
|
||||
|
||||
forward-zone:
|
||||
name: "google.fi"
|
||||
forward-tls-upstream: yes
|
||||
forward-host: dns.google@853#dns.google
|
||||
|
||||
forward-zone:
|
||||
name: "google.com"
|
||||
forward-tls-upstream: yes
|
||||
forward-host: dns.google@853#dns.google
|
||||
|
||||
forward-zone:
|
||||
name: "youtube.com"
|
||||
forward-tls-upstream: yes
|
||||
forward-host: dns.google@853#dns.google
|
||||
|
||||
forward-zone:
|
||||
name: "youtube-nocookie.com"
|
||||
forward-tls-upstream: yes
|
||||
forward-host: dns.google@853#dns.google
|
||||
|
||||
forward-zone:
|
||||
name: "youtu.be"
|
||||
forward-tls-upstream: yes
|
||||
forward-host: dns.google@853#dns.google
|
||||
|
||||
forward-zone:
|
||||
name: "googlevideo.com"
|
||||
forward-tls-upstream: yes
|
||||
forward-host: dns.google@853#dns.google
|
||||
|
||||
forward-zone:
|
||||
name: "ytimg.com"
|
||||
forward-tls-upstream: yes
|
||||
forward-host: dns.google@853#dns.google
|
||||
|
||||
# forward-zone:
|
||||
# name: "googleusercontent.com"
|
||||
# forward-tls-upstream: yes
|
||||
# forward-host: dns.google@853#dns.google
|
||||
|
||||
|
||||
forward-zone:
|
||||
name: "gstatic.com"
|
||||
forward-tls-upstream: yes
|
||||
forward-host: dns.google@853#dns.google
|
||||
|
||||
forward-zone:
|
||||
name: "cloudflare-dns.com"
|
||||
# Must be explicit for forward-addr
|
||||
forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com
|
||||
forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com
|
||||
forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
|
||||
forward-addr: 1.0.0.2@853#security.cloudflare-dns.com
|
||||
|
||||
forward-zone:
|
||||
name: "cloudflare.com"
|
||||
forward-host: security.cloudflare-dns.com@853#security.cloudflare-dns.com
|
||||
|
||||
forward-zone:
|
||||
name: "one.one"
|
||||
forward-host: security.cloudflare-dns.com@853#security.cloudflare-dns.com
|
||||
|
||||
# vim: filetype=unbound.conf
|
||||
@ -17,14 +17,14 @@ forward-zone:
|
||||
name: "."
|
||||
forward-tls-upstream: yes
|
||||
## Secure
|
||||
#forward-addr: 2620:fe::fe@853#dns.quad9.net
|
||||
#forward-addr: 2620:fe::fe@8853#dns.quad9.net
|
||||
#forward-addr: 2620:fe::9@853#dns.quad9.net
|
||||
#forward-addr: 2620:fe::9@8853#dns.quad9.net
|
||||
#forward-addr: 9.9.9.9@853#dns.quad9.net
|
||||
#forward-addr: 9.9.9.9@8853#dns.quad9.net
|
||||
#forward-addr: 149.112.112.112@853#dns.quad9.net
|
||||
#forward-addr: 149.112.112.112@8853#dns.quad9.net
|
||||
forward-addr: 2620:fe::fe@853#dns.quad9.net
|
||||
forward-addr: 2620:fe::fe@8853#dns.quad9.net
|
||||
forward-addr: 2620:fe::9@853#dns.quad9.net
|
||||
forward-addr: 2620:fe::9@8853#dns.quad9.net
|
||||
forward-addr: 9.9.9.9@853#dns.quad9.net
|
||||
forward-addr: 9.9.9.9@8853#dns.quad9.net
|
||||
forward-addr: 149.112.112.112@853#dns.quad9.net
|
||||
forward-addr: 149.112.112.112@8853#dns.quad9.net
|
||||
## No Threat Blocking
|
||||
#forward-addr: 2620:fe::fe:10@853#dns10.quad9.net
|
||||
#forward-addr: 2620:fe::fe:10@8853#dns10.quad9.net
|
||||
@ -35,14 +35,14 @@ forward-zone:
|
||||
#forward-addr: 9.9.9.10@853#dns10.quad9.net
|
||||
#forward-addr: 9.9.9.10@8853#dns10.quad9.net
|
||||
## Secure + ECS
|
||||
forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
|
||||
forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
|
||||
forward-addr: 9.9.9.11@853#dns11.quad9.net
|
||||
forward-addr: 9.9.9.11@8853#dns11.quad9.net
|
||||
forward-addr: 2620:fe::11@853#dns11.quad9.net
|
||||
forward-addr: 2620:fe::11@8853#dns11.quad9.net
|
||||
forward-addr: 149.112.112.11@853#dns11.quad9.net
|
||||
forward-addr: 149.112.112.11@8853#dns11.quad9.net
|
||||
#forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
|
||||
#forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
|
||||
#forward-addr: 9.9.9.11@853#dns11.quad9.net
|
||||
#forward-addr: 9.9.9.11@8853#dns11.quad9.net
|
||||
#forward-addr: 2620:fe::11@853#dns11.quad9.net
|
||||
#forward-addr: 2620:fe::11@8853#dns11.quad9.net
|
||||
#forward-addr: 149.112.112.11@853#dns11.quad9.net
|
||||
#forward-addr: 149.112.112.11@8853#dns11.quad9.net
|
||||
## No Threat Blocking + ECS
|
||||
#forward-addr: 2620:fe::fe:12@853#dns12.quad9.net
|
||||
#forward-addr: 2620:fe::fe:12@8853#dns12.quad9.net
|
||||
|
||||
@ -1,18 +0,0 @@
|
||||
# This will only affect servers that are accessed with public IP address!
|
||||
server:
|
||||
#module-config: "ipsecmod validator iterator"
|
||||
# subnetcache must be loaded for ecs
|
||||
module-config: "subnetcache validator iterator"
|
||||
# Send ECS everywhere always
|
||||
client-subnet-zone: "."
|
||||
client-subnet-always-forward: yes
|
||||
# Send different subnet size
|
||||
#max-client-subnet-ipv6: "16"
|
||||
#max-client-subnet-ipv4: "0"
|
||||
|
||||
# IP address to send client subnets TO. Optionally /CIDR can be appended.
|
||||
# This actually means AUTHORITY servers!
|
||||
#send-client-subnet:
|
||||
#send-client-subnet:
|
||||
|
||||
# vim: filetype=unbound.conf
|
||||
@ -1,89 +0,0 @@
|
||||
# The point of this file is to have these domains just work without having
|
||||
# to send queries, even if they are queried by web browser.
|
||||
server:
|
||||
# Quad9 Secure
|
||||
local-zone: "dns.quad9.net." typetransparent
|
||||
local-data: "dns.quad9.net. A 9.9.9.9"
|
||||
local-data: "dns.quad9.net. A 149.112.112.112"
|
||||
local-data: "dns.quad9.net. AAAA 2620:fe::fe"
|
||||
local-data: "dns.quad9.net. AAAA 2620:fe::9"
|
||||
# Quad9 No Threat Blocking
|
||||
local-zone: "dns10.quad9.net." typetransparent
|
||||
local-data: "dns10.quad9.net. A 9.9.9.10"
|
||||
local-data: "dns10.quad9.net. A 149.112.112.10"
|
||||
local-data: "dns10.quad9.net. AAAA 2620:fe::10"
|
||||
local-data: "dns10.quad9.net. AAAA 2620:fe::fe:10"
|
||||
# Quad9 Secure + ECS
|
||||
local-zone: "dns11.quad9.net." typetransparent
|
||||
local-data: "dns11.quad9.net. A 9.9.9.11"
|
||||
local-data: "dns11.quad9.net. A 149.112.112.11"
|
||||
local-data: "dns11.quad9.net. AAAA 2620:fe::11"
|
||||
local-data: "dns11.quad9.net. AAAA 2620:fe::fe:11"
|
||||
# Quad9 No Threat Blocking + ECS
|
||||
local-zone: "dns12.quad9.net." typetransparent
|
||||
local-data: "dns12.quad9.net. A 9.9.9.12"
|
||||
local-data: "dns12.quad9.net. A 149.112.112.12"
|
||||
local-data: "dns12.quad9.net. AAAA 2620:fe::12"
|
||||
local-data: "dns12.quad9.net. AAAA 2620:fe::fe:12"
|
||||
# DNS0 default
|
||||
local-zone: "dns0.eu." typetransparent
|
||||
local-data: "dns0.eu. A 193.110.81.0"
|
||||
local-data: "dns0.eu. A 185.253.5.0"
|
||||
local-data: "dns0.eu. AAAA 2a0f:fc80::"
|
||||
local-data: "dns0.eu. AAAA 2a0f:fc81::"
|
||||
# DNS0 Zero
|
||||
local-zone: "zero.dns0.eu." typetransparent
|
||||
local-data: "zero.dns0.eu. A 193.110.81.9"
|
||||
local-data: "zero.dns0.eu. A 185.253.5.9"
|
||||
local-data: "zero.dns0.eu. AAAA 2a0f:fc80::9"
|
||||
local-data: "zero.dns0.eu. AAAA 2a0f:fc81::9"
|
||||
# DNS0 Kids
|
||||
local-zone: "kids.dns0.eu." typetransparent
|
||||
local-data: "kids.dns0.eu. A 193.110.81.1"
|
||||
local-data: "kids.dns0.eu. A 185.253.5.1"
|
||||
local-data: "kids.dns0.eu. AAAA 2a0f:fc80::1"
|
||||
local-data: "kids.dns0.eu. AAAA 2a0f:fc81::1"
|
||||
# DNS0 Open
|
||||
local-zone: "open.dns0.eu." typetransparent
|
||||
local-data: "open.dns0.eu. A 193.110.81.254"
|
||||
local-data: "open.dns0.eu. A 185.253.5.254"
|
||||
local-data: "open.dns0.eu. AAAA 2a0f:fc80::ffff"
|
||||
local-data: "open.dns0.eu. AAAA 2a0f:fc81::ffff"
|
||||
# Cloudflare
|
||||
local-zone: "cloudflare-dns.com." typetransparent
|
||||
local-data: "cloudflare-dns.com. A 1.1.1.1"
|
||||
local-data: "cloudflare-dns.com. A 1.0.0.1"
|
||||
local-data: "cloudflare-dns.com. AAAA 2606:4700:4700::1111"
|
||||
local-data: "cloudflare-dns.com. AAAA 2606:4700:4700::1001"
|
||||
local-zone: "one.one.one.one." typetransparent
|
||||
local-data: "one.one.one.one. CNAME cloudflare-dns.com."
|
||||
# Cloudflare Malware blocking
|
||||
local-zone: "security.cloudflare-dns.com." typetransparent
|
||||
local-data: "security.cloudflare-dns.com. A 1.1.1.2"
|
||||
local-data: "security.cloudflare-dns.com. A 1.0.0.2"
|
||||
local-data: "security.cloudflare-dns.com. AAAA 2606:4700:4700::1112"
|
||||
local-data: "security.cloudflare-dns.com. AAAA 2606:4700:4700::1002"
|
||||
# Mullvad ad, tracker & malware block
|
||||
local-zone: "base.dns.mullvad.net." typetransparent
|
||||
local-data: "base.dns.mullvad.net. A 194.242.2.4"
|
||||
local-data: "base.dns.mullvad.net. AAAA 2a07:e340::4"
|
||||
# AdGuard Default
|
||||
local-zone: "dns.adguard-dns.com." typetransparent
|
||||
local-data: "dns.adguard-dns.com. A 94.140.14.14"
|
||||
local-data: "dns.adguard-dns.com. A 94.140.15.15"
|
||||
local-data: "dns.adguard-dns.com. AAAA 2a10:50c0::ad1:ff"
|
||||
local-data: "dns.adguard-dns.com. AAAA 2a10:50c0::ad2:ff"
|
||||
# Google DNS
|
||||
local-zone: "dns.google." typetransparent
|
||||
local-data: "dns.google. A 8.8.8.8"
|
||||
local-data: "dns.google. A 8.8.4.4"
|
||||
local-data: "dns.google. AAAA 2001:4860:4860::8888"
|
||||
local-data: "dns.google. AAAA 2001:4860:4860::8844"
|
||||
local-zone: "dns.google.com." typetransparent
|
||||
local-data: "dns.google.com. CNAME dns.google."
|
||||
# Google DNS64
|
||||
local-zone: "dns64.dns.google." typetransparent
|
||||
local-data: "dns64.dns.google. AAAA 2001:4860:4860::6464"
|
||||
local-data: "dns64.dns.google. AAAA 2001:4860:4860::64"
|
||||
|
||||
# vim: filetype=unbound.conf
|
||||
Loading…
x
Reference in New Issue
Block a user